SecurityFocus Linux Newsletter #161
------------------------------------
This Issue Sponsored by: RSA Conference 2004
Network with over 10,000 of the brightest minds in information security at
the largest, most highly-anticipated industry event of the year. Don't
miss RSA Conference 2004! Choose from over 200 class sessions and see
demos from more than 250 industry vendors. If your job touches security,
you need to be here. Learn more or register at:
http://www.securityfocus.com/sponsor/RSA_linux-secnews_031117 and use
priority code SF4.
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Debian's Response
2. Simulating and optimising worm propagation algorithms (PDF)
3. The Rise of the Spammers
II. LINUX VULNERABILITY SUMMARY
1. SuSE XScreenSaver Package Multiple Vulnerabilities
2. Apache mod_python Module Malformed Query Denial of Service V...
3. IlohaMail User Parameter Cross-Site Scripting Vulnerability
4. Surfboard Web Server File Disclosure Vulnerability
5. MoinMoin Unspecified Cross-Site Scripting Vulnerability
6. Linux Kernel do_brk Function Boundary Condition Vulnerabilit...
7. IBM Directory Server Web Administration Interface Cross-Site...
8. Linux Kernel Concurrent Threaded Function Calls Local Denial...
9. RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerabi...
10. Linux Kernel 2.4 RTC Handling Routines Memory Disclosure Vul...
III. LINUX FOCUS LIST SUMMARY
1. Password Questions (Thread)
2. FW: tripwire (Thread)
3. tripwire (Thread)
4. anti-ptrace (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Immunity CANVAS
2. SecretAgent
3. Cyber-Ark Inter-Business Vault
4. EnCase Forensic Edition
5. KeyGhost SX
6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
1. ThePacketMaster v1.1.0
2. CommNav Systems Navigator v4.2
3. Firewall Builder v1.1.1
4. DansGuardian v2.7.6-3(unstable)
5. MailStripper Pro v1.1.2
6. ClarkConnect Internet Gateway v2.1
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Debian's Response
By Scott Granneman
Debian's response to the recent compromise of four debian.org machines was
quick, open and honest, and they also engaged other Linux vendors.
Companies and organizations, as well as other OS vendors, should take
note.
http://www.securityfocus.com/columnists/202
2. Simulating and optimising worm propagation algorithms (PDF)
by Tom Vogt
This paper describes a series of simulations run to estimate various worm
growth patterns and their corresponding propagation algorithms. It also
tests and verifies the impact of various improvements. Starting from a
trivial simulation of worm propagation and the underlying network
infrastructure and moving to more refined models, it attempts to determine
the theoretical maximum propagation speed of worms and how it can be
achieved. It also estimates the impact a malicious worm could have on the
overall infrastructure.
http://www.securityfocus.com/data/library/WormPropagation.pdf
3. The Rise of the Spammers
by David Barroso Berrueta
Spammers are becoming more intelligent and more difficult to detect, which
is a strange issue, just because in my opinion, an intelligent person is
smart enough not to bother millions of people. So why do these people
keep on helping unethical companies and individuals that send out
unsolicited e-mails? The reason should be simple and common these days:
money.
http://www.securityfocus.com/guest/24043
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. SuSE XScreenSaver Package Multiple Vulnerabilities
BugTraq ID: 9125
Remote: No
Date Published: Nov 28 2003
Relevant URL: http://www.securityfocus.com/bid/9125
Summary:
The xscreensaver program waits until the keyboard and mouse have been idle
for a configurable duration of time and then outputs graphics to the
screen. xscreensaver can be configured to lock the screen and will prompt
for authentication credentials to unlock the screen and peripherals.
SuSE have reported that xscreensaver packages shipped with SuSE Linux 9.0
are prone to multiple vulnerabilities. These issues include a crash when
xscreensaver is handling the verification of authentication credentials;
although unconfirmed, it has been conjectured that this crash is likely due
to a memory corruption condition. SuSE has also reported that xscreensaver
is prone to several insecure temporary file creation vulnerabilities. An
attacker may exploit these issues to potentially elevate system
privileges.
SuSE fixes are pending for these issues and it is likely that more
technical information will be made available with the release of an
official advisory. This BID will be updated appropriately at that time.
2. Apache mod_python Module Malformed Query Denial of Service V...
BugTraq ID: 9129
Remote: Yes
Date Published: Nov 29 2003
Relevant URL: http://www.securityfocus.com/bid/9129
Summary:
Apache's mod_python is a module which allows the web server to interpret
Python scripts. mod_python supports Apache 1.3.x and 2.x, and is available
for Windows, Linux and most Unix systems.
Apache has reported that some versions of mod_python may be prone to
denial of service attacks when handling malformed queries. The details
regarding this vulnerability are currently unknown; however, the vendor has
stated that a remote user may be capable of crashing a vulnerable Apache
server.
This issue has been addressed in the 3.0.4 and 2.7.9 releases of the
module.
When further information regarding the technical details of this issue is
made available, this BID will be updated accordingly.
3. IlohaMail User Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 9131
Remote: Yes
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9131
Summary:
IlohaMail is a freely available, open source web e-mail package. It is
available for the Unix and Linux platforms.
A problem in the handling of user-supplied parameters has been identified
in IlohaMail. Because of this, it may be possible for an attacker to
execute malicious script code in the browser of target victims.
The problem is in the filtering of user-supplied input in the user
parameter. An attacker could create a URI containing HTML or script in
this parameter that, when visited by the target victim, would result in
the execution of code in the security context of the site hosting the
vulnerable IlohaMail implementation.
4. Surfboard Web Server File Disclosure Vulnerability
BugTraq ID: 9132
Remote: Yes
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9132
Summary:
Surfboard is a freely available web server implementation for Unix/Linux
variants.
Surfboard is reported to be prone to directory traversal attacks. By
submitting directory traversal sequences in a web request, it is possible
to break out of the server root directory and browse the file system. A
remote attacker may exploit this vulnerability to gain access to sensitive
server-readable files on the system hosting the software.
Successful exploitation could allow an attacker to gain access to
sensitive information that may be useful when launching further attacks
against a system hosting the vulnerable software.
5. MoinMoin Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 9135
Remote: Yes
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9135
Summary:
MoinMoin is a Wiki-type program written in Python. It is available for
the Unix and Linux platforms, and is freely-available and open source.
Problems have been identified in the handling of some types of input by
MoinMoin. Because of this, an attacker may be able to execute code in the
browser of target victims.
Specific details concerning the issue are not available. Like any
cross-site scripting attack, this issue is conjectured to require the
click of a malicious link by a target victim, which in turn executes
script code in the security context of the site hosting the vulnerable
software. This Bugtraq ID will be updated if more information is made
available.
6. Linux Kernel do_brk Function Boundary Condition Vulnerabilit...
BugTraq ID: 9138
Remote: No
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9138
Summary:
do_brk() is a function called indirectly by a number of kernel procedures,
including the brk() system call and the ELF and a.out loading mechanisms.
The do_brk() function is used to shrink and expand anonymous
(uninitialized) heap memory for a given process.
On Linux systems, each process is granted limited access to a specific
range of virtual memory, ranging from 0 to that defined by the TASK_SIZE
variable. This range is further subdivided into logical sections; these
sections may also be referred to as virtual memory areas. Memory outside
of this range is deemed inaccessible to userland and is used to store the
kernel code and its various data structures; this region of memory is
protected with page protection mechanisms.
A flaw has been discovered in the do_brk() function when handling
user-supplied addresses. By passing a specially formatted address, it may
be possible to gain access to an anonymous map of memory exceeding the
TASK_SIZE limit and extending into a region of protected memory used by
the kernel. As a result, an attacker may be capable of ultimately reading
or writing to almost arbitrary kernel memory, allowing for reliable
attacks against vulnerable systems. It has been reported that it is also
possible to reliably exploit this issue on systems running memory
protection mechanisms such as grsecurity.
It should be noted that the impact of this type of vulnerability is
magnified by the fact that it can be coupled with less severe remote
vulnerabilities to allow for effective remote root exploits, including
chroot() breaking and other facilities.
This issue was addressed in releases 2.4.23-pre7 and 2.6.0-test6 of the
Linux kernel. All prior versions are believed to be vulnerable.
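The boundary condition in the do_brk summary above, as an added example: a
userland model written for illustration, not kernel source. The function
names, the 4 KiB page size and the 0xC0000000 TASK_SIZE (32-bit x86 with the
default 3G/1G split) are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model values: 32-bit x86, 4 KiB pages, default 3G/1G split. */
#define MODEL_PAGE_SIZE 0x1000u
#define MODEL_TASK_SIZE 0xC0000000u
#define MODEL_EINVAL    22

/* Round a length up to a whole number of pages (32-bit arithmetic). */
static uint32_t model_page_align(uint32_t len)
{
    return (len + (MODEL_PAGE_SIZE - 1u)) & ~(MODEL_PAGE_SIZE - 1u);
}

/* True when [addr, end) leaves the range userland is allowed to map. */
int range_leaves_userland(uint32_t addr, uint32_t end)
{
    return end < addr || end > MODEL_TASK_SIZE;
}

/* "Before": the end of the new anonymous mapping is computed but never
 * compared with TASK_SIZE, so every addr/len pair is accepted. */
int model_brk_unchecked(uint32_t addr, uint32_t len, uint32_t *end)
{
    *end = addr + model_page_align(len);
    return 0;
}

/* "After": reject a range that wraps around or ends above TASK_SIZE. */
int model_brk_checked(uint32_t addr, uint32_t len, uint32_t *end)
{
    uint32_t aligned = model_page_align(len);
    uint32_t stop = addr + aligned;

    if (aligned < len)                       /* page rounding itself wrapped */
        return -MODEL_EINVAL;
    if (range_leaves_userland(addr, stop))   /* crosses into kernel range */
        return -MODEL_EINVAL;
    *end = stop;
    return 0;
}

int main(void)
{
    /* Constructed sample requests: {start address, length}. */
    static const uint32_t cases[][2] = {
        { 0x08050000u, 0x00002000u },  /* ordinary heap growth */
        { 0xBFFFF000u, 0x00001000u },  /* ends exactly at TASK_SIZE */
        { 0xBFFFF000u, 0x00002000u },  /* ends one page above TASK_SIZE */
        { 0xFFFFF000u, 0x00002000u },  /* addr + len wraps past 2^32 */
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t e1 = 0, e2 = 0;
        int r1 = model_brk_unchecked(cases[i][0], cases[i][1], &e1);
        int r2 = model_brk_checked(cases[i][0], cases[i][1], &e2);

        printf("addr=%08lx len=%08lx unchecked: rc=%d end=%08lx%s checked: rc=%d\n",
               (unsigned long)cases[i][0], (unsigned long)cases[i][1],
               r1, (unsigned long)e1,
               range_leaves_userland(cases[i][0], e1) ? " (outside userland)" : "",
               r2);
    }
    return 0;
}
```

The request that ends exactly at TASK_SIZE is still accepted; only ranges
that end above it, or whose end wraps below the start, are refused.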
7. IBM Directory Server Web Administration Interface Cross-Site...
BugTraq ID: 9140
Remote: Yes
Date Published: Dec 02 2003
Relevant URL: http://www.securityfocus.com/bid/9140
Summary:
IBM Directory Server is an LDAP server that is available for numerous
platforms including HP-UX, Microsoft Windows and Linux.
IBM Directory Server is prone to cross-site scripting attacks. It is
possible to embed hostile HTML and script code in a malicious link to the
server, which when followed will be rendered in the victim user's browser.
This vulnerability is known to exist in the web administrative interface
(ldacgi.exe), which does not sanitize HTML and script code that is
supplied via the 'Action' URI parameter. Exploitation would occur in the
context of the server.
This could permit theft of administrative cookie-based authentication
credentials or other attacks. Exploitation could potentially compromise
the LDAP server.
This issue was reported in Directory Server 4.1. Other versions may also
be affected.
8. Linux Kernel Concurrent Threaded Function Calls Local Denial...
BugTraq ID: 9148
Remote: No
Date Published: Dec 02 2003
Relevant URL: http://www.securityfocus.com/bid/9148
Summary:
A local denial of service vulnerability has been discovered in the Linux
kernel. The problem is said to occur due to an incorrect error return if a
fork() operation was carried out concurrently with a threaded exit() call.
Although unconfirmed, it is likely that the erroneous error value returned
might cause the kernel to believe that no error actually occurred and
subsequently carry out some operation that would cause it to panic.
Successful exploitation of this issue could result in a malicious
unprivileged userland application crashing a vulnerable system,
effectively denying service to all other users.
The precise technical details regarding this issue are currently unknown;
however, this BID will be updated as further analysis is carried out on
the problem.
The affected version information regarding this issue has not yet been
confirmed. Please see the Solutions information for further details.
9. RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerabi...
BugTraq ID: 9153
Remote: Yes
Date Published: Dec 04 2003
Relevant URL: http://www.securityfocus.com/bid/9153
Summary:
The rsync program is used to synchronize files and directory structures
across a network. It is commonly used to maintain mirrors of ftp sites,
often through anonymous access to the rsync server. It is available for
Linux and other Unix operating systems.
rsync has been reported prone to an undisclosed heap overflow
vulnerability when running in daemon mode. The issue has been reported to
be remotely exploitable and to allow execution of arbitrary
code. It has been reported that exploitation of this issue is made easier
if the "use chroot = no" option is set in the rsyncd.conf configuration
file.
There have been reports that this issue is being exploited in conjunction
with the Linux Kernel do_brk function boundary condition vulnerability
described in BID 9138. Customers are advised to apply fixes that address
the issue described in BID 9138.
This BID will be updated as further information regarding this
vulnerability is disclosed.
This vulnerability has been reported to affect rsync version 2.5.6 and
earlier versions.
10. Linux Kernel 2.4 RTC Handling Routines Memory Disclosure Vul...
BugTraq ID: 9154
Remote: No
Date Published: Dec 04 2003
Relevant URL: http://www.securityfocus.com/bid/9154
Summary:
The Linux kernel 2.4 tree has been reported prone to a memory disclosure
vulnerability. The issue is reported to present itself in kernel real time
clock interface procedures, and may result in kernel memory stack data
being leaked into userland when the RTC is read. It is likely that this
data will be random.
An attacker may exploit this condition to disclose potentially sensitive
data such as credentials that may aid in further attacks against the
affected system.
Few details regarding this vulnerability are currently known. This BID
will be updated as further details are disclosed.
It should be noted that although this vulnerability has been reported to
affect the 2.4 kernel tree, other versions might also be affected.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Password Questions (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/346589
2. FW: tripwire (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/346470
3. tripwire (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/346205
4. anti-ptrace (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/346202
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:
Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.
Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.
2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:
SecretAgent is a file encryption and digital signature utility, supporting
cross-platform interoperability over a wide range of platforms: Windows,
Linux, Mac OS X, and UNIX systems.
It's the perfect solution for your data security requirements, regardless
of the size of your organization.
Using the latest recognized standards in encryption and digital signature
technology, SecretAgent ensures the confidentiality, integrity, and
authenticity of your data.
3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:
Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.
4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features for
computer forensics and investigations. With an intuitive GUI and superior
performance, EnCase Version 4 provides investigators with the tools to
conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields completely
non-invasive computer forensic investigations while allowing examiners to
easily manage large volumes of computer evidence and view all relevant
files, including "deleted" files, file slack and unallocated space.
The integrated functionality of EnCase allows the examiner to perform all
functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data
in its own internal memory (not on the hard drive), it is impossible for
a network intruder to gain access to any sensitive data stored within the
device.
6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. ThePacketMaster v1.1.0
By: thepacketmaster
Relevant URL: http://www.thepacketmaster.com/
Platforms: Linux
Summary:
ThePacketMaster Linux Security Server is a CD-based security auditing tool
that boots and runs penetration testing and forensic analysis tools. It is
handy for security auditors. Some tools included are nessus, ethereal, The
Coroner's Toolkit, chntpw, and minicom. It includes modules for any Linux
2.4.20 SCSI driver.
2. CommNav Systems Navigator v4.2
Based on CommNav's Navigator portal architecture, Systems Navigator lets
you administer your entire network via a secure Web interface. It helps
protect your infrastructure with a set of monitoring and metric trending
tools including Big Brother, Orca, Nessus, Integrit, and Larrd. The portal
utilizes LDAP to store site-specific preferences for SysNav components.
These preferences are templated and then used by SysNav's middle layer to
generate Cfengine and component configuration files.
3. Firewall Builder v1.1.1
Firewall Builder consists of a GUI and set of policy compilers for various
firewall platforms. It helps users maintain a database of objects and
allows policy editing using simple drag-and-drop operations. The GUI and
policy compilers are completely independent, and support for a new
firewall platform can be added to the GUI without any changes to the
program (only a new policy compiler is needed). This provides for a
consistent abstract model and the same GUI for different firewall
platforms. It currently supports iptables, ipfilter, and OpenBSD pf.
4. DansGuardian v2.7.6-3(unstable)
By: Daniel Barron
Relevant URL: http://dansguardian.org/
Platforms: Linux
Summary:
DansGuardian is a Web content filtering proxy that uses Squid to do all
the fetching. It filters using multiple methods including, but not limited
to, phrase matching, file extension matching, MIME type matching, PICS
filtering, and URL/domain blocking. It has the ability to switch off
filtering by certain criteria including username, domain name, source IP,
etc. The configurable logging produces a log in an easy to read format. It
has the option to only log text-based pages, thus significantly reducing
redundant information (such as every image on a page).
5. MailStripper Pro v1.1.2
By: Michael McConnell
Relevant URL: http://www.eridani.co.uk/MailStripper/
Platforms: Linux, Os Independent, POSIX
Summary:
MailStripper Pro is a mail scanner that aims to remove spam and viruses
from incoming mail using the F-Prot anti-virus. It is written in Tcl and
was designed to be MTA-independent.
6. ClarkConnect Internet Gateway v2.1
By: Peter Baldwin
Relevant URL: http://www.clarkconnect.org/download/
Platforms: Linux
Summary:
ClarkConnect is a software package that transforms an old beat up PC into
a smart, simple, and secure Internet gateway and server for your home or
small office network. In addition to connection sharing, the software
comes with a strong firewall, Apache, dynamic DNS utilities, and Samba
filesharing. The software is based on Red Hat Linux.
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
linux-secnews-unsubscribe (at) securityfocus (dot) com from the subscribed address.
The contents of the subject or message body do not matter. You will
receive a confirmation request message to which you will have to answer.
Alternatively you can also visit http://www.securityfocus.com/newsletters
and unsubscribe via the website.
If your email address has changed, email listadmin (at) securityfocus (dot) com and
ask to be manually removed.
VII. SPONSOR INFORMATION
-----------------------
This Issue Sponsored by: RSA Conference 2004
Network with over 10,000 of the brightest minds in information security at
the largest, most highly-anticipated industry event of the year. Don't
miss RSA Conference 2004! Choose from over 200 class sessions and see
demos from more than 250 industry vendors. If your job touches security,
you need to be here. Learn more or register at:
http://www.securityfocus.com/sponsor/RSA_linux-secnews_031117 and use
priority code SF4.
------------------------------------------------------------------------
SecurityFocus Linux Newsletter #161
------------------------------------
This Issue Sponsored by: RSA Conference 2004
Network with over 10,000 of the brightest minds in information security at
the largest, most highly-anticipated industry event of the year. Don't
miss RSA Conference 2004! Choose from over 200 class sessions and see
demos from more than 250 industry vendors. If your job touches security,
you need to be here. Learn more or register at:
http://www.securityfocus.com/sponsor/RSA_linux-secnews_031117 and use
priority code SF4.
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Debian's Response
2. Simulating and optimising worm propagation algorithms (PDF)
3. The Rise of the Spammers
II. LINUX VULNERABILITY SUMMARY
1. SuSE XScreenSaver Package Multiple Vulnerabilities
2. Apache mod_python Module Malformed Query Denial of Service V...
3. IlohaMail User Parameter Cross-Site Scripting Vulnerability
4. Surfboard Web Server File Disclosure Vulnerability
5. MoinMoin Unspecified Cross-Site Scripting Vulnerability
6. Linux Kernel do_brk Function Boundary Condition Vulnerabilit...
7. IBM Directory Server Web Administration Interface Cross-Site...
8. Linux Kernel Concurrent Threaded Function Calls Local Denial...
9. RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerabi...
10. Linux Kernel 2.4 RTC Handling Routines Memory Disclosure Vul...
III. LINUX FOCUS LIST SUMMARY
1. Password Questions (Thread)
2. FW: tripwire (Thread)
3. tripwire (Thread)
4. anti-ptrace (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Immunity CANVAS
2. SecretAgent
3. Cyber-Ark Inter-Business Vault
4. EnCase Forensic Edition
5. KeyGhost SX
6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
1. ThePacketMaster v1.1.0
2. CommNav Systems Navigator v4.2
3. Firewall Builder v1.1.1
4. DansGuardian v2.7.6-3(unstable)
5. MailStripper Pro v1.1.2
6. ClarkConnect Internet Gateway v2.1
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Debian's Response
By Scott Granneman
Debian's response to the recent compromise of four debian.org machines was
quick, open and honest, and they also engaged other Linux vendors.
Companies and organizations, as well as other OS vendors, should take
note.
http://www.securityfocus.com/columnists/202
2.Simulating and optimising worm propagation algorithms (PDF)
by Tom Vogt
This paper describes a series of simulations run to estimate various worm
growth patterns and their corresponding propagation algorithms. It also
tests and verifies the impact of various improvements, starting from a
trivial simulation of worm propagation and the underlying network
infrastructure to more re ned models, it attempts to determine the
theoretical maximum propagation speed of worms and how it can be achieved.
It also estimates the impact a malicious worm could have on the overall
infrastructure.
http://www.securityfocus.com/data/library/WormPropagation.pdf
3.The Rise of the Spammers
by David Barroso Berrueta
Spammers are becoming more intelligent and more difficult to detect, which
is a strange issue, just because in my opinion, an intelligent person is
smart enough for not bothering millions of people. So, why these people
keep on helping unethical companies and individuals that send out
unsolicited e-mails? The reason should be simple and common these days:
money.
http://www.securityfocus.com/guest/24043
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. SuSE XScreenSaver Package Multiple Vulnerabilities
BugTraq ID: 9125
Remote: No
Date Published: Nov 28 2003
Relevant URL: http://www.securityfocus.com/bid/9125
Summary:
The xscreensaver program waits until the keyboard and mouse have been idle
for a configurable duration of time and then outputs graphics to the
screen. xscreensaver can be configured to lock the screen and will prompt
for authentication credentials to unlock the screen and peripherals.
SuSE have reported that xscreensaver packages shipped with SuSE Linux 9.0
are prone to multiple vulnerabilities. These issues include a crash when
xscreensaver is handling the verification of authentication credentials,
although unconfirmed it has been conjectured that this crash is likely due
to a memory corruption condition. SuSE has also reported that xscreensaver
is prone to several insecure temporary file creation vulnerabilities, an
attacker may exploit these issues to potentially elevate system
privileges.
SuSE fixes are pending for these issues and it is likely that more
technical information will be made available with the release of an
official advisory. This BID will be updated appropriately at that time.
2. Apache mod_python Module Malformed Query Denial of Service V...
BugTraq ID: 9129
Remote: Yes
Date Published: Nov 29 2003
Relevant URL: http://www.securityfocus.com/bid/9129
Summary:
Apache's mod_python is a module which allows the web server to interpret
Python scripts. mod_python supports Apache 1.3.x and 2.x, and is available
for Windows, Linux and most Unix systems.
Apache has reported that some versions of mod_python may be prone to
denial of service attacks when handling malformed queries. The details
regarding this vulnerability are currently unknown, however the vendor has
stated that a remote user may be capable of crashing a vulnerable Apache
server.
This issue has been addressed in the 3.0.4 and 2.7.9 releases of the
module.
When further information regarding the technical details of this issue are
made available, this BID will be updated accordingly.
3. IlohaMail User Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 9131
Remote: Yes
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9131
Summary:
IlohaMail is a freely available, open source web e-mail package. It is
available for the Unix and Linux platforms.
A problem in the handling of user-supplied parameters has been identified
in IlohaMail. Because of this, it may be possible for an attacker to
execute malicious script code in the browser of target victims.
The problem is in the filtering of user-supplied input in the user
parameter. An attacker could create a URI containing HTML or script in
this parameter that, when visited by the target victim, would result in
the execution of code in the security context of the site hosting the
vulnerable IlohaMail implementation.
4. Surfboard Web Server File Disclosure Vulnerability
BugTraq ID: 9132
Remote: Yes
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9132
Summary:
Surfboard is a freely available web server implementation for Unix/Linux
variants.
Surfboard is reported to be prone to directory traversal attacks. By
submitting directory traversal sequences in a web request, it is possible
to break out of the server root directory and browse the file system. A
remote attacker may exploit this vulnerability to gain access to sensitive
server-readable files on the system hosting the software.
Successful exploitation could allow an attacker to gain access to
sensitive information that may be useful when launching further attacks
against a system hosting the vulnerable software.
5. MoinMoin Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 9135
Remote: Yes
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9135
Summary:
MoinMoin is a Wiki-type program written in Python. It is available for
the Unix and Linux platforms, and is freely-available and open source.
Problems have been identified in the handling of some types of input by
MoinMoin. Because of this, an attacker may be able to execute code in the
browser of target victims.
Specific details concerning the issue are not available. Like any
cross-site scripting attack, this issue is conjectured to require the
click of a malicious link by a target victim, which in turn executes
script code in the security context of the site hosting the vulnerable
software. This Bugtraq ID will be updated if more information is made
available.
6. Linux Kernel do_brk Function Boundary Condition Vulnerabilit...
BugTraq ID: 9138
Remote: No
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9138
Summary:
do_brk() is a function called indirectly by a number of kernel procedures,
including the brk() system call and the ELF and a.out loading mechanisms.
The do_brk() function is used to shrink and expand anonymous
(uninitialized) heap memory for a given process.
On Linux systems, each process is granted limited access to a specific
range of virtual memory, ranging from 0 to that defined by the TASK_SIZE
variable. This range is further subdivided into logical sections; these
sections may also be referred to as virtual memory areas. Memory outside
of this range is deemed inaccessible to userland and is used to store the
kernel code and its various data structures; this region of memory is
protected with page protection mechanisms.
A flaw has been discovered in the do_brk() function when handling
user-supplied addresses. By passing a specially formatted address, it may
be possible to gain access to an anonymous map of memory exceeding the
TASK_SIZE limit and extending into a region of protected memory used by
the kernel. As a result, an attacker may be capable of ultimately reading
or writing to almost arbitrary kernel memory, allowing for reliable
attacks against vulnerable systems. It has been reported that it is also
possible to reliably exploit this issue on systems running memory
protection mechanisms such as grsecurity.
It should be noted that the impact of this type of vulnerability is
amplified by the fact that it can be coupled with less severe remote
vulnerabilities to allow for effective remote root exploits, including
chroot() breaking and other facilities.
This issue was addressed in releases 2.4.23-pre7 and 2.6.0-test6 of the
Linux kernel. All prior versions are believed to be vulnerable.
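The boundary condition described above, modelled in user space as an added
example (not the kernel's source): a requested range must be rejected when
it ends above the user limit or when the address arithmetic wraps. The
names brk_range_check, MODEL_TASK_SIZE and MODEL_PAGE_SIZE are
hypothetical, and a 32-bit layout with a 3 GiB user limit and 4 KiB pages
is assumed.

```c
#include <errno.h>
#include <stdint.h>

#define MODEL_PAGE_SIZE 0x1000u      /* assumed 4 KiB pages */
#define MODEL_TASK_SIZE 0xC0000000u  /* assumed 3 GiB user/kernel split */

/* Round a length up to a whole number of pages. The arithmetic is
 * 32-bit, so a length near 2^32 wraps to a small value. */
static uint32_t page_align(uint32_t len)
{
    return (len + MODEL_PAGE_SIZE - 1) & ~(MODEL_PAGE_SIZE - 1);
}

/* Returns 0 if [addr, addr + len) lies entirely in user space,
 * -EINVAL otherwise. */
int brk_range_check(uint32_t addr, uint32_t len)
{
    uint32_t aligned = page_align(len);
    uint32_t end;

    if (aligned < len)           /* rounding up wrapped around */
        return -EINVAL;
    if (aligned == 0)            /* nothing to map */
        return 0;

    end = addr + aligned;
    if (end < addr)              /* addr + len wrapped past 2^32 */
        return -EINVAL;
    if (end > MODEL_TASK_SIZE)   /* range reaches into kernel space */
        return -EINVAL;
    return 0;
}
```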
7. IBM Directory Server Web Administration Interface Cross-Site...
BugTraq ID: 9140
Remote: Yes
Date Published: Dec 02 2003
Relevant URL: http://www.securityfocus.com/bid/9140
Summary:
IBM Directory Server is an LDAP server that is available for numerous
platforms including HP-UX, Microsoft Windows and Linux.
IBM Directory Server is prone to cross-site scripting attacks. It is
possible to embed hostile HTML and script code in a malicious link to the
server, which when followed will be rendered in the victim user's browser.
This vulnerability is known to exist in the web administrative interface
(ldacgi.exe), which does not sanitize HTML and script code that is
supplied via the 'Action' URI parameter. Exploitation would occur in the
context of the server.
This could permit theft of administrative cookie-based authentication
credentials or other attacks. Exploitation could potentially compromise
the LDAP server.
This issue was reported in Directory Server 4.1. Other versions may also
be affected.
8. Linux Kernel Concurrent Threaded Function Calls Local Denial...
BugTraq ID: 9148
Remote: No
Date Published: Dec 02 2003
Relevant URL: http://www.securityfocus.com/bid/9148
Summary:
A local denial of service vulnerability has been discovered in the Linux
kernel. The problem is said to occur due to an incorrect error return if a
fork() operation was carried out concurrently with a threaded exit() call.
Although unconfirmed, it is likely that the erroneous error value returned
might cause the kernel to believe that no error actually occurred and
subsequently carry out some operation that would cause it to panic.
Successful exploitation of this issue could result in a malicious
unprivileged userland application crashing a vulnerable system,
effectively denying service to all other users.
The precise technical details regarding this issue are currently unknown;
however, this BID will be updated as further analysis is carried out on
the problem.
The affected version information regarding this issue has not yet been
confirmed. Please see the Solutions information for further details.
9. RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerabi...
BugTraq ID: 9153
Remote: Yes
Date Published: Dec 04 2003
Relevant URL: http://www.securityfocus.com/bid/9153
Summary:
The rsync program is used to synchronize files and directory structures
across a network. It is commonly used to maintain mirrors of ftp sites,
often through anonymous access to the rsync server. It is available for
Linux and other Unix operating systems.
rsync has been reported prone to an undisclosed heap overflow
vulnerability when running in daemon mode. The issue has been reported to
be remotely exploitable and to allow execution of arbitrary code. It has
been reported that exploitation of this issue is made easier
if the "use chroot = no" option is set in the rsyncd.conf configuration
file.
There have been reports that this issue is being exploited in conjunction
with the Linux Kernel do_brk function boundary condition vulnerability
described in BID 9138. Customers are advised to apply fixes that address
the issue described in BID 9138.
This BID will be updated as further information regarding this
vulnerability is disclosed.
This vulnerability has been reported to affect rsync version 2.5.6 and
earlier versions.
10. Linux Kernel 2.4 RTC Handling Routines Memory Disclosure Vul...
BugTraq ID: 9154
Remote: No
Date Published: Dec 04 2003
Relevant URL: http://www.securityfocus.com/bid/9154
Summary:
The Linux kernel 2.4 tree has been reported prone to a memory disclosure
vulnerability. The issue is reported to present itself in kernel real time
clock interface procedures, and may result in kernel memory stack data
being leaked into userland when the RTC is read. It is likely that this
data will be random.
An attacker may exploit this condition to disclose potentially sensitive
data such as credentials that may aid in further attacks against the
affected system.
Few details regarding this vulnerability are currently known. This BID
will be updated as further details are disclosed.
It should be noted that although this vulnerability has been reported to
affect the 2.4 kernel tree, other versions might also be affected.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Password Questions (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/346589
2. FW: tripwire (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/346470
3. tripwire (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/346205
4. anti-ptrace (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/346202
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:
Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.
Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.
2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:
SecretAgent is a file encryption and digital signature utility, supporting
cross-platform interoperability over a wide range of platforms: Windows,
Linux, Mac OS X, and UNIX systems.
It's the perfect solution for your data security requirements, regardless
of the size of your organization.
Using the latest recognized standards in encryption and digital signature
technology, SecretAgent ensures the confidentiality, integrity, and
authenticity of your data.
3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:
Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.
4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features for
computer forensics and investigations. With an intuitive GUI and superior
performance, EnCase Version 4 provides investigators with the tools to
conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields completely
non-invasive computer forensic investigations while allowing examiners to
easily manage large volumes of computer evidence and view all relevant
files, including "deleted" files, file slack and unallocated space.
The integrated functionality of EnCase allows the examiner to perform all
functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data
in its own internal memory (not on the hard drive), it is impossible for
a network intruder to gain access to any sensitive data stored within the
device.
6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. ThePacketMaster v1.1.0
By: thepacketmaster
Relevant URL: http://www.thepacketmaster.com/
Platforms: Linux
Summary:
ThePacketMaster Linux Security Server is a CD-based security auditing tool
that boots and runs penetration testing and forensic analysis tools. It is
handy for security auditors. Some tools included are nessus, ethereal, The
Coroner's Toolkit, chntpw, and minicom. It includes modules for any Linux
2.4.20 SCSI driver.
2. CommNav Systems Navigator v4.2
By: CommNav Inc <info (at) commnav (dot) com>
Relevant URL: http://www.commnav.com/products/systems_navigator.php
Platforms: IRIX, Linux, Solaris, SunOS
Summary:
Based on CommNav's Navigator portal architecture, Systems Navigator lets
you administer your entire network via a secure Web interface. It helps
protect your infrastructure with a set of monitoring and metric trending
tools including Big Brother, Orca, Nessus, Integrit, and Larrd. The portal
utilizes LDAP to store site-specific preferences for SysNav components.
These preferences are templated and then used by SysNav's middle layer to
generate Cfengine and component configuration files.
3. Firewall Builder v1.1.1
By: Vadim Kurland
Relevant URL: http://www.fwbuilder.org/
Platforms: FreeBSD, Linux, Solaris
Summary:
Firewall Builder consists of a GUI and set of policy compilers for various
firewall platforms. It helps users maintain a database of objects and
allows policy editing using simple drag-and-drop operations. The GUI and
policy compilers are completely independent, and support for a new
firewall platform can be added to the GUI without any changes to the
program (only a new policy compiler is needed). This provides for a
consistent abstract model and the same GUI for different firewall
platforms. It currently supports iptables, ipfilter, and OpenBSD pf.
4. DansGuardian v2.7.6-3(unstable)
By: Daniel Barron
Relevant URL: http://dansguardian.org/
Platforms: Linux
Summary:
DansGuardian is a Web content filtering proxy that uses Squid to do all
the fetching. It filters using multiple methods including, but not limited
to, phrase matching, file extension matching, MIME type matching, PICS
filtering, and URL/domain blocking. It has the ability to switch off
filtering by certain criteria including username, domain name, source IP,
etc. The configurable logging produces a log in an easy to read format. It
has the option to only log text-based pages, thus significantly reducing
redundant information (such as every image on a page).
5. MailStripper Pro v1.1.2
By: Michael McConnell
Relevant URL: http://www.eridani.co.uk/MailStripper/
Platforms: Linux, Os Independent, POSIX
Summary:
MailStripper Pro is a mail scanner that aims to remove spam and viruses
from incoming mail using the F-Prot anti-virus. It is written in Tcl and
was designed to be MTA-independent.
6. ClarkConnect Internet Gateway v2.1
By: Peter Baldwin
Relevant URL: http://www.clarkconnect.org/download/
Platforms: Linux
Summary:
ClarkConnect is a software package that transforms an old beat up PC into
a smart, simple, and secure Internet gateway and server for your home or
small office network. In addition to connection sharing, the software
comes with a strong firewall, Apache, dynamic DNS utilities, and Samba
filesharing. The software is based on Red Hat Linux.
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
linux-secnews-unsubscribe (at) securityfocus (dot) com from the subscribed address.
The contents of the subject or message body do not matter. You will
receive a confirmation request message to which you will have to answer.
Alternatively you can also visit http://www.securityfocus.com/newsletters
and unsubscribe via the website.
If your email address has changed email listadmin (at) securityfocus (dot) com and
ask to be manually removed.