Linux Security News
SecurityFocus Linux Newsletter #152 Oct 06 2003 07:35PM
Kelly Martin (kel securityfocus com)
SecurityFocus Linux Newsletter #152
------------------------------------

I. FRONT AND CENTER
1. Wireless Policy Development (Part Two)
2. Exploiting Cisco Routers (Part One)
3. Fame, Infame, All the Same
4. Linux vs. Windows Viruses
5. SPECIAL ANNOUNCEMENT
II. LINUX VULNERABILITY SUMMARY
1. marbles Local Home Environment Variable Buffer Overflow Vuln...
2. Webfs HTTP Server Information Disclosure Vulnerability
3. WebFS Long Pathname Buffer Overrun Vulnerability
4. Mah-Jong MJ-Player Server Flag Local Buffer Overflow Vulnera...
5. OpenSSL ASN.1 Parsing Vulnerabilities
6. Silly Poker Local HOME Environment Variable Buffer Overrun V...
7. Invision Power Board Insecure Permissions Vulnerability
8. IBM DB2 Remote LOAD Command Buffer Overrun Vulnerability
9. IBM DB2 Invoke Stored Procedure Buffer Overflow Vulnerabilit...
10. Inter7 VPopMail Configuration File Insecure Default Permissi...
III. LINUX FOCUS LIST SUMMARY
NO NEW POSTS FOR THE WEEK 2003-09-29 to 2003-10-06.
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Sophos Anti-Virus
2. F-Secure Policy Manager
3. Gordano Messaging Suite
4. LANDesk Management Suite 7
5. ActiveScout Enterprise
6. Immunity CANVAS
V. NEW TOOLS FOR LINUX PLATFORMS
1. pmacct v0.5.1
2. Scapy v0.9.15
3. NSA Security-enhanced Linux v2003100110
4. NuFW v0.5.1
5. Sentry Firewall CD-ROM v1.5.0-rc5(dev)
6. IMAPFilter v0.9.4

I. FRONT AND CENTER
-------------------
1. Wireless Policy Development (Part Two)
By Jamil Farshchi

This is the second of a two-part series that will help create a framework
for the most important aspect of any wireless security strategy -- policy
development.

http://www.securityfocus.com/infocus/1735

2. Exploiting Cisco Routers (Part One)
By Mark Wolfgang

This is the first of a three-part series that will focus on identifying
and then exploiting vulnerabilities and poor configurations in Cisco
routers.

http://www.securityfocus.com/infocus/1734

3. Fame, Infame, All the Same
By George Smith

Blowing the lid off the altruistic computer security town-crier angle.

http://www.securityfocus.com/columnists/189

4. Linux vs. Windows Viruses
By Scott Granneman

To mess up a Linux box, you need to work at it; to mess up your Windows
box, you just need to work on it.

http://www.securityfocus.com/columnists/188

5. SPECIAL ANNOUNCEMENT

SecurityFocus is pleased to announce the relaunch of our RSS feeds.

http://www.securityfocus.com/rss/index.shtml

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. marbles Local Home Environment Variable Buffer Overflow Vuln...
BugTraq ID: 8710
Remote: No
Date Published: Sep 26 2003
Relevant URL: http://www.securityfocus.com/bid/8710
Summary:
marbles is a freely available, open source game for the Linux platform.

A problem in the handling of data in the HOME environment variable has
been reported in the marbles program. This may make it possible for a
local attacker to gain elevated privileges.

The problem is in the checking of bounds on data stored in the HOME
environment variable. By placing a string of excessive length in the
environment variable, it is possible to overwrite sensitive process
memory. This could lead to the execution of arbitrary code, and
potentially privilege escalation to groupid games.

2. Webfs HTTP Server Information Disclosure Vulnerability
BugTraq ID: 8724
Remote: Yes
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8724
Summary:
WebFS is a simple web server that serves static content. It is available
for Linux and Unix variant operating environments.

An information disclosure vulnerability has been discovered in Webfs HTTP
server. The problem occurs due to insufficient sanitization of
user-supplied hostnames when accessing virtual hosts. Specifically,
placing dot-dot (..) sequences within a requested hostname can effectively
trigger this issue.

An attacker exploiting this issue may be capable of viewing the contents
of directories and files outside of the established web root. This issue
may only exist if the server has been configured to use virtual hosting.
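A Host-header check of the kind that closes the dot-dot issue above, written here as an added example rather than taken from webfs. It assumes, as the report describes, that a virtual-hosting server maps the Host name to a subdirectory of its document root; the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not webfs code. Accept only DNS-style names: labels of
 * letters, digits and hyphens (at most 63 chars) joined by single dots, plus
 * an optional :port. "..", "/", "\" and empty labels are refused, so the
 * name can safely become a directory component. Returns 1 = ok, 0 = no. */
int vhost_name_ok(const char *host)
{
    size_t label_len = 0, i;
    if (host == NULL || host[0] == '\0')
        return 0;
    for (i = 0; host[i] != '\0'; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == ':') {                 /* optional port: 1-5 digits, then end */
            const char *p = host + i + 1;
            size_t digits = 0;
            if (label_len == 0)
                return 0;               /* "host.:80" or ":80" */
            while (isdigit((unsigned char)*p)) { p++; digits++; }
            return *p == '\0' && digits >= 1 && digits <= 5;
        }
        if (c == '.') {
            if (label_len == 0)
                return 0;               /* leading dot or ".." */
            label_len = 0;
            continue;
        }
        if (isalnum(c) || c == '-') {
            if (++label_len > 63)
                return 0;
            continue;
        }
        return 0;                       /* '/', '\\', '%', space, ... */
    }
    return label_len > 0;               /* reject a trailing dot */
}

/* Build "<root>/<host>" with the host lowercased and any port removed.
 * Returns 0 on success, -1 if the host is rejected or would not fit. */
int vhost_docroot(char *out, size_t outsz, const char *root, const char *host)
{
    char name[256];
    size_t n;
    if (!vhost_name_ok(host))
        return -1;
    for (n = 0; host[n] != '\0' && host[n] != ':'; n++) {
        if (n + 1 >= sizeof name)
            return -1;
        name[n] = (char)tolower((unsigned char)host[n]);
    }
    name[n] = '\0';
    int r = snprintf(out, outsz, "%s/%s", root, name);
    return (r < 0 || (size_t)r >= outsz) ? -1 : 0;
}

/* Constructed demonstration: 1 if "WWW.Example.COM:80" maps as expected. */
int demo_docroot(void)
{
    char path[128];
    if (vhost_docroot(path, sizeof path, "/var/www", "WWW.Example.COM:80") != 0)
        return 0;
    return strcmp(path, "/var/www/www.example.com") == 0;
}
```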

3. WebFS Long Pathname Buffer Overrun Vulnerability
BugTraq ID: 8726
Remote: Yes
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8726
Summary:
WebFS is a simple web server that serves static content. It is available
for Linux and Unix variant operating environments.

It has been discovered that WebFS is prone to a buffer overrun
vulnerability when handling path names of excessive length. As a result,
an attacker may be capable of triggering the condition and overwriting
sensitive memory with malicious data. This could ultimately allow for the
execution of arbitrary code with the privileges of the WebFS HTTP server.

It should be noted that for this condition to occur, an attacker must have
the ability to create directories on the affected system. This may be
accomplished by obtaining legitimate credentials, which allow for such
access, or possibly through the exploitation of another unrelated
vulnerability such as that described in BID 8724.

4. Mah-Jong MJ-Player Server Flag Local Buffer Overflow Vulnera...
BugTraq ID: 8729
Remote: No
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8729
Summary:
Mah-Jong is a freely available, open source implementation of the Mah-Jong
game. It is available for the Linux platform.

A problem in the handling of large requests supplied with certain flags
has been reported in Mah-Jong. Because of this, it may be possible for a
local attacker to gain elevated privileges.

The problem is in the handling of long parameters by mj-player. When
supplying a long parameter with the server flag (--server), a boundary
condition error occurs. This is due to insufficient bounds checking
during a strcpy() operation where the user-supplied server string is
copied into an internal buffer. As this program is typically installed
with privileges, it is possible for a user with local access to a system
with the vulnerable program installed to execute code with elevated
privileges.

This vulnerability may be related to the issues addressed in Debian
Security Advisory DSA 378-1 and described in BID 8557. If this is the
case, this BID will be updated accordingly.

5. OpenSSL ASN.1 Parsing Vulnerabilities
BugTraq ID: 8732
Remote: Yes
Date Published: Sep 30 2003
Relevant URL: http://www.securityfocus.com/bid/8732
Summary:
Multiple vulnerabilities were reported in the ASN.1 parsing code in
OpenSSL. OpenSSL does not directly implement ASN.1 but does use ASN.1
objects in X.509 certificates and various other cryptographic elements.
The following issues were reported:

Two flaws in the ASN.1 parser could lead to denial of service attacks.

The first bug may be exploited to cause an out of bounds read operation to
occur, most likely resulting in a denial of service. This can be
triggered by a malformed or unusual ASN.1 tag value. The second of the
described bugs occurs if an application is configured to ignore public key
decode errors (specifically the
X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY error). This is reportedly
not a common configuration in production setups but some applications may
ignore decode errors for debugging reasons. As a result, the impact and
exposure will vary depending on the targeted application and some
applications may be more vulnerable to attacks than others. Remote
attackers can exploit this issue with a maliciously crafted SSL client
certificate. CAN-2003-0543 and CAN-2003-0544 correspond to these two
denial of service issues. The issues are reported to exist in SSLeay and
OpenSSL versions prior to 0.9.7c or 0.9.6k.

Another vulnerability related to ASN.1 parsing was reported in OpenSSL
0.9.7. ASN.1 encodings that are rejected by the parser due to being
invalid may potentially trigger a memory management error. In particular,
a double free may result due to an ASN.1 structure (ASN1_TYPE) being
deallocated incorrectly. This reportedly could be leveraged to corrupt
stack memory. In this manner, sensitive stack variables such as
instruction pointers could be overwritten with attacker-supplied values.
The issue could be exploited by remote attackers via a maliciously crafted
SSL client certificate. This issue has been assigned CVE name
CAN-2003-0545.

An additional weakness was reported that may aid in exploitation of these
issues. In some circumstances, a client may force a server to parse a
client certificate when one has not been specifically requested. This
could even occur with server implementations that don't enable client
authentication.

Any applications which use the OpenSSL ASN.1 library to handle external
data may present an attack vector for these vulnerabilities.

These issues are pending further analysis and will be separated into
individual BIDs when analysis is complete.

6. Silly Poker Local HOME Environment Variable Buffer Overrun V...
BugTraq ID: 8736
Remote: No
Date Published: Sep 30 2003
Relevant URL: http://www.securityfocus.com/bid/8736
Summary:
Silly Poker is a simple poker card game developed for the Linux operating
system. It has been reported that on the Debian Linux distribution, the
sillypoker binary is installed setgid games by default.

*** It should be noted that new details released suggest that the
sillypoker binary is in fact not installed setgid games on Debian systems.
As such, the impact of this issue may be greatly limited.

A local buffer overrun vulnerability has been reported for Silly Poker.
The problem occurs due to insufficient bounds checking when handling
user-supplied data. As a result, an attacker may be capable of controlling
the execution flow of the sillypoker program and effectively executing
arbitrary code with elevated privileges.

Exploiting this condition may allow an attacker to gain group 'games'
privileges which could be used to modify sensitive information or could be
used to leverage attacks against other previously inaccessible utilities.
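The marbles, Silly Poker and mj-player reports above share one pattern: a string chosen by the invoking user (HOME, or a --server argument) is copied with strcpy() into a fixed buffer inside a binary installed setgid games. The hardened form below is an added example, not code from any of those programs; the function names are my own, and it assumes a 256-byte path buffer like the ones such games typically use.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not code from marbles, sillypoker or mj-player.
 * Part 1: every copy into a fixed buffer is length-checked and fails
 * closed. Returns 0 on success, -1 on rejection or if the result would
 * not fit in out[outsz]. */
int join_path(char *out, size_t outsz, const char *dir, const char *file)
{
    int n;
    if (out == NULL || dir == NULL || dir[0] != '/' || file == NULL)
        return -1;                  /* only absolute directories */
    n = snprintf(out, outsz, "%s/%s", dir, file);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Part 2: a setgid or setuid program should not trust HOME at all, since
 * the caller sets it. When running with extra privileges, resolve the real
 * user's home from the password database instead. */
const char *trusted_home(void)
{
    if (getuid() != geteuid() || getgid() != getegid()) {
        struct passwd *pw = getpwuid(getuid());
        return pw ? pw->pw_dir : NULL;
    }
    return getenv("HOME");
}

/* Constructed demonstration: a 300-byte HOME of the kind the reports
 * describe is refused instead of being copied into a 256-byte buffer.
 * Returns 1 when join_path rejects it. */
int demo_overlong_home(void)
{
    char home[301];
    char path[256];
    memset(home, 'A', sizeof home - 1);
    home[0] = '/';
    home[sizeof home - 1] = '\0';
    return join_path(path, sizeof path, home, ".marbles-scores") == -1;
}

/* Constructed demonstration: an ordinary HOME yields the expected path.
 * Returns 1 on success. */
int demo_normal_home(void)
{
    char path[256];
    if (join_path(path, sizeof path, "/home/player", ".marbles-scores") != 0)
        return 0;
    return strcmp(path, "/home/player/.marbles-scores") == 0;
}
```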

7. Invision Power Board Insecure Permissions Vulnerability
BugTraq ID: 8737
Remote: No
Date Published: Sep 30 2003
Relevant URL: http://www.securityfocus.com/bid/8737
Summary:
Invision Power Board is web forum software. It is implemented in PHP and
is available for Unix and Linux variants and Microsoft Windows operating
systems.

Invision Power Board has been reported prone to a configuration issue that
could allow attackers with local interactive access to modify Invision
Power Board '.php' source files. The issue has been reported to present
itself because Invision Power Board does not correctly set permissions on
folders during the installation process. Specifically, all folders are
created with group write permissions. Any local user who is a member of
the same group as Invision Power Board may make modifications to Invision
Power Board source files.

A local attacker may exploit this condition to execute arbitrary code with
the privileges of the web server.

It should be noted that although this vulnerability has been reported to
affect Invision Power Board versions 1.1.1 and 1.1.2, other versions might
also be affected.

8. IBM DB2 Remote LOAD Command Buffer Overrun Vulnerability
BugTraq ID: 8742
Remote: Yes
Date Published: Oct 01 2003
Relevant URL: http://www.securityfocus.com/bid/8742
Summary:
IBM DB2 is a commercial relational database implementation that is
available for a number of operating systems including Microsoft Windows
and Unix/Linux variants.

IBM DB2 includes the LOAD command, which allows for data located in files,
pipes or devices to be stored within a database table. It has been
discovered that the application fails to carry out sufficient bounds
checking when handling the LOAD command.

An attacker with 'Connect' privileges could exploit this vulnerability
remotely, likely by passing excessive data as an argument to the LOAD
command. This would allow for sensitive stack variables adjacent to the
affected memory buffer to be overrun. An attacker could leverage this
memory corruption to influence the execution flow of IBM DB2, possibly
redirecting execution into a malicious payload.

All code executed in this manner will be run with the privileges of the
IBM DB2 process. This is typically the 'Administrators' group on Microsoft
Windows environments and either the 'db2as' or 'db2inst1' users on Linux
systems.

It should be noted that IBM has confirmed that the affected code is shared
amongst IBM DB2 v7 and v8, making both vulnerable to this condition.

9. IBM DB2 Invoke Stored Procedure Buffer Overflow Vulnerabilit...
BugTraq ID: 8743
Remote: Yes
Date Published: Oct 01 2003
Relevant URL: http://www.securityfocus.com/bid/8743
Summary:
DB2 is the database implementation maintained and distributed by IBM. It
is available for the UNIX, Linux, and Microsoft Windows platforms.

A problem in IBM DB2 has been reported when specific queries are passed to
the INVOKE stored procedure. Because of this, an attacker may be able to
gain unauthorized access to system resources.

The problem is in the checking of bounds on the INVOKE stored procedure.
By passing a maliciously crafted string to the procedure, it is possible
to overwrite sensitive regions of stack memory. An attacker could take
advantage of this issue to execute code at an arbitrary location in memory
with the privileges of the database process.

This problem has been reported to occur in version 7.2 for Microsoft
Windows only.

10. Inter7 VPopMail Configuration File Insecure Default Permissi...
BugTraq ID: 8751
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8751
Summary:
vpopmail is a freely available, open source virtual domain handling
software package. It is available for the Unix and Linux operating
systems.

A problem has been identified in the default configuration of vpopmail.
Because of this, an attacker may be able to gain access to potentially
sensitive information.

The problem is in the creation of the configuration file. When vpopmail
is compiled with MySQL support, authentication data is stored in the
/etc/vpopmail.conf file. This file is created with world-readable
permissions, which may reveal sensitive information such as authentication
credentials for the database. An attacker could use these credentials to
potentially gain access to the database as the vpopmail database user.

This problem has been reported on Gentoo Linux, but may affect other
operating systems.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
NO NEW POSTS FOR THE WEEK 2003-09-29 to 2003-10-06.

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Sophos Anti-Virus
By: Sophos
Platforms: AIX, DOS, FreeBSD, HP-UX, Linux, MacOS, Netware, OS/2, Solaris,
UNIX, VMS, Windows 3.x, Windows 95/98, Windows NT
Relevant URL: http://www.sophos.com/products/sav/
Summary:

Sophos Anti-Virus is a unique solution to the virus problem, providing
true cross-platform protection in a single, fully integrated product. The
network-centric design provides a host of benefits for the protection of
servers, workstations and portables. Sophos's ground-breaking architecture
maximises protection, while minimising performance and administrative
overheads.

2. F-Secure Policy Manager
By: F-Secure Corporation
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.f-secure.com/products/policy-man/index.shtml
Summary:

With F-Secure Policy Manager, your system administrator can manage all the
critical security applications from antivirus protection to file and
network encryption from one single console. The administrator can
automatically and remotely install, configure and update the applications.
It is possible to manage the security applications on almost any device
and across the enterprise so that even the security of mobile workers'
laptops is guaranteed. In addition to all this, the administrator can
easily monitor the network by generating extensive reports on the security
status of the network.

3. Gordano Messaging Suite
By: Gordano
Platforms: AIX, Linux, Solaris, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.gordano.com/
Summary:

Gordano's Messaging Suite provides robust and secure email, instant and
SMS messaging for small, medium and large businesses.

4. LANDesk Management Suite 7
By: LANDesk Software
Platforms: AIX, HP-UX, Linux, MacOS, Solaris, Windows 2000, Windows 95/98,
Windows NT, Windows XP
Relevant URL: http://www.landesk.com/products/ilms/
Summary:

LANDesk Management Suite 7 is a comprehensive, integrated management
solution that's easy to use, enabling proactive management of desktops,
servers and mobile devices across heterogeneous IT environments.
- Keep up with security patches and virus updates
- Efficiently install and maintain software on the desktop
- Decrease software license costs and respond to audits
- Reduce the cost of helpdesk support
- Discover and manage hardware and software assets
- Migrate many users and their profiles to new operating systems

5. ActiveScout Enterprise
By: ForeScout Technologies
Platforms: Linux, Solaris, Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.forescout.com/enterprise.html
Summary:

ActiveScout Enterprise actively protects a network with multiple access
points. In addition to the identification of attackers and automatic
action to stop them, this solution offers full management capabilities,
from configuration and reporting, to the sharing of threat information
between multiple deployed scouts.

6. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. pmacct v0.5.1
By: Paolo Lucente
Relevant URL: http://www.ba.cnr.it/~paolo/pmacct/
Platforms: Linux, OpenBSD
Summary:

pmacct is a network tool to gather IP traffic information (source address,
bytes counter, and number of packets). Data is stored in an in-memory
table whose content could be retrieved by a client program via a local
stream-oriented connection. Gathering packets off the wire is done using
the pcap library and one or more network interfaces in promiscuous mode.

2. Scapy v0.9.15
By: Philippe Biondi
Relevant URL: http://www.cartel-securite.fr/pbiondi/scapy.html
Platforms: Linux, POSIX
Summary:

Scapy is a powerful interactive packet manipulation tool, packet
generator, network scanner, network discovery tool, and packet sniffer. It
provides classes to interactively create packets or sets of packets,
manipulate them, send them over the wire, sniff other packets from the
wire, match answers and replies, and more. Interaction is provided by the
Python interpreter, so Python programming structures can be used (such as
variables, loops, and functions). Report modules are possible and easy to
make. It is intended to do about the same things as ttlscan, nmap, hping,
queso, p0f, xprobe, arping, arp-sk/arpspoof, firewalk, irpas, tethereal,
and tcpdump.

3. NSA Security-enhanced Linux v2003100110
By: National Security Agency
Relevant URL: http://www.nsa.gov/selinux/
Platforms: Linux
Summary:

NSA Security-enhanced Linux is a set of patches to the Linux kernel and
some utilities to incorporate a strong, flexible mandatory access control
architecture into the major subsystems of the kernel. It provides a
mechanism to enforce the separation of information based on
confidentiality and integrity requirements, which allows threats of
tampering and bypassing of application security mechanisms to be addressed
and enables the confinement of damage that can be caused by malicious or
flawed applications. It includes a set of sample security policy
configuration files designed to meet common, general-purpose security
goals.

4. NuFW v0.5.1
By: regit
Relevant URL: http://www.nufw.org
Platforms: Linux, POSIX
Summary:

NuFW is a set of daemons providing filtering of packets at the user level.
On the client side, users have to run a client that sends authentication
packets to the gateway. On the server side, the gateway associates userids
with packets, which makes it possible to filter packets on a per-user
basis. Furthermore, the server is designed to use an external
authentication source such as an LDAP server.

5. Sentry Firewall CD-ROM v1.5.0-rc5(dev)
By: Obsid
Relevant URL: http://www.SentryFirewall.com/
Platforms: Linux
Summary:

Sentry Firewall CD-ROM Version 1.0 is a Linux based bootable CD-ROM
suitable for use as an inexpensive and easy to maintain Firewall or
IDS(Intrusion Detection System) Node. The system is designed to be
immediately configurable for a variety of different operating environments
via a configuration file located on a floppy disk or a local hard drive.

6. IMAPFilter v0.9.4
By: Lefteris Chatzibarbas
Relevant URL: http://imapfilter.hellug.gr/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX
Summary:

IMAPFilter connects to remote IMAP mail servers and processes messages
according to defined filters (rules). It is intended to be executed before
a user accesses his/her mailboxes.

Copyright 2010, SecurityFocus