
SecurityFocus Linux Newsletter #119

From: Stephen Entwisle <se(at)securityfocus.com>
Date: Mon Feb 17 2003 - 14:10:52 EST


I. FRONT AND CENTER
  1. Are You Infected? Detecting Malware Infection
  2. Forensics on the Windows Platform, Part Two
  3. New Linux Support Policies are Ominous
  4. Suing Over Slammer
  5. The First Honeyd Challenge
  6. SecurityFocus DPP Program
  7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
  1. Cedric Email Reader Skin Configuration Script Remote File...
  2. W3M Image Attribute Cross Site Scripting Vulnerability
  3. Red Hat Linux User Mode Linux SetUID Installation Vulnerability
  4. Eset Software NOD32 Antivirus Local Buffer Overflow Vulnerability
  5. Opera opera.PluginContext Native Method Denial Of Service...
  6. Cedric Email Reader Global Configuration Script Remote File...
  7. APC apcupsd Client Syslog Format String Vulnerability
  8. W3M Frame Enabled Browsing Cross Site Scripting Vulnerability
  9. Nethack Local Buffer Overflow Vulnerability
  10. Opera Username URI Warning Dialog Buffer Overflow Vulnerability
III. LINUX FOCUS LIST SUMMARY
  1. openSSL Key generation (Thread)
  2. LKM Trojan installed (Thread)
  3. SSL and Kerberos (Thread)
  4. IPTables stops logging after long uptime (Thread)
  5. Perl administration for Linux fileserver (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORM
  1. East-Tec DiskSanitizer GOV
  2. Disk Amnesia
  3. NOD32
V. NEW TOOLS FOR LINUX PLATFORMS
  1. NetProtect Firewall Router v1.0
  2. SURVIVOR v0.9b
  3. Intrusion Detection Exchange Architecture v1.0.1

I. FRONT AND CENTER

1. Are You Infected? Detecting Malware Infection By Jong Purisima

Once executed, malware can perform its intended malicious function on a system. Unfortunately, it may not always be apparent to users that their system is indeed infected. This article will discuss how to determine whether or not the system has been infected and will offer some tips on how to manually disinfect the system.

http://online.securityfocus.com/infocus/1666

2. Forensics on the Windows Platform, Part Two by Jamie Morris

This is the second of a two-part series of articles discussing the use of computer forensics in the examination of Windows-based computers. In Part One we discussed the wider legal issues raised by computer forensics and the benefits of pre-investigation preparation. In this article we will concentrate on the areas of a Windows file system that are likely to be of most interest to forensic investigators and the software tools that can be used to carry out an investigation.

http://online.securityfocus.com/infocus/1665

3. New Linux Support Policies are Ominous By Jon Lasser

Red Hat and Mandrake are cutting support for older versions of their Linux distributions... The results will be a security nightmare for the Internet.

http://online.securityfocus.com/columnists/142

4. Suing Over Slammer By Mark Rasch

In the aftermath of the SQL Slammer worm, companies have once again claimed massive financial losses as a result of malicious code. As with the Code Red and Nimda worms, the Melissa virus and the Mafiaboy distributed denial of service attack, the press has reported widespread system disruption with "losses" in the hundreds of millions -- if not billions -- of dollars worldwide.

http://online.securityfocus.com/columnists/141

5. The First Honeyd Challenge

With the release of Honeyd 0.5 over the weekend, Niels Provos is pleased to also announce the first Honeyd challenge!

Honeyd is a virtual honeypot running as a small daemon to create virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.

The goal of this challenge is to develop interesting feature additions to Honeyd. Possible improvements are forensic analysis tools for Honeyd log files, passive fingerprinting of connections, realistic routing topologies, etc. Your submissions will be judged by a panel of experienced volunteers, rated, and shared with the security community.

We are able to award prizes to the best submissions. Top prizes include a free pass to CanSecWest/core03 including a free hotel room for up to four days, a $200 and a $100 Amazon gift certificate. Furthermore, the top ten entries receive a copy of Lance Spitzner's new book "Honeypots: Tracking Hackers," signed by Lance and Niels. Judges include:

  • Mike Clark
  • Job de Haas
  • Niels Provos
  • Rain Forest Puppy
  • Lance Spitzner

The challenge officially begins on Monday the 17th of February. You have four weeks to complete your submissions. Please send your results no later than 24:00 GMT, Friday, March 14th. Submissions will be judged and released on Friday the 21st of March. More information on the challenge and submission requirements can be found at

  http://www.citi.umich.edu/u/provos/honeyd/challenge.html

All questions, concerns, and submissions should be sent with a subject including "Honeyd Challenge" to provos-honeyd@citi.umich.edu.

6. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY


1. Cedric Email Reader Skin Configuration Script Remote File Include Vulnerability BugTraq ID: 6818
Remote: Yes
Date Published: Feb 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6818
Summary:

Cedric Email Reader is a web mail application. It is implemented in PHP and available for Unix and Linux variants as well as Microsoft Windows operating systems.

It has been reported that Cedric Email Reader is prone to an issue that may allow remote attackers to include files located on remote servers. This issue is present in the 'email.php' script.

Under some circumstances, it is possible for remote attackers to influence the include path for a configuration file to point to an external file on a remote server. The attacker may cause this to occur by submitting a path to an external file as the '$cer_skin' URI parameter.

If the remote file is a PHP script, this may be exploited to execute arbitrary system commands in the context of the web server.

It has also been reported that it is possible to cause local files to be included, resulting in disclosure of webserver readable files to the attacker. This has not been confirmed.

2. W3M Image Attribute Cross Site Scripting Vulnerability BugTraq ID: 6794
Remote: Yes
Date Published: Feb 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6794
Summary:

W3M is a text-based Web browser. It is developed for several platforms including Linux and Unix variant operating systems.

A cross site scripting vulnerability has been reported for W3M. Due to inadequate sanitization of some HTML tags, it is possible for an attacker to steal another user's cookie information or other sensitive data. Specifically, W3M does not fully sanitize malicious HTML code from IMAGE tags.

This vulnerability has been reported to affect W3M 0.3.2.2 and earlier.

3. Red Hat Linux User Mode Linux SetUID Installation Vulnerability BugTraq ID: 6801
Remote: No
Date Published: Feb 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6801
Summary:

Red Hat Linux is a freely available, open source operating system distributed by Red Hat Incorporated.

A problem with a component of the kernel-utils package may make it possible for local users to perform unauthorized activities.

It has been reported that under some circumstances, Red Hat Linux may allow unauthorized actions through User-Mode-Linux compatibility. Due to permissions on some components installed with the User-Mode-Linux utilities, a local user could perform actions on the system that require privilege, potentially affecting local host security.

The problem is in the setuid bit given to the uml_net program. When installed with the kernel-utils package, the program is installed setuid root. A local user could execute this program to control network interfaces, or manipulate some network settings.

4. Eset Software NOD32 Antivirus Local Buffer Overflow Vulnerability BugTraq ID: 6803
Remote: No
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6803
Summary:

Eset Software's NOD32 Antivirus System is a cross-platform anti-virus application. It is available for a variety of platforms including the Microsoft Windows, Linux, and BSD-derived operating systems.

A vulnerability has been discovered in NOD32 for the Linux and Unix platforms. Due to insufficient bounds checking, a buffer overflow occurs when NOD32 processes file system paths of excessive length. Specifically, a path name containing 500 or more bytes of data will trigger memory corruption.

This vulnerability could be exploited by coaxing a user to scan a malicious location with the NOD32 Antivirus software. When the path of excessive length is processed by NOD32, sensitive memory will be corrupted. By exploiting this issue to execute code it is possible to run arbitrary commands with the privileges of the user running NOD32.

This issue affects NOD32 versions 1.012 and earlier.

5. Opera opera.PluginContext Native Method Denial Of Service Vulnerability BugTraq ID: 6814
Remote: Yes
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6814
Summary:

Opera is a web client available for a number of platforms including Unix and Linux variants, and Microsoft Windows operating systems.

Opera ships with a trusted Java class ('opera.PluginContext') that includes a native method that is reportedly vulnerable to denial of service attacks. This issue exists in the 'showDocument' method of the 'opera.PluginContext' class. If a URL object containing a URL String of excessive length is passed to the method, the JVM and browser will crash. Other malformed data may also trigger this condition.

The issue is apparently caused when the PluginContext constructor handles unacceptable data.

This issue was reported in versions of Opera for Microsoft Windows operating systems. It is not known if other platforms are also affected. Java support must be enabled for this issue to be present and can be disabled to prevent attacks.

6. Cedric Email Reader Global Configuration Script Remote File Include Vulnerability BugTraq ID: 6820
Remote: Yes
Date Published: Feb 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6820
Summary:

Cedric Email Reader is a web mail application. It is implemented in PHP and available for Unix and Linux variants as well as Microsoft Windows operating systems.

It has been reported that Cedric Email Reader is prone to an issue that may allow remote attackers to include files located on remote servers. This issue is present in the 'emailreader_execute_on_each_page.inc.php' script.

Under some circumstances, it is possible for remote attackers to influence the include path for a configuration file to point to an external file on a remote server. The attacker may cause this to occur by submitting a path to an external file as the '$emailreader_ini' URI parameter.

If the remote file is a PHP script, this may be exploited to execute arbitrary system commands in the context of the web server.

It has also been reported that it is possible to cause local files to be included, resulting in disclosure of webserver readable files to the attacker. This has not been confirmed.

7. APC apcupsd Client Syslog Format String Vulnerability BugTraq ID: 6828
Remote: Unknown
Date Published: Feb 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6828
Summary:

Apcupsd provides UPS power management under Linux and BSD systems for APC Products.

A vulnerability has been reported for apcupsd client that may result in an attacker obtaining elevated privileges on the vulnerable system.

The 'log_event' function in 'apclog.c' contains an insecure instance of a syslog() call. Due to this programming error, it may be possible to exploit a format string vulnerability in the apcupsd 'log_event' function.

When the program is invoked using the vulnerable function, it may be possible to exploit a format string vulnerability through the generation of a malicious log event that contains attacker-supplied format strings. In the event that this vulnerability is exploited, an attacker could cause arbitrary locations in memory to be corrupted with attacker-specified data and execute code with the privileges of the apcupsd user.
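
The pattern the advisory describes, as an added illustration that is not apcupsd's own code: the event text is handed to syslog() as its format argument, beside the hardened form that uses a literal "%s" format. The function names, the buffer-rendering helpers and the directive counter are hypothetical; the event strings are constructed samples. The pragma is there only so the vulnerable shape compiles at all, since gcc's -Wformat-security (an error by default on some distributions) flags exactly this bug.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Only here so the vulnerable shape below compiles; in real builds keep the
 * warning on and treat it as an error, because it catches this bug class. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Hypothetical stand-in for the log_event() shape the advisory describes:
 * the event text (which can carry attacker-influenced data) is passed to
 * syslog() as its FORMAT argument, so "%x", "%n", ... inside it are
 * interpreted by the logger. Vulnerable pattern; never use with untrusted text. */
void log_event_vulnerable(const char *event)
{
    syslog(LOG_ERR, event);
}

/* Hardened form: a literal format string, the event text as the "%s"
 * argument. Any '%' in the text is now plain data. */
void log_event_fixed(const char *event)
{
    syslog(LOG_ERR, "%s", event);
}

/* The same two shapes rendered into a buffer so the difference is visible
 * without reading syslog. render_vulnerable() has defined behaviour only
 * when the text contains no '%' at all. */
int render_vulnerable(char *out, size_t n, const char *event)
{
    return snprintf(out, n, event);
}

int render_fixed(char *out, size_t n, const char *event)
{
    return snprintf(out, n, "%s", event);
}

/* Defensive check for a log pipeline: count printf directives in text that
 * should have been data. "%%" is a literal percent sign and is not counted;
 * anything else ("%n", "%x", "%08x", ...) is a red flag worth alerting on. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    const char *hostile = "UPS %n %x lost power";   /* constructed event text */

    render_fixed(buf, sizeof buf, hostile);
    printf("fixed: %s  (directives in input: %d)\n", buf, count_directives(hostile));
    render_vulnerable(buf, sizeof buf, "UPS on battery");   /* benign text only */
    printf("vulnerable, benign input: %s\n", buf);
    log_event_fixed(hostile);   /* reaches syslog verbatim, directives and all */
    return 0;
}
```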

8. W3M Frame Enabled Browsing Cross Site Scripting Vulnerability BugTraq ID: 6793
Remote: Yes
Date Published: Feb 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6793
Summary:

W3M is a text-based Web browser. It is developed for several platforms including Linux and Unix variant operating systems.

A cross site scripting vulnerability has been reported for W3M if frames support is enabled. Due to inadequate sanitization of some HTML tags, it is possible for an attacker to steal another user's cookie information or other sensitive data. Specifically, W3M does not fully sanitize malicious HTML code from FRAME tags.

It should be noted that this vulnerability is exploitable only if W3M is executed with the '-F' commandline option.

This vulnerability has been reported to affect W3M 0.3.2. It is likely that earlier versions are affected.

9. Nethack Local Buffer Overflow Vulnerability BugTraq ID: 6806
Remote: No
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6806
Summary:

Nethack is a game included with several distributions of Linux including RedHat Linux. It has been reported that Nethack fails to drop privileges, potentially resulting in privilege escalation.

A buffer overflow has been discovered in Nethack when invoked with the '-s' command line option. By passing an overly large string, consisting of at least 1000 characters, to the '-s' command line option of /usr/games/lib/nethackdir/nethack, it is possible to corrupt memory.

By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code.

Nethack distributed with RedHat Linux is shipped with setgid 'games' privileges. Successful exploitation would result in the escalation of privileges to the 'games' group, which could result in the corruption of saved game data, as well as storage consumption.

10. Opera Username URI Warning Dialog Buffer Overflow Vulnerability BugTraq ID: 6811
Remote: Yes
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6811
Summary:

Opera is a web client available for a number of platforms including Unix and Linux variants, and Microsoft Windows operating systems.

For security purposes, Opera will display a warning any time a user of the client visits a link containing a username as part of the URI. Bounds checking is not performed on the length of the username when it is copied into a local buffer for display in the warning message.

An excessively long username in a link will trigger a buffer overflow condition that may overwrite the stack frame of the affected function. Attackers may exploit this vulnerability to execute instructions on client systems. This condition may be exploited from a malicious webpage. Exploitation may occur through links, image tags, frames or other means.

This issue was reported for Opera on Microsoft Windows platforms. It is not known if other platforms are affected.
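
The missing length check described above, as an added example that is not Opera's code: the username (userinfo) part of a link is extracted and copied into a fixed-size dialog buffer only after its length is compared with the buffer, with oversized names cut and marked. Function names, the buffer size and the sample links are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Find the userinfo ("user" or "user:pass") in "scheme://userinfo@host/...":
 * the bytes between "://" and the first '@' inside the authority, which ends
 * at the first '/', '?' or '#'. Returns its length, or 0 if there is none. */
size_t uri_userinfo(const char *uri, const char **start)
{
    const char *p = strstr(uri, "://");
    if (!p)
        return 0;
    p += 3;
    const char *end = p + strcspn(p, "/?#");
    const char *at = memchr(p, '@', (size_t)(end - p));
    if (!at)
        return 0;
    *start = p;
    return (size_t)(at - p);
}

/* The check the advisory says is absent: the username is copied into the
 * fixed-size dialog buffer only after its length is compared with the
 * buffer. Oversized names are cut and marked with "..." so the dialog still
 * shows that the link carried a username. Returns 1 if the name fitted,
 * 0 if it was truncated, -1 if the URI has no username. */
int username_for_warning(const char *uri, char *out, size_t outsz)
{
    const char *u = NULL;
    size_t n = uri_userinfo(uri, &u);

    if (outsz == 0)
        return -1;
    if (n == 0) {
        out[0] = '\0';
        return -1;
    }
    if (n < outsz) {                 /* fits, including the NUL */
        memcpy(out, u, n);
        out[n] = '\0';
        return 1;
    }
    if (outsz < 4) {                 /* no room for a marker: just cut */
        memcpy(out, u, outsz - 1);
        out[outsz - 1] = '\0';
        return 0;
    }
    size_t keep = outsz - 4;         /* room for "..." and the NUL */
    memcpy(out, u, keep);
    memcpy(out + keep, "...", 4);    /* copies the terminating NUL too */
    return 0;
}

int main(void)
{
    char dialog[32];                 /* hypothetical dialog buffer size */
    /* Constructed links: normal, oversized username, and no username. */
    const char *links[] = {
        "http://alice@example.test/index.html",
        "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@example.test/",
        "http://example.test/mail@list",
    };
    for (size_t i = 0; i < sizeof links / sizeof links[0]; i++) {
        int r = username_for_warning(links[i], dialog, sizeof dialog);
        printf("%2d  \"%s\"\n", r, dialog);
    }
    return 0;
}
```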

III. LINUX FOCUS LIST SUMMARY


1. openSSL Key generation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/311621

2. LKM Trojan installed (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/311575

3. SSL and Kerberos (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/311363

4. IPTables stops logging after long uptime (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/311360

5. Perl administration for Linux fileserver (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/311000

IV. NEW PRODUCTS FOR LINUX PLATFORM


1. East-Tec DiskSanitizer GOV
by EAST Technologies
Platforms: DOS, Linux, UNIX, Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.east-tec.com/dsksanit/index.htm
Summary:

East-Tec DiskSanitizer is a software product designed to remove all traces of information from a hard disk. East-Tec DiskSanitizer completely eliminates data from the entire hard disk: every sector and every bit of information is overwritten and destroyed beyond recovery. East-Tec DiskSanitizer is based on the East-Tec Advanced Data Removal Technology, a collection of highly secure data removal capabilities designed to provide protection against ALL methods of data recovery.

2. Disk Amnesia
by Professional Help Computer Services
Platforms: N/A
Relevant URL:
http://www.professionalhelp.com/diskamnesia.html
Summary:

Disk Amnesia(tm) is a low-level disk clearing and sanitization tool that uses the computer's BIOS to identify all physical drives attached to the computer including SCSI drives (if the SCSI card has a BIOS installed).

3. NOD32
by Eset
Platforms: DOS, Netware, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.nod32.com/products/products.htm
Summary:

The NOD32 Antivirus System provides balanced state-of-the-art protection against threats endangering your PC, running on various platforms from Microsoft Windows 95 / 98 / ME / NT / 2000 / XP through a number of UNIX operating systems to major mail servers. Viruses, worms, and other malware are kept out of striking distance from your valuable data. Advanced detection methods implemented in the software provide protection against a great proportion of the worms and viruses that are still awaiting creation.

V. NEW TOOLS FOR LINUX PLATFORMS


1. NetProtect Firewall Router v1.0
by vpnguru
Relevant URL:
http://www.netprotect.org/
Platforms: N/A
Summary:

The Netprotect Firewall is a spin-off from the IPCOP GPL Firewall, with many extensions built-in. One big goal is to have a product that is usable in corporate environments.

2. SURVIVOR v0.9b
by Benn Oshrin
Relevant URL:
http://www.columbia.edu/acis/sy/unixdev/survivor/
Platforms: N/A
Summary:

SURVIVOR is yet another systems monitor. It consists of a POSIX-thread based scheduler written in C++ running arbitrary checks in a flexible, heterogeneous, bureaucratic, and convoluted environment. It maintains proper state, history, sanity, and attitude, and allows interaction via Web, command, and two-way messaging interfaces.

3. Intrusion Detection Exchange Architecture v1.0.1 by Ian Duffy
Relevant URL:
http://www.sourceforge.net/projects/idea-arch
Platforms: OS Independent
Summary:

IDEA is an architecture for implementing a distributed intrusion detection system on a computer network. It provides a way to incorporate many different IDS sensors into an architecture, and have them report to a central IDS server. This server collects, aggregates, and correlates data from the sensors, providing a unified view of network activity. By specifying an open API, many different clients can connect to the IDEA server and "subscribe" to the event notification service so that the client will be notified any time a new alert is received from any of the sensors.

Received on Mon Feb 17 15:35:13 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:27 EDT