SecurityFocus Linux Newsletter #106 Nov 11 2002 07:24PM
Stephen Entwisle (se securityfocus com)
SecurityFocus Linux Newsletter #106
-----------------------------------

This issue sponsored by: SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

---------------------------------------------------------------

I. FRONT AND CENTER
1. Complete Snort-based IDS Architecture, Part One
2. Polymorphic Macro Viruses, Part Two
3. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
1. PHP-Nuke 5.6 Modules.PHP SQL Injection Vulnerability
2. Michael Krax log2mail Remote Buffer Overflow Vulnerability
3. Monkey HTTP Server Invalid POST Request Denial Of Service Vulnerability
4. Jason Orcutt Prometheus Remote File Include Vulnerability
5. Abuse Local Buffer Overflow Vulnerability
6. PERL-MailTools Remote Command Execution Vulnerability
7. The Magic Notebook Invalid Username Denial Of Service Vulnerability
8. Networking_Utils Remote Command Execution Vulnerability
9. Frank McIngvale LuxMan Memory File Descriptor Leakage Vulnerability
10. Linux Kernel 2.4 System Call TF Flag Denial Of Service Vulnerability
11. Pine From: Field Heap Corruption Vulnerability
12. Linuxconf mailconf Module Mail Relay Vulnerability
III. LINUX FOCUS LIST SUMMARY
[No Messages on Focus-Linux This Week]
IV. NEW PRODUCTS FOR LINUX PLATFORM
1. NetPilot Plus
2. ServerCluster
3. BlackBerry (RIM)
V. NEW TOOLS FOR LINUX PLATFORMS
1. MAILMILL
2. Annoyance Filter
3. Tnefclean
4. IP Blocker
5. MailStripper
VI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------

1. Complete Snort-based IDS Architecture, Part One

Many companies find it hard to justify acquiring the IDS systems due to
their perceived high cost of ownership. However, not all IDS systems are
prohibitively expensive. This two-part article will provide a set of
detailed directions to build an affordable intrusion detection
architecture from hardware and freely available software.

http://online.securityfocus.com/infocus/1640

2. Polymorphic Macro Viruses, Part Two

This article is the second of a two-part series that will offer a brief
overview of polymorphic strategies in macro viruses. This installment will
look at the first serious polymorphic macro viruses, as well as the
evolution of viruses into true polymorphic and, ultimately, metamorphic
viruses.

http://online.securityfocus.com/infocus/1638

3. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14
Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all! Go to:
http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY
-------------------

1. PHP-Nuke 5.6 Modules.PHP SQL Injection Vulnerability
BugTraq ID: 6088
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6088
Summary:

PHP-Nuke is a web based Portal system. Implemented in PHP, it is available
for a range of systems, including Microsoft Windows and Linux.

A SQL injection vulnerability has been reported for PHP-Nuke 5.6.

The vulnerability is due to insufficient sanitization of variables used to
construct SQL queries in the 'modules.php' script. It is possible to
modify the logic of SQL queries through malformed query strings in
requests for the vulnerable script.

By injecting SQL code into variables, it may be possible for an attacker
to corrupt database information.

This issue was reported in PHPNuke version 5.6. Other versions may also be
affected.
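
How a query string built by concatenation lets request input rewrite the
WHERE clause, and the placeholder-bound form that prevents it, shown as an
added Python example (this is not PHP-Nuke code; the `modules` table, its
rows and the `mid` parameter are constructed for the illustration):

```python
import sqlite3


def make_db():
    """Constructed sample table for this example, not PHP-Nuke's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE modules (mid INTEGER PRIMARY KEY, title TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO modules VALUES (?, ?, ?)",
        [(1, "News", 1), (2, "Downloads", 1), (3, "Admin", 0)],
    )
    return conn


def lookup_vulnerable(conn, mid):
    """Builds the statement by string concatenation: the request parameter
    becomes part of the SQL text, so it can change the query's logic."""
    sql = "SELECT title FROM modules WHERE active = 1 AND mid = " + mid
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, mid):
    """Binds the value through a placeholder: the driver sends it separately
    from the statement text, so it is only ever compared, never parsed."""
    rows = conn.execute(
        "SELECT title FROM modules WHERE active = 1 AND mid = ?", (mid,)
    )
    return [row[0] for row in rows]


def lookup_validated(conn, mid):
    """Defence in depth: canonicalise the untrusted string to the column's
    type before it reaches the database at all."""
    if not isinstance(mid, str) or not mid.isdigit():
        raise ValueError("module id must be a non-negative integer")
    return lookup_parameterised(conn, int(mid))
```

With the input `1 OR 1=1`, the concatenated query returns every row,
including the inactive module, while the parameterised query returns
nothing because the whole string is compared as a single value. The
validated variant additionally rejects the input before any SQL is issued.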

2. Michael Krax log2mail Remote Buffer Overflow Vulnerability
BugTraq ID: 6089
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6089
Summary:

The log2mail daemon is a small utility used to watch logfiles and send
mail when specified patterns are matched. It is available for Linux and
Unix operating systems.

Typically, the log2mail daemon is invoked, by init scripts, during the
boot process and is run with root privileges.

A remotely exploitable buffer overflow has been discovered in the log2mail
daemon. By generating malicious log entries, it is possible for a remote
attacker to cause a static buffer to be overrun, resulting in memory
corruption.

By exploiting this vulnerability, it may be possible to overwrite
sensitive memory variables with attacker-supplied values, resulting in the
execution of arbitrary code with the privileges of the daemon.

This vulnerability was reported in log2mail v0.2.5. It is not yet known if
this issue affects earlier versions.

3. Monkey HTTP Server Invalid POST Request Denial Of Service Vulnerability
BugTraq ID: 6096
Remote: Yes
Date Published: Nov 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6096
Summary:

Monkey is an open source Web server written in C, based on the HTTP/1.1
protocol. It is available for the Linux platform.

A denial of service vulnerability has been reported for Monkey HTTP
server. The vulnerability is due to inadequate checks being performed when
decoding POST requests.

An attacker can exploit this vulnerability by issuing a POST request with
an invalid Content-Length header, or without a Content-Length value. When
the server attempts to service the request, it will crash and lead to the
denial of service condition.

This vulnerability was reported for Monkey HTTP server 0.50. Earlier
versions are likely to be affected by this vulnerability.
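
The header check the report says is missing, as an added Python example (not
Monkey's code): a request decoder that answers a POST with a missing,
non-numeric, negative or oversized Content-Length with an HTTP error instead
of crashing. The 1 MiB body limit and the sample requests are constructed
for the illustration.

```python
import re

MAX_BODY = 1 << 20          # constructed limit for this example: 1 MiB
_DIGITS = re.compile(r"[0-9]+")


class RequestError(Exception):
    """Raised for requests the server must answer with an error instead of serving."""

    def __init__(self, status, reason):
        super().__init__("%d %s" % (status, reason))
        self.status = status


def parse_headers(block):
    """Turn a CRLF-separated header block (bytes) into {lower-name: value}."""
    headers = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise RequestError(400, "Bad Request")
        key = name.strip().lower().decode("ascii", "replace")
        val = value.strip().decode("ascii", "replace")
        if key in headers and headers[key] != val:
            raise RequestError(400, "Bad Request")   # conflicting duplicates
        headers[key] = val
    return headers


def body_length(method, headers):
    """How many body bytes to read for this request; raises rather than guessing."""
    if method not in ("POST", "PUT"):
        return 0
    value = headers.get("content-length")
    if value is None:
        raise RequestError(411, "Length Required")
    if not _DIGITS.fullmatch(value):      # rejects '', '-1', '12abc', '0x10', '1e3'
        raise RequestError(400, "Bad Request")
    length = int(value)
    if length > MAX_BODY:
        raise RequestError(413, "Request Entity Too Large")
    return length


def decode_request(raw):
    """Parse one raw HTTP request; returns (method, headers, body) or raises RequestError."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RequestError(400, "Bad Request")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise RequestError(400, "Bad Request")
    method = parts[0].decode("ascii", "replace")
    headers = parse_headers(header_block)
    length = body_length(method, headers)
    if len(rest) < length:
        # A real server would keep reading from the socket up to `length`.
        raise RequestError(400, "Incomplete Body")
    return method, headers, rest[:length]


def status_of(raw):
    """Status code the server would answer with; 200 when parsing succeeds."""
    try:
        decode_request(raw)
        return 200
    except RequestError as err:
        return err.status
```

The point of the regex is that `int()` alone would happily accept `-1` or
` 12`, and a signed or absent length is exactly the input a body reader
must never be handed.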

4. Jason Orcutt Prometheus Remote File Include Vulnerability
BugTraq ID: 6087
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6087
Summary:

Jason Orcutt Prometheus is a collection of tools to facilitate the design
and implementation of active content Web sites. It is implemented in PHP
and is available for Unix and Linux variants as well as Microsoft Windows
operating systems.

Prometheus is prone to an issue which may allow remote attackers to
include arbitrary files located on remote servers. This issue is present
in the following PHP script files provided with Prometheus:
index.php
install.php
test_*.php

An attacker may exploit this by supplying a path to a maliciously created
'autoload.lib' file, located on an attacker-controlled host as a value for
the 'PROMETHEUS_LIBRARY_BASE' parameter.

If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.
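
The check that turns a user-controlled library base into a safe local
include path, as an added Python example (not Prometheus code; the
`/var/www/prometheus/lib` root and the `autoload.lib` file name it appends
are the page's own name and a constructed root). It refuses anything with a
URL scheme or host, anything containing a NUL byte, and any path that does
not stay inside the library root after normalisation.

```python
import os
from urllib.parse import urlsplit

LIBRARY_ROOT = "/var/www/prometheus/lib"   # constructed path for this example


def resolve_library_base(user_value, root=LIBRARY_ROOT):
    """Absolute path under `root` for the requested library base, or ValueError."""
    if not user_value:
        raise ValueError("empty library base")
    # A URL scheme or a host part means the include would be fetched remotely.
    parts = urlsplit(user_value)
    if parts.scheme or parts.netloc:
        raise ValueError("remote library base refused")
    if "\x00" in user_value:
        raise ValueError("NUL byte in path")
    candidate = os.path.normpath(os.path.join(root, user_value))
    # After normalisation the result must still live under the root;
    # an absolute value or a '..' chain lands elsewhere and is rejected.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes library root")
    return candidate


def autoload_path(user_value, root=LIBRARY_ROOT):
    """Path of the autoload.lib file the application would include."""
    return os.path.join(resolve_library_base(user_value, root), "autoload.lib")
```

An allowlist of known library names is stricter still where the set of
valid bases is fixed; and on the PHP side, disabling `allow_url_fopen`
removes the remote-fetch behaviour for every include in the interpreter at
once, independent of any one script's checks.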

5. Abuse Local Buffer Overflow Vulnerability
BugTraq ID: 6094
Remote: No
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6094
Summary:

Abuse is a popular side-scrolling video game. It is available for Linux
and Unix operating systems.

Buffer overflow vulnerabilities have been discovered in both the
abuse.console and abuse.x11R6 files, which are installed setuid 'root' and
setgid 'games' respectively.

It is possible to trigger the overflow by passing an excessively long
string, containing roughly 500 bytes, as a parameter to the '-net' command
line argument.

Exploiting this issue would allow a local attacker to overwrite sensitive
memory variables, potentially resulting in the execution of arbitrary code
with super user privileges.

It should be noted that Abuse 2.00, packaged and distributed with the x86
architecture of Debian Linux 3.0 has been reported vulnerable. It is not
yet known if other packages are affected by this

6. PERL-MailTools Remote Command Execution Vulnerability
BugTraq ID: 6104
Remote: Yes
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6104
Summary:

The perl-MailTools package is a collection of PERL modules related to mail
applications.

A vulnerability has been reported for the Mail::Mailer module, included in
the perl-MailTools package, which may allow remote attackers to execute
arbitrary commands on the underlying shell with the privileges of the
mailx process.

User-supplied input is passed to the mailx mailer, a simple MUA (Mail User
Agent), but is not sufficiently sanitized of shell metacharacters before
being passed through the shell.

Any applications that use Mail::Mailer directly or indirectly, like custom
auto reply programs or spam filters, are vulnerable to attack.

7. The Magic Notebook Invalid Username Denial Of Service Vulnerability
BugTraq ID: 6106
Remote: Yes
Date Published: Nov 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6106
Summary:

The Magic Notebook is a web-based application for creating and organizing
notes. It will run on Unix and Linux variants.

The Magic Notebook is prone to a denial of service vulnerability. The
Magic Notebook reportedly crashes when attempting to handle an invalid
username.

Remote attackers may be able to exploit this condition to deny service to
legitimate users of the web application.

8. Networking_Utils Remote Command Execution Vulnerability
BugTraq ID: 6107
Remote: Yes
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6107
Summary:

Networking_Utils is an application for supplying web access to networking
tools such as ping, traceroute and nslookup. Networking_Utils is
implemented in PHP and intended to run on Unix and Linux variants.

Networking_Utils is prone to a remote command execution vulnerability.

The issue exists in the implementation of the ping command. Shell
metacharacters are not sufficiently sanitized from the domain name or IP
address fields. This input will be passed directly through the shell.
An attacker may exploit this issue by supplying malicious input which
includes shell metacharacters and arbitrary commands, which will be
interpreted by the underlying shell. The attacker may execute commands
with the privileges of the webserver.

Exploitation of this issue will allow a remote attacker to gain local,
interactive access to the underlying host.

Implementations of the other commands may also be affected by this
vulnerability.
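
Both the Mail::Mailer issue (item 6) and the Networking_Utils ping issue
above share one root cause: user input reaches a command line that a shell
parses. The hardened pattern, as an added Python example (not code from
either project): validate the field against the narrow grammar it should
have (an IP address or hostname, a mailbox address) and then exec the
program with an argv list so that no shell ever sees the value. The
`/bin/ping` and `/usr/bin/mailx` paths are assumptions for this example.

```python
import ipaddress
import re
import subprocess

# A DNS label: letters, digits and inner hyphens only. Nothing a shell
# treats specially can match this grammar.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# A deliberately conservative mailbox grammar for the recipient argument.
_MAILBOX = re.compile(r"[A-Za-z0-9._+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def is_safe_target(value):
    """True if value is an IP address or a syntactically valid hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return all(_LABEL.fullmatch(label) for label in value.rstrip(".").split("."))


def build_ping_argv(target, count=3):
    """argv for ping; the target is a single argument, never shell text."""
    if not is_safe_target(target):
        raise ValueError("refusing target: %r" % target)
    return ["/bin/ping", "-c", str(count), target]


def build_mailx_argv(recipient, subject):
    """argv for mailx; the recipient is validated, the subject kept to one line."""
    if not _MAILBOX.fullmatch(recipient):
        raise ValueError("refusing recipient: %r" % recipient)
    if any(c in subject for c in "\r\n\x00"):
        raise ValueError("subject must be a single line")
    return ["/usr/bin/mailx", "-s", subject, recipient]


def run_ping(target, count=3):
    """Runs ping with the list form of subprocess: the kernel receives argv
    directly and no shell parses it, so metacharacters are just characters."""
    argv = build_ping_argv(target, count)
    return subprocess.run(argv, capture_output=True, text=True, timeout=30).stdout
```

If a shell cannot be avoided (for instance, a mailer that only exposes a
command string), `shlex.quote` is the escaping routine to apply to each
argument; validation first and argv lists second remain the stronger
combination, because they remove the shell from the picture rather than
trying to out-quote it.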

9. Frank McIngvale LuxMan Memory File Descriptor Leakage Vulnerability
BugTraq ID: 6113
Remote: No
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6113
Summary:

Frank McIngvale LuxMan is a video game similar to Pac Man for Linux based
systems.

A vulnerability exists in LuxMan that could allow a local user read and
write access to memory.

It has been reported that the 'maped' setuid binary in LuxMan is
vulnerable to a leakage of open file descriptors that may result in
unauthorized disclosure of memory. It is allegedly possible for attackers
to inherit open file descriptors with read/write access to /dev/mem by
executing a malicious program through maped. Since maped calls gzip
without using the explicit path, an attacker could create a malicious
binary named gzip and add its directory to the PATH environment variable.
When gzip is called by maped, the malicious gzip will be called rather
than the legitimate version.

Upon exploiting this vulnerability, an attacker would have read and write
access to memory. The attacker could use this access to gain sensitive
information such as passwords, or other information. Additionally, an
attacker could remap system calls. It should be assumed that total
compromise is imminent if an attacker has read or write access to memory.
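
The two hygiene rules a privileged helper like maped should follow, as an
added Python example (not LuxMan code): locate external programs only in a
fixed set of trusted directories and hand the child a fixed PATH, so the
invoker's environment cannot redirect a bare `gzip` name; and open
sensitive descriptors close-on-exec and exec with `close_fds=True`, so a
child cannot inherit them. The trusted directory list is an assumption for
this example.

```python
import os
import subprocess

# Constructed for this example: the only places a privileged helper looks.
TRUSTED_DIRS = ("/usr/bin", "/bin")


def resolve_trusted(program):
    """Locate a bare program name in TRUSTED_DIRS, ignoring the caller's PATH."""
    if "/" in program:
        raise ValueError("bare program name expected, got %r" % program)
    for directory in TRUSTED_DIRS:
        candidate = os.path.join(directory, program)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def open_private(path):
    """Open a sensitive file so the descriptor is closed across exec."""
    # O_CLOEXEC is set atomically at open time; there is no window in which a
    # concurrently forked child could see an inheritable copy.
    return os.open(path, os.O_RDONLY | os.O_CLOEXEC)


def clean_env():
    """Minimal child environment: fixed PATH, nothing taken from the invoker."""
    return {"PATH": ":".join(TRUSTED_DIRS), "LANG": "C"}


def run_helper(program, args):
    """Run an external program by resolved absolute path with a clean environment."""
    exe = resolve_trusted(program)
    if exe is None:
        raise FileNotFoundError(program)
    # close_fds=True closes every descriptor except stdin/stdout/stderr in the
    # child; O_CLOEXEC above covers descriptors on any other exec path too.
    result = subprocess.run([exe, *args], env=clean_env(), close_fds=True,
                            capture_output=True, text=True, check=True)
    return result.stdout
```

On a setuid binary the same discipline applies to every variable the child
might read (IFS, LD_PRELOAD and friends), which is why the environment is
rebuilt from scratch rather than filtered.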

10. Linux Kernel 2.4 System Call TF Flag Denial Of Service Vulnerability
BugTraq ID: 6115
Remote: No
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6115
Summary:

A denial of service vulnerability has been reported for the Linux kernel.
Reportedly, it is possible to stop the kernel from responding by
triggering a system call with the TF flag enabled.

When a native Linux binary makes a system call, the 'int 0x80' instruction
is called, effectively triggering a trap into kernel mode. Non-native
Linux binaries use the 'lcall7' instruction to trigger a kernel trap. If
the TF (TRAP FLAG) bit is set when a trap is triggered using the 'lcall7'
instruction, the kernel will hang.

An attacker can exploit this vulnerability by executing a malicious
application that uses the lcall7/lcall27 functions to execute system
calls. By ensuring that the TF flag is set when the kernel attempts to
execute the system call, it is possible to cause the kernel to hang and
cause the denial of service condition. A reboot is necessary to restore
functionality.

This vulnerability was fixed in the Linux Kernel 2.4.19.

11. Pine From: Field Heap Corruption Vulnerability
BugTraq ID: 6120
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6120
Summary:

Pine is an open source mail user agent distributed by the University of
Washington. It is freely available for Unix, Linux, and Microsoft
operating systems.

It is possible to cause a denial of service in Pine by sending an email
message with a specially crafted "From:" address. According to the
report, the crash can be reproduced by setting the "From:" address to a
value such as:

"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.tld

A stack trace suggests that this behaviour may be due to corruption of
data in the heap. If that is the case, execution of arbitrary code may be
possible.

Note that the user does not have to view the message in order for the
denial of service to take place; the message simply has to be present in
the user's Inbox. While a message with this address is present in the
Pine Inbox, it is not possible to start Pine again. The message
containing this address must be manually removed from the spool or by
using another MUA.

It is important to note that this specially crafted "From:" address is RFC
legal.

This issue will reportedly be fixed in Pine 4.50.

12. Linuxconf mailconf Module Mail Relay Vulnerability
BugTraq ID: 6118
Remote: Yes
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6118
Summary:

Linuxconf is an administration system which is divided into several modules.
The mailconf module is responsible for the configuration of Sendmail.

A vulnerability has been discovered in the mailconf module included with
Linuxconf.

It has been reported that the sendmail.cf configuration file created by
the mailconf module contains a bug which could allow message relaying. By
specifying a recipient in the format of "user%domain@", it is possible to
relay messages outside of the mail daemon's served network.

Exploitation of this issue could allow an attacker to send unauthorized
messages from the vulnerable server.

It should be noted that the default configuration file distributed with
Sendmail is not vulnerable to this issue. It must have been created by
Linuxconf for this vulnerability to be introduced.
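
A recipient check that catches the "user%domain@" form described above, as
an added Python example (not Linuxconf or Sendmail code): it classifies each
RCPT TO address as local delivery or a relay attempt, treating an empty or
foreign domain and any "%" or "!" source-routing character in the local part
as relaying. The local domain list and sample addresses are constructed.

```python
ROUTE_CHARS = ("%", "!")   # percent-hack and UUCP bang routing


def normalise_domain(domain):
    return domain.strip().rstrip(".").lower()


def classify_recipient(rcpt, local_domains):
    """'local' if this host is the final destination, otherwise 'relay'."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    local_part, at, domain = addr.rpartition("@")
    if not at:                       # bare user name: local mailbox
        local_part, domain = addr, None
    known = {normalise_domain(d) for d in local_domains}
    if domain is not None:
        domain = normalise_domain(domain)
        # The empty domain of "user%host@" fails this test too.
        if domain not in known:
            return "relay"
    # Even with a local domain, a routed local part is re-delivered elsewhere
    # after it arrives here, which is exactly the hole in the generated sendmail.cf.
    if any(c in local_part for c in ROUTE_CHARS):
        return "relay"
    return "local"


def rcpt_response(rcpt, local_domains, relay_allowed=False):
    """SMTP reply an MTA would give to RCPT TO for this address."""
    if classify_recipient(rcpt, local_domains) == "relay" and not relay_allowed:
        return "550 5.7.1 Relaying denied"
    return "250 OK"
```

The same test is a useful log-side check: any accepted RCPT whose local
part contains "%" or "!" on a host that is not meant to relay is worth an
alert, whatever the sendmail.cf says.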

III. LINUX FOCUS LIST SUMMARY
---------------------------------
[No Messages on Focus-Linux This Week]

IV. NEW PRODUCTS FOR LINUX PLATFORMS
-----------------------------------

1. NetPilot Plus
by Equiinet
Platforms: N/A

NetPilot Plus is an enhanced version of the market-leading NetPilot. This
product enables organisations to easily and securely deploy IPSec-based
VPNs over the Internet, Internet access and email facilities, while
integrating key communications, networking and server elements into a
single secure appliance.

2. ServerCluster
by Stonesoft
Platforms: Linux, Solaris

ServerCluster is a High Availability software solution that clusters up
to 32 servers and applications such as databases, web, mail etc., and
provides continuous 24x7 monitoring with comprehensive fault detection and
automated failover to secondary nodes in the cluster, and therefore service
continuity in the event of a failure, without the need for immediate
on-site manual intervention.

3. BlackBerry (RIM)
by Research In Motion
Platforms: N/A

BlackBerry is an end-to-end wireless email solution that provides quick,
easy access to your email, contacts, calendar and task list wherever you
go. With BlackBerry, mobile professionals get effortless access to email
while on the road and IT departments get centralized administration in a
secure solution.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------

1. MAILMILL v0.1
by less random
Relevant URL: http://www.metamagix.net/mailmill.html
Platforms: UNIX

MAILMILL is a lightweight mail-receiving component built in Java. It
listens on the SMTP port for incoming messages, and once they arrive it
looks in its XML-based ruleset for corresponding filters to apply. It is
intended for Java developers who need mailserver functionality and want to
build their own Java classes for processing incoming mail. Standard
filters include forwarding, SMS, SMTP/HTTP conversion (e.g., send a google
request by mail) and more.

2. Annoyance Filter v1.0-RC1
by John Walker (kelvin (at) fourmilab (dot) ch)
Relevant URL: http://www.fourmilab.ch/annoyance-filter/
Platforms: OS Independent

Annoyance Filter sifts mail you wish to read from junk arriving in your
mailbox by an adaptive process which gives priority to mail you're
interested in reading, and evolves to block cleverly disguised junk mail.

3. Tnefclean v1.0
by The Midnite Marauder
Relevant URL: http://www.dread.net/~striker/tnefclean/
Platforms: UNIX

tnefclean is a Perl script to convert attachments from Microsoft Outlook
to a readable format. Previously, people would have to find a way to
decipher the winmail.dat attachments that came from Outlook users. This
tool will either remove the attachment if there is nothing in it, or
change it to represent the proper attachment if it actually exists.

4. IP Blocker v1.0.20021107
by Rob Patrick (freshmeat.net (at) NOSPAMrpatrick (dot) com)
Relevant URL: http://www.ipblocker.org/
Platforms: UNIX

IP Blocker is an incident response tool for network admins that
automatically updates access control lists (ACL) on Cisco routers and
other devices. Web and CLI are both supported. Logging, email
notification, and automatic expiration of blocks using policy-based TTL
values are all supported.

5. MailStripper v0.62
by Michael McConnell
Relevant URL: http://www.eridani.co.uk/MailStripper/
Platforms: Linux, Os Independent, POSIX

MailStripper is a mail scanner that aims to remove spam and viruses from
incoming mail. AV capability is provided by a hook to an external virus
scanner. Written from the ground up in Tcl, it aims to be MTA-independent,
by working on the SMTP transaction.

VI. SPONSOR INFORMATION
-----------------------
SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
