SecurityFocus Linux Newsletter #162 Dec 15 2003 05:40PM
John Boletta (jboletta securityfocus com)

SecurityFocus Linux Newsletter #162
------------------------------------

This Issue is Sponsored by: SPIDynamics

Test for the Top Web Application Vulnerabilities - FREE Product Trial

Hackers are exploiting web apps with attacks such as SQL Injection,
XSS and Session Hijacking, all undetectable by Firewalls and IDS!
Are you vulnerable? Run a FREE Test of your Web Apps via our FREE 15
Day Product Trial that delivers a comprehensive Vulnerability Report.
http://www.securityfocus.com/sponsor/SPIDynamics_linux-secnews_031215
------------------------------------------------------------------------

I. FRONT AND CENTER
1. Worm Propagation In Protected Networks
2. RETRO-FOCUS
3. IP Spoofing: An Introduction
II. LINUX VULNERABILITY SUMMARY
1. Cdwrite Insecure Temporary File Vulnerability
2. Abyss Web Server Authentication Bypass Vulnerability
3. MyServer HTTP File Name Request Handler Remote Denial Of Ser...
4. HSFTP Username Command Line Argument Buffer Overrun Vulnerab...
5. HSFTP Hostname Command Line Argument Buffer Overrun Vulnerab...
6. CVS Malformed Request System Root File Creation Vulnerabilit...
7. Multiple Vendor XML Parser SOAP Server Denial Of Service Vul...
8. IRSSI Remote Denial of Service Vulnerability
9. Mozilla Browser URI MouseOver Obfuscation Weakness
10. Multiple Vendor XML DTD Parameter Entity SOAP Server Denial ...
III. LINUX FOCUS LIST SUMMARY
1. Static ARP table in Linux (Thread)
2. Firewall Inquiry (Thread)
3. Re[2]: Firewall Inquiry (Thread)
4. Password Questions (Thread)
5. Firewall continued (Thread)
6. tripwire (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Immunity CANVAS
2. SecretAgent
3. Cyber-Ark Inter-Business Vault
4. EnCase Forensic Edition
5. KeyGhost SX
6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
1. Cryptonit v0.9.1
2. floppyfw v2.9.5
3. Hsftp v1.13
4. Capability Override LSM v0.9.1
5. Wolverine Firewall and VPN Server v1.2beta6
6. Enforcer v0.3alpha
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Worm Propagation In Protected Networks
By SecurityFocus

Many documents explore worm propagation methods across the global
Internet. In contrast, this analysis focuses on the impact of three
prominent worms (Blaster, Slammer, and Code Red I/II) inside protected
networks, once the security perimeter has been breached.

http://www.securityfocus.com/infocus/1752

2. RETRO-FOCUS

Due to an increase in interest, SecurityFocus has decided to bring back
past Infocus articles still relevant to the security industry. These
articles will be featured at the bottom of the homepage, in the middle
column.

3. IP Spoofing: An Introduction
By Matthew Tanase
Published March 11, 2003

IP spoofing allows an attacker to gain unauthorized access to a computer
or a network by making it appear that a malicious message has come from a
trusted machine by "spoofing" the IP address of that machine. In this
article, we will examine the concepts of IP spoofing: why it is possible,
how it works, what it is used for and how to defend against it.

http://www.securityfocus.com/infocus/1674

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Cdwrite Insecure Temporary File Vulnerability
BugTraq ID: 9165
Remote: No
Date Published: Dec 06 2003
Relevant URL: http://www.securityfocus.com/bid/9165
Summary:
Cdwrite is a CD writing application for Unix/Linux variants.

Cdwrite creates files in the temporary directory in an insecure manner.
As a result, a local attacker may launch symlink attacks that could cause
system files to be corrupted. In particular, the program creates
'/tmp/.tempfile' when it is run. An attacker could take advantage of this
by creating a symbolic link in the same location as where the temporary
file will be created. When the program is run, any operations that are
intended to be performed on the temporary file will instead be performed
on the file pointed to by the symbolic link (provided the file is
writeable by the user invoking Cdwrite).

This will most likely result in a denial of service or loss of data. This
type of vulnerability could also result in privilege escalation if the
attacker can influence what is written during the symbolic link attack.
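
As an added illustration (not part of the advisory or of cdwrite's own code), the following Python contrasts the fixed-name open pattern the advisory describes with two hardened forms: O_CREAT|O_EXCL|O_NOFOLLOW on the same fixed name, and mkstemp(). The directory layout, the 'victim' file and the symlink are constructed for the demonstration.

```python
import errno
import os
import tempfile

# The predictable name the advisory mentions (used only in the constructed demo).
PREDICTABLE_NAME = ".tempfile"


def unsafe_open(path):
    """Pattern the advisory describes: a fixed name opened with O_CREAT but
    without O_EXCL/O_NOFOLLOW, so a pre-existing symlink is followed and the
    write lands in whatever file the link points to."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def safe_open_fixed(path):
    """Hardened open of the same fixed name: O_EXCL fails if anything already
    exists there (a symlink included) and O_NOFOLLOW refuses to traverse one.
    Raises OSError; callers must treat that as an error, not retry unsafely."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def safe_tempfile(directory):
    """Preferred fix: mkstemp() picks an unpredictable name and creates it
    atomically with O_CREAT|O_EXCL and mode 0600."""
    return tempfile.mkstemp(prefix=".cdwrite-", dir=directory)


def demo(directory=None):
    """Constructed scenario: 'victim' stands in for a system file that must
    not be clobbered, and a symlink with the predictable name points at it.
    Returns (unsafe_clobbered_victim, hardened_open_refused, mkstemp_ok)."""
    if directory is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    victim = os.path.join(directory, "victim")
    with open(victim, "w") as f:
        f.write("original contents\n")
    link = os.path.join(directory, PREDICTABLE_NAME)
    os.symlink(victim, link)

    # 1. Insecure pattern: the write goes through the link into 'victim'.
    fd = unsafe_open(link)
    os.write(fd, b"garbage\n")
    os.close(fd)
    with open(victim) as f:
        unsafe_clobbered = f.read() == "garbage\n"

    # 2. Hardened fixed-name open: refused (EEXIST, or ELOOP), nothing written.
    refused = False
    try:
        os.close(safe_open_fixed(link))
    except OSError as e:
        refused = e.errno in (errno.EEXIST, errno.ELOOP)

    # 3. mkstemp(): a fresh regular file with a private mode, never the link.
    fd, path = safe_tempfile(directory)
    os.close(fd)
    mode = os.lstat(path).st_mode & 0o777
    mkstemp_ok = (not os.path.islink(path)
                  and os.path.basename(path) != PREDICTABLE_NAME
                  and mode == 0o600)
    return unsafe_clobbered, refused, mkstemp_ok


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```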

2. Abyss Web Server Authentication Bypass Vulnerability
BugTraq ID: 9171
Remote: Yes
Date Published: Dec 08 2003
Relevant URL: http://www.securityfocus.com/bid/9171
Summary:
Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to bypass authentication in order to access the
resources. It has been reported that this issue only presents itself if
the server is installed on a Linux system running FAT32. An attacker may
access the password protected directory under which the server is running
by adding a period as '.' or '%2e' at the end of a URL request. It has
also been reported that adding a space ' ' or colon ':' to a URL may have
the same effect; however, it may also just cause a 404 server error.

Successful exploitation of this issue may allow an attacker to bypass
authentication and gain access to server resources in order to launch
further attacks.

Abyss Web Server versions prior to 1.2 have been reported prone to this
issue.

3. MyServer HTTP File Name Request Handler Remote Denial Of Ser...
BugTraq ID: 9172
Remote: Yes
Date Published: Dec 08 2003
Relevant URL: http://www.securityfocus.com/bid/9172
Summary:
MyServer is an application and web server for Microsoft Windows and Linux
operating systems.

MyServer has been reported prone to a remotely triggered denial of service
vulnerability. The issue presents itself when a remote attacker requests a
file that contains spaces in its name. This activity will cause an
exception in the affected server, effectively denying service to
legitimate users.

An attacker may exploit this vulnerability to deny service to legitimate
users.

4. HSFTP Username Command Line Argument Buffer Overrun Vulnerab...
BugTraq ID: 9174
Remote: No
Date Published: Dec 07 2003
Relevant URL: http://www.securityfocus.com/bid/9174
Summary:
hsftp is an FTP emulation program that is available for Unix/Linux
variants.

hsftp is prone to a locally exploitable buffer overrun vulnerability due
to insufficient bounds checking of username arguments supplied as command
line input. By supplying an overly long argument as a username argument
when invoking the program, it will be possible to corrupt adjacent regions
of memory with superfluous user-supplied data. In this manner, it may be
possible to corrupt sensitive variables in memory and control execution
flow, resulting in execution of arbitrary code.

If hsftp is installed setuid root and not configured to drop privileges,
this could be exploited to execute arbitrary code with elevated
privileges.

5. HSFTP Hostname Command Line Argument Buffer Overrun Vulnerab...
BugTraq ID: 9175
Remote: No
Date Published: Dec 07 2003
Relevant URL: http://www.securityfocus.com/bid/9175
Summary:
hsftp is an FTP emulation program that is available for Unix/Linux
variants.

hsftp is prone to a locally exploitable buffer overrun vulnerability due
to insufficient bounds checking of hostname arguments supplied as command
line input. By supplying an overly long argument as a host argument when
invoking the program, it will be possible to corrupt adjacent regions of
memory with superfluous user-supplied data. In this manner, it may be
possible to corrupt sensitive variables in memory and control execution
flow, resulting in execution of arbitrary code.

If hsftp is installed setuid root and not configured to drop privileges,
this could be exploited to execute arbitrary code with elevated
privileges.

6. CVS Malformed Request System Root File Creation Vulnerabilit...
BugTraq ID: 9178
Remote: Yes
Date Published: Dec 09 2003
Relevant URL: http://www.securityfocus.com/bid/9178
Summary:
CVS is the Concurrent Versions System, which is a freely available
open-source version management package. It is available for the Unix and
Linux operating systems.

A vulnerability has been discovered in the handling of some types of
requests by CVS. Because of this, it may be possible for an attacker to
create files in the root directory of a system hosting the vulnerable
server.

The problem involves the handling of malformed requests by modules. An
attacker supplying a maliciously crafted request to the server could,
depending upon the permissions of the CVS server, create files and/or
directories in the system root directory. However, this problem is
limited by the write permissions of the root directory, and the privileges
with which the CVS server executes.

7. Multiple Vendor XML Parser SOAP Server Denial Of Service Vul...
BugTraq ID: 9185
Remote: Yes
Date Published: Dec 09 2003
Relevant URL: http://www.securityfocus.com/bid/9185
Summary:
SOAP is the Simple Object Access Protocol, which is implemented in
numerous web service software packages by various vendors. SOAP servers
are available for the Unix, Linux, and Microsoft Windows platforms.

A problem has been identified in several different SOAP servers when
handling certain types of requests. Because of this, it is possible for
an attacker to force a denial of service on systems using a vulnerable
implementation.

The problem is in the handling of specially crafted SOAP requests. By
making a SOAP request with maliciously crafted XML data, it is possible to
cause the SOAP server to consume excessive amounts of system resources.
This issue can be used to make the server unavailable while it handles the
requests, and could be continuously used to create a prolonged denial of
web services.

8. IRSSI Remote Denial of Service Vulnerability
BugTraq ID: 9201
Remote: Yes
Date Published: Dec 11 2003
Relevant URL: http://www.securityfocus.com/bid/9201
Summary:
irssi is a freely available, open source IRC client. irssi is available
for the Linux and Unix operating systems.

A remote denial of service vulnerability has been discovered in IRSSI that
could allow a person to crash an IRSSI client process. The problem occurs
due to an erroneously formatted call to an internal function that could
allow a malicious user to trigger an unexpected condition.

Specifically, the problematic code occurs within the format_send_to_gui()
function in the src/fe-common/core/formats.c source file. The
aforementioned function calls signal_emit_id() erroneously, supplying it
an unintended string, causing the following argument to be interpreted in
an unexpected context.

A user who is running an IRSSI client which is either running on a system
architecture that enforces word alignment or that is implementing a script
which makes use of the "print gui text" signal, may be prone to denial of
service attacks.

The issue can likely be triggered by a malicious user printing some form
of content which will trigger a specific signal handler or that will cause
memory to be misaligned.

9. Mozilla Browser URI MouseOver Obfuscation Weakness
BugTraq ID: 9203
Remote: Yes
Date Published: Dec 11 2003
Relevant URL: http://www.securityfocus.com/bid/9203
Summary:
It has been discovered that the Mozilla browser is prone to a URI
obfuscation weakness that may hide the true contents of a link. The
problem occurs when a user@location URI is formatted in such a way that a
NULL byte is located after the user value. It is said that, when such a
URI is moused over, only the contents of the user value are displayed,
not the entire link.

This could be used in conjunction with other URI obfuscation attacks and
browser vulnerabilities to trick a user into following a malicious link.

An attacker could exploit this issue by supplying a malicious URI pointing
to a page designed to mimic that of a trusted site. If an unsuspecting
victim were to mouseover the link in an attempt to verify the authenticity
of where it references, they may be deceived into believing that the
trusted site will be accessed. This could potentially cause a false
sense of security for the victim.

This weakness allegedly affects Mozilla 1.5 for Linux, however due to the
nature of the bug it is likely that other versions, and possibly other
browsers, are also affected.

It should be noted that this method of attack is identical to that
described in 9182, however it appears that various browsers may exhibit
differing behavior depending on the supplied URI.
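
As an added example (not part of the advisory or of Mozilla's code), the Python below reproduces the display weakness with a constructed user@location link and shows what a link checker or mail gateway should derive instead: the host that will actually be contacted, plus flags for the two obfuscation signs. The sample href uses an RFC 5737 documentation address in place of an attacker's server.

```python
from urllib.parse import urlsplit

# Constructed link of the shape the advisory describes: a well-known name
# before a NUL byte, the real host after '@' (203.0.113.5 is a documentation
# address standing in for the attacker's server).
SAMPLE_HREF = "http://www.example.com\x00@203.0.113.5/login"


def naive_status_text(href):
    """Reproduces the weakness: C-string handling stops at the first NUL, so
    the status bar shows only the 'user' part of user@location."""
    return href.split("\x00", 1)[0]


def link_target_summary(href):
    """Defender's view of the same link: drop control characters, take the
    authority that will really be contacted, and flag the two obfuscation
    signs (control bytes in the URI, and userinfo placing a look-alike name
    before '@').  Returns (true_host, flags)."""
    flags = []
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in href):
        flags.append("control-char")
    cleaned = "".join(c for c in href if ord(c) >= 0x20 and ord(c) != 0x7f)
    parts = urlsplit(cleaned)
    if parts.username is not None:
        flags.append("userinfo")
    return parts.hostname or "", flags
```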

10. Multiple Vendor XML DTD Parameter Entity SOAP Server Denial ...
BugTraq ID: 9204
Remote: Yes
Date Published: Dec 11 2003
Relevant URL: http://www.securityfocus.com/bid/9204
Summary:
SOAP is the Simple Object Access Protocol, which is implemented in
numerous web service software packages by various vendors. SOAP servers
are available for the Unix, Linux, and Microsoft Windows platforms.

XML DTD (Document Type Definition) defines how XML markup tags should be
interpreted by the application handling the XML document.

A problem has been identified in several different SOAP servers when
handling certain types of SOAP requests. Because of this, it is possible
for an attacker to force a denial of service on systems using a vulnerable
implementation.

The problem is in the handling of SOAP requests that contain references to
DTD parameter entities. By making a SOAP request with maliciously crafted
DTD data, it is possible to cause the SOAP server to consume excessive
amounts of system resources. This issue can be used to make the server
unavailable while it handles the requests, and could be continuously used
to create a prolonged denial of web services.
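
One front-end check that covers both SOAP items above (7 and 10), as an added example that is not code from any of the affected products: SOAP 1.1 (section 3) forbids a Document Type Declaration in a message, so a request carrying any DOCTYPE, and with it any parameter or general entity declaration, can be refused before the real SOAP stack ever expands it. The size cap, the expat-based screen and the two sample messages are constructed.

```python
import xml.parsers.expat

MAX_BODY_BYTES = 1 << 20          # constructed cap; real SOAP calls are small


class RejectedRequest(Exception):
    """Raised for anything the front-end screen refuses to pass on."""


def check_soap_request(body):
    """Screen a request before the real SOAP stack parses it.  Any DOCTYPE,
    entity declaration or external entity reference aborts the parse at
    the point it is seen, so no entity is ever expanded.  Returns the root
    element name on success."""
    if len(body) > MAX_BODY_BYTES:
        raise RejectedRequest("body too large")

    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedRequest("DOCTYPE is not allowed in a SOAP message")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise RejectedRequest("entity declarations are not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise RejectedRequest("external entity references are not allowed")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedRequest("malformed XML: %s" % exc)
    if not root or root[0].rsplit(":", 1)[-1] != "Envelope":
        raise RejectedRequest("root element is not a SOAP Envelope")
    return root[0]


def is_accepted(body):
    """Boolean wrapper for use in a request filter."""
    try:
        check_soap_request(body)
        return True
    except RejectedRequest:
        return False


# Constructed samples, not taken from any real product or advisory.
BENIGN = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote><symbol>ABC</symbol></GetQuote></soap:Body>
</soap:Envelope>"""

# A request carrying an internal DTD with a parameter entity declaration; it
# is refused as soon as the DOCTYPE is seen, whatever the subset contains.
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [ <!ENTITY % p "x"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body/>
</soap:Envelope>"""
```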

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Static ARP table in Linux (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/347479

2. Firewall Inquiry (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/346855

3. Re[2]: Firewall Inquiry (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/346854

4. Password Questions (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/346853

5. Firewall continued (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/346851

6. tripwire (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/346771

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility, supporting
cross-platform interoperability over a wide range of platforms: Windows,
Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, regardless
of the size of your organization.

Using the latest recognized standards in encryption and digital signature
technology, SecretAgent ensures the confidentiality, integrity, and
authenticity of your data.

3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features for
computer forensics and investigations. With an intuitive GUI and superior
performance, EnCase Version 4 provides investigators with the tools to
conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields completely
non-invasive computer forensic investigations while allowing examiners to
easily manage large volumes of computer evidence and view all relevant
files, including "deleted" files, file slack and unallocated space.

The integrated functionality of EnCase allows the examiner to perform all
functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data
in its own internal memory (not on the hard drive), it is impossible for
a network intruder to gain access to any sensitive data stored within the
device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Cryptonit v0.9.1
By: IDEALX <idx-pki@idealx.org>
Relevant URL: http://cryptonit.org/
Platforms: Linux, MacOS, Windows 2000, Windows NT, Windows XP
Summary:

Cryptonit is a client side cryptographic tool which allows you to
encrypt/decrypt and sign/verify files with PKI (Public Key Infrastructure)
certificates.

2. floppyfw v2.9.5
By: Thomas Lundquist, thomasez@zelow.no
Relevant URL: http://www.zelow.no/floppyfw/
Platforms: Linux
Summary:

floppyfw is a router and simple firewall on one single floppy. It uses
Linux's basic firewall capabilities and has a very simple packaging
system. It is perfect for masquerading and securing networks on ADSL and
cable lines using both static IP and DHCP. Installation is simple: in
most cases only one file on the floppy needs to be edited.

3. Hsftp v1.13
By: Rainer Wichmann
Relevant URL: http://la-samhna.de/hsftp/index.html
Platforms: Linux, UNIX
Summary:

hsftp is an ftp emulator that provides the look-and-feel of an ftp
session, but uses ssh to transport commands and data. hsftp executes UNIX
commands on the remote host, and thus will fail on non-Unix remote hosts.
If hsftp is not set SUID root, and you have supplied a
password/passphrase, it might get paged out to your swap partition during
prolonged inactivity. For security, hsftp can be compiled to drop SUID
root privileges irrevocably on startup, immediately after locking the
memory for the password.

For RSA authentication, you can avoid having hsftp cache the passphrase
by using ssh-agent. In this case, you can use hsftp securely
without setting it SUID root. hsftp has been developed on Linux. It is
known to compile on a variety of other UNIX flavours (at least FreeBSD,
Solaris, AIX, and HP-UX), but may not work on all. Fixes for portability
are welcome for inclusion.

4. Capability Override LSM v0.9.1
By: Jack Lloyd <lloyd@randombit.net>
Relevant URL: http://www.randombit.net/projects/cap_over/
Platforms: Linux
Summary:

The Capability Override LSM is a Linux kernel module which, when
installed, gives processes running with certain (admin-configured) user or
group IDs access to one or more POSIX.1e capabilities.

5. Wolverine Firewall and VPN Server v1.2beta6
By: Joshua Jackson
Relevant URL: http://www.coyotelinux.com
Platforms: Linux, POSIX
Summary:

Wolverine is a firewall and VPN server that is based on the Embedded
Coyote Linux distribution of Linux. This product is intended as an
alternative to commercial devices such as the Cisco PIX, the FireBox, etc.
Wolverine features a hardened Linux 2.4-based stateful firewall along with
IPSEC and PPTP VPN services. As it is intended to be an embedded solution,
the overall installation size is roughly 8Mb.

6. Enforcer v0.3alpha
By: omen
Relevant URL: http://enforcer.sf.net/
Platforms: Linux, POSIX
Summary:

Enforcer is a Linux security module designed to help improve integrity of
a computer running Linux. The Enforcer provides a subset of Tripwire-like
functionality. It runs continuously and as each protected file is opened
its SHA1 is calculated and compared to a previously stored value. The
Enforcer is designed to integrate with TCPA hardware to provide a secure
boot when booted with a TCPA enabled boot loader. TCPA hardware can
protect secrets and other sensitive data (for example, the secrets for an
encrypted loopback file system) and bind those secrets to specific
software.

VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
linux-secnews-unsubscribe@securityfocus.com from the subscribed address.
The contents of the subject or message body do not matter. You will
receive a confirmation request message to which you will have to answer.
Alternatively you can also visit http://www.securityfocus.com/newsletters
and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and
ask to be manually removed.

VII. SPONSOR INFORMATION
-----------------------