
SecurityFocus Linux Newsletter #131

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon May 12 2003 - 12:38:16 EDT

SecurityFocus Linux Newsletter #131


This issue is sponsored by: KaVaDo

The only integrated Web Application Security Suite



ScanDo - Web Application Scanner
InterDo - Web Application Firewall

KaVaDo Inc., Web Application Security without Compromise Read more at: http://www.securityfocus.com/Kavado-linux-secnews


I. FRONT AND CENTER
  1. Starting from Scratch: Formatting and Reinstalling after...
  2. The Nowhere Men
  3. Security's Failed Past and Risky Future
II. LINUX VULNERABILITY SUMMARY
  1. Mod_Survey SYSBASE Disk Resource Consumption Denial of Service
  2. MySQL Weak Password Encryption Vulnerability
  3. CommuniGate Pro Webmail Session Hijacking Vulnerability
  4. OpenSSH Remote Root Authentication Timing Side-Channel Weakness
  5. Sun ONE Directory Server Unprivileged LDAP Operation Denial Of...
  6. Leksbot Multiple Unspecified Vulnerabilities
  7. KDE Konqueror Malformed HTML Page Denial of Service Vulnerability
  8. Ethereal Multiple Dissector One Byte Buffer Overflow...
  9. Ethereal Mount Dissector Integer Overflow Vulnerability
  10. Ethereal PPP Dissector Integer Overflow Vulnerability
III. LINUX FOCUS LIST SUMMARY
  1. Martian Source (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
  1. NGSecureWeb Web Server Edition
  2. WebProxy 2.1
  3. HYDRA
V. NEW TOOLS FOR LINUX PLATFORMS
  1. Data Thief v1.0
  2. DISCO v1.0
  3. linux-identd v1.3
VI. SPONSOR INFORMATION


I. FRONT AND CENTER

1. Starting from Scratch: Formatting and Reinstalling after a Security Incident
By Matthew Tanase

This article will examine the process of starting over, and more specifically, reinstalling after a security incident.

http://www.securityfocus.com/infocus/1692


2. The Nowhere Men
By George Smith

Unemployed virus writers take heart: the recording industry is hiring cyber miscreants to attack its own customers. And we thought you'd never amount to anything.

http://www.securityfocus.com/columnists/160

3. Security's Failed Past and Risky Future
By Jon Lasser

Final grumblings from SecurityFocus columnist Jon Lasser, as he bids farewell to the computer security world and moves to Colorado.

http://www.securityfocus.com/columnists/159

II. BUGTRAQ SUMMARY


1. Mod_Survey SYSBASE Disk Resource Consumption Denial of Service Vulnerability BugTraq ID: 7498
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7498
Summary:

Mod_Survey is an Apache module designed to process and display XML-based questionnaires and surveys. It is available for the Linux, Unix, and Microsoft Windows operating systems.


The SYSBASE variable is used by Mod_Survey when accessing requested survey files. The value of SYSBASE is initialized to the location of the survey file and is used to create a subdirectory for the storage of various survey-related files, including cache files and questionnaire response data. The subdirectory is placed within the central data repository, typically /usr/local/mod_survey/data.

A vulnerability has been discovered in Mod_Survey when handling requests for nonexistent surveys. Before verifying the existence of a requested survey file the SYSBASE variable is initialized, triggering the creation of an unneeded directory. The validity of the requested survey file is subsequently verified.

Exploitation of this vulnerability may allow an attacker to carry out a denial of service attack, designed to consume available hard disk space or inodes. The consumption of resources may cause a target server to crash.

This vulnerability affects Mod_Survey versions prior to 3.0.15.

2. MySQL Weak Password Encryption Vulnerability BugTraq ID: 7500
Remote: No
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7500
Summary:

MySQL is an open source relational database project. It is available for the Microsoft Windows, Linux, and Unix operating systems.

MySQL has been reported prone to a weak password encryption algorithm. It has been reported that the MySQL function used to encrypt MySQL passwords makes just one pass over the password and employs a weak left-shift based cipher. The output of this function is a password hash of low entropy. Because of the simplicity of the algorithm used to create the MySQL password hash, the hash may be cracked in little time by a brute-force search for an input that produces an identical hash, thereby recovering the cleartext password.

An attacker may use information recovered in this way to aid in further attacks launched against the underlying system.
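The old-style MySQL hash the summary describes, re-implemented as an added example (not code from the advisory or from MySQL) to show why its output is weak: whitespace is skipped, no salt is mixed in, and each half loses its top bit. It follows the public hash_password() routine of MySQL 3.23 and assumes 32-bit unsigned arithmetic.

```python
"""Old-style (pre-4.1) MySQL PASSWORD() hash: a single pass over the
password with a left-shift based mixer.  Added example, not code from the
advisory or from MySQL; follows the public hash_password() routine of
MySQL 3.23 and assumes 32-bit unsigned arithmetic (an assumption about
the build, since a 64-bit ulong would truncate differently)."""

MASK32 = 0xFFFFFFFF


def old_mysql_password(password: str) -> str:
    """Return the 16-hex-digit old-style hash of `password`."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in " \t":            # spaces and tabs never reach the mixer
            continue
        tmp = ord(ch) & 0xFF
        # One pass per byte: multiply-add on the low 6 bits plus a byte shift.
        nr ^= ((((nr & 63) + add) * tmp) + (nr << 8)) & MASK32
        nr2 = (nr2 + (((nr2 << 8) & MASK32) ^ nr)) & MASK32
        add += tmp
    # The sign bit of each 32-bit half is dropped, so only 62 bits ever vary.
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def whitespace_invariant(password: str) -> bool:
    """True when padding the password with spaces leaves its hash unchanged."""
    return old_mysql_password(password) == old_mysql_password(" ".join(password))


def top_bits_cleared(hash_hex: str) -> bool:
    """True when neither half of the hash can have its top bit set."""
    left, right = int(hash_hex[:8], 16), int(hash_hex[8:], 16)
    return left < 2 ** 31 and right < 2 ** 31


if __name__ == "__main__":
    # Identical passwords always give identical hashes: nothing is salted.
    print(old_mysql_password("secret"), whitespace_invariant("secret"))
```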


3. CommuniGate Pro Webmail Session Hijacking Vulnerability BugTraq ID: 7501
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7501
Summary:

CommuniGate Pro is an internet messaging server. CommuniGate Pro includes a webmail service to allow access to mailboxes via HTTP. It is available for a number of platforms including Unix and Linux variants and Microsoft Windows operating systems.

CommuniGate Pro Webmail has been reported prone to a session hijacking vulnerability. The vulnerability presents itself when the victim views an image or similar resource embedded in an HTML web-mail. Specifically, the current session ID used in CommuniGate Pro Webmail is sent, in the 'referrer' field of the HTTP header, with a request made for an image embedded in a malicious e-mail.

The attacker may intercept the HTTP header and extract the URL data contained in the 'referrer' field. The attacker may then follow the URL to hijack the current user session.
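A check for the leak described above, as an added example that is not code from the advisory or from CommuniGate: given a page URL that carries the session ID and the HTML of a message, it lists the cross-origin resources whose fetch would send that URL as the Referer. The URL layout, the session-token pattern and the sample HTML are constructed.

```python
"""Find embedded resources that would receive a session-bearing Referer.
Added example, not code from the advisory or from CommuniGate; the URL
layout, SESSION_RE and the sample page below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import re

# Assumption (constructed): the session token is a long hex path segment.
SESSION_RE = re.compile(r"/[0-9a-f]{16,}/")


class _ResourceCollector(HTMLParser):
    """Collect URLs a browser fetches automatically while rendering."""
    AUTO_FETCH = {"img": "src", "script": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.AUTO_FETCH.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def referer_leaks(page_url: str, html: str) -> list:
    """Return cross-origin resource URLs whose fetch would carry the session URL as Referer."""
    page = urlsplit(page_url)
    if not SESSION_RE.search(page.path):
        return []                      # no session material in the URL to leak
    collector = _ResourceCollector()
    collector.feed(html)
    leaks = []
    for raw in collector.urls:
        target = urljoin(page_url, raw)
        if urlsplit(target).netloc != page.netloc:   # request leaves the webmail host
            leaks.append(target)
    return leaks


# Constructed sample: session ID in the path, one remote and one same-host image.
SAMPLE_PAGE = "https://mail.example.test/Session/0123456789abcdef0123/Message.wssp?ID=42"
SAMPLE_HTML = ('<html><body>Hello!'
               '<img src="https://third-party.test/pixel.gif">'
               '<img src="/images/logo.png"></body></html>')

if __name__ == "__main__":
    for url in referer_leaks(SAMPLE_PAGE, SAMPLE_HTML):
        print("session ID would be sent as Referer to:", url)
```

Keeping the session in a cookie instead of the URL removes the leak at its source; on current browsers a `Referrer-Policy: no-referrer` response header also stops the URL from being sent.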

4. OpenSSH Remote Root Authentication Timing Side-Channel Weakness BugTraq ID: 7482
Remote: Yes
Date Published: May 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7482
Summary:

OpenSSH-portable with PermitRootLogin disabled has been reported to be prone to an issue that will result in the disclosure of sensitive information.

A timing attack has been described in OpenSSH-portable that could assist a remote user in guessing the administrative password. This issue has been reported to exist in OpenSSH-portable on Linux systems, though it may affect other platforms and versions. Specifically, PermitRootLogin support must be disabled, and the attacker must be able to reach the SSH daemon.

It has been demonstrated that analysis of the response time during authentication may give a remote user some indication as to whether or not the guessed root password is valid. This is because OpenSSH does not sufficiently randomize or pad response times.


It should be noted that this weakness does not directly permit the remote attacker to gain administrative access. To further leverage this weakness, the attacker would need to gain shell access to the vulnerable system.

It should also be noted that this weakness is likely an issue related to the vulnerabilities described in Bugtraq IDs 7342, 7343 and 7467.

Additional information suggests that this issue exists in OpenSSH implementations that use PAM.

5. Sun ONE Directory Server Unprivileged LDAP Operation Denial Of Service Vulnerability BugTraq ID: 7478
Remote: Yes
Date Published: May 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7478
Summary:

Sun ONE Directory Server is an LDAP directory server available for a variety of platforms including Sun Solaris, AIX, Microsoft Windows and Linux and Unix variant systems.

A denial of service vulnerability has been reported for Sun ONE Directory Server. The vulnerability has been reported to occur when certain LDAP operations are made.

This vulnerability can be exploited by remote attackers to cause the ns-slapd service to crash.

Precise technical details of this vulnerability are currently unknown. This BID will be updated as further information becomes available.


6. Leksbot Multiple Unspecified Vulnerabilities BugTraq ID: 7505
Remote: No
Date Published: May 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7505
Summary:

Leksbot is a freely available dictionary of botanical terms. It is available for a variety of platforms including Microsoft Windows and Linux systems.

Multiple vulnerabilities have been reported for Leksbot. The precise nature of these vulnerabilities is currently unknown; however, exploitation of this issue may result in an attacker obtaining elevated privileges.

Reportedly, in some installations of Leksbot, the /usr/bin/KATAXWR is unnecessarily configured to be a setuid root binary. Systems configured in this manner may be prone to a security risk, as an attacker may be capable of gaining root privileges.

These vulnerabilities have been confirmed to affect Debian installations of Leksbot. Although unconfirmed, Leksbot installations on other systems may also be prone to this issue.

This BID will be updated as further information is available.

7. KDE Konqueror Malformed HTML Page Denial of Service Vulnerability BugTraq ID: 7486
Remote: Yes
Date Published: May 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7486
Summary:

Konqueror is an Open Source web browser, shipped with the KDE desktop. It is available on Linux platforms.


KDE Konqueror has been reported prone to a denial of service vulnerability when rendering an HTML page that contains malformed data. Specifically, when the Konqueror browser attempts to render a page containing 30000 bytes of repeating '\xFF\xFE\r\r\n' sequences, it will fail, dumping a core file in the process.

An attacker may exploit this vulnerability to trigger a denial of service condition in a remote user's Konqueror web session.

Although unconfirmed, this vulnerability may be exploited to execute attacker-supplied code.

The precise technical details of this vulnerability are currently unknown. This BID will be updated, as further information is available.

8. Ethereal Multiple Dissector One Byte Buffer Overflow Vulnerabilities BugTraq ID: 7493
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7493
Summary:

Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.

Several dissectors included with Ethereal are vulnerable to buffer overflow conditions. Specifically, the dissectors were using the tvb_get_nstringz() and tvb_get_nstringz0() functions in an unsafe manner. Exploitation of this issue will allow an attacker to overflow memory buffers by one byte. The AIM, GIOP, Gryphon, OSPF, PPTP, Quake, Quake2, Quake3, Rsync, SMB, SMPP, and TSP dissectors are vulnerable to this issue.

The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available.


An attacker may be able to exploit this vulnerability by crafting a specially formed packet and sending it to a system using the vulnerable dissectors or by convincing a victim user to use Ethereal to read a malformed packet trace file.

Due to the nature of this vulnerability, it may be possible for an attacker to create a situation in which sensitive memory could be overwritten. If successful this may allow for the execution of arbitrary code with the privileges of the Ethereal process.

This vulnerability affects Ethereal 0.9.11 and earlier.

9. Ethereal Mount Dissector Integer Overflow Vulnerability BugTraq ID: 7494
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7494
Summary:

Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.

The Mount dissector of Ethereal is prone to an integer overflow vulnerability.

The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a specially formed packet and sending it to a system using the Mount dissector or by convincing a victim user to use Ethereal to read a malformed packet trace file.


Due to the nature of this vulnerability it may be possible for an attacker to create a situation in which sensitive memory could be corrupted. If successful, this may cause Ethereal to behave in an unpredictable manner.

This vulnerability affects Ethereal 0.9.11 and earlier.

10. Ethereal PPP Dissector Integer Overflow Vulnerability BugTraq ID: 7495
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7495
Summary:

Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.

The PPP dissector of Ethereal is prone to an integer overflow vulnerability.

The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a specially formed packet and sending it to a system using the PPP dissector or by convincing a victim user to use Ethereal to read a malformed packet trace file.

Due to the nature of this vulnerability it may be possible for an attacker to create a situation in which sensitive memory could be corrupted. If successful, this may cause Ethereal to behave in an unpredictable manner.

This vulnerability affects Ethereal 0.9.11 and earlier.


III. LINUX FOCUS LIST SUMMARY


1. Martian Source (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/320726

IV. NEW PRODUCTS FOR LINUX PLATFORMS


1. NGSecureWeb Web Server Edition
by Next Generation Security S.L.
Platforms: OS Independent
Relevant URL:
http://www.ngsec.com/ngproducts/ngsw/
Summary:

NGSecureWeb is a security module for Web Servers. It acts as an application IDS/firewall, preventing security bugs from being exploited. It has the ability to check for shellcodes (even polymorphic ones), buffer overflows, forbidden words, long URLs, long GET arguments, long POST arguments, long HEADERS, etc., in the HTTP request. If the IDS engine detects a possible attack, the firewall engine stops the request. The Apache, IIS and Netscape Enterprise Web servers are supported.

2. WebProxy 2.1
by @stake
Platforms: Linux, Solaris, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.atstake.com/webproxy/
Summary:

WebProxy is a powerful interactive security tool that helps software developers, quality engineers, and security professionals test and enhance the security of Web applications. Release 2.1 of WebProxy replaces all earlier releases, and is available for sale to enterprise customers and independent security consultants. Sitting between the developer's browser and the Web application, WebProxy acts as a 'proxy' to let the developer observe precisely how the Web application responds to staged attacks, such as those that use buffer overflows, SQL injection, cookie manipulation, cross-site scripting or parameter manipulation. By identifying security vulnerabilities while the software is still in development, companies can more cost-effectively improve the overall security of any Web application.

3. HYDRA
by Bodacion Technologies
Platforms: N/A
Relevant URL:
http://www.bodacion.com/overview.html
Summary:

As a hard real-time embedded system, HYDRA has more in common with the Abrams M1 Tank and a 747 than it does with traditional servers. HYDRA's embedded kernel is one aspect that makes HYDRA so revolutionary, and also gives HYDRA some very distinct advantages, such as being able to perform internal memory checks to prevent buffer overruns. HYDRA also constantly checks its small kernel for corruption, making HYDRA immune to viruses. Despite HYDRA's revolutionary design, it is based on Internet standards, making it interoperable with virtually every piece of infrastructure in your network architecture. HYDRA is simple to deploy inside your firewall, outside your firewall, as a replacement for your Web servers talking to an App Server or database, or as the App Server itself.


V. NEW TOOLS FOR LINUX PLATFORMS


1. Data Thief v1.0
by Application Security, Inc
Relevant URL:
http://www.appsecinc.com/resources/freetools/
Platforms: Linux, UNIX
Summary:

Data Thief is a "proof-of-concept" tool used to demonstrate to web administrators and developers how easy it is to steal data from a web application that is vulnerable to SQL Injection. Data Thief is designed to retrieve the data from a Microsoft SQL Server back-end behind a web application with a SQL Injection vulnerability. Once a SQL Injection vulnerability is identified, Data Thief does all the work of listing the linked servers, laying out the database schema, and actually selecting the data from a table in the application.

2. DISCO v1.0
by P
Relevant URL:
http://www.altmode.com/disco/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD
Summary:

DISCO is a passive IP discovery utility designed to sit on segments throughout a network to discover unique IPs and passively fingerprint TCP SYN packets.

3. linux-identd v1.3
by Per Liden per@fukt.bth.se
Relevant URL:
http://www.fukt.bth.se/~per/identd/
Platforms: Linux
Summary:

linux-identd is a user identification daemon for Linux, which implements the Identification Protocol (RFC1413). This protocol is used to identify active TCP connections. The daemon listens to TCP port 113 (auth), and can be run either as a stand-alone daemon, or through inetd.
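The RFC 1413 exchange that an ident daemon such as linux-identd handles, as an added example that is not code from linux-identd: the query line is parsed, the port pair is validated, and the USERID or ERROR response is built. The connection table stands in for what the daemon reads from the kernel, and the hidden-user list is an assumption.

```python
"""Minimal RFC 1413 (Identification Protocol) request parsing and response
building.  Added example, not code from linux-identd; CONNECTIONS is a
constructed stand-in for the kernel's TCP table and HIDDEN_USERS is an
assumed opt-out list for users who do not want their name disclosed."""
import re

# "<port-on-server> , <port-on-client>", whitespace tolerated as the RFC allows.
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed: (server_port, client_port) of a live connection -> owning user.
CONNECTIONS = {
    (6191, 23): "alice",
    (8080, 51234): "daemon",
}
HIDDEN_USERS = {"daemon"}   # assumption: users answered with HIDDEN-USER


def ident_reply(line: str, connections=CONNECTIONS, hidden=HIDDEN_USERS) -> str:
    """Build the CRLF-terminated response for one ident query line."""
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        # Unparseable query: nothing sensible to echo, so report bad ports.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    server_port, client_port = int(m.group(1)), int(m.group(2))
    prefix = "%d , %d : " % (server_port, client_port)
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return prefix + "ERROR : INVALID-PORT\r\n"
    user = connections.get((server_port, client_port))
    if user is None:
        return prefix + "ERROR : NO-USER\r\n"          # no such TCP connection
    if user in hidden:
        return prefix + "ERROR : HIDDEN-USER\r\n"      # owner opted out
    return prefix + "USERID : UNIX : " + user + "\r\n"


def parse_reply(reply: str):
    """Client side: split a response into (ports, kind, payload)."""
    ports, kind, payload = [p.strip() for p in reply.rstrip("\r\n").split(":", 2)]
    return ports, kind, payload


if __name__ == "__main__":
    for query in ("6191, 23\r\n", "8080 , 51234\r\n", "1, 2\r\n", "garbage\r\n"):
        print(repr(query), "->", ident_reply(query).rstrip())
```

Because the reply is produced by the remote host itself, an ident answer identifies the connection owner only as far as that host is trusted; the RFC says the information must not be used for authentication.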

VI. SPONSOR INFORMATION



This issue is sponsored by: KaVaDo

The only integrated Web Application Security Suite



ScanDo - Web Application Scanner
InterDo - Web Application Firewall

KaVaDo Inc., Web Application Security without Compromise Read more at: http://www.securityfocus.com/Kavado-linux-secnews


Received on Mon May 12 14:27:43 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:27 EDT

