Linux Security News
SecurityFocus Linux Newsletter #172 Feb 24 2004 06:06PM
John Boletta (jboletta securityfocus com)

SecurityFocus Linux Newsletter #172
------------------------------------

I. FRONT AND CENTER
1. Knock, Knock, Knock
II. LINUX VULNERABILITY SUMMARY
1. Symantec AntiVirus Scan Engine For Red Hat Linux Insecure Te...
2. YABB SE Quote Parameter SQL Injection Vulnerability
3. YaBB Information Leakage Weakness
4. Linux Kernel do_mremap Function VMA Limit Local Privilege Es...
5. Linux Kernel Vicam USB Driver Userspace/Kernel Memory Copyin...
6. Linux Kernel NCPFS ncp_lookup() Unspecified Local Privilege ...
7. Metamail Multiple Buffer Overflow/Format String Handling Vul...
8. Linux Kernel execve() Malformed ELF File Unspecified Local D...
III. LINUX FOCUS LIST SUMMARY
1. how to change OS identification? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Immunity CANVAS
2. SecretAgent
3. Cyber-Ark Inter-Business Vault
4. EnCase Forensic Edition
5. KeyGhost SX
6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
1. Openwall Linux kernel patch v2.4.25-ow1
2. IVS Milter v1-0-5
3. Nast v0.2.0
4. pasmal v0.5 beta
5. RC-Crypt v1.5
6. Stunnel v4.05
VI. UNSUBSCRIBE INSTRUCTIONS

I. FRONT AND CENTER
-------------------
1. Knock, Knock, Knock
By Kelly Martin

If hundreds of thousands of people are still blindly clicking on
attachments in their email, is there any hope of mitigating the threat of
hundreds of thousands of compromised systems with open backdoors?

http://www.securityfocus.com/columnists/221

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Symantec AntiVirus Scan Engine For Red Hat Linux Insecure Te...
BugTraq ID: 9662
Remote: No
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9662
Summary:
Multiple issues related to insecure creation of temporary files were
reported in Symantec AntiVirus Scan Engine for Red Hat Linux. These
issues are exposed during installation and prior to the software being run
for the first time.

The following specific issues were reported:

Log files for LiveUpdate are created in /tmp using a predictable name
(LiveUpdate.log) by default when the software is first run. If a
malicious local user were to create a symbolic link that was named after
the temporary file, then it would be possible to corrupt a file pointed to
by the symbolic link when the LiveUpdate is first run. LiveUpdate would
typically be run as the 'symantec' user but could also be run as root
under some circumstances.

Various temporary directories are also created with predictable names
during the software installation. In particular, one directory is created
using the PID, for example: symcinstXXXX (where XXXX equals the process
ID). Another directory will also be created in /tmp using a static name
(savsetmp).

A temporary directory (with a name derived from the current Unix time)
created by LiveUpdate will be given world-writeable permissions when it is
created.

These issues could potentially allow malicious local users to corrupt
files in the context of the user invoking the software, most likely
resulting in a denial of service or loss of data.
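The following is an added example, not code from the advisory or from Symantec. It reproduces the symlink risk of a predictable file name in /tmp in a private scratch directory and shows the open flags that prevent it; the directory and file names are constructed, and it assumes Linux/glibc with a writable /tmp.

```c
/* Added example, not code from the advisory or from Symantec: reproduces the
 * symlink risk of a predictable name in /tmp and shows a safe open.
 * Assumptions: Linux/glibc, a writable /tmp; all paths below are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: a fixed, predictable path opened with O_CREAT but without
 * O_EXCL or O_NOFOLLOW. If another user has planted a symlink there, the open
 * follows it and every write lands in the link's target.
 * Returns 1 if the open followed a symlink, 0 if not, -1 on open failure. */
int open_log_insecure(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    int followed = (lstat(path, &st) == 0 && S_ISLNK(st.st_mode));
    close(fd);
    return followed;
}

/* Hardened pattern: O_CREAT|O_EXCL|O_NOFOLLOW makes the open fail if anything
 * (regular file or symlink) already exists at the path, and mode 0600 keeps
 * the log private. Where the name need not be fixed, mkstemp() is simpler
 * still: it picks an unpredictable name and applies the same O_EXCL semantics. */
int open_log_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_APPEND, 0600);
}

/* Demonstration in a private directory: plant a symlink where the predictable
 * log file would be created, then try both openers.
 * Returns 0 when the insecure open followed the link and the hardened open
 * refused it; -1 otherwise. Cleans up after itself. */
int demo_symlink_risk(void)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";          /* constructed sandbox */
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[512], link[512];
    snprintf(victim, sizeof victim, "%s/important-data", dir);
    snprintf(link, sizeof link, "%s/LiveUpdate.log", dir);

    int result = -1;
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);  /* the file to protect */
    if (vfd >= 0 && symlink(victim, link) == 0) {
        int followed = open_log_insecure(link);       /* expected: 1 */
        int fd = open_log_secure(link);               /* expected: -1 */
        int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
        if (fd >= 0)
            close(fd);
        result = (followed == 1 && refused) ? 0 : -1;
    }
    if (vfd >= 0)
        close(vfd);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}
```

Calling demo_symlink_risk() returns 0 on a system where the insecure open follows the planted link and the hardened open is refused with EEXIST or ELOOP. The same flags apply to the PID-named and static directories the advisory describes: mkdtemp() for directories, mkstemp() or O_CREAT|O_EXCL|O_NOFOLLOW for files, and never a world-writeable mode.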

2. YABB SE Quote Parameter SQL Injection Vulnerability
BugTraq ID: 9674
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9674
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for Unix, Linux, and Microsoft Operating
Systems.

A vulnerability in YaBB SE could make it possible for a remote user to
launch SQL injection attacks.

It has been reported that the issue exists due to insufficient sanitizing
of the 'quote' URI parameter. As a result, a remote user can inject
arbitrary SQL into the queries made against the database used by YaBB SE.
This could permit remote attackers to pass malicious input to database
queries, resulting in modification of query logic or other attacks.

Successful exploitation could result in compromise of the YaBB SE,
disclosure or modification of data or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.

A proof of concept supplied with the report allows an attacker to gain
access to users' password hashes.

YaBB SE versions 1.5.4 and 1.5.5 have been reported to be affected by this
issue, however, other versions could be affected as well.
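The following is an added example, not YaBB SE code: strict validation of a numeric request parameter before it is used in a SQL query. It assumes the 'quote' parameter is a message id (so anything other than a plain decimal integer can be rejected); the table and column names are constructed.

```c
/* Added example, not YaBB SE code: strict validation of a numeric request
 * parameter before it is used in SQL. Assumption: the 'quote' parameter is a
 * message id, so anything but a plain decimal integer can be rejected; the
 * table and column names below are constructed. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accepts only a canonical non-negative decimal integer: no sign, no
 * whitespace, no trailing characters, no overflow. Returns 1 and stores the
 * value on success, 0 on rejection. */
int parse_message_id(const char *s, long *out)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (const char *p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return 0;               /* rejects quotes, spaces, operators */
    errno = 0;
    char *end = NULL;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return 0;                   /* overflow or not fully consumed */
    *out = v;
    return 1;
}

/* Convenience predicate for callers that only need accept/reject. */
int is_valid_message_id(const char *s)
{
    long unused;
    return parse_message_id(s, &unused);
}

/* Builds the query text only from the validated integer, so the raw request
 * string never reaches the SQL. Returns the query length, or -1 if the
 * parameter was rejected or the buffer is too small. For string-valued
 * parameters, a parameterised (prepared) statement is the right fix instead. */
int build_quote_query(const char *param, char *buf, size_t bufsz)
{
    long id;
    if (!parse_message_id(param, &id))
        return -1;
    int n = snprintf(buf, bufsz,
                     "SELECT ID_MEMBER, body FROM messages WHERE ID_MSG = %ld",
                     id);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return n;
}
```

The point of the two-stage check is that the SQL text is composed from a long, never from the request string; an input such as "12abc", "1'" or a 23-digit number is rejected before any query is built.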

3. YaBB Information Leakage Weakness
BugTraq ID: 9677
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: http://www.securityfocus.com/bid/9677
Summary:
YaBB (Yet Another Bulletin Board) is freely available web forum software
that is written in Perl. YaBB will run on most Unix/Linux variants, Mac
OS, and Microsoft Windows platforms.

YaBB is prone to a weakness that may permit remote users to enumerate
usernames. The cause of this issue is that YaBB returns different
responses based on whether or not a guessed username is valid or invalid
when the user attempts to log in. This information could aid in further
attacks.

It should be noted that this issue would only present a security risk on
installations that do not allow guests or anonymous web users to browse
the forum, in which case remote users would not be privy to usernames.
Otherwise this information would already be publicly accessible.

This issue was reported in YaBB 1 Gold - SP 1.3.1. Other versions may
also be affected.
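The following is an added example, not YaBB code: a login check that returns the same message and does the same amount of work whether or not the username exists, next to the leaky pattern the weakness describes. The user table, passwords and the token derivation are constructed stand-ins (a real implementation stores and verifies a slow password hash).

```c
/* Added example, not YaBB code: a login check that gives the same answer and
 * does the same work whether or not the username exists. The user table,
 * passwords and the token derivation are constructed stand-ins (a real
 * implementation stores and verifies a slow password hash). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 16
#define NUSERS 2

/* Constructed stand-in for a password hash: deterministic mixing of the
 * password bytes into a fixed-size token. Not a real hash function. */
static void derive_token(const char *pw, uint8_t out[TOKEN_LEN])
{
    uint64_t h = 1469598103934665603ULL;               /* FNV-1a basis */
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        h ^= *p;
        h *= 1099511628211ULL;
    }
    for (int i = 0; i < TOKEN_LEN; i++) {
        h ^= h >> 29;
        h *= 1099511628211ULL;
        out[i] = (uint8_t)(h >> 56);
    }
}

/* Constant-time comparison: no early exit that would leak where the
 * mismatch occurred. */
static int tokens_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (int i = 0; i < TOKEN_LEN; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

struct user { const char *name; uint8_t token[TOKEN_LEN]; };
static struct user users[NUSERS] = { {"alice", {0}}, {"bob", {0}} };
static uint8_t dummy_token[TOKEN_LEN];
static int initialised = 0;

static void init_users(void)
{
    if (initialised)
        return;
    derive_token("correct horse", users[0].token);       /* constructed */
    derive_token("battery staple", users[1].token);      /* constructed */
    derive_token("unused dummy secret", dummy_token);    /* constructed */
    initialised = 1;
}

static const struct user *find_user(const char *name)
{
    init_users();
    for (int i = 0; i < NUSERS; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* Leaky check, the pattern the weakness describes: two different error
 * messages reveal whether the username exists. */
const char *login_leaky(const char *name, const char *pw)
{
    const struct user *u = find_user(name);
    if (u == NULL)
        return "Unknown username";
    uint8_t t[TOKEN_LEN];
    derive_token(pw, t);
    return tokens_equal(u->token, t) ? "OK" : "Wrong password";
}

/* Uniform check: one message for both failures, and the token comparison
 * runs against a dummy when the user is unknown so the timing is similar. */
const char *login_uniform(const char *name, const char *pw)
{
    const struct user *u = find_user(name);
    const uint8_t *stored = u ? u->token : dummy_token;
    uint8_t t[TOKEN_LEN];
    derive_token(pw, t);
    int match = tokens_equal(stored, t);
    if (u == NULL || !match)
        return "Invalid username or password";
    return "OK";
}
```

Note that a successful match against the dummy token still fails because the user lookup returned NULL; the dummy exists only so the unknown-user path does the same work as the known-user path.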

4. Linux Kernel do_mremap Function VMA Limit Local Privilege Es...
BugTraq ID: 9686
Remote: No
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9686
Summary:
A vulnerability involving the do_mremap system function has been reported
in the Linux kernel, allowing for local privilege escalation. The
mremap(2) system call is used to resize and relocate Virtual Memory Areas
(VMA).

It has been reported that in order to move a part of the virtual memory
from inside a VMA area to a new location, a new VMA descriptor must be
created and the underlying page table entries copied, as described by the
VMA, from the old to the new location in the process's page table. The
do_mremap function is responsible for this task and calls the kernel
do_munmap() function to eliminate the old virtual memory mapping and any
existing virtual memory mapping in the new location. The issue presents
itself because the return value of the do_munmap() function is not
properly verified. If the maximum number of VMAs (65535) for a process has
been reached and part of an existing memory mapping is unmapped, the
maximum number of available VMA descriptors may be exceeded. Because the
return value is not checked, the page table entries from one VMA can be
inserted into the page table location described by the previous VMA, where
they are subject to the previous VMA's page protection flags.

Furthermore, it has been reported that two other unchecked calls from
do_mremap() to do_munmap() may present another exploitable instance of the
same problem. This occurs when the VMA to be remapped is truncated.

Successful exploitation of this issue may allow a local attacker with
limited privileges on a host to fully compromise the system because
special privileges are not required to use the mremap(2) system call. The
issue may also allow a denial of service condition on available system
memory.

5. Linux Kernel Vicam USB Driver Userspace/Kernel Memory Copyin...
BugTraq ID: 9690
Remote: No
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9690
Summary:
It has been reported that the Vicam USB driver does not access userspace
memory in a safe manner. The source of the problem is that the
copy_from_user function is not used by the driver. This function is used
to copy a block of memory from userspace into kernel memory. This is
reported to present unspecified local security risks.

Though unconfirmed, this could theoretically present a situation where
memory in userspace is copied into kernel memory in a manner that causes
kernel structures or other sensitive variables in kernel memory to be
corrupted. This type of issue could possibly lead to privilege escalation
or a denial of service condition, though this is also not confirmed.

This issue is reported to exist in kernel versions prior to 2.4.25.

Further technical details related to this issue are not known at this
time. This BID will be updated as more information is made available.

6. Linux Kernel NCPFS ncp_lookup() Unspecified Local Privilege ...
BugTraq ID: 9691
Remote: No
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9691
Summary:
NCPFS is a suite of programs that allow users to access a Novell server.
NetWare servers can be mounted under Linux by NCPFS and functionality to
print with NetWare printers is provided.

An unspecified local privilege escalation vulnerability has been reported
to exist due to the ncp_lookup() function of NCPFS. This issue may allow
for a local user to gain elevated privileges. Exploitation of this
vulnerability may result in a compromise of root access by local
attackers.

Due to a lack of details further information cannot be provided at the
moment. This BID will be updated as more information becomes available.

7. Metamail Multiple Buffer Overflow/Format String Handling Vul...
BugTraq ID: 9692
Remote: Yes
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9692
Summary:
Metamail is a multi-platform utility that was originally developed by
Bellcore, but is no longer maintained. Metamail parses and decodes MIME
encoded email.

Metamail has been reported prone to multiple vulnerabilities that may
provide for arbitrary code execution.

The first issue, a format string handling vulnerability, is reported to
present itself when metamail handles a message that consists of a
multipart/alternative data type. Format specifiers that exist as a value
for the Content-Type header in one of the message body parts will be
interpreted literally, providing for arbitrary writes into process memory.
The issue exists due to programming errors in fprintf() calls in the
function SaveSquirrelFile() of the source file metamail.c.

The second issue, again a format string handling vulnerability, is
reported to present itself when a processed email message contains
specially encoded non-ASCII characters including malicious format
specifiers in the email header. This vulnerability may provide a conduit
for an attacker to influence arbitrary writes into process memory space.
The issue exists due to programming errors in a printf() call in the
function PrintHeader() of the source file metamail.c.

A third issue, resulting from a lack of sufficient boundary checks, has
been reported to exist due to an unsafe strcpy() call in the function
PrintHeader() of the source file metamail.c. The issue is triggered when
the value in an email message header used to identify a character set is
of excessive length; it has been reported that the message headers must
also consist of encoded non-ASCII characters.

The final vulnerability exists in the splitmail executable. This issue is
due to a lack of sufficient boundary checks performed on Subject values
contained in email headers. The issue may be triggered if the splitmail
executable is used to process a malicious email that contains a Subject
line of sufficient length to overflow the bounds of a reserved buffer in
process memory. The issue exists due to an unsafe strcpy() call in the
function ShareThisHeader() of the source file splitmail.c.
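The following is an added example, not metamail code: the hardened forms of the two defect classes the advisory describes (an untrusted string used as a printf-family format, and an unbounded strcpy() into a fixed buffer). The vulnerable shapes are reconstructed in the comments from the advisory's description rather than copied from metamail.c, and CHARSET_MAX and the header strings are constructed.

```c
/* Added example, not metamail code: hardened forms of the two defect classes
 * the advisory describes. The vulnerable shapes are reconstructed in the
 * comments; CHARSET_MAX and the header strings are constructed. */
#include <stdio.h>
#include <string.h>

#define CHARSET_MAX 64   /* constructed size of the fixed charset buffer */

/* Vulnerable shape (format string): header text chosen by the sender is
 * passed as the format, so any conversion specifier in it is interpreted:
 *     fprintf(out, line);
 * Hardened: the untrusted text is always an argument to a fixed format, so
 * a "%n" or "%x" in the header is written out literally.
 * Returns the number of characters produced, or -1 if it would not fit. */
int write_header_line(char *out, size_t outsz, const char *untrusted)
{
    int n = snprintf(out, outsz, "%s\n", untrusted);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                     /* would have been truncated */
    return n;
}

/* Vulnerable shape (overflow): strcpy(charset, value) into a fixed buffer
 * with no length check. Hardened: measure with a bound first and refuse an
 * over-long value outright instead of truncating it silently (a truncated
 * charset name is itself wrong and could mislead later processing).
 * Returns 0 on success, -1 if the value does not fit. */
int copy_charset(char dst[CHARSET_MAX], const char *value)
{
    size_t len = 0;
    while (len < CHARSET_MAX && value[len] != '\0')
        len++;                         /* bounded scan, never past the limit */
    if (len >= CHARSET_MAX)
        return -1;
    memcpy(dst, value, len + 1);       /* includes the terminating NUL */
    return 0;
}
```

The same bounded-copy rule covers the splitmail Subject overflow: decide the buffer size, measure the value against it, and reject rather than copy when it does not fit.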

This BID will be broken up into unique BIDs, as further analysis of these
issues is completed. The following CVE IDs have been associated with these
vulnerabilities (CAN-2004-0104) and (CAN-2004-0105).

8. Linux Kernel execve() Malformed ELF File Unspecified Local D...
BugTraq ID: 9695
Remote: No
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9695
Summary:
It has been reported that the Linux kernel is prone to a local denial of
service vulnerability due to an inability of the execve() system call to
handle exceptional conditions.

The issue surrounds the failure of the execve() system call to properly
handle malformed ELF (Executable and Linkable Format) binaries. The
immediate consequence of this issue is that an attacker may cause the
Linux kernel to fail, denying service to legitimate users.

This BID will be updated with further technical details if more
information is made available.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. how to change OS identification? (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/354587

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility, supporting
cross-platform interoperability over a wide range of platforms: Windows,
Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, regardless
of the size of your organization.

Using the latest recognized standards in encryption and digital signature
technology, SecretAgent ensures the confidentiality, integrity, and
authenticity of your data.

3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features for
computer forensics and investigations. With an intuitive GUI and superior
performance, EnCase Version 4 provides investigators with the tools to
conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award-winning solution yields completely
non-invasive computer forensic investigations while allowing examiners to
easily manage large volumes of computer evidence and view all relevant
files, including "deleted" files, file slack and unallocated space.

The integrated functionality of EnCase allows the examiner to perform all
functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data
in its own internal memory (not on the hard drive), it is impossible for
a network intruder to gain access to any sensitive data stored within the
device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Openwall Linux kernel patch v2.4.25-ow1
By: Solar Designer <solar (at) openwall (dot) com>
Relevant URL: http://www.openwall.com/linux/
Platforms: Linux
Summary:

The Openwall Linux kernel patch is a collection of security "hardening"
features for the Linux kernel. In addition to the new features, some
versions of the patch contain various security fixes. The "hardening"
features of the patch, while not a complete method of protection, provide
an extra layer of security against the easier ways to exploit certain
classes of vulnerabilities and/or reduce the impact of those
vulnerabilities. The patch can also add a little bit more privacy to the
system by restricting access to parts of /proc so that users may not see
what others are doing.

2. IVS Milter v1-0-5
By: Nigel Kukard
Relevant URL: http://ivs-milter.lbsd.net
Platforms: Linux
Summary:

IVS Milter is a virus, spam, and content milter. It makes use of the
antivirus package ClamAV, and can also seamlessly integrate SpamAssassin
(either spamc or libspamc). IVS Milter is also plugin based and currently
supports virus scanning, spam scanning, content-type matching, attachment
type matching, and attachment filename matching.

3. Nast v0.2.0
By: embyte
Relevant URL: http://nast.berlios.de
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX
Summary:

Nast is a packet sniffer and a LAN analyzer based on Libnet and Libpcap.
It can sniff the packets on a network interface in normal mode or in
promiscuous mode. It dumps the headers of packets and the payload in ASCII
or ASCII-hex format. Various packet filters can be applied. The data
sniffed can be saved in a separate file. As an analysis tool, it can check
for other NICs on the network which are set in promiscuous mode, build a
list of all hosts on a LAN, find a gateway, perform port scanning on
multiple hosts, catch daemon banners, follow the TCP data stream, reset a
connection, and determine whether a link type is a hub or switch.

4. pasmal v0.5 beta
By: James Meehan
Relevant URL: http://www.sourceforge.net/projects/pasmal/
Platforms: Linux, POSIX
Summary:

pasmal is a TCP/IP packet authentication system. When it receives a
sequence of ICMP or TCP packets to any port (open/closed), it will issue a
command on the server.

5. RC-Crypt v1.5
By: Richard Jones
Relevant URL: http://www.ricksoft.co.uk/downloads/rccrypt/rccrypt.htm
Platforms: Linux
Summary:

RC-Crypt can be used to encrypt or decrypt data using the RC5 algorithm.
It operates on 128-bit data blocks, adding random characters for padding
if necessary. The word size is 64 bits. It has many input/output options,
making this a versatile piece of software suitable for embedding into
scripts.

6. Stunnel v4.05
By: Michal Trojnara, <Michal.Trojnara (at) mirt (dot) net>
Relevant URL: http://stunnel.mirt.net/
Platforms: FreeBSD, Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

The stunnel program is designed to work as an SSL encryption wrapper
between remote client and local (inetd-startable) or remote server. It can
be used to add SSL functionality to commonly used inetd daemons like POP2,
POP3, and IMAP servers without any changes in the programs' code. It will
negotiate an SSL connection using the OpenSSL or SSLeay libraries. It
calls the underlying crypto libraries, so stunnel supports whatever
cryptographic algorithms you compiled into your crypto package.

VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
linux-secnews-unsubscribe (at) securityfocus (dot) com from the subscribed address.
The contents of the subject or message body do not matter. You will
receive a confirmation request message to which you will have to answer.
Alternatively you can also visit http://www.securityfocus.com/newsletters
and unsubscribe via the website.

If your email address has changed email listadmin (at) securityfocus (dot) com and
ask to be manually removed.

Copyright 2010, SecurityFocus