
SecurityFocus Linux Newsletter #114

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Jan 06 2003 - 13:06:53 EST


This issue is sponsored by: Qualys

Strengthening Network Security: FREE Guide Network security is a constantly moving target - even proven solutions lose their punch over time. Find out how to get COMPLETE PROTECTION against ever-growing security threats with our FREE new Guide.

Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php


I. FRONT AND CENTER
  1. Windows Forensics: A Case Study, Part 1
  2. The Briscoe Syndrome
  3. SecurityFocus DPP Program
  4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
  1. Web-cyradm Remote Denial of Service Vulnerability
  2. ShadowJAAS Command Line Password Disclosure Vulnerability
  3. Typespeed Local Buffer Overflow Vulnerability
  4. monopd Remote Buffer Overflow Vulnerability
  5. PHP wordwrap() Heap Corruption Vulnerability
  6. Gallery Remote Code Execution Vulnerability
  7. Leafnode Resource Exhaustion Denial Of Service Vulnerability
III. LINUX FOCUS LIST SUMMARY
  1. User's and Shells (Thread)
  2. RE : quotas on Redhat 7.3 problem (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORM
  1. ipPulse
  2. Rainwall for Check Point FireWall-1 and VPN-1
  3. T.REX Firewall
V. NEW TOOLS FOR LINUX PLATFORMS
  1. Nate Kohari's regular expression pipe v1.32
  2. HotSaNIC v0.5.0-pre3
  3. AlarmMon v0.35
VI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. Windows Forensics: A Case Study, Part One
by Stephen Barish

It's a security person's worst nightmare. You've just inherited a large, diverse enterprise with relatively few security controls when something happens. We all try to detect malicious activity at the perimeter of the network by monitoring our intrusion detection systems, and watching attackers bang futilely on our firewall. Even those attackers tricky enough to slip through the firewall bounce harmlessly off our highly secured servers, and trip alarms off throughout the network as they attempt to compromise it. Reality is usually somewhat different: most of us simply don't have the tools, or at least we don't have expensive, dedicated tools. But we do have ways to stop the pain.

http://online.securityfocus.com/infocus/1653


2. The Briscoe Syndrome
By Mark Rasch

Fear of terrorism and a desire to cooperate with law enforcement has led many corporate insiders to pony up sensitive information on their customers to anyone with a badge... with no court order required.

http://online.securityfocus.com/columnists/132

3. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14
Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY


1. Web-cyradm Remote Denial of Service Vulnerability
BugTraq ID: 6491
Remote: Yes
Date Published: Dec 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6491
Summary:

Web-cyradm is a management tool written in PHP. It is used with a mail system built on Cyrus IMAP and Postfix. It is available for the Unix and Linux operating systems.

A vulnerability has been discovered in Web-cyradm. A denial of service may be triggered when attempting to administrate a domain when the necessary IMAP daemon is not running. If this situation occurs the Web-cyradm process will enter an infinite loop, generating errors. This issue occurs due to invalid checks for a running IMAP daemon by the browseaccounts.php, deleteaccount.php, and newaccount.php PHP scripts.

By exploiting this vulnerability it may be possible to consume network resources causing legitimate requests to be denied. Under some circumstances it may also cause the system to crash due to excessive CPU utilization.

2. ShadowJAAS Command Line Password Disclosure Vulnerability
BugTraq ID: 6498
Remote: No
Date Published: Dec 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6498
Summary:

ShadowJAAS is authentication software that allows users to authenticate to Java applications using a local Linux user account with a shadowed password.


ShadowJAAS is prone to a design error that may cause user credentials to be disclosed to other local users.

Vulnerable versions of ShadowJAAS require that username and password credentials are passed via the command line instead of through standard input when a user authenticates. As a result, this information may be accessible to other local users through various means (such as the 'ps' utility).
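An audit check for the exposure described above, as an added example that is not part of the newsletter or of ShadowJAAS: it walks a /proc/<pid>/cmdline image (argv strings separated by NUL bytes, which is what 'ps' reads on Linux) and counts arguments that carry a secret. The option names and the sample command line are assumptions constructed for illustration; the advisory does not give ShadowJAAS's actual argument format.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical option names treated as carrying a secret (assumption). */
static const char *SECRET_OPTS[] = { "--password", "--pass", "-p" };

/* Returns 1 if arg is a secret option; *val is the offset of an inline
 * "=VALUE", or 0 when the value is the following argument. */
static int is_secret_opt(const char *arg, size_t *val)
{
    size_t i, n;
    for (i = 0; i < sizeof SECRET_OPTS / sizeof SECRET_OPTS[0]; i++) {
        n = strlen(SECRET_OPTS[i]);
        if (strncmp(arg, SECRET_OPTS[i], n) != 0) continue;
        if (arg[n] == '\0') { *val = 0; return 1; }
        if (arg[n] == '=')  { *val = n + 1; return 1; }
    }
    return 0;
}

/* Count secrets visible in a cmdline image of len bytes. The image must end
 * with a NUL byte, as the kernel's does; returns -1 if it does not. */
int count_exposed_secrets(const char *buf, size_t len)
{
    size_t pos = 0, val;
    int hits = 0;
    if (len == 0 || buf[len - 1] != '\0') return -1;
    while (pos < len) {
        const char *arg = buf + pos;
        pos += strlen(arg) + 1;
        if (!is_secret_opt(arg, &val)) continue;
        if (val > 0) {
            if (arg[val] != '\0') hits++;       /* --password=VALUE */
        } else if (pos < len) {
            hits++;                             /* --password VALUE */
            pos += strlen(buf + pos) + 1;       /* skip the value itself */
        }
    }
    return hits;
}

int main(void)
{
    /* Constructed sample, not a real ShadowJAAS invocation. */
    static const char sample[] = "java\0-jar\0app.jar\0--user\0alice\0--password\0hunter2";
    printf("exposed secrets: %d\n", count_exposed_secrets(sample, sizeof sample));
    return 0;
}
```

Any local account can read another process's cmdline on a default Linux system, so a non-zero count means the credential is visible for the lifetime of that process.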

3. Typespeed Local Buffer Overflow Vulnerability
BugTraq ID: 6485
Remote: No
Date Published: Dec 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6485
Summary:

Typespeed is a game designed to test typing skills. It is available for the Linux operating system. Typespeed is installed setgid 'games' by default on the Debian Linux distribution.

A vulnerability has been discovered in Typespeed. It is possible to trigger a buffer overflow in Typespeed by passing excessive data as a user-supplied parameter. By exploiting this issue to overwrite sensitive locations in memory it may be possible for a local attacker to execute commands with elevated privileges.

The precise technical details regarding this vulnerability are not yet known. This BID will be updated as further information becomes available.

4. monopd Remote Buffer Overflow Vulnerability
BugTraq ID: 6487
Remote: Yes
Date Published: Dec 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6487
Summary:

monopd is a game server for Monopoly-like board games. It is designed for use with Linux variant operating systems.


A buffer overflow vulnerability has been reported for monopd. The vulnerability occurs due to improper use of the vsprintf() function.

An attacker can exploit this vulnerability by supplying an overly long command to the monopd server. This will trigger the buffer overflow condition and result in the process corrupting memory with attacker supplied values.

This vulnerability was reported for monopd 0.6.1 and earlier.
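The unbounded vsprintf() pattern named above next to a bounded replacement, as an added example that is not monopd's code: the buffer size, function names, reply format and the "roll" command are assumptions made for this sketch.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 64   /* assumed buffer size */

/* Vulnerable pattern: vsprintf() cannot know how large dst is. */
void format_unsafe(char *dst, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(dst, fmt, ap);              /* unbounded write */
    va_end(ap);
}

/* Hardened pattern: vsnprintf() is bounded and returns the length the full
 * output needed, so n >= cap means the input did not fit. */
int format_safe(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (cap == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap) {
        dst[0] = '\0';                   /* never forward a truncated message */
        return -1;
    }
    return n;
}

/* Returns 0 if the command was formatted, -1 if it was rejected as too long. */
int handle_command(const char *cmd, char *out, size_t cap)
{
    return format_safe(out, cap, "unknown command: %s", cmd) < 0 ? -1 : 0;
}

int main(void)
{
    char out[REPLY_MAX], big[512];
    memset(big, 'A', sizeof big - 1);    /* constructed oversized input */
    big[sizeof big - 1] = '\0';
    printf("short: %d\n", handle_command("roll", out, sizeof out));
    printf("long:  %d\n", handle_command(big, out, sizeof out));
    return 0;
}
```

Rejecting on truncation, rather than silently cutting the string, keeps a half-formed command from being acted on later.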

5. PHP wordwrap() Heap Corruption Vulnerability
BugTraq ID: 6488
Remote: Yes
Date Published: Dec 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6488
Summary:

PHP is a freely available, open source web scripting language package. It is available for Microsoft Windows, Linux, and Unix operating systems.

A vulnerability has been discovered in the wordwrap() function which is a built-in PHP function. Under some circumstances it may be possible to trigger a heap corruption bug when supplying input to a script which uses the vulnerable wordwrap() function. This issue exists due to insufficient allocation of memory used to store wrapped text. Memory corrupted through the wordwrap() function may be later referenced by the web server calling the vulnerable script.

A malicious attacker may be able to exploit this issue to overwrite a malloc header stored in the heap. This may cause an arbitrary word in memory to be overwritten when the corrupted chunk is released with the free() function. By replacing a Global Offset Table entry with an address pointing to attacker-supplied data, it may be possible for the attacker to execute malicious instructions. Any code executed will be run with the privileges of the web server that ran the vulnerable script.

6. Gallery Remote Code Execution Vulnerability
BugTraq ID: 6489
Remote: Yes
Date Published: Dec 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6489
Summary:


Gallery is an open source web based photo album. It is written in PHP and is available for Linux and Unix variant as well as Microsoft Windows operating systems.

A new feature supporting the Windows XP publishing subsystem in Gallery 1.3.2 has introduced a security vulnerability nearly identical to that described in BID 5375.

The PHP script 'publish_xp_docs.php' attempts to include a file, 'init.php', from a path constructed using an uninitialized PHP variable. Malicious remote clients may pass a value for that variable, specifying a remote server as the location of the include file. By doing so, attackers may force a remote server to execute arbitrary PHP code with the privileges of the webserver.

7. Leafnode Resource Exhaustion Denial Of Service Vulnerability
BugTraq ID: 6490
Remote: Yes
Date Published: Dec 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6490
Summary:

Leafnode is a USENET proxy server intended for sites with a small number of readers.

A denial of service vulnerability has been reported for Leafnode. The vulnerability occurs when Leafnode tries to retrieve certain news postings. Specifically, Leafnode will consume all available CPU resources when it tries to retrieve messages that have been cross-posted to several groups.

An attacker can exploit this vulnerability by cross-posting to several newsgroups where some groups are prefixes of others. When leafnode attempts to retrieve these news articles by the message-id, the leafnode nntpd server will go into an infinite loop and consume all CPU resources, thereby leading to a denial of service condition.

This vulnerability affects Leafnode 1.9.20 to 1.9.29. The default installation of Leafnode is not affected by this vulnerability.


III. LINUX FOCUS LIST SUMMARY


1. User's and Shells (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/304877

2. RE : quotas on Redhat 7.3 problem (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/304596

IV. NEW PRODUCTS FOR LINUX PLATFORM


1. ipPulse
by Northwest Performance Software
Platforms: Windows 95/98, Windows NT
http://www.ippulse.com/ippulsemain.html
Summary:

ipPulse is a Remote Status Monitoring Tool. Use ipPulse to monitor the up/down status of IP connected devices (nodes) on any IP connected network. ipPulse uses a variety of methods, including SNMP, to poll and check the network connectivity of a list of user-defined nodes. ipPulse alerts you to failures using a variety of techniques ranging from audible messages to email and pager notification. You can even control ipPulse remotely by logging into Remote Control using any Telnet application.

2. Rainwall for Check Point FireWall-1 and VPN-1
by RAINfinity
Platforms: Solaris, Windows NT
http://www.rainfinity.com/products/ds_rainwall.html
Summary:

RAINfinity's first product is Rainwall®, a fully-scalable high-availability software solution for corporate firewalls and VPNs. Rainwall is designed to address three critical issues that affect mission-critical firewalls: availability, scalability, and performance. With Rainwall, your firewall and VPN are always available. When Rainwall detects a hardware or software failure, it automatically shifts traffic to a healthy firewall gateway, reconfiguring without interrupting service. Rainwall is scalable to any number of firewall gateways. Should your firewall requirements change, you can scale up the size of your firewall cluster to increase your firewall bandwidth, throughput and processing power, and do it on-the-fly, without ever bringing your firewall or VPN gateways down. Rainwall is the first fully distributed gateway clustering software product, which means that there is no hidden single-point of failure. Since Rainwall is not a hot-standby solution, all firewall and VPN gateways can be active and operational at any given time, giving you the most out of your hardware and firewall software.


3. T.REX Firewall
by Freemont Avenue Software, Inc.
Platforms: AIX, HP-UX, Linux, Solaris
http://www.opensourcefirewall.com/trex.html
Summary:

The T.REX Firewall provides a mission critical, fault tolerant Firewall for Linux, AIX and Solaris. Features include High Availability, Load Balancing, Web Caching, Content Filtering, NAT, VPN support, an advanced Application Proxy, and the ability to produce up to 52 unique reports.

V. NEW TOOLS FOR LINUX PLATFORMS


1. Nate Kohari's regular expression pipe v1.32
by Nate Kohari
Relevant URL:
http://www.lagfactory.net/projects/re/
Platforms: Perl (any system supporting perl)
Summary:

RE is a simple utility designed to aid in the management of files. Given a directory name, a regular expression, and a regular shell command, it will parse the filenames in the specified directory, matching them against the regular expression, and then execute the command once for each matched file using the filename as a parameter. It was originally designed to mass-rename MP3 files based on part of the original filenames.

2. HotSaNIC v0.5.0-pre3
by Bernd Pissny bernisys@prima.de
Relevant URL:
http://www.sourceforge.net/projects/hotsanic/
Platforms: Linux, POSIX
Summary:

HotSaNIC is a Web-based information center for Unix-based systems. It gives you a graphical overview about certain network- and system statistics. HotSaNIC is programmed (mainly in Perl 5) in a modular way to give you a great flexibility of which items you like to use, and it can be extended with further modules written by yourself or others.

3. AlarmMon v0.35
by Konstantin N. Terskikh
Relevant URL:
http://sourceforge.net/projects/alarmmon/
Platforms: OS Independent
Summary:

AlarmMon is an alarm monitoring system for TCP/IP networks. It consists of an "alarm" client, an "alarmsvr" server, and several agents that work with a central registration database. It can track the status of various services, including BIND, Sendmail, and modems, and send notifications by email, SMS, or pager.


VI. SPONSOR INFORMATION



This issue is sponsored by: Qualys

Strengthening Network Security: FREE Guide Network security is a constantly moving target - even proven solutions lose their punch over time. Find out how to get COMPLETE PROTECTION against ever-growing security threats with our FREE new Guide.

Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php


Received on Mon Jan 6 14:01:15 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:26 EDT

