Linux Security News
SecurityFocus Linux Newsletter #118 Feb 10 2003 06:42PM
John Boletta (jboletta securityfocus com)

SecurityFocus Linux Newsletter #118
-----------------------------------

This Issue is Sponsored by: BlackHat

Spooked about Windows security? Getting "slammed" hard by worms? Find
all of the solutions at Black Hat Windows Security Briefings & Training,
February 24-27 in Seattle, the world's premier technical event for Windows
security experts. All of the top experts you've read about recently are
speaking. Fully supported by Microsoft, with new MS hosted training
sessions just added!

Visit www.blackhat.com to register.
-------------------------------------------------------------------------------

I. FRONT AND CENTER
1. SunScreen, Part Two: Policies, Rules, and NAT
2. The Great IDS Debate : Signature Analysis Versus Protocol Analysis
3. Smallpot: Tracking the Slapper and Scalper Unix Worms
4. Lessons From the Slammer
5. Something Needs to Change
6. SecurityFocus DPP Program
7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
1. Macromedia ColdFusion MX Windows User File Authorization Vulnerability
2. eL DAPo Authentication Information Disclosure Weakness
3. Bladeenc Signed Integer Memory Corruption Vulnerability
4. PHP-Nuke Avatar HTML Injection Vulnerability
5. Opera JavaScript Console Attribute Injection Vulnerability
6. IBM WebSphere Exported XML Password Encoding Weakness
7. Opera Error Message History Disclosure Weakness
8. Majordomo Default Configuration Remote List Subscriber Disclosure Vulnerability
9. SpamProbe Remote Denial of Service Vulnerability
10. PAM pam_xauth Module Unintended X Session Cookie Access Vulnerability
11. Opera History Object Information Disclosure Weakness
12. Opera Cross Domain Scripting Vulnerability
13. Opera Image Rendering HTML Injection Vulnerability
14. Linux O_DIRECT Direct Input/Output Information Leak Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. openSSL Key generation (Thread)
2. ezmlm warning (Thread)
3. Perl administration for Linux fileserver (Thread)
4. Secure Web-Based Administration (Thread)
5. NIS with local root (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORM
1. Firebox II FastVPN
2. PENS
3. hp secure OS software for Linux
V. NEW TOOLS FOR LINUX PLATFORMS
1. WatchLog v0.1b
2. FieryFilter v0.3
3. apachelogrotate.pl v0.1.2
VI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. SunScreen, Part Two: Policies, Rules, and NAT
By Ido Dubrawsky

This is the second of a two-part series looking at SunScreen, Sun
Microsystem's firewall product, which provides a variety of features that
allow system and network administrators to secure their networks as well
as provide for remote access capabilities. This article will cover the
some of the rudimentary facilities in SunScreen such as adding and
removing rules, setting up a remote management station, and network
address translation.

http://online.securityfocus.com/infocus/1664

2. The Great IDS Debate : Signature Analysis Versus Protocol Analysis
by Matt Tanase

Intrusion detection systems (IDS) have rapidly become a crucial component
of any network defense strategy. Over the past few years, their popularity
has soared as vendors have refined their results and increased performance
capabilities. At the heart of intrusion detection systems lies the
analysis engine. It reviews each packet, determines if it is malicious,
and logs an alert if necessary: the core tasks of an IDS. Two different
IDS techniques, each favored by separate and loyal camps, have emerged as
the preferred engine behind the software. Despite the copious marketing
material and fiery online debates, each method has distinct strengths and
weaknesses. In this article, we'll examine and compare the two different
techniques: signature analysis and protocol analysis.

http://online.securityfocus.com/infocus/1663

3. Smallpot: Tracking the Slapper and Scalper Unix Worms
by Costin Raiu

Fueled by the old myth that "you can't get a virus in Unix" and by the
increasing popularity of Linux and FreeBSD, Unix viruses passed an
important milestone in 2001 and continued by receiving even more attention
during 2002.

http://online.securityfocus.com/infocus/1662

4. Lessons From the Slammer
By Richard Forno

January's Slammer infection held valuable lessons for all security
stakeholders.

http://online.securityfocus.com/columnists/140

5. Something Needs to Change
By Tim Mullen

That's all there was to "Slammer," 376 bytes. When you think about it,
it's amazing that a piece of code could have wreaked such havoc on the
Internet and caused such widespread system failure -- at about the size of
two paragraphs of this column.

http://online.securityfocus.com/columnists/139

6. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY
-------------------
1. Macromedia ColdFusion MX Windows User File Authorization Vulnerability
BugTraq ID: 6737
Remote: Yes
Date Published: Jan 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6737
Summary:

ColdFusion MX Enterprise Edition is the application server for developing
and hosting infrastructure distributed by Macromedia. It is available as a
standalone product for Unix, Linux, and Microsoft Operating Systems.

When ColdFusion MX is used in conjunction with Microsoft IIS, Windows NT
authentication, and NTFS file permissions, it may be possible for a user
to access files and templates they do not have permission to access.

This is due to a configuration error. IIS is not configured by default to
determine if files associated with ColdFusion MX are accessible or not by
the authenticated user. Consequently, user supplied file names are passed
directly to ColdFusion MX which apparently does not check NTFS permissions
against the user itself.

2. eL DAPo Authentication Information Disclosure Weakness
BugTraq ID: 6735
Remote: Yes
Date Published: Jan 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6735
Summary:

eL DAPo is a Web application for managing and querying LDAP servers
implemented in PHP. It is available for a variety of platforms including
Linux and Unix variant operating systems.

An information disclosure weakness has been reported for eL DAPo. The
issue exists in the login.php script used by eL DAPo. Specifically, when
sending authentication information to query LDAP servers, any information
submitted may be visible in URI parameters.

It is possible to exploit this weakness to obtain authentication
credentials of unsuspecting users.

This vulnerability was reported for eL DAPo 1.13 and earlier.

3. Bladeenc Signed Integer Memory Corruption Vulnerability
BugTraq ID: 6745
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6745
Summary:

Bladeenc is an open-source MP3 encoder and is available for a variety of
platforms including Microsoft Windows and Linux and Unix variant operating
systems.

A memory corruption vulnerability has been reported for Bladeenc. Bladeenc
encodes WAV files in 'chunks' of data. The vulnerability exists when
Bladeenc is seeking a WAV file chunk. Specifically, in the function
__myfseek() in the samplein.c source file, an integer value is not
properly verified. When this function is given a negative value, it will
result in the corruption of sensitive areas of memory with
attacker-supplied values.

An attacker can exploit this vulnerability by creating a malicious WAV
file with carefully crafted headers that will cause Bladeenc to execute
malicious attacker-supplied code.

This vulnerability was reported for Bladeenc 0.94.2 and earlier.

4. PHP-Nuke Avatar HTML Injection Vulnerability
BugTraq ID: 6750
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6750
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.

A vulnerability has been reported in PHP-Nuke that may result in HTML
injection. The vulnerability occurs because PHP-Nuke does not sanitize
some user-supplied input submitted to a site when selecting 'avatar'
images. Due to this condition, a malicious user may be able to insert
malicious HTML code which will then be displayed to unsuspecting users of
PHP-Nuke forums. Any attacker-supplied code will be interpreted in a
victim user's web browser in the security context of the site hosting the
software.

It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. It is
also possible to modify or corrupt other users' avatars. Other attacks are
also possible.

This vulnerability was reported for PHP-Nuke 6.0 and earlier.

5. Opera JavaScript Console Attribute Injection Vulnerability
BugTraq ID: 6755
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6755
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.

A vulnerability has been reported for Opera 7 browsers for Microsoft
Windows operating systems. The vulnerability exists in Opera's JavaScript
console program. The console program consists of three HTML files, one of
which is 'console.html'. Any unhandled exceptions thrown by any JavaScript
are listed in the console and are converted into clickable links.

The vulnerability exists in the regular expressions used by 'console.html'
to format exception messages. Specifically, exception messages are not
parsed for quote characters. It is possible, by inserting quote (")
characters, to add additional attributes to URLs that may make it possible
to execute arbitrary attacker-supplied script code in the file:// protocol
context. This may lead to disclosure of local file contents to remote
attackers.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

6. IBM WebSphere Exported XML Password Encoding Weakness
BugTraq ID: 6758
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6758
Summary:

IBM WebSphere is a commercial web application server which runs on a
number of platforms including Linux and Unix variants and Microsoft
Windows operating environments.

IBM WebSphere allows administrators to export configuration files to XML.
When the WebSphere configuration file is exported in this manner,
passwords are obfuscated using an easily reversible algorithm.

The algorithm used to obfuscate the password is as follows:

CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_")

where n is the position of the character.

The obfuscated password is then Base64 encoded.

If an attacker gains access to an exported XML configuration file, it is a
trivial task to decode the password.

To exploit this weakness, an administrator must first export the
configuration to XML and then the attacker may gain unauthorized access to
the exported file.

The WebSphere documentation states that exported configurations will
contain encoded (and not encrypted) passwords. Administrators should be
cautious when exporting configuration files.

This issue was reported in IBM WebSphere Advanced Server Edition 4.0.4.
It is not known whether the same encoding is used in other versions.
However, the core weakness is that passwords are encoded rather than
encrypted with a strong algorithm, and so are easier to reverse; all
current versions should therefore be considered prone to this weakness to
some degree.
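The encoding described above, as an added Python example (this is not IBM's code and not part of the advisory). obfuscate() applies the per-character XOR with '_' followed by Base64, deobfuscate() undoes it, and find_reversible_passwords() is an audit helper that scans text for password="..." attributes and reports those that decode under this scheme, so an administrator can find exported files that still carry reversible credentials. The attribute name and the sample export snippet are constructed assumptions, not WebSphere's real XML layout.

```python
import base64
import re

# The single-character key the advisory describes: every byte is XORed with '_'.
XOR_KEY = ord("_")


def obfuscate(password: str) -> str:
    """Apply the advisory's scheme: XOR each byte with '_', then Base64-encode.
    Each character is handled independently, so this is a fixed substitution
    with a public key, not encryption."""
    xored = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return base64.b64encode(xored).decode("ascii")


def deobfuscate(encoded: str) -> str:
    """Invert obfuscate(). XOR with a constant is its own inverse, so the
    decoder is the same operation applied in reverse order."""
    xored = base64.b64decode(encoded)
    return bytes(b ^ XOR_KEY for b in xored).decode("utf-8")


# Assumed attribute layout for the audit helper (constructed, not WebSphere's
# actual schema): any attribute literally named "password".
PASSWORD_ATTR = re.compile(r'password\s*=\s*"([^"]*)"', re.IGNORECASE)


def find_reversible_passwords(xml_text: str) -> list:
    """Return (encoded, decoded) pairs for password attributes whose value
    decodes under this scheme to printable text. Values that are not valid
    Base64 or do not decode to text are skipped."""
    hits = []
    for match in PASSWORD_ATTR.finditer(xml_text):
        value = match.group(1)
        try:
            decoded = deobfuscate(value)
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded and decoded.isprintable():
            hits.append((value, decoded))
    return hits


# Constructed sample of an exported configuration fragment.
SAMPLE_EXPORT = '<resource name="jdbc/app" user="dbuser" password="LDo8LTor"/>\n'


if __name__ == "__main__":
    for encoded, decoded in find_reversible_passwords(SAMPLE_EXPORT):
        print(f"reversible password attribute found: {encoded!r} -> {len(decoded)} characters")
```

Running the block on the constructed fragment reports the one encoded attribute; a real audit would feed it the exported XML and treat any hit as a credential that must be rotated and the file as one that must be removed or locked down.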

7. Opera Error Message History Disclosure Weakness
BugTraq ID: 6759
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6759
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux, Unix variants and Apple MacOS.

The Opera console is used to keep track of any JavaScript error messages
that may have occurred when browsing a Web site.

It has been reported that Opera fails to ensure that a remote site has
proper authorization before executing some methods used to access error
messages stored in the Opera console. Specifically, Opera does not
validate any requests for the opera.errorIndex() and opera.errorMessage(i)
methods.

This issue is further exacerbated by the fact that error messages also
contain the URL of the site that caused the issue. This can be exploited
by a malicious attacker to obtain a listing of the victim user's Web
browsing habits for, potentially, malicious purposes.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

8. Majordomo Default Configuration Remote List Subscriber Disclosure Vulnerability
BugTraq ID: 6761
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6761
Summary:

Majordomo is a freely available, open source mailing list management
software package. It is available for Unix, Linux, and Microsoft Windows
platforms.

A problem with Majordomo may allow remote users to gain access to
sensitive information.

It has been reported that Majordomo does not sufficiently guard list
subscriber information. By sending specific commands to a default
implementation, a remote user may be able to gain access to the list of
mailing list subscribers. This issue is documented in the Majordomo
documentation.

The problem is in the default configuration of the mailing list manager.
The software does not place sufficient access controls on the ability of
users to execute the which command. By sending the command "which @",
remote users may be able to list the entire member base of the list,
resulting in a loss of privacy.

It should be noted that in the Majordomo 2 branch, this vulnerability is
limited to gaining access to one address per submission per list.

9. SpamProbe Remote Denial of Service Vulnerability
BugTraq ID: 6739
Remote: Yes
Date Published: Jan 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6739
Summary:

SpamProbe is a spam detection program that uses a Bayesian analysis of the
frequencies of terms used in the email. It is available for the Linux
operating system.

A denial of service vulnerability exists in SpamProbe. The problem occurs
in a regular expression used by the removeHTMLFromText() function, which
is located in MessageFactory.cc.

When SpamProbe attempts to parse HTML located in an email, an issue may
occur on some operating systems which could cause SpamProbe to crash. The
problem reportedly occurs when attempting to parse newline characters (\n)
located within HTML <href> tags.

This issue could be exploited by an attacker to disable a victim's spam
filter. Any subsequent unsolicited email messages sent to the victim would
be successfully delivered.

This condition has been reported to occur on RedHat 8.0. It is not yet
known whether SpamProbe is prone to this issue when running on other
distributions or operating systems.
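An added Python example of the parsing point above; it is not SpamProbe's code and does not reproduce the crash. strip_html_naive() uses a dot-based pattern that cannot cross a newline, so an anchor whose attributes continue on the next line survives into the text the classifier sees; strip_html_safe() uses a negated character class, which matches newlines and has no nested quantifiers to backtrack on; has_multiline_tag() flags a message with this condition so it can be logged rather than silently mis-parsed. The sample message body is constructed.

```python
import re

# Constructed sample message body: the anchor tag is split across a line
# boundary, the condition the advisory reports SpamProbe mishandling.
SAMPLE_BODY = (
    "Limited offer!\n"
    '<a href="http://example.invalid/buy"\n'
    '   target="_blank">Click here</a>\n'
    "<br>Unsubscribe below.\n"
)

# Naive stripper: '.' does not match '\n' without re.DOTALL, so a tag that
# spans lines is never matched and its attributes leak into the token stream.
NAIVE_TAG = re.compile(r"<.*?>")

# Hardened stripper: a negated character class matches newlines too, and the
# pattern has a single unnested quantifier, so matching time is linear.
SAFE_TAG = re.compile(r"<[^>]*>")

# A tag containing a newline before its closing '>'.
MULTILINE_TAG = re.compile(r"<[^>]*\n[^>]*>")


def strip_html_naive(text: str) -> str:
    """Remove tags with the line-bound pattern (demonstrates the failure)."""
    return NAIVE_TAG.sub(" ", text)


def strip_html_safe(text: str) -> str:
    """Remove tags with the newline-tolerant pattern."""
    return SAFE_TAG.sub(" ", text)


def has_multiline_tag(text: str) -> bool:
    """True when some tag in the text spans a line break."""
    return MULTILINE_TAG.search(text) is not None


def tokens(text: str) -> list:
    """Simplified word tokenizer standing in for the classifier's input stage."""
    return re.findall(r"[A-Za-z]+", text)


if __name__ == "__main__":
    print("multi-line tag present:", has_multiline_tag(SAMPLE_BODY))
    print("naive tokens:", tokens(strip_html_naive(SAMPLE_BODY)))
    print("safe tokens: ", tokens(strip_html_safe(SAMPLE_BODY)))
```

With the naive pattern the words "href", "http", "example" and "target" reach the classifier as if they were message text; with the hardened pattern only the visible words remain, and the multi-line tag is reported for logging.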

10. PAM pam_xauth Module Unintended X Session Cookie Access Vulnerability
BugTraq ID: 6753
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6753
Summary:

Pluggable Authentication Modules (PAM) is shipped with RedHat Linux 8.0
and earlier, by default. PAM comes with the pam_xauth module which can be
used in conjunction with the su utility to pass X MIT-Magic-Cookies to
newly created sessions.

A vulnerability has been discovered when the pam_xauth module is used in
conjunction with the su utility within an X session. When a user (user1)
runs the su utility to assume the identity of another user (user2),
pam_xauth will create a temporary .xauth cookie file located in the
assumed user's (user2) home directory. The file is created with read-write
only permissions for the assumed user and contains sensitive information
regarding the su'ing user's X session.

This poses a security risk when a user (user1) runs the su utility to
assume the identity of another user. The real user (user2) is able to read
the contents of the cookie file. The vulnerability lies in the fact that
the cookie file contains sensitive information pertaining to the su'ing
user's X session. This issue could be exploited by the real user (user2)
to connect to the X server with the credentials of the su'ing user (user1).

Accessing another user's X session may allow an attacker to obtain
sensitive information otherwise restricted. It may also grant the ability
to run commands with the privileges of the victim user.

This vulnerability could result in elevated privileges in the event that a
higher privileged user made use of the su program to log into the account
of a lower-privileged user. The lower-privileged user could exploit this
issue to gain administrative access to the local system.

It has been reported that this issue does not affect RedHat 7.0.

11. Opera History Object Information Disclosure Weakness
BugTraq ID: 6757
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6757
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.

An information disclosure weakness has been reported for Opera 7 browsers
on the Microsoft Windows platform.

The weakness is due to the way the history object exposes some properties.
Specifically, the properties history.next and history.previous are
exposed.

A vulnerable user, when navigating to a malicious website, may have some
information pertaining to browser history logged by the site. This
information can be used by Web masters for, potentially, malicious
purposes.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

12. Opera Cross Domain Scripting Vulnerability
BugTraq ID: 6754
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6754
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.

A vulnerability has been reported for Opera 7 browsers for Microsoft
Windows operating systems.

Due to flaws in Opera, it is possible for functions in different domains
to be accessed and executed by an attacker with the credentials of the
victim user. This vulnerability is also exacerbated by the fact that an
attacker may also be able to override properties and methods in other
windows to create malicious methods that can be accessed by a victim user.

Exploitation of this vulnerability will allow an attacker to obtain access
to local resources on a vulnerable system.

This issue may be similar to the ones described in BID 6184.

These vulnerabilities were reported for Opera 7 browser for Microsoft
Windows.

13. Opera Image Rendering HTML Injection Vulnerability
BugTraq ID: 6756
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6756
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux, Unix variants and Apple MacOS.

Problems with Opera could make it possible to execute arbitrary HTML code
in a vulnerable client.

It has been reported that, when generating HTML to display images or
embedded media, Opera does not correctly format the provided URL or
sufficiently encode local URLs. Specifically, URLs that use the 'file://'
protocol to access local files are not sufficiently sanitized of malicious
HTML code.

This vulnerability could allow an attacker to inject malicious HTML code
to an unsuspecting user of Opera, through a malformed link. Any code will
be executed in the security context of the local Opera User.

Successful exploitation of this vulnerability may result in the disclosure
of local file contents to remote attackers. Other attacks are possible.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

14. Linux O_DIRECT Direct Input/Output Information Leak Vulnerability
BugTraq ID: 6763
Remote: No
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6763
Summary:

The Linux Kernel is the core of the Linux operating system. It is
distributed by various Linux distributions.

A problem with the O_DIRECT flag could make it possible for local users to
gain access to potentially sensitive information.

It has been reported that some Linux Kernels do not properly handle
O_DIRECT, which is used for direct input and output. Any user with system
write privileges may be able to read limited information from other files.

This problem could allow a local user to read limited data from current
files, and may be able to read data from previously deleted files. The
ability of an attacker to exploit this issue at will is not known.
Additionally, exploitation could result in minor corruption of the file
system, which would require repair with the fsck utility.

It should be noted that this vulnerability cannot be exploited on systems
using a vulnerable kernel and the EXT3 file system.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. openSSL Key generation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/310734

2. ezmlm warning (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/309947

3. Perl administration for Linux fileserver (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/310764

4. Secure Web-Based Administration (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/310014

5. NIS with local root (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/309750

IV. NEW PRODUCTS FOR LINUX PLATFORM
-----------------------------------
1. Firebox II FastVPN
by WatchGuard Technologies
Platforms: Linux
Relevant URL:
http://www.watchguard.com/products/fireboxIIfastvpn.asp
Summary:

The Firebox II FastVPN is the most powerful WatchGuard Firebox and
includes a custom encryption accelerator card for supporting intensive
3DES VPN encryption applications. Equipped with a security-hardened Linux
operating system, the reliable Firebox II FastVPN is dedicated to the
specialized task of Internet security. Solid state architecture removes
the risk of hard drive failure and disk crashes, and dual-image flash
memory enables fall-back to the previously transmitted policy. Three
independent network interfaces allow you to separate your protected office
network from the Internet while providing an optional public network for
hosting Web, e-mail or FTP servers. Each network interface is
independently monitored and visually displayed on the front of the Firebox
II. In addition to LEDs showing connectivity and Armed/Disarmed status,
Firebox IIs also display three LEDs: TrafficMeter, LoadMeter and
ThroughputMeter. The triangular TrafficMeter displays LEDs for the
trusted, external and optional interfaces (green bars show the direction
of allowed traffic, red bars indicate denied traffic). The LoadMeter LEDs
display the load average of each Firebox II, up to 100Mb. Lastly, Sys
A/Sys B LEDs indicate whether your Firebox II is running your defined
security policy or if it is in configuration mode.

2. PENS
by Portcullis Computer Security
Platforms: Linux, Netware, Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.securitynet.kirion.net/encryption-software/
Summary:

PENS is an on-the-fly encryption software system with either 56-bit DES
or, new for Version 1.5, 128-bit IDEA and Triple DES algorithms for data
encryption and 1024-bit RSA for key exchange and authentication. Users are
given their own encrypted domains with which they can protect their files.
They can also let other users enter these domains - should the
administrator allow that - making worksharing easier. All they have to do
is send their keys to the person who requires them.

3. hp secure OS software for Linux
by Hewlett-Packard
Platforms: N/A
Relevant URL:
http://www.hp.com/security/products/linux/
Summary:

A secure server platform for Linux as an enhancement to the HP Netaction
software suite. HP Secure OS Software for Linux will help businesses
secure their Linux environments by offering intrusion prevention,
real-time protection against attacks, and damage containment. HP is first
to market with this business-critical security solution for Linux. HP
Secure OS Software for Linux provides high reliability, performance,
availability, flexibility and scalability. Additionally, it is easy to
install and manage, making it attractive to businesses that don't have
large IT organizations.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. WatchLog v0.1b
by Brian Shellabarger
Relevant URL:
http://www.glug.com/projects/WatchLog/
Platforms: Linux, POSIX, UNIX
Summary:

WatchLog is a Perl program designed to give users a better real-time view
of their Web traffic. Simply doing a 'tail -f' on the server log file
often yields confusing results, as a single hit can bombard you with
scrolling output. WatchLog attempts to present the same information in a
clean, formatted, real-time view of the activity on a Website by watching
the logfile and presenting only the relevant data.

2. FieryFilter v0.3
by Mezcalero
Relevant URL:
http://www.stud.uni-hamburg.de/users/lennart/projects/fieryfilter/
Platforms: Linux
Summary:

FieryFilter is an interactive desktop firewall for Linux. It will ask the
user every time a new network connection is made if they want to allow or
deny it. The user is able to generate rules from connections and thus
minimize the amount of questions asked.

3. apachelogrotate.pl v0.1.2
by Hatto von Hatzfeld
Relevant URL:
http://www.salesianer.de/util/apachelog.html
Platforms: Linux, UNIX
Summary:

apachelogrotate.pl rotates and packs the logfiles of the Apache Web server
on a Linux system without interrupting its service and without the need
for a permanent change in the Web server configuration. Assuming that
Apache is running, it will identify the log files which have to be rotated
without any configuration, making it easy to install. By default, logfiles
with more than 10 MB are rotated, but this parameter may be changed and/or
a daily, monthly, or yearly rotation period can be configured.
Documentation is included in the script itself.

VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: BlackHat

Spooked about Windows security? Getting "slammed" hard by worms? Find
all of the solutions at Black Hat Windows Security Briefings & Training,
February 24-27 in Seattle, the world's premier technical event for Windows
security experts. All of the top experts you've read about recently are
speaking. Fully supported by Microsoft, with new MS hosted training
sessions just added!

Visit www.blackhat.com to register.
-------------------------------------------------------------------------------
