SecurityFocus Linux Newsletter #107

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Nov 18 2002 - 12:14:31 EST


This Issue is Sponsored by: SpiDynamics

ALERT! -Cross-Site Scripting Holes in Web Applications! Cross-site scripting vulnerabilities in web applications allow hackers to collect confidential user information, manipulate or steal cookies, and create requests that can be mistaken for those of a valid user!! All undetectable by IDS!

Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! http://www.spidynamics.com/mktg/xss20


I. FRONT AND CENTER
  1. Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
  2. .NET/MSIL malicious code and AV/heuristic Engines
  3. Locking Down the Pop-up Perps
  4. Back to the Insecure Future
  5. SecurityFocus DPP Program
  6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
  1. Pine From: Field Heap Corruption Vulnerability
  2. Macromedia JRun IIS ISAPI Filter GET Request Buffer Overrun...
  3. Macromedia JRun Log File/JRun.INI File Disclosure Vulnerability
  4. TCPDump / LIBPCap Trojan Horse Vulnerability
  5. Macromedia JRun Web Server Unicode Source Disclosure Vulnerability
  6. CuteCast User Credential Disclosure Vulnerability
  7. Zeus Web Server Admin Interface Cross Site Scripting Vulnerability
  8. Simple Web Server File Disclosure Vulnerability
  9. MailScanner Attachment Filename Validation Vulnerability
  10. KGPG Key Generation Empty Passphrase Vulnerability
  11. EZ Systems HTTPBench Information Disclosure Vulnerability
  12. KDE Network RESLISA Buffer Overflow Vulnerability
  13. ISC BIND 8 Invalid Expiry Time Denial Of Service Vulnerability
  14. ISC BIND SIG Cached Resource Record Buffer Overflow Vulnerability
  15. Light HTTPD GET Request Buffer Overflow Vulnerability
  16. Xoops WebChat Module Remote SQL Injection Vulnerability
  17. W3Mail File Disclosure Vulnerability
  18. LibHTTPD POST Buffer Overflow Vulnerability
  19. ISC BIND OPT Record Large UDP Denial of Service Vulnerability
III. LINUX FOCUS LIST SUMMARY
  1. NO NEW POSTS FOR THE WEEK ENDING 11.15.02
IV. NEW PRODUCTS FOR LINUX PLATFORM
  1. PakSecured Firewall
  2. Hardlock
  3. InsideOut Firewall Reporter
V. NEW TOOLS FOR LINUX PLATFORMS
  1. shell watchdog v1.1 (dev)
  2. Fast OnlineUpdate for SuSE v0.8.1
  3. RSA implementation in Haskell v1.0.0
  4. Safer Password Generator
  5. NetSplitter v20021112
VI. SPONSOR INFORMATION


I. FRONT AND CENTER

1. Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
By Joe Stewart

In a previous SecurityFocus article, the author described the tools and processes involved in basic reverse engineering of a simple trojan. This article will offer a more detailed examination of the reversing process, using a trojan found in the wild, and focusing on techniques for reversing Windows-native code entirely under Linux.

http://online.securityfocus.com/infocus/1641

2. .NET/MSIL malicious code and AV/heuristic Engines
By Markus Schmall

While the Windows .NET strategy incorporates numerous aspects, this article will focus on what aspects to cover in developing an AV/heuristic engine for this new platform. Specifically, it will address the additions introduced by .NET technologies to standard Windows PE (portable executable) file format and how that will affect the development of an effective heuristic engine. It will also briefly discuss the existing malicious codes for the .NET environment.

http://online.securityfocus.com/infocus/1642

3. Locking Down the Pop-up Perps
By Mark Rasch

Pop-up ads have already inspired civil lawsuits. Here's how federal computer crime law and the USA-PATRIOT Act could put obnoxious advertisers in the pokey ...

http://online.securityfocus.com/columnists/124

4. Back to the Insecure Future
By Richard Forno

Web services, such as Microsoft's .NET platform, represent a return to centralized computing. They also pose some serious security issues.

http://online.securityfocus.com/columnists/123

5. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14
Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY


1. Pine From: Field Heap Corruption Vulnerability
BugTraq ID: 6120
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6120
Summary:

Pine is an open source mail user agent distributed by the University of Washington. It is freely available for Unix, Linux, and Microsoft operating systems.

It is possible to cause a denial of service in Pine by sending an email message with a specially crafted "From:" address. According to the report, the crash can be reproduced by setting the "From:" address to a value such as:

"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.tld

When the condition is triggered, heap memory may be corrupted. It is possible to exploit this memory corruption to cause execution of arbitrary code.

Note that the user does not have to view the message in order for the denial of service to take place; the message simply has to be present in the user's Inbox. While a message with this address is present in the Pine Inbox, it is not possible to start Pine again. The message containing this address must be manually removed from the spool or by using another MUA.

It is important to note that this specially crafted "From:" address is RFC legal.

This issue will reportedly be fixed in Pine 4.50.

2. Macromedia JRun IIS ISAPI Filter GET Request Buffer Overrun Vulnerability
BugTraq ID: 6122
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6122
Summary:

Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application server for use with IIS (Internet Information Server) 4/5 on the Microsoft Windows operating systems. Versions are also available for Unix and Linux variants.

The Macromedia JRun IIS ISAPI handler is prone to a remotely exploitable buffer overrun condition. The issue is due to a lack of bounds checking on requested filenames. It is possible to trigger the overrun by requesting a filename (with extension ".jsp") of length 4096 characters or greater.

For example:

GET /[buffer].jsp HTTP/1.0

The overrun reportedly occurs in stack memory and may be trivially exploited to execute instructions on the target host. The instructions will run with the privileges of IIS.

3. Macromedia JRun Log File/JRun.INI File Disclosure Vulnerability
BugTraq ID: 6125
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6125
Summary:

Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application server for use with IIS (Internet Information Server) 4/5 on the Microsoft Windows operating systems. Versions are also available for Unix and Linux variants.

Macromedia JRun is prone to a file disclosure vulnerability.

It has been reported that this issue may be exploited by remote attackers to retrieve sensitive resources such as JRun log files or the 'jrun.ini' configuration file. This issue is likely due to insufficient input validation of incoming HTTP requests, causing the vulnerable software to serve sensitive content.

Disclosure of this type of sensitive information may lead to further attacks against the vulnerable host.

This issue is specific to JRun running on Microsoft Windows platforms.

4. TCPDump / LIBPCap Trojan Horse Vulnerability
BugTraq ID: 6171
Remote: Yes
Date Published: Nov 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6171
Summary:

tcpdump is a freely available, open source tool for analyzing network traffic. libpcap provides network packet sniffing libraries used by many popular network intrusion detection systems. Both tools are available for the Unix and Linux operating systems.

It has been announced that the server hosting tcpdump and libpcap, www.tcpdump.org, was compromised recently. It has been reported that the intruder made modifications to the source code of tcpdump and libpcap to include trojan horse code. Downloads of the source code of tcpdump and libpcap from www.tcpdump.org, and numerous mirrors, likely contain the trojan code.

Reports say that the trojan will run once upon compilation of tcpdump or libpcap. Once the trojan is executed, it attempts to connect to host 212.146.0.34 on port 1963.

The trojan horse modifications can be found in the configure script and the 'gencode.c' source file. The 'gencode.c' modification affects only libpcap. Reportedly, 'gencode.c' is modified to force libpcap to ignore packets to and from the backdoor program. This is an attempt to hide the back door program's traffic.

The MD5 sums of the trojaned versions are reported to be:

MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz

The MD5 sums of the non-trojaned versions are:

MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz

The non-trojaned versions of these tools are available at the following locations:

http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz

Additionally, the trojan displays similarity to those found in irssi, fragroute, fragrouter, BitchX, OpenSSH, and Sendmail.
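
A triage sketch for the tarball check described in this entry, added here as an example and not part of the original newsletter or of the tcpdump project. It classifies a download by the MD5 sums listed above and, for anything not known-good, looks in the two files the report names for the reported callback address. Searching for the literal address is an assumption about how the trojan stores it, so an empty result proves nothing; the function names and the sample archive are constructed.

```python
import hashlib
import io
import tarfile

# MD5 sums copied from the advisory text above (BID 6171).
TROJANED = {
    "73ba7af963aff7c9e23fa1308a793dca": "libpcap-0.7.1.tar.gz",
    "3a1c2dd3471486f9c7df87029bf2f1e9": "tcpdump-3.6.2.tar.gz",
    "3c410d8434e63fb3931fe77328e4dd88": "tcpdump-3.7.1.tar.gz",
}
CLEAN = {
    "0597c23e3496a5c108097b2a0f1bd0c7": "libpcap-0.7.1.tar.gz",
    "6bc8da35f9eed4e675bfdf04ce312248": "tcpdump-3.6.2.tar.gz",
    "03e5eac68c65b7e6ce8da03b0b0b225e": "tcpdump-3.7.1.tar.gz",
}
# Files the advisory names as modified, and the callback host it reports.
SUSPECT_MEMBERS = ("configure", "gencode.c")
CALLBACK_HOST = b"212.146.0.34"  # assumption: stored as a literal string


def md5_of(fileobj, chunk=65536):
    """Stream a file object through MD5 without loading it whole."""
    h = hashlib.md5()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def classify(filename, digest):
    """Return 'trojaned', 'clean', 'mismatch' or 'unknown'."""
    digest = digest.lower()
    if digest in TROJANED:
        return "trojaned"
    if digest in CLEAN:
        # A known-good sum under a different file name still needs a look.
        return "clean" if CLEAN[digest] == filename else "mismatch"
    return "unknown"


def scan_members(fileobj):
    """List suspect members of a .tar.gz that mention the callback host."""
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            base = member.name.rsplit("/", 1)[-1]
            if member.isfile() and base in SUSPECT_MEMBERS:
                data = tar.extractfile(member).read()
                if CALLBACK_HOST in data:
                    hits.append(member.name)
    return hits


def triage(filename, raw):
    """Combine the hash verdict with the content scan for one tarball."""
    verdict = classify(filename, md5_of(io.BytesIO(raw)))
    hits = scan_members(io.BytesIO(raw)) if verdict != "clean" else []
    if hits and verdict == "unknown":
        verdict = "suspicious"
    return verdict, hits


def build_sample(files):
    """Constructed test input: an in-memory .tar.gz built from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample({
        "pkg-0.0/configure": b"#!/bin/sh\n# constructed: 212.146.0.34 1963\n",
        "pkg-0.0/gencode.c": b"/* constructed, no indicator */\n",
    })
    print(triage("pkg-0.0.tar.gz", sample))
    print(classify("tcpdump-3.7.1.tar.gz", "3c410d8434e63fb3931fe77328e4dd88"))
```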

5. Macromedia JRun Web Server Unicode Source Disclosure Vulnerability
BugTraq ID: 6126
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6126
Summary:

Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application server for use with IIS (Internet Information Server) 4/5 on the Microsoft Windows operating systems. Versions are also available for Unix and Linux variants.

Macromedia JRun ships with a non-production web server, which is intended to be used on internal networks.

The Macromedia JRun Web Server component is prone to a source code disclosure issue. The cause of this issue is reportedly insufficient validation of unicode characters in HTTP requests. A remote attacker may submit a malicious request containing unicode characters and cause the source code of the requested script resource to be displayed instead of interpreted.

Information gathered from a successful attack may aid in further attacks.

This issue is specific to Macromedia JRun running on Unix and Linux platforms.

6. CuteCast User Credential Disclosure Vulnerability
BugTraq ID: 6127
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6127
Summary:

CuteCast is web forum software. It is implemented in Perl and is available for Unix and Linux variants as well as Microsoft Windows operating systems.

CuteCast is prone to an issue which may cause user credentials to be disclosed to remote attackers. CuteCast stores user information in a publicly accessible directory. User information is also stored in plaintext.

Remote attackers may request any individual user files and gain access to user credentials. The attacker may use these credentials to gain unauthorized access to user accounts.

7. Zeus Web Server Admin Interface Cross Site Scripting Vulnerability
BugTraq ID: 6144
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6144
Summary:

Zeus Web Server is a proprietary webserver for Unix, Linux, Sun, BSD, HP-UX, and Apple OS X platforms.

The web based administration interface included in Zeus Web Server is vulnerable to cross site scripting attacks. Due to insufficient sanitization of user-supplied input it is possible for an attacker to construct a malicious link which contains arbitrary HTML and script code. Attacker-supplied HTML and script code may be executed on a web client visiting the malicious link in the context of the vulnerable server.

Attacks of this nature may make it possible for attackers to steal cookie-based authentication credentials.

It is important to note that the user must supply a username and password for the administrative interface before the script will execute. This also compounds the problem, since it is now likely that an attacker exploiting this vulnerability may be able to steal the administrative user's credentials.

8. Simple Web Server File Disclosure Vulnerability
BugTraq ID: 6145
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6145
Summary:

Simple Web Server is a simple lightweight webserver available for the Linux platform.

It has been reported that Simple Web Server does not properly sanitize web requests. By sending a malicious web request to the vulnerable server, containing a slash-slash sequence ('//'), it is possible for a remote attacker to disclose files, effectively bypassing any access control measures in place.

Disclosure of sensitive files may aid the attacker in launching further attacks against the target system.

9. MailScanner Attachment Filename Validation Vulnerability
BugTraq ID: 6148
Remote: Yes
Date Published: Nov 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6148
Summary:

MailScanner is an e-mail security product. It is designed to be deployed on gateway systems and provides the ability to detect e-mail based attacks such as viruses. It will run on Unix and Linux variants and provides support for a number of anti-virus products.

A vulnerability has been reported in how MailScanner handles filenames for attachments. MailScanner does not sufficiently validate certain types of malformed filenames.

It may be possible to bypass MailScanner security with attachment filenames that contain excessive trailing/leading whitespace, are blank, or use character encodings that are unknown to MailScanner.

The exact consequences of this vulnerability are not known, but it is possible that some attachments with malicious filenames may slip through MailScanner or that a malformed filename may cause other aspects of MailScanner to fail.

10. KGPG Key Generation Empty Passphrase Vulnerability
BugTraq ID: 6152
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6152
Summary:

KGPG is a KDE graphical front-end for GPG (GNU Privacy Guard). It is designed for use with the KDE Desktop Environment and GPG. It is available for Unix and Linux variant operating systems.

A vulnerability has been reported for KGPG. Reportedly, KGPG generates secret keys in an unsafe manner. The vulnerability is the result of how KGPG sends command line arguments to GPG. The vulnerability occurs when keys are generated using the key generation graphical wizard. All keys generated using the wizard will have an empty passphrase.

An attacker can exploit this vulnerability to obtain access to some potentially sensitive information.

This vulnerability was reported for KGPG versions 0.6 to 0.8.2.

11. EZ Systems HTTPBench Information Disclosure Vulnerability
BugTraq ID: 6153
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6153
Summary:

eZ Systems httpbench is a benchmarking utility implemented in PHP. It is available for Unix and Linux variant as well as Microsoft Windows operating environments.

An information disclosure vulnerability has been reported for httpbench. Reportedly, httpbench may disclose the contents of web server readable files to remote attackers.

This vulnerability can be exploited by a remote attacker to obtain potentially sensitive information on a vulnerable system. Information obtained in this manner may be used to launch further, destructive attacks against a vulnerable system.

This vulnerability was reported for httpbench 1.1. It is not known whether other versions are affected.

12. KDE Network RESLISA Buffer Overflow Vulnerability
BugTraq ID: 6157
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6157
Summary:

LISa (LAN Information Server) is a service designed for Linux variant operating systems. It provides LAN browsing capabilities on Linux systems. resLISa is a restricted version of LISa and is distributed with LISa.

A buffer overflow vulnerability has been reported for resLISa. The vulnerability results due to inadequate checks on the LOGNAME environment variable.

An attacker can exploit this vulnerability by setting a LOGNAME environment variable with an overly long value. When the attacker invokes resLISa, it will result in the service crashing and will result in the attacker obtaining control over the execution of the vulnerable service.

resLISa is typically installed as a setUID root binary.

13. ISC BIND 8 Invalid Expiry Time Denial Of Service Vulnerability
BugTraq ID: 6159
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6159
Summary:

BIND is a server program that implements the domain name service protocol. It is used widely on the Internet.

A denial of service vulnerability has been reported for ISC BIND 8. The vulnerability is due to caching of SIG RR (resource records) with invalid expiry times.

An attacker who controls an authoritative name server may be able to cause vulnerable BIND 8 servers to cache invalid SIG RR elements. When the vulnerable DNS server attempts to reference the SIG RR elements it will result in the denial of service condition.

It has been reported that ISC BIND 8 versions up to 8.3.3 are vulnerable to this issue.

14. ISC BIND SIG Cached Resource Record Buffer Overflow Vulnerability
BugTraq ID: 6160
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6160
Summary:

BIND is a server program that implements the domain name service protocol. It is widely used on the Internet.

It has been reported that DNS servers, running BIND with recursive DNS functionality enabled, are prone to a buffer overflow condition. This issue is triggered when the vulnerable DNS server is constructing DNS responses for cached information.

An attacker-controlled authoritative DNS server may cause BIND to cache information into an internal database when recursion is enabled. Cached information is accessed when a DNS client request is received. A vulnerability exists when creating a DNS response containing SIG resource records (RR), which may lead to the buffer overflow condition.

By causing the vulnerable DNS server to cache information, and sending a malicious client request, it may be possible for a remote attacker to cause a buffer to be overrun. Exploitation of this issue could result in the execution of arbitrary attacker-supplied code with the privileges of the vulnerable BIND daemon.

It should be noted that recursive DNS functionality is enabled by default.

15. Light HTTPD GET Request Buffer Overflow Vulnerability
BugTraq ID: 6162
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6162
Summary:

Light httpd is a small HTTP server, derived from ghttpd. It is available for a large variety of platforms, including Linux, BSD, Solaris, and Microsoft Windows operating systems.

A vulnerability has been discovered in Light httpd, when processing GET requests. Passing an excessively long GET request to a vulnerable server, containing roughly 1024 or more bytes of data, will trigger a buffer overflow. This will typically result in sensitive memory being overwritten with attacker-supplied values.

Exploitation of this issue will result in the execution of arbitrary commands with the privileges of the target web server. As Light httpd drops privileges, commands will be executed with the privileges of the 'nobody' user.

16. Xoops WebChat Module Remote SQL Injection Vulnerability
BugTraq ID: 6165
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6165
Summary:

Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.

A vulnerability exists in the WebChat module included with Xoops. The vulnerability is due to insufficient sanitization of variables used to construct SQL queries in the 'index.php' script. Specifically, the 'roomid' variable is not sanitized of malicious SQL input. It is possible to modify the logic of SQL queries through malformed query strings in requests for the vulnerable script.

By injecting SQL code into the 'roomid' variable, it may be possible for an attacker to corrupt database information.

17. W3Mail File Disclosure Vulnerability
BugTraq ID: 6170
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6170
Summary:

W3Mail is a full featured open source web mail application implemented as a collection of Perl scripts that runs on Linux and Unix systems. It includes support for fetching mail from POP3 servers, MIME attachments, and for sending outgoing mail.

To fix the vulnerability described as BID 5314, the email attachments directory was moved out of the webroot tree. To view attachments, the script "viewAttachment.cgi" accepts the parameter "file". The value of this parameter is passed to the open() function as the filename argument without being sanitized. Attackers may cause any file on the filesystem to open by specifying its relative path using directory traversal characters.

As a result, attackers may retrieve any file and download its contents if it is readable by the webserver process.

It should be noted that a valid session ID is required to exploit this vulnerability.
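
The unsanitized open() described in this entry next to a contained version, as an added example that is not W3Mail's code (W3Mail is Perl; Python is used here). The function names, the directory layout and the file names are constructed for illustration.

```python
import os
import tempfile


def resolve_unsafe(attach_dir, file_param):
    """The pattern the advisory describes: the parameter is joined and opened as-is."""
    return os.path.join(attach_dir, file_param)


def resolve_safe(attach_dir, file_param):
    """Return a real path inside attach_dir, or None if the request leaves it."""
    if not file_param or "\x00" in file_param:
        return None
    base = os.path.realpath(attach_dir)
    # os.path.join discards base when file_param is absolute, and realpath
    # collapses '..' and follows symlinks, so compare only after resolving.
    target = os.path.realpath(os.path.join(base, file_param))
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None
    return target


def demo():
    """Constructed layout: an attachments directory beside a file it must not serve."""
    with tempfile.TemporaryDirectory() as root:
        attach = os.path.join(root, "attachments")
        os.mkdir(attach)
        with open(os.path.join(attach, "report.txt"), "w") as fh:
            fh.write("attachment body\n")
        outside = os.path.join(root, "session.db")
        with open(outside, "w") as fh:
            fh.write("not an attachment\n")

        prefix = os.path.realpath(attach) + os.sep
        results = []
        for value in ("report.txt", "../session.db", outside):
            unsafe = os.path.realpath(resolve_unsafe(attach, value))
            escaped = not unsafe.startswith(prefix)
            served = resolve_safe(attach, value) is not None
            results.append((escaped, served))
        return results


if __name__ == "__main__":
    # Each tuple: (unsafe path leaves the directory, safe resolver serves it)
    print(demo())
```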

18. LibHTTPD POST Buffer Overflow Vulnerability
BugTraq ID: 6172
Remote: Yes
Date Published: Nov 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6172
Summary:

LibHTTPD is a library used to add basic web server functionality to an application or embedded device. It is available for various Unix and Linux operating systems.

A remotely exploitable buffer overflow condition has been discovered in the httpdProcessRequest() function, used by the api.c file in the library.

By sending a malicious POST of excessive length to a vulnerable web server, it may be possible to overrun the dirName buffer. This may allow a remote attacker to overwrite sensitive locations in memory with malicious values, which could be used to redirect typical program flow.

Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code with super user privileges.

It should be noted that this vulnerability was reported in LibHTTPD v1.2. It is not yet known whether earlier versions are affected.

19. ISC BIND OPT Record Large UDP Denial of Service Vulnerability
BugTraq ID: 6161
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6161
Summary:

BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet, in use by most of the DNS servers.

Recursive BIND 8 servers are vulnerable to a denial of service condition. Requesting a DNS lookup on a nonexistent sub-domain of a valid domain may cause BIND to fail.

The attacker would have to attach an OPT resource record with a large UDP payload size in order to exploit this vulnerability.

The denial of service may also occur when a domain is queried and the authoritative DNS servers are unreachable.

III. LINUX FOCUS LIST SUMMARY


1. NO NEW POSTS FOR THE WEEK ENDING 11.15.02

IV. NEW PRODUCTS FOR LINUX PLATFORM


1. PakSecured Firewall
by Paktronix Systems
Platforms: Linux
http://www.paktronix.com/products/pakfirewall.html
Summary:

Our secure firewall systems connect your networks to the Internet without worry. The PakSecured Firewall can connect over ISDN, 56K-T1/E1 Frame Relay/Dedicated, dial-on-demand, and any LAN interface supported under Linux. We use full Policy Routing Security Structures along with the standard IPChains/NetFilter stateful packet filtering code to provide full data level protection for your networks. The advanced modular design of the runtime firewall permits adding a wide array of enhancement functions on the fly. Report Generators, Specialized Port Forwarders, and Proxy Inspection Services are among the enhancements offered. Due to the extensive customization possible under the modular setup we can design and build an optimal solution for your specific scenario.

2. Hardlock
by Aladdin Knowledge Systems
Platforms: Proprietary Hardware
http://www.ealaddin.com/hardlock/index.asp
Summary:

If you develop applications for multiple operating environments, we invite you to test drive the new HASP4, the latest generation in software protection solutions. HASP4 is the only true cross-platform solution available on the market, providing a solid foundation of reliability, ease-of-use and state-of-the-art security. With HASP4 USB, a single key will protect Windows, Mac and Linux applications.

3. InsideOut Firewall Reporter
by Stonylake Solutions
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
http://www.stonylakesolutions.com/insideout.asp
Summary:

InsideOut Firewall Reporter is an easy to use, powerful, real time, browser based reporting application for firewall logs. It provides over 150 useful reports. Windows and Linux versions available. Visit the site for a live demo.

V. NEW TOOLS FOR LINUX PLATFORMS


1. shell watchdog v1.1 (dev)
by D. Westfal
Relevant URL:
http://www.nwst.de/
Platforms: UNIX
Summary:

The shell watchdog is a simple shell script daemon to monitor system resources and report failures via local syslog, wall, mail, console sound, or user-definable actions. It is intended to be used as a simple failure recognition system. Tests are defined in a macro-like style in user-definable files, allowing you to create monitored resource groups. It currently includes tests to check the availability of an IP address, the availability of a service on a local or remote IP address, whether a process is running or not, and the usage of filesystems.

2. Fast OnlineUpdate for SuSE v0.8.1
by Markus Gaugusch
Relevant URL:
http://fou4s.gaugusch.at/
Platforms: Linux, POSIX
Summary:

Fast OnlineUpdate for SuSE (fou4s) is a bash script that provides the functionality of YOU (YaST OnlineUpdate), but can also work in background and check for updates every night. It supports resumed downloads and proxies by using wget. GPG signatures are also checked.

3. RSA implementation in Haskell v1.0.0
by David J. Sankel
Relevant URL:
http://www.electronconsulting.com/rsa-haskell
Platforms: Os Independent
Summary:

RSA implementation in Haskell (rsa-haskell) is a Haskell implementation of the RSA algorithm. It contains simple programs for encrypting and decrypting anything that can be piped, as well as an easy-to-use RSA and number theory library.

4. Safer Password Generator
by Tom Veatch tv@sprex.com
Relevant URL:
http://cassandra.sprex.com/passwd.html
Platforms: N/A
Summary:

Safer Password Generator creates English-like passwords, although they are not English words, or even (usually) combinations of English words or names. So password-cracking algorithms which search for English words and names and combinations of them will have a very hard time with Sprex passwords.

5. NetSplitter v20021112
by Fabio Yamamoto
Relevant URL:
http://www.hostname.org/netsplitter
Platforms: FreeBSD, Linux, NetBSD, POSIX
Summary:

NetSplitter is a 'reverse' load balance like EQLPlus or bounding, but at the firewall/NAT level. If more than one internet connection exists, it will balance the NAT connections on those links. It runs on FreeBSD and Linux.

VI. SPONSOR INFORMATION



This Issue is Sponsored by: SpiDynamics

ALERT! -Cross-Site Scripting Holes in Web Applications! Cross-site scripting vulnerabilities in web applications allow hackers to collect confidential user information, manipulate or steal cookies, and create requests that can be mistaken for those of a valid user!! All undetectable by IDS!

Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! http://www.spidynamics.com/mktg/xss20


Received on Mon Nov 18 20:14:52 2002