Originally to: All

SecurityFocus Linux Newsletter #123
-----------------------------------
I.   FRONT AND CENTER
     1. Open Source Honeypots, Part Two: Deploying Honeyd in the Wild
     2. IP Spoofing: An Introduction
     3. Iraqi Cyberwar: an Ageless Joke
     4. SecurityFocus DPP Program
II.  LINUX VULNERABILITY SUMMARY
     1. SimpleBBS Users.php Insecure File Permissions Vulnerability
     2. Ethereal SOCKS Dissector Format String Vulnerability
     3. Ethereal NTLMSSP Dissector Heap Corruption Vulnerability
     4. MySQL mysqld Privilege Escalation Vulnerability
     5. PHP-Nuke Multiple SQL Injection Vulnerabilities
     6. MySQL Control Center Insecure Default File Permission...
     7. DeleGate HTTP Proxy Robot.TXT User-Agent: Buffer Overflow...
     8. Multiple PHP-Nuke Forums/Private_Messages SQL Injection...
     9. SaveMyModem Statusbar_Set_Text Buffer Overflow Vulnerability
    10. Multiple Vendor 802.11b Authentication-Failed DOS...
    11. GreyMatter WebLog Remote Command Execution Vulnerability
    12. Man Program Unsafe Return Value Command Execution Vulnerability
    13. Opera Long Filename Download Buffer Overrun Vulnerability
    14. Qpopper Remote Memory Corruption Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. Port 113 security (Thread)
     2. Traffic Shaping. (Thread)
     3. SecurityFocus Article Announcement (Thread)
IV.  NEW PRODUCTS FOR LINUX PLATFORMS
     1. EverLink SRAC Gateway
     2. iChain
     3. NetOp Remote Control
V.   NEW TOOLS FOR LINUX PLATFORMS
     1. eXtended Allow - Deny list for PAM v0.4
     2. C-Kermit v8.0.208
     3. trafcalc v1.0

I. FRONT AND CENTER
-------------------
1. Open Source Honeypots, Part Two: Deploying Honeyd in the Wild
By Lance Spitzner

This is the second part of a three-part series looking at Honeyd, the open source honeypot. In this paper we will deploy Honeyd on the Internet for one week and watch what happens. The intent is to test Honeyd by letting real bad guys interact with and attack it. We will then analyze how the honeypot performed and what it discovered.

http://www.securityfocus.com/infocus/1675

2. IP Spoofing: An Introduction
By Matthew Tanase

Criminals have long employed the tactic of masking their true identity, from disguises to aliases to caller-id blocking. It should come as no surprise, then, that criminals who conduct their nefarious activities on networks and computers should employ such techniques. IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by "spoofing" the IP address of that machine. In this article, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it.

http://www.securityfocus.com/infocus/1674

3. Iraqi Cyberwar: an Ageless Joke
By George Smith

Did U.S. infowar commandos smuggle a deadly computer virus into Iraq inside a printer? Of course not. So why does it keep getting reported?

http://www.securityfocus.com/columnists/147

4. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System. Click here for more information:

http://www.securityfocus.com/corporate/products/dpsection.shtml

II. BUGTRAQ SUMMARY
-------------------
1. SimpleBBS Users.php Insecure File Permissions Vulnerability
BugTraq ID: 7045
Remote: Yes
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7045
Summary:
SimpleBBS is a freely available, open source PHP Bulletin Board. It is available for the Unix and Linux operating systems.

SimpleBBS reportedly creates the user database 'users.php' with world-readable permissions in the SimpleBBS web root. User credentials are stored in plain text format. As a result, anyone who has access to the SimpleBBS website may view the stored user information contained in the SimpleBBS user database.
This vulnerability was reported for SimpleBBS 1.0.6. It is not known if earlier versions are affected by this vulnerability.

2. Ethereal SOCKS Dissector Format String Vulnerability
BugTraq ID: 7049
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7049
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.

The Ethereal SOCKS dissector is a mechanism for decoding the SOCKS protocol. A format string vulnerability has been reported in some versions of this dissector. The vulnerability exists in the packet-socks.c source file.

An attacker can exploit this vulnerability by connecting to a vulnerable SOCKS server and sending malicious format string specifiers to the SOCKS server. If Ethereal is being used as a security tool to monitor network packets, it is possible that sensitive memory may be corrupted. This has been confirmed to result in a denial of service condition. Additionally, it may be possible to cause Ethereal to execute malicious attacker-supplied code.

This vulnerability affects Ethereal 0.9.9 and earlier.

3. Ethereal NTLMSSP Dissector Heap Corruption Vulnerability
BugTraq ID: 7050
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7050
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.

The NTLMSSP (NTLM Security Support Provider) dissector is a mechanism for evaluating packets that use the NTLM protocol. A heap corruption vulnerability has been reported for some versions of the dissector. The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available.
An attacker may be able to exploit this vulnerability by crafting a specially formed packet and sending it to a system using the NTLMSSP dissector, or by convincing a victim user to use Ethereal to read a malformed packet trace file. Due to the nature of this vulnerability it may be possible for an attacker to create a situation in which sensitive memory could be overwritten. If successful, this may allow for the execution of arbitrary code with the privileges of the Ethereal process.

This vulnerability affects Ethereal 0.9.9 and earlier.

4. MySQL mysqld Privilege Escalation Vulnerability
BugTraq ID: 7052
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7052
Summary:
MySQL is an open source relational database project. It is available for the Microsoft Windows, Linux, and Unix operating systems.

A vulnerability has been discovered for MySQL that may allow the mysqld service to start with elevated privileges.

MySQL uses a series of configuration files to set the privileges of the service. The configuration files are typically stored in /etc/my.cnf, DATADIR/my.cnf and ~/.my.cnf. When executed, the mysqld service reads configuration information from /etc/my.cnf first, then DATADIR/my.cnf and finally ~/.my.cnf.

An attacker can exploit this vulnerability by creating a DATADIR/my.cnf that includes the line 'user=root' under the '[mysqld]' option section. Furthermore, the ~/.my.cnf file must not exist. When the mysqld service is executed, it will run as the root user instead of the default user. This may allow an attacker to obtain elevated privileges on a compromised system.

This vulnerability was reported for MySQL 3.23.55.

5. PHP-Nuke Multiple SQL Injection Vulnerabilities
BugTraq ID: 7031
Remote: Yes
Date Published: Mar 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7031
Summary:
PHP-Nuke is a web-based portal system.
Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

Multiple SQL injection vulnerabilities were reported in the 'Members_List' and 'Your_Account' modules of PHP-Nuke. This is due to insufficient sanitization of externally supplied data which is used to construct SQL queries. This data may be supplied via URI parameters in requests for certain module functions.

A remote attacker may take advantage of these issues to inject malicious data into SQL queries, possibly resulting in modification of query logic. The consequences may vary depending on the particular database implementation and the nature of the specific queries. At the very least, it is possible to compromise the PHP-Nuke web portal. SQL injection also makes it possible, under some circumstances, to exploit vulnerabilities that may exist in the database implementation.

This BID will be divided into separate BIDs for each distinct issue and retired when further analysis of these vulnerabilities is complete.

6. MySQL Control Center Insecure Default File Permission Vulnerability
BugTraq ID: 7041
Remote: No
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7041
Summary:
MySQL Control Center (MySQLCC) is a visual administration interface for MySQL database servers and is available for multiple platforms.

A vulnerability has been discovered in MySQLCC. The problem lies in the permissions set on various files used by MySQLCC. Specifically, configuration and connection files used by the application are set world-readable. This may allow a malicious local user to obtain access to sensitive information regarding various MySQL configuration settings.

Access to these files may allow an attacker to obtain information required to carry out further attacks against a target system.

This issue has been addressed in MySQLCC 0.8.9.

7. DeleGate HTTP Proxy Robot.TXT User-Agent: Buffer Overflow Vulnerability
BugTraq ID: 7054
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7054
Summary:
DeleGate is an open source proxy server developed by Yutaka Sato. DeleGate allows for proxying of several application protocols, including HTTP. It is available for multiple platforms, including Microsoft Windows and Unix and Linux variants.

The DeleGate HTTP Proxy component is prone to a remotely exploitable buffer overflow vulnerability. This is due to insufficient bounds checking of User-Agent: fields in remote 'robot.txt' files. It is reported that it is possible to trigger this issue by specifying multiple lines of User-Agent: data in the file, which will cause an internal array of pointers to be overflowed with attacker-supplied data. This will occur when a malicious 'robot.txt' file is retrieved via the proxy.

Successful exploitation may result in execution of malicious code in the security context of the DeleGate proxy server.

This issue was reported in DeleGate versions 8.3.4 and 8.4.0. Other versions may also be affected.

8. Multiple PHP-Nuke Forums/Private_Messages SQL Injection Vulnerabilities
BugTraq ID: 7060
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7060
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

Multiple SQL injection vulnerabilities were reported in the Forums scripts and 'Private_Messages' module of PHP-Nuke. This is due to insufficient sanitization of externally supplied data which is used to construct SQL queries. This data may be supplied via URI parameters in requests for certain functions.

A remote attacker may take advantage of these issues to inject malicious data into SQL queries, possibly resulting in modification of query logic.
The consequences may vary depending on the particular database implementation and the nature of the specific queries. At the very least, it is possible to compromise the PHP-Nuke web portal. SQL injection also makes it possible, under some circumstances, to exploit vulnerabilities that may exist in the database implementation.

This BID will be divided into separate BIDs for each distinct issue and retired when further analysis of these vulnerabilities is complete.

9. SaveMyModem Statusbar_Set_Text Buffer Overflow Vulnerability
BugTraq ID: 7068
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7068
Summary:
SaveMyModem is mail filtering software. It is available for Microsoft Windows and Unix and Linux platforms.

SaveMyModem is prone to a buffer overflow in the 'statusbar_set_text' function. In some instances, this function will be called with externally supplied data, such as when messages are processed. The vulnerable function includes a call to vsnprintf(), specifying a source buffer that is much larger than the destination buffer. When the vulnerable function is called with externally supplied data, it may be possible to corrupt sensitive regions of data. This may potentially occur if a message is processed with an excessively long subject.

Successful exploitation will result in code execution in the context of the SaveMyModem process.

10. Multiple Vendor 802.11b Authentication-Failed Denial Of Service Vulnerability
BugTraq ID: 7069
Remote: Yes
Date Published: Mar 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7069
Summary:
A vulnerability has been reported in some operating systems that are capable of handling 802.11b traffic. This issue has been reported as affecting Linux and Microsoft Windows operating systems.

Some operating systems do not handle specific types of 802.11b traffic properly. Upon receiving maliciously crafted packets, the client driver may drop all active sessions and fail.
A reboot may be required to resume normal functionality.

The problem is in the handling of Authentication-Failed packets. By sending an Authentication-Failed packet to a host with a reason code of a failed authentication that has previously occurred, a host may react unpredictably, dropping all sessions, and the client software potentially failing. It should be noted that the source and destination MAC addresses of the Authentication-Failed packets are spoofed to appear as though their origin is the Wireless Access Point. The attack is typically performed by sending the packets directly to an 802.11b client. Therefore, this type of attack will evade network intrusion detection, and may additionally circumvent WEP.

11. GreyMatter WebLog Remote Command Execution Vulnerability
BugTraq ID: 7055
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7055
Summary:
GreyMatter WebLog is an open source weblog software package available for the Unix and Linux operating systems. A problem in the software may allow unauthorized access to systems using the vulnerable software.

It has been reported that a problem in GreyMatter weblog may allow unauthorized access to systems. Due to improper sanitization of untrusted input, it may be possible for a remote user to execute commands on the local system.

The problem is in the handling of user comments by the weblog software. Due to improper sanitization of the input passed through the weblog comments fields, an attacker could potentially insert specially crafted commands such as <?php system(echo($cmd)) ?>. This would in turn result in the execution of these commands with the privileges of the web server process.

12. Man Program Unsafe Return Value Command Execution Vulnerability
BugTraq ID: 7066
Remote: No
Date Published: Mar 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7066
Summary:
Man is a freely available, open source manual page program.
It is available mainly for Linux operating systems, though it can be used on other UNIX operating system variants. A problem with the program may make it possible to launch local attacks on users through malicious man pages.

It has been reported that the man program does not properly handle some types of input. When a man page is processed that could pose a potential security risk, the program reacts in a way that may open a window of opportunity for an attacker to execute arbitrary commands.

The problem is in the value returned by the man program when a potentially dangerous man page is processed. The man program returns the string 'unsafe', which is in turn passed to a system() call. If a program located in the user's path were named 'unsafe', that program would be executed with the privileges of the user running man.

13. Opera Long Filename Download Buffer Overrun Vulnerability
BugTraq ID: 7056
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7056
Summary:
Opera is a web browser available for a number of platforms, including Microsoft Windows, Linux and Unix variants and Apple MacOS.

A vulnerability has been discovered in various versions of Opera on the Microsoft Windows platform. When specific types of files are downloaded by Opera, the transfer is displayed within a 'Download Dialog'. Due to insufficient bounds checking when processing the requested filename, it may be possible for memory to be corrupted.

Specifically, when a filename is to be displayed within the 'Download Dialog' the type of file must be verified. When this occurs, the filename in question is copied into a static buffer on the stack. By hosting a downloadable file with a name of excessive length, it may be possible for an attacker to overwrite sensitive memory locations within Opera.

Successful exploitation of this issue would result in the execution of arbitrary attacker-supplied commands.
It should be noted that this issue affects Opera versions 6 and 7 on the Microsoft Windows platform.

14. Qpopper Remote Memory Corruption Vulnerability
BugTraq ID: 7058
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7058
Summary:
Qpopper is a POP3 mail server available for Linux and Unix based systems.

A vulnerability has been discovered when calling the 'mdef' command. The issue presents itself due to an incorrect assumption about the Qvsnprintf() function. The function is meant to be a replacement for the C function vsnprintf() but, unlike the latter function, Qvsnprintf() fails to NULL terminate buffers.

A memory corruption vulnerability has been discovered in Qpopper when processing a malicious 'mdef' command, as a result of the lack of NULL termination by Qvsnprintf(). The vulnerability specifically occurs in the pop_msg() function when filling the 'message' buffer with a user-supplied macro name. The pop_msg() function incorrectly assumes that the 'message' buffer will be null terminated after being filled via the Qvsnprintf() function. A CRLF sequence and null terminator (CRLF+N) is later appended to the data, which may overwrite memory at a location adjacent to the buffer. By exploiting this to overwrite the LSB of a saved frame pointer, it is possible to influence the program in such a way that attacker-supplied instructions can be executed.

This vulnerability affects Qpopper versions 4.0.4 and earlier. It should be noted that the exploitability of this issue is highly dependent on the memory layout, which will likely be influenced by compiler optimization.

III. LINUX FOCUS LIST SUMMARY
----------------------------
1. Port 113 security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/314827

2. Traffic Shaping. (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/314730

3. SecurityFocus Article Announcement (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/314566

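The SaveMyModem (item 9) and Qpopper (item 14) entries above describe the same defect class: a formatting call bounded by the size of the wrong buffer, or one that does not guarantee a terminator, followed by code that assumes a terminated string and appends to it. The C below is an added illustration and is not code from either project. The names bounded_format() and build_error_line() are hypothetical; the first bounds vsnprintf() by the destination size and always terminates, the second appends the CRLF only after proving it fits. The inputs are constructed for the stand-alone run.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a bounded formatting call. */
enum fmt_result { FMT_ERROR = -1, FMT_OK = 0, FMT_TRUNCATED = 1 };

/*
 * Format into dst, bounded by the DESTINATION size (never by the size of some
 * larger source buffer), and guarantee NUL termination even when the output
 * is truncated.  Returns FMT_TRUNCATED when the full text did not fit.
 */
static enum fmt_result bounded_format(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (dst == NULL || dstlen == 0)
        return FMT_ERROR;

    va_start(ap, fmt);
    needed = vsnprintf(dst, dstlen, fmt, ap);   /* C99: terminates when dstlen > 0 */
    va_end(ap);

    if (needed < 0) {
        dst[0] = '\0';
        return FMT_ERROR;
    }
    /* vsnprintf returns the length it WANTED to write; compare with the bound. */
    return ((size_t)needed >= dstlen) ? FMT_TRUNCATED : FMT_OK;
}

/*
 * Build a POP3-style reply "-ERR Unknown macro: <name>\r\n" into buf.
 * The CRLF is appended only after checking that it and the terminator fit,
 * so the caller's buffer is the only bound.  Returns the final length, or -1
 * if the line could not be built without truncation (buf stays terminated).
 */
static int build_error_line(char *buf, size_t buflen, const char *macro)
{
    size_t len;

    if (bounded_format(buf, buflen, "-ERR Unknown macro: %s", macro) != FMT_OK)
        return -1;

    len = strlen(buf);                 /* safe: bounded_format terminated buf */
    if (len + 2 + 1 > buflen)          /* room for "\r\n" plus the NUL? */
        return -1;
    buf[len] = '\r';
    buf[len + 1] = '\n';
    buf[len + 2] = '\0';
    return (int)(len + 2);
}

/* Returns 1 if buf holds a NUL somewhere within its first buflen bytes. */
static int is_terminated(const char *buf, size_t buflen)
{
    return memchr(buf, '\0', buflen) != NULL;
}

/* Scenario: a short (constructed) macro name that fits; returns the line length. */
static int scenario_fits(void)
{
    char buf[64];
    return build_error_line(buf, sizeof buf, "LANG");
}

/* Scenario: a 199-byte name into a 32-byte buffer; returns 1 if the call was
 * refused AND the buffer is still terminated at its last byte. */
static int scenario_overlong_is_safe(void)
{
    char buf[32], name[200];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return build_error_line(buf, sizeof buf, name) == -1
        && is_terminated(buf, sizeof buf)
        && strlen(buf) == sizeof buf - 1;
}

int main(void)
{
    printf("short name: %d bytes written\n", scenario_fits());
    printf("overlong name refused, buffer still terminated: %d\n", scenario_overlong_is_safe());
    return 0;
}
```

The check against the value vsnprintf() returns is the part both advisories lack: a caller that only looks at the buffer afterwards cannot tell a full buffer from a truncated one.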
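The MySQL entry (item 4) above turns on the order in which mysqld reads its option files and on which group the 'user' line sits in. The C below is an added example, not MySQL's option-file parser: effective_mysqld_user() (a hypothetical name) walks option-file texts in the /etc/my.cnf, DATADIR/my.cnf, ~/.my.cnf order, with NULL standing for an absent file, and reports the user the [mysqld] group resolves to, so an administrator can see whether a stray DATADIR/my.cnf would take effect. The three sample files are constructed in memory; a real check would read the files from disk first.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER 64

/* Trim surrounding whitespace in place; returns a pointer into s. */
static char *trim(char *s)
{
    char *end;
    while (isspace((unsigned char)*s))
        s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        end--;
    *end = '\0';
    return s;
}

/*
 * Scan one option-file text for "user = ..." inside the [mysqld] group only
 * (the same key under [client] is not a server setting).  Copies the value
 * into out and returns 1 when found; leaves out untouched and returns 0
 * otherwise.  A later line in the same file overrides an earlier one.
 */
static int find_mysqld_user(const char *text, char out[MAX_USER])
{
    char line[256];
    int in_mysqld = 0, found = 0;
    const char *p = text;

    while (*p != '\0') {
        size_t full = strcspn(p, "\n");
        size_t n = full < sizeof line ? full : sizeof line - 1;
        char *l, *eq;

        memcpy(line, p, n);
        line[n] = '\0';
        p += full;
        if (*p == '\n')
            p++;

        l = trim(line);
        if (*l == '\0' || *l == '#' || *l == ';')
            continue;                               /* blank or comment */
        if (*l == '[') {                            /* group header */
            char *close = strchr(l, ']');
            if (close != NULL)
                *close = '\0';
            in_mysqld = (strcmp(trim(l + 1), "mysqld") == 0);
            continue;
        }
        if (!in_mysqld || (eq = strchr(l, '=')) == NULL)
            continue;
        *eq = '\0';
        if (strcmp(trim(l), "user") == 0) {
            snprintf(out, MAX_USER, "%s", trim(eq + 1));
            found = 1;
        }
    }
    return found;
}

/*
 * Resolve the effective mysqld user across option files given in the order
 * the advisory describes (/etc/my.cnf, DATADIR/my.cnf, ~/.my.cnf).  Each
 * later file overrides the earlier ones; a NULL entry models an absent file.
 * Returns 1 if any file set the user.
 */
static int effective_mysqld_user(const char *const sources[], size_t count, char out[MAX_USER])
{
    int set = 0;
    size_t i;

    out[0] = '\0';
    for (i = 0; i < count; i++)
        if (sources[i] != NULL && find_mysqld_user(sources[i], out))
            set = 1;
    return set;
}

/* Returns 1 if the resolved [mysqld] user equals expected. */
static int effective_user_equals(const char *const sources[], size_t count, const char *expected)
{
    char user[MAX_USER];
    return effective_mysqld_user(sources, count, user) && strcmp(user, expected) == 0;
}

/* Returns 1 if this set of option files would start mysqld as root. */
static int mysqld_would_run_as_root(const char *const sources[], size_t count)
{
    return effective_user_equals(sources, count, "root");
}

/* Constructed sample option files (not real configuration). */
static const char ETC_MY_CNF[] =
    "# constructed sample of /etc/my.cnf\n"
    "[mysqld]\n"
    "user = mysql\n"
    "datadir = /var/lib/mysql\n";
static const char DATADIR_MY_CNF_ROGUE[] =
    "[client]\n"
    "user=root\n"       /* wrong group: not a server setting */
    "[mysqld]\n"
    "user=root\n";      /* the line the advisory describes */
static const char HOME_MY_CNF[] = "[mysqld]\nuser=mysql\n";

/* Scenarios from the advisory: ~/.my.cnf absent (NULL) versus present. */
static const char *const SCENARIO_ROGUE[3]     = { ETC_MY_CNF, DATADIR_MY_CNF_ROGUE, NULL };
static const char *const SCENARIO_HOME_WINS[3] = { ETC_MY_CNF, DATADIR_MY_CNF_ROGUE, HOME_MY_CNF };

int main(void)
{
    printf("rogue DATADIR/my.cnf, no ~/.my.cnf: root=%d\n", mysqld_would_run_as_root(SCENARIO_ROGUE, 3));
    printf("rogue DATADIR/my.cnf, ~/.my.cnf present: root=%d\n", mysqld_would_run_as_root(SCENARIO_HOME_WINS, 3));
    return 0;
}
```

Passing a shorter count walks only the leading files, which is a convenient way to see the value each stage of the lookup contributes.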
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. EverLink SRAC Gateway
by Anyware Technology
Platforms: N/A
Relevant URL:
http://www.anywareusa.com/products/srac_gateway.htm
Summary:
EverLink SRAC Gateway is a high performance network appliance that integrates many security technologies into a simple network device. Operating at the application layer, the Gateway allows enterprises to build fully secured Virtual Private Networks as easily as PLUG AND PLAY. By incorporating all authentication methods, including PKI and dynamic password, the Gateway provides the most thorough check of a user's identity. For those who have installed VPNs, the Gateway provides enterprises with significant added functionalities and security features to instantly accommodate mobile users anywhere in the world.

2. iChain
by Novell
Platforms: N/A
Relevant URL:
http://www.novell.com/products/ichain/
Summary:
iChain provides identity-based web security services that control access to application and network resources across technical and organizational boundaries, as one Net.

3. NetOp Remote Control
by CrossTec Corporation
Platforms: DOS, Linux, OS/2, Windows 2000, Windows 95/98, Windows CE, Windows NT, Windows XP
Relevant URL:
http://www.crossteccorp.com/netopremote/index.html
Summary:
With New NetOp Remote Control v7.5 you can easily reach any Windows, Linux, Sun Solaris or legacy OS/2 and DOS PC from your desktop or even via any Internet connected PC via our new IE browser Guest. View the remote PC's screen, control its keyboard and mouse, synchronize files, inventory its hardware and software, launch applications or chat with someone at the remote PC -- just as if you were seated at that computer.

V. NEW TOOLS FOR LINUX PLATFORMS
---------------------------------
1. eXtended Allow - Deny list for PAM v0.4
by Adrian Ber [EMAIL PROTECTED]
Relevant URL:
http://www.geocities.com/beradrian/soft/xad/index.html
Platforms: Linux, POSIX
Summary:
XAD is a very easy to configure PAM module. Through a very simple language you can allow or deny access to users.

2. C-Kermit v8.0.208
by Frank da Cruz
Relevant URL:
http://www.columbia.edu/kermit/ckermit.html
Platforms: AIX, FreeBSD, HP-UX, Linux, MacOS, NetBSD, OpenBSD, SCO, Solaris, SunOS
Summary:
C-Kermit is a combined serial and network communication software package offering a consistent, medium-independent, cross-platform approach to connection establishment, terminal sessions, file transfer, character-set translation, numeric and alphanumeric paging, and automation of communication tasks. Recent versions include FTP and HTTP clients as well as an SSH interface, all of which can be scripted and are character-set aware. It supports built-in security methods, including Kerberos IV, Kerberos V, SSL/TLS, and SRP, FTP protocol features such as MLSD, and source-code parity with Kermit 95 2.1 for Windows and OS/2.

3. trafcalc v1.0
by cyberny
Relevant URL:
http://trafcalc.sourceforge.net/
Platforms: Linux, POSIX
Summary:
Trafcalc calculates the size of the TCP payload on a system via packet capturing and connection tracking at the user level instead of the IP level.

-----------------------------------
Posted at TCOB1 - Must not be crossposted to any other echo or network without the prior permission of Sean Rima
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs