
SecurityFocus Linux Newsletter #106

From: Stephen Entwisle <se(at)securityfocus.com>
Date: Mon Nov 11 2002 - 14:24:10 EST




This issue sponsored by: SecurityFocus DPP Program

Attention Universities!! Sign up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml


I. FRONT AND CENTER
  1. Complete Snort-based IDS Architecture, Part One
  2. Polymorphic Macro Viruses, Part Two
  3. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
  1. PHP-Nuke 5.6 Modules.PHP SQL Injection Vulnerability
  2. Michael Krax log2mail Remote Buffer Overflow Vulnerability
  3. Monkey HTTP Server Invalid POST Request Denial Of Service Vulnerability
  4. Jason Orcutt Prometheus Remote File Include Vulnerability
  5. Abuse Local Buffer Overflow Vulnerability
  6. PERL-MailTools Remote Command Execution Vulnerability
  7. The Magic Notebook Invalid Username Denial Of Service Vulnerability
  8. Networking_Utils Remote Command Execution Vulnerability
  9. Frank McIngvale LuxMan Memory File Descriptor Leakage Vulnerability
  10. Linux Kernel 2.4 System Call TF Flag Denial Of Service Vulnerability
  11. Pine From: Field Heap Corruption Vulnerability
  12. Linuxconf mailconf Module Mail Relay Vulnerability
III. LINUX FOCUS LIST SUMMARY
  [No Messages on Focus-Linux This Week]
IV. NEW PRODUCTS FOR LINUX PLATFORMS
  1. NetPilot Plus
  2. ServerCluster
  3. BlackBerry (RIM)
V. NEW TOOLS FOR LINUX PLATFORMS
  1. MAILMILL
  2. Annoyance Filter
  3. Tnefclean
  4. IP Blocker
  5. MailStripper
VI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. Complete Snort-based IDS Architecture, Part One

Many companies find it hard to justify acquiring an IDS because of its perceived high cost of ownership. However, not all IDS systems are prohibitively expensive. This two-part article provides detailed directions for building an affordable intrusion detection architecture from hardware and freely available software.

http://online.securityfocus.com/infocus/1640

2. Polymorphic Macro Viruses, Part Two


This article is the second of a two-part series that will offer a brief overview of polymorphic strategies in macro viruses. This installment will look at the first serious polymorphic macro viruses, as well as the evolution of viruses into true polymorphic and, ultimately, metamorphic viruses.

http://online.securityfocus.com/infocus/1638

3. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops: March 8, 9, 12, 13, & 14
Vendor Expo: March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all! Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY


1. PHP-Nuke 5.6 Modules.PHP SQL Injection Vulnerability
BugTraq ID: 6088
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6088
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Microsoft Windows and Linux.

A SQL injection vulnerability has been reported for PHP-Nuke 5.6.

The vulnerability is due to insufficient sanitization of variables used to construct SQL queries in the 'modules.php' script. By supplying a malformed query string in a request for the vulnerable script, it is possible to modify the logic of the SQL queries it issues.

By injecting SQL code through these variables, an attacker may be able to corrupt database information.

This issue was reported in PHP-Nuke version 5.6. Other versions may also be affected.
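As an added illustration of the bug class described above (this is not PHP-Nuke's code; it is Python with an in-memory SQLite table standing in for the PHP/MySQL portal), the following shows how a request parameter spliced into the query text rewrites the query's logic, next to the bound-parameter form that cannot. The table, column and module names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data (not PHP-Nuke's schema): a table of portal modules."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE modules (name TEXT, active INTEGER)")
    db.executemany("INSERT INTO modules VALUES (?, ?)",
                   [("News", 1), ("Forums", 1), ("Admin", 0)])
    return db


def active_module_vulnerable(db, name):
    """The bug class from the advisory: the request parameter is spliced into the
    SQL text, so quote characters and comment markers in it become part of the
    query's logic.  A value such as  x' OR 1=1 --  turns
        WHERE name = 'x' AND active = 1
    into
        WHERE name = 'x' OR 1=1 --' AND active = 1
    and the 'active = 1' restriction is commented away."""
    sql = "SELECT name FROM modules WHERE name = '%s' AND active = 1" % name
    return [row[0] for row in db.execute(sql)]


def active_module_safe(db, name):
    """The fix: a bound parameter.  The driver passes the value separately from
    the statement, so whatever it contains is compared as data, never parsed."""
    sql = "SELECT name FROM modules WHERE name = ? AND active = 1"
    return [row[0] for row in db.execute(sql, (name,))]


PAYLOAD = "x' OR 1=1 --"   # constructed: a query-string value an attacker might send


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", active_module_vulnerable(db, PAYLOAD))  # inactive 'Admin' leaks too
    print("safe:      ", active_module_safe(db, PAYLOAD))        # no such module: []
```

The vulnerable query returns every row, including the inactive one, because the injected `--` comments out the rest of the WHERE clause; the parameterized query returns nothing, since no module is literally named `x' OR 1=1 --`.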

2. Michael Krax log2mail Remote Buffer Overflow Vulnerability BugTraq ID: 6089
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6089
Summary:

The log2mail daemon is a small utility that watches log files and sends mail when specified patterns are matched. It is available for Linux and Unix operating systems.

Typically, the log2mail daemon is started by init scripts during boot and runs with root privileges.

A remotely exploitable buffer overflow has been discovered in the log2mail daemon. By causing malicious entries to be written to a watched log file (for example, through any network service that logs attacker-supplied data), a remote attacker can overrun a static buffer, resulting in memory corruption.

By exploiting this vulnerability, it may be possible to overwrite sensitive memory variables with attacker-supplied values, resulting in the execution of arbitrary code with the privileges of the daemon, typically root.

This vulnerability was reported in log2mail v0.2.5. It is not yet known whether earlier versions are affected.

3. Monkey HTTP Server Invalid POST Request Denial Of Service Vulnerability BugTraq ID: 6096
Remote: Yes
Date Published: Nov 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6096
Summary:

Monkey is an open source Web server written in C, based on the HTTP/1.1 protocol. It is available for the Linux platform.

A denial of service vulnerability has been reported for Monkey HTTP server. The vulnerability is due to inadequate checks being performed when decoding POST requests.

An attacker can exploit this vulnerability by issuing a POST request with an invalid Content-Length header, or without a Content-Length value. When the server attempts to service the request, it will crash and lead to the denial of service condition.

This vulnerability was reported for Monkey HTTP server 0.50. Earlier versions are likely to be affected by this vulnerability.
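As an added example (written for this newsletter, not taken from Monkey's source), the following is the Content-Length handling a POST decoder needs to survive the malformed requests described above: a missing value, an empty value, a negative or non-numeric value, a value larger than the server is willing to buffer, and a value larger than what the client actually sent. The body limit and status codes are the example's own assumptions.

```python
import re

MAX_BODY = 1 << 20   # assumed upper bound on a POST body; not a Monkey setting


class BadRequest(Exception):
    """Carries the HTTP status the server should answer with instead of crashing."""

    def __init__(self, status, reason):
        super().__init__("%d %s" % (status, reason))
        self.status = status


def body_length(headers, method):
    """Decide how many body bytes to read, or raise BadRequest.

    headers: dict of lower-cased header name -> value (already stripped)."""
    raw = headers.get("content-length")
    if raw is None:
        if method == "POST":
            # A POST with neither a length nor chunked encoding cannot be framed.
            raise BadRequest(411, "Length Required")
        return 0
    # Only plain ASCII digits: rejects "", "-1", "+5", "1e3", "0x10" and
    # non-ASCII digits that int() would otherwise happily convert.
    if re.fullmatch(r"[0-9]+", raw) is None:
        raise BadRequest(400, "malformed Content-Length")
    length = int(raw)
    if length > MAX_BODY:
        raise BadRequest(413, "Request Entity Too Large")
    return length


def parse_request(raw):
    """Parse one HTTP request from bytes; return (method, path, headers, body)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest(400, "header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise BadRequest(400, "malformed request line")
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise BadRequest(400, "malformed header line")
        headers[name.strip().lower()] = value.strip()
    length = body_length(headers, method)
    if len(rest) < length:
        # Never read past what the client sent, and never block waiting for more.
        raise BadRequest(400, "body shorter than Content-Length")
    return method, path, headers, rest[:length]


def status_for(raw):
    """The status this parser would answer a raw request with (200 if accepted)."""
    try:
        parse_request(raw)
        return 200
    except BadRequest as e:
        return e.status


if __name__ == "__main__":
    # Constructed requests: one well-formed POST and the malformed shapes from the advisory.
    print(status_for(b"POST /cgi HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\nhello"))
    print(status_for(b"POST /cgi HTTP/1.1\r\nHost: h\r\n\r\nhello"))              # 411
    print(status_for(b"POST /cgi HTTP/1.1\r\nContent-Length: -1\r\n\r\n"))        # 400
    print(status_for(b"POST /cgi HTTP/1.1\r\nContent-Length: 99999999\r\n\r\n"))  # 413
```

The point is that every branch ends in a status code the server can answer with; the only way to reach the body-reading code is with a non-negative, bounded length that the received data can actually satisfy.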

4. Jason Orcutt Prometheus Remote File Include Vulnerability BugTraq ID: 6087
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6087
Summary:

Jason Orcutt Prometheus is a collection of tools to facilitate the design and implementation of active content Web sites. It is implemented in PHP and is available for Unix and Linux variants as well as Microsoft Windows operating systems.

Prometheus is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers. This issue is present in the following PHP script files provided with Prometheus:

  index.php
  install.php
  test_*.php

An attacker may exploit this by supplying a path to a maliciously created 'autoload.lib' file, located on an attacker-controlled host as a value for the 'PROMETHEUS_LIBRARY_BASE' parameter.

If the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker.

5. Abuse Local Buffer Overflow Vulnerability BugTraq ID: 6094
Remote: No
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6094
Summary:

Abuse is a popular side-scrolling video game. It is available for Linux and Unix operating systems.

Buffer overflow vulnerabilities have been discovered in both the abuse.console and abuse.x11R6 binaries, which are installed setuid 'root' and setgid 'games' respectively.

It is possible to trigger the overflow by passing an excessively long string, roughly 500 bytes, as the value of the '-net' command line argument.

Exploiting this issue would allow a local attacker to overwrite sensitive memory variables, potentially resulting in the execution of arbitrary code with superuser privileges (via abuse.console) or with the privileges of the 'games' group (via abuse.x11R6).

It should be noted that Abuse 2.00, as packaged and distributed for the x86 architecture of Debian Linux 3.0, has been reported vulnerable. It is not yet known if other packages are affected by this

6. PERL-MailTools Remote Command Execution Vulnerability BugTraq ID: 6104
Remote: Yes
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6104
Summary:

The perl-MailTools package is a collection of Perl modules related to mail applications.

A vulnerability has been reported for the Mail::Mailer module, included in the perl-MailTools package, which may allow remote attackers to execute arbitrary commands through the underlying shell with the privileges of the mailx process.

User-supplied input is passed to the mailx mailer, a simple MUA (Mail User Agent), but is not sufficiently sanitized of shell metacharacters before being passed through the shell.

Any applications that use Mail::Mailer directly or indirectly, like custom auto reply programs or spam filters, are vulnerable to attack.

7. The Magic Notebook Invalid Username Denial Of Service Vulnerability BugTraq ID: 6106
Remote: Yes
Date Published: Nov 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6106
Summary:

The Magic Notebook is a web-based application for creating and organizing notes. It will run on Unix and Linux variants.


The Magic Notebook is prone to a denial of service vulnerability. The Magic Notebook reportedly crashes when attempting to handle an invalid username.

Remote attackers may be able to exploit this condition to deny service to legitimate users of the web application.

8. Networking_Utils Remote Command Execution Vulnerability BugTraq ID: 6107
Remote: Yes
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6107
Summary:

Networking_Utils is an application for supplying web access to networking tools such as ping, traceroute and nslookup. Networking_Utils is implemented in PHP and intended to run on Unix and Linux variants.

Networking_Utils is prone to a remote command execution vulnerability.

The issue exists in the implementation of the ping command. Shell metacharacters are not sufficiently sanitized from the domain name or IP address fields, and the input is passed directly through the shell. An attacker may exploit this by supplying input that includes shell metacharacters followed by arbitrary commands, which the underlying shell will interpret and execute with the privileges of the web server.

Exploitation of this issue may allow a remote attacker to gain local, interactive access to the underlying host.

Implementations of the other commands (traceroute, nslookup) may also be affected by this vulnerability.
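Both the Mail::Mailer issue (item 6) and the Networking_Utils ping issue (item 8) are the same defect: user input concatenated into a command line that a shell then parses. The following added example (Python, written for this newsletter; neither project's code) shows the defect, the argv-based fix with an allowlist for the target field, and the weaker quoting fallback. `echo` stands in for `ping`/`mailx` so the demonstration is harmless; the hostname pattern is the example's own assumption about what a ping target should look like.

```python
import ipaddress
import re
import shlex
import subprocess

# Assumed allowlist for a hostname: dot-separated labels of letters, digits and hyphens.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                     r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")


def is_valid_target(s):
    """Allowlist: an IPv4/IPv6 literal or a plain hostname.  Everything else is
    rejected, which keeps ';', '|', '`', '$(' and leading '-' out of the command."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return len(s) <= 253 and HOST_RE.fullmatch(s) is not None


def run_vulnerable(target):
    """What the advisories describe: the field is concatenated into one command
    string and handed to /bin/sh, which parses it ("ping -c 1 <target>" in the
    real application; 'echo PING' here)."""
    out = subprocess.run("echo PING " + target, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def run_argv(target):
    """The fix: validate the field, then pass an argument vector.  No shell ever
    sees the input, so metacharacters have no meaning."""
    if not is_valid_target(target):
        raise ValueError("rejected target: %r" % (target,))
    out = subprocess.run(["echo", "PING", target], capture_output=True, text=True)
    return out.stdout


def run_quoted(target):
    """If a shell string is unavoidable (a fixed pipeline, say), quote the value so
    the shell sees it as one word.  Weaker than run_argv: it does not reject bad
    input, it only stops it from being parsed as shell syntax."""
    out = subprocess.run("echo PING " + shlex.quote(target), shell=True,
                         capture_output=True, text=True)
    return out.stdout


INJECTED = "127.0.0.1; echo INJECTED"   # constructed: a value an attacker might submit

if __name__ == "__main__":
    print(repr(run_vulnerable(INJECTED)))   # second command runs
    print(repr(run_quoted(INJECTED)))       # one harmless argument
    print(is_valid_target(INJECTED))        # False: run_argv refuses it
```

The argv form is the one to reach for: the allowlist fails closed, and the process is started with `execve`, so the payload is at most an odd-looking argument. Quoting alone protects the shell but still lets arbitrary bytes through to the called program.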


9. Frank McIngvale LuxMan Memory File Descriptor Leakage Vulnerability BugTraq ID: 6113
Remote: No
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6113
Summary:

Frank McIngvale LuxMan is a Pac Man-style video game for Linux systems.

A vulnerability exists in LuxMan that could allow a local user read and write access to physical memory through /dev/mem.

It has been reported that the setuid binary 'maped', shipped with LuxMan, leaks open file descriptors to child processes, which may result in unauthorized disclosure of memory. maped holds an open read/write descriptor on /dev/mem and invokes gzip without an explicit path and without closing that descriptor first. A local attacker can therefore create a malicious program named gzip, place its directory at the front of the PATH environment variable, and run maped; the attacker's gzip is executed instead of the real one and inherits the open descriptor on /dev/mem.

An attacker who exploits this vulnerability has read and write access to physical memory. This access could be used to obtain sensitive information such as passwords, or to modify kernel data such as the system call table. Read or write access to memory should be treated as a total compromise of the system.
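The two halves of this bug, an inheritable descriptor and a helper found through the caller's PATH, each have a one-line fix. The added example below (Python, written for this newsletter; not LuxMan's code) opens a scratch file in place of /dev/mem, shows that a child started the leaky way can still use the descriptor, and that opening with O_CLOEXEC or spawning with close_fds=True stops it; it also resolves the helper on a fixed search path instead of $PATH. The child program, the trusted path and the file are the example's own assumptions.

```python
import os
import shutil
import subprocess
import sys
import tempfile

# Child program (stands in for the gzip helper): exits 0 if descriptor argv[1] is
# open and refers to inode argv[2], i.e. if it was inherited from the parent.
CHILD = (
    "import os, sys\n"
    "fd, ino = int(sys.argv[1]), int(sys.argv[2])\n"
    "try:\n"
    "    sys.exit(0 if os.fstat(fd).st_ino == ino else 1)\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
)


def child_inherits(fd, close_fds):
    """Spawn the child and report whether it can still use `fd`."""
    ino = os.fstat(fd).st_ino
    r = subprocess.run([sys.executable, "-c", CHILD, str(fd), str(ino)],
                       close_fds=close_fds)
    return r.returncode == 0


def open_leaky(path):
    """The pattern the advisory describes: a privileged file opened and left
    inheritable (no FD_CLOEXEC) while a helper is exec'ed."""
    fd = os.open(path, os.O_RDWR)
    os.set_inheritable(fd, True)   # Python opens non-inheritable by default; undo that
    return fd


def open_cloexec(path):
    """Fix at the open: the kernel closes the descriptor in the child at exec,
    whatever helper ends up running and however it was located."""
    return os.open(path, os.O_RDWR | os.O_CLOEXEC)


TRUSTED_PATH = "/usr/bin:/bin"   # assumption: where a privileged program should look for helpers


def trusted_helper(name):
    """Locate a helper on a fixed search path rather than the caller's $PATH,
    closing the gzip-in-$PATH substitution the advisory describes."""
    found = shutil.which(name, path=TRUSTED_PATH)
    if found is None:
        raise FileNotFoundError(name)
    return found


def demo():
    """Return (leaked, cloexec_seen, closefds_seen) using a scratch file for /dev/mem."""
    tmp_fd, path = tempfile.mkstemp()
    os.close(tmp_fd)
    try:
        fd = open_leaky(path)
        leaked = child_inherits(fd, close_fds=False)         # True: the child can use it
        closefds_seen = child_inherits(fd, close_fds=True)   # False: subprocess closed it
        os.close(fd)
        fd = open_cloexec(path)
        cloexec_seen = child_inherits(fd, close_fds=False)   # False: exec itself closed it
        os.close(fd)
        return leaked, cloexec_seen, closefds_seen
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())                 # (True, False, False)
    print(trusted_helper("sh"))   # an absolute path under TRUSTED_PATH
```

In a setuid C program the equivalents are `open(path, O_RDWR | O_CLOEXEC)` (or `fcntl(fd, F_SETFD, FD_CLOEXEC)`) and `execve` of an absolute path with a sanitized environment; the descriptor fix matters most, because it holds even when the helper is not the one you intended.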

10. Linux Kernel 2.4 System Call TF Flag Denial Of Service Vulnerability
BugTraq ID: 6115
Remote: No
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6115
Summary:

A denial of service vulnerability has been reported for the Linux kernel. Reportedly, it is possible to stop the kernel from responding by triggering a system call while the TF flag is set.

When a native Linux binary makes a system call, it executes the 'int 0x80' instruction, which traps into kernel mode. Non-native binaries (those built for other x86 Unix ABIs) enter the kernel through the 'lcall7' and 'lcall27' call gates instead. If the TF (trap flag, the single-step bit in EFLAGS) is set when the kernel is entered through one of these call gates, the kernel hangs.

An attacker can exploit this vulnerability by running a program that makes system calls through the lcall7/lcall27 call gates with the TF flag set. Doing so hangs the kernel, denying service to all users; a reboot is necessary to restore functionality.

This vulnerability was fixed in the Linux Kernel 2.4.19.

11. Pine From: Field Heap Corruption Vulnerability
BugTraq ID: 6120
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6120
Summary:

Pine is an open source mail user agent distributed by the University of Washington. It is freely available for Unix, Linux, and Microsoft operating systems.

It is possible to cause a denial of service in Pine by sending an email message with a specially crafted "From:" address. According to the report, the crash can be reproduced by setting the "From:" address to a value such as:

"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.tld

A stack trace suggests that this behaviour may be due to corruption of data in the heap. If that is the case, execution of arbitrary code may be possible.

Note that the user does not have to view the message for the denial of service to take place; the message simply has to be present in the user's Inbox. While a message with this address is present in the Inbox, Pine cannot be started at all, so the message must be removed manually from the spool or by using another MUA.

It is important to note that this specially crafted "From:" address is legal under RFC 2822: the local part is a quoted-string consisting of escaped quotes (quoted-pairs), so it will pass through standards-conforming MTAs untouched.

This issue will reportedly be fixed in Pine 4.50.
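The address above is legal precisely because of the quoted-string and quoted-pair rules, which many hand-written header parsers get wrong. As an added example (written for this newsletter; not Pine's code), the following parses an RFC 2822 addr-spec, decodes a quoted-string local part with its quoted-pairs, and rejects the malformed cases; it only accepts dot-atom domains and does not handle comments, folding whitespace or domain-literals, which is the example's own simplification. The sample address is constructed with a known number of escaped quotes rather than copied from the report.

```python
import re

# RFC 2822 atext, and dot-atom = atext+ ("." atext+)*
ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]"
DOT_ATOM = re.compile(r"%s+(?:\.%s+)*" % (ATEXT, ATEXT))


class AddrError(ValueError):
    pass


def parse_addr_spec(s):
    """Parse  local-part "@" domain  and return (decoded local part, domain).

    The local part may be a dot-atom or a quoted-string.  Inside a quoted-string,
    backslash followed by any character is a quoted-pair standing for that
    character literally, so  "\\""  decodes to a single '"'."""
    if s.startswith('"'):
        chars = []
        i = 1
        while True:
            if i >= len(s):
                raise AddrError("unterminated quoted-string")
            c = s[i]
            if c == "\\":
                if i + 1 >= len(s):
                    raise AddrError("backslash at end of input")
                chars.append(s[i + 1])      # quoted-pair: next character is literal
                i += 2
            elif c == '"':
                i += 1                      # closing quote
                break
            elif c in "\r\n":
                raise AddrError("bare CR or LF inside quoted-string")
            else:
                chars.append(c)
                i += 1
        local = "".join(chars)
    else:
        m = DOT_ATOM.match(s)
        if m is None:
            raise AddrError("local-part is neither dot-atom nor quoted-string")
        local = m.group(0)
        i = m.end()
    if i >= len(s) or s[i] != "@":
        raise AddrError("expected '@' after local-part")
    m = DOT_ATOM.fullmatch(s, i + 1)
    if m is None:
        raise AddrError("domain is not a dot-atom")
    return local, m.group(0)


def is_addr_spec(s):
    try:
        parse_addr_spec(s)
        return True
    except AddrError:
        return False


# Constructed: the shape of the address from the advisory, with exactly 30 escaped
# quotes, so the raw local part is 62 characters and the decoded one is 30.
PINE_STYLE = '"' + '\\"' * 30 + '"@host.tld'

if __name__ == "__main__":
    local, domain = parse_addr_spec(PINE_STYLE)
    print(len(local), domain)   # 30 host.tld
```

Two things a parser must never assume: that the decoded local part is at least as long as the raw one (here it is less than half), and that it can index into the string at the length it computed before decoding. Whatever Pine does internally, the advisory's point stands: input that is syntactically legal can still be hostile, so sizes must come from the decoded data, not from the raw text.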

12. Linuxconf mailconf Module Mail Relay Vulnerability
BugTraq ID: 6118
Remote: Yes
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6118
Summary:

Linuxconf is an administration system that is divided into several modules. The mailconf module is responsible for the configuration of Sendmail.

A vulnerability has been discovered in the mailconf module included with Linuxconf.

It has been reported that the sendmail.cf configuration file generated by the mailconf module contains a bug which could allow message relaying. By specifying a recipient in the form "user%domain@" (the so-called percent hack, which Sendmail rewrites to user@domain before delivery), it is possible to relay messages to hosts outside the network the mail daemon serves.

Exploitation of this issue could allow an attacker to send unauthorized messages from the vulnerable server.

It should be noted that the default configuration file distributed with Sendmail is not vulnerable to this issue. It must have been created by Linuxconf for this vulnerability to be introduced.
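To make the percent hack concrete, and to give administrators something to run against their own RCPT TO logs, here is an added example (Python, written for this newsletter; not Linuxconf's or Sendmail's code) that rewrites a percent-hack recipient the way a relaying MTA would and flags recipients whose final destination lies outside the served domains. The domain names are constructed for the example.

```python
def percent_hack_target(rcpt):
    """For a recipient of the percent-hack form  user%remote.domain@gateway  (the
    gateway part may be empty, as in the advisory's "user%domain@"), return the
    address a relaying MTA would forward it to: user@remote.domain.

    The rightmost '%' is rewritten, so  a%b%c@g  becomes  a%b@c, to be unwound
    again at c.  Returns None for an ordinary address."""
    local, at, _gateway = rcpt.rpartition("@")
    if not at:
        return None
    user, pct, remote = local.rpartition("%")
    if not pct or not user or not remote:
        return None
    return "%s@%s" % (user, remote)


def is_relay_attempt(rcpt, served_domains):
    """True if delivering rcpt would hand the message to a domain this server does
    not serve.  An empty domain is treated as local, which is exactly how the
    advisory's "user%domain@" form slips past a check that only inspects the
    text after the last '@': the real destination is hidden before it."""
    served = {d.lower() for d in served_domains}
    final = percent_hack_target(rcpt) or rcpt
    domain = final.rpartition("@")[2].lower()
    if domain == "":
        return False
    return domain not in served


def flag_relays(rcpts, served_domains):
    """Scan a batch of RCPT TO addresses (e.g. pulled from a log) and return the offenders."""
    return [r for r in rcpts if is_relay_attempt(r, served_domains)]


if __name__ == "__main__":
    # Constructed sample: two legitimate local recipients and one percent-hack relay attempt.
    sample = ["bob@relay.example.com", "carol%relay.example.com@relay.example.com",
              "alice%victim.example@"]
    print(flag_relays(sample, ["relay.example.com"]))   # ['alice%victim.example@']
```

The practical check for a Linuxconf-generated sendmail.cf is to connect from outside the served network and issue `RCPT TO:<user%somewhere.else@>`; a correctly configured server answers with a relaying-denied response, a vulnerable one accepts it. Modern Sendmail's default check_rcpt ruleset strips the `@gateway` part and rechecks `user@somewhere.else` for relaying unless `FEATURE(`loose_relay_check')` is enabled, so that feature should be absent from the generated configuration.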

III. LINUX FOCUS LIST SUMMARY



[No Messages on Focus-Linux This Week]

IV. NEW PRODUCTS FOR LINUX PLATFORMS


1. NetPilot Plus
by Equiinet
Platforms: N/A

NetPilot Plus is an enhanced version of the market-leading NetPilot. This product enables organisations to easily and securely deploy IPSec-based VPNs, Internet access and email facilities, while integrating key communications, networking and server elements into a single secure appliance.

2. ServerCluster
by Stonesoft
Platforms: Linux, Solaris

ServerCluster is a High Availability software solution that:
  • clusters up to 32 servers and applications such as databases, web, mail etc.
  • provides continuous 24x7 monitoring with comprehensive fault detection and automated failover to secondary nodes in the cluster, and therefore service continuity in the event of a failure, without the need for immediate on-site manual intervention.

3. BlackBerry (RIM)
by Research In Motion
Platforms: N/A

BlackBerry™ is an end-to-end wireless email solution that provides quick, easy access to your email, contacts, calendar and task list wherever you go. With BlackBerry, mobile professionals get effortless access to email while on the road and IT departments get centralized administration in a secure solution.

V. NEW TOOLS FOR LINUX PLATFORMS


1. MAILMILL v0.1
by less random
Relevant URL: http://www.metamagix.net/mailmill.html
Platforms: UNIX

MAILMILL is a lightweight mail-receiving component built in Java. It listens on the SMTP port for incoming messages, and once they arrive it looks in its XML-based ruleset for corresponding filters to apply. It is intended for Java developers who need mailserver functionality and want to build their own Java classes for processing incoming mail. Standard filters include forwarding, SMS, SMTP/HTTP conversion (e.g., send a google request by mail) and more.

2. Annoyance Filter v1.0-RC1
by John Walker (kelvin@fourmilab.ch)
Relevant URL: http://www.fourmilab.ch/annoyance-filter/
Platforms: OS Independent

Annoyance Filter sifts mail you wish to read from junk arriving in your mailbox by an adaptive process which gives priority to mail you're interested in reading, and evolves to block cleverly disguised junk mail.


3. Tnefclean v1.0
by The Midnite Marauder
Relevant URL: http://www.dread.net/~striker/tnefclean/
Platforms: UNIX

tnefclean is a Perl script to convert attachments from Microsoft Outlook to a readable format. Previously, people would have to find a way to decipher the winmail.dat attachments that came from Outlook users. This tool will either remove the attachment if there is nothing in it, or change it to represent the proper attachment if it actually exists.

4. IP Blocker v1.0.20021107
by Rob Patrick (freshmeat.net@NOSPAMrpatrick.com)
Relevant URL: http://www.ipblocker.org/
Platforms: UNIX

IP Blocker is an incident response tool for network admins that automatically updates access control lists (ACL) on Cisco routers and other devices. Web and CLI are both supported. Logging, email notification, and automatic expiration of blocks using policy-based TTL values are all supported.

5. MailStripper v0.62
by Michael McConnell
Relevant URL: http://www.eridani.co.uk/MailStripper/
Platforms: Linux, OS Independent, POSIX

MailStripper is a mail scanner that aims to remove spam and viruses from incoming mail. AV capability is provided by a hook to an external virus scanner. Written from the ground up in Tcl, it aims to be MTA-independent, by working on the SMTP transaction.

VI. SPONSOR INFORMATION



SecurityFocus DPP Program

Attention Universities!! Sign up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.


Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

Received on Mon Nov 11 14:55:04 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:26 EDT

