SecurityFocus Linux Newsletter #197
------------------------------------
This Issue is Sponsored By: SecurityFocus
Want to keep up on the latest security vulnerabilities? Don't have time to
visit a myriad of mailing lists and websites to read the news? Just add the
new SecurityFocus RSS feeds to your freeware RSS reader, and see all the
latest posts for Bugtraq and the SF Vulnerability database in one
convenient place. Or, pull in the latest news, columnists and feature
articles in the SecurityFocus aggregated news feed, and stay on top of
what's happening in the community!
I. FRONT AND CENTER
1. Examining a Public Exploit, Part 1
2. Detecting Worms and Abnormal Activities with NetFlow, Part 1
3. Big Brother's Last Mile
4. The Panacea of Information Security
II. LINUX VULNERABILITY SUMMARY
1. PluggedOut Blog Blog_Exec.PHP Cross-Site Scripting Vulnerabi...
2. Linux Kernel Unspecified chown Inode Time Vulnerability
3. Linux Kernel Unspecified Signal Denial Of Service Vulnerabil...
4. Xine-Lib Remote Buffer Overflow Vulnerability
5. Linux Kernel Unspecified USB Vulnerability
6. PluggedOut Blog Calendar Module Cross-Site Scripting Vulnera...
7. GNU CFEngine AuthenticationDialogue Remote Heap Based Buffer...
8. GNU CFEngine AuthenticationDialogue Remote Denial Of Service...
9. KDE Konqueror Cross-Domain Frame Loading Vulnerability
10. KDE Insecure Temporary Directory Symlink Vulnerability
11. KDE DCOPServer Insecure Temporary File Creation Vulnerabilit...
12. Mutt PGP/GnuPG Verified Email Signature Spoofing Vulnerabili...
13. Adobe Acrobat Reader Shell Metacharacter Remote Arbitrary Co...
14. RealNetwork RealPlayer Unspecified Remote Vulnerability
15. Kerio Mailserver Embedded HTTP Server Multiple Unspecified V...
16. Rsync Sanitize_path Function Module Path Escaping Vulnerabil...
17. HanSoft 4tH Unspecified Vulnerability
18. Sympa List Creation Authentication Bypass Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. can Hopster traffic be blocked? (Thread)
2. LIDS 1.2.2rc2 for Linux kernel 2.4.27 released (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Cyber-Ark Inter-Business Vault
2. EnCase Forensic Edition
3. KeyGhost SX
4. SafeKit
5. Astaro Linux Firewall
6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
1. Pads 1.1
2. cenfw 0.3b
3. Firewall Builder 2.0
4. Lepton's Crack 20031130
5. popa3d v0.6.4.1
6. tinysofa enterprise server 2.0-rc1
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Examining a Public Exploit, Part 1
By Don Parker
The purpose of this article is to analyze a public exploit in a lab
environment, see the alerts generated by an intrusion detection system, and
then do some packet analysis of the malicious binary in order to better
understand it.
http://www.securityfocus.com/infocus/1795
2. Detecting Worms and Abnormal Activities with NetFlow, Part 1
By Yiming Gong
This paper discusses the use of NetFlow, a traffic profile monitoring
technology available on many routers, for use in the early detection of
worms, spammers, and other abnormal network activity in large enterprise
networks and service providers.
http://www.securityfocus.com/infocus/1796
3. Big Brother's Last Mile
By Mark Rasch
The FCC's new ruling on broadband wiretaps will force customers to pay for
the privilege of making the Internet less secure.
http://www.securityfocus.com/columnists/261
4. The Panacea of Information Security
By Jason Miller
Step away from all the vendor hype. The one device that will always be the
best tool for information security is a competent security professional.
http://www.securityfocus.com/columnists/260
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. PluggedOut Blog Blog_Exec.PHP Cross-Site Scripting Vulnerabi...
BugTraq ID: 10885
Remote: Yes
Date Published: Aug 07 2004
Relevant URL: http://www.securityfocus.com/bid/10885
Summary:
PluggedOut Blog is reported prone to a cross-site scripting vulnerability.
This could allow for execution of hostile HTML and script code in the web client of a user who visits a malicious link to the vulnerable site. This code execution would occur in the security context of the site hosting the vulnerable software.
Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.
2. Linux Kernel Unspecified chown Inode Time Vulnerability
BugTraq ID: 10887
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10887
Summary:
An unspecified vulnerability has been announced in the Linux Kernel implementation of the chown(2) system call. This issue is related to how inode time data is updated by the system call. The impact is not known at this time, though it is speculated that this could affect system integrity.
3. Linux Kernel Unspecified Signal Denial Of Service Vulnerabil...
BugTraq ID: 10888
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10888
Summary:
An unspecified denial of service vulnerability has been reported to exist in the Linux Kernel. This issue could occur when signals are handled by the kernel. Further details are not available at this time.
4. Xine-Lib Remote Buffer Overflow Vulnerability
BugTraq ID: 10890
Remote: Yes
Date Published: Aug 08 2004
Relevant URL: http://www.securityfocus.com/bid/10890
Summary:
It is reported that the xine media library is affected by a remote buffer overflow vulnerability. This issue can allow a remote attacker to gain unauthorized access to a vulnerable computer.
xine-lib rc-5 and prior versions are reportedly affected by this issue. xine versions 0.99.2 and prior are also vulnerable.
5. Linux Kernel Unspecified USB Vulnerability
BugTraq ID: 10892
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10892
Summary:
The Linux Kernel implementation of USB is reported prone to an unspecified vulnerability. The impact is not known at this time, though it is speculated that this vulnerability could affect system stability.
6. PluggedOut Blog Calendar Module Cross-Site Scripting Vulnera...
BugTraq ID: 10894
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10894
Summary:
The Blog 'calendar' module does not sufficiently sanitize data supplied via URI parameters, making it prone to cross-site scripting attacks. This could allow for execution of hostile HTML and script code in the web client of a user who visits a malicious link to the vulnerable site.
7. GNU CFEngine AuthenticationDialogue Remote Heap Based Buffer...
BugTraq ID: 10899
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10899
Summary:
GNU cfengine cfservd is reported prone to a remote heap-based buffer overrun vulnerability. The vulnerability presents itself in the cfengine cfservd AuthenticationDialogue() function.
The issue exists due to a lack of sufficient boundary checks performed on challenge data that is received from a client.
Because the size of the buffer, the size of data copied in a memcpy() operation, and the data copied are all controlled by the attacker, a remote attacker may exploit this condition to corrupt in-line heap-based memory management data.
cfservd employs an IP based access control method. This access control must be bypassed prior to exploitation. This may hinder exploitation attempts.
This vulnerability is reported to affect versions 2.0.0 to 2.1.7p1 of cfengine cfservd.
8. GNU CFEngine AuthenticationDialogue Remote Denial Of Service...
BugTraq ID: 10900
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10900
Summary:
GNU cfengine cfservd is reported prone to a remote denial of service vulnerability. The vulnerability presents itself in the cfengine cfservd AuthenticationDialogue() function that is responsible for processing SAUTH commands and also performing RSA based authentication.
The vulnerability presents itself because return values for several statements within the AuthenticationDialogue() function are not checked.
A subsequent memcpy() operation that relies on these unchecked return values will fail, resulting in a daemon crash. A remote attacker may exploit this vulnerability to crash the affected daemon, effectively denying service to legitimate users.
cfservd employs an IP based access control method (AllowConnectionsFrom). This access control must be bypassed prior to exploitation. This may hinder exploitation attempts.
This vulnerability is reported to affect versions 2.0.0 to 2.1.7p1 of cfengine cfservd.
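The two cfservd entries above describe the same bug class: a length and payload taken from the client, copied with memcpy() after read return values that were never checked. The block below is an added, constructed example (not cfengine's code, and the 2-byte length-prefixed "challenge" record is an assumed wire format) showing the receive path with every return value and every length checked before the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define CHALLENGE_MAX 256   /* constructed limit for this example */

/* Parsed challenge: fixed-size storage, never sized by the client */
struct challenge {
    uint16_t len;
    unsigned char data[CHALLENGE_MAX];
};

/* Reader callback in the style of read(2): bytes read, 0 at EOF, -1 on error */
typedef ssize_t (*reader_fn)(void *ctx, unsigned char *dst, size_t n);

/* Read exactly n bytes, checking every return value; -1 on EOF or error.
 * Treating a short read or -1 as success is what lets a later memcpy()
 * run on garbage lengths and crash the daemon. */
int read_exact(reader_fn rd, void *ctx, unsigned char *dst, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = rd(ctx, dst + got, n - got);
        if (r <= 0)
            return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Receive one challenge record: 2-byte big-endian length, then the body.
 * The declared length is bounded by the fixed buffer before any copy. */
int recv_challenge(reader_fn rd, void *ctx, struct challenge *out)
{
    unsigned char hdr[2];
    if (out == NULL || read_exact(rd, ctx, hdr, 2) != 0)
        return -1;                                   /* header incomplete */
    uint16_t declared = (uint16_t)((hdr[0] << 8) | hdr[1]);
    if (declared == 0 || declared > CHALLENGE_MAX)
        return -1;                                   /* refuse oversized copy */
    if (read_exact(rd, ctx, out->data, declared) != 0)
        return -1;                                   /* body truncated */
    out->len = declared;
    return 0;
}

/* In-memory reader used to drive the parser with constructed input;
 * `chunk` > 0 simulates short reads from a socket. */
struct membuf { const unsigned char *p; size_t left; size_t chunk; };

static ssize_t mem_read(void *ctx, unsigned char *dst, size_t n)
{
    struct membuf *m = ctx;
    if (m->left == 0) return 0;                      /* EOF */
    if (n > m->left) n = m->left;
    if (m->chunk && n > m->chunk) n = m->chunk;
    memcpy(dst, m->p, n);
    m->p += n; m->left -= n;
    return (ssize_t)n;
}

/* Exercise the parser; returns 0 when every expectation holds */
int check_cases(void)
{
    struct challenge c;
    static const unsigned char ok[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    static const unsigned char huge[] = {0x10, 0x00, 'x', 'x'};      /* 4096 > MAX */
    static const unsigned char cut[] = {0x00, 0x0a, 'a', 'b', 'c'};  /* says 10, has 3 */
    struct membuf m1 = {ok, sizeof ok, 1};          /* one byte per read */
    struct membuf m2 = {huge, sizeof huge, 0};
    struct membuf m3 = {cut, sizeof cut, 0};

    if (recv_challenge(mem_read, &m1, &c) != 0 || c.len != 5 ||
        memcmp(c.data, "hello", 5) != 0)
        return 1;
    if (recv_challenge(mem_read, &m2, &c) != -1)
        return 2;
    if (recv_challenge(mem_read, &m3, &c) != -1)
        return 3;
    return 0;
}
```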
9. KDE Konqueror Cross-Domain Frame Loading Vulnerability
BugTraq ID: 10921
Remote: Yes
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10921
Summary:
Konqueror is reported prone to a cross-domain frame loading vulnerability. It is reported that if the name of a frame rendered in a target site is known, then an attacker may potentially render arbitrary HTML in the frame of the target site.
An attacker may exploit this vulnerability to spoof an interface of a trusted web site.
All versions of KDE up to KDE 3.2.3 are vulnerable to this issue.
10. KDE Insecure Temporary Directory Symlink Vulnerability
BugTraq ID: 10922
Remote: No
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10922
Summary:
KDE is reported to contain a temporary directory symlink vulnerability. This vulnerability is due to improper validation of the ownership of temporary directories.
Local attackers can cause KDE applications to fail, denying service to users, or to overwrite arbitrary files with the privileges of the target user. Privilege escalation may be possible.
Source patches have been made available by KDE to resolve this issue.
11. KDE DCOPServer Insecure Temporary File Creation Vulnerabilit...
BugTraq ID: 10924
Remote: No
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10924
Summary:
KDE's DCOPServer is reported to contain an insecure temporary file creation vulnerability. This is due to the use of the mktemp() function.
Since temporary files are used by the DCOP daemon for authentication purposes, a local attacker may possibly exploit this vulnerability to compromise the account of a targeted user running KDE.
A local attacker may also possibly exploit this vulnerability to execute symbolic link file overwrite attacks. This may allow an attacker to overwrite arbitrary files with the privileges of the targeted user. Privilege escalation may also be possible using this method of attack.
KDE versions from 3.2.0 to 3.2.3 are reported susceptible to this vulnerability.
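Entries 10 and 11 above describe two related temp-file weaknesses: a temporary directory whose ownership is not validated, and mktemp() naming a file that is opened in a separate, racy step. The block below is an added example written for this newsletter (not KDE's code; the directory name pattern and the tmpdir_is_safe() helper are constructed) contrasting the mktemp() pattern with mkstemp() and showing the ownership check.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical check modelled on the ownership validation the advisory
 * describes.  Returns 0 when `path` is a real directory (not a symlink)
 * owned by the caller and not writable by group or others; -1 otherwise. */
int tmpdir_is_safe(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)          /* lstat(): never follow a planted link */
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;                      /* symlink, regular file, etc. */
    if (st.st_uid != getuid())
        return -1;                      /* pre-created by another local user */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;                      /* others could plant links inside */
    return 0;
}

/* Vulnerable pattern: mktemp() only picks a name; the open() is a second
 * step, so a symlink created in between is silently followed. */
int open_tmp_insecure(char *tmpl)
{
    if (mktemp(tmpl) == NULL || tmpl[0] == '\0')
        return -1;
    return open(tmpl, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: mkstemp() creates and opens atomically with O_EXCL,
 * then the descriptor itself is verified rather than the path. */
int open_tmp_secure(char *tmpl)
{
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Exercise the checks on a constructed directory under /tmp; returns 0
 * when every expectation holds, otherwise a bitmask of failed checks. */
int run_demo(void)
{
    char dir[] = "/tmp/ksocket-demo-XXXXXX";
    char link[64], tmpl[80];
    int rc = 0, fd;

    if (mkdtemp(dir) == NULL)               /* mode 0700, owned by us */
        return 1;
    if (tmpdir_is_safe(dir) != 0)
        rc |= 2;

    /* A symlink pointing at our own directory must still be rejected */
    snprintf(link, sizeof link, "%s.lnk", dir);
    if (symlink(dir, link) == 0 && tmpdir_is_safe(link) == 0)
        rc |= 4;
    unlink(link);

    /* A group-writable directory must be rejected */
    chmod(dir, 0770);
    if (tmpdir_is_safe(dir) == 0)
        rc |= 8;
    chmod(dir, 0700);

    /* mkstemp() fills in the template and returns an open descriptor */
    snprintf(tmpl, sizeof tmpl, "%s/authXXXXXX", dir);
    fd = open_tmp_secure(tmpl);
    if (fd < 0 || strstr(tmpl, "XXXXXX") != NULL)
        rc |= 16;
    if (fd >= 0) { close(fd); unlink(tmpl); }

    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("temp-file checks: %s (rc=%d)\n", rc == 0 ? "all passed" : "FAILED", rc);
    return rc;
}
```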
12. Mutt PGP/GnuPG Verified Email Signature Spoofing Vulnerabili...
BugTraq ID: 10929
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10929
Summary:
It is reported that Mutt contains a vulnerability that allows attackers to send email that spoofs the look of a successfully verified PGP/GnuPG email message.
An attacker may potentially simulate the look of the PGP/GnuPG output that Mutt usually includes when processing signed email messages. If a user employs Mutt with a specific configuration, the attacker may make email messages look almost identical to a properly signed and verified email.
This may allow an attacker to create a message that falsifies a correctly verified PGP/GnuPG signature. This could allow an attacker to spoof email from trusted sources. This will likely greatly increase the effectiveness of social engineering attacks.
In the index mode, messages with signatures have the 's' flag. Verified signatures change to 'S'. Ensuring that messages have the proper attributes will aid in the mitigation of this vulnerability.
Versions 1.3.28 and 1.5.6 are reported affected by this vulnerability. Other versions are also likely affected.
13. Adobe Acrobat Reader Shell Metacharacter Remote Arbitrary Co...
BugTraq ID: 10931
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10931
Summary:
A remote code execution vulnerability is identified in Adobe Acrobat Reader. This issue may allow an attacker to gain unauthorized access to a vulnerable computer.
Acrobat Reader is affected by a shell metacharacter command execution vulnerability. This issue exists due to insufficient sanitization of user-supplied data by Acrobat Reader for Unix and Linux platforms. Successful exploitation can allow an attacker to use a specially crafted file name to execute arbitrary commands and applications through the shell.
Adobe Acrobat Reader version 5.0 for Unix and Linux platforms is reported vulnerable to this issue. Acrobat Reader for Microsoft Windows platforms is not affected by this issue.
14. RealNetwork RealPlayer Unspecified Remote Vulnerability
BugTraq ID: 10934
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10934
Summary:
It is reported that RealNetwork RealPlayer contains an unspecified vulnerability that allows for execution of arbitrary code in the context of the user running the player.
No further information is available at this time. This BID will be updated as further information is disclosed.
15. Kerio Mailserver Embedded HTTP Server Multiple Unspecified V...
BugTraq ID: 10936
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10936
Summary:
Kerio MailServer version 6.0.1 has been released. This release addresses various unspecified security vulnerabilities in the embedded HTTP server implemented within the Kerio MailServer application. The cause and impact of these issues are currently unknown.
All versions of Kerio MailServer prior to 6.0.1 are considered vulnerable.
16. Rsync Sanitize_path Function Module Path Escaping Vulnerabil...
BugTraq ID: 10938
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10938
Summary:
If an rsync server is installed as a daemon with a read/write enabled module without using the 'chroot' option, it is possible that a remote attacker could read/write files outside of the configured module path. Rsync does not properly sanitize the paths when not running with chroot. The problem exists in the 'sanitize_path' function.
This could potentially be exploited to execute arbitrary code by corrupting or placing arbitrary files on the system. Destruction of data could also result, possibly causing a denial of service condition. Other attacks could also occur, depending on the attacker's motives.
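The rsync entry above turns on one check: a client-supplied path must not climb above the module root when the daemon is not chrooted. The block below is an added example (not rsync's own sanitize_path()) of a lexical confinement routine that collapses "." and ".." components and clamps ".." at the root; it cannot see symlinks inside the module, which is why the advisory's chroot option remains the stronger control.

```c
#include <stddef.h>
#include <string.h>

#define MAX_DEPTH 64   /* constructed limit on path components */

/* Normalise a client-supplied path relative to a module root.  Leading
 * slashes are dropped, "." and empty components are skipped, ".." pops the
 * previous component and is clamped at the root instead of escaping it.
 * Writes the result into out (outsz bytes); "." when nothing remains.
 * Returns 0 on success, -1 when the result would not fit. */
int confine_path(const char *in, char *out, size_t outsz)
{
    size_t starts[MAX_DEPTH];           /* offset in out where each component began */
    size_t depth = 0, len = 0;
    const char *p = in;

    while (*p == '/') p++;              /* absolute paths become root-relative */
    while (*p) {
        const char *q = p;
        while (*q && *q != '/') q++;
        size_t clen = (size_t)(q - p);

        if (clen == 0 || (clen == 1 && p[0] == '.')) {
            /* empty ("a//b") or "." component: nothing to emit */
        } else if (clen == 2 && p[0] == '.' && p[1] == '.') {
            if (depth > 0) {
                depth--;
                len = starts[depth];    /* drop the previous component and its slash */
            }
            /* ".." at depth 0 is clamped: we stay at the module root */
        } else {
            if (depth >= MAX_DEPTH || len + clen + 2 > outsz)
                return -1;
            starts[depth++] = len;
            if (len > 0) out[len++] = '/';
            memcpy(out + len, p, clen);
            len += clen;
        }
        p = (*q == '/') ? q + 1 : q;
    }
    if (len == 0) {
        if (outsz < 2) return -1;
        out[0] = '.';
        len = 1;
    }
    out[len] = '\0';
    return 0;
}

/* Convenience wrapper for checking one input against an expected result */
int confines_to(const char *in, const char *expected)
{
    char out[256];
    return confine_path(in, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}
```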
17. HanSoft 4tH Unspecified Vulnerability
BugTraq ID: 10939
Remote: Unknown
Date Published: Aug 13 2004
Relevant URL: http://www.securityfocus.com/bid/10939
Summary:
An unspecified vulnerability is reported in the HanSoft 4tH compiler.
This vulnerability is reported to be fixed in version 3.4e-pre4.
No further information was reported. This BID will be updated as new information is disclosed.
18. Sympa List Creation Authentication Bypass Vulnerability
BugTraq ID: 10941
Remote: Yes
Date Published: Aug 13 2004
Relevant URL: http://www.securityfocus.com/bid/10941
Summary:
Sympa is reported to be prone to an authentication bypass vulnerability when creating new mailing lists.
This vulnerability presents itself upon creating a new mailing list. The list master approval process could reportedly be skipped by an attacker.
An attacker may exploit this issue to create unauthorized mailing lists. This may possibly be used to forward UCE messages, or possibly other attacks.
Versions prior to 4.1.2 are reportedly affected by this vulnerability.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. can Hopster traffic be blocked? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/371590
2. LIDS 1.2.2rc2 for Linux kernel 2.4.27 released (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/371540
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:
Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business Vault is an information security solution that enables organizations to safely overcome traditional network boundaries in order to securely share business information among customers, business partners, and remote branches. It provides a seamless, LAN-like experience over the Internet that includes all the security, performance, accessibility, and ease of administration required to allow organizations to share everyday information worldwide.
2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features for computer forensics and investigations. With an intuitive GUI and superior performance, EnCase Version 4 provides investigators with the tools to conduct large-scale and complex investigations with accuracy and efficiency. Guidance Software's award winning solution yields completely non-invasive computer forensic investigations while allowing examiners to easily manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack and unallocated space.
The integrated functionality of EnCase allows the examiner to perform all functions of the computer forensic investigation process. EnCase's EnScript, a powerful macro-programming language and API included within EnCase, allows investigators to build customized and reusable forensic scripts.
3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed, including chat conversations, email, word processor, or even activity within an accounting or specialist system. It is completely undetectable by software scanners and provides you with one of the most powerful stealth surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data in its own internal memory (not on the hard drive), it is impossible for a network intruder to gain access to any sensitive data stored within the device.
4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any application available 24 hours per day. With no extra hardware: just use your existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to do is add more standard servers into the cluster. With the load balancing features of SafeKit, you can distribute applications over multiple servers. If one system fails completely, the others will continue to serve your users.
5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:
Astaro Linux Firewall: All-in-one firewall, virus protection, content filtering and spam protection internet security software package for Linux.
Free download for home users.
6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary:
Low cost, easy to use Two Factor Authentication One Time Password token using the cellular phone. Does not use SMS or communication, manages multiple OTP accounts - new technology. For any business that wants safer access to its Internet Services. More information at our site.
We also provide an eAuthentication service for businesses that will not buy an Authentication product but would prefer to pay a monthly charge for authentication services from our CAT Server.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Pads 1.1
By: Matt Shelton
Relevant URL: http://freshmeat.net/projects/pads/?branch_id=52504&release_id=169973
Platforms: Linux
Summary:
Pads (Passive Asset Detection System) is a signature-based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing context to IDS alerts.
2. cenfw 0.3b
By: Peter Robinson
Relevant URL: http://www.securegateway.org
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Summary:
The Centron IPTables Firewall GUI is an object oriented, database driven, Windows interface to Linux iptables firewall rules.
3. Firewall Builder 2.0
By: Vadim Kurland
Relevant URL: http://www.fwbuilder.org/
Platforms: FreeBSD, Linux, MacOS, Solaris, Windows 2000, Windows XP
Summary:
Firewall Builder consists of a GUI and set of policy compilers for various firewall platforms. It helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations. The GUI and policy compilers are completely independent, and support for a new firewall platform can be added to the GUI without any changes to the program (only a new policy compiler is needed). This provides for a consistent abstract model and the same GUI for different firewall platforms. It currently supports iptables, ipfilter, and OpenBSD pf.
4. Lepton's Crack 20031130
By: Lepton and Nekromancer
Relevant URL: http://www.nestonline.com/lcrack/lcrack-20031130-beta.zip
Platforms: Linux, MacOS, Os Independent, UNIX, Windows 2000, Windows NT, Windows XP
Summary:
Lepton's Crack is a generic password cracker. It is easily customizable with a simple plugin system and allows system administrators to review the quality of the passwords being used on their systems. It can perform a dictionary-based (wordlist) attack as well as a brute force (incremental) password scan. It supports standard MD4 hash, standard MD5 hash, NT MD4/Unicode, Lotus Domino HTTP password (R4), and SHA-1 hash formats. LM (LAN Manager) plus appending and prepending
5. popa3d v0.6.4.1
By: Solar Designer, solar (at) openwall (dot) com [email concealed]
Relevant URL: http://www.openwall.com/popa3d/
Platforms: Linux, Solaris
Summary:
popa3d is a POP3 daemon which attempts to be extremely secure, reliable, RFC compliant, and fast (in that order).
6. tinysofa enterprise server 2.0-rc1
Summary:
tinysofa enterprise server is a secure, server-targeted, enterprise-grade operating system. It is based on Trustix Secure Linux and includes a complete distribution port to Python 2.3 and RPM 4.2, an overhauled PAM authentication system providing system-wide authentication configuration, the latest upstream packages, the replacement of ncftp with lftp, the addition of gdb and screen, feature additions to the swup updater that provide multiple configuration file support, user login FTP support, enable/disable support, variable expansion support (allows multiple architectures), and many enhancements.
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to linux-secnews-unsubscribe (at) securityfocus (dot) com [email concealed] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.
If your email address has changed email listadmin (at) securityfocus (dot) com [email concealed] and ask to be manually removed.
VII. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SecurityFocus
Want to keep up on the latest security vulnerabilities? Don't have time to
visit a myriad of mailing lists and websites to read the news? Just add the
new SecurityFocus RSS feeds to your freeware RSS reader, and see all the
latest posts for Bugtraq and the SF Vulnerability database in one
convenient place. Or, pull in the latest news, columnists and feature
articles in the SecurityFocus aggregated news feed, and stay on top of
what's happening in the community!
http://www.securityfocus.com/rss/index.shtml
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Examining a Public Exploit, Part 1
2. Detecting Worms and Abnormal Activities with NetFlow, Part 1
3. Big Brother's Last Mile
4. The Panacea of Information Security
II. LINUX VULNERABILITY SUMMARY
1. PluggedOut Blog Blog_Exec.PHP Cross-Site Scripting Vulnerabi...
2. Linux Kernel Unspecified chown Inode Time Vulnerability
3. Linux Kernel Unspecified Signal Denial Of Service Vulnerabil...
4. Xine-Lib Remote Buffer Overflow Vulnerability
5. Linux Kernel Unspecified USB Vulnerability
6. PluggedOut Blog Calendar Module Cross-Site Scripting Vulnera...
7. GNU CFEngine AuthenticationDialogue Remote Heap Based Buffer...
8. GNU CFEngine AuthenticationDialogue Remote Denial Of Service...
9. KDE Konqueror Cross-Domain Frame Loading Vulnerability
10. KDE Insecure Temporary Directory Symlink Vulnerability
11. KDE DCOPServer Insecure Temporary File Creation Vulnerabilit...
12. Mutt PGP/GnuPG Verified Email Signature Spoofing Vulnerabili...
13. Adobe Acrobat Reader Shell Metacharacter Remote Arbitrary Co...
14. RealNetwork RealPlayer Unspecified Remote Vulnerability
15. Kerio Mailserver Embedded HTTP Server Multiple Unspecified V...
16. Rsync Sanitize_path Function Module Path Escaping Vulnerabil...
17. HanSoft 4tH Unspecified Vulnerability
18. Sympa List Creation Authentication Bypass Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. can Hopster traffic be blocked? (Thread)
2. LIDS 1.2.2rc2 for Linux kernel 2.4.27 released (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Cyber-Ark Inter-Business Vault
2. EnCase Forensic Edition
3. KeyGhost SX
4. SafeKit
5. Astaro Linux Firewall
6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
1. Pads 1.1
2. cenfw 0.3b
3. Firewall Builder 2.0
4. Lepton's Crack 20031130
5. popa3d v0.6.4.1
6. tinysofa enterprise server 2.0-rc1
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Examining a Public Exploit, Part 1
By Don Parker
The purpose of this article is to analyze a public exploit in a lab
environment, see the alerts generated by an intrusion detection system, and
then do some packet analysis of the malicious binary in order to better
understand it.
http://www.securityfocus.com/infocus/1795
2. Detecting Worms and Abnormal Activities with NetFlow, Part 1
By Yiming Gong
This paper discusses the use of NetFlow, a traffic profile monitoring
technology available on many routers, for use in the early detection of
worms, spammers, and other abnormal network activity in large enterprise
networks and service providers.
http://www.securityfocus.com/infocus/1796
3. Big Brother's Last Mile
By Mark Rasch
The FCC's new ruling on broadband wiretaps will force customers to pay for
the privilege of making the Internet less secure.
http://www.securityfocus.com/columnists/261
4. The Panacea of Information Security
By Jason Miller
Step away from all the vendor hype. The one device that will always be the
best tool for information security is a competent security professional.
http://www.securityfocus.com/columnists/260
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. PluggedOut Blog Blog_Exec.PHP Cross-Site Scripting Vulnerabi...
BugTraq ID: 10885
Remote: Yes
Date Published: Aug 07 2004
Relevant URL: http://www.securityfocus.com/bid/10885
Summary:
PluggedOut Blog is reported prone to a cross-site scripting vulnerability.
This could allow for execution of hostile HTML and script code in the web client of a user who visits a malicious link to the vulnerable site. This code execution would occur in the security context of the site hosting the vulnerable software.
Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.
2. Linux Kernel Unspecified chown Inode Time Vulnerability
BugTraq ID: 10887
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10887
Summary:
An unspecified vulnerability has been announced in the Linux Kernel implementation of the chown(2) system call. This issue is related to how inode time data is updated by the system call. The impact is not known at this time, though it is speculated that this could affect system integrity.
3. Linux Kernel Unspecified Signal Denial Of Service Vulnerabil...
BugTraq ID: 10888
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10888
Summary:
An unspecified denial of service vulnerability has been reported to exist in the Linux Kernel. This issue could occur when signals are handled by the kernel. Further details are not available at this time.
4. Xine-Lib Remote Buffer Overflow Vulnerability
BugTraq ID: 10890
Remote: Yes
Date Published: Aug 08 2004
Relevant URL: http://www.securityfocus.com/bid/10890
Summary:
It is reported that the xine media library is affected by a remote buffer overflow vulnerability. This issue can allow a remote attacker to gain unauthorized access to a vulnerable computer.
xine-lib rc-5 and prior versions are reportedly affected by this issue. xine versions 0.99.2 and prior are also vulnerable.
5. Linux Kernel Unspecified USB Vulnerability
BugTraq ID: 10892
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10892
Summary:
The Linux Kernel implementation of USB is reported prone to an unspecified vulnerability. The impact is not known at this time, though it is speculated that this vulnerability could affect system stability.
6. PluggedOut Blog Calendar Module Cross-Site Scripting Vulnera...
BugTraq ID: 10894
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10894
Summary:
The Blog 'calendar' module does not sufficiently sanitize data supplied via URI parameters, making it prone to cross-site scripting attacks. This could allow for execution of hostile HTML and script code in the web client of a user who visits a malicious link to the vulnerable site.
7. GNU CFEngine AuthenticationDialogue Remote Heap Based Buffer...
BugTraq ID: 10899
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10899
Summary:
GNU cfengine cfservd is reported prone to a remote heap-based buffer overrun vulnerability. The vulnerability presents itself in the cfengine cfservd AuthenticationDialogue() function.
The issue exists due to a lack of sufficient boundary checks performed on challenge data that is received from a client.
Because the size of the buffer, the size of data copied in a memcpy() operation, and the data copied are all controlled by the attacker, a remote attacker may likely exploit this condition to corrupt in-line heap based memory management data.
cfservd employs an IP based access control method. This access control must be bypassed prior to exploitation. This may hinder exploitation attempts.
This vulnerability is reported to affect versions 2.0.0 to 2.1.7p1 of cfengine cfservd.
8. GNU CFEngine AuthenticationDialogue Remote Denial Of Service...
BugTraq ID: 10900
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10900
Summary:
GNU cfengine cfservd is reported prone to a remote denial of service vulnerability. The vulnerability presents itself in the cfengine cfservd AuthenticationDialogue() function that is responsible for processing SAUTH commands and also performing RSA based authentication.
The vulnerability presents itself because return values for several statements within the AuthenticationDialogue() function are not checked.
A subsequent memcpy() operation that relies on these unchecked return values will fail, crashing the daemon. A remote attacker may exploit this vulnerability to crash the affected daemon, effectively denying service to legitimate users.
cfservd employs an IP based access control method (AllowConnectionsFrom). This access control must be bypassed prior to exploitation. This may hinder exploitation attempts.
This vulnerability is reported to affect versions 2.0.0 to 2.1.7p1 of cfengine cfservd.
9. KDE Konqueror Cross-Domain Frame Loading Vulnerability
BugTraq ID: 10921
Remote: Yes
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10921
Summary:
Konqueror is reported prone to a cross-domain frame loading vulnerability. It is reported that if the name of a frame rendered in a target site is known, then an attacker may potentially render arbitrary HTML in the frame of the target site.
An attacker may exploit this vulnerability to spoof an interface of a trusted web site.
All versions of KDE up to KDE 3.2.3 are vulnerable to this issue.
10. KDE Insecure Temporary Directory Symlink Vulnerability
BugTraq ID: 10922
Remote: No
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10922
Summary:
KDE is reported to contain a temporary directory symlink vulnerability. This vulnerability is due to improper validation of the ownership of temporary directories.
Local attackers can cause KDE applications to fail, denying service to users, or to overwrite arbitrary files with the privileges of the target user. Privilege escalation may be possible.
Source patches have been made available by KDE to resolve this issue.
11. KDE DCOPServer Insecure Temporary File Creation Vulnerabilit...
BugTraq ID: 10924
Remote: No
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10924
Summary:
KDE's DCOPServer is reported to contain an insecure temporary file creation vulnerability. This is due to the use of the mktemp() function.
Since temporary files are used by the DCOP daemon for authentication purposes, a local attacker may possibly exploit this vulnerability to compromise the account of a targeted user running KDE.
A local attacker may also possibly exploit this vulnerability to execute symbolic link file overwrite attacks. This may allow an attacker to overwrite arbitrary files with the privileges of the targeted user. Privilege escalation may also be possible using this method of attack.
KDE versions from 3.2.0 to 3.2.3 are reported susceptible to this vulnerability.
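Both KDE advisories above (BIDs 10922 and 10924) come down to the same two defensive checks: validate that a temporary directory is really yours before using it, and create temporary files atomically instead of guessing a name with mktemp(). The following is an added example, not KDE's or DCOP's own code; the function names, the `auth-XXXXXX` naming pattern and the demo directory name are constructed for illustration.

```c
/* Added example (not KDE's code): the two checks the KDE advisories above
 * describe as missing. validate_private_dir() refuses a temporary directory
 * that is a symlink, not owned by the caller, or accessible to others;
 * create_private_file() creates a file atomically with mkstemp() instead of
 * guessing a name with mktemp(). Names and paths are constructed. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Return 0 if `dir` is a real directory owned by us with mode 0700 or tighter,
 * -1 otherwise. lstat() (not stat()) is used so a planted symlink is rejected
 * rather than followed. */
int validate_private_dir(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0)
        return -1;                      /* missing: do not trust it */
    if (S_ISLNK(st.st_mode))
        return -1;                      /* symlink planted by another local user */
    if (!S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != getuid())
        return -1;                      /* someone else pre-created it */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return -1;                      /* others could rename or replace entries */
    return 0;
}

/* Create and open a fresh 0600 file under `dir` atomically. Returns the open
 * descriptor (>= 0) and fills `path_out`, or -1 on error. mkstemp() opens with
 * O_CREAT|O_EXCL, so a pre-existing file or symlink at the chosen name makes it
 * pick another name instead of opening whatever the link points at. */
int create_private_file(const char *dir, char *path_out, size_t path_len)
{
    struct stat st;
    int fd;
    if (snprintf(path_out, path_len, "%s/auth-XXXXXX", dir) >= (int)path_len)
        return -1;
    fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    /* Confirm what we opened is our own regular file, readable by us only. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()
        || (st.st_mode & (S_IRWXG | S_IRWXO))) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* Self-test: create a private directory under TMPDIR (or /tmp), validate it,
 * create a file inside it, then clean up. Returns 0 on success. */
int demo_private_tempfile(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[512], file[600];
    int fd;
    if (snprintf(dir, sizeof dir, "%s/kde-demo-XXXXXX", base) >= (int)sizeof dir)
        return -1;
    if (mkdtemp(dir) == NULL)           /* atomic, mode 0700, like mkstemp() */
        return -1;
    if (validate_private_dir(dir) != 0) {
        rmdir(dir);
        return -1;
    }
    fd = create_private_file(dir, file, sizeof file);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    close(fd);
    unlink(file);
    rmdir(dir);
    return 0;
}

int main(void)
{
    printf("%s\n", demo_private_tempfile() == 0 ? "ok" : "failed");
    return 0;
}
```

The ownership and mode checks are what distinguish "the directory exists" from "the directory is safe to use": a world-writable or foreign-owned directory lets another local user rename or replace entries between the check and the use, which is the file-overwrite path the advisories describe.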
12. Mutt PGP/GnuPG Verified Email Signature Spoofing Vulnerabili...
BugTraq ID: 10929
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10929
Summary:
It is reported that Mutt contains a vulnerability that allows attackers to send email that spoofs the look of a successfully verified PGP/GnuPG email message.
An attacker may potentially simulate the look of the PGP/GnuPG output that Mutt usually includes when processing signed email messages. If a user employs Mutt with a specific configuration, the attacker may make email messages look almost identical to a properly signed and verified email.
This may allow an attacker to create a message that falsifies a correctly verified PGP/GnuPG signature. This could allow an attacker to spoof email from trusted sources. This will likely greatly increase the effectiveness of social engineering attacks.
In the index mode, messages with signatures have the 's' flag. Verified signatures change to 'S'. Ensuring that messages have the proper attributes will aid in the mitigation of this vulnerability.
Versions 1.3.28 and 1.5.6 are reported affected by this vulnerability. Other versions are also likely affected.
13. Adobe Acrobat Reader Shell Metacharacter Remote Arbitrary Co...
BugTraq ID: 10931
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10931
Summary:
A remote code execution vulnerability is identified in Adobe Acrobat Reader. This issue may allow an attacker to gain unauthorized access to a vulnerable computer.
Acrobat Reader is affected by a shell metacharacter command execution vulnerability. This issue exists due to insufficient sanitization of user-supplied data by Acrobat Reader for Unix and Linux platforms. Successful exploitation can allow an attacker to use a specially crafted file name to execute arbitrary commands and applications through the shell.
Adobe Acrobat Reader version 5.0 for Unix and Linux platforms is reported vulnerable to this issue. Acrobat Reader for Microsoft Windows platforms is not affected by this issue.
14. RealNetwork RealPlayer Unspecified Remote Vulnerability
BugTraq ID: 10934
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10934
Summary:
It is reported that RealNetwork RealPlayer contains an unspecified vulnerability that allows for execution of arbitrary code in the context of the user running the player.
No further information is available at this time. This BID will be updated as further information is disclosed.
15. Kerio Mailserver Embedded HTTP Server Multiple Unspecified V...
BugTraq ID: 10936
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10936
Summary:
Kerio MailServer version 6.0.1 has been released. This release addresses various unspecified security vulnerabilities in the embedded HTTP server implemented with the Kerio MailServer application. The cause and impact of these issues is currently unknown.
All versions of Kerio MailServer prior to 6.0.1 are considered vulnerable.
16. Rsync Sanitize_path Function Module Path Escaping Vulnerabil...
BugTraq ID: 10938
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10938
Summary:
If an rsync server is installed as a daemon with a read/write enabled module without using the 'chroot' option, it is possible that a remote attacker could read/write files outside of the configured module path. Rsync does not properly sanitize the paths when not running with chroot. The problem exists in the 'sanitize_path' function.
This could potentially be exploited to execute arbitrary code by corrupting or placing arbitrary files on the system. Destruction of data could also result, possibly causing a denial of service condition. Other attacks could also occur, depending on the attacker's motives.
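The rsync advisory above describes a path sanitizer that lets client-supplied paths climb out of the module root when the daemon is not chrooted. As an added example (not rsync's own sanitize_path code; function names and the sample module root are constructed), here is a lexical sanitizer that strips leading slashes, ignores "." components, and lets ".." pop components only as far back as the module root, never past it:

```c
/* Added example, not rsync's own code: a lexical "sanitize_path" of the kind
 * that confines a client-supplied path to a module root when no chroot is
 * available. Function and sample names are constructed for this example. */
#include <stdio.h>
#include <string.h>

/* Normalize `in` into `out` (capacity outlen): strip leading slashes, drop
 * empty and "." components, and let ".." pop at most back to the module root.
 * Returns 0 on success, -1 if the result would not fit in `out`. */
int sanitize_path(const char *in, char *out, size_t outlen)
{
    size_t used = 0;                    /* bytes written so far, no trailing '/' */
    const char *p = in;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*p) {
        const char *start;
        size_t len;
        while (*p == '/')               /* skip separators, including leading '/' */
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && *p != '/')
            p++;
        len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;                   /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            /* pop the last component, if any; at the root this is a no-op,
             * so ".." can never take the path above the module root */
            while (used > 0 && out[used - 1] != '/')
                used--;
            if (used > 0)
                used--;                 /* drop the separator as well */
            out[used] = '\0';
            continue;
        }
        if (used + (used ? 1 : 0) + len + 1 > outlen)
            return -1;
        if (used)
            out[used++] = '/';
        memcpy(out + used, start, len);
        used += len;
        out[used] = '\0';
    }
    return 0;
}

/* Join a module root with a sanitized client path. Returns 0 on success. */
int module_path(const char *root, const char *client, char *out, size_t outlen)
{
    char rel[1024];
    if (sanitize_path(client, rel, sizeof rel) != 0)
        return -1;
    if (snprintf(out, outlen, "%s/%s", root, rel) >= (int)outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* constructed sample inputs, including traversal attempts the sanitizer must clamp */
    const char *samples[] = { "../../etc/passwd", "a/b/../c", "/a//./b/", "a/../..", ".." };
    char out[1024];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (module_path("/srv/rsync/module", samples[i], out, sizeof out) == 0)
            printf("%-20s -> %s\n", samples[i], out);
    }
    return 0;
}
```

A lexical check like this only reasons about the string; a symbolic link inside the module that points outside it is still followed by the kernel. That is why the advisory singles out running without the chroot option: with the daemon chrooted into the module, the kernel enforces the boundary regardless of how a path was spelled.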
17. HanSoft 4tH Unspecified Vulnerability
BugTraq ID: 10939
Remote: Unknown
Date Published: Aug 13 2004
Relevant URL: http://www.securityfocus.com/bid/10939
Summary:
An unspecified vulnerability is reported in the HanSoft 4tH compiler.
This vulnerability is reported to be fixed in version 3.4e-pre4.
No further information was reported. This BID will be updated as new information is disclosed.
18. Sympa List Creation Authentication Bypass Vulnerability
BugTraq ID: 10941
Remote: Yes
Date Published: Aug 13 2004
Relevant URL: http://www.securityfocus.com/bid/10941
Summary:
Sympa is reported to be prone to an authentication bypass vulnerability when creating new mailing lists.
This vulnerability presents itself upon creating a new mailing list. The list master approval process could reportedly be skipped by an attacker.
An attacker may exploit this issue to create unauthorized mailing lists. This may possibly be used to forward UCE messages, or possibly other attacks.
Versions prior to 4.1.2 are reportedly affected by this vulnerability.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. can Hopster traffic be blocked? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/371590
2. LIDS 1.2.2rc2 for Linux kernel 2.4.27 released (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/371540
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:
Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business Vault is an information security solution that enables organizations to safely overcome traditional network boundaries in order to securely share business information among customers, business partners, and remote branches. It provides a seamless, LAN-like experience over the Internet that includes all the security, performance, accessibility, and ease of administration required to allow organizations to share everyday information worldwide. To learn more about these core attributes of the Inter-Business Vault, see the relevant URL above.
2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features for computer forensics and investigations. With an intuitive GUI and superior performance, EnCase Version 4 provides investigators with the tools to conduct large-scale and complex investigations with accuracy and efficiency. Guidance Software's award winning solution yields completely non-invasive computer forensic investigations while allowing examiners to easily manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack and unallocated space.
The integrated functionality of EnCase allows the examiner to perform all functions of the computer forensic investigation process. EnCase's EnScript, a powerful macro-programming language and API included within EnCase, allows investigators to build customized and reusable forensic scripts.
3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed, including chat conversations, email, word processor, or even activity within an accounting or specialist system. It is completely undetectable by software scanners and provides you with one of the most powerful stealth surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data in its own internal memory (not on the hard drive), it is impossible for a network intruder to gain access to any sensitive data stored within the device.
4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any application available 24 hours per day. With no extra hardware: just use your existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to do is add more standard servers into the cluster. With the load balancing features of SafeKit, you can distribute applications over multiple servers. If one system fails completely, the others will continue to serve your users.
5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:
Astaro Linux Firewall: All-in-one firewall, virus protection, content filtering and spam protection internet security software package for Linux.
Free download for home users.
6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary:
Low cost, easy to use Two Factor Authentication One Time Password token using the cellular phone. Does not use SMS or any communication channel, and manages multiple OTP accounts - new technology. For any business that wants safer access to its Internet Services. More information at our site.
We also provide an eAuthentication service for businesses that will not buy an Authentication product but would prefer to pay a monthly charge for authentication services from our CAT Server.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Pads 1.1
By: Matt Shelton
Relevant URL: http://freshmeat.net/projects/pads/?branch_id=52504&release_id=169973
Platforms: Linux
Summary:
Pads (Passive Asset Detection System) is a signature-based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing context to IDS alerts.
2. cenfw 0.3b
By: Peter Robinson
Relevant URL: http://www.securegateway.org
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Summary:
The Centron IPTables Firewall Gui is an object oriented, database driven, windows interface to linux IPtables firewall rules.
3. Firewall Builder 2.0
By: Vadim Kurland
Relevant URL: http://www.fwbuilder.org/
Platforms: FreeBSD, Linux, MacOS, Solaris, Windows 2000, Windows XP
Summary:
Firewall Builder consists of a GUI and set of policy compilers for various firewall platforms. It helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations. The GUI and policy compilers are completely independent, and support for a new firewall platform can be added to the GUI without any changes to the program (only a new policy compiler is needed). This provides for a consistent abstract model and the same GUI for different firewall platforms. It currently supports iptables, ipfilter, and OpenBSD pf.
4. Lepton's Crack 20031130
By: Lepton and Nekromancer
Relevant URL: http://www.nestonline.com/lcrack/lcrack-20031130-beta.zip
Platforms: Linux, MacOS, Os Independent, UNIX, Windows 2000, Windows NT, Windows XP
Summary:
Lepton's Crack is a generic password cracker. It is easily-customizable with a simple plugin system and allows system administrators to review the quality of the passwords being used on their systems. It can perform a dictionary-based (wordlist) attack as well as a brute force (incremental) password scan. It supports standard MD4 hash, standard MD5 hash, NT MD4/Unicode, Lotus Domino HTTP password (R4), and SHA-1 hash formats. LM (LAN Manager) plus appending and prepending
5. popa3d v0.6.4.1
By: Solar Designer, solar (at) openwall (dot) com [email concealed]
Relevant URL: http://www.openwall.com/popa3d/
Platforms: Linux, Solaris
Summary:
popa3d is a POP3 daemon which attempts to be extremely secure, reliable, RFC compliant, and fast (in that order).
6. tinysofa enterprise server 2.0-rc1
By: Omar Kilani
Relevant URL: http://www.tinysofa.org
Platforms: Linux, POSIX
Summary:
tinysofa enterprise server is a secure, server-targeted, enterprise-grade operating system. It is based on Trustix Secure Linux and includes a complete distribution port to Python 2.3 and RPM 4.2, an overhauled PAM authentication system providing system-wide authentication configuration, the latest upstream packages, the replacement of ncftp with lftp, the addition of gdb and screen, feature additions to the swup updater that provide multiple configuration file support, user login FTP support, enable/disable support, variable expansion support (allows multiple architectures), and many enhancements.
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to linux-secnews-unsubscribe (at) securityfocus (dot) com [email concealed] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.
If your email address has changed email listadmin (at) securityfocus (dot) com [email concealed] and ask to be manually removed.
VII. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SecurityFocus
http://www.securityfocus.com/rss/index.shtml
------------------------------------------------------------------------