Linux Security News
SecurityFocus Linux Newsletter #129 Apr 28 2003 08:20PM
John Boletta (jboletta securityfocus com)

SecurityFocus Linux Newsletter #129
-----------------------------------

This issue is sponsored by: FastTrain

FastTrain has your solution for a great CISSP Boot Camp. The industry's
most recognized corporate security certification track provides a
comprehensive prospectus based upon the core principle concepts of
security. This ALL INCLUSIVE curriculum utilizes lectures, case studies
and true hands-on utilization of pertinent security tools. For a limited
time you can enter for a chance to win one of the latest technological
innovations, the SEGWAY HT.

Log onto http://www.fasttraincamp.com.
-------------------------------------------------------------------------------

I. FRONT AND CENTER
1. Anti-Virus Defence In Depth
2. Al-Jazeera, the First Amendment, and Security Professionals
3. SecurityFocus DPP Program
II. LINUX VULNERABILITY SUMMARY
1. Rinetd Connection List Resizing Denial of Service Vulnerability
2. Central Command Vexira Antivirus Buffer Overflow Vulnerability
3. YaBB SE Language Remote File Include Vulnerability
4. OpenBB Index.PHP Remote SQL Injection Vulnerability
5. Mod_NTLM Authorization Format String Vulnerability
6. PT News Unauthorized Administrative Access Vulnerability
7. OpenBB Board.PHP Remote SQL Injection Vulnerability
8. SAP Database Development Tools INSTDBMSRV INSTROOT...
9. Xinetd Rejected Connection Memory Leakage Denial Of Service...
10. Mod_NTLM Authorization Heap Overflow Vulnerability
11. SAP Database Development Tools INSTLSERVER INSTROOT...
12. MIME-Support Package Insecure Temporary File Creation...
13. OpenBB Member.PHP Remote SQL Injection Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. Linux Security Courses (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. AppAudit
2. FloodGuard
3. Sourcefire Intrusion Management System
V. NEW TOOLS FOR LINUX PLATFORMS
1. Crash Core Analysis Suite v3.3
2. In Memory Core Dump v3.1.4
3. FloodGuard Alert v2_2p3
VI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Anti-Virus Defence In Depth
by Ken Bechtel

Lately it seems I can't open my inbox without seeing a new article on
defence in depth. This is fine: defence in depth is crucial to anti-virus
protection. Unfortunately, most of the articles are missing two crucial
components. To understand what is being missed, we need to look at what is
meant by defence in depth as it applies in the malicious software world.
For the purpose of this paper, when referring to defence in depth, we will
be specifically talking about the utilization of anti-virus software, and
other methods to provide a multi-layered anti-malware defence in a
corporate environment.

http://www.securityfocus.com/infocus/1687

2. Al-Jazeera, the First Amendment, and Security Professionals
By Scott Granneman

While attempts to disrupt Web broadcasts of Al-Jazeera may seem like a
distant concern, they reflect the problems that should concern security
professionals everywhere.

http://www.securityfocus.com/columnists/156

3. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

II. BUGTRAQ SUMMARY
-------------------
1. Rinetd Connection List Resizing Denial of Service Vulnerability
BugTraq ID: 7377
Remote: Yes
Date Published: Apr 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7377
Summary:

rinetd is a small server designed to redirect connections from one IP
address and port to another. It is available for the Microsoft Windows and
Linux operating systems.

By default rinetd allocates space for a list of 64 connections. When this
64-connection limit is reached, the program attempts to reallocate the
buffer to accommodate additional connections. A flaw has been discovered in
the reallocation process that may allow an attacker to trigger a denial of
service.

Specifically, a buffer overflow may be triggered after attempting to
reallocate memory. This is due to the buffer being reallocated
incorrectly. As a result, when a new connection is established the
information will be written past the buffer. This may result in a
segmentation violation and cause the process to crash.

It should be noted that, although unconfirmed, if the data written past the
buffer can be controlled by an attacker, it may be possible to exploit this
issue to execute arbitrary code.

This vulnerability affects rinetd 0.61 and earlier.
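The safe counterpart to the reallocation the advisory describes, as an added example (not rinetd's code; the connection_t/conn_table_t types and function names are hypothetical): a connection table that starts at 64 slots, grows by doubling, and checks count against capacity before every write, so a new connection is never written past the buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Connection table modelled on the advisory: 64 slots by default, grown by
 * reallocation once full. Hypothetical types and names, not rinetd's code. */
#define INITIAL_CONNECTIONS 64

typedef struct {
    int client_fd;
    int server_fd;
} connection_t;

typedef struct {
    connection_t *slots;
    size_t count;     /* slots in use */
    size_t capacity;  /* slots actually allocated */
} conn_table_t;

int conn_table_init(conn_table_t *t) {
    t->slots = calloc(INITIAL_CONNECTIONS, sizeof *t->slots);
    if (!t->slots) return -1;
    t->count = 0;
    t->capacity = INITIAL_CONNECTIONS;
    return 0;
}

/* Double the table. The new size is overflow-checked before realloc(), the
 * old pointer stays valid if realloc() fails, and capacity is updated only
 * after the larger buffer exists, so bookkeeping never exceeds the buffer. */
static int conn_table_grow(conn_table_t *t) {
    if (t->capacity > SIZE_MAX / 2 / sizeof *t->slots) return -1;
    size_t new_cap = t->capacity * 2;
    connection_t *bigger = realloc(t->slots, new_cap * sizeof *t->slots);
    if (!bigger) return -1;
    memset(bigger + t->capacity, 0, (new_cap - t->capacity) * sizeof *bigger);
    t->slots = bigger;
    t->capacity = new_cap;
    return 0;
}

/* Add a connection: grow first when full, and never write past capacity.
 * Returns the slot index, or -1 when the table could not grow. */
int conn_table_add(conn_table_t *t, int client_fd, int server_fd) {
    if (t->count == t->capacity && conn_table_grow(t) != 0) return -1;
    if (t->count >= t->capacity) return -1;   /* invariant check before the write */
    t->slots[t->count].client_fd = client_fd;
    t->slots[t->count].server_fd = server_fd;
    return (int)t->count++;
}

void conn_table_free(conn_table_t *t) {
    free(t->slots);
    t->slots = NULL;
    t->count = t->capacity = 0;
}

/* Self-check: push 200 constructed connections through the 64-slot default
 * and confirm the table grew to 256 with every entry intact. Returns 1 if so. */
int conn_table_selfcheck(void) {
    conn_table_t t;
    if (conn_table_init(&t) != 0) return 0;
    for (int i = 0; i < 200; i++)
        if (conn_table_add(&t, 1000 + i, 2000 + i) != i) { conn_table_free(&t); return 0; }
    int ok = t.count == 200 && t.capacity == 256 &&
             t.slots[64].client_fd == 1064 && t.slots[199].server_fd == 2199;
    conn_table_free(&t);
    return ok;
}
```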

2. Central Command Vexira Antivirus Buffer Overflow Vulnerability
BugTraq ID: 7383
Remote: No
Date Published: Apr 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7383
Summary:

Vexira Antivirus is an antivirus solution for Linux variant systems
distributed by Central Command.

A buffer overflow vulnerability has been reported for Vexira Antivirus
which may result in privilege escalation.

A local attacker can exploit this vulnerability by supplying an overly
long commandline argument to the /usr/lib/Vexira/vexira binary, consisting
of at least 280 characters. When the binary attempts to process this
input, it will trigger the buffer overflow condition and cause the
application to crash.

Although unconfirmed, it may be possible to exploit this vulnerability to
execute malicious attacker-supplied code.

This vulnerability was reported for Vexira Antivirus 2.1.7 for Linux.

3. YaBB SE Language Remote File Include Vulnerability
BugTraq ID: 7399
Remote: Yes
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7399
Summary:

YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for a number of platforms, including Unix,
Linux, and Microsoft Windows operating systems.

YaBB may allow malicious bulletin board users to influence the include
path for language files. Registered users may influence the include path
of language files through the "Change Profile" option. A malicious user
could set an include path that points to a malicious PHP script on an
external host. This could result in execution of commands in the context
of the web server.

4. OpenBB Index.PHP Remote SQL Injection Vulnerability
BugTraq ID: 7401
Remote: Yes
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7401
Summary:

OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.

A problem with the software may make it possible for remote users to
modify database query logic.

It has been reported that OpenBB does not properly check input passed via
the 'index.php' script. Because of this, it may be possible for a remote
user to inject malicious arbitrary SQL queries in the context of the
database user for the bulletin board software. The consequences of
successful exploitation will vary depending on the underlying database
implementation, but may allow for disclosure of sensitive information or
remote compromise of the bulletin board or database itself.

This vulnerability has been reported in OpenBB version 1.1.0. The
currently available version reported by the vendor is 1.0.5. This
vulnerability may affect the reported version, and previous versions of
the affected software.

5. Mod_NTLM Authorization Format String Vulnerability
BugTraq ID: 7393
Remote: Yes
Date Published: Apr 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7393
Summary:

mod_ntlm is an Apache module which implements NTLM authentication. It is
available for Apache 2.0.x and 1.3.x on the Linux operating system.

A format string vulnerability has been discovered in the mod_ntlm Apache
module. The issue occurs when processing authorization information located
in HTTP headers.

The problem is in the log() function, which passes authorization data to
ap_log_rerror() as the format string itself rather than as an argument to a
fixed format. As a result, a remote attacker may be able to embed their own
format specifiers in the authorization data, which may allow writes to
sensitive locations in memory.

It should be noted that the exploitability of this issue to execute
arbitrary code may be hindered by various system specific limitations. As
a result, exploitation may only result in a denial of service.

This vulnerability was reported in mod_ntlm <= 0.4 and mod_ntlm2 0.1.

6. PT News Unauthorized Administrative Access Vulnerability
BugTraq ID: 7394
Remote: Yes
Date Published: Apr 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7394
Summary:

PT News is a web based news system. It is implemented in PHP and
available for Microsoft Windows operating systems and Linux/Unix variants.

PT News does not adequately prevent remote users from gaining unauthorized
access to administrative functions. The source of this issue is that the
'index.php' script includes the 'news.inc' file, which contains various
administrative functions for PT News. Remote users may access the
administrative functions of 'news.inc' through the 'index.php' script.

Exploitation could allow remote attackers to manipulate content.

7. OpenBB Board.PHP Remote SQL Injection Vulnerability
BugTraq ID: 7404
Remote: Yes
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7404
Summary:

OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.

A problem with the software may make it possible for remote users to
modify database query logic.

It has been reported that OpenBB does not properly check input passed via
the 'board.php' script. Because of this, it may be possible for a remote
user to inject malicious arbitrary SQL queries in the context of the
database user for the bulletin board software. The consequences of
successful exploitation will vary depending on the underlying database
implementation, but may allow for disclosure of sensitive information or
remote compromise of the bulletin board or database itself.

This vulnerability has been reported in OpenBB version 1.1.0. The
currently available version reported by the vendor is 1.0.5. This
vulnerability may affect the reported version, and previous versions of
the affected software.

8. SAP Database Development Tools INSTDBMSRV INSTROOT Environment Variable Vulnerability
BugTraq ID: 7407
Remote: No
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7407
Summary:

SAP DB is a free database software package for Unix, Linux, and Microsoft
Operating Systems.

It has been reported that a vulnerability exists in the SAP Database
program instdbmsrv. Because of this, a local attacker may be able to gain
elevated privileges.

The problem is in the handling of input from an untrusted source. When
executed, the instdbmsrv program reads the INSTROOT environment variable to
locate the pgm/dbmsrv program and then changes the permissions of that
dbmsrv program to make it setuid root. A local attacker could set INSTROOT
to point to an arbitrary directory, so that when instdbmsrv is executed an
attacker-supplied version of dbmsrv is the file made setuid root.

This could result in an attacker gaining local administrative privileges.

9. Xinetd Rejected Connection Memory Leakage Denial Of Service Vulnerability
BugTraq ID: 7382
Remote: Yes
Date Published: Apr 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7382
Summary:

Xinetd is intended as a secure replacement for inetd. It is designed for
use with Linux and Unix variant operating environments.

A denial of service vulnerability has been reported for Xinetd. The
vulnerability exists due to memory leaks occurring when connections are
rejected. This issue was reported to occur in the svc_request() function
of the service.c source file, where some allocated memory is not properly
freed when a connection is rejected.

An attacker can exploit this vulnerability by repeatedly connecting to a
Xinetd server and having the connection rejected. This will result in a
memory exhaustion issue that will result in a denial of service condition.

This vulnerability was reported for Xinetd prior to 2.3.11.

10. Mod_NTLM Authorization Heap Overflow Vulnerability
BugTraq ID: 7388
Remote: Yes
Date Published: Apr 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7388
Summary:

mod_ntlm is an Apache module which implements NTLM authentication. It is
available for Apache 2.0.x and 1.3.x on the Linux operating system.

The mod_ntlm Apache module has been reported prone to a heap overflow
vulnerability.

The vulnerability is due to a lack of sufficient bounds checking performed
on user-supplied data, stored in a 2048 byte buffer within heap memory.

Specifically, an insecure 'vsprintf()' function call is made within the
mod_ntlm 'log()' function. The call to 'vsprintf()' copies user-supplied
authorization data without carrying out sufficient bounds checking. As a
result, excessive data may be copied into the 2048 byte buffer, resulting
in the corruption of sensitive memory management information.

By modifying an adjacent malloc header to contain malicious values, it may
be possible for an attacker to overwrite sensitive locations in memory
when a subsequent call to free() is made. As a result, it may be possible
for an attacker to execute arbitrary instructions, with the privileges of
the Apache server.

This vulnerability is reported to affect mod_ntlm v0.4 for Apache 1.3 and
mod_ntlmv2 version 0.1 for Apache 2.0. Although unconfirmed, previous
versions may also be affected.
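For both mod_ntlm items (5 and 10), an added example in C that is not the module's code: a bounded logging routine in which client data is only ever a %s argument to a fixed format literal, and output is produced with vsnprintf() into the 2048-byte buffer the advisory names. log_bounded, log_authorization and the stderr sink standing in for ap_log_rerror() are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_BUF_SIZE 2048   /* the heap buffer size named in the advisory */

/* Hardened stand-in for mod_ntlm's log(): formats into a bounded heap buffer
 * with vsnprintf(), so excess data is truncated rather than overrunning the
 * malloc chunk. Returns the length the full message needed, or -1. */
static int log_bounded(char *buf, size_t buf_size, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(buf, buf_size, fmt, ap);
    va_end(ap);
    return needed;
}

/* Log a client-supplied Authorization header. The format string is a fixed
 * literal and the client data travels only as a %s argument, so specifiers
 * in the header are printed, never interpreted (the format string issue);
 * the bounded helper addresses the heap overflow. Returns 1 if the message
 * fit, 0 if it had to be truncated (a condition worth alerting on). */
int log_authorization(const char *client_data, char *buf, size_t buf_size) {
    /* Patterns the advisory describes, shown for contrast only (not executed):
     *   log(client_data);          client data used as the format string
     *   vsprintf(buf, fmt, ap);    no bound on the 2048-byte heap buffer */
    int needed = log_bounded(buf, buf_size, "authorization: %s", client_data);
    fprintf(stderr, "%s\n", buf);   /* hypothetical sink for ap_log_rerror() */
    return needed >= 0 && (size_t)needed < buf_size;
}

/* Self-checks with constructed inputs; each returns 1 on the expected result. */
int check_specifiers_stay_literal(void) {
    char *buf = malloc(LOG_BUF_SIZE);
    if (!buf) return 0;
    int fit = log_authorization("NTLM %x%s%08x", buf, LOG_BUF_SIZE);
    int ok = fit == 1 && strcmp(buf, "authorization: NTLM %x%s%08x") == 0;
    free(buf);
    return ok;
}

int check_oversized_is_truncated(void) {
    char *buf = malloc(LOG_BUF_SIZE);
    char big[4096];
    if (!buf) return 0;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int fit = log_authorization(big, buf, LOG_BUF_SIZE);
    /* truncated, NUL-terminated, and nothing written beyond the buffer */
    int ok = fit == 0 && strlen(buf) == LOG_BUF_SIZE - 1;
    free(buf);
    return ok;
}
```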

11. SAP Database Development Tools INSTLSERVER INSTROOT Environment Variable Vulnerability
BugTraq ID: 7408
Remote: No
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7408
Summary:

SAP DB is a free database software package for Unix, Linux, and Microsoft
Operating Systems.

It has been reported that a vulnerability exists in the SAP Database
program instlserver. Because of this, a local attacker may be able to gain
elevated privileges.

The problem is in the handling of input from an untrusted source. When
executed, the instlserver program reads the INSTROOT environment variable to
locate the pgm/lserver program and then changes the permissions of that
lserver program to make it setuid root. A local attacker could set INSTROOT
to point to an arbitrary directory, so that when instlserver is executed an
attacker-supplied version of lserver is the file made setuid root.

This could result in an attacker gaining local administrative privileges.

12. MIME-Support Package Insecure Temporary File Creation Vulnerability
BugTraq ID: 7403
Remote: No
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7403
Summary:

The mime-support package contains a variety of MIME applications and
tools. It is available for the Linux operating system.

A vulnerability has been discovered in the run-mailcap application
included with mime-support. The problem occurs due to invalid sanity
checks when creating temporary files.

By populating the /tmp directory with symbolic links which point to
sensitive system files, it may be possible for an unprivileged user to
corrupt arbitrary files. As a result, an unprivileged user may be capable
of rendering a target system unusable or possibly gain elevated
privileges.

This vulnerability affects run-mailcap included in mime-support version
3.21 and earlier.
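The pattern that closes the /tmp symbolic-link problem described above, as an added example in C (run-mailcap's own code is not on the page; the function names are hypothetical): create the file with O_CREAT|O_EXCL|O_NOFOLLOW, or let mkstemp() choose an unpredictable name, with a self-check that plants a link in a private scratch directory to show the open is refused and the link target is untouched.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open a temporary file at a caller-chosen name so that a symbolic link
 * planted there beforehand cannot redirect the write: O_EXCL refuses any
 * existing path (link or file) and O_NOFOLLOW additionally refuses to follow
 * a link. Returns the fd, or -1 with errno set. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form: let mkstemp() pick an unpredictable name in a chosen
 * directory (it also opens with O_CREAT|O_EXCL). path_out receives the name. */
int open_tmp_unpredictable(const char *dir, char *path_out, size_t n) {
    if (snprintf(path_out, n, "%s/mailcap.XXXXXX", dir) >= (int)n) return -1;
    return mkstemp(path_out);
}

/* Self-check with a constructed scenario: in a private scratch directory,
 * plant "predictable.tmp" as a link to a "victim" file, the way a /tmp
 * symlink attack would, then verify the exclusive open refuses the name, the
 * victim keeps its 10 bytes, and mkstemp() still works. Returns 1 if all hold. */
int tmpfile_selfcheck(void) {
    char dir[] = "/tmp/mimesel.XXXXXX";
    char victim[PATH_MAX], link[PATH_MAX], fresh[PATH_MAX];
    struct stat st;
    int refused = 0, intact = 0, created = 0;

    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);

    FILE *f = fopen(victim, "w");
    if (f) { fputs("important\n", f); fclose(f); }
    if (f && symlink(victim, link) == 0) {
        int fd = open_tmp_exclusive(link);           /* must fail: path exists */
        refused = (fd == -1) && (errno == EEXIST || errno == ELOOP);
        if (fd != -1) close(fd);

        intact = stat(victim, &st) == 0 && st.st_size == 10;

        int fd2 = open_tmp_unpredictable(dir, fresh, sizeof fresh);
        created = fd2 != -1;
        if (fd2 != -1) { close(fd2); unlink(fresh); }
    }
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return refused && intact && created;
}
```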

13. OpenBB Member.PHP Remote SQL Injection Vulnerability
BugTraq ID: 7405
Remote: Yes
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7405
Summary:

OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.

A problem with the software may make it possible for remote users to
modify database query logic.

It has been reported that OpenBB does not properly check input passed via
the 'member.php' script. Because of this, it may be possible for a remote
user to inject malicious arbitrary SQL queries in the context of the
database user for the bulletin board software. The consequences of
successful exploitation will vary depending on the underlying database
implementation, but may allow for disclosure of sensitive information or
remote compromise of the bulletin board or database itself.

This vulnerability has been reported in OpenBB version 1.1.0. The
currently available version reported by the vendor is 1.0.5. This
vulnerability may affect the reported version, and previous versions of
the affected software.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Linux Security Courses (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/319322

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. AppAudit
by Sanctum, Inc.
Platforms: N/A
Relevant URL:
http://www.sanctuminc.com/solutions/appaudit/index.html
Summary:

Sanctum's AppAudit will help you find the holes in your Web site before
somebody else does. AppAudit is a remote audit on your Web site conducted
by Sanctum, to determine the general security of your site at the
application level. AppAudit reveals Web application vulnerabilities,
including: Hidden Manipulation, Parameter Tampering, Cookie Poisoning,
Stealth Commanding, Forceful Browsing, Backdoors and Debug options,
Configuration Subversion, Buffer Overflow and Vendor-assisted Hacking.

2. FloodGuard
by Reactive Network
Platforms: N/A
Relevant URL:
http://www.reactivenetwork.com/products/products.htm
Summary:

FloodGuard, from Reactive Network Solutions, is dedicated to detecting -
and mitigating - all types of flooding attacks. By distributing
intelligence through the network, FloodGuard is the most effective
hardware-software solution for shutting down flooding attacks before they
shut down your business.

3. Sourcefire Intrusion Management System
by Sourcefire
Platforms: N/A
Relevant URL:
http://www.securityfocus.com/www.sourcefire.com/products/products.htm
Summary:

Sourcefire Intrusion Management System (IMS) delivers all of the
capabilities needed to proactively defend against intruders. Unlike
current intrusion detection systems, Sourcefire offers a comprehensive
system that gives one granular flexibility, scalability, and complete data
management. Sourcefire IMS offers the best protection and allows users to
customize every aspect of the system to suit their specific environment
and security needs.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Crash Core Analysis Suite v3.3
by Mission Critical Linux webmaster (at) missioncriticallinux (dot) com
Relevant URL:
http://oss.missioncriticallinux.com/projects/crash/
Platforms: Linux, POSIX
Summary:

The Crash Core Analysis Suite utility is a self-contained tool, loosely
based on the SVR4 crash command but completely merged with gdb, thereby
combining the kernel-specific nature of crash with the source level
debugging capabilities of gdb. The utility can be used to investigate live
systems, kernel core dumps created from the Kernel Core Dump patch offered
by Mission Critical Linux, and kernel core dumps created from the Linux
Kernel Crash Dumps (LKCD) patch offered by SGI.

2. In Memory Core Dump v3.1.4
by Mission Critical Linux webmaster (at) missioncriticallinux (dot) com
Relevant URL:
http://oss.missioncriticallinux.com/projects/mcore/
Platforms: Linux, POSIX
Summary:

In Memory Core Dump uses system memory to save crash information. On a
subsequent reboot of the system, the crash information can be recovered.

3. FloodGuard Alert v2_2p3
by Reactive Network Solutions, Inc. jagan (at) reactivenetwork (dot) com
Relevant URL:
http://www.reactivenetwork.com/downloads/
Platforms: Linux, POSIX
Summary:

FloodGuard Alert is designed to detect all forms of flooding and bandwidth
attacks, including DDoSes and worms. The software initially trains on
ingress traffic directed at your protection domain that it uses to
statistically identify anomalous traffic. It also suggests initial
mitigation steps (ACLs/filters) that can be taken to stop the attack while
letting legitimate traffic through. It comes with a comprehensive
Java-based GUI that facilitates traffic visualization, configuration,
control, analysis, report generation, and SYSLOG- and email-based
communications.

VI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: FastTrain
