SecurityFocus News
SecurityFocus Newsletter #171 Nov 18 2002 05:13PM
John Boletta (jboletta securityfocus com)

SecurityFocus Newsletter #171
-----------------------------

This Issue is Sponsored By: Qualys

-------------------------------------------------------------------------------

I. FRONT AND CENTER
1. Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
2. .NET/MSIL malicious code and AV/heuristic Engines
3. Locking Down the Pop-up Perps
4. Maintaining Credible IIS Log Files
5. Back to the Insecure Future
6. SecurityFocus DPP Program
7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. BUGTRAQ SUMMARY
1. PADL Software nss_ldap DNS Query Response Denial of Service...
2. Microsoft JVM Passed HTML Object Reference Denial Of Service...
3. Perception LiteServe DNS Wildcard Cross Site Scripting...
4. Microsoft JVM Class Loader Buffer Overrun Vulnerability
5. Microsoft JVM Codebase Information Disclosure Vulnerability
6. Microsoft JVM Unauthorized Clipboard Access Vulnerability
7. Microsoft JVM Package Access Restriction Bypassing Vulnerability
8. Microsoft JVM CAB File Loading Vulnerability
9. Microsoft JVM Information Disclosure Vulnerability
10. Microsoft JVM HTML Applet Tag Class Restriction Bypass...
11. Microsoft JVM URI Parsing Vulnerability
12. Microsoft JVM INativeServices Unauthorized Memory Access...
13. Perception LiteServe Directory Query String Cross Site...
14. Zeus Web Server Admin Interface Cross Site Scripting...
15. Simple Web Server File Disclosure Vulnerability
16. QNX RTOS Application Packager Non-Explicit Path Execution...
17. Sun Solaris Network Interface Denial Of Service Vulnerability
18. MailScanner Attachment Filename Validation Vulnerability
19. CVSup-Mirror Insecure Temporary Files Vulnerability
20. Incognito Systems ISMTP Gateway Buffer Overflow Vulnerability
21. KGPG Key Generation Empty Passphrase Vulnerability
22. EZ Systems HTTPBench Information Disclosure Vulnerability
23. Novell Netware eMFrame iManage Buffer Overflow Vulnerability
24. Hotfoon Dialer Plain Text Password Storage Vulnerability
25. Hotfoon Dialer Buffer Overflow Vulnerability
26. KDE Network RESLISA Buffer Overflow Vulnerability
27. ISC BIND 8 Invalid Expiry Time Denial Of Service Vulnerability
28. ISC BIND OPT Record Large UDP Denial of Service Vulnerability
29. ISC BIND SIG Cached Resource Record Buffer Overflow Vulnerability
30. Novell eDirectory Expired Password Vulnerability
31. Light HTTPD GET Request Buffer Overflow Vulnerability
32. TinyHTTPD Directory Traversal Vulnerability
33. MasqMail Buffer Overflow Vulnerability
34. Xoops WebChat Module Remote SQL Injection Vulnerability
35. Traceroute-nanog Local Buffer Overflow Vulnerability
36. APBoard Protected Forum Thread Posting Vulnerability
38. W3Mail File Disclosure Vulnerability
39. TCPDump / LIBPCap Trojan Horse Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
1. Accused Pentagon Hacker's Online Life
2. US gov's 'ultimate database' run by a felon
3. Security concerns hinder remote access
4. When firewalls and intrusion detection just aren't enough
IV. SECURITYFOCUS TOP 6 TOOLS
1. shell watchdog v1.1 (dev)
2. Fast OnlineUpdate for SuSE v0.8.1
3. RSA implementation in Haskell v1.0.0
4. Safer Password Generator
5. NetSplitter v20021112
6. KPassCard v0.1.1
V. SECURITYJOBS LIST SUMMARY
1. CISSP, INFOSEC Engineer Seeking Security Position in...
2. Houston, Texas, CISSP, Web Security Specialist, Attack &...
3. Network Security Engineer - Boston North - KCMO relocation...
4. AVAYA Security Consulting Positions in So. Cal, Silicon...
5. AVAYA Security Manager Position / Western Europe (Thread)
6. Security Sales Evangelist - Boston (Northeast), Atlanta...
7. Incident Response/Security position available in Denver metro...
VI. INCIDENTS LIST SUMMARY
1. Unicode Attack (Thread)
2. Yahoo Messenger Stale Sessions (Thread)
3. Unicode Attack (FOLLOW UP) (Thread)
4. Port 5552? (Thread)
5. scans on port 57 (Thread)
6. new version of aris analyzer? (Thread)
7. ano (at) ano (dot) com ftpd dip.t-dialin.net (Thread)
8. 030 igetnet ignkeywords (Thread)
9. Ip spoof from 0.0.0.0 (Thread)
10. IIS and leech (Thread)
11. 030 ignkeywords igetnet follow up (Thread)
12. Quick question re FTP activity (Thread)
13. 030.com (Thread)
14. What's up with 3014/tcp? (Thread)
15. Ip spoof from 0.0.0.0 (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. shell script cgi (Thread)
2. ColdFusion Heap Overflow (Thread)
3. PHP (Thread)
4. BIND Exploits (Thread)
5. Exploitable pine heap overflow ( Remote pine Denial of Service)...
VIII. MICROSOFT FOCUS LIST SUMMARY
1. Unknown workgroup in Microsoft Windows Network (Thread)
2. Local security settings in W2k adv server causes problems (Thread)
3. Active Directory network security (Thread)
4. Tools (Thread)
5. RES: Tools (Thread)
6. SecurityFocus Microsoft Newsletter #112 (Thread)
7. Win 2000 password Complexity Requirements (Thread)
8. Win 2000 passsword Complexity Requirements (Thread)
9. IIS 5 and client certificates (Thread)
IX. SUN FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 11.15.02
X. LINUX FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 11.15.02
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
By Joe Stewart

In a previous SecurityFocus article, the author described the tools and
processes involved in basic reverse engineering of a simple trojan. This
article will offer a more detailed examination of the reversing process,
using a trojan found in the wild, and focusing on techniques for reversing
Windows-native code entirely under Linux.

http://online.securityfocus.com/infocus/1641

2. .NET/MSIL malicious code and AV/heuristic Engines
By Markus Schmall

While the Windows .NET strategy incorporates numerous aspects, this
article will focus on what aspects to cover in developing an AV/heuristic
engine for this new platform. Specifically, it will address the additions
introduced by .NET technologies to standard Windows PE (portable
executable) file format and how that will affect the development of an
effective heuristic engine. It will also briefly discuss the existing
malicious codes for the .NET environment.

http://online.securityfocus.com/infocus/1642

3. Locking Down the Pop-up Perps
By Mark Rasch

Pop-up ads have already inspired civil lawsuits. Here's how federal
computer crime law and the USA-PATRIOT Act could put obnoxious advertisers
in the pokey ...

http://online.securityfocus.com/columnists/124

4. Maintaining Credible IIS Log Files
By Mark Burnett

Many network administrators by now have encountered serious Web server
intrusions that have resulted in legal action. Often IIS logs are the
primary evidence used to track down Web intruders. But what would happen
if the credibility of your IIS logs was challenged in court? What if the
defense claimed the logs were not reliable enough to be admissible as
evidence?

http://online.securityfocus.com/infocus/1639

5. Back to the Insecure Future
By Richard Forno

Web services, such as Microsoft's .NET platform, represent a return to
centralized computing. They also pose some serious security issues.

http://online.securityfocus.com/columnists/123

6. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY
-------------------
1. PADL Software nss_ldap DNS Query Response Denial of Service Vulnerability
BugTraq ID: 6130
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6130
Summary:

nss_ldap is a module offered by Padl Software that allows a system to use
LDAP directories as the source of information for user attributes and
related data.

A vulnerability has been discovered in nss_ldap related to the handling of
DNS queries.

It has been reported that nss_ldap fails to verify whether data returned
in DNS query responses has been truncated by resolver libraries. When
processing a DNS query response containing truncated data, nss_ldap will
attempt to parse more data than is available. This could cause the
nss_ldap process to crash.

It is unlikely that this is exploitable to execute arbitrary code; however,
this is not confirmed.

2. Microsoft JVM Passed HTML Object Reference Denial Of Service Vulnerability
BugTraq ID: 6135
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6135
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.

A vulnerability has been reported in Microsoft JVM that may lead to a
denial of service in Microsoft Internet Explorer.

This problem occurs when references of HTML objects are passed to Java
applets via JavaScript. Applets may potentially invoke methods of
proprietary Microsoft interfaces. In some cases, when an HTML object is
passed to a Java applet which invokes a method of one of these proprietary
interfaces, illegal memory access will occur. This will cause the web
browser to crash.

It is theoretically possible that this problem may be an exploitable
memory corruption vulnerability which may allow arbitrary code execution.
This possibility has not been confirmed.

This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.

3. Perception LiteServe DNS Wildcard Cross Site Scripting Vulnerability
BugTraq ID: 6131
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6131
Summary:

Perception LiteServe is a commercial e-mail, web, and FTP server for
Microsoft Windows operating systems.

A cross site scripting vulnerability has been discovered in LiteServe.

It should be noted that this vulnerability is limited to server
configurations with Wildcard DNS enabled.

It has been reported that LiteServe fails to sanitize requests containing
encoded HTML and script code as the hostname when Wildcard DNS is used.
Requests of this nature will be rejected by the server, effectively
returning the request to the sender, without sanitizing the contents of
the request.

This issue may allow an attacker to create a malicious link containing
encoded HTML and script code in the requested hostname. When the malicious
link is clicked by an unsuspecting user, the attacker-supplied HTML and
script code will be executed by their web client.

Attacks of this nature may make it possible for attackers to manipulate
web content or to steal cookie-based authentication credentials. It may be
possible to take arbitrary actions as the victim user.

This issue was reported in LiteServe v2.01. It is not yet known whether
earlier versions are affected by this issue.

4. Microsoft JVM Class Loader Buffer Overrun Vulnerability
BugTraq ID: 6134
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6134
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.

Details of a vulnerability in Microsoft JVM have been published.
According to the report, a buffer overrun condition is present in the
class loader. It may be triggered by attempting to load a class with a
name of excessive length. At the very least, attackers may crash victim
browsers when the condition occurs.

This vulnerability may be exploited by malicious webmasters who construct
a Java applet designed to do so. It is not confirmed whether this may be
exploited to execute attacker-supplied instructions or not. It should be
assumed that this is possible.

This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.

5. Microsoft JVM Codebase Information Disclosure Vulnerability
BugTraq ID: 6138
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6138
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer. A vulnerability has been discovered in the Microsoft
Java Virtual Machine.

By including a codebase of 'file://%00' in the applet tag of a malicious
Java applet, it is possible to gain local read access to all local files
on a target system. If the applet is loaded from a publicly readable
network share, it is possible to list directory contents on a target
system.

By gaining local read access to a target system, it may be possible for a
remote attacker to disclose sensitive information, including cookie-based
credentials and passwords. Information gathered through this technique may
be used by an attacker to launch further attacks against a target
system.

This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.

6. Microsoft JVM Unauthorized Clipboard Access Vulnerability
BugTraq ID: 6132
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6132
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer. A vulnerability has been discovered in Microsoft's
implementation of the Java Virtual Machine (JVM).

By implementing the 'INativeServices' class, ClipBoardGetText() and
ClipBoardSetText() methods into a malicious Java applet, it is possible
for a remote attacker to access and modify the contents of a target user's
clipboard. The methods must be called indirectly through the
java.lang.reflect.* package.

Exploiting this vulnerability may allow a remote attacker to read and
potentially corrupt sensitive information stored in a user's clipboard,
which could be used to launch further attacks against target systems.

This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.

7. Microsoft JVM Package Access Restriction Bypassing Vulnerability
BugTraq ID: 6133
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6133
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.

The JVM includes a class named com.ms.security.StandardSecurityManager
which can be extended by any applet. This class contains two protected
static fields named deniedDefinitionPackages and deniedAccessPackages.
These fields contain package access restrictions.

The package access restrictions set in these two fields can be altered or
emptied, allowing any applet to bypass the set restrictions.

These restrictions originate from the registry and are not implemented by
default.

This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.

8. Microsoft JVM CAB File Loading Vulnerability
BugTraq ID: 6137
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6137
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.

The JVM contains a class named com.ms.vm.loader.CabCracker. This class
contains a load() method that can be used to load CAB archives from the
local drive. This method performs security checks and queries the user
for permission to access the CAB file from the hard drive. The method
then calls load0() to load the archive from disk.

The load0() method is declared public, which allows any applet to call the
method directly, bypassing the security checks performed by the load()
method.

This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.

9. Microsoft JVM Information Disclosure Vulnerability
BugTraq ID: 6139
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6139
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.

Due to insufficient access validation, the JVM may allow applets to
retrieve sensitive information.

By calling new File(".").getAbsolutePath(), the applet may retrieve the
path to the current Internet Explorer directory. On multiuser operating
systems such as Windows NT/2000/XP, this path may also include the current
username.

This information could be used by an attacker to mount further attacks
against the system.

This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.

10. Microsoft JVM HTML Applet Tag Class Restriction Bypass Vulnerability
BugTraq ID: 6136
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6136
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.

A vulnerability has been reported in Microsoft JVM that may lead to a
denial of service in Microsoft Internet Explorer.

It is possible to abuse the HTML <applet> tag to bypass Java class
restrictions. Class objects may be instantiated using the HTML <applet>
tag, and since this is not expected by the browser when some native
methods are used, this may crash the browser.

It is theoretically possible that this problem may be an exploitable
memory corruption vulnerability which may allow arbitrary code execution.
This possibility has not been confirmed.

This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.

11. Microsoft JVM URI Parsing Vulnerability
BugTraq ID: 6142
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6142
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.

Details of a vulnerability in the Microsoft JVM have been published. The
vulnerability is in the parsing of the location URI string and may result
in an applet being retrieved from an attacker-specified location rather
than that of the document it is embedded in. This may result in a
malicious applet having access to the DOM of the target location. The
applet may retrieve cookie values or manipulate web content.

According to the report, the Microsoft JVM can be fooled into believing
that the HTTP username component of an HTTP URI is the domain. This
allegedly occurs when a colon character is present in the URI that would
normally, when it is in the correct location in the URI string, indicate
the listening port of the server. If the attacker constructs an HTTP URI
with an HTTP username component containing a location and the port, the
Microsoft engine will use that value incorrectly as the document location.
Such a URI may look like:

http://www.attackersite.tld:80@www.realsite.tld
       ^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^
       HTTP Auth               Actual domain
       Username/Password

In this example, if the document served by the server 'www.realsite.tld'
has an embedded applet the Java engine will retrieve it from
'www.attackersite.tld'. The consequences of this are significant. An
attacker may place a rogue applet on a server under their control
('www.attackersite.tld') with the same class name. When invoked, this
applet will have access to the DOM of the document from
'www.realsite.tld'. The applet may then retrieve cookie values or
otherwise access/manipulate the contents of the document.

This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
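
The authority confusion described in item 11, as an added example that is not part of the original newsletter: a reference parse that ends the userinfo at '@' next to a model of the "first colon ends the host" logic the report alleges, plus a check a proxy or link filter could apply. naive_host(), audit() and the sample URIs are hypothetical names and constructed inputs; the model is an assumption about the flaw, not Microsoft's code.

```python
import re
from urllib.parse import urlsplit

# A string shaped like a DNS name (labels separated by dots, alphabetic TLD).
_HOSTLIKE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def naive_host(uri):
    """Model of the flawed logic the report describes (an assumption):
    everything in the authority before the first ':' is taken as the host,
    so a 'host:port' placed in the userinfo wins."""
    authority = uri.split("://", 1)[1].split("/", 1)[0]
    return authority.split(":", 1)[0].lower()


def audit(uri):
    """Parse the URI with generic URI rules and classify its userinfo.

    Verdicts:
      ok                - no userinfo component at all
      userinfo-present  - credentials in the URI, but not host-shaped
      host-in-userinfo  - the username is shaped like a hostname, which is
                          the pattern item 11 describes
    """
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()   # text after the last '@'
    user = parts.username or ""             # userinfo text before its ':'

    if "@" not in parts.netloc:
        verdict = "ok"
    elif _HOSTLIKE.match(user):
        verdict = "host-in-userinfo"
    else:
        verdict = "userinfo-present"

    naive = naive_host(uri)
    return {
        "host": host,
        "naive_host": naive,
        "parsers_agree": naive == host,
        "verdict": verdict,
    }


# Constructed sample inputs (the first is the URI shape shown in the summary).
SAMPLES = [
    "http://www.attackersite.tld:80@www.realsite.tld/page.html",
    "http://www.realsite.tld:8080/app/",
    "http://alice:secret@www.realsite.tld/",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        result = audit(uri)
        print(f"{result['verdict']:17} host={result['host']:18} "
              f"naive={result['naive_host']:22} {uri}")
```

Any URI for which the two parsers disagree on the host is worth rejecting or logging, since components that decide origin differently cannot enforce the same policy.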

12. Microsoft JVM INativeServices Unauthorized Memory Access Vulnerability
BugTraq ID: 6140
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6140
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.

INativeServices methods accept memory addresses as parameters. Due to
insufficient checking of these values, it may be possible to pass invalid
memory addresses and cause a denial of service.

Additionally, the pGetFontEnumeratedFamily() methods may also be invoked
to read memory via INativeServices methods. This may lead to disclosure
of various types of sensitive information such as websites visited,
cookies, and filesystem information such as the location of the cache
directory.

Exploitation of this vulnerability may facilitate other attacks,
potentially leading to further information disclosure or execution of
malicious code.

It is possible for a Java applet to access INativeServices methods
directly via other methods such as SystemX.getNativeServices().
Indirectly, the INativeServices methods may be accessed through the
java.lang.reflect.* methods.

This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.

13. Perception LiteServe Directory Query String Cross Site Scripting Vulnerability
BugTraq ID: 6143
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6143
Summary:

Perception LiteServe is a commercial e-mail, web, and FTP server for
Microsoft Windows operating systems.

A cross site scripting vulnerability has been discovered in LiteServe.

It has been reported that LiteServe fails to sanitize query strings from
indexed folders. By constructing a malicious link containing encoded HTML
and script code in the 'dir' variable, it is possible to execute the
script code within the context of a victim's web browser.

Attacks of this nature may make it possible for attackers to manipulate
web content or to steal cookie-based authentication credentials. It may be
possible to take arbitrary actions as the victim user.

14. Zeus Web Server Admin Interface Cross Site Scripting Vulnerability
BugTraq ID: 6144
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6144
Summary:

Zeus Web Server is a proprietary webserver for Unix, Linux, Sun, BSD,
HP-UX, and Apple OS X platforms.

The web based administration interface included in Zeus Web Server is
vulnerable to cross site scripting attacks. Due to insufficient
sanitization of user-supplied input it is possible for an attacker to
construct a malicious link which contains arbitrary HTML and script code.
Attacker-supplied HTML and script code may be executed on a web client
visiting the malicious link in the context of the vulnerable server.

Attacks of this nature may make it possible for attackers to steal
cookie-based authentication credentials.

It is important to note that the user must supply a username and password
for the administrative interface before the script will execute. This
also compounds the problem, since it is now likely that an attacker
exploiting this vulnerability may be able to steal the administrative
user's credentials.

15. Simple Web Server File Disclosure Vulnerability
BugTraq ID: 6145
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6145
Summary:

Simple Web Server is a simple lightweight webserver available for the
Linux platform.

It has been reported that Simple Web Server does not properly sanitize web
requests. By sending a malicious web request to the vulnerable server,
containing a slash-slash sequence ('//'), it is possible for a remote
attacker to disclose files, effectively bypassing any access control
measures in place.

Disclosure of sensitive files may aid the attacker in launching further
attacks against the target system.

16. QNX RTOS Application Packager Non-Explicit Path Execution Vulnerability
BugTraq ID: 6146
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6146
Summary:

QNX RTOS is a real-time operating system designed for use on embedded
systems. It is distributed and maintained by QNX.

A vulnerability has been discovered in an application packager shipped
with QNX. It should be noted that the vulnerable packager is setuid root
by default.

It has been reported that the application packager calls the 'cp' command,
without using the program's absolute path. By modifying the PATH
environment variable, it is possible for a local attacker to trick the
vulnerable program into running a trojaned program, containing arbitrary
system commands.

Successful exploitation of this vulnerability could result in an
unauthorized local attacker gaining root access to the target system.

17. Sun Solaris Network Interface Denial Of Service Vulnerability
BugTraq ID: 6147
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6147
Summary:

Sun has reported a denial of service vulnerability in Solaris 8/9.

It has been reported that it is possible for an unprivileged local or
remote attacker to cause some network interfaces to stop responding to TCP
traffic.

If this condition is exploited, then the affected network interfaces must
be manually brought back up for normal functionality to resume.

Further details about the nature of this vulnerability are not known at
this time. This record will be updated if further details become
available.

18. MailScanner Attachment Filename Validation Vulnerability
BugTraq ID: 6148
Remote: Yes
Date Published: Nov 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6148
Summary:

MailScanner is an e-mail security product. It is designed to be deployed
on gateway systems and provides the ability to detect e-mail based attacks
such as viruses. It will run on Unix and Linux variants and provides
support for a number of anti-virus products.

A vulnerability has been reported in how MailScanner handles filenames for
attachments. MailScanner does not sufficiently validate certain types of
malformed filenames.

It may be possible to bypass MailScanner security with attachment
filenames that contain excessive trailing/leading whitespace, are blank,
or use character encodings that are unknown to MailScanner.

The exact consequences of this vulnerability are not known, but it is
possible that some attachments with malicious filenames may slip through
MailScanner or that a malformed filename may cause other aspects of
MailScanner to fail.

19. CVSup-Mirror Insecure Temporary Files Vulnerability
BugTraq ID: 6150
Remote: No
Date Published: Nov 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6150
Summary:

cvsup-mirror is included in the FreeBSD ports collection and is intended
to be used in combination with cvsup to create easily maintainable FreeBSD
mirrors.

cvsup-mirror is prone to a vulnerability which may enable local attackers
to corrupt critical system files.

This issue is present in the 'cvsupd.sh' shell script. The source of this
issue is that 'cvsupd.sh' creates temporary files in a directory which
malicious local users may potentially have access to.

The vulnerable shell script creates a file entitled 'cvsupd.out' in the
/var/tmp/ directory. A local attacker could create a symbolic link in
/var/tmp with the same name, pointing to critical system files. Any
actions performed by cvsup-mirror on 'cvsupd.out' will instead be
performed on files pointed to by the symbolic link. Files that are
writeable by the user running the vulnerable software may be overwritten
in this manner.

This may result in a denial of service if critical files are overwritten,
and may potentially allow for privilege escalation.
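
The symlink problem described in item 19, as an added example that is not part of the original newsletter or of cvsup-mirror: a predictable-name write that follows a planted link, next to two safer ways to create the file. It runs entirely inside a throwaway directory standing in for /var/tmp; the function names, the stand-in "critical" file and the assumption that the script writes by plain open/redirect are all hypothetical.

```python
import os
import stat
import tempfile

LOG_NAME = "cvsupd.out"  # file name taken from the advisory


def unsafe_write(path, data):
    """Predictable-name write (assumed form of the script's behaviour):
    open() follows symlinks and truncates whatever the link points to."""
    with open(path, "w") as fh:
        fh.write(data)


def exclusive_write(path, data):
    """Create the file only if the name is unused. O_EXCL makes the call
    fail if anything, including a dangling symlink, already has the name."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def private_write(data):
    """Preferred fix: an unpredictable name inside a directory only the
    owner can enter, so other local users cannot plant a link at all."""
    workdir = tempfile.mkdtemp(prefix="cvsupd.")          # mode 0700
    fd, path = tempfile.mkstemp(dir=workdir, suffix=".out")  # mode 0600
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Run all three writers against a planted link and report the outcome."""
    original = "ORIGINAL CONTENT\n"
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "var_tmp")        # stand-in for /var/tmp
        os.mkdir(shared)
        victim = os.path.join(root, "critical.conf")  # stand-in system file
        link = os.path.join(shared, LOG_NAME)

        def reset_victim():
            with open(victim, "w") as fh:
                fh.write(original)

        def victim_text():
            with open(victim) as fh:
                return fh.read()

        # Another local user has pre-created cvsupd.out as a link.
        reset_victim()
        os.symlink(victim, link)

        unsafe_write(link, "cvsupd log line\n")
        clobbered = victim_text() != original

        reset_victim()
        try:
            exclusive_write(link, "cvsupd log line\n")
            refused = False
        except FileExistsError:
            refused = True
        intact = victim_text() == original

    path = private_write("cvsupd log line\n")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.remove(path)
    os.rmdir(os.path.dirname(path))

    return {
        "unsafe_clobbered_victim": clobbered,
        "safe_refused": refused,
        "victim_intact_after_safe": intact,
        "private_mode": mode,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```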

20. Incognito Systems ISMTP Gateway Buffer Overflow Vulnerability
BugTraq ID: 6151
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6151
Summary:

iSMTP Gateway is a Mail Gateway system developed by Incognito Systems for
use with Banyan VINES Intelligent Messaging users. It is available only
for the Banyan VINES operating system.

A buffer overflow vulnerability has been reported for iSMTP Gateway. The
vulnerability occurs due to inappropriate bounds checking when processing
user-supplied input. Specifically, the vulnerability is a result of
processing the 'MAIL FROM:' command.

An attacker can exploit this vulnerability by sending an overly long 'MAIL
FROM:' command consisting of about 4000 characters. When the system
receives this input it will crash.

As this vulnerability is due to a buffer overflow, it is probable that
code execution may be possible. This, however, has not been confirmed.

This vulnerability was reported for Incognito Software Inc iSMTP Gateway
5.0.1.

21. KGPG Key Generation Empty Passphrase Vulnerability
BugTraq ID: 6152
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6152
Summary:

KGPG is a KDE graphical front-end for GPG (GNU Privacy Guard). It is
designed for use with the KDE Desktop Environment and GPG. It is available
for Unix and Linux variant operating systems.

A vulnerability has been reported for KGPG. Reportedly, KGPG generates
secret keys in an unsafe manner. The vulnerability is the result of how
KGPG sends command line arguments to GPG. The vulnerability occurs when
keys are generated using the key generation graphical wizard. All keys
generated using the wizard will have an empty passphrase.

An attacker can exploit this vulnerability to obtain access to some
potentially sensitive information.

This vulnerability was reported for KGPG versions 0.6 to 0.8.2.

22. EZ Systems HTTPBench Information Disclosure Vulnerability
BugTraq ID: 6153
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6153
Summary:

eZ Systems httpbench is a benchmarking utility implemented in PHP. It is
available for Unix and Linux variant as well as Microsoft Windows
operating environments.

An information disclosure vulnerability has been reported for httpbench.
Reportedly, httpbench may disclose the contents of web server readable
files to remote attackers.

This vulnerability can be exploited by a remote attacker to obtain
potentially sensitive information on a vulnerable system. Information
obtained in this manner may be used to launch further, destructive attacks
against a vulnerable system.

This vulnerability was reported for httpbench 1.1. It is not known whether
other versions are affected.

23. Novell Netware eMFrame iManage Buffer Overflow Vulnerability
BugTraq ID: 6154
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6154
Summary:

Novell Netware eMFrame is a web-based application that provides a facility
for role-based management of Novell eDirectory. iManage is a feature of
eMFrame which enables remote management of Netware from the web and
wireless devices.

A buffer overflow vulnerability has been reported for eMFrame. The
vulnerability occurs due to inadequate bounds checking when authenticating
against the system. Specifically, the vulnerability occurs when processing
the DN (Distinguished Name) value supplied by users when authenticating.

If a DN attribute of greater than 256 characters is supplied by the user,
it will cause eMFrame to terminate resulting in a denial of service.

This vulnerability affects eMFrame prior to 1.5.

24. Hotfoon Dialer Plain Text Password Storage Vulnerability
BugTraq ID: 6155
Remote: No
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6155
Summary:

Hotfoon provides PC to Phone services accessible by using its client
program, Hotfoon4.exe.

A problem with Hotfoon4.exe has been discovered that may allow an attacker
to gain access to authentication credentials.

It has been reported that Hotfoon4.exe does not safely store the user's
password. Hotfoon4.exe stores the user's password in plain text in a
registry entry.

This problem could allow an attacker to gain access to the user's password
on a vulnerable system. This will allow the attacker to use the services
provided by Hotfoon as the victim user.

25. Hotfoon Dialer Buffer Overflow Vulnerability
BugTraq ID: 6156
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6156
Summary:

Hotfoon provides PC to Phone and other services accessible by using its
client program, Hotfoon4.exe.

A buffer overflow vulnerability has been reported for the Hotfoon dialer.
The vulnerability exists in a text input field for dialing telephone
numbers. Reportedly, Hotfoon4.exe does not adequately perform boundary
checks on this field.

This vulnerability is exacerbated by the fact that Hotfoon4.exe will
define a URL protocol, 'Voice', and register itself as a remote service.
Thus it is possible for a remote attacker to exploit this vulnerability by
issuing a 'Voice' protocol request to launch the Hotfoon4.exe service.

An attacker can exploit this vulnerability by entering an overly long
value, consisting of at least 76 characters, in this text field. This will
cause Hotfoon4.exe to crash. Any malicious attacker-supplied code included
in the specially crafted string will be executed with the privileges of
the Hotfoon4.exe process.

This vulnerability has been reported for Hotfoon dialer 4.0.

26. KDE Network RESLISA Buffer Overflow Vulnerability
BugTraq ID: 6157
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6157
Summary:

LISa (LAN Information Server) is a service designed for Linux variant
operating systems. It provides LAN browsing capabilities on Linux systems.
resLISa is a restricted version of LISa and is distributed with LISa.

A buffer overflow vulnerability has been reported for resLISa. The
vulnerability results due to inadequate checks on the LOGNAME environment
variable.

An attacker can exploit this vulnerability by setting a LOGNAME
environment variable with an overly long value. When the attacker invokes
resLISa, it will result in the service crashing and will result in the
attacker obtaining control over the execution of the vulnerable service.

resLISa is typically installed as a setUID root binary.

27. ISC BIND 8 Invalid Expiry Time Denial Of Service Vulnerability
BugTraq ID: 6159
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6159
Summary:

BIND is a server program that implements the domain name service protocol.
It is used widely on the Internet.

A denial of service vulnerability has been reported for ISC BIND 8. The
vulnerability is due to caching of SIG RR (resource records) with invalid
expiry times.

An attacker who controls an authoritative name server may be able to cause
vulnerable BIND 8 servers to cache invalid SIG RR elements. When the
vulnerable DNS server attempts to reference the SIG RR elements it will
result in the denial of service condition.

It has been reported that ISC BIND 8 versions up to 8.3.3 are vulnerable
to this issue.

28. ISC BIND OPT Record Large UDP Denial of Service Vulnerability
BugTraq ID: 6161
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6161
Summary:

BIND is a server program that implements the domain name service protocol.
It is in extremely wide use on the Internet, in use by most of the DNS
servers.

Recursive BIND 8 servers are vulnerable to a denial of service condition.
Requesting a DNS lookup on a nonexistent sub-domain of a valid domain may
cause BIND to fail.

The attacker would have to attach an OPT resource record with a large UDP
payload size in order to exploit this vulnerability.

The denial of service may also occur when a domain is queried and the
authoritative DNS servers are unreachable.

29. ISC BIND SIG Cached Resource Record Buffer Overflow Vulnerability
BugTraq ID: 6160
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6160
Summary:

BIND is a server program that implements the domain name service protocol.
It is widely used on the Internet.

It has been reported that DNS servers, running BIND with recursive DNS
functionality enabled, are prone to a buffer overflow condition. This
issue is triggered when the vulnerable DNS server is constructing DNS
responses for cached information.

An attacker-controlled authoritative DNS server may cause BIND to cache
information into an internal database, when recursion is enabled. Cached
information is accessed when a DNS client request is received. A
vulnerability exists when creating a DNS response containing SIG resource
records (RR), which may lead to the buffer overflow condition.

By causing the vulnerable DNS server to cache information, and sending a
malicious client request, it may be possible for a remote attacker to
cause a buffer to be overrun. Exploitation of this issue could result in
the execution of arbitrary attacker-supplied code with the privileges of
the vulnerable BIND daemon.

It should be noted that recursive DNS functionality is enabled by default.

30. Novell eDirectory Expired Password Vulnerability
BugTraq ID: 6163
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6163
Summary:

Novell has recently reported a vulnerability in eDirectory. According to
Novell, inappropriate privileges may be applied to users logging in from
Remote Manager. This occurs when the user's password has expired.

The precise details of the "inappropriate permissions" are not currently
known. It may be that users retain access they should not have while
their password is expired. It is also possible that users with expired
passwords are granted additional privileges when logging in from Remote
Manager. This has not been confirmed by Novell.

31. Light HTTPD GET Request Buffer Overflow Vulnerability
BugTraq ID: 6162
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6162
Summary:

Light httpd is a small HTTP server, derived from ghttpd. It is available
for a large variety of platforms, including Linux, BSD, Solaris, and
Microsoft Windows operating systems.

A vulnerability has been discovered in Light httpd, when processing GET
requests. Passing an excessively long GET request to a vulnerable server,
containing roughly 1024 or more bytes of data, will trigger a buffer
overflow. This will typically result in sensitive memory being overwritten
with attacker-supplied values.

Exploitation of this issue will result in the execution of arbitrary
commands with the privileges of the target web server. As Light httpd
drops privileges, commands will be executed with the privileges of the
'nobody' user.

32. TinyHTTPD Directory Traversal Vulnerability
BugTraq ID: 6158
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6158
Summary:

It has been reported that TinyHTTPD fails to properly sanitize web
requests. By sending a malicious web request to the vulnerable server,
using directory traversal sequences, it is possible for a remote attacker
to access sensitive resources located outside of the web root.

An attacker is able to traverse outside of the established web root by
using dot-dot-slash (../) directory traversal sequences. An attacker may
be able to obtain any web server readable files from outside of the web
root directory.

Disclosure of sensitive system files may aid the attacker in launching
further attacks against the target system.

33. MasqMail Buffer Overflow Vulnerability
BugTraq ID: 6164
Remote: No
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6164
Summary:

MasqMail is a MTA (mail transport agent) designed for systems without a
permanent Internet connection.

A buffer overflow vulnerability has been reported for MasqMail. The
vulnerability may be exploited by an attacker to execute arbitrary
commands with root privileges.

Although not yet confirmed, it is speculated that the vulnerability may be
triggered through malicious entries in a user-supplied configuration file.

Precise technical details regarding the cause of this issue are not yet
known. This BID will be updated as further information becomes available.

34. Xoops WebChat Module Remote SQL Injection Vulnerability
BugTraq ID: 6165
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6165
Summary:

Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.

A vulnerability exists in the WebChat module included with Xoops. The
vulnerability is due to insufficient sanitization of variables used to
construct SQL queries in the 'index.php' script. Specifically, the
'roomid' variable is not sanitized of malicious SQL input. It is possible
to modify the logic of SQL queries through malformed query strings in
requests for the vulnerable script.

By injecting SQL code into the 'roomid' variable, it may be possible for
an attacker to corrupt database information.

35. Traceroute-nanog Local Buffer Overflow Vulnerability
BugTraq ID: 6166
Remote: No
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6166
Summary:

Traceroute is a tool that is used to track packets in a TCP/IP network to
determine the path of network connections.

Traceroute-nanog fails to drop root privileges after obtaining a RAW
socket. Because of this, it is possible for a local attacker to gain root
privileges by triggering a buffer overflow. Exploiting this issue may
allow a local attacker to overwrite sensitive memory with malicious
values, thereby redirecting typical program flow to execute
attacker-supplied commands with elevated privileges.

Precise technical details regarding the cause of this issue are not yet
known. This BID will be updated as more information becomes available.

36. APBoard Protected Forum Thread Posting Vulnerability
BugTraq ID: 6167
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6167
Summary:

APBoard is a web-based bulletin board package based on PHP and MySQL from
Another PHP Product.

It is possible for any registered APBoard user to create a new thread in a
password protected forum.

The source code of the 'Neues Thema' page contains the following line:
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">

By changing VALUE= to the value of a password protected forum, then
submitting the page, the thread will be posted to that forum, bypassing
authentication.

Note that it may be possible to modify other variable values to cause
unpredictable results. This has not yet been tested.

37. APBoard Protected Forum Plaintext Password Weakness
BugTraq ID: 6169
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6169
Summary:

APBoard is a web-based bulletin board package based on PHP and MySQL from
Another PHP Product.

When a user is logged into an APboard password protected forum, their
plaintext password is included in the URL:
http://www.your-domain.com/apboard/thread.php3?id=999&passwort=1&thepasswordhere

By creating a script that logs referring URLs, an attacker could post a
link to the script within the password protected forum. This would allow
the attacker to steal the user's forum password.

38. W3Mail File Disclosure Vulnerability
BugTraq ID: 6170
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6170
Summary:

W3Mail is a full featured open source web mail application implemented as
a collection of Perl scripts that runs on Linux and Unix systems. It
includes support for fetching mail from POP3 servers, MIME attachments,
and for sending outgoing mail.

To fix the vulnerability described as BID 5314, the email attachments
directory was moved out of the webroot tree. To view attachments, the
script "viewAttachment.cgi" accepts the parameter "file". The value of
this parameter is passed to the open() function as the filename argument
without being sanitized. Attackers may cause any file on the filesystem
to open by specifying its relative path using directory traversal
characters.

As a result, attackers may retrieve any file and download its contents if
it is readable by the webserver process.

It should be noted that a valid session ID is required to exploit this
vulnerability.
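The TinyHTTPD and W3Mail entries above both describe a request value reaching a file open with dot-dot-slash sequences intact. The following is an added example, not code from either project: a containment check made on the resolved path rather than on the raw string. The function names, the `attachments` directory and the sample file names are hypothetical, and a POSIX filesystem is assumed.

```python
import os
import tempfile


class PathEscape(Exception):
    """Raised when a requested name resolves outside the permitted directory."""


def resolve_inside(base_dir, requested):
    """Return the real path of `requested` under `base_dir`, or raise PathEscape.

    The decision is made after '..' components and symlinks are collapsed,
    so nested traversal sequences and links pointing elsewhere are caught.
    """
    if "\x00" in requested:
        raise PathEscape("NUL byte in file name")
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute; the
    # commonpath comparison below rejects that case as well.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathEscape("resolves outside %s" % base)
    return candidate


# Constructed request values: two benign names and several escape attempts.
SAMPLE_NAMES = [
    "report.txt",
    "./report.txt",
    "../secret.conf",
    "sub/../../secret.conf",
    "/etc/passwd",
    "link.txt",              # symlink inside the directory, target outside it
    "report.txt\x00.jpg",
    ".",
]


def demo():
    """Build a constructed directory tree and classify each sample name."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        attach = os.path.join(root, "attachments")
        os.mkdir(attach)
        with open(os.path.join(attach, "report.txt"), "w") as fh:
            fh.write("attachment body")
        with open(os.path.join(root, "secret.conf"), "w") as fh:
            fh.write("outside the attachment directory")
        os.symlink(os.path.join(root, "secret.conf"),
                   os.path.join(attach, "link.txt"))
        for name in SAMPLE_NAMES:
            try:
                resolve_inside(attach, name)
                results[name] = "allowed"
            except PathEscape:
                results[name] = "blocked"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-28r %s" % (name, verdict))
```

Moving the attachment directory out of the web root, as the W3Mail fix for BID 5314 did, does not replace this check: the file name still has to be confined to that directory when it is opened.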

39. TCPDump / LIBPCap Trojan Horse Vulnerability
BugTraq ID: 6171
Remote: Yes
Date Published: Nov 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6171
Summary:

tcpdump is a freely available, open source tool for analyzing network
traffic. libpcap provides network packet sniffing libraries used by many
popular network intrusion detection systems. Both tools are available for
the Unix and Linux operating systems.

It has been announced that the server hosting tcpdump and libpcap,
www.tcpdump.org, was compromised recently. It has been reported that the
intruder made modifications to the source code of tcpdump and libpcap to
include trojan horse code. Downloads of the source code of tcpdump and
libpcap from www.tcpdump.org, and numerous mirrors, likely contain the
trojan code.

Reports say that the trojan will run once upon compilation of tcpdump or
libpcap. Once the trojan is executed, it attempts to connect to host
212.146.0.34 on port 1963.

The trojan horse modifications can be found in the configure script and
the 'gencode.c' source file. The 'gencode.c' modification affects only
libpcap. Reportedly, 'gencode.c' is modified to force libpcap to ignore
packets to and from the backdoor program. This is an attempt to hide the
back door program's traffic.

The MD5 sums of the trojaned versions are reported to be:
MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz

The MD5 sums of the non-trojaned versions are:
MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz

The non-trojaned versions of these tools are available at the following locations:
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz

Additionally, the trojan displays similarity to those found in irssi,
fragroute, fragrouter, BitchX, OpenSSH, and Sendmail.
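To audit a local source or distfiles directory against the digests listed above, the following added example (not part of the advisory or of the tcpdump project) hashes each archive and classifies it. The digests are copied from the text above; the function names, the verdict labels and the sample directory contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Digests as listed in the advisory text above (BID 6171).
TROJANED = {
    "libpcap-0.7.1.tar.gz": "73ba7af963aff7c9e23fa1308a793dca",
    "tcpdump-3.6.2.tar.gz": "3a1c2dd3471486f9c7df87029bf2f1e9",
    "tcpdump-3.7.1.tar.gz": "3c410d8434e63fb3931fe77328e4dd88",
}
CLEAN = {
    "libpcap-0.7.1.tar.gz": "0597c23e3496a5c108097b2a0f1bd0c7",
    "tcpdump-3.6.2.tar.gz": "6bc8da35f9eed4e675bfdf04ce312248",
    "tcpdump-3.7.1.tar.gz": "03e5eac68c65b7e6ce8da03b0b0b225e",
}


def md5_of(path, chunk=65536):
    """Hash a file in chunks so large archives are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def classify(name, digest):
    """Return a verdict for one archive name and its MD5 digest."""
    digest = digest.strip().lower()
    # Match known-bad digests regardless of file name, so a renamed or
    # mirrored copy of a trojaned archive is still flagged.
    if digest in TROJANED.values():
        return "TROJANED"
    if CLEAN.get(name) == digest:
        return "clean"
    if name in CLEAN:
        # Listed release name, but the content matches neither list.
        return "MISMATCH"
    return "unlisted"


def audit_directory(directory):
    """Classify every .tar.gz file found directly inside `directory`."""
    report = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if os.path.isfile(path) and entry.endswith(".tar.gz"):
            report[entry] = classify(entry, md5_of(path))
    return report


def demo():
    """Audit a constructed directory; the files are placeholders, not archives."""
    with tempfile.TemporaryDirectory() as distfiles:
        with open(os.path.join(distfiles, "tcpdump-3.7.1.tar.gz"), "wb") as fh:
            fh.write(b"constructed sample, not a real archive")
        with open(os.path.join(distfiles, "notes.tar.gz"), "wb") as fh:
            fh.write(b"constructed sample, unrelated file")
        return audit_directory(distfiles)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-24s %s" % (name, verdict))
```

A MISMATCH verdict means the archive carries a listed release name but matches neither digest list, so it should be treated as untrusted and fetched again from a known-good location.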

III. SECURITYFOCUS NEWS AND COMMENTARY
------------------------------------------
1. Accused Pentagon Hacker's Online Life
By Kevin Poulsen

Usenet posts show Gary McKinnon was a bit of a phone phreak, knew where to
buy lock picks, and had an early interest in defense computers. A former
employer says he was bored at work.

http://online.securityfocus.com/

2. US gov's 'ultimate database' run by a felon
By Thomas C. Greene, The Register

We all know that truth is stranger than fiction, and here we have an
apparently real item straight from the realm of Tom Clancy. Imagine a
huge, absolutely huge, central database containing both the official and
commercial data of every single citizen, run by the US military ostensibly
for anti-terror and Homeland Security purposes, and all of it under the
direction of a convicted felon.

http://online.securityfocus.com/news/1666

3. Security concerns hinder remote access
By John Leyden, The Register

Security concerns are hampering the roll-out of remote access, particularly
to those working for smaller firms. A survey from In-Stat/MDR, released
this week, found companies are evenly split, more or less, between
those who allow remote access to the corporate LAN and those that do not.
In-Stat/MDR notes that larger companies are more likely to allow remote access
than smaller concerns.

http://online.securityfocus.com/news/1665

4. When firewalls and intrusion detection just aren't enough
By John Leyden, The Register

Firewalls alone are not enough to thwart today's more sophisticated range
of attacks, while Intrusion Detection Systems detect and record attacks,
but do not block them. AV products, properly updated, can help protect
against malicious code but are necessarily limited in their scope.

http://online.securityfocus.com/news/1657

IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. shell watchdog v1.1 (dev)
by D. Westfal
Relevant URL:
http://www.nwst.de/
Platforms: UNIX
Summary:

The shell watchdog is a simple shell script daemon to monitor system
resources and report failures via local syslog, wall, mail, console sound,
or user-definable actions. It is intended to be used as a simple failure
recognition system. Tests are defined in a macro-like style in
user-definable files, allowing you to create monitored resource groups. It
currently includes tests to check the availability of an IP address, the
availability of a service on a local or remote IP address, whether a
process is running or not, and the usage of filesystems.

2. Fast OnlineUpdate for SuSE v0.8.1
by Markus Gaugusch
Relevant URL:
http://fou4s.gaugusch.at/
Platforms: Linux, POSIX
Summary:

Fast OnlineUpdate for SuSE (fou4s) is a bash script that provides the
functionality of YOU (YaST OnlineUpdate), but can also work in background
and check for updates every night. It supports resumed downloads and
proxies by using wget. GPG signatures are also checked.

3. RSA implementation in Haskell v1.0.0
by David J. Sankel
Relevant URL:
http://www.electronconsulting.com/rsa-haskell
Platforms: Os Independent
Summary:

RSA implementation in Haskell (rsa-haskell) is a Haskell implementation of
the RSA algorithm. It contains simple programs for encrypting and
decrypting anything that can be piped, as well as an easy-to-use RSA and
number theory library.

4. Safer Password Generator
by Tom Veatch tv (at) sprex (dot) com
Relevant URL:
http://cassandra.sprex.com/passwd.html
Platforms: N/A
Summary:

Safer Password Generator creates English-like passwords, although they are
not English words, or even (usually) combinations of English words or
names. So password-cracking algorithms which search for English words and
names and combinations of them will have a very hard time with Sprex
passwords.

5. NetSplitter v20021112
by Fabio Yamamoto
Relevant URL:
http://www.hostname.org/netsplitter
Platforms: FreeBSD, Linux, NetBSD, POSIX
Summary:

NetSplitter is a 'reverse' load balance like EQLPlus or bounding, but at
the firewall/NAT level. If more than one internet connection exists, it
will balance the NAT connections on those links. It runs on FreeBSD and
Linux.

6. KPassCard v0.1.1
by Tobias Bayer
Relevant URL:
http://kpasscard.berlios.de/
Platforms: Linux, POSIX
Summary:

KPassCard is a KDE application for storing passwords on a chipcard
encrypted with a master password.

V. SECURITY JOBS SUMMARY
------------------------
1. CISSP, INFOSEC Engineer Seeking Security Position in Northern VA (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/299616

2. Houston, Texas, CISSP, Web Security Specialist, Attack & Penetration. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/299566

3. Network Security Engineer - Boston North - KCMO relocation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/299367

4. AVAYA Security Consulting Positions in So. Cal, Silicon Valley, and Western Europe (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/299366

5. AVAYA Security Manager Position / Western Europe (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/299364

6. Security Sales Evangelist - Boston (Northeast), Atlanta (Southeast) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/299190

7. Incident Response/Security position available in Denver metro area (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/299189

VI. INCIDENTS LIST SUMMARY
-------------------------
1. Unicode Attack (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299878

2. Yahoo Messenger Stale Sessions (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299839

3. Unicode Attack (FOLLOW UP) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299713

4. Port 5552? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299688

5. scans on port 57 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299767

6. new version of aris analyzer? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299572

7. ano (at) ano (dot) com ftpd dip.t-dialin.net (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299560

8. 030 igetnet ignkeywords (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299538

9. Ip spoof from 0.0.0.0 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299595

10. IIS and leech (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299564

11. 030 ignkeywords igetnet follow up (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299539

12. Quick question re FTP activity (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299550

13. 030.com (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299558

14. What's up with 3014/tcp? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299030

15. Ip spoof from 0.0.0.0 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/298989

VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. shell script cgi (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/299916

2. ColdFusion Heap Overflow (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/299825

3. PHP (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/299890

4. BIND Exploits (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/299874

5. Exploitable pine heap overflow ( Remote pine Denial of Service) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/299156

VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Unknown workgroup in Microsoft Windows Network (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299922

2. Local security settings in W2k adv server causes problems (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299879

3. Active Directory network security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299795

4. Tools (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299692

5. RES: Tools (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299613

6. SecurityFocus Microsoft Newsletter #112 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299440

7. Win 2000 password Complexity Requirements (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299434

8. Win 2000 password Complexity Requirements (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298907

9. IIS 5 and client certificates (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298899

IX. SUN FOCUS LIST SUMMARY
----------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 11.15.02

X. LINUX FOCUS LIST SUMMARY
---------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 11.15.02
