RE: [Full-Disclosure] Packet/Signature-based Firewall
PacketShaper is a Firewall; well I didn't know that... :P

FYI: It is a network traffic management product (maybe somewhat more than that but now a Firewall)

Regards,
Debasis Mohanty
www.hackingspirits.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John
Sent: Saturday, January 22, 2005 11:31 AM
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Packet/Signature-based Firewall

Hi

I was wondering are there any Budget/OpenSource signature-based firewall around like the one Packeteer has? (packetshaper)

Thanks.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] [ GLSA 200501-30 ] CUPS: Stack overflow in included Xpdf code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200501-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: CUPS: Stack overflow in included Xpdf code
      Date: January 22, 2005
      Bugs: #78249
        ID: 200501-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

CUPS includes Xpdf code and therefore is vulnerable to the recent stack overflow issue, potentially resulting in the remote execution of arbitrary code.

Background
==========

The Common UNIX Printing System (CUPS) is a cross-platform print spooler. It makes use of Xpdf code to handle PDF files.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  net-print/cups     < 1.1.23-r1                       >= 1.1.23-r1

Description
===========

The Decrypt::makeFileKey2 function in Xpdf's Decrypt.cc insufficiently checks boundaries when processing /Encrypt /Length tags in PDF files (GLSA 200501-28).

Impact
======

This issue could be exploited by a remote attacker to execute arbitrary code by sending a malicious print job to a CUPS spooler.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CUPS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =net-print/cups-1.1.23-r1

References
==========

  [ 1 ] CAN-2005-0064
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
  [ 2 ] GLSA 200501-28
        http://www.gentoo.org/security/en/glsa/glsa-200501-28.xml

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-30.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
RE: [Full-Disclosure] Scan for IRC
How do u know that you are looking for the irc traffic ? Somewhere you must have seen connections going out to some host or some connection attempts. You could always try sniffing using that ip address on all ports if you have set up everything else correctly... However if something is not set up correctly then you would have to troubleshoot this.

Maybe posting some more info will help us all diagnose this for you and help u out - maybe offlist ?

-aditya

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RandallM
Sent: Saturday, January 22, 2005 05:04 AM
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Scan for IRC

I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

thank you
Randall M

Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
RE: [Full-Disclosure] Packet/Signature-based Firewall
> I was wondering are there any Budget/OpenSource signature-based firewall around like the one Packeteer has? (packetshaper)

Snort with pf on openbsd ? Works for me always, snort is a good IDS and control pf via command execution to dynamically stop attacks as well as it has traffic shaping

-aditya
Re: [Full-Disclosure] Packet/Signature-based Firewall
Yeah. Sorry for the huge mistake, I was thinking since it does reject/block packets, so it actually does a big component of what Firewall is for (correct me if I'm wrong).

According to their website its, PacketShaper is just one component of Packeteer's application traffic management system. This system is delivered in a single appliance with multiple software options that provide:

Thanks. Are there any more solutions apart from snort with pf on openbsd?

Debasis Mohanty wrote:
> PacketShaper is a Firewall; well I didn't know that... :P
>
> FYI: It is a network traffic management product (maybe somewhat more than that but now a Firewall)
>
> Regards,
> Debasis Mohanty
> www.hackingspirits.com
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John
> Sent: Saturday, January 22, 2005 11:31 AM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Packet/Signature-based Firewall
>
> Hi
>
> I was wondering are there any Budget/OpenSource signature-based firewall around like the one Packeteer has? (packetshaper)
>
> Thanks.
Re: [Full-Disclosure] Scan for IRC
Use ngrep to look for signs of irc (i.e. PRIVMSG) instead of just looking for the ports irc (usually, but not always) runs on. something like:

    ngrep -qitd eth0 'privmsg'

will probably get you much better results.

HTH,
Harry

ALD, Aditya, Aditya Lalit Deshmukh wrote:
> How do u know that you are looking for the irc traffic ? Somewhere you must have seen connections going out to some host or some connection attempts. You could always try sniffing using that ip address on all ports if you have set up everything else correctly... However if something is not set up correctly then you would have to troubleshoot this.
>
> Maybe posting some more info will help us all diagnose this for you and help u out - maybe offlist ?
>
> -aditya
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RandallM
> Sent: Saturday, January 22, 2005 05:04 AM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Scan for IRC
>
> I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?
>
> thank you
> Randall M
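The difference between the port filter from the question and payload matching as suggested in the reply, as an added Python example that is not part of the original thread. It goes one step beyond the keyword match by parsing RFC 1459 message lines; the flows, addresses and function names are constructed for illustration.

```python
import re

# Commands a live IRC session reliably shows (RFC 1459).
IRC_COMMANDS = {"NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
                "PING", "PONG", "MODE", "QUIT"}
# RFC 1459 message line: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(rb"^(?::(\S+) )?([A-Za-z]+|\d{3})(?: (.*))?$")

# Constructed sample flows (source, destination port, TCP payload);
# not captured traffic.
FLOWS = [
    ("10.0.0.5", 6667, b"NICK tester\r\nUSER tester 0 * :Test\r\nJOIN #ops\r\n"),
    ("10.0.0.7", 8080, b":nick!u@h PRIVMSG #chan :hello\r\nPING :srv\r\n"),
    ("10.0.0.9", 6667, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.9", 80, b"POST /f HTTP/1.1\r\nHost: example.test\r\n\r\nq=privmsg+docs"),
]


def irc_hits(payload):
    """Count lines that parse as IRC messages carrying a known command."""
    hits = 0
    for raw in payload.split(b"\n"):
        line = raw.rstrip(b"\r")
        m = IRC_LINE.match(line)
        if m is None or len(line) > 510:  # 512-byte limit includes CRLF
            continue
        prefix, command = m.group(1), m.group(2).decode("ascii").upper()
        # Numeric replies come from servers, which always send a prefix;
        # requiring it keeps SMTP/FTP status lines ("220 ...") from matching.
        if command in IRC_COMMANDS or (command.isdigit() and prefix):
            hits += 1
    return hits


def by_port(flows, ports=(6668, 6669)):
    """The filter from the question: destination port only."""
    return [f"{src}:{port}" for src, port, _ in flows if port in ports]


def by_keyword(flows, keyword=b"privmsg"):
    """Case-insensitive substring match, like ngrep -i 'privmsg'."""
    return [f"{src}:{port}" for src, port, data in flows
            if keyword in data.lower()]


def by_protocol(flows, min_hits=2):
    """Flag a flow once several lines parse as real IRC messages."""
    return [f"{src}:{port}" for src, port, data in flows
            if irc_hits(data) >= min_hits]


if __name__ == "__main__":
    for name, fn in (("port", by_port), ("keyword", by_keyword),
                     ("protocol", by_protocol)):
        print(f"{name:8} -> {fn(FLOWS)}")
```

The keyword match finds the session on port 8080 but also flags an HTTP body that merely contains the word, and it misses a client that has only registered and joined; counting parsed protocol lines handles both cases.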
[Full-Disclosure] NOVL-2005-10096251 GroupWise WebAccess error handling modules (report)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

For Immediate Disclosure

== Summary ==

Security Alert: NOVL-2005-10096251
Title: GroupWise WebAccess Error modules loading (report)
Date: 21-January-2005
Revision: Original
Product Name: GroupWise 6.5, GroupWise 6.5 WebAccess
OS/Platform(s): NetWare, Windows, Linux
Reference URL: http://support.novell.com/servlet/tidfinder/10096251
Vendor Name: Novell, Inc.
Vendor URL: http://www.novell.com
Security Alerts: http://support.novell.com/security-alerts
Affects: login.htt, about.htt
Identifiers: BugTraq 387566 - http://www.securityfocus.com/archive/1/387566
Credits: Marc Ruef maru scip ch, but thanks, too, to Pete Connolly pete connolly btinternet com for actually notifying Novell's security team

== Description ==

By specifying a query string (?error=value, or ?merge=value) on the WebAccess login URL (for example http://webacc.company.com/servlet/webacc?merge=about), an unauthenticated user is able to get read-only access to various public templates and informational files, including the about page for the WebAccess server which includes the version of GroupWise that is installed.

== Impact ==

The server is not granting access to private files, and no files can be modified through this attack. The about page which contains the version of the GroupWise software installed is available, however, it is not considered restricted information, since this same information is available on the normal login URL page.

Customers that are concerned about the version information being made public can edit login.htt and about.htt template files to remove this information. These templates are located in the following default locations:

NetWare - sys:\tomcat\4\webapps\ROOT\WEB-INF\classes\com\novell\webaccess\templates\frames
Linux - /var/opt/novell/gw/WEB-INF/classes/com/novell/webaccess/templates/frames
Windows - C:\NOVELL\JAVA\SERVLETS\COM\NOVELL\WEBACCESS\TEMPLATES\FRAMES

Remove line 313 in login.htt and line 37 in about.htt.

Additionally, Novell will be making changes in the next update of GroupWise, version 6.5.4, to address these issues. The changes will be to ignore any query string parameters if the user is not authenticated.

Q. What files do non-authenticated users have access to?
A. Read only access to template files is allowed, which are stored in a public directory on the server, as well as a version file, which contains the version of the GroupWise software that is installed. There is no security risk in displaying the template files without data--the template files themselves do not contain confidential information. For the GroupWise 6.5.4 release, this will be addressed so that no unauthenticated users will be able to access any information other than the login page.

Q. What query strings expose this behavior?
A. The error query string and the merge query string can be used to access read-only versions of the WebAccess templates and the about information for the server. Note that there is no user data in these templates since the user is not authenticated. The merge query string works in the following way: when a user is logged in, actions that return data are performed. The resulting data is merged into the template specified by merge (or error if an error condition occurred) to produce useable output for the authenticated user. In the case where there is no authentication, there is no data to merge into the template. Authentication is not bypassed and there is no generic or ghost user logged in.

Q. What information or access is inappropriately divulged to unauthenticated users?
A. This approach offers no means for accessing restricted files on the server. If the version information about the server is deemed restricted, the administrator can edit the about.htt and login.htt template files to remove this information. These templates are located at template\frames on an installed WebAccess server.

Q. Is there any way for an attacker to write data into the server through this method?
A. The approach outlined provides no mechanism for modifying data or files on the server.

Q. Is it possible to use HTML injection to carry out a social engineering attack?
A. This supposition is false as the attack described has no ability to modify data or files on the server in order to inject malicious code into WebAccess pages.

== Recommended Actions ==

See detailed instructions in the referenced Technical Information Document (TID) http://support.novell.com/servlet/tidfinder/10096251

== DISCLAIMER ==

The content of this document
Re: [Full-Disclosure] Packet/Signature-based Firewall
> I was wondering are there any Budget/OpenSource signature-based firewall around like the one Packeteer has? (packetshaper)

If you want to make a linux-based solution, you can use Linux netfilter + l7-filter: http://l7-filter.sourceforge.net/. Check also p-o-m on http://www.netfilter.org for additional features.

--
Greg Leclercq
Re: [Full-Disclosure] Packet/Signature-based Firewall
The l7-filter isn't working. What is pom?

>> I was wondering are there any Budget/OpenSource signature-based firewall around like the one Packeteer has? (packetshaper)
>
> If you want to make a linux-based solution, you can use Linux netfilter + l7-filter: http://l7-filter.sourceforge.net/. Check also p-o-m on http://www.netfilter.org for additional features.
Re: [Full-Disclosure] Packet/Signature-based Firewall
> The l7-filter isn't working.

What do you mean by 'not working' ?

> What is pom?

P-o-m is Patch O Matic. It provides additional features by patching netfilter.

I'm not sure I understand what you want. Is 'signature-based firewall' an IPS (Intrusion Prevention System) for you ? Or is it a firewall which recognizes protocols signatures ?

--
Greg Leclercq
Re: [Full-Disclosure] Packet/Signature-based Firewall
Greg Leclercq wrote:
>> The l7-filter isn't working.
>
> What do you mean by 'not working' ?
>
>> What is pom?
>
> P-o-m is Patch O Matic. It provides additional features by patching netfilter.
>
> I'm not sure I understand what you want. Is 'signature-based firewall' an IPS (Intrusion Prevention System) for you ? Or is it a firewall which recognizes protocols signatures ?

A firewall that recognises protocol signatures.
[sb] [Full-Disclosure] [USN-65-1] Apache utility script vulnerability
===========================================================
Ubuntu Security Notice USN-65-1            January 19, 2005
apache vulnerabilities
http://bugs.debian.org/290974
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

apache-utils

The problem can be corrected by upgrading the affected package to version 1.3.31-6ubuntu0.4. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Javier Fernández-Sanguino Peña noticed that the check_forensic script created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
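The class of bug described in this notice, shown beside two hardened forms, as an added Python example that is not taken from the advisory or from the check_forensic script itself (which is a shell script). The file names, the PID and the scratch directory standing in for /tmp are constructed.

```python
import os
import tempfile

NAME = "scratch.{pid}"  # hypothetical predictable name: fixed prefix + PID


def write_predictable(directory, pid, data):
    """Insecure: guessable name, opened with plain open()."""
    path = os.path.join(directory, NAME.format(pid=pid))
    with open(path, "w") as fh:  # follows a symlink already present at path
        fh.write(data)
    return path


def write_exclusive(directory, pid, data):
    """Same name, but O_EXCL refuses any pre-existing entry, links included."""
    path = os.path.join(directory, NAME.format(pid=pid))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def write_mkstemp(directory, data):
    """Preferred: random name, created with O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="scratch.", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def read(path):
    with open(path) as fh:
        return fh.read()


def demo():
    """Run all three writers against a link planted in a scratch directory."""
    out = {}
    with tempfile.TemporaryDirectory() as shared:  # stands in for /tmp
        target = os.path.join(shared, "important.conf")
        with open(target, "w") as fh:
            fh.write("original\n")
        pid = 4242  # constructed PID
        os.symlink(target, os.path.join(shared, NAME.format(pid=pid)))

        try:
            write_exclusive(shared, pid, "report\n")
            out["exclusive_refused"] = False
        except FileExistsError:
            out["exclusive_refused"] = True
        out["mkstemp_is_link"] = os.path.islink(write_mkstemp(shared, "report\n"))
        out["target_after_safe_writers"] = read(target)

        write_predictable(shared, pid, "report\n")
        out["target_after_predictable"] = read(target)
    return out


if __name__ == "__main__":
    print(demo())
```

In a shell script the equivalent of `write_mkstemp` is creating the file with `mktemp` instead of building a name from `$$`.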