[OT] Re: unsubscribe - Procmail Rule

2003-04-25 Thread Phillip Hofmeister
Can anyone enlighten me why my rule didn't catch this message?

:0
* ^X-Mailing-List:[EMAIL PROTECTED]
* ^Subject: .{0,2}sub.{1,5}ibe
/dev/null


I would appreciate it...Thanks.

On Fri, 25 Apr 2003 at 08:20:27AM +0300, Andres wrote:
> unsubscribe
> 
> -
> Hot Mobiil - ringtones, logos and picture messages!
> http://portal.hot.ee
> 
> 
> 

-- 
Phillip Hofmeister
Network Administrator/Systems Engineer
IP3 Inc.
http://www.ip3security.com

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #4: Global warming 
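An added example, mine and not part of Phillip's post: the way I would debug a recipe like this. procmail ANDs every `*` condition in a recipe, so test each one on its own against a saved copy of the message, and then let procmail itself decide with VERBOSE=on, whose log names each condition and says whether it matched. The test message below is constructed and the list address is a placeholder (the real one is redacted on this page). One caveat the grep check cannot show: procmail's regex dialect is not egrep's. procmailrc(5) lists the tokens it shares with egrep, and the {n,m} interval used in the Subject condition is not among them, so that condition can pass under grep -E and still fail in procmail; the rewrite used below avoids intervals.

```shell
#!/bin/sh
# Added example (not from the original post): debug a procmail recipe by
# checking each condition on its own. procmail ANDs all "*" conditions,
# so a single failing one silently drops the whole recipe.
set -eu

# Constructed test message, not real mail. The list address and the
# X-Mailing-List value are placeholders (the real one is redacted above).
TESTMSG=${TMPDIR:-/tmp}/procmail-test.msg
cat > "$TESTMSG" <<'MSG'
From: someone@example.org
To: list@example.org
X-Mailing-List: <list@example.org> archive/latest/12345
Subject: unsubscribe

unsubscribe
MSG

# cond_matches REGEX MSGFILE: exit 0 if REGEX matches a header line.
# Only the header block is searched (procmail's default "H" flag).
# grep -E stands in for procmail's matcher; -i mirrors procmail's
# default case-insensitivity. procmail's own dialect is not egrep's:
# procmailrc(5) lists the tokens it shares with egrep, and {n,m}
# intervals are not among them.
cond_matches() {
    sed '/^$/q' "$2" | grep -Eiq -- "$1"
}

# Subject condition rewritten with tokens both egrep and procmail accept.
# It still catches subscribe/unsubscribe and the usual misspellings.
SUBJ_RE='^Subject:.*sub[a-z]*ibe'
LIST_RE='^X-Mailing-List:.*list@example\.org'

for re in "$LIST_RE" "$SUBJ_RE"; do
    if cond_matches "$re" "$TESTMSG"; then
        echo "match:    $re"
    else
        echo "NO MATCH: $re"
    fi
done

# The authoritative check: feed the saved message to procmail with a
# throw-away rcfile and VERBOSE=on. The log then names each condition
# and says whether it matched. DEFAULT keeps the test message out of the
# real mailbox. (Requires procmail; not run automatically here.)
run_procmail_test() {
    rc=${TMPDIR:-/tmp}/procmail-test.rc
    cat > "$rc" <<'RC'
VERBOSE=on
LOGFILE=/tmp/procmail-test.log
DEFAULT=/tmp/procmail-test.mbox

:0
* ^X-Mailing-List:.*list@example\.org
* ^Subject:.*sub[a-z]*ibe
/dev/null
RC
    procmail "$rc" < "$1" && cat /tmp/procmail-test.log
}
```

Run it as is to see the per-condition grep results; run_procmail_test "$TESTMSG" needs procmail installed and leaves the verbose log in /tmp/procmail-test.log, which is the place to look when a recipe you believe in does not fire.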



Apache http server 2.0

2003-04-25 Thread Kim De Smaele
Hi all,

I experienced a very strange Apache response today in our production
environment at work. A user in a discussion room made a posting containing
the following characters:

,,''

This gave the result that several pages could no longer be displayed.
I also tried this on the search engine http://www.google.com which gave the
same result. No results, and not even the message "no results
found..." could be displayed. If you keep on refreshing you will
notice that the Google logo will also disappear.
On our servers, we didn't notice anything in the logs.

I have done a test with several browsers and I had the same
result every time as described above:

Internet Explorer
Netscape (windows)
Mozilla (Linux)
Opera (Linux)

Personally I'm not sure, but I'm getting the idea that this might be
exploitable. For example, executing code/commands after using the
characters as mentioned above followed by the code or the commands in a
search engine, discussion rooms,...

Kind regards,

Kim De Smaele



Re: Snort exploit in wild.

2003-04-25 Thread Noah Meyerhans
On Fri, Apr 25, 2003 at 10:44:49PM +0100, Nick Boyce wrote:
> The general consensus of opinion (including the Debian packager) was
> that *nobody* should even consider using the V1.8.4 Snort package in
> Woody - it's much too old, and has a number of security issues.

It's not really that it has a number of security issues; It's more that
no new rulesets are being developed for it, and thus it can't detect any
attempts to exploit vulnerabilities more recent than its last ruleset.
Obviously that defeats the purpose of using a rule-based traffic
analyzer like snort.

> Most people's advice was to stop using the Debian package, and instead
> download & compile the latest source from www.snort.org, and keep
> tracking new releases from there - and get signature updates from
> there as well.  This is what I do now.

Yes, that's generally the least disruptive to your Debian system.  I've
seen people run a hybrid woody/sid system just to get the new snort.  If
you build it yourself, you don't need to worry about upgrading to
unstable and unsupported (by the sec team) software.

> Some people think Snort should actually be removed from the Debian
> package collection, because it will always drift seriously out of date
> over time, and because there's no easy way to incorporate up-to-date
> signatures (rules) into Debian.

It would be less of an issue if you could actually *get* new rules for
the version of snort that's in woody.  There wouldn't be anything to
stop you from downloading the new rules (which are distributed
independently of snort itself and updated regularly) and untarring them
into the right place and having the right thing happen.

Yes, snort should probably not be shipping with Debian.  Sticking with
an outdated version of snort is counterproductive and, at the very
least, likely to give you a false sense of security regarding the
traffic hitting your machines.

I wish people were more open to the idea of letting a wholly new version
(say, an up to date 1.9) enter woody with its next revision, but that's
not going to happen.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Snort exploit in wild.

2003-04-25 Thread Nick Boyce
On Fri, 25 Apr 2003 10:19:59 +0100, David Ramsden wrote:

>Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
>exploit the vuln. found in v1.8 through to 1.9.1.
[...]
>What's the status of a patch from Debian Security? No DSA yet either.
>I know this has been brought up a few times already but now an exploit
>exists in the wild.

David, you probably want to look at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=173254
which I submitted after a previous discussion on this list (December
2002) about problems with the Debian stable Snort package being out of
date.

The general consensus of opinion (including the Debian packager) was
that *nobody* should even consider using the V1.8.4 Snort package in
Woody - it's much too old, and has a number of security issues.

Most people's advice was to stop using the Debian package, and instead
download & compile the latest source from www.snort.org, and keep
tracking new releases from there - and get signature updates from
there as well.  This is what I do now.

Some people think Snort should actually be removed from the Debian
package collection, because it will always drift seriously out of date
over time, and because there's no easy way to incorporate up-to-date
signatures (rules) into Debian.

Cheers,

Nick Boyce
Bristol, UK
--
Boycott Amazon till they relent on the 1-click software patent
- http://www.gnu.org/philosophy/amazon.html



Re: Woody security updates

2003-04-25 Thread Drew Scott Daniels
Woody CD updates afaik are only done when stable releases are done.
See http://people.debian.org/~joey/stable.html for details. There are
nightly builds of CDs for Sarge and Sid, but I don't think I've seen any
such thing for stable or oldstable that includes security updates. The
nightly builds can be found through the debian-boot mailing list or
perhaps the debian-installer (d-i) web site (
http://people.debian.org/~mbc/di.html ).

A further note, security updates for Potato are still being done (and will
stop soon iirc), but no further releases will be done. Again see
http://people.debian.org/~joey/stable.html for details.

 Drew Daniels



Information in DSAs on necessary restarts due to library-security-updates

2003-04-25 Thread Markus Amersdorfer
Hi!

As I described in a mail to debian-devel [1], it seems that with library
updates programs using the libraries are generally not restarted.
Nevertheless, for programs/services to use the updated libraries a
restart would be necessary.

Especially with security-updates for such central libraries as the
glibc (e.g. DSA-282), IMHO there should be a warning that programs and
services are _not_ restarted automatically but _must_ be restarted
manually in order to benefit from the security-update. As long as the
programs keep on running, they are still vulnerable.

A generic solution which can be used by all library-packages to inform
the user about this fact was proposed on debian-devel, but does not
exist currently.

I therefore suggest putting this kind of information in any Debian
Security Advisory for library packages (or possibly others too which
need similar actions to be taken by the user).

I'd be glad about any comments. :)


So long,
Max

PS:
If this is not the right list, please let me know and point me to the
correct place where I can suggest this DSA-addon. Thanks

[1]
http://lists.debian.org/debian-devel/2003/debian-devel-200304/msg01189.html

-- 
The first time any man's freedom is trodden on, we're all damaged.
   

http://homex.subnet.at/~max/
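An added example, my own and not from Max's mail or from any Debian tool: the check that tells you which running processes still use the old library after a glibc update. dpkg installs the new file under a new inode and renames it into place, so a process that had the old copy mapped keeps the old inode, and /proc/PID/maps shows that mapping with "(deleted)" appended. The maps excerpt below is constructed; the field layout it assumes is the real one (address perms offset dev inode pathname).

```shell
#!/bin/sh
# Added example (not from the original mail): find processes that still
# map a shared library whose file was replaced by an upgrade. dpkg
# installs the new file under a new inode and renames it over the old
# path, so a process that mapped the old copy keeps the old inode and
# /proc/PID/maps shows that mapping with "(deleted)" appended.
set -u

# deleted_libs MAPSFILE: print each deleted shared-object path once.
# Only pathnames containing ".so" are reported, so deleted temp files
# and anonymous/SysV segments do not produce false alarms.
deleted_libs() {
    sed -n 's/^[^/]*\(\/.*\.so[^ ]*\) (deleted)$/\1/p' "$1" | sort -u
}

# stale_processes: print "PID NAME LIB" for every process that maps a
# deleted shared object. Reading other users' maps files needs root.
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$pid/status" 2>/dev/null)
        deleted_libs "$maps" 2>/dev/null | while read -r lib; do
            echo "$pid ${name:-?} $lib"
        done
    done
}

# Constructed maps excerpt for an sshd started before a glibc update
# (addresses and inode numbers are made up; the field layout is the real
# one: address perms offset dev inode pathname).
SAMPLE=${TMPDIR:-/tmp}/maps.sample
cat > "$SAMPLE" <<'MAPS'
08048000-0805e000 r-xp 00000000 03:01 81953      /usr/sbin/sshd
40000000-40013000 r-xp 00000000 03:01 16419      /lib/ld-2.2.5.so
40021000-40143000 r-xp 00000000 03:01 16422      /lib/libc-2.2.5.so (deleted)
40143000-40149000 rw-p 00121000 03:01 16422      /lib/libc-2.2.5.so (deleted)
40150000-40160000 r-xp 00000000 03:01 16500      /lib/libcrypt-2.2.5.so
40160000-40170000 rw-p 00000000 00:00 0          /tmp/scratch (deleted)
bfffe000-c0000000 rwxp fffff000 00:00 0
MAPS

deleted_libs "$SAMPLE"        # -> /lib/libc-2.2.5.so

# On a live system, after the upgrade:
#   stale_processes          # e.g. "412 sshd /lib/libc-2.2.5.so"
# then restart each listed service (/etc/init.d/ssh restart). For libc
# itself init and nearly everything else is on the list, so a reboot is
# the honest answer.
```

The point of the check is the one Max makes: until a process listed by stale_processes is restarted it is still running the vulnerable code, whatever dpkg and the DSA say.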



Re: apt-check-sigs.pl

2003-04-25 Thread Javier Fernández-Sanguino Peña
On Thu, Apr 24, 2003 at 06:46:11PM +0200, Adam ENDRODI wrote:
> Comments, corrections and enhancements are always welcome.

Please add a proper license in the file. GPL?
http://www.gnu.org/licenses/gpl-howto.html

Regards

Javi




Re: Woody security updates

2003-04-25 Thread Paul Hink
Matthias Faulstich <[EMAIL PROTECTED]> wrote:

> Does this jigdo - file load the latest security updates or are there any 
> other 
> places to download / create CD-Images?

AFAIK no. I think you'll have to apt-get update && apt-get upgrade
immediately after the installation because CDs can never be as up to
date as security.debian.org is.

Paul



Re: pptpd

2003-04-25 Thread Martin Hermanowski
On Fri, Apr 18, 2003 at 07:54:32PM -0400, Noah Meyerhans wrote:
> On Fri, Apr 18, 2003 at 11:09:14PM +0200, Martin Hermanowski wrote:
> > am I missing an update of pptpd? Today an exploit has been posted to
> > bugtraq.
> 
> The update has not yet been released.

What is the problem with this security patch? AFAIK there is only one
line that has to be changed. I am running the Debian Stable pptpd with
this patch and it works (and exploit says the patched version is not
vulnerable, but the original one is).

Regards,
Martin




Team to patch vulnerabilities

2003-04-25 Thread Drew Scott Daniels
Hi,
There are a large number of security issues discussed in the BTS.
http://qa.debian.org/bts-security.html lists almost all of them. I'm
looking at them and trying to create patches for some and bring them to
the attention of the appropriate parties. Any help would be appreciated.

The security team has been releasing advisories like crazy and they seem
very overworked. If non security team people can help patch known security
issues, then Debian, and OpenSource software would be even more secure.
There are other social benefits too...

I've been looking at creating a security audit team, but it looks like far
more help is needed to patch known problems.

 Drew Daniels



fakechroot

2003-04-25 Thread Drew Scott Daniels
For those that missed it on Debian-devel, there's a patched version of
fakeroot that does chroot too. You can read about it and better/worse
alternatives in the thread at:
http://lists.debian.org/debian-devel/2003/debian-devel-200304/msg00747.html

 Drew Daniels



Re: Secure remote syslogging?

2003-04-25 Thread Lars Ellenberg
On Thu, Apr 24, 2003 at 08:52:10PM +0200, Jose Luis Domingo Lopez wrote:

8< syslog-ng --> named pipe --> perl script --> ssh tunnel --> SQL DB

> destination d_logpipe { pipe("/tmp/pipe" owner("someone") template("\(
>   '$HOST', '$ISODATE', '$FACILITY', +'$PRIORITY', '$MESSAGE' \)\n") ); };

you need syslog-ng >= 1.5.3 for the template to work, iirc.
and if you go thus far, why not
template("INSERT INTO logs VALUES ... \( ... \);\n"), and then simply
mysql -h 127.0.0.1 -... -D logs < /tmp/pipe ?
what about forged messages containing queries themselves?
logger -p kern.err "'); DELETE *.* FROM logs;#"  =]
you need to quote the input somehow.

so here my suggestion (despite the fact that you hit plenty of stuff when
googling on that matter):
since the content of the other macros is well defined, 
and you use a perl script anyways, why not use
template("$HOST $ISODATE $FACILITY $PRIORITY $MESSAGE\n"), which can
be split on the spaces into its parts, and let perl do the quoting?

and, btw, why not just use the syslog format as is?
works with syslog (old generation), too.
(ok, with -og, and the default format, to preserve facility/priority
 you'd need to setup one pipe for each class you want to distinguish...)

and, if you don't mind, please use DBI/DBD::mysql
(or whatever DBD submodule you like).

old syslog.conf:
*.* |/some/fifo
-ng:
destination d_logpipe { pipe("/some/fifo"); } ...
  with $syslog_ng_template=0 below!
or 
destination d_logpipe { pipe("/some/fifo"); 
  template("$HOST $ISODATE $FACILITY $PRIORITY $MESSAGE\n"); }
  and set $syslog_ng_template=1 below.

use strict;
use DBI ();

my $syslog_ng_template=1;

my $driver="mysql";
my $sqlhost="127.0.0.1"; # possibly (ssh) tunnel to somewhere else
my $port=3306;
my $database="logs";
my $user="joseluis";
my $password="joseluis";
my ($sth,$dbh, $host,$time,$facility,$priority,$msg);

# RaiseError will raise an exception, i.e. die(), on errors.
# ->prepare("... ?,?,? ") and execute(arg1,arg2,...) will do the
# necessary quoting and interpolation for you, and even perform better.

sub try_connect() {
  # you may want to ping the db here
  # or eval { $dbh->disconnect } if $dbh;
  $dbh = DBI->connect("DBI:$driver:database=$database;host=$sqlhost;port=$port;",
                      $user,$password,
                      { RaiseError => 1 , AutoCommit => 1 });
  if ($syslog_ng_template) {
    $sth = $dbh->prepare("INSERT INTO logs.testbox "
                        ."(host,time,facility,priority,message) "
                        ."VALUES (?,?,?,?,?)");
  } else {
    $sth = $dbh->prepare("INSERT INTO logs.testbox "
                        ."(host,time,message) "
                        ."VALUES (?,?,?)");
  }
}

# you might want to move this into the eval below
open ( LOGPIPE, "< /tmp/pipe" ) or die "open LOGPIPE: $!\n";

while(1) { # forever
  eval { # catch db errors
    try_connect;
    while ( my $log = <LOGPIPE> ) {
      if ($syslog_ng_template) {
        # "$HOST $ISODATE $FACILITY $PRIORITY $MESSAGE" template
        ($host,$time,$facility,$priority,$msg) =
          $log =~ /^(\S+) (\S+) (\S+) (\S+) (.*)$/;
        $sth->execute($host,$time,$facility,$priority,$msg);
      } else {
        # classic syslog line: "Mon DD HH:MM:SS host message"
        ($time,$host,$msg) = $log =~ /^(\S+ \S+ \S+) (\S+) (.*)$/;
        $sth->execute($host,$time,$msg);
      }
    }
  };
  warn($@) if $@;
}

> Hope it helps.
ditto :)

Lars



Woody security updates

2003-04-25 Thread Matthias Faulstich
Hi all!

Regularly, security updates for Debian Woody are being announced and
recommended for installation. The update packages, as I understand, are
available from the network for installation with apt under
deb http://security.debian.org/ woody/updates main contrib non-free.

But what about CD Images for update?
The jigdo file for the woody - update -CD
http://non-us.cdimage.debian.org/jigdo-area/3.0_r1/jigdo/i386/debian-update-3.0r1-i386.jigdo
shows the modification date 10-Jan-2003.

Does this jigdo - file load the latest security updates or are there any other 
places to download / create CD-Images?

Thanks a lot,
Matthias.




Re: SPAMMED ONCE AGIN !!! (Was: Re: Under 10 bucks, cell phone antenna boosters. qmnh coxehywqphhnsg)

2003-04-25 Thread Michelle Konzack
Hello Rich, 

At 10:42 2003-04-14 -0500, Rich Puhek wrote:

>Well, no. If you look carefully, you have managed to leak that address 
>to the list before. On March 17, 2003, for instance (Message-Id: 
><[EMAIL PROTECTED]>) you posted a 
>reply to a question. Although you set your From address to be the 
>"linux4michelle" address, you also ended up with the following line:
>
>X-Sender: [EMAIL PROTECTED] (Unverified)

Because I have no internet access at home, I can not use mutt to
send the messages... I need to use a Windows client and then I transfer
it on floppies to the Internet cafe and send it with a Windows
program...

So I can not rewrite anything...

>So, your MUA or MTA has leaked that address, without anyone needing to
>do a lookup on the Debian servers.

In some days I will get my new mobile telephone,
which I will connect to my router at home...

If it works, I can use mutt in the future. - uff ! (But only for sending,
because downloading 1 MByte of Debian lists each day is too expensive)

>That is a nice approach to handling the spam problem, but as you can 
>see, one must be very careful to prevent leaking the subscribed to address.

have a nice Evening
Michelle

-- 
Registered Linux-User #280138 with the Linux Counter, http://counter.li.org.



Re: Snort exploit in wild.

2003-04-25 Thread David Ramsden
- Forwarded message from Marcel Weber <[EMAIL PROTECTED]> -

From: Marcel Weber <[EMAIL PROTECTED]>
To: David Ramsden <[EMAIL PROTECTED]>
Cc: debian-security@lists.debian.org
Subject: Re: Snort exploit in wild.
X-Virus-Scanned: by AMaViS and OpenAntivirus ScannerDaemon
X-Spam-Status: No, hits=-4.4 required=5.0 tests=IN_REP_TO version=2.20
X-Spam-Level: 

David Ramsden wrote:

>Hi,
>
>Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
>exploit the vuln. found in v1.8 through to 1.9.1.
>
>Packet Storm Security have this proof of concept on their site (local
>exploit at the moment).
>It uses a call-back technique to spawn a shell on the attacker's machine,
>via a connection from the compromised machine.
>I've not tried this on my Debian machines yet, so can't say if it works
>- You'd need the return address for Debian as only Slackware is supported
>in this proof of concept.
>
>What's the status of a patch from Debian Security? No DSA yet either.
>I know this has been brought up a few times already but now an exploit
>exists in the wild.
>
>As a workaround, I could disable snort (granted) but also, how can I use
>/etc/apt/preferences to update /just/ snort to a non-vuln. version from
>another branch (unstable/testing)? What line do I need in
>/etc/apt/sources.list? And how easy is it to downgrade to the stable
>version if something goes wrong or a patch is released from Debian?
>
>Thanks for all the help and regards,
>David.

Hi

Following the advice from heise.de [1] it should be enough to comment 
out the line:

preprocessor stream4_reassemble

in your /etc/snort/snort.conf

as the vulnerability is in this module. Of course you will lose some 
information. But safer is better ;-)

Regards

Marcel

[1] 
(http://www.heise.de/newsticker/result.xhtml?url=/newsticker/data/pab-16.04.03-000/default.shtml&words=Snort)

- End forwarded message -

-- 
 .''`. David Ramsden <[EMAIL PROTECTED]>
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Snort exploit in wild.

2003-04-25 Thread Gian Piero Carrubba
On Fri, 2003-04-25 at 11:19, David Ramsden wrote:

> Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
> exploit the vuln. found in v1.8 through to 1.9.1.

up to 2.0rc1 as reported by cert

> What's the status of a patch from Debian Security? No DSA yet either.
> I know this has been brought up a few times already but now an exploit
> exists in the wild.

don't know if the debian package is affected, however it should

> As a workaround, I could disable snort (granted) but also, how can I use
> /etc/apt/preferences to update /just/ snort to a non-vuln. version from
> another branch (unstable/testing)? What line do I need in
> /etc/apt/sources.list? And how easy is it to downgrade to the stable
> version if something goes wrong or a patch is released from Debian?

don't do it... unstable/snort depends on a libc version not available in
stable, and maybe there are some other unresolved dependencies...
instead get the deb-src and try to recompile... i think it's not so
linear, but it should work... 

in the meantime (from the cert advisory):

> Disable affected preprocessor modules
>
> Sites  that  are  unable to immediately upgrade affected Snort sensors
> may  prevent  exploitation of this vulnerability by commenting out the
> affected preprocessor modules in the "snort.conf" configuration file.
> 
> To prevent exploitation of VU#139129, comment out the following line:
>
> preprocessor stream4_reassemble
>
> To prevent exploitation of VU#916785, comment out the following line:
>
> preprocessor rpc_decode: 111 32771
>
> After commenting out the affected modules, send a SIGHUP signal to the
> affected   Snort  process  to  update  the  configuration.  Note  that
> disabling these modules may have adverse effects on a sensor's ability
> to correctly process RPC record fragments and TCP packet fragments. In
> particular,  disabling  the "stream4" preprocessor module will prevent
> the Snort sensor from detecting a variety of IDS evasion attacks.

Regards,
Gian Piero.

PS: about the pinning question, please read the apt-howto



Re: Snort exploit in wild.

2003-04-25 Thread David Ramsden
On Fri, Apr 25, 2003 at 12:13:38PM +0200, Marcel Weber wrote:
> David Ramsden wrote:
> 
[snip]
> 
> Following the advice from heise.de [1] it should be enough to comment 
> out the line:
> 
> preprocessor stream4_reassemble
> 
> in your /etc/snort/snort.conf
> 
> as the vulnerability is in this module. Of course you will lose some 
> information. But safer is better ;-)
> 
[snip]
> 
> [1] 
> (http://www.heise.de/newsticker/result.xhtml?url=/newsticker/data/pab-16.04.03-000/default.shtml&words=Snort)

Thank you for the information.
I had a quick look on the bug tracking system for Debian and found
information for the RPC decoder exploit, so have commented that out.

I'll now disable what's been suggested and wait for a DSA.

Thanks for the information on this Marcel.
Kind regards,
David.
-- 
 .''`. David Ramsden <[EMAIL PROTECTED]>
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Snort exploit in wild.

2003-04-25 Thread Marcel Weber

David Ramsden wrote:

> Hi,
>
> Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
> exploit the vuln. found in v1.8 through to 1.9.1.
>
> Packet Storm Security have this proof of concept on their site (local
> exploit at the moment).
> It uses a call-back technique to spawn a shell on the attacker's machine,
> via a connection from the compromised machine.
> I've not tried this on my Debian machines yet, so can't say if it works
> - You'd need the return address for Debian as only Slackware is supported
> in this proof of concept.
>
> What's the status of a patch from Debian Security? No DSA yet either.
> I know this has been brought up a few times already but now an exploit
> exists in the wild.
>
> As a workaround, I could disable snort (granted) but also, how can I use
> /etc/apt/preferences to update /just/ snort to a non-vuln. version from
> another branch (unstable/testing)? What line do I need in
> /etc/apt/sources.list? And how easy is it to downgrade to the stable
> version if something goes wrong or a patch is released from Debian?
>
> Thanks for all the help and regards,
> David.


Hi

Following the advice from heise.de [1] it should be enough to comment 
out the line:


preprocessor stream4_reassemble

in your /etc/snort/snort.conf

as the vulnerability is in this module. Of course you will lose some 
information. But safer is better ;-)


Regards

Marcel

[1] 
(http://www.heise.de/newsticker/result.xhtml?url=/newsticker/data/pab-16.04.03-000/default.shtml&words=Snort)
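An added example, mine and not from Marcel's or Gian Piero's mails or from the CERT advisory they cite: the workaround both describe, applied as a script so it can be repeated on several sensors and verified afterwards. It comments out the stream4_reassemble (VU#139129) and rpc_decode (VU#916785) preprocessor lines, checks that neither is still active, and sends the running snort a SIGHUP. The snort.conf excerpt is constructed, and locating the process with pidof is an assumption (use the pidfile your init script writes if it has one).

```shell
#!/bin/sh
# Added example (not from Marcel's or Gian Piero's mail): apply the CERT
# workaround by commenting out the two affected preprocessor lines in
# snort.conf, verify nothing affected is still active, and make the
# running sensor reread its configuration.
set -eu

# disable_affected_preprocessors CONF: keep a backup as CONF.bak and
# comment out "preprocessor stream4_reassemble..." (VU#139129) and
# "preprocessor rpc_decode..." (VU#916785). Lines that are already
# comments, and other preprocessors, are left untouched.
disable_affected_preprocessors() {
    cp -p "$1" "$1.bak"
    sed -e 's/^\([[:space:]]*preprocessor[[:space:]]\{1,\}stream4_reassemble\)/# disabled (VU#139129): \1/' \
        -e 's/^\([[:space:]]*preprocessor[[:space:]]\{1,\}rpc_decode\)/# disabled (VU#916785): \1/' \
        "$1.bak" > "$1"
}

# affected_preprocessors_enabled CONF: print every still-active affected
# line (prints nothing when the workaround is fully applied).
affected_preprocessors_enabled() {
    grep -E '^[[:space:]]*preprocessor[[:space:]]+(stream4_reassemble|rpc_decode)' "$1" || true
}

# reload_snort: send SIGHUP so snort rereads snort.conf. Locating the
# process via pidof is an assumption; prefer the pidfile your init
# script writes if there is one.
reload_snort() {
    pid=$(pidof snort) || { echo "snort is not running" >&2; return 1; }
    kill -HUP $pid
}

# Constructed excerpt of a 1.9-era snort.conf (not a real file).
SAMPLE=${TMPDIR:-/tmp}/snort.conf.sample
cat > "$SAMPLE" <<'CONF'
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
CONF

disable_affected_preprocessors "$SAMPLE"
affected_preprocessors_enabled "$SAMPLE"   # prints nothing now
grep -n 'disabled' "$SAMPLE"               # shows the two commented lines

# On the real sensor (as root):
#   disable_affected_preprocessors /etc/snort/snort.conf
#   [ -z "$(affected_preprocessors_enabled /etc/snort/snort.conf)" ] && reload_snort
```

Note that only stream4_reassemble is disabled, not the stream4 line itself; as the CERT text says, losing reassembly already costs you a class of evasion detections, so treat this as a stopgap until a fixed package is installed and then restore the backup.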




Snort exploit in wild.

2003-04-25 Thread David Ramsden
Hi,

Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
exploit the vuln. found in v1.8 through to 1.9.1.

Packet Storm Security have this proof of concept on their site (local
exploit at the moment).
It uses a call-back technique to spawn a shell on the attacker's machine,
via a connection from the compromised machine.
I've not tried this on my Debian machines yet, so can't say if it works
- You'd need the return address for Debian as only Slackware is supported
in this proof of concept.

What's the status of a patch from Debian Security? No DSA yet either.
I know this has been brought up a few times already but now an exploit
exists in the wild.

As a workaround, I could disable snort (granted) but also, how can I use
/etc/apt/preferences to update /just/ snort to a non-vuln. version from
another branch (unstable/testing)? What line do I need in
/etc/apt/sources.list? And how easy is it to downgrade to the stable
version if something goes wrong or a patch is released from Debian?

Thanks for all the help and regards,
David.
-- 
 .''`. David Ramsden <[EMAIL PROTECTED]>
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Chkrootkit

2003-04-25 Thread Sven . Riedel
Hi,
this is not exactly a reply to your question, just a general pointer:
whatever you do, don't rely solely on chkrootkit. One woody-box I know
of just recently got cracked, and had the viceroy rootkit installed. It
was a very poorly done rootkit to boot (ls, ps, netstat etc were all
dynamically linked to libc.so.5, which didn't exist on the machine,
/sbin, /bin and /usr/sbin had tons of ext2-attrs attached, /var/log was
wiped and syslogd killed etc).

Turns out, the latest debian chkrootkit (0.40?) didn't find a thing and 
declared the box as clean. 

After seeing that I recommend tripwire over chkrootkit to anyone that
asks, even if tripwire is higher in maintenance.

Regs,
Sven

-- 
Sven Riedel  [EMAIL PROTECTED]
Osteroeder Str. 6 / App. 13  [EMAIL PROTECTED]
38678 Clausthal  "Python is merely Perl for those who
  prefer Pascal to C" (anon)
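An added example, mine and not from Sven's mail: two quick triage checks that would have flagged the rootkit he describes even though chkrootkit reported the box clean: system binaries locked with the ext2 immutable or append-only attribute, and binaries whose shared libraries the dynamic linker cannot resolve (his ls, ps and netstat wanted a libc.so.5 that did not exist). The parsing functions read lsattr(1) and ldd(1) output on stdin, so they are exercised here on constructed samples; on a suspect machine run the tools from a known-good toolchain such as a rescue CD, and be aware that ldd may execute code from the binary it inspects.

```shell
#!/bin/sh
# Added example (not from Sven's mail): two quick triage checks for the
# kind of rootkit described above, which chkrootkit missed: system
# binaries locked with ext2 attributes, and binaries linked against a
# library that does not exist on the machine. Run from a known-good
# toolchain (rescue CD), since ls/lsattr/ldd on the box may be trojaned
# and ldd can execute code from the binary it inspects.
set -u

# locked_files: read lsattr(1) output on stdin, print "PATH FLAGS" for
# files whose flags include i (immutable) or a (append-only). Normal
# system binaries carry neither; rootkits set them to resist cleanup.
locked_files() {
    awk '$1 ~ /^[-a-zA-Z]+$/ && $1 ~ /[ia]/ { print $2, $1 }'
}

# unresolved_libs: read "ldd BINARY" output on stdin, print the names of
# libraries the dynamic linker cannot find (e.g. "libc.so.5 => not found").
unresolved_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# triage DIR...: run both checks over the regular files in each directory.
# Output: "LOCKED PATH FLAGS" and "MISSING PATH LIB" lines.
triage() {
    for d in "$@"; do
        find "$d" -maxdepth 1 -type f 2>/dev/null | while read -r f; do
            lsattr -d "$f" 2>/dev/null | locked_files | sed 's/^/LOCKED /'
            ldd "$f" 2>/dev/null | unresolved_libs | sed "s|^|MISSING $f |"
        done
    done
}

# Constructed samples in the shape lsattr and ldd produce, showing what
# the reported rootkit would look like (flags and addresses are made up).
LSATTR_SAMPLE='----i-------- /bin/ls
------------- /bin/cat
----ia------- /bin/ps'
LDD_SAMPLE='    libc.so.5 => not found
    libncurses.so.5 => /lib/libncurses.so.5 (0x40018000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

printf '%s\n' "$LSATTR_SAMPLE" | locked_files    # /bin/ls and /bin/ps
printf '%s\n' "$LDD_SAMPLE" | unresolved_libs    # libc.so.5

# The other two signs in the report are one-liners:
#   pidof syslogd >/dev/null || echo "syslogd is not running"
#   [ -s /var/log/syslog ] || echo "/var/log/syslog is empty or missing"
# On the real machine: triage /bin /sbin /usr/sbin
```

None of this replaces a tripwire-style baseline taken before the compromise; it is the ten-minute check for the crude rootkits that a signature-based tool such as chkrootkit may not know about.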



Re: Presentation

2003-04-25 Thread Stefan Neufeind
Seems like again somebody is willing to pay the "donation" to debian? 
List-admin ... go ahead :-)



unsubscribe

2003-04-25 Thread Andres
unsubscribe

-
Hot Mobiil - ringtones, logos and picture messages!
http://portal.hot.ee