SecurityFocus Linux Newsletter #151
------------------------------------
This Issue is Sponsored by: Astaro
FREE TRIAL - LinuxWorld Best Security Solution software!
Astaro Security Linux is the pre-integrated software security solution
that costs less to implement and manage. Firewall, VPN, spam/surf
protection, virus protection - download all to a single CD.
FREE TRIAL at:
http://www.securityfocus.com/sponsor/Astaro_linux-secnews_030929
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Exploiting Cisco Routers (Part One)
2. Intrusion Detection Terminology (Part Two)
3. The Subpoenas are Coming!
4. SPECIAL ANNOUNCEMENT
II. LINUX VULNERABILITY SUMMARY
1. IBM DB2 Discovery Service UDP Denial Of Service Vulnerabilit...
2. LSH Remote Buffer Overflow Vulnerability
3. ColdFusionMX Error Handler Pages Cross-Site Scripting Vulner...
4. myPHPNuke auth.inc.php SQL Injection Vulnerability
5. ipmasq Incorrect Packet Forwarding Default Ruleset Vulnerabi...
6. Sun Java XML Document Nested Entity Denial Of Service Vulner...
7. Wu-Ftpd SockPrintf() Remote Stack-based Buffer Overrun Vulne...
8. Speak Freely Show Your Face Malformed Gif Denial Of Service ...
9. Speak Freely Spoofed UDP Packet Flood Remote Denial Of Servi...
10. NetUP UTM Web Interface Session ID SQL Injection Vulnerabili...
11. NetUP UTM Web Interface utm_stat Script SQL Injection Vulner...
12. NetUp UTM Web Interface Local Privilege Escalation Vulnerabi...
13. Multiple Portable OpenSSH PAM Vulnerabilities
14. wzdftpd Login Remote Denial of Service Vulnerability
15. ProFTPD ASCII File Transfer Buffer Overrun Vulnerability
16. MPG123 Remote File Play Heap Corruption Vulnerability
17. NullLogic Null HTTPd Error Page Long HTTP Request Cross-Site...
18. NullLogic Null HTTPd Remote Denial Of Service Vulnerability
19. CFEngine CFServD Transaction Packet Buffer Overrun Vulnerabi...
20. MPlayer Streaming ASX Header Parsing Buffer Overrun Vulnerab...
21. Athttpd Remote GET Request Buffer Overrun Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. FW: Linux and firewall load balancing (Thread)
2. Linux and firewall load balancing (Thread)
3. Kerberos + OpenLDAP help needed. (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Sophos Anti-Virus
2. F-Secure Policy Manager
3. Gordano Messaging Suite
4. LANDesk Management Suite 7
5. ActiveScout Enterprise
6. Immunity CANVAS
V. NEW TOOLS FOR LINUX PLATFORMS
1. MasarLabs NoArp v1.2.0
2. OS-SIM v0.5.1
3. Network Packet Capture Facility for Java v0.01.14
4. Arno's IPTABLES Firewall Script v1.8.1RC-1
5. Portable OpenSSH v3.7.1p2
6. sensorTrends v0.5
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Exploiting Cisco Routers (Part One)
By Mark Wolfgang
This is the first of a three-part series that will focus on identifying
and then exploiting vulnerabilities and poor configurations in Cisco
routers.
http://www.securityfocus.com/infocus/1734
2. Intrusion Detection Terminology (Part Two)
By Andy Cuff
This is the second and final part of the series that discusses IDS
terminology, including terms where there may be disagreement from within
the security community.
http://www.securityfocus.com/infocus/1733
3. The Subpoenas are Coming!
By Mark Rasch
Citing a provision of the Patriot Act, the FBI is sending letters to
journalists telling them to secretly prepare to turn over their notes,
e-mails and sources to the bureau. Should we throw out the First Amendment
to nail a hacker?
http://www.securityfocus.com/columnists/187
4. SPECIAL ANNOUNCEMENT
We are pleased to announce that The Basics infocus area has been renamed
to Foundations, in order to accommodate a wider range of security-related
articles that are not necessarily basic, but do not fit into one of the
seven other infocus areas either.
http://www.securityfocus.com/foundations
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. IBM DB2 Discovery Service UDP Denial Of Service Vulnerabilit...
BugTraq ID: 8653
Remote: Yes
Date Published: Sep 19 2003
Relevant URL: http://www.securityfocus.com/bid/8653
Summary:
IBM DB2 is a commercial relational database implementation that is
available for a number of operating systems including Microsoft Windows
and Unix/Linux variants.
IBM DB2 includes a Discovery Service that is used to locate other
databases on the network. By default, this service listens on UDP port
523.
The IBM DB2 Discovery Service is prone to denial of service attacks. The
service expects to receive messages of a certain size. If a UDP packet
larger than 20 bytes is received by the service, it will shut down. The
"DB2 - DB2DAS00" service must then be restarted to regain normal
functionality.
2. LSH Remote Buffer Overflow Vulnerability
BugTraq ID: 8655
Remote: Yes
Date Published: Sep 19 2003
Relevant URL: http://www.securityfocus.com/bid/8655
Summary:
lsh is a free software implementation of the ssh version 2 protocol. It is
available for multiple platforms including Linux, Unix and Apple.
lsh has been reported prone to a remote buffer overflow vulnerability. The
condition is reported to present itself under fairly restrictive
circumstances; specifically the vulnerable server must receive malicious
exploit data before any other communications after it has been started.
The vulnerability has been reported to exist in read_line.c, inside an
error reporting function. It has been reported that the vulnerable
function does not return from a reporting procedure, and instead writes
arbitrary data past the end of a reserved buffer in heap-based memory.
This will eventually lead to the corruption of adjacent heap-based
management structures.
This vulnerability has been reported to be exploitable pre-authentication,
resulting in the execution of arbitrary attacker supplied instructions in
the context of the affected daemon.
Although this issue has been reported to affect lsh versions 1.4.x, other
versions may also be affected.
3. ColdFusionMX Error Handler Pages Cross-Site Scripting Vulner...
BugTraq ID: 8660
Remote: Yes
Date Published: Sep 19 2003
Relevant URL: http://www.securityfocus.com/bid/8660
Summary:
ColdFusion MX is an application server for developing and hosting web
applications, distributed by Macromedia. It is available as a standalone
product for Unix, Linux, and Microsoft operating systems.
ColdFusionMX has been reported prone to a cross-site scripting
vulnerability under some circumstances.
The issue has been reported to present itself in web sites that use the
default ColdFusionMX Site-Wide Error Handler page; the default
ColdFusionMX Missing Template Handler has additionally been reported
vulnerable.
The vendor has reported that an HTTP header containing malicious content
in the 'referer' field may be used as an attack vector to inject
malicious content into the aforementioned error handler pages of
ColdFusionMX.
This vulnerability may be exploited by malicious attackers, to execute
arbitrary HTML or Script code in the context of the affected site, in the
browsers of unsuspecting users.
This vulnerability has been reported to affect ColdFusion MX 6.0, 6.1 (all
editions), 6.0 J2EE (all editions), 6.1 J2EE (all editions), and ColdFusion
5.0 and prior versions.
4. myPHPNuke auth.inc.php SQL Injection Vulnerability
BugTraq ID: 8663
Remote: Yes
Date Published: Sep 20 2003
Relevant URL: http://www.securityfocus.com/bid/8663
Summary:
myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available
for the Linux and Microsoft Windows operating systems.
A vulnerability has been reported to exist in myPHPNuke that may allow a
remote attacker to inject malicious SQL syntax into database queries. The
source of this issue is insufficient sanitization of user-supplied input.
The problem is reported to exist in the $aid variable contained within the
auth.inc.php module. It has been reported that user-supplied input in $aid
is not sanitized before it is included in a database query. A remote
attacker may exploit this issue to influence SQL query logic.
A malicious user may influence database queries in order to view or modify
sensitive information, potentially compromising the software or the
database.
myPHPNuke version 1.8.8 has been reported to be prone to this issue,
however other versions may be affected as well.
5. ipmasq Incorrect Packet Forwarding Default Ruleset Vulnerabi...
BugTraq ID: 8664
Remote: Yes
Date Published: Sep 20 2003
Relevant URL: http://www.securityfocus.com/bid/8664
Summary:
ipmasq is a package that is used to initialize and simplify the
configuration of Linux IP Masquerade. IP Masquerade is a feature of Linux
that allows multiple hosts to share a single IP address.
Debian has reported that the firewall rules configured by ipmasq may
result in incorrect (and potentially insecure) forwarding of traffic on
the gateway host. According to the report, any traffic destined for
internal hosts arriving at the external interface of the gateway will be
forwarded to the destination host on the internal network regardless of
whether the packet can be associated with an established connection or
not. This behavior is incorrect and may result in attackers gaining
unauthorized access to internal and potentially more vulnerable hosts.
ipmasq 3.5.10 has been reported to be prone to this vulnerability.
6. Sun Java XML Document Nested Entity Denial Of Service Vulner...
BugTraq ID: 8666
Remote: No
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8666
Summary:
A problem has been identified in Sun Java when handling XML documents with
specific constructs. Because of this, an attacker with the ability to
cause the software to parse malicious XML documents may have the ability
to crash a system hosting Sun Java.
The problem is in the handling of nested entities. By default Sun Java
does not permit recursive entity definitions. This default design
prevents resource consumption and denial of service through looping entity
definitions.
However, by using multiple deeply nested entity definitions, it is
possible to cause excessive consumption of system resources. By creating
maliciously nested entity definitions, it is possible to force the Java
engine to spend excessive amounts of processor and memory resources
attempting to reach the end of nested entities, making all system
resources unavailable for a period of time. The attack could be repeated
continuously to cause a prolonged denial of service.
This problem is known to affect the Sun Java Runtime Environment. Other
versions may also be affected.
7. Wu-Ftpd SockPrintf() Remote Stack-based Buffer Overrun Vulne...
BugTraq ID: 8668
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8668
Summary:
Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by
Washington University. Wu-Ftpd includes an option 'MAIL_ADMIN', which
allows the administrator to be e-mailed when a specific event occurs on
the server. One such event may be the uploading of a remote file.
A remote vulnerability has been discovered in Wu-Ftpd, when configured
using the 'MAIL_ADMIN' option to report file uploads, that could allow for
the execution of arbitrary code. It should be noted that Wu-Ftpd servers
running the default configuration are not affected by this vulnerability.
The problem is present within the SockPrintf() function, located within
the ftpd.c source file, and occurs due to insufficient bounds checking.
When SockPrintf() is called, a number of formatted arguments are passed to
the svprintf() function and are stored within the local stack buffer. Due
to insufficient bounds checking prior to calling svprintf(), an attacker
capable of influencing data passed to SockPrintf() may be capable of
overrunning the 32768 byte buffer with malicious data.
This issue may be exploitable through the store() function defined in
ftpd.c, which invokes the SockPrintf() function using an uploaded filename
as the 'name' argument. If an attacker was somehow capable of influencing
the size of the path used to store the uploaded file, possibly by creating
nested directories, it may be possible to construct a 'name' argument
greater than 32768 bytes. This would effectively result in the allocated
stack buffer being overrun, and could ultimately allow for the corruption
of sensitive stack variables such as a saved frame pointer or a return
address.
It should be noted that specific operating systems place a limit on the
available size of filenames. For instance, Linux limits the size to 4096
bytes. Due to this limit, this bug may not be exploitable on certain
systems. However, if the aforementioned nested directory creation is
possible, exploitation may still be possible on systems that set smaller
size limits.
Successful exploitation of this vulnerability could result in the
execution of arbitrary code with the privileges of the Wu-Ftpd server,
typically root.
8. Speak Freely Show Your Face Malformed Gif Denial Of Service ...
BugTraq ID: 8669
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8669
Summary:
Speak Freely is a freely available Internet voice communication
application. It is available for the Unix, Linux, and Microsoft Windows
platforms.
Speak Freely clients may crash when processing malformed GIF images. This
vulnerability is exposed via the "Show Your Face" feature, which allows
clients to send images to other clients. In particular, a GIF with "Image
width" and "Image height" header fields that are too large or equal to
zero will trigger this issue.
When such a malformed "Show Your Face" GIF is received and processed by a
client, the client will crash.
Though unconfirmed, this could permit an attacker to corrupt memory with
specific values, potentially leading to arbitrary code execution.
This issue is reported to affect Speak Freely on Windows platforms only.
9. Speak Freely Spoofed UDP Packet Flood Remote Denial Of Servi...
BugTraq ID: 8670
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8670
Summary:
Speak Freely is a freely available Internet voice communication
application. It is available for the Unix, Linux, and Microsoft Windows
platforms.
Speak Freely for Microsoft Windows has been reported prone to a remote
denial of service vulnerability. The issue presents itself when the Speak
Freely software handles multiple UDP connections in quick succession that
have spoofed IP addresses. It has been reported that the software will
exponentially consume resources until it fails shortly after displaying
the following error message: "Cannot create transmit socket for host
(x.x.x.x), error 10055. No buffer space is available".
It has been reported that this vulnerability may also be exploited on a
low speed network, due to the low UDP packet size required to trigger the
issue.
This vulnerability has been reported to affect Speak Freely versions up to
and including 7.6a, for Microsoft Windows platforms. The Unix version is
not reported prone to this issue.
10. NetUP UTM Web Interface Session ID SQL Injection Vulnerabili...
BugTraq ID: 8671
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8671
Summary:
NetUp UTM is a billing system for Internet Service Providers (ISP). It
includes a web interface, which allows users to log in and manage their
accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
operating systems.
A vulnerability has been reported to exist in NetUp UTM that may allow a
remote attacker to inject malicious SQL syntax into specific database
queries. The source of this issue is insufficient sanitization of
user-supplied input.
The problem is reported to exist in the $sid variable, used to supply a
current session id. It has been reported that potential control characters
stored within the $sid variable are not escaped prior to being included
within a SELECT statement. As a result, an attacker may be capable of
hijacking a user's session by supplying malicious SQL data within a request
to the NetUp UTM web interface. This could be accomplished by including
commands designed to escape the context of the expected data and influence
the logic of the query.
Successful exploitation of this issue could allow an attacker to gain
access to the account of another user who has an active session. It
should be noted that a malicious user might also be capable of influencing
database queries in order to view or modify sensitive information,
potentially compromising the software or underlying database.
11. NetUP UTM Web Interface utm_stat Script SQL Injection Vulner...
BugTraq ID: 8672
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8672
Summary:
NetUp UTM is a billing system for Internet Service Providers (ISP). It
includes a web interface, which allows users to log in and manage their
accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
operating systems.
A vulnerability has been reported to exist in NetUp UTM that may allow a
remote attacker to inject malicious SQL syntax into specific database
queries. The source of this issue is insufficient sanitization of
user-supplied input.
The problem is reported to exist when handling data passed to the
'utm_stat' script. It has been reported that potential control characters
stored within variables passed to this script are not escaped prior to
being included within various SQL queries. As a result, an attacker may
be capable of modifying sensitive attributes of their user account. This
may include current money balance and bill status. It may also be possible
to influence the configuration behavior of the server, potentially making
it possible to execute arbitrary shell commands with 'nobody' privileges.
This could be accomplished by including commands designed to escape the
context of the expected data and influence the logic of the query.
It should be noted that the implications of this vulnerability may be
compounded by the issue described in BID 8671. If used in conjunction,
these issues may allow an attacker to modify the account data of arbitrary
ISP users.
12. NetUp UTM Web Interface Local Privilege Escalation Vulnerabi...
BugTraq ID: 8673
Remote: No
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8673
Summary:
NetUp UTM is a billing system for Internet Service Providers (ISP). It
includes a web interface, which allows users to log in and manage their
accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
operating systems.
A vulnerability has been discovered in NetUP UTM that may allow a user who
is capable of executing code locally to gain elevated privileges. The
problem occurs because the 'nobody' user's sudoers entry allows the use of
the '/bin/mv' utility with root privileges. As a result, a malicious user
with 'nobody' privileges may be capable of gaining root privileges on a
target system.
The implications of this vulnerability may be compounded by the issues
described in BID 8671 and BID 8672. If used in conjunction with these
issues, an unauthorized remote attacker may be capable of gaining root
privileges on a target system.
13. Multiple Portable OpenSSH PAM Vulnerabilities
BugTraq ID: 8677
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8677
Summary:
Multiple vulnerabilities have been reported to affect Portable OpenSSH
with PAM support enabled. It has been reported that at least one of these
vulnerabilities may be exploitable, under a non-standard configuration
with privsep disabled, by a remote attacker.
Explicit technical details regarding these vulnerabilities are not
currently available; this BID will be updated as further analysis of these
conditions is completed.
This vulnerability has been reported to affect Portable OpenSSH versions
3.7p1 and 3.7.1p1. OpenBSD releases of OpenSSH do not contain the
vulnerable code and so are not reported to be affected.
14. wzdftpd Login Remote Denial of Service Vulnerability
BugTraq ID: 8678
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8678
Summary:
wzdftpd is an FTP server implementation that is available for the Unix,
Linux, and Microsoft Windows platforms.
A vulnerability has been reported to exist in the software that may allow
a remote attacker to cause a denial of service condition. The issue
presents itself when a remote attacker sends a lone CRLF (carriage return,
line feed) sequence to the program during the login process. The attack
may cause the software to act in an unstable manner.
This issue occurs due to improper sanitizing of user-supplied input and a
successful attack may allow a remote attacker to cause the vulnerable
process to crash.
wzdftpd version 0.1rc5 has been reported to be prone to this
vulnerability, however other versions across various platforms may be
affected as well.
15. ProFTPD ASCII File Transfer Buffer Overrun Vulnerability
BugTraq ID: 8679
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8679
Summary:
ProFTPD is an FTP server implementation that is available for Unix and
Linux platforms.
A remotely exploitable buffer overrun vulnerability has been reported in
ProFTPD.
This issue could be triggered if a malicious file is transferred in ASCII
mode. Specifically, ASCII transfers are read in 1024 byte chunks and
checked for newlines (\n). Improper handling of newline characters in
ASCII files may potentially be abused to corrupt memory with
attacker-supplied values. If sensitive values in memory such as
instruction pointers can be overwritten with attacker-supplied data, it
will be possible to control execution flow of the process and execute
arbitrary code.
Successful exploitation will permit a malicious FTP user with upload
access to execute arbitrary code in the context of the FTP server. To
exploit the issue, the attacker must upload the malicious file and then
attempt to download it.
It is also reported that ProFTPD does not adequately drop privileges in
some circumstances, which may compound the risks associated with
exploitation.
This issue could also affect versions prior to 1.2.7, though this has not
been confirmed.
16. MPG123 Remote File Play Heap Corruption Vulnerability
BugTraq ID: 8680
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8680
Summary:
mpg123 is a freely available, open source audio file player. mpg123 is
available for the Linux and Unix platforms.
A problem in the handling of some types of remote files has been reported
in mpg123. Because of this, it may be possible for a remote attacker to
execute arbitrary code with the privileges of the mpg123 user.
The problem occurs in the readstring function implemented in the httpget.c
source file. When the program is used to connect to a remote streaming
server, it receives strings which it places onto the heap. However, the
readstring function does not sufficiently limit the length of the data in
some instances, making it possible for an attacker to send an arbitrary
amount of data. An attacker can use this problem to overwrite sensitive
process memory, potentially executing arbitrary instructions.
17. NullLogic Null HTTPd Error Page Long HTTP Request Cross-Site...
BugTraq ID: 8695
Remote: Yes
Date Published: Sep 24 2003
Relevant URL: http://www.securityfocus.com/bid/8695
Summary:
NullLogic Null HTTPd is a small multithreaded web server for Linux and
Windows.
A vulnerability has been reported in the software that may allow an
attacker to execute HTML or script in the browser of a user running the
vulnerable version of the software.
The issue has been reported previously (BID 5603) and fixed; however, an
attacker is reported to be able to bypass the fix, leading to a cross-site
scripting error. The problem is reported to present itself when displaying
error pages. An attacker may be able to pass long HTTP requests to the
software that overwrite memory and therefore bypass the check for
cross-site scripting issues. As a result, an attacker may construct a link
containing malicious HTML and script code that will be rendered in a
user's browser upon visiting that link. This would occur in the context
of the affected site.
Successful exploitation of this issue may allow a remote attacker to steal
cookie-based authentication credentials. Other attacks are possible as
well.
Null HTTPd version 0.5.1 and prior are reported to be prone to this issue.
18. NullLogic Null HTTPd Remote Denial Of Service Vulnerability
BugTraq ID: 8697
Remote: Yes
Date Published: Sep 24 2003
Relevant URL: http://www.securityfocus.com/bid/8697
Summary:
NullLogic Null HTTPd is a small multithreaded web server for Linux and
Windows.
Null HTTPd has been reported prone to a remotely triggered denial of
service vulnerability.
The issue has been reported to present itself in the HTTP POST handling
routines within the Null HTTPd server. It has been reported that a remote
attacker may make a malicious HTTP POST request, specifying a
'Content-Length' value in the HTTP header and then sending data that
amounts to 1 byte less than the specified Content-Length.
It has been reported that after several consecutive connections employing
the method described above, the affected service will consume system
resources exponentially, effectively denying service to legitimate users.
Although unconfirmed, this behavior has been reported to be due to the
closure of an active connection by the client before the expected data
transfer is completed, resulting in multiple threads remaining active in
an open state, waiting for the expected data.
This vulnerability has been reported to affect Null HTTPd versions up to
and including 0.5.1.
19. CFEngine CFServD Transaction Packet Buffer Overrun Vulnerabi...
BugTraq ID: 8699
Remote: Yes
Date Published: Sep 25 2003
Relevant URL: http://www.securityfocus.com/bid/8699
Summary:
GNU cfengine is software for automating administration and maintenance of
large networks. It is available for Unix and Linux variants.
cfengine is prone to a stack-based buffer overrun vulnerability. This
issue may be exploited by remote attackers who are able to send malicious
transaction packets to cfservd. cfservd is typically configured to run on
a central master server, which may have some degree of authority over
other systems in the network.
This issue is due to insufficient bounds checking of data that is read in
during a transaction with a remote user. In particular, the
BusyWithConnection() function in the cfservd.c source file passes
externally supplied data in a 4096 byte stack-based buffer to the
ReceiveTransaction() function in net.c. A value for the message length is
then read from the socket by ReceiveTransaction(). The message length and
buffer are then passed to the RecvSocketStream() function. If the message
length is more than 4096 bytes, then adjacent regions of memory will be
corrupted with the superfluous data. In this manner it is possible to
corrupt stack variables such as an instruction pointer with
attacker-supplied values, allowing for control of execution flow and
execution of malicious instructions embedded in memory by the attacker.
The vulnerability may be exploited to execute arbitrary code with the
privileges of cfservd. A denial of service may also be the result of
exploitation attempts as cfservd is multi-threaded and may not be
configured to restart itself via a super-server such as inetd.
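The bounds check the summary says is absent, as an added example in C (not cfengine's own code): a length-prefixed receive routine that validates the peer-supplied message length against the caller's 4096-byte buffer before copying, and treats a short read as an error rather than a partial success. The 4-byte big-endian wire format and the names rx_transaction and check_case are assumptions for illustration.

```c
/* Added example, not cfengine's own code. It models the cfservd path the
 * advisory describes (a 4096-byte stack buffer handed to a receive routine
 * that reads the message length from the peer) with the missing check in
 * place. Wire format and function names are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CF_BUFSIZE 4096   /* size of the stack buffer in the advisory */

enum rx_status { RX_OK = 0, RX_TOO_LARGE = -1, RX_TRUNCATED = -2, RX_BAD_HEADER = -3 };

/* Receive one transaction from an in-memory stream (standing in for the
 * socket). The caller's buffer size is an explicit parameter so the peer's
 * announced length can be validated against it before any copy. */
int rx_transaction(const unsigned char *stream, size_t stream_len,
                   char *buf, size_t bufsize, size_t *payload_len)
{
    uint32_t declared;

    if (stream_len < 4)
        return RX_BAD_HEADER;
    declared = ((uint32_t)stream[0] << 24) | ((uint32_t)stream[1] << 16) |
               ((uint32_t)stream[2] << 8)  |  (uint32_t)stream[3];

    /* The check the advisory describes as missing: a peer-chosen length
     * must never exceed the buffer the caller handed us (one byte is
     * reserved for a terminator). */
    if (declared >= bufsize)
        return RX_TOO_LARGE;
    /* A short read is an error too, not a silently partial message. */
    if (stream_len - 4 < declared)
        return RX_TRUNCATED;

    memcpy(buf, stream + 4, declared);
    buf[declared] = '\0';
    *payload_len = declared;
    return RX_OK;
}

/* Constructed test input: a stream whose header claims `declared` bytes
 * while `actual` payload bytes actually follow, fed to rx_transaction
 * through a CF_BUFSIZE stack buffer as the advisory says cfservd does.
 * Returns the rx_status. */
int check_case(uint32_t declared, size_t actual)
{
    unsigned char *stream = malloc(4 + actual);
    char buf[CF_BUFSIZE];
    size_t got = 0;
    int rc;

    if (stream == NULL)
        return RX_BAD_HEADER;
    stream[0] = (unsigned char)(declared >> 24);
    stream[1] = (unsigned char)(declared >> 16);
    stream[2] = (unsigned char)(declared >> 8);
    stream[3] = (unsigned char)declared;
    memset(stream + 4, 'A', actual);

    rc = rx_transaction(stream, 4 + actual, buf, sizeof buf, &got);
    free(stream);
    if (rc == RX_OK && (got != declared || buf[got] != '\0'))
        return RX_BAD_HEADER;       /* internal consistency failure */
    return rc;
}

int main(void)
{
    printf("honest 16-byte message:        %d\n", check_case(16, 16));
    printf("claims 8192, sends 8192 bytes: %d\n", check_case(8192, 8192));
    printf("claims 64, sends 10 bytes:     %d\n", check_case(64, 10));
    return 0;
}
```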
20. MPlayer Streaming ASX Header Parsing Buffer Overrun Vulnerab...
BugTraq ID: 8702
Remote: Yes
Date Published: Sep 25 2003
Relevant URL: http://www.securityfocus.com/bid/8702
Summary:
MPlayer is a multimedia program designed for the Linux and BSD operating
systems. It supports a wide variety of video files, including the ASX
format.
A vulnerability has been discovered in MPlayer when handling malformed
streaming ASX file headers. The issue has been reported to present itself
within the ASX stream handler of MPlayer, and has been reported to be due
to a lack of sufficient boundary checks performed within the
asf_http_request() function.
An attacker may create a malicious ASX file and host it on a server that
responds to a connecting client with newline data sufficient to subvert
the boundary checks. When the malicious ASX file stream is interpreted,
excessive data contained in the http_proxy value in the ASX file header
may overrun the bounds of a reserved stack-based buffer in memory and
corrupt adjacent memory.
A remote attacker may leverage this condition to corrupt a saved
instruction pointer and thereby influence execution flow of the vulnerable
application into attacker controlled memory. Ultimately an attacker may
execute embedded instructions in the context of the user running MPlayer.
21. Athttpd Remote GET Request Buffer Overrun Vulnerability
BugTraq ID: 8709
Remote: Yes
Date Published: Sep 25 2003
Relevant URL: http://www.securityfocus.com/bid/8709
Summary:
Athttpd is a web server available for the Linux operating system.
A vulnerability has been reported for Athttpd. The problem occurs due to
insufficient bounds checking when handling GET requests. Specifically,
making a GET request including approximately 820 bytes of data will
effectively overrun the bounds of the internal memory buffer used for its
storage.
As a result, an attacker may be capable of corrupting sensitive data such
as a return address, and effectively control the execution flow of the
program. This would ultimately allow for the execution of arbitrary code.
This vulnerability is said to affect atphttpd 0.4b, however, earlier
versions may also be affected.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. FW: Linux and firewall load balancing (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/338852
2. Linux and firewall load balancing (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/338792
3. Kerberos + OpenLDAP help needed. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/338715
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Sophos Anti-Virus
By: Sophos
Platforms: AIX, DOS, FreeBSD, HP-UX, Linux, MacOS, Netware, OS/2, Solaris,
UNIX, VMS, Windows 3.x, Windows 95/98, Windows NT
Relevant URL: http://www.sophos.com/products/sav/
Summary:
Sophos Anti-Virus is a unique solution to the virus problem, providing
true cross-platform protection in a single, fully integrated product. The
network-centric design provides a host of benefits for the protection of
servers, workstations and portables. Sophos's ground-breaking architecture
maximises protection, while minimising performance and administrative
overheads.
2. F-Secure Policy Manager
By: F-Secure Corporation
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.f-secure.com/products/policy-man/index.shtml
Summary:
With F-Secure Policy Manager, your system administrator can manage all the
critical security applications from antivirus protection to file and
network encryption from one single console. The administrator can
automatically and remotely install, configure and update the applications.
It is possible to manage the security applications on almost any device
and across the enterprise so that even the security of mobile workers'
laptops is guaranteed. In addition to all this, the administrator can
easily monitor the network by generating extensive reports on the security
status of the network.
3. Gordano Messaging Suite
By: Gordano
Platforms: AIX, Linux, Solaris, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.gordano.com/
Summary:
Gordano's Messaging Suite provides robust and secure email, instant and
SMS messaging for small, medium and large businesses.
4. LANDesk Management Suite 7
By: LANDesk Software
Platforms: AIX, HP-UX, Linux, MacOS, Solaris, Windows 2000, Windows 95/98,
Windows NT, Windows XP
Relevant URL: http://www.landesk.com/products/ilms/
Summary:
LANDesk Management Suite 7 is a comprehensive, integrated management
solution that's easy to use, enabling proactive management of desktops,
servers and mobile devices across heterogeneous IT environments.
- Keep up with security patches and virus updates
- Efficiently install and maintain software on the desktop
- Decrease software license costs and respond to audits
- Reduce the cost of helpdesk support
- Discover and manage hardware and software assets
- Migrate many users and their profiles to new operating systems
5. ActiveScout Enterprise
By: ForeScout Technologies
Platforms: Linux, Solaris, Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.forescout.com/enterprise.html
Summary:
ActiveScout Enterprise actively protects a network with multiple access
points. In addition to the identification of attackers and automatic
action to stop them, this solution offers full management capabilities,
from configuration and reporting, to the sharing of threat information
between multiple deployed scouts.
6. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:
Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive with the
CANVAS API, should they so choose.
Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. MasarLabs NoArp v1.2.0
By: Masar
Relevant URL: http://www.masarlabs.com/noarp/
Platforms: Linux, POSIX
Summary:
MasarLabs NoArp is a Linux kernel module that filters and drops unwanted
ARP requests. It is useful when you need to add an alias to the loopback
interface to use a load balancer.
2. OS-SIM v0.5.1
OSSIM aims to unify network monitoring, security, correlation, and
qualification in one single tool. It combines Snort, Acid, HotSaNIC, NTOP,
OpenNMS, nmap, nessus, and rrdtool to provide the user with full control
over every aspect of networking or security.
3. Network Packet Capture Facility for Java v0.01.14
By: patrick charles
Relevant URL: http://jpcap.sourceforge.net
Platforms: Linux, Solaris, SunOS
Summary:
Network Packet Capture Facility for Java is a set of Java classes that
provide an interface and system for network packet capture. A protocol
library and tool for visualizing network traffic is included. It utilizes
libpcap, a widely used system library for packet capture.
4. Arno's IPTABLES Firewall Script v1.8.1RC-1
Arno's Iptables firewall is a script which was originally derived from
Seven's iptables script. One of the biggest differences is that this
script also has support for ADSL modems. It also features stealth scan
detection, extensive user-definable logging with rate limiting to prevent
log flooding, masquerading and port forwarding (NAT), optimizing the
throughput of your connection, protection against SYN/ICMP flooding, and
much more. It's easy to configure and highly customizable. It includes a
filter script (fwfilter) to make your firewall log more readable.
5. Portable OpenSSH v3.7.1p2
This is a Unix/Linux port of OpenBSD's excellent OpenSSH. OpenSSH is a
full implementation of the SSH1 protocol and a 99% implementation of the
SSH 2 protocol, including sftp client and server support.
6. sensorTrends v0.5
By: John Weidley
Relevant URL: http://www.packetshack.org/index.php?page=sensorTrends
Platforms: Linux
Summary:
sensorTrends is a Web-based application that displays a high-level view of
the ports that are being scanned over the course of time. The display is
similar to the look and feel of incidents.org and Dshield.com. There are
also quick links to correlate your data with incidents.org and
Dshield.com. Supported log formats are Cisco router Access Control Lists
(ACLs) syslog output, Cisco PIX firewall syslog output, Snort's
portscan.log files, and NetScreen syslog output.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: Astaro
FREE TRIAL - LinuxWorld Best Security Solution software!
Astaro Security Linux is the pre-integrated software security solution
that costs less to implement and manage. Firewall, VPN, spam/surf
protection, virus protection - download all to a single CD.
FREE TRIAL at:
http://www.securityfocus.com/sponsor/Astaro_linux-secnews_030929
------------------------------------------------------------------------
I. FRONT AND CENTER
-------------------
1. Exploiting Cisco Routers (Part One)
By Mark Wolfgang
This is the first of a three-part series that will focus on identifying
and then exploiting vulnerabilities and poor configurations in Cisco
routers.
http://www.securityfocus.com/infocus/1734
2. Intrusion Detection Terminology (Part Two)
By Andy Cuff
This is the second and final part of the series that discusses IDS
terminology, including terms where there may be disagreement from within
the security community.
http://www.securityfocus.com/infocus/1733
3. The Subpoenas are Coming!
By Mark Rasch
Citing a provision of the Patriot Act, the FBI is sending letters to
journalists telling them to secretly prepare to turn over their notes,
e-mails and sources to the bureau. Should we throw out the First Amendment
to nail a hacker?
http://www.securityfocus.com/columnists/187
4. SPECIAL ANNOUNCEMENT
We are pleased to announce that The Basics infocus area has been renamed
to Foundations, in order to accommodate a wider range of security-related
articles that are not necessarily basic, but do not fit into one of the
seven other infocus areas either.
http://www.securityfocus.com/foundations
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. IBM DB2 Discovery Service UDP Denial Of Service Vulnerabilit...
BugTraq ID: 8653
Remote: Yes
Date Published: Sep 19 2003
Relevant URL: http://www.securityfocus.com/bid/8653
Summary:
IBM DB2 is a commercial relational database implementation that is
available for a number of operating systems including Microsoft Windows
and Unix/Linux variants.
IBM DB2 includes a Discovery Service that is used to locate other
databases on the network. By default, this service listens on UDP port
523.
The IBM DB2 Discovery Service is prone to denial of service attacks. The
service expects to receive messages of a certain size. If a UDP packet
larger than 20 bytes is received by the service, it will shut down. The
"DB2 - DB2DAS00" service must then be restarted to regain normal
functionality.
2. LSH Remote Buffer Overflow Vulnerability
BugTraq ID: 8655
Remote: Yes
Date Published: Sep 19 2003
Relevant URL: http://www.securityfocus.com/bid/8655
Summary:
lsh is a free software implementation of the ssh version 2 protocol. It is
available for multiple platforms including Linux, Unix and Apple.
lsh has been reported prone to a remote buffer overflow vulnerability. The
condition is reported to present itself under fairly restrictive
circumstances; specifically the vulnerable server must receive malicious
exploit data before any other communications after it has been started.
The vulnerability has been reported to exist in read_line.c, inside an
error reporting function. It has been reported that the vulnerable
function does not return from a reporting procedure, and instead writes
arbitrary data past the end of a reserved buffer in heap-based memory.
This will eventually lead to the corruption of adjacent heap based
management structures.
This vulnerability has been reported to be exploitable pre-authentication,
resulting in the execution of arbitrary attacker supplied instructions in
the context of the affected daemon.
Although this issue has been reported to affect lsh versions 1.4.x, other
versions may also be affected.
3. ColdFusionMX Error Handler Pages Cross-Site Scripting Vulner...
BugTraq ID: 8660
Remote: Yes
Date Published: Sep 19 2003
Relevant URL: http://www.securityfocus.com/bid/8660
Summary:
ColdFusion MX is Macromedia's application server for developing and
hosting web applications. It is available as a standalone product for
Unix, Linux, and Microsoft operating systems.
ColdFusionMX has been reported prone to a cross-site scripting
vulnerability under some circumstances.
The issue has been reported to present itself in web sites that use the
default ColdFusionMX Site-Wide Error Handler page; the default
ColdFusionMX Missing Template Handler has additionally been reported
vulnerable.
The vendor has reported that an HTTP header containing malicious content
in the 'referer' field may be used as an attack vector to inject
malicious content into the aforementioned error handler pages of
ColdFusionMX.
This vulnerability may be exploited by malicious attackers to execute
arbitrary HTML or script code in the context of the affected site, in the
browsers of unsuspecting users.
This vulnerability has been reported to affect ColdFusion MX 6.0, 6.1 (all
editions), 6.0 J2EE (all editions), 6.1 J2EE (all editions), and ColdFusion
5.0 and prior versions.
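The defensive counterpart to the Referer reflection described above is to
escape the header value before it is written into the error page. The
following is an added example in C; it is not code from the newsletter or
from ColdFusion. It shows a small HTML-escaping routine and a hypothetical
error-page renderer that passes the client-supplied Referer through it. The
function names, page layout and buffer sizes are this example's own
assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the five characters that can change HTML context, so a reflected
 * request header is rendered as text rather than markup.  Returns the number
 * of bytes written (excluding the NUL), or -1 if the output buffer is too
 * small to hold the escaped text. */
long html_escape(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (used + rl + 1 > outsz)      /* +1 keeps room for the terminator */
            return -1;
        memcpy(out + used, rep, rl);
        used += rl;
    }
    out[used] = '\0';
    return (long)used;
}

/* Render a missing-template style error page.  The Referer value comes from
 * the client, so it is escaped before being placed in the page body.
 * Hypothetical page layout; not ColdFusion's own handler. */
long render_error_page(const char *referer, char *out, size_t outsz)
{
    char safe[2048];
    if (html_escape(referer ? referer : "", safe, sizeof safe) < 0)
        return -1;
    int n = snprintf(out, outsz,
                     "<html><body><h1>Page not found</h1>"
                     "<p>Referred from: %s</p></body></html>", safe);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    char page[4096];
    /* Constructed sample: a Referer carrying markup. */
    if (render_error_page("http://example.invalid/?q=<b>hi</b>",
                          page, sizeof page) > 0)
        puts(page);
    return 0;
}
```

Escaping happens at the point of output, in the HTML context; a value that
is later placed in a URL or in JavaScript needs the encoding for that
context instead.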
4. myPHPNuke auth.inc.php SQL Injection Vulnerability
BugTraq ID: 8663
Remote: Yes
Date Published: Sep 20 2003
Relevant URL: http://www.securityfocus.com/bid/8663
Summary:
myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available
for the Linux and Microsoft Windows operating systems.
A vulnerability has been reported to exist in myPHPNuke that may allow a
remote attacker to inject malicious SQL syntax into database queries. The
source of this issue is insufficient sanitization of user-supplied input.
The problem is reported to exist in the $aid variable contained within the
auth.inc.php module. It has been reported that $aid is not sanitized
before it is included in a database query. A remote attacker may exploit
this issue to influence SQL query logic.
A malicious user may influence database queries in order to view or modify
sensitive information, potentially compromising the software or the
database.
myPHPNuke version 1.8.8 has been reported to be prone to this issue,
however other versions may be affected as well.
5. ipmasq Incorrect Packet Forwarding Default Ruleset Vulnerabi...
BugTraq ID: 8664
Remote: Yes
Date Published: Sep 20 2003
Relevant URL: http://www.securityfocus.com/bid/8664
Summary:
ipmasq is a package that is used to initialize and simplify the
configuration of Linux IP Masquerade. IP Masquerade is a feature of Linux
that allows multiple hosts to share a single IP address.
Debian has reported that the firewall rules configured by ipmasq may
result in incorrect (and potentially insecure) forwarding of traffic on
the gateway host. According to the report, any traffic destined for
internal hosts arriving at the external interface of the gateway will be
forwarded to the destination host on the internal network regardless of
whether the packet can be associated with an established connection or
not. This behavior is incorrect and may result in attackers gaining
unauthorized access to internal and potentially more vulnerable hosts.
ipmasq 3.5.10 has been reported to be prone to this vulnerability.
6. Sun Java XML Document Nested Entity Denial Of Service Vulner...
BugTraq ID: 8666
Remote: No
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8666
Summary:
A problem has been identified in Sun Java when handling XML documents with
specific constructs. Because of this, an attacker with the ability to
cause the software to parse malicious XML documents may have the ability
to crash a system hosting Sun Java.
The problem is in the handling of nested entities. By default Sun Java
does not permit recursive entity definitions. This default design
prevents resource consumption and denial of service through looping entity
definitions.
However, by using multiple deeply nested entity definitions, it is
possible to cause excessive consumption of system resources. By creating
maliciously nested entity definitions, it is possible to force the Java
engine to spend excessive amounts of processor and memory resources
attempting to reach the end of nested entities, making all system
resources unavailable for a period of time. This attack could be repeated
continuously to cause a prolonged denial of service.
This problem is known to affect the Sun Java Runtime Environment. Other
versions may also be affected.
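The resource exhaustion described above can be bounded before parsing by
charging every entity reference against an expansion budget, which is what
the entity expansion limits in modern XML parsers do. The following is an
added example in C, not code from the newsletter or from Sun's parser. It
collects the <!ENTITY ...> declarations of an internal DTD subset and
computes their recursive expansion size, refusing the document when that
size exceeds a limit or when a reference chain runs deeper than a fixed
depth (which also catches an entity that refers to itself). The limits,
the function names and the constructed documents in the usage are
assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed limits for this example; real parsers expose comparable knobs
 * (an entity expansion limit and a maximum nesting depth). */
#define MAX_ENTITIES 64
#define MAX_NAME     32
#define MAX_DEPTH    16

struct entity {
    char name[MAX_NAME];
    const char *value;   /* points into the document text */
    size_t vlen;
};

struct entity_table {
    struct entity e[MAX_ENTITIES];
    int n;
};

static int is_space(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }

/* Collect <!ENTITY name "value"> declarations from the internal DTD subset.
 * Only the general-entity, double-quoted literal form is handled here. */
int collect_entities(const char *doc, struct entity_table *t)
{
    const char *p = doc;
    t->n = 0;
    while ((p = strstr(p, "<!ENTITY")) != NULL) {
        p += 8;
        while (is_space(*p)) p++;
        size_t nl = 0;
        while (p[nl] && !is_space(p[nl]) && p[nl] != '"') nl++;
        if (nl == 0 || nl >= MAX_NAME || t->n >= MAX_ENTITIES) return -1;
        const char *name = p;
        p += nl;
        while (is_space(*p)) p++;
        if (*p != '"') return -1;
        p++;
        const char *end = strchr(p, '"');
        if (end == NULL) return -1;
        struct entity *e = &t->e[t->n++];
        memcpy(e->name, name, nl);
        e->name[nl] = '\0';
        e->value = p;
        e->vlen = (size_t)(end - p);
        p = end + 1;
    }
    return t->n;
}

static const struct entity *find_entity(const struct entity_table *t,
                                        const char *name, size_t nl)
{
    for (int i = 0; i < t->n; i++)
        if (strlen(t->e[i].name) == nl && memcmp(t->e[i].name, name, nl) == 0)
            return &t->e[i];
    return NULL;
}

/* Size of text[0..len) once every &name; reference is expanded, recursively.
 * Returns -1 as soon as the running total exceeds budget or the reference
 * chain is deeper than MAX_DEPTH. */
static long expanded_size(const struct entity_table *t, const char *text,
                          size_t len, int depth, long budget)
{
    long total = 0;
    if (depth > MAX_DEPTH) return -1;
    for (size_t i = 0; i < len; i++) {
        if (text[i] == '&') {
            const char *semi = memchr(text + i, ';', len - i);
            if (semi != NULL) {
                size_t nl = (size_t)(semi - (text + i)) - 1;
                const struct entity *e = find_entity(t, text + i + 1, nl);
                if (e != NULL) {
                    long sub = expanded_size(t, e->value, e->vlen, depth + 1,
                                             budget - total);
                    if (sub < 0) return -1;
                    total += sub;
                    i = (size_t)(semi - text);   /* skip past the ';' */
                    continue;
                }
            }
        }
        if (++total > budget) return -1;
    }
    return total;
}

/* 1 if the combined expansion of all declared entities stays within budget,
 * 0 if it does not (or the DTD subset could not be parsed). */
int xml_entity_budget_ok(const char *doc, long budget)
{
    struct entity_table t;
    long total = 0;
    if (collect_entities(doc, &t) < 0) return 0;
    for (int i = 0; i < t.n; i++) {
        long s = expanded_size(&t, t.e[i].value, t.e[i].vlen, 0, budget - total);
        if (s < 0) return 0;
        total += s;
    }
    return total <= budget;
}
```

A real parser charges each reference as it is met in the document body as
well; this pre-check bounds the worst case of the declared entities, so a
document whose declarations alone would expand past the budget is refused
before any parsing work is spent on it.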
7. Wu-Ftpd SockPrintf() Remote Stack-based Buffer Overrun Vulne...
BugTraq ID: 8668
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8668
Summary:
Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by
Washington University. Wu-Ftpd includes an option 'MAIL_ADMIN', which
allows the administrator to be e-mailed when a specific event occurs on
the server. One such event may be the uploading of a remote file.
A remote vulnerability has been discovered in Wu-Ftpd, when configured
using the 'MAIL_ADMIN' option to report file uploads, that could allow for
the execution of arbitrary code. It should be noted that Wu-Ftpd servers
running the default configuration are not affected by this vulnerability.
The problem is present within the SockPrintf() function, located within
the ftpd.c source file, and occurs due to insufficient bounds checking.
When SockPrintf() is called, a number of formatted arguments are passed to
the svprintf() function and are stored within the local stack buffer. Due
to insufficient bounds checking prior to calling svprintf(), an attacker
capable of influencing data passed to SockPrintf() may be capable of
overrunning the 32768 byte buffer with malicious data.
This issue may be exploitable through the store() function defined in
ftpd.c, which invokes the SockPrintf() function using an uploaded filename
as the 'name' argument. If an attacker was somehow capable of influencing
the size of the path used to store the uploaded file, possibly by creating
nested directories, it may be possible to construct a 'name' argument
greater than 32768 bytes. This would effectively result in the allocated
stack buffer being overrun, and could ultimately allow for the corruption
of sensitive stack variables such as a saved frame pointer or a return
address.
It should be noted that specific operating systems place a limit on the
available size of filenames. For instance, Linux limits the size to 4096
bytes. Due to this limit, this bug may not be exploitable on certain
systems. However, if the aforementioned nested directory creation is
possible, exploitation may still be possible on systems that set smaller
size limits.
Successful exploitation of this vulnerability could result in the
execution of arbitrary code with the privileges of the Wu-Ftpd server,
typically root.
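For the stack overrun described above, the usual fix is to format with a
length-aware call and to treat a result that does not fit as an error
rather than truncating or, worse, writing past the buffer. The following is
an added example in C and is not wu-ftpd's code: a bounded formatting helper
built on vsnprintf(), and a hypothetical upload-notice line that caps the
attacker-influenced path before it reaches the formatter. The function
names and the 4096-byte path limit are assumptions of the example; the
32768-byte buffer size is the one the text mentions.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SOCKBUF    32768   /* size of the fixed buffer, as in the advisory */
#define PATH_LIMIT 4096    /* policy cap on an uploaded file's path length */

/* Format into a fixed buffer and report whether the result fit.  vsnprintf
 * never writes beyond bufsize, and its return value is the length the full
 * message would have had, so an oversized message is refused instead of
 * being silently truncated or, as with an unbounded vsprintf, written past
 * the end of the stack buffer.  Returns the length, or -1 if it did not fit. */
long format_bounded(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsize, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize > 0)
            buf[0] = '\0';               /* never hand a partial line onward */
        return -1;
    }
    return n;
}

/* Stand-in for the upload-notification line: the path is attacker-influenced
 * (nested directories), so its length is checked before it reaches the
 * formatter.  Hypothetical helper, not wu-ftpd's SockPrintf(). */
long upload_notice(const char *path, char *out, size_t outsz)
{
    if (strlen(path) > PATH_LIMIT)
        return -1;
    return format_bounded(out, outsz, "File uploaded: %s\r\n", path);
}

int main(void)
{
    static char line[SOCKBUF];
    long n = upload_notice("/pub/incoming/report.txt", line, sizeof line);
    if (n >= 0)
        fputs(line, stdout);
    return 0;
}
```

Both checks matter: the path cap keeps a single argument from consuming the
whole buffer, and the vsnprintf result check catches the case where several
legitimate-sized arguments add up to more than the buffer holds.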
8. Speak Freely Show Your Face Malformed Gif Denial Of Service ...
BugTraq ID: 8669
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8669
Summary:
Speak Freely is a freely available Internet voice communication
application. It is available for the Unix, Linux, and Microsoft Windows
platforms.
Speak Freely clients may crash when processing malformed GIF images. This
vulnerability is exposed via the "Show Your Face" feature, which allows
clients to send images to other clients. In particular, a GIF with "Image
width" and "Image height" header fields that are too large or equal to
zero will trigger this issue.
When such a malformed "Show Your Face" GIF is received and processed by a
client, the client will crash.
Though unconfirmed, this could permit an attacker to corrupt memory with
specific values, potentially leading to arbitrary code execution.
This issue is reported to affect Speak Freely on Windows platforms only.
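Validating the dimension fields before anything is allocated or decoded is
the standard defence against the malformed-image crash described above.
The following is an added C example, not Speak Freely's code: it checks the
signature and logical screen descriptor of a received GIF, rejects zero or
oversized dimensions, and computes the pixel buffer size in a wide integer
before applying an allocation ceiling. The caps, the status enum and the
helper that builds test headers are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed policy values for this example: the largest face image the
 * client is willing to decode, and the most memory it will allocate for it. */
#define MAX_FACE_DIM   1024u
#define MAX_FACE_BYTES (1u << 20)

enum gif_status {
    GIF_OK = 0,
    GIF_TOO_SHORT,
    GIF_BAD_SIGNATURE,
    GIF_ZERO_DIMENSION,
    GIF_DIMENSION_TOO_LARGE,
    GIF_BUFFER_TOO_LARGE
};

static uint16_t rd16(const unsigned char *p)   /* little-endian, as GIF stores it */
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Validate the 13-byte GIF header (signature + logical screen descriptor)
 * before anything is allocated or decoded.  On success *pixel_bytes is the
 * size of an RGBA buffer for the declared dimensions. */
enum gif_status gif_check_header(const unsigned char *buf, size_t len,
                                 size_t *pixel_bytes)
{
    if (len < 13)
        return GIF_TOO_SHORT;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_BAD_SIGNATURE;

    uint16_t width  = rd16(buf + 6);
    uint16_t height = rd16(buf + 8);

    if (width == 0 || height == 0)
        return GIF_ZERO_DIMENSION;        /* a zero-sized image is never valid input */
    if (width > MAX_FACE_DIM || height > MAX_FACE_DIM)
        return GIF_DIMENSION_TOO_LARGE;

    /* Multiply in a 64-bit type so the product cannot wrap even if the caps
     * above are raised later; then apply the allocation ceiling. */
    uint64_t bytes = (uint64_t)width * (uint64_t)height * 4u;
    if (bytes > MAX_FACE_BYTES)
        return GIF_BUFFER_TOO_LARGE;

    if (pixel_bytes)
        *pixel_bytes = (size_t)bytes;
    return GIF_OK;
}

/* Helper for tests and demos: build a minimal header with the given
 * dimensions (the packed, background and aspect bytes are left zero). */
size_t gif_make_header(unsigned char out[13], uint16_t width, uint16_t height)
{
    memcpy(out, "GIF89a", 6);
    out[6] = (unsigned char)(width & 0xff);
    out[7] = (unsigned char)(width >> 8);
    out[8] = (unsigned char)(height & 0xff);
    out[9] = (unsigned char)(height >> 8);
    out[10] = out[11] = out[12] = 0;
    return 13;
}
```

The same checks belong on the per-image descriptor that follows the 0x2C
separator, whose width and height must also fit inside the logical screen.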
9. Speak Freely Spoofed UDP Packet Flood Remote Denial Of Servi...
BugTraq ID: 8670
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8670
Summary:
Speak Freely is a freely available Internet voice communication
application. It is available for the Unix, Linux, and Microsoft Windows
platforms.
Speak Freely for Microsoft Windows has been reported prone to a remote
denial of service vulnerability. The issue presents itself when the Speak
Freely software handles multiple UDP connections in quick succession that
have spoofed IP addresses. It has been reported that the software will
exponentially consume resources until it fails shortly after displaying
the following error message: "Cannot create transmit socket for host
(x.x.x.x), error 10055. No buffer space is available".
It has been reported that this vulnerability may also be exploited on a
low speed network, due to the low UDP packet size required to trigger the
issue.
This vulnerability has been reported to affect Speak Freely versions up to
and including 7.6a, for Microsoft Windows platforms. The Unix version is
not reported prone to this issue.
10. NetUP UTM Web Interface Session ID SQL Injection Vulnerabili...
BugTraq ID: 8671
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8671
Summary:
NetUp UTM is a billing system for Internet Service Providers (ISP). It
includes a web interface, which allows users to log in and manage their
accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
operating systems.
A vulnerability has been reported to exist in NetUp UTM that may allow a
remote attacker to inject malicious SQL syntax into specific database
queries. The source of this issue is insufficient sanitization of
user-supplied input.
The problem is reported to exist in the $sid variable, used to supply a
current session id. It has been reported that potential control characters
stored within the $sid variable are not escaped prior to being included
within a SELECT statement. As a result, an attacker may be capable of
hijacking a user's session by supplying malicious SQL data within a request
to the NetUp UTM web interface. This could be accomplished by including
commands designed to escape the context of the expected data and influence
the logic of the query.
Successful exploitation of this issue could allow an attacker to gain
access to the account of another user who has an active session. It
should be noted that a malicious user might also be capable of influencing
database queries in order to view or modify sensitive information,
potentially compromising the software or underlying database.
11. NetUP UTM Web Interface utm_stat Script SQL Injection Vulner...
BugTraq ID: 8672
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8672
Summary:
NetUp UTM is a billing system for Internet Service Providers (ISP). It
includes a web interface, which allows users to log in and manage their
accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
operating systems.
A vulnerability has been reported to exist in NetUp UTM that may allow a
remote attacker to inject malicious SQL syntax into specific database
queries. The source of this issue is insufficient sanitization of
user-supplied input.
The problem is reported to exist when handling data passed to the
'utm_stat' script. It has been reported that potential control characters
stored within variables passed to this script are not escaped prior to
being included within various SQL queries. As a result, an attacker may
be capable of modifying sensitive attributes of their user account. This
may include current money balance and bill status. It may also be possible
to influence the configuration behavior of the server, potentially making
it possible to execute arbitrary shell commands with 'nobody' privileges.
This could be accomplished by including commands designed to escape the
context of the expected data and influence the logic of the query.
It should be noted that the implications of this vulnerability might be
compounded by the issue described in BID 8671. If used in conjunction,
these issues may allow an attacker to modify the account data of arbitrary
ISP users.
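Items 4, 10 and 11 all stem from user-supplied values ($aid, $sid and the
parameters of the utm_stat script) reaching SQL unchecked. The primary fix
is to issue parameterised queries; as defence in depth, each value can also
be validated against the shape the application actually issues, so quotes,
comments and other control characters never get near the query. The
following is an added C example (not code from myPHPNuke or NetUP UTM)
showing allow-list validators for a session id and an integer account id.
The 32-character lowercase hex session id format, the account id range and
the function names are assumptions of the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed policy for this example: the application issues session ids
 * as exactly 32 lowercase hex digits, and account ids are small positive
 * integers.  Anything else is rejected before a query is built. */
#define SID_LEN        32
#define MAX_ACCOUNT_ID 1000000L

/* Allow-list check for a session id: fixed length and hex alphabet only. */
int valid_session_id(const char *sid)
{
    if (sid == NULL || strlen(sid) != SID_LEN)
        return 0;
    for (size_t i = 0; i < SID_LEN; i++) {
        char c = sid[i];
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f')))
            return 0;
    }
    return 1;
}

/* Parse an account id ($aid-style parameter) strictly: digits only, no sign
 * or leading space, no trailing characters, within a plausible range.
 * Returns 1 and sets *out on success, 0 otherwise. */
int parse_account_id(const char *s, long *out)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0' || *s < '0' || *s > '9')
        return 0;                           /* rejects "", "-1", " 42", "+3" */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return 0;                           /* overflow, or "42 OR 1=1" */
    if (v < 1 || v > MAX_ACCOUNT_ID)
        return 0;
    *out = v;
    return 1;
}

/* Gate a session lookup on both values.  With a real database driver this is
 * where a prepared statement would be built with the values bound as
 * parameters; the checks above are defence in depth, not a replacement. */
int session_lookup_allowed(const char *sid, const char *aid, long *account_id)
{
    if (!valid_session_id(sid))
        return 0;
    return parse_account_id(aid, account_id);
}
```

Validation of this kind also gives a clean point to log and count rejected
requests, which is often the first sign that a web interface is being probed.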
12. NetUp UTM Web Interface Local Privilege Escalation Vulnerabi...
BugTraq ID: 8673
Remote: No
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8673
Summary:
NetUp UTM is a billing system for Internet Service Providers (ISP). It
includes a web interface, which allows users to log in and manage their
accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
operating systems.
A vulnerability has been discovered in NetUP UTM that may allow a user who
is capable of executing code locally to gain elevated privileges. The
problem occurs because the 'nobody' user's sudoers entry allows the use of
the '/bin/mv' utility with root privileges. As a result, a malicious user
with 'nobody' privileges may be capable of gaining root privileges on a
target system.
The implications of this vulnerability may be compounded by the issues
described in BID 8671 and BID 8672. If used in conjunction with these
issues an unauthorized remote attacker may be capable of gaining root
privileges on a target system.
13. Multiple Portable OpenSSH PAM Vulnerabilities
BugTraq ID: 8677
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8677
Summary:
Multiple vulnerabilities have been reported to affect Portable OpenSSH
with PAM support enabled. It has been reported that at least one of these
vulnerabilities may be exploitable, under a non-standard configuration
with privsep disabled, by a remote attacker.
Explicit technical details regarding these vulnerabilities are not
currently available; this BID will be updated as further analysis of these
conditions is completed.
This vulnerability has been reported to affect Portable OpenSSH versions
3.7p1 and 3.7.1p1. OpenBSD releases of OpenSSH do not contain the
vulnerable code and so are not reported to be affected.
14. wzdftpd Login Remote Denial of Service Vulnerability
BugTraq ID: 8678
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8678
Summary:
wzdftpd is an FTP server implementation that is available for the Unix,
Linux, and Microsoft Windows platforms.
A vulnerability has been reported to exist in the software that may allow
a remote attacker to cause a denial of service condition. The issue
presents itself when a remote attacker sends a single CRLF sequence to
the program during the login process. The attack may cause the software
to act in an unstable manner.
This issue occurs due to improper sanitizing of user-supplied input and a
successful attack may allow a remote attacker to cause the vulnerable
process to crash.
wzdftpd version 0.1rc5 has been reported to be prone to this
vulnerability, however other versions across various platforms may be
affected as well.
15. ProFTPD ASCII File Transfer Buffer Overrun Vulnerability
BugTraq ID: 8679
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8679
Summary:
ProFTPD is an FTP server implementation that is available for Unix and
Linux platforms.
A remotely exploitable buffer overrun vulnerability has been reported in
ProFTPD.
This issue could be triggered if a malicious file is transferred in ASCII
mode. Specifically, ASCII transfers are read in 1024 byte chunks and
checked for newlines (\n). Improper handling of newline characters in
ASCII files may potentially be abused to corrupt memory with
attacker-supplied values. If sensitive values in memory such as
instruction pointers can be overwritten with attacker-supplied data, it
will be possible to control execution flow of the process and execute
arbitrary code.
Successful exploitation will permit a malicious FTP user with upload
access to execute arbitrary code in the context of the FTP server. To
exploit the issue, the attacker must upload the malicious file and then
attempt to download it.
It is also reported that ProFTPD does not adequately drop privileges in
some circumstances, which may compound the risks associated with
exploitation.
This issue could also affect versions prior to 1.2.7, though this has not
been confirmed.
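The ASCII-mode issue above is an output-sizing problem: every '\n' in a
1024-byte chunk can become '\r\n', so a chunk made of newlines needs twice
its input size on output. The following is an added C example, not
ProFTPD's code. It sizes the output for the worst case before converting,
carries a trailing CR across chunk boundaries so a split CRLF is not
doubled, and drives a whole buffer through 1024-byte reads the way a data
connection would. Function names and all buffer sizes other than the
1024-byte chunk are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>

#define CHUNK 1024   /* the read size the advisory mentions */

/* Upper bound on the output of an ASCII-mode (LF -> CRLF) conversion of
 * in[0..len): every '\n' can grow by one byte. */
size_t ascii_out_bound(const unsigned char *in, size_t len)
{
    size_t nl = 0;
    for (size_t i = 0; i < len; i++)
        if (in[i] == '\n')
            nl++;
    return len + nl;
}

/* Convert one chunk.  The output size is checked against the worst case
 * before any byte is written; -1 means the caller's buffer is too small.
 * prev_cr carries whether the previous chunk ended in '\r', so a CRLF pair
 * split across two reads is not turned into CR CR LF. */
long ascii_convert_chunk(const unsigned char *in, size_t len,
                         unsigned char *out, size_t outsz, int *prev_cr)
{
    size_t o = 0;
    if (ascii_out_bound(in, len) > outsz)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\n' && !*prev_cr)
            out[o++] = '\r';
        out[o++] = in[i];
        *prev_cr = (in[i] == '\r');
    }
    return (long)o;
}

/* Stream a file through CHUNK-sized reads the way a data connection would,
 * with a per-chunk output buffer sized for the worst case (all newlines).
 * Returns total bytes produced, or -1 if out cannot hold them. */
long ascii_transfer(const unsigned char *file, size_t filelen,
                    unsigned char *out, size_t outsz)
{
    unsigned char chunk_out[2 * CHUNK];     /* worst case: len + len newlines */
    int prev_cr = 0;
    size_t written = 0;
    for (size_t off = 0; off < filelen; off += CHUNK) {
        size_t n = (filelen - off < CHUNK) ? filelen - off : CHUNK;
        long m = ascii_convert_chunk(file + off, n, chunk_out,
                                     sizeof chunk_out, &prev_cr);
        if (m < 0 || written + (size_t)m > outsz)
            return -1;
        memcpy(out + written, chunk_out, (size_t)m);
        written += (size_t)m;
    }
    return (long)written;
}
```

The test-style input to keep in mind is a file consisting only of newlines:
its converted size is exactly double, which is the case a fixed
1024-byte output buffer cannot hold.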
16. MPG123 Remote File Play Heap Corruption Vulnerability
BugTraq ID: 8680
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8680
Summary:
mpg123 is a freely available, open source audio file player. mpg123 is
available for the Linux and Unix platforms.
A problem in the handling of some types of remote files has been reported
in mpg123. Because of this, it may be possible for a remote attacker to
execute arbitrary code with the privileges of the mpg123 user.
The problem occurs in the readstring function implemented in the httpget.c
source file. When the program is used to connect to a remote streaming
server, it receives strings which it places onto the heap. However, the
readstring function does not sufficiently limit the data in some
instances, making it possible for an attacker to send an arbitrary amount
of data. An attacker can use this problem to overwrite sensitive process
memory, potentially executing arbitrary instructions.
17. NullLogic Null HTTPd Error Page Long HTTP Request Cross-Site...
BugTraq ID: 8695
Remote: Yes
Date Published: Sep 24 2003
Relevant URL: http://www.securityfocus.com/bid/8695
Summary:
NullLogic Null HTTPd is a small multithreaded web server for Linux and
Windows.
A vulnerability has been reported in the software that may allow an
attacker to execute HTML or script in the browser of a user running the
vulnerable version of the software.
The issue has been reported previously (BID 5603) and fixed; however, a
bypass of the fix has been reported, leading again to a cross-site
scripting error. The problem is reported to present itself when displaying error
pages. An attacker may be able to pass long HTTP requests to the software
that overwrite memory and therefore bypass the check for cross-site
scripting issues. As a result, an attacker may construct a link
containing malicious HTML and script code that will be rendered in a
user's browser upon visiting that link. This would occur in the context
of the affected site.
Successful exploitation of this issue may allow a remote attacker to steal
cookie-based authentication credentials. Other attacks are possible as
well.
Null HTTPd version 0.5.1 and prior are reported to be prone to this issue.
18. NullLogic Null HTTPd Remote Denial Of Service Vulnerability
BugTraq ID: 8697
Remote: Yes
Date Published: Sep 24 2003
Relevant URL: http://www.securityfocus.com/bid/8697
Summary:
NullLogic Null HTTPd is a small multithreaded web server for Linux and
Windows.
Null HTTPd has been reported prone to a remotely triggered denial of
service vulnerability.
The issue has been reported to present itself in the HTTP POST handling
routines within the Null HTTPd server. It has been reported that a remote
attacker may make a malicious HTTP POST request, specifying a
'Content-Length' value in the HTTP header and then sending data that
amounts to 1 byte less than the specified Content-Length.
It has been reported that after several consecutive connections employing
the method described above, the affected service will consume system
resources exponentially, effectively denying service to legitimate users.
Although unconfirmed, this behavior has been reported to be due to the
closure of an active connection by the client before the expected data
transfer is completed, resulting in multiple threads remaining active in
an open state, waiting for the expected data.
This vulnerability has been reported to affect Null HTTPd versions up to
and including 0.5.1.
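The thread exhaustion described above is what a body read without a
deadline looks like from the server side. The following is an added C
example, not Null HTTPd's code: it reads a POST body with poll() so that a
client which stops one byte short of its Content-Length is timed out and a
client which closes early is detected as end-of-file, in both cases
returning the worker thread to service. A socketpair stands in for the
client connection so the example runs offline. Function names, the
4096-byte buffers and the timeouts are assumptions of the example.

```c
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read exactly `want` body bytes from fd.  A client that announces a
 * Content-Length and then sends one byte less (or closes) must not pin a
 * worker thread forever: each wait is bounded by timeout_ms and EOF is an
 * error.  Returns bytes read, -1 on EOF/error, -2 on timeout. */
long read_post_body(int fd, unsigned char *buf, size_t want, int timeout_ms)
{
    size_t got = 0;
    while (got < want) {
        struct pollfd pfd;
        pfd.fd = fd;
        pfd.events = POLLIN;
        pfd.revents = 0;
        int r = poll(&pfd, 1, timeout_ms);
        if (r == 0)
            return -2;                      /* client went quiet: release the thread */
        if (r < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        ssize_t n = read(fd, buf + got, want - got);
        if (n == 0)
            return -1;                      /* peer closed before the full body arrived */
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        got += (size_t)n;
    }
    return (long)got;
}

/* Offline driver: a socketpair stands in for the client connection.  The
 * "client" end writes send_len bytes against an announced content_len, then
 * either stays silent or closes.  Returns read_post_body's result, or -99
 * if the simulation itself could not be set up. */
long simulate_post(size_t content_len, size_t send_len, int client_closes,
                   int timeout_ms)
{
    int sv[2];
    static unsigned char body[4096];
    static unsigned char dst[4096];
    if (content_len > sizeof dst || send_len > sizeof body)
        return -99;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -99;
    memset(body, 'x', sizeof body);
    size_t off = 0;
    while (off < send_len) {
        ssize_t n = write(sv[0], body + off, send_len - off);
        if (n <= 0) break;
        off += (size_t)n;
    }
    if (client_closes) {
        close(sv[0]);
        sv[0] = -1;
    }
    long r = read_post_body(sv[1], dst, content_len, timeout_ms);
    if (sv[0] >= 0) close(sv[0]);
    close(sv[1]);
    return r;
}
```

The deadline should be short enough that a few hundred idle connections
cannot hold the whole thread pool, and the server should also cap the
Content-Length it is willing to buffer at all.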
19. CFEngine CFServD Transaction Packet Buffer Overrun Vulnerabi...
BugTraq ID: 8699
Remote: Yes
Date Published: Sep 25 2003
Relevant URL: http://www.securityfocus.com/bid/8699
Summary:
GNU cfengine is software for automating administration and maintenance of
large networks. It is available for Unix and Linux variants.
cfengine is prone to a stack-based buffer overrun vulnerability. This
issue may be exploited by remote attackers who are able to send malicious
transaction packets to cfservd. cfservd is typically configured to run on
a central master server, which may have some degree of authority over
other systems in the network.
This issue is due to insufficient bounds checking of data that is read in
during a transaction with a remote user. In particular, the
BusyWithConnection() function in the cfservd.c source file passes
externally supplied data in a 4096 byte stack-based buffer to the
ReceiveTransaction() function in net.c. A value for the message length is
then read from the socket by ReceiveTransaction(). The message length and
buffer are then passed to the RecvSocketStream() function. If the message
length is more than 4096 bytes, then adjacent regions of memory will be
corrupted with the superfluous data. In this manner it is possible to
corrupt stack variables such as an instruction pointer with
attacker-supplied values, allowing for control of execution flow and
execution of malicious instructions embedded in memory by the attacker.
The vulnerability may be exploited to execute arbitrary code with the
privileges of cfservd. A denial of service may also be the result of
exploitation attempts as cfservd is multi-threaded and may not be
configured to restart itself via a super-server such as inetd.
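The check the advisory describes as missing is a comparison of the
peer-supplied message length against the size of the stack buffer before
any data is copied into it. The following is an added C example, not
cfengine's code: a length-prefixed receive routine that performs that
comparison and refuses oversized messages, driven by an in-memory stream so
it runs offline. The 4-byte big-endian framing and the function names are
the example's assumptions; the 4096-byte buffer size is the one in the
text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUFSIZE 4096   /* the fixed stack buffer handed to the receive routine */

/* In-memory stand-in for the socket so the example runs offline. */
struct stream {
    const unsigned char *data;
    size_t len, pos;
};

/* Read exactly n bytes or fail (peer closed early). */
static int stream_read(struct stream *s, void *dst, size_t n)
{
    if (s->len - s->pos < n)
        return -1;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return 0;
}

/* Receive one transaction: a 4-byte big-endian length, then that many bytes.
 * The length is chosen by the peer, so it is compared with the caller's
 * buffer size before a single payload byte is copied.  Returns the payload
 * length, -1 on a short/invalid stream, -2 when the advertised length does
 * not fit (the condition the advisory describes).  Hypothetical routine,
 * not cfengine's ReceiveTransaction(). */
long receive_transaction(struct stream *s, unsigned char *buf, size_t bufsize)
{
    unsigned char hdr[4];
    if (stream_read(s, hdr, sizeof hdr) != 0)
        return -1;
    uint32_t msglen = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                      ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (msglen > bufsize)
        return -2;                           /* refuse rather than overrun buf */
    if (stream_read(s, buf, msglen) != 0)
        return -1;
    return (long)msglen;
}

/* The connection handler as a server would write it: fixed stack buffer,
 * with its size passed down explicitly so the bound cannot drift from the
 * buffer it protects. */
long handle_connection(const unsigned char *wire, size_t wirelen)
{
    struct stream s = { wire, wirelen, 0 };
    unsigned char buf[BUFSIZE];
    return receive_transaction(&s, buf, sizeof buf);
}

/* Frame a message for tests: claimed_len goes on the wire and paylen bytes
 * follow, so a dishonest length can be simulated. */
size_t frame_message(unsigned char *out, size_t outsz, uint32_t claimed_len,
                     const unsigned char *payload, size_t paylen)
{
    if (outsz < 4 + paylen)
        return 0;
    out[0] = (unsigned char)(claimed_len >> 24);
    out[1] = (unsigned char)(claimed_len >> 16);
    out[2] = (unsigned char)(claimed_len >> 8);
    out[3] = (unsigned char)(claimed_len);
    memcpy(out + 4, payload, paylen);
    return 4 + paylen;
}
```

Passing the buffer size alongside the buffer, as receive_transaction() does,
is the point: a routine that takes only a pointer has to assume a size, and
that assumption is what an oversized length exploits.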
20. MPlayer Streaming ASX Header Parsing Buffer Overrun Vulnerab...
BugTraq ID: 8702
Remote: Yes
Date Published: Sep 25 2003
Relevant URL: http://www.securityfocus.com/bid/8702
Summary:
MPlayer is a multimedia program designed for the Linux and BSD operating
systems. It supports a wide variety of video files, including the ASX
format.
A vulnerability has been discovered in MPlayer when handling malformed
streaming ASX file headers. The issue is reported to lie within the ASX
stream handler of MPlayer, in the asf_http_request() function, which is
reported to perform insufficient boundary checks.
An attacker may create a malicious ASX file and host it on a server that
responds to a connecting client with new line data that is sufficient to
subvert boundary checks. When the malicious ASX file stream is
interpreted, excessive data contained as an http_proxy value in the ASX
file header may overrun the bounds of a reserved stack-based buffer in
memory and corrupt adjacent memory.
A remote attacker may leverage this condition to corrupt a saved
instruction pointer and thereby influence execution flow of the vulnerable
application into attacker controlled memory. Ultimately an attacker may
execute embedded instructions in the context of the user running MPlayer.
21. Athttpd Remote GET Request Buffer Overrun Vulnerability
BugTraq ID: 8709
Remote: Yes
Date Published: Sep 25 2003
Relevant URL: http://www.securityfocus.com/bid/8709
Summary:
Athttpd is a web server available for the Linux operating system.
A vulnerability has been reported for Athttpd. The problem occurs due to
insufficient bounds checking when handling GET requests. Specifically,
making a GET request including approximately 820 bytes of data will
effectively overrun the bounds of the internal memory buffer used for its
storage.
As a result, an attacker may be capable of corrupting sensitive data such
as a return address, and effectively control the execution flow of the
program. This would ultimately allow for the execution of arbitrary code.
This vulnerability is said to affect atphttpd 0.4b; earlier versions may
also be affected.
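Items 19, 20 and 21 above share one defect: data whose length the remote peer controls is copied into a fixed-size stack buffer before that length is compared with the buffer's size. The following added example illustrates the pattern and its fix; it is written for this newsletter and is not the source of cfengine, MPlayer or Athttpd. It models the cfservd description in item 19 (a message length read from the socket, then that many bytes read into a 4096 byte buffer). The 4-byte big-endian length header, the in-memory fake socket and the function names are assumptions made for the example.

```c
/* Added example: a length-prefixed receive into a fixed stack buffer, shown
 * without and with the bounds check. Illustrative only: not cfengine, MPlayer
 * or Athttpd code. The 4-byte big-endian header and fake socket are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 4096   /* the fixed stack buffer size named in item 19 */

/* Constructed in-memory "socket" so the example runs offline. */
struct fake_sock {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Read up to n bytes from the fake socket; returns how many were available. */
static size_t recv_stream(struct fake_sock *s, unsigned char *out, size_t n)
{
    size_t avail = s->len - s->pos;
    size_t take = n < avail ? n : avail;
    memcpy(out, s->data + s->pos, take);
    s->pos += take;
    return take;
}

/* Read the peer-supplied message length (assumed 4-byte big-endian header). */
static int read_length(struct fake_sock *s, uint32_t *len)
{
    unsigned char hdr[4];
    if (recv_stream(s, hdr, 4) != 4)
        return -1;
    *len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    return 0;
}

/* BEFORE: the peer-supplied length is never compared with the buffer size, so
 * a peer that claims and sends more than BUFSIZE bytes writes past buf.
 * Called below only with well-formed input; shown to mark where the check belongs. */
int receive_unchecked(struct fake_sock *s, unsigned char *buf)
{
    uint32_t len;
    if (read_length(s, &len) < 0)
        return -1;
    return (int)recv_stream(s, buf, len);   /* len may exceed BUFSIZE */
}

/* AFTER: validate the length against the real buffer size before reading the
 * payload, and treat a short read as an error rather than a partial success. */
int receive_checked(struct fake_sock *s, unsigned char *buf, size_t bufsize)
{
    uint32_t len;
    if (read_length(s, &len) < 0)
        return -1;
    if (len > bufsize)                      /* the check that was missing */
        return -1;
    if (recv_stream(s, buf, len) != len)
        return -1;
    return (int)len;
}

/* Build a constructed wire message: a header claiming `claimed` bytes,
 * followed by `actual` bytes of 'A'. Returns the total length written. */
static size_t build_message(unsigned char *out, size_t cap,
                            uint32_t claimed, size_t actual)
{
    if (cap < 4 + actual)
        return 0;
    out[0] = (unsigned char)(claimed >> 24);
    out[1] = (unsigned char)(claimed >> 16);
    out[2] = (unsigned char)(claimed >> 8);
    out[3] = (unsigned char)claimed;
    memset(out + 4, 'A', actual);
    return 4 + actual;
}

/* Run one receive over a constructed message; `checked` selects the variant. */
static int run(uint32_t claimed, size_t actual, int checked)
{
    unsigned char wire[64];
    unsigned char buf[BUFSIZE];
    struct fake_sock s = { wire, build_message(wire, sizeof wire, claimed, actual), 0 };
    return checked ? receive_checked(&s, buf, sizeof buf)
                   : receive_unchecked(&s, buf);
}

int demo_well_formed_checked(void)   { return run(16, 16, 1); }    /* 16 */
int demo_well_formed_unchecked(void) { return run(16, 16, 0); }    /* 16 */
int demo_oversize_rejected(void)     { return run(5000, 16, 1); }  /* -1 */
int demo_truncated_rejected(void)    { return run(32, 16, 1); }    /* -1 */

int main(void)
{
    printf("well-formed: %d, oversize: %d, truncated: %d\n",
           demo_well_formed_checked(), demo_oversize_rejected(),
           demo_truncated_rejected());
    return 0;
}
```

The same comparison applies to the other two entries: the http_proxy header value in item 20 and the GET request in item 21 are likewise peer-controlled data whose length must be bounded by the destination buffer (and the copy must be bounded, not the claim) before it is stored on the stack.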
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. FW: Linux and firewall load balancing (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/338852
2. Linux and firewall load balancing (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/338792
3. Kerberos + OpenLDAP help needed. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/338715
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Sophos Anti-Virus
By: Sophos
Platforms: AIX, DOS, FreeBSD, HP-UX, Linux, MacOS, Netware, OS/2, Solaris,
UNIX, VMS, Windows 3.x, Windows 95/98, Windows NT
Relevant URL: http://www.sophos.com/products/sav/
Summary:
Sophos Anti-Virus is a unique solution to the virus problem, providing
true cross-platform protection in a single, fully integrated product. The
network-centric design provides a host of benefits for the protection of
servers, workstations and portables. Sophos's ground-breaking architecture
maximises protection, while minimising performance and administrative
overheads.
2. F-Secure Policy Manager
By: F-Secure Corporation
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.f-secure.com/products/policy-man/index.shtml
Summary:
With F-Secure Policy Manager, your system administrator can manage all the
critical security applications from antivirus protection to file and
network encryption from one single console. The administrator can
automatically and remotely install, configure and update the applications.
It is possible to manage the security applications on almost any device
and across the enterprise so that even the security of mobile workers'
laptops is guaranteed. In addition to all this, the administrator can
easily monitor the network by generating extensive reports on the security
status of the network.
3. Gordano Messaging Suite
By: Gordano
Platforms: AIX, Linux, Solaris, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.gordano.com/
Summary:
Gordano's Messaging Suite provides robust and secure email, instant and
SMS messaging for small, medium and large businesses.
4. LANDesk Management Suite 7
By: LANDesk Software
Platforms: AIX, HP-UX, Linux, MacOS, Solaris, Windows 2000, Windows 95/98,
Windows NT, Windows XP
Relevant URL: http://www.landesk.com/products/ilms/
Summary:
LANDesk Management Suite 7 is a comprehensive, integrated management
solution that's easy to use. It enables proactive management of desktops,
servers and mobile devices across heterogeneous IT environments.
- Keep up with security patches and virus updates
- Efficiently install and maintain software on the desktop
- Decrease software license costs and respond to audits
- Reduce the cost of helpdesk support
- Discover and manage hardware and software assets
- Migrate many users and their profiles to new operating systems
5. ActiveScout Enterprise
By: ForeScout Technologies
Platforms: Linux, Solaris, Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.forescout.com/enterprise.html
Summary:
ActiveScout Enterprise actively protects a network with multiple access
points. In addition to the identification of attackers and automatic
action to stop them, this solution offers full management capabilities,
from configuration and reporting, to the sharing of threat information
between multiple deployed scouts.
6. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:
Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.
Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams and system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. MasarLabs NoArp v1.2.0
By: Masar
Relevant URL: http://www.masarlabs.com/noarp/
Platforms: Linux, POSIX
Summary:
MasarLabs NoArp is a Linux kernel module that filters and drops unwanted
ARP requests. It is useful when you need to add an alias to the loopback
interface to use a load balancer.
2. OS-SIM v0.5.1
By: Dominique Karg
Relevant URL: http://os-sim.sourceforge.net/
Platforms: Linux, MacOS, POSIX
Summary:
OSSIM aims to unify network monitoring, security, correlation, and
qualification in one single tool. It combines Snort, Acid, HotSaNIC, NTOP,
OpenNMS, nmap, nessus, and rrdtool to provide the user with full control
over every aspect of networking or security.
3. Network Packet Capture Facility for Java v0.01.14
By: patrick charles
Relevant URL: http://jpcap.sourceforge.net
Platforms: Linux, Solaris, SunOS
Summary:
Network Packet Capture Facility for Java is a set of Java classes that
provide an interface and system for network packet capture. A protocol
library and tool for visualizing network traffic is included. It utilizes
libpcap, a widely used system library for packet capture.
4. Arno's IPTABLES Firewall Script v1.8.1RC-1
By: Arno
Relevant URL: http://rocky.molphys.leidenuniv.nl
Platforms: Linux, POSIX
Summary:
Arno's Iptables firewall is a script which was originally derived from
Seven's iptables script. One of the biggest differences is that this
script also has support for ADSL modems. It also features stealth scan
detection, extensive user-definable logging with rate limiting to prevent
log flooding, masquerading and port forwarding (NAT), optimizing the
throughput of your connection, protection against SYN/ICMP flooding, and
much more. It's easy to configure and highly customizable. It includes a
filter script (fwfilter) to make your firewall log more readable.
5. Portable OpenSSH v3.7.1p2
By: Damien Miller <djm (at) mindrot (dot) org>
Relevant URL: http://www.openssh.com/
Platforms: Linux, UNIX
Summary:
This is a Unix/Linux port of OpenBSD's excellent OpenSSH. OpenSSH is a
full implementation of the SSH1 protocol and a 99% implementation of the
SSH 2 protocol, including sftp client and server support.
6. sensorTrends v0.5
By: John Weidley
Relevant URL: http://www.packetshack.org/index.php?page=sensorTrends
Platforms: Linux
Summary:
sensorTrends is a Web-based application that displays a high-level view of
the ports that are being scanned over the course of time. The display is
similar to the look and feel of incidents.org and Dshield.com. There are
also quick links to correlate your data with incidents.org and
Dshield.com. Supported log formats are Cisco router Access Control Lists
(ACLs) syslog output, Cisco PIX firewall syslog output, Snort's
portscan.log files, and NetScreen syslog output.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: Astaro
http://www.securityfocus.com/sponsor/Astaro_linux-secnews_030929
------------------------------------------------------------------------