SecurityFocus Linux Newsletter #116
-----------------------------------
This newsletter is sponsored by: Black Hat (http://www.blackhat.com)
Spooked about Windows security? Find solutions instead. Plan now to
attend the Black Hat Briefings & Training Windows Security conference,
February 25-28 in Seattle, the world's premier technical event for Windows
and .Net security experts. This event is fully supported by Microsoft.
The Training on February 25-26 features 7 two-day courses on the hottest
subjects. The Briefings on February 27-28 features 30 of the top industry
speakers presenting topics in 6 tracks. Visit www.blackhat.com to see why
top security experts rave about the Black Hat Briefings.
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. SunScreen, Part One: An Overview of the Sun Microsystem Firewall
2. The Turkey that Bites
3. The Canary in the Data Mine
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
1. Blackboard Learning System search.pl SQL Injection Vulnerability
2. ESCPUtil Local Printer Name Buffer Overflow Vulnerability
3. Apache Web Server MS-DOS Device Name Denial Of Service...
4. GNU Mailman 'email' Cross Site Scripting Vulnerability
5. GNU Mailman Error Page Cross Site Scripting Vulnerability
6. MyRoom save_item.php Arbitrary File Upload Vulnerability
7. slocate Local Buffer Overrun Vulnerability
8. CVS Directory Request Double Free Heap Corruption Vulnerability
9. ModLogAn Remote Heap Corruption Vulnerability
10. Apache Web Server MS-DOS Device Name Arbitrary Code Execution...
11. Apache Web Server Illegal Character HTTP Request File...
12. Apache Web Server Default Script Mapping Bypass Vulnerability
13. MTink Printer Status Monitor Environment Variable Buffer...
14. YABB SE Packages.PHP Remote File Include Vulnerability
15. Kodak KCMS KCS_OPEN_PROFILE Procedure Arbitrary File Access...
16. PHPOutsourcing Zorum Remote Include Command Execution...
17. YaBB SE News.PHP Remote File Include Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. Secure Web-Based Administration (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORM
1. Cisco VPN 5000 Series Concentrators
2. Covalent Fast Start Server
3. DirectorySmart
V. NEW TOOLS FOR LINUX PLATFORMS
1. radmind v0.9.3
2. BENIDS v0.1.3
3. Lepton's Crack v1.1
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. SunScreen, Part One: An Overview of the Sun Microsystem Firewall
By Ido Dubrawsky
SunScreen is Sun Microsystem's firewall that runs under the Solaris
operating system. It provides for packet filtering, authentication and
data encryption as well as the creation of IPsec-based VPNs. This article
is the first of a two-part series that will offer a brief overview of the
implementation and administration of SunScreen.
http://online.securityfocus.com/infocus/1660
2. The Turkey that Bites
By Jon Lasser
With last week's RIAA worm hoax, the scallywags at Gobbles raised security
advisories to subversive performance art.
http://online.securityfocus.com/columnists/137
3. The Canary in the Data Mine
By Mark Rasch
At the turn of the century just past, mining companies would use a
brightly colored bird in the mine shaft to protect the lives of citizens.
These canaries were more sensitive to the foul, noxious and deadly but
invisible vapors that would otherwise threaten the lives of the mine shaft
workers. When the canaries died, the miners would know an invisible threat
existed.
http://online.securityfocus.com/columnists/136
4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Blackboard Learning System search.pl SQL Injection Vulnerability
BugTraq ID: 6655
Remote: Yes
Date Published: Jan 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6655
Summary:
Blackboard Learning system is a suite of software products available for
Microsoft Windows, Linux and Solaris servers that power an "e-Education
Infrastructure" for education providers.
Blackboard Learning System, in some cases, does not sufficiently sanitize
user-supplied input which is used when constructing SQL queries. As a
result, attackers may supply malicious parameters to manipulate the
structure and logic of SQL queries. This may result in unauthorized
operations being performed on the underlying database.
This vulnerability was reported to exist in the search.pl script file (the
address book search feature). A remote attacker can exploit this
vulnerability to brute-force user accounts. It may also be possible to
conduct other attacks, such as executing stored procedures and exploiting
vulnerabilities in the database server.
This vulnerability was reported for Blackboard Learning System 5.5.1, level
1 and 2. Previous releases may also be affected.
2. ESCPUtil Local Printer Name Buffer Overflow Vulnerability
BugTraq ID: 6658
Remote: No
Date Published: Jan 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6658
Summary:
escputil is a freely available, open source print driver for the Linux
operating system. It is publicly maintained.
It has been reported that a buffer overflow in escputil exists.
This problem is due to insufficient bounds checking on the values supplied
as arguments of the -P command line parameter. It is possible for a
malicious local user to corrupt sensitive regions of memory with
attacker-supplied values.
escputil is reportedly installed setgid 'sys' on Mandrake Linux, so it is
possible that this issue may be exploited to execute arbitrary code with
elevated privileges. Other distributions may also be affected if the
utility is installed or runs with elevated privileges.
It should also be noted that this program is included with a number of
other packages for printing on Linux systems.
3. Apache Web Server MS-DOS Device Name Denial Of Service Vulnerability
BugTraq ID: 6662
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6662
Summary:
Apache is a freely available Web server for Unix and Linux variants, as
well as Microsoft operating systems.
A vulnerability has been reported in Apache Web server for Microsoft
Windows 9x/Me operating environments. The vulnerability exists in the way
some HTTP requests are handled by the Apache Web server. Specifically,
HTTP requests that involve MS-DOS device names may cause the Apache Web
server to crash.
An attacker can exploit this vulnerability by sending a malformed HTTP GET
request to the Apache server using a reserved MS-DOS device name such as
'aux'. When the server receives this request it will crash.
This vulnerability exists for Apache versions prior to 2.0.44 for
Microsoft Windows 9x/Me operating environments.
4. GNU Mailman 'email' Cross Site Scripting Vulnerability
BugTraq ID: 6677
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6677
Summary:
Mailman is software to help manage email discussion lists, much like
Majordomo and SmartList. It is written and maintained by the GNU Project
and is available for the Linux and Unix operating systems.
A cross site scripting vulnerability has been discovered in GNU Mailman.
The issue occurs due to insufficient sanitization of URI parameters.
Specifically, the 'email' URI parameter is not correctly filtered for
embedded HTML or script code.
As a result, attackers may embed malicious script code or HTML into a link
to a site running the vulnerable software. When this link is followed by a
web user, the attacker-supplied code will be interpreted in their web
browser in the security context of the site hosting the software.
It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. Other
attacks are also possible.
5. GNU Mailman Error Page Cross Site Scripting Vulnerability
BugTraq ID: 6678
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6678
Summary:
Mailman is software to help manage email discussion lists, much like
Majordomo and SmartList. It is written and maintained by the GNU Project
and is available for the Linux and Unix operating systems.
A cross site scripting vulnerability has been discovered in GNU Mailman.
The issue occurs due to insufficient sanitization of URI parameters.
Specifically, the 'language' variable is not sufficiently sanitized before
being included in error pages.
As a result, attackers may embed malicious script code or HTML into a link
to a site running the vulnerable software. When this link is followed by a
web user, the attacker-supplied code will be interpreted in their web
browser in the security context of the site hosting the software.
It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. Other
attacks are also possible.
It has been reported that GNU Mailman 2.0.11 is not affected by this
issue.
6. MyRoom save_item.php Arbitrary File Upload Vulnerability
MyRoom is an online item management system implemented in PHP. It is
available for a variety of platforms including Linux variant operating
systems and Microsoft Windows.
A problem with MyRoom may make it possible for remote attackers to upload
files to a vulnerable system.
Due to inadequate security checks performed by some PHP scripts, an
attacker is able to upload arbitrary files to the system. The
room/save_item.php script has been reported to be vulnerable to this
issue.
Specifically, the script only checks to see whether the file to be
uploaded is an image file. As such, any file that includes the allowed
extensions may be uploaded. Any uploaded files will be stored in the
'img/photo' folder.
Given the ability to upload arbitrary files to the host, an attacker can
exploit this vulnerability to upload malicious applications to the
vulnerable system or use the system for the storage of files.
This vulnerability was reported for MyRoom 3.5 GOLD.
7. slocate Local Buffer Overrun Vulnerability
BugTraq ID: 6676
Remote: No
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6676
Summary:
Secure Locate (slocate) provides a secure way to index and quickly search
for files on your system. It is available for the Linux and Unix operating
systems. Typically slocate is installed with setgid 'slocate' privileges.
A buffer overrun vulnerability has been discovered in slocate. The issue
occurs when 1024, or more, bytes of data are supplied to both the regex
('-r') and the parse /etc/updatedb.conf ('-c') command line arguments.
This issue occurs due to insufficient bounds checking on user-supplied
input.
A malicious local user may be able to exploit this issue to overwrite
sensitive locations in memory. For instance, by overwriting the program's
instruction pointer it may be possible to redirect program flow to point
to attacker-supplied instructions. As slocate is typically installed with
setgid privileges, any code execution accomplished by an attacker will be
executed with group 'slocate' privileges. An attacker may leverage this
privilege escalation to exploit the target system further.
It should be noted that this issue has been reportedly verified on RedHat
7.3 and 7.2. RedHat 6.2 appears to be immune to this issue. It has not yet
been verified whether other versions are also affected.
8. CVS Directory Request Double Free Heap Corruption Vulnerability
CVS is the concurrent versioning system. CVS is a freely available, open
source software development package for the Unix, Linux, and Microsoft
Windows platforms.
CVS is prone to a double free vulnerability in Directory requests.
Malformed Directory requests may potentially cause dynamically allocated
memory to be de-allocated twice, using the free() function.
An attacker may potentially take advantage of this issue to cause heap
memory to be corrupted with attacker-supplied values, which may result in
execution of arbitrary code in the security context of the CVS server.
9. ModLogAn Remote Heap Corruption Vulnerability
ModLogAn is a modular logfile analyzer which parses logfiles generated by
several server types including HTTP and FTP. It is available for the Unix
and Linux operating systems.
A vulnerability has been discovered in ModLogAn. The problem occurs when
attempting to decode a URL with the url_decode() function. When the
url_decode() function detects a percentage character ('%') in a URL, it
incorrectly presumes that the following 2 bytes will represent a
hexadecimal encoded value. After this assumption is made the length
counter (for the size of the decoded string) is reduced by two. If the URL
contains values after the percentage character which are not hexadecimal,
the URL data may be larger than the buffer allocated for the decoded
string.
By generating a malicious log entry containing a URL with excessive
percentage characters designed to trigger the issue, it may be possible
for an attacker to corrupt heap memory.
Exploiting this issue to overwrite a malloc() header may make it possible
to overwrite an arbitrary word in memory when the corrupted chunk is
freed. This may result in arbitrary attacker-supplied instructions being
executed with the privileges of the ModLogAn process.
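The length miscount described above is the whole bug: a decoder that subtracts two from its size estimate for every '%' it sees, whether or not hex digits follow, allocates a buffer that is too small for a URL like "%%%%%%". The following is an added example (not ModLogAn's source, whose url_decode() is only paraphrased here): a hypothetical reconstruction of the flawed length accounting beside a decoder that only treats '%' as an escape when two hex digits follow it, copies malformed escapes through literally, and refuses to write past the caller's buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Do two hex digits follow p? */
static int is_hex_pair(const char *p)
{
    return p[0] != '\0' && p[1] != '\0'
        && isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1]);
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return c - 'a' + 10;
}

/* Hypothetical reconstruction of the length accounting the advisory describes
 * (not ModLogAn's code): every '%' is assumed to begin a 3-byte escape, so the
 * counter is reduced by two whether or not two hex digits actually follow.
 * For "%%%%%%" this yields 0 bytes, although the decoded text is 6 bytes long. */
size_t naive_decoded_len(const char *s)
{
    size_t len = strlen(s);
    for (const char *p = s; *p; p++)
        if (*p == '%')
            len = (len >= 2) ? len - 2 : 0;   /* bug: unconditional */
    return len;
}

/* Correct accounting: an escape only shortens the output when it is well-formed. */
size_t safe_decoded_len(const char *s)
{
    size_t len = 0;
    for (const char *p = s; *p; len++)
        p += (*p == '%' && is_hex_pair(p + 1)) ? 3 : 1;
    return len;
}

/* Bounds-checked decoder. Malformed escapes are copied through literally.
 * Returns the number of bytes written (excluding the NUL), or -1 if out_size
 * is too small to hold the result and its terminator. */
int url_decode_safe(const char *s, char *out, size_t out_size)
{
    size_t n = 0;
    for (const char *p = s; *p; ) {
        if (n + 1 >= out_size) return -1;         /* no room for byte + NUL */
        if (*p == '%' && is_hex_pair(p + 1)) {
            out[n++] = (char)(hexval(p[1]) * 16 + hexval(p[2]));
            p += 3;
        } else {
            out[n++] = *p++;
        }
    }
    if (n >= out_size) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Helper: decode `in` into a buffer of `out_size` bytes and compare with
 * `expected`. Returns 1 on match, 0 on mismatch, -1 if the output did not fit. */
int decodes_to(const char *in, size_t out_size, const char *expected)
{
    char *buf = malloc(out_size);
    if (buf == NULL) return -1;
    int n = url_decode_safe(in, buf, out_size);
    int r = (n < 0) ? -1 : (strcmp(buf, expected) == 0);
    free(buf);
    return r;
}
```

The two length functions make the discrepancy visible without ever performing the overflowing write: for the constructed input "%%%%%%" the naive estimate is 0 while the real decoded length is 6. In a log analyzer the URL field comes straight from a remote client's request line, so the decoder has to treat it as hostile input and size the buffer from the validated escapes, not from the count of '%' characters.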
10. Apache Web Server MS-DOS Device Name Arbitrary Code Execution Vulnerability
BugTraq ID: 6659
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6659
Summary:
Apache is a freely available Web server for Unix and Linux variants, as
well as Microsoft operating systems.
A vulnerability has been reported in Apache Web server for Microsoft
Windows 9x/Me operating environments. The vulnerability exists in the way
some HTTP requests are handled by the Apache Web server. Specifically, the
issue exists due to the way some CGI input is redirected when the
ScriptAlias directive is enabled.
The ScriptAlias directive is used to map between URLs and paths residing
outside of the DocumentRoot. This directive also marks the target
directory as containing only CGI scripts.
An attacker can exploit this vulnerability by making a malformed HTTP POST
request to 'con.xxx' in a directory enabled with ScriptAlias. When this
malformed POST data is sent to a CGI, it may result in malicious code
being executed by the requested CGI.
This vulnerability exists for Apache versions prior to 2.0.44 for
Microsoft Windows 9x/Me operating environments.
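Both this issue and item 3 above turn on the same property of Windows: a path component such as 'aux' or 'con.xxx' names a device rather than a file, and the reservation survives an appended extension. A server or front-end proxy can reject such requests before they reach the filesystem layer. The following is an added example (not Apache's code, and not the 2.0.44 fix) of a defensive check that walks a URL path and flags any component whose base name is one of the reserved MS-DOS device names.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Return 1 if the first n bytes of s name a reserved MS-DOS device.
 * CON, PRN, AUX, NUL, COM1-COM9 and LPT1-LPT9 are reserved on Windows, and the
 * reservation applies to the part before the first '.', so "con.xxx" and
 * "aux.log" are still device names. */
static int reserved_n(const char *s, size_t n)
{
    static const char *const plain[] = { "CON", "PRN", "AUX", "NUL" };
    char base[5];
    size_t b = 0;

    /* Upper-case the part before the first '.'; the longest reserved name is
     * four characters, so anything longer cannot match. */
    for (size_t i = 0; i < n && s[i] != '.'; i++) {
        if (b >= 4) return 0;
        base[b++] = (char)toupper((unsigned char)s[i]);
    }
    base[b] = '\0';

    for (size_t i = 0; i < sizeof plain / sizeof plain[0]; i++)
        if (strcmp(base, plain[i]) == 0) return 1;

    return b == 4
        && (memcmp(base, "COM", 3) == 0 || memcmp(base, "LPT", 3) == 0)
        && base[3] >= '1' && base[3] <= '9';
}

/* Check a single path component. */
int is_reserved_dos_name(const char *component)
{
    return reserved_n(component, strlen(component));
}

/* Walk a URL path and report whether any component is a reserved device name,
 * so that e.g. "/cgi-bin/con.xxx" is rejected before it reaches the filesystem. */
int path_has_reserved_dos_name(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *e = strchr(p, '/');
        size_t n = e ? (size_t)(e - p) : strlen(p);
        if (n > 0 && reserved_n(p, n)) return 1;
        if (e == NULL) return 0;
        p = e + 1;
    }
}
```

Run the check on the decoded request path, after percent-decoding, so that an encoded form of the name is not missed. Windows also ignores trailing spaces and dots when it resolves names, which this check does not model; a deployment that has to be exact should normalize those away before calling it.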
11. Apache Web Server Illegal Character HTTP Request File Disclosure Vulnerability
BugTraq ID: 6660
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6660
Summary:
Apache is a freely available Web server for Unix and Linux variants, as
well as Microsoft operating systems.
A vulnerability has been reported in Apache Web server for Microsoft
Windows operating environments. The vulnerability exists in the way some
HTTP requests are handled by the Apache Server. Any HTTP requests that end
in some illegal characters will cause the server to disclose the contents
of certain files to a remote attacker.
It has been reported that an HTTP request that ends in the '>' character
will cause the Apache Web server to serve certain files to the remote
attacker. Any information obtained in this manner may be used by the
attacker to launch further attacks against a vulnerable system.
This vulnerability exists for Apache versions prior to 2.0.44 for
Microsoft Windows operating environments.
12. Apache Web Server Default Script Mapping Bypass Vulnerability
BugTraq ID: 6661
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6661
Summary:
Apache is a freely available Web server for Unix and Linux variants, as
well as Microsoft operating systems.
A vulnerability has been reported in the Apache Web server that may
result in the server bypassing existing default mappings when serving
files.
The vulnerability exists when making requests for files in directories
with extensions. The vulnerability may cause the Web server to incorrectly
parse the requested file.
An attacker may be able to make a request for
www.target.com/folder.php/test. The request for the file test should be
served as a text file but due to some flaws in the mapping algorithm, the
file 'test' will be interpreted as a PHP script.
This may have unintended consequences on users and the system.
This vulnerability was reported to affect Apache versions prior to 2.0.44.
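The request above, www.target.com/folder.php/test, is served wrongly because a directory component carrying a script extension is allowed to choose the handler for a file beneath it. The following is an added example (an illustrative model of the flaw class, not Apache's mapping code) contrasting a lookup that scans every URL component for a script extension with one that resolves the URL against the filesystem, stops at the first regular file, and lets only that file's extension pick the handler; everything after it is PATH_INFO. The miniature filesystem table is constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed miniature filesystem for the example (not a real disk). */
enum kind { NONE, DIRECTORY, REGULAR };

static enum kind lookup(const char *p)
{
    static const struct { const char *path; enum kind k; } fs[] = {
        { "/",                DIRECTORY },
        { "/folder.php",      DIRECTORY },   /* a directory named like a script */
        { "/folder.php/test", REGULAR   },   /* plain text file inside it */
        { "/script.php",      REGULAR   },   /* a genuine script */
        { "/notes.txt",       REGULAR   },
    };
    for (size_t i = 0; i < sizeof fs / sizeof fs[0]; i++)
        if (strcmp(fs[i].path, p) == 0) return fs[i].k;
    return NONE;
}

static int has_suffix(const char *s, size_t n, const char *suf)
{
    size_t m = strlen(suf);
    return n >= m && memcmp(s + n - m, suf, m) == 0;
}

/* Flawed mapping (illustrative): the first URL component that carries a script
 * extension selects the handler, even when that component is a directory. */
const char *handler_flawed(const char *url)
{
    const char *p = url;
    for (;;) {
        const char *e = strchr(p, '/');
        size_t n = e ? (size_t)(e - p) : strlen(p);
        if (has_suffix(p, n, ".php")) return "php";
        if (e == NULL) return "text";
        p = e + 1;
    }
}

/* Safer mapping: walk the URL prefix by prefix, stop at the first prefix that
 * resolves to a regular file, and let only that file's extension choose the
 * handler. The remainder is PATH_INFO and never influences the choice. */
const char *handler_by_resolved_file(const char *url)
{
    char prefix[256];
    size_t len = strlen(url);
    if (len >= sizeof prefix) return "error";
    for (size_t i = 1; i <= len; i++) {
        if (i < len && url[i] != '/') continue;   /* only at component ends */
        memcpy(prefix, url, i);
        prefix[i] = '\0';
        enum kind k = lookup(prefix);
        if (k == NONE) return "notfound";
        if (k == REGULAR)
            return has_suffix(prefix, i, ".php") ? "php" : "text";
    }
    return "text";   /* the URL names a directory */
}
```

The resolved-file rule keeps legitimate PATH_INFO working: "/script.php/extra" still goes to the script handler because "/script.php" is the regular file that was found, while "/folder.php/test" is served as text because the ".php" belongs to a directory.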
13. MTink Printer Status Monitor Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 6656
Remote: No
Date Published: Jan 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6656
Summary:
mtink is a printer status monitor for Linux operating systems. It is used
to monitor ink quantity, negotiate changing and cleaning of ink
cartridges, etc.
mtink is prone to a locally exploitable buffer overflow condition. This
is due to insufficient bounds checking of the $HOME environment variable.
An attacker may take advantage of this issue to corrupt sensitive regions
of memory, such as stack variables, with attacker-supplied values. This
may result in execution of arbitrary attacker-supplied code.
mtink is reportedly installed setgid 'sys' on Mandrake Linux, so it is
possible that this issue may be exploited to execute arbitrary code with
elevated privileges. Other distributions may also be affected if mtink is
installed or runs with elevated privileges.
14. YABB SE Packages.PHP Remote File Include Vulnerability
BugTraq ID: 6663
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6663
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for a number of platforms including Unix,
Linux, and Microsoft Windows operating systems.
YaBB SE allows remote users to influence the location of an external
script ('Packer.php') that is included by 'Packages.php'. A remote
attacker may exploit this condition to cause an external,
attacker-supplied file to be included by YaBB SE. If the attacker
includes malicious PHP code, then it may be executed.
This may allow a remote attacker to execute arbitrary commands in the
context of the webserver.
15. Kodak KCMS KCS_OPEN_PROFILE Procedure Arbitrary File Access...
The Kodak Color Management System (KCMS) is an image and video management
Application Programming Interface (API) for Unix, Linux, and Windows
Operating Systems. It is distributed and maintained by Kodak.
A problem could make it possible for a remote user to gain unauthorized
remote access to arbitrary files.
It has been reported that a problem exists in the Kodak Color Management
System (KCMS) due to the insecure handling of input. It may be possible
for a remote user to gain access to arbitrary files on a vulnerable host.
This could allow remote information gathering, leakage of sensitive
information, and potentially privilege elevation.
The problem occurs in the KCS_OPEN_PROFILE procedure. By exploiting a vulnerable
system running the kcms_server process, it is possible for a remote user
to download any file to which the kcms_server has read access. As the
kcms_server process is typically executed as root, this could be any file
on the target system. It should be noted that an attacker must use the
TT_ISBUILD procedure call of ToolTalk to exploit this issue.
16. PHPOutsourcing Zorum Remote Include Command Execution Vulnerability
BugTraq ID: 6669
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6669
Summary:
Zorum is a freely available, open source PHP forum. It is available for
UNIX, Linux, and Microsoft operating systems.
A problem could make it possible for remote users to execute arbitrary
commands.
It has been reported that Zorum may allow remote users to influence the
location of PHP includes. Because of this, it is possible for a remote
user to include an external arbitrary PHP script containing commands that
may be carried out on the vulnerable host.
This problem could allow a remote attacker to execute arbitrary code with
the privileges of the web server process. This could result in the attacker
gaining local access, and potentially elevated privileges.
17. YaBB SE News.PHP Remote File Include Vulnerability
BugTraq ID: 6674
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6674
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for a number of platforms including Unix,
Linux, and Microsoft Windows operating systems.
A vulnerability has been discovered in YaBB SE. Due to insufficient
sanitization of some user-supplied variables by the 'News.php' script, it
is possible for a remote attacker to include a malicious PHP file in a
URL.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the
'$template' parameter.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for YaBB SE 1.5.1 and earlier.
III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. Secure Web-Based Administration (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/307958
IV. NEW PRODUCTS FOR LINUX PLATFORM
-----------------------------------
1. Cisco VPN 5000 Series Concentrators
by Cisco Systems
Platforms: Linux, MacOS, Solaris, Windows 95/98, Windows NT
http://www.cisco.com/warp/public/cc/pd/hb/vp5000/
Summary:
The Cisco VPN 5000 series of concentrators, and associated VPN client
software, provide a comprehensive and flexible set of IPsec VPN
capabilities for both site to site and remote access services. This series
of products enables both customer premise equipment (CPE) and service
provider edge based deployments utilizing the most advanced high
performance encryption and authentication techniques available. The Cisco
VPN 5000 concentrator series is a feature rich carrier class VPN product
that supports the most demanding multiplatform, multiprotocol
environments.
2. Covalent Fast Start Server
by Covalent Technologies
Platforms: AIX, BSDI, DG-UX, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD,
Solaris, UNIX, Unixware
http://www.covalent.net/products/faststart/
Summary:
Covalent Fast Start Server automatically produces an Apache configuration
suitable for many enterprise applications. Because of Apache's
standards-based interoperability, Fast Start Server is able to serve as
the presentation layer for all major application servers, databases and
Web-based applications, reducing the complexity of Web infrastructures. It
includes a streamlined installer for rapid deployment.
3. DirectorySmart
by OpenNetwork Technologies
Platforms: AIX, HP-UX, Linux, Solaris, Windows NT
http://www.opennetwork.com/products/
Summary:
By defining and enforcing eBusiness rules through user security and secure
access, DirectorySmart enables eBusinesses to provide self-service
applications and create tight customer feedback loops. DirectorySmart
scales to millions of users and is designed for the largest and most
complex of computing environments. DirectorySmart makes it possible for
enterprises to manage information access for thousands, or even millions,
of users, all of whom require different levels of application access,
without adding dramatically to the burden on corporate IT departments or
risking the security of sensitive corporate data.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. radmind v0.9.3
by UMich RSUG
Relevant URL:
http://rsug.itd.umich.edu/software/radmind
Platforms: FreeBSD, Linux, MacOS, OpenBSD, Solaris, SunOS, UNIX
Summary:
radmind is a suite of Unix command-line tools and a server designed to
remotely administer the file systems of multiple Unix machines. At its
core, radmind operates as a tripwire. It is able to detect changes to any
managed filesystem object, e.g. files, directories, links, etc. However,
radmind goes further than just integrity checking: once a change is
detected, radmind can optionally reverse the change. Each managed machine
may have its own loadset composed of multiple, layered overloads. This
allows, for example, the operating system to be described separately from
applications. Loadsets are stored on a remote server. By updating a
loadset on the server, changes can be pushed to managed machines.
2. BENIDS v0.1.3
BENIDS is a pcap-based Network Intrusion Detection System for Linux. It
uses its own XML rule file format which allows arbitrary, complex boolean
matching conditions. It generates IDMEFv0.3 alert messages, and also
supports fragment and TCP stream reassembly.
3. Lepton's Crack v1.1
by Nekromancer nekromancer (at) eudoramail (dot) com
Relevant URL:
http://usuarios.lycos.es/reinob/
Platforms: Linux, POSIX, Windows 2000, Windows NT
Summary:
Lepton's Crack is a generic password cracker. It is easily-customizable
with a simple plugin system and allows system administrators to review the
quality of the passwords being used on their systems. It can perform a
dictionary-based (wordlist) attack as well as a brute force (incremental)
password scan. It supports standard MD4 hash, standard MD5 hash, NT
MD4/Unicode, and Lotus Domino HTTP password (R4) formats.
VI. SPONSOR INFORMATION
-----------------------
This newsletter is sponsored by: Black Hat (http://www.blackhat.com)
Spooked about Windows security? Find solutions instead. Plan now to
attend the Black Hat Briefings & Training Windows Security conference,
February 25-28 in Seattle, the world's premier technical event for Windows
and .Net security experts. This event is fully supported by Microsoft.
The Training on February 25-26 features 7 two-day courses on the hottest
subjects. The Briefings on February 27-28 features 30 of the top industry
speakers presenting topics in 6 tracks. Visit www.blackhat.com to see why
top security experts rave about the Black Hat Briefings.
-------------------------------------------------------------------------------
SecurityFocus Linux Newsletter #116
-----------------------------------
This newsletter is sponsored by: Black Hat (http://www.blackhat.com)
Spooked about Windows security? Find solutions instead. Plan now to
attend the Black Hat Briefings & Training Windows Security conference,
February 25-28 in Seattle, the world's premier technical event for Windows
and .Net security experts. This event is fully supported by Microsoft.
The Training on February 25-26 features 7 two-day courses on the hottest
subjects. The Briefings on February 27-28 features 30 of the top industry
speakers presenting topics in 6 tracks. Visit www.blackhat.com to see why
top security experts rave about the Black Hat Briefings.
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. SunScreen, Part One: An Overview of the Sun Microsystem Firewall
2. The Turkey that Bites
3. The Canary in the Data Mine
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12,2003,Orlando,FL)
II. LINUX VULNERABILITY SUMMARY
1. Blackboard Learning System search.pl SQL Injection Vulnerability
2. ESCPUtil Local Printer Name Buffer Overflow Vulnerability
3. Apache Web Server MS-DOS Device Name Denial Of Service...
4. GNU Mailman 'email' Cross Site Scripting Vulnerability
5. GNU Mailman Error Page Cross Site Scripting Vulnerability
6. MyRoom save_item.php Arbitrary File Upload Vulnerability
7. slocate Local Buffer Overrun Vulnerability
8. CVS Directory Request Double Free Heap Corruption Vulnerability
9. ModLogAn Remote Heap Corruption Vulnerability
10. Apache Web Server MS-DOS Device Name Arbitrary Code Execution...
11. Apache Web Server Illegal Character HTTP Request File...
12. Apache Web Server Default Script Mapping Bypass Vulnerability
13. MTink Printer Status Monitor Environment Variable Buffer...
14. YABB SE Packages.PHP Remote File Include Vulnerability
15. Kodak KCMS KCS_OPEN_PROFILE Procedure Arbitrary File Access...
16. PHPOutsourcing Zorum Remote Include Command Execution...
17. YaBB SE News.PHP Remote File Include Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. Secure Web-Based Administration (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORM
1. Cisco VPN 5000 Series Concentrators
2. Covalent Fast Start Server
3. DirectorySmart
V. NEW TOOLS FOR LINUX PLATFORMS
1. radmind v0.9.3
2. BENIDS v0.1.3
3. Lepton's Crack v1.1
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. SunScreen, Part One: An Overview of the Sun Microsystem Firewall
By Ido Dubrawsky
SunScreen is Sun Microsystem's firewall that runs under the Solaris
operating system. It provides for packet filtering, authentication and
data encryption as well as the creation of IPsec-based VPNs. This article
is the first of a two-part series that will offer a brief overview of the
implementation and administration of SunScreen.
http://online.securityfocus.com/infocus/1660
2. The Turkey that Bites
By Jon Lasser
With last week's RIAA worm hoax, the scallywags at Gobbles raised security
advisories to subversive performance art.
http://online.securityfocus.com/columnists/137
3. The Canary in the Data Mine
By Mark Rasch
At the turn of the century just past, mining companies would use a
brightly colored bird in the mine shaft to protect the lives of citizens.
These canaries were more sensitive to the foul, noxious and deadly but
invisible vapors that would otherwise threaten the lives of the mine shaft
workers. When the canaries died, the miners would know an invisible threat
existed.
http://online.securityfocus.com/columnists/136
4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today?s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Blackboard Learning System search.pl SQL Injection Vulnerability
BugTraq ID: 6655
Remote: Yes
Date Published: Jan 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6655
Summary:
Blackboard Learning system is a suite of software products available for
Microsoft Windows, Linux and Solaris servers that power an "e-Education
Infrastructure" for education providers.
Blackboard Learning System, in some cases, does not sufficiently sanitize
user-supplied input which is used when constructing SQL queries. As a
result, attackers may supply malicious parameters to manipulate the
structure and logic of SQL queries. This may result in unauthorized
operations being performed on the underlying database.
This vulnerability was reported to exist in the search.pl script (the
address book search feature). A remote attacker can exploit it to
brute-force user account names. It may also be possible to conduct other
attacks, such as executing stored procedures and exploiting
vulnerabilities in the database server.
This vulnerability was reported for Blackboard Learning System 5.5.1,
level 1 and 2. Previous releases may also be affected.
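The advisory above describes the mechanism only in general terms. The
following is an added example written for this newsletter entry, not code
from Blackboard: a concatenated LIKE query of the kind search.pl is
reported to build, reproduced in Python against an in-memory SQLite table
(the table, columns and sample users are constructed), next to the
parameterized form, with the kind of account-probing payload the advisory
alludes to.

```python
import sqlite3

# Constructed sample address book; the table and columns are assumptions,
# not Blackboard's schema.
SAMPLE_USERS = [
    ("alice", "Alice Adams", "alice@example.edu"),
    ("bob", "Bob Brown", "bob@example.edu"),
]


def make_db():
    """In-memory database standing in for the Blackboard back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, fullname TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def search_vulnerable(db, term):
    """Search as the advisory describes it: the user-supplied term is
    spliced into the SQL text, so quotes in it rewrite the query."""
    sql = ("SELECT username, fullname FROM users "
           "WHERE fullname LIKE '%" + term + "%'")
    return db.execute(sql).fetchall()


def search_safe(db, term):
    """Same search with a bound parameter: the term is data, never SQL."""
    sql = "SELECT username, fullname FROM users WHERE fullname LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


def probe_username(db, search, candidate):
    """Account brute-forcing through the search feature: the payload closes
    the LIKE literal, appends a condition on the username column and
    comments out the rest of the original query. A non-empty result
    confirms that the candidate account exists."""
    payload = "zzz%' OR username = '" + candidate + "' --"
    return bool(search(db, payload))


if __name__ == "__main__":
    db = make_db()
    for user in ("alice", "carol"):
        print(user, "exists (vulnerable):", probe_username(db, search_vulnerable, user))
        print(user, "exists (safe):", probe_username(db, search_safe, user))
```

Run the file to see the probe confirm 'alice' and deny 'carol' through the
vulnerable search while the parameterized search confirms neither. The fix
is not to filter quote characters out of the term but to keep user input
out of the SQL text altogether.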
2. ESCPUtil Local Printer Name Buffer Overflow Vulnerability
BugTraq ID: 6658
Remote: No
Date Published: Jan 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6658
Summary:
escputil is a freely available, open source printer utility for the Linux
operating system. It is publicly maintained.
A buffer overflow has been reported in escputil. The problem is due to
insufficient bounds checking on the value supplied as the argument of the
-P command line parameter (the printer name). A malicious local user can
use it to corrupt sensitive regions of memory with attacker-supplied
values.
escputil is reportedly installed setgid 'sys' on Mandrake Linux, so it is
possible that this issue may be exploited to execute arbitrary code with
elevated privileges. Other distributions may also be affected if the
utility is installed or runs with elevated privileges.
It should also be noted that this program is included with a number of
other packages for printing on Linux systems.
3. Apache Web Server MS-DOS Device Name Denial Of Service Vulnerability
BugTraq ID: 6662
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6662
Summary:
Apache is a freely available Web server for Unix and Linux variants, as
well as Microsoft operating systems.
A vulnerability has been reported in Apache Web server for Microsoft
Windows 9x/Me operating environments. The vulnerability exists in the way
some HTTP requests are handled by the Apache Web server. Specifically,
HTTP requests that involve MS-DOS device names may cause the Apache Web
server to crash.
An attacker can exploit this vulnerability by sending a malformed HTTP GET
request to the Apache server using a reserved MS-DOS device name such as
'aux'. When the server receives this request it will crash.
This vulnerability exists for Apache versions prior to 2.0.44 for
Microsoft Windows 9x/Me operating environments.
4. GNU Mailman 'email' Cross Site Scripting Vulnerability
BugTraq ID: 6677
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6677
Summary:
Mailman is software to help manage email discussion lists, much like
Majordomo and SmartList. It is written and maintained by the GNU Project
and is available for the Linux and Unix operating systems.
A cross site scripting vulnerability has been discovered in GNU Mailman.
The issue occurs due to insufficient sanitization of URI parameters.
Specifically, the 'email' URI parameter is not correctly filtered for
embedded HTML or script code.
As a result, attackers may embed malicious script code or HTML into a link
to a site running the vulnerable software. When this link is followed by a
web user, the attacker-supplied code will be interpreted in their web
browser in the security context of the site hosting the software.
It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. Other
attacks are also possible.
5. GNU Mailman Error Page Cross Site Scripting Vulnerability
BugTraq ID: 6678
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6678
Summary:
Mailman is software to help manage email discussion lists, much like
Majordomo and SmartList. It is written and maintained by the GNU Project
and is available for the Linux and Unix operating systems.
A cross site scripting vulnerability has been discovered in GNU Mailman.
The issue occurs due to insufficient sanitization of URI parameters.
Specifically, the 'language' variable is not sufficiently sanitized before
being included in error pages.
As a result, attackers may embed malicious script code or HTML into a link
to a site running the vulnerable software. When this link is followed by a
web user, the attacker-supplied code will be interpreted in their web
browser in the security context of the site hosting the software.
It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. Other
attacks are also possible.
It has been reported that GNU Mailman 2.0.11 is not affected by this
issue.
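As an added illustration of the two Mailman issues above (items 4 and 5),
not taken from Mailman's code: a page rendered from a request URL, once with
the 'email' and 'language' parameters echoed raw and once escaped for the
HTML context each lands in, with unrecognised language values not echoed at
all. The markup fragments and the set of known languages are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist standing in for the languages a list actually offers.
KNOWN_LANGUAGES = {"en", "de", "fr"}


def _params(url):
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return q.get("email", [""])[0], q.get("language", [""])[0]


def render_vulnerable(url):
    """Reflects both parameters unescaped: 'email' into an attribute value,
    'language' into an error message, as the two advisories describe."""
    email, language = _params(url)
    return ('<input name="email" value="%s">'
            '<p>Unknown language: %s</p>') % (email, language)


def render_safe(url):
    """Escapes for the context written into (quote=True also covers the
    attribute case) and never echoes an unrecognised language value."""
    email, language = _params(url)
    if language in KNOWN_LANGUAGES:
        lang_msg = "Language: " + language
    else:
        lang_msg = "Unknown language"
    return ('<input name="email" value="%s">'
            '<p>%s</p>') % (html.escape(email, quote=True), html.escape(lang_msg))


def scripts_injected(page):
    """Crude check used below: does a raw <script> tag appear in the output?"""
    return "<script" in page.lower()
```

The attribute case matters: a payload starting with a double quote breaks
out of value="..." even if angle brackets were the only thing being
filtered, which is why escaping must match the context, not just strip
tags.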
6. MyRoom save_item.php Arbitrary File Upload Vulnerability
BugTraq ID: 6644
Remote: Yes
Date Published: Jan 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6644
Summary:
MyRoom is an online item management system implemented in PHP. It is
available for a variety of platforms including Linux variant operating
systems and Microsoft Windows.
A problem with MyRoom may make it possible for remote attackers to upload
files to a vulnerable system.
Due to inadequate security checks performed by some PHP scripts, an
attacker is able to upload arbitrary files to the system. The
room/save_item.php script has been reported to be vulnerable to this
issue.
Specifically, the script checks only the name of the file to be uploaded
for an allowed image extension, not its contents, so any file whose name
includes one of the allowed extensions may be uploaded. Uploaded files are
stored in the 'img/photo' folder; if the web server is willing to execute
scripts from that location, an uploaded PHP file can be run simply by
requesting it.
Given the ability to upload arbitrary files to the host, an attacker can
exploit this vulnerability to place malicious applications on the
vulnerable system or to use the system for the storage of files.
This vulnerability was reported for MyRoom 3.5 GOLD.
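An added example of the difference between the check the advisory describes
and one that holds up; this is illustrative code, not MyRoom's
save_item.php. The extension list is assumed; the magic-number table holds
the standard leading bytes of JPEG, GIF and PNG files.

```python
import os
import secrets

ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}

# Leading bytes of the accepted image formats (standard magic numbers),
# mapped to the extension they belong with.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\x89PNG\r\n\x1a\n": ".png",
}


def accept_vulnerable(filename):
    """The check the advisory describes: the upload is allowed if an image
    extension appears anywhere in the name, so 'shell.jpg.php' passes."""
    name = filename.lower()
    return any(ext in name for ext in ALLOWED_EXT)


def accept_safe(filename, data):
    """Decide on the final extension only, and require the file's leading
    bytes to match that format. Returns the canonical extension or None."""
    root, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if not root or ext not in ALLOWED_EXT:
        return None
    for magic, magic_ext in MAGIC.items():
        if data.startswith(magic):
            return ext if magic_ext == ext else None
    return None


def stored_name(ext):
    """Never keep the client's file name: store under a random server-chosen
    name carrying the verified extension."""
    return secrets.token_hex(16) + ext
```

Checking the content as well as the name closes the 'shell.jpg.php' case
and the 'photo.jpg that is really PHP' case; discarding the client's name
also removes path components such as '../' from the picture entirely.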
7. slocate Local Buffer Overrun Vulnerability
BugTraq ID: 6676
Remote: No
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6676
Summary:
Secure Locate (slocate) provides a secure way to index and quickly search
for files on your system. It is available for the Linux and Unix operating
systems. Typically slocate is installed with setgid 'slocate' privileges.
A buffer overrun vulnerability has been discovered in slocate. The issue
occurs when 1024, or more, bytes of data are supplied to both the regex
('-r') and the parse /etc/updatedb.conf ('-c') command line arguments.
This issue occurs due to insufficient bounds checking on user-supplied
input.
A malicious local user may be able to exploit this issue to overwrite
sensitive locations in memory. For instance, by overwriting the program's
saved instruction pointer it may be possible to redirect execution to
attacker-supplied instructions. As slocate is typically installed setgid,
any code the attacker executes will run with group 'slocate' privileges.
That group is what protects the locate database, so at minimum the
attacker gains the ability to read the names of files in directories that
are otherwise not listable to them, and may leverage this privilege
escalation to exploit the target system further.
It should be noted that this issue has been reportedly verified on RedHat
7.3 and 7.2. RedHat 6.2 appears to be immune to this issue. It has not yet
been verified whether other versions are also affected.
8. CVS Directory Request Double Free Heap Corruption Vulnerability
BugTraq ID: 6650
Remote: Yes
Date Published: Jan 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6650
Summary:
CVS is the Concurrent Versions System, a freely available, open source
version control package for the Unix, Linux, and Microsoft Windows
platforms.
CVS is prone to a double free vulnerability in Directory requests.
Malformed Directory requests may potentially cause dynamically allocated
memory to be de-allocated twice, using the free() function.
An attacker may potentially take advantage of this issue to cause heap
memory to be corrupted with attacker-supplied values, which may result in
execution of arbitrary code in the security context of the CVS server.
9. ModLogAn Remote Heap Corruption Vulnerability
BugTraq ID: 6652
Remote: Yes
Date Published: Jan 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6652
Summary:
ModLogAn is a modular logfile analyzer which parses logfiles generated by
several server types including HTTP and FTP. It is available for the Unix
and Linux operating systems.
A vulnerability has been discovered in ModLogAn. The problem occurs when a
URL is decoded by the url_decode() function. When url_decode() encounters a
percent character ('%') in a URL, it assumes that the following two bytes
are hexadecimal digits and reduces the length counter used to size the
decoded string by two. If the bytes following the percent character are
not hexadecimal digits, the decoded data may be larger than the buffer
allocated for it.
By generating a malicious log entry containing a URL with a large number of
percent characters designed to trigger the issue (for example by requesting
such a URL from a web server whose logs are later processed), it may be
possible for an attacker to corrupt heap memory.
Exploiting this issue to overwrite a malloc() header may make it possible
to overwrite an arbitrary word in memory when the corrupted chunk is
freed. This may result in arbitrary attacker-supplied instructions being
executed with the privileges of the ModLogAn process.
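To make the size miscount concrete, here is an added example in Python,
not ModLogAn's code. One function reproduces the accounting the advisory
describes, subtracting two from the length for every '%' regardless of what
follows; a decoder then shows how many bytes actually get written. That the
buggy decoder copies a malformed '%' through literally is an assumption on
my part, since the advisory gives only the size calculation. A C program
doing the same would write past the end of its malloc()ed chunk where this
simulation raises OverflowError.

```python
HEXDIGITS = set("0123456789abcdefABCDEF")


def naive_alloc_size(url):
    """Buffer size the accounting in the advisory arrives at: every '%' is
    taken to be a three-byte escape that decodes to one byte, so the length
    counter drops by two per '%' no matter what follows. One byte is added
    for the terminating NUL and the result is never allowed below that."""
    return max(1, len(url) - 2 * url.count("%") + 1)


def url_decode(url):
    """Decoder that consumes '%XX' only when both X are hex digits and
    copies a malformed '%' through unchanged (an assumption about the buggy
    decoder's output; the advisory describes only the size calculation)."""
    out = []
    i = 0
    while i < len(url):
        c = url[i]
        if (c == "%" and i + 2 < len(url)
                and url[i + 1] in HEXDIGITS and url[i + 2] in HEXDIGITS):
            out.append(chr(int(url[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(c)
            i += 1
    return "".join(out)


def safe_alloc_size(url):
    """Correct size: derived from what the decoder really emits."""
    return len(url_decode(url)) + 1


def decode_into_buffer(url, size):
    """Models the C decoder writing into a heap buffer of 'size' bytes. Where
    a C program would silently overwrite the neighbouring malloc() chunk,
    this raises OverflowError."""
    decoded = url_decode(url)
    if len(decoded) + 1 > size:
        raise OverflowError("%d bytes written into a %d-byte buffer"
                            % (len(decoded) + 1, size))
    return decoded


def would_overflow(url):
    """True if decoding 'url' into a naively sized buffer writes past its end."""
    try:
        decode_into_buffer(url, naive_alloc_size(url))
    except OverflowError:
        return True
    return False
```

Every '%' that is not followed by two hex digits costs two bytes of slack
the allocation does not have, so a URL consisting of nothing but percent
signs drives the computed size to its floor while the output is as long as
the input. Sizing from the decoder's real output (or equivalently, only
subtracting when the two hex digits are actually present) removes the gap.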
10. Apache Web Server MS-DOS Device Name Arbitrary Code Execution Vulnerability
BugTraq ID: 6659
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6659
Summary:
Apache is a freely available Web server for Unix and Linux variants, as
well as Microsoft operating systems.
A vulnerability has been reported in Apache Web server for Microsoft
Windows 9x/Me operating environments. The vulnerability exists in the way
some HTTP requests are handled by the Apache Web server. Specifically, the
issue exists due to the way some CGI input is redirected when the
ScriptAlias directive is enabled.
The ScriptAlias directive maps URLs to paths residing outside the
DocumentRoot and marks the target directory as containing only CGI
scripts.
An attacker can exploit this vulnerability by making a malformed HTTP POST
request for 'con.xxx' in a directory enabled with ScriptAlias. When the
POST data is handed to the CGI, attacker-supplied code may be executed by
the requested CGI.
This vulnerability exists for Apache versions prior to 2.0.44 for
Microsoft Windows 9x/Me operating environments.
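Both Apache items above (3 and 10) come down to the same property of the
Windows filesystem layer: a path component whose name, before its first
dot, is a reserved device name opens the device rather than a file, so
'aux' and 'con.xxx' never reach the disk. The following is an added
example, not Apache's code, of a pre-filter a server or CGI wrapper could
apply to request paths before touching the filesystem; the device list is
the classic MS-DOS set.

```python
from urllib.parse import unquote

# Reserved MS-DOS device names. COM0 and LPT0 are not in the classic set.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {"COM%d" % i for i in range(1, 10)}
RESERVED |= {"LPT%d" % i for i in range(1, 10)}


def is_dos_device_name(segment):
    """True if a single path component names a device. Windows matches the
    part before the first dot, ignoring case and trailing spaces, so 'aux',
    'AUX.txt' and 'con.xxx' all open the device rather than a file."""
    base = segment.split(".", 1)[0].rstrip(" ").upper()
    return base in RESERVED


def request_path_is_safe(path):
    """Reject a request path if any component is a device name. Percent
    escapes are decoded and backslashes treated as separators first, since
    both reach the filesystem layer in their decoded form."""
    decoded = unquote(path).replace("\\", "/")
    return not any(is_dos_device_name(seg) for seg in decoded.split("/") if seg)
```

The check has to run on the decoded path: a request for '/cgi-bin/%61ux'
looks harmless as text but is 'aux' by the time the server opens it.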
11. Apache Web Server Illegal Character HTTP Request File Disclosure Vulnerability
BugTraq ID: 6660
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6660
Summary:
Apache is a freely available Web server for Unix and Linux variants, as
well as Microsoft operating systems.
A vulnerability has been reported in Apache Web server for Microsoft
Windows operating environments. The vulnerability exists in the way some
HTTP requests are handled by the Apache server: requests that end in
certain illegal characters cause the server to disclose the contents of
certain files to a remote attacker.
It has been reported that an HTTP request ending in the '>' character will
cause the Apache Web server to serve such files to the remote attacker.
Any information obtained in this manner may be used by the attacker to
launch further attacks against a vulnerable system.
This vulnerability exists for Apache versions prior to 2.0.44 for
Microsoft Windows operating environments.
12. Apache Web Server Default Script Mapping Bypass Vulnerability
BugTraq ID: 6661
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6661
Summary:
Apache is a freely available Web server for Unix and Linux variants, as
well as Microsoft operating systems.
A vulnerability has been reported in the Apache Web server that may cause
it to bypass its default handler mappings when serving files.
The problem arises with requests for files inside directories whose names
carry an extension; the server may choose the handler for the requested
file incorrectly.
For example, an attacker may request www.target.com/folder.php/test. The
file 'test' should be served as a plain text file, but because of a flaw in
the mapping algorithm it is interpreted as a PHP script.
Content that was never meant to be executed may thus be run as a script,
with consequences for both users and the system.
This vulnerability was reported to affect Apache versions prior to 2.0.44.
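An added example of the two mapping behaviours described above, in Python
rather than Apache's C and with a constructed handler table and a tiny
in-memory filesystem standing in for the configuration and document root.
The first resolver takes its handler from any path component with a known
extension; the second walks the path until it hits a regular file, treats
the remainder as PATH_INFO, and chooses the handler from that file alone.

```python
import posixpath

# Constructed handler map and mini filesystem; neither is Apache's data.
HANDLERS = {".php": "php-script", ".pl": "cgi-script"}
DIRS = {"/", "/folder.php"}
FILES = {"/folder.php/test", "/index.php"}


def handler_vulnerable(request_path):
    """Chooses the handler from the first path component carrying a known
    extension, which is the effect the advisory describes: 'test' inside a
    directory named 'folder.php' is handed to the PHP handler."""
    for seg in request_path.split("/"):
        ext = posixpath.splitext(seg)[1].lower()
        if ext in HANDLERS:
            return HANDLERS[ext]
    return "default-handler"


def resolve(request_path):
    """Walk the path left to right until a component is a regular file; that
    is the file to serve and anything after it is PATH_INFO. Returns
    (file, path_info), or (None, '') if the walk leaves the tree."""
    parts = [p for p in request_path.split("/") if p]
    current = ""
    for i, part in enumerate(parts):
        current += "/" + part
        if current in FILES:
            rest = parts[i + 1:]
            return current, ("/" + "/".join(rest)) if rest else ""
        if current not in DIRS:
            return None, ""
    return None, ""


def handler_safe(request_path):
    """Picks the handler from the extension of the resolved file only;
    directory names along the way never influence the choice."""
    target, _ = resolve(request_path)
    if target is None:
        return "not-found"
    return HANDLERS.get(posixpath.splitext(target)[1].lower(), "default-handler")
```

With the second resolver a request for /index.php/extra still reaches the
PHP handler with PATH_INFO '/extra', which is the legitimate use of the
mechanism, while /folder.php/test is served as the plain file it is.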
13. MTink Printer Status Monitor Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 6656
Remote: No
Date Published: Jan 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6656
Summary:
mtink is a printer status monitor for Linux operating systems. It is used
to monitor ink levels and to handle changing and cleaning of ink
cartridges, among other tasks.
mtink is prone to a locally exploitable buffer overflow condition. This
is due to insufficient bounds checking of the $HOME environment variable.
An attacker may take advantage of this issue to corrupt sensitive regions
of memory, such as stack variables, with attacker-supplied values. This
may result in execution of arbitrary attacker-supplied code.
mtink is reportedly installed setgid 'sys' on Mandrake Linux, so it is
possible that this issue may be exploited to execute arbitrary code with
elevated privileges. Other distributions may also be affected if mtink is
installed or runs with elevated privileges.
14. YABB SE Packages.PHP Remote File Include Vulnerability
BugTraq ID: 6663
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6663
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for a number of platforms, including Unix,
Linux, and Microsoft Windows operating systems.
YaBB SE allows remote users to influence the location of an external
script ('Packer.php') that is included by the 'Packages.php' script. A
remote attacker may exploit this condition to cause an external,
attacker-supplied file to be included by YaBB SE. If the attacker
includes malicious PHP code, then it may be executed.
This may allow a remote attacker to execute arbitrary commands in the
context of the webserver.
15. Kodak KCMS KCS_OPEN_PROFILE Procedure Arbitrary File Access Vulnerability
BugTraq ID: 6665
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6665
Summary:
The Kodak Color Management System (KCMS) is a color management Application
Programming Interface (API) for Unix, Linux, and Windows operating
systems. It is distributed and maintained by Kodak.
It has been reported that a problem exists in KCMS due to insecure
handling of input, which may allow a remote user to gain access to
arbitrary files on a vulnerable host. This could allow remote information
gathering, leakage of sensitive information, and potentially privilege
elevation.
The problem occurs in the KCS_OPEN_PROFILE procedure. By exploiting a
vulnerable system running the kcms_server process, a remote user can
download any file to which kcms_server has read access. As kcms_server is
typically executed as root, this could be any file on the target system.
It should be noted that an attacker must use the TT_ISBUILD procedure
call of ToolTalk to exploit this issue.
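The advisory does not say how KCS_OPEN_PROFILE turns the caller's profile
name into a path, so the following added example shows only the general
check a root-running server needs when a client names a file: resolve the
request against the profile directory and refuse anything that ends up
outside it, including symlinks. This is illustrative Python, not
kcms_server's code, and the profile directory location is assumed.

```python
import os
import tempfile

# Assumed location of the profile directory; the real kcms_server layout is
# not given in the advisory.
PROFILE_ROOT = "/etc/openwin/devdata/profiles"


def profile_path_vulnerable(root, name):
    """Trusts the client-supplied profile name: '..' components walk out of
    the directory, and os.path.join discards 'root' entirely if 'name' is
    absolute."""
    return os.path.join(root, name)


def profile_path_safe(root, name):
    """Resolve symlinks and '..' on both sides, then require the result to
    stay inside the profile directory. Returns the canonical path or None."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo():
    """Builds a throwaway profile directory with a legitimate profile, a file
    outside it and a symlink inside pointing at that file; reports how each
    version of the check treats four constructed requests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "profiles")
        os.mkdir(root)
        open(os.path.join(root, "good.icc"), "w").close()
        secret = os.path.join(tmp, "secret.txt")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(root, "link.icc"))
        return {
            "good": profile_path_safe(root, "good.icc") is not None,
            "traversal": profile_path_safe(root, "../secret.txt") is None,
            "absolute": profile_path_safe(root, "/etc/passwd") is None,
            "symlink": profile_path_safe(root, "link.icc") is None,
            "vuln_absolute": profile_path_vulnerable(root, "/etc/passwd") == "/etc/passwd",
        }
```

A plain string-prefix comparison would pass the 'link.icc' case, since the
name itself lives under the profile directory; comparing canonical paths
after realpath() is what catches it. Privilege separation would still be
the stronger fix: a server that reads profiles for clients has no need to
do so as root.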
16. PHPOutsourcing Zorum Remote Include Command Execution Vulnerability
BugTraq ID: 6669
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6669
Summary:
Zorum is a freely available, open source PHP forum. It is available for
UNIX, Linux, and Microsoft operating systems.
A problem could make it possible for remote users to execute arbitrary
commands.
It has been reported that Zorum may allow remote users to influence the
location of PHP includes. Because of this, a remote user can cause an
external, arbitrary PHP script containing commands to be included and
carried out on the vulnerable host.
This problem could allow a remote attacker to execute arbitrary code with
the privileges of the web server process. This could result in the
attacker gaining local access, and potentially elevated privileges.
17. YaBB SE News.PHP Remote File Include Vulnerability
BugTraq ID: 6674
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6674
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for a number of platforms, including Unix,
Linux, and Microsoft Windows operating systems.
A vulnerability has been discovered in YaBB SE. Due to insufficient
sanitization of some user-supplied variables by the 'News.php' script, a
remote attacker can cause the script to include a PHP file specified in
the URL.
An attacker may exploit this by supplying, as the value of the '$template'
parameter, the path to a maliciously created file located on an
attacker-controlled host.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for YaBB SE 1.5.1 and earlier.
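Items 14, 16 and 17 above are the same class of flaw: an include path
assembled from a request parameter. The following added example, written
for this summary and not taken from YaBB SE or Zorum, contrasts that
pattern with a resolver that maps the parameter onto a fixed set of local
files. The template directory, allowlist and parameter values are
constructed.

```python
import os
import re
from urllib.parse import urlsplit

# Assumed layout and allowlist; the directory and template names are
# constructed for this example.
TEMPLATE_DIR = "/var/www/forum/Templates"
TEMPLATES = {"default", "classic"}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def include_target_vulnerable(template):
    """What an include built from the request amounts to, e.g.
    require($template . '.php'): the caller decides what gets loaded, and
    with allow_url_fopen enabled a URL here fetches and runs remote PHP."""
    return template + ".php"


def is_remote(path):
    """True if the include target carries a URL scheme (http://, ftp://...)."""
    return urlsplit(path).scheme != ""


def include_target_safe(template):
    """Map the request value onto a fixed set of local files: a strict name
    pattern (no slashes, dots or colons, so neither URLs nor traversal) and
    an explicit allowlist. Returns the path to include or None to refuse."""
    if not template or not NAME_RE.fullmatch(template):
        return None
    if template not in TEMPLATES:
        return None
    return os.path.join(TEMPLATE_DIR, template + ".php")
```

Disabling allow_url_fopen in php.ini stops the remote variant but leaves
local file inclusion ('../../etc/passwd' or a previously uploaded file)
intact, which is why the resolver refuses anything that is not a known
template name rather than merely anything that looks like a URL.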
III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. Secure Web-Based Administration (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/307958
IV. NEW PRODUCTS FOR LINUX PLATFORM
-----------------------------------
1. Cisco VPN 5000 Series Concentrators
by Cisco Systems
Platforms: Linux, MacOS, Solaris, Windows 95/98, Windows NT
http://www.cisco.com/warp/public/cc/pd/hb/vp5000/
Summary:
The Cisco VPN 5000 series of concentrators, and associated VPN client
software, provide a comprehensive and flexible set of IPsec VPN
capabilities for both site to site and remote access services. This series
of products enables both customer premise equipment (CPE) and service
provider edge based deployments utilizing the most advanced high
performance encryption and authentication techniques available. The Cisco
VPN 5000 concentrator series is a feature rich carrier class VPN product
that supports the most demanding multiplatform, multiprotocol
environments.
2. Covalent Fast Start Server
by Covalent Technologies
Platforms: AIX, BSDI, DG-UX, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD,
Solaris, UNIX, Unixware
http://www.covalent.net/products/faststart/
Summary:
Covalent Fast Start Server automatically produces an Apache configuration
suitable for many enterprise applications. Because of Apache's
standards-based interoperability, Fast Start Server is able to serve as
the presentation layer for all major application servers, databases and
Web-based applications, reducing the complexity of Web infrastructures. It
includes a streamlined installer for rapid deployment.
3. DirectorySmart
by OpenNetwork Technologies
Platforms: AIX, HP-UX, Linux, Solaris, Windows NT
http://www.opennetwork.com/products/
Summary:
By defining and enforcing eBusiness rules through user security and secure
access, DirectorySmart enables eBusinesses to provide self-service
applications and create tight customer feedback loops. DirectorySmart
scales to millions of users and is designed for the largest and most
complex of computing environments. DirectorySmart makes it possible for
enterprises to manage information access for thousands, or even millions,
of users, all of whom require different levels of application access,
without adding dramatically to the burden on corporate IT departments or
risking the security of sensitive corporate data.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. radmind v0.9.3
by UMich RSUG
Relevant URL:
http://rsug.itd.umich.edu/software/radmind
Platforms: FreeBSD, Linux, MacOS, OpenBSD, Solaris, SunOS, UNIX
Summary:
radmind is a suite of Unix command-line tools and a server designed to
remotely administer the file systems of multiple Unix machines. At its
core, radmind operates as a tripwire. It is able to detect changes to any
managed filesystem object, e.g. files, directories, links, etc. However,
radmind goes further than just integrity checking: once a change is
detected, radmind can optionally reverse the change. Each managed machine
may have its own loadset composed of multiple, layered overloads. This
allows, for example, the operating system to be described separately from
applications. Loadsets are stored on a remote server. By updating a
loadset on the server, changes can be pushed to managed machines.
2. BENIDS v0.1.3
by lifeonmars
Relevant URL:
http://www.marlboro.edu/~ttoomey/benids/
Platforms: Linux, POSIX
Summary:
BENIDS is a pcap-based Network Intrusion Detection System for Linux. It
uses its own XML rule file format which allows arbitrary, complex boolean
matching conditions. It generates IDMEFv0.3 alert messages, and also
supports fragment and TCP stream reassembly.
3. Lepton's Crack v1.1
by Nekromancer <nekromancer (at) eudoramail (dot) com>
Relevant URL:
http://usuarios.lycos.es/reinob/
Platforms: Linux, POSIX, Windows 2000, Windows NT
Summary:
Lepton's Crack is a generic password cracker. It is easily-customizable
with a simple plugin system and allows system administrators to review the
quality of the passwords being used on their systems. It can perform a
dictionary-based (wordlist) attack as well as a brute force (incremental)
password scan. It supports standard MD4 hash, standard MD5 hash, NT
MD4/Unicode, and Lotus Domino HTTP password (R4) formats.
VI. SPONSOR INFORMATION
-----------------------
This newsletter is sponsored by: Black Hat (http://www.blackhat.com)