SecurityFocus Linux Newsletter #134

SecurityFocus Linux Newsletter #134

This Issue is Sponsored by: Interland

"For a limited time get 15% OFF Netscreen Firewalls and an additional 15% OFF any LINUX Managed Dedicated Hosting Solution from Interland. Knowledgeable 24/7/365 Technical Support. Call 1-877-504-0091 for more details on how to protect your dedicated server."

Visit us at: http://www.securityfocus.com/Interland-linux-secnews

I. FRONT AND CENTER

1. **Announcing the new SecurityFocus Pen-Test and Firewalls Focus Areas**
2. Malware Myths and Misinformation Part 2
3. A Special Needs Class
4. Untrustworthy Passport II. LINUX VULNERABILITY SUMMARY
5. Sun ONE Application Server Plaintext Password Vulnerability
6. Ultimate PHP Board admin_iplog.PHP Arbitrary PHP Execution...
7. PostNuke Phoenix Main Modules Multiple Path Disclosure Vulnerabilities
8. Batalla Naval Remote Buffer Overflow Vulnerability
9. Ifenslave Argument Local Buffer Overflow Vulnerability
10. P-News Administrative Account Creation Vulnerability
11. PalmVNC Insecure Password Storage Vulnerability
12. Encrypted Virtual Filesystem Local Heap Overrun Vulnerability
13. Sun ONE Application Server Error Message Cross-Site Scripting...
14. Red Hat Linux up2date Unspecified Vulnerability
15. PostNuke Phoenix Rating System Denial Of Service Vulnerability
16. Newsscript Administrative Privilege Elevation Vulnerability
17. Multiple Vendor Algorithmic Complexity Denial of Service Vulnerability
18. Geeklog Image Upload Extension Validation Vulnerability
19. Zeus Web Server Admin Interface VS_Diag.CGI Cross Site Scripting...
20. Linux /bin/mail Carbon Copy Field Buffer Overrun Vulnerability
21. Eterm PATH_ENV Buffer Overflow Vulnerability
22. Sun ONE Application Server Source Disclosure Vulnerability
23. Apache APR_PSPrintf Memory Corruption Vulnerability
24. UML_NET Integer Mismanagement Code Execution Vulnerability
25. FastTrack P2P Supernode Packet Handler Buffer Overflow Vulnerability
26. Apache Basic Authentication Module Valid User Login Denial Of...
27. Bandmin Cross-Site Scripting Vulnerability
28. Multiple GPS Local And Remote Vulnerabilities
29. Geeklog Authentication SQL Injection Vulnerability
30. GNU GCC Implicit Struct Copy Memory Corruption Vulnerability
31. PHP Transparent Session ID Cross Site Scripting Vulnerability III. LINUX FOCUS LIST SUMMARY
32. process accounting (Thread)
33. securing a bridget (Thread)
34. hardening scripts (Thread)
35. more on linux hardening (Thread)
36. more on linux hardening (fwd) (Thread) IV. NEW PRODUCTS FOR LINUX PLATFORMS
37. PureSight
38. NetSecure Web
39. Kerio MailServer
40. NEW TOOLS FOR LINUX PLATFORMS
41. Access Control Designer vbeta1
42. SSHTerm v0.1.4 beta
43. Samhain v1.7.8 VI. SPONSOR INFORMATION
44. FRONT AND CENTER

    ---

45. **Announcing the new SecurityFocus Pen-Test and Firewalls Focus Areas**

In response to the ever evolving needs of the security community, SecurityFocus is very pleased to announce the release of two new focus areas effective June 2, 2003:
Pen-Test at: <http://www.securityfocus.com/pen-test> and Firewalls at <http://www.securityfocus.com/firewalls>

2. Malware Myths and Misinformation Part 2 By David Harley May 28, 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This article is the second of a three-part series looking at some of the myths and misconceptions that undermine anti-virus protection.

http://www.securityfocus.com/infocus/1698

3. A Special Needs Class
By George Smith

The University of Calgary's new course in virus-writing begs the question: is it a cheap publicity stunt or just boneheaded educating?

http://www.securityfocus.com/columnists/164

4. Untrustworthy Passport
by Yen-Ming Chen (yenming.chen@foundstone.com)

On May 7, 2003, yet another vulnerability[1,2,3] was found on Microsoft's Passport service, a single sign-on service for multiple Web sites including Microsoft's own Hotmail and Expedia.com. The vulnerability allows an attacker to gain control of any passport user's account by resetting her password simply by accessing a server response file (SRF) interface. Microsoft disabled the vulnerable feature in a few hours after the information went public. Some sources [4] claim federal regulators can fine Microsoft up to 22 trillion dollars, although that will be unlikely. Either way, the damage to Passport and Microsoft's perception of trustworthy computing has been done. In this article, we take a deeper look at the vulnerability from the perspective of a software development life cycle, its impact and how to monitor and fix such problem. We will also examine how the bug could have slipped through the cracks standard penetration testing methodologies and provide recommendations to harden the methodology.

http://www.securityfocus.com/guest/20225

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

II. BUGTRAQ SUMMARY

1. Sun ONE Application Server Plaintext Password Vulnerability BugTraq ID: 7712 Remote: No Date Published: May 27 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7712 Summary:

Sun ONE Application Server is the application server solution distributed and maintained by Sun Microsystems. It is available for the Unix, Linux, and Microsoft platforms.

A problem with the Sun ONE Application Server could make unauthorized access to credentials possible.

It has been reported that a problem exists in the method used for the storage of passwords by Sun ONE Application Server. This could lead to local users gaining unauthorized access to passwords, and potentially unauthorized access to the Sun ONE administrative server.

Specifically, Sun ONE Application Server stores administrative server credentials in the "statefile" file, using plaintext format by default. To further exaggerate this problem, the Sun ONE application is installed by default into a folder that is world readable. A local user with access sufficient to read this file may disclose the usernames and passwords contained within.

Information gathered in this way may be used to aid in further attacks launched against the vulnerable system.

It should be noted that although this vulnerability has been reported to affect Sun ONE Application Server version 7.0 on Windows platforms, previous versions might also be affected.

2. Ultimate PHP Board admin_iplog.PHP Arbitrary PHP Execution Vulnerability BugTraq ID: 7678
Remote: Yes
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7678
Summary:

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin Board. It is available for the Unix and Linux operating systems.

UPB stores information about each connected user in the 'db' file, stored in the 'iplog' directory. Information logged includes the users IP address as well as the HTTP user agent information. An administrator is capable of viewing this information by calling the 'admin_iplog.php' script.

A vulnerability has been reported for UPB 1.9. The problem is said to occur due to insufficient sanitization of the HTTP 'User-Agent' information before including it within the 'admin_iplog.php' script. As a result, an attacker may be capable of embedding malicious PHP commands within this field, which would in turn be interpreted by the web server.

The execution of these commands would only occur when an administrator chooses to view the log of forum activity via the 'admin_iplog.php' script. All commands executed would be run with the privileges of the web server, typically httpd.

It should be noted that although unconfirmed this may also affect UPB versions prior to 1.9.

3. PostNuke Phoenix Main Modules Multiple Path Disclosure Vulnerabilities BugTraq ID: 7693
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7693
Summary:

PostNuke is a web-based content management system. It is implemented in PHP and available for Unix/Linux variants and Microsoft Windows platforms.

Path disclosure vulnerabilities have been reported in modules which are included with PostNuke Phoenix. Affected modules include Downloads, Web_Links, Sections, FAQ, Search, Reviews and Glossary. The nature of these issues is poor handling of data supplied via URI parameters, causing error pages to be generated that contain the path to the installation root directory and other resources.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Exploitation of these issues may allow an attacker to gather sensitive information.

Some of these issues may be previously reported or exist in other content management systems such as PHP-Nuke or PHPBB, due to shared code.

4. Batalla Naval Remote Buffer Overflow Vulnerability BugTraq ID: 7699
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7699
Summary:

Batalla Naval is graphical naval battle game that can be played over a network. It is available for Unix/Linux variants and Microsoft Windows operating systems.

Batalla Naval is prone to a remotely exploitable buffer overflow when handling requests of excessive length. In particular, sending a string to the game server (gbnserver) that is 500 or more bytes in length may cause stack memory to be corrupted. This could allow for execution of malicious instructions in the context of the game server.

The game server listens on port 1995 by default.

5. Ifenslave Argument Local Buffer Overflow Vulnerability BugTraq ID: 7682
Remote: No
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7682
Summary:

ifenslave is a tool designed to attach and detach slave network interfaces to a bonding device. The bonding device will act like an Ethernet network device to the Linux kernel, but will send out packets using the bound slave devices using a scheduler.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

ifenslave for Linux has been reported prone to a buffer overflow vulnerability.

The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space.

Specifically, excessive data passed as the first command line argument to the vulnerable ifenslave executable, when copied into internal memory, may overrun the boundary of the assigned buffer and corrupt adjacent memory. Memory adjacent to this buffer has been confirmed to contain values that are crucial to controlling program execution flow. It is therefore possible for a local attacker to seize control of the vulnerable application and have malicious arbitrary code executed in the context of ifenslave. ifenslave is not installed setUID or setGID by default.

It should be noted that although this vulnerability has been reported to affect ifenslave version 0.07 previous versions might also be affected.

6. P-News Administrative Account Creation Vulnerability BugTraq ID: 7689
Remote: Yes
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7689
Summary:

P-News is a web-based news management system. It is implemented in PHP and available for Unix/Linux variants and Microsoft Windows operating systems.

A vulnerability has been reported that could enable a P-News member to create and access an administrative account. The flaw exists in the
'p-news.php' script. It is possible to inject malicious data into the
'Name' account editing input field. Exploitation could allow a member to
compromise P-News.

This issue was reported in P-News 1.16. Other versions may also be affected.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

7. PalmVNC Insecure Password Storage Vulnerability BugTraq ID: 7696
Remote: No
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7696
Summary:

PalmVNC is a VNC implementation for PalmOS. It can be used to establish VNC sessions with Windows or Unix/Linux systems.

PalmVNC stores password credentials in plaintext. By default, the database file (PalmVNCDB) that contains VNC passwords has the backup bit set. As a result, these credentials may be stored on a desktop system when the Palm is "Hotsynced". This could expose credentials to other users of the system that the backup is stored on.

This issue was reported in PalmVNC 1.40. Other versions are also likely affected.

8. Encrypted Virtual Filesystem Local Heap Overrun Vulnerability BugTraq ID: 7679
Remote: No
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7679
Summary:

Encrypted Virtual Filesystem (EVFS) is a virtual filesystem that runs on top of the Linux VFS. It allows multiple users to each mount their own encrypted filesystems using individual keys. It is available for the Linux operating system.

A vulnerability has been discovered in the 'efs' utility used by EVFS. The problem occurs during the 'do_mount()' function within the efs.c source file. During a call to salloc(), the size calculation fails to take the size of the 'to' argument into account. Data greater then that allocated may subsequently be written into the buffer. As a result, it may be possible for an attacker to corrupt sensitive memory management information.

Successful exploitation of this vulnerability could allow a legitimate EVFS user to execute arbitrary commands with root privileges.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This vulnerability affects EVFS v0.2, however earlier versions may also be affected.

9. Sun ONE Application Server Error Message Cross-Site Scripting Vulnerability BugTraq ID: 7710
Remote: Yes
Date Published: May 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7710
Summary:

Sun ONE Application Server is the application server solution distributed and maintained by Sun Microsystems. It is available for the Unix, Linux, and Microsoft platforms.

Sun ONE Application Server has been reported prone to a cross-site scripting vulnerability.

Sun ONE Application Server does not adequately filter script code from URL parameters, making it prone to cross-site scripting attacks. Attacker-supplied script code may be included in a malicious link to a JSP application hosted on the vulnerable server. If the request triggers an error, the error message may contain the attacker-supplied script code, which in turn may be executed in the browser of the web user who visits the link. The code will be executed in the security context of the system running Sun ONE Application Server. Such a link might be included in a HTML e-mail or on a malicious web page.

This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users.

It should be noted that although this vulnerability has been reported to affect Sun ONE Application Server 7.0 on Windows platforms, previous versions might also be affected.

1. Red Hat Linux up2date Unspecified Vulnerability BugTraq ID: 7714 Remote: No Date Published: May 28 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7714 Summary:

Red Hat Linux is a popular distribution of the Linux operating environment.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A vulnerability has been reported for Red Hat Linux's up2date mechanism. up2date is used by Red Hat Linux distributions to provide a way for users to obtain system updates through the Red Hat Network.

up2date is prone to an issue that may result in a segmentation fault during Migration. Although unconfirmed, due to the nature of this report, it has been speculated that memory corruption may trigger this vulnerability. It may be possible that, under the correct circumstances, this situation may ultimately be exploitable.

The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information becomes available.

1. PostNuke Phoenix Rating System Denial Of Service Vulnerability BugTraq ID: 7702 Remote: Yes Date Published: May 26 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7702 Summary:

PostNuke is a web-based content management system. It is implemented in PHP and available for Unix/Linux variants and Microsoft Windows platforms.

A problem in the software may make it possible to prevent access to sites by legitimate users.

It has been reported that the PostNuke rating system does not properly handle some submissions to the rating system. Because of this, a remote attacker may be able to submit a string that causes a denial of service to legitimate users.

The problem is in the handling of rating strings of excessive length. By submitting a maliciously crafted string, it is possible to cause the software to become unstable and potentially crash. It has been reported this can affect both the web server and database server under the PostNuke installation, though it's not entirely clear how.

1. Newsscript Administrative Privilege Elevation Vulnerability BugTraq ID: 7705 Remote: Yes Date Published: May 27 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7705 Summary:

Newsscript is a web-based news management system. It is written in PHP and available for Unix/Linux variants and Microsoft Windows operating systems.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A vulnerability was reported in Newsscript that may permit an unauthorized member to increase their privilege level. The issue exists in the profile editing function of the 'write.php' script. This is due to insufficient validation of data supplied to account editing input fields of Newsscript. In particular, it is possible to include user database delimiters (<~>) when editing user profile properties. This could be used to add arbitrary data to a user record, including modification of the user's privilege level.

1. Multiple Vendor Algorithmic Complexity Denial of Service Vulnerability BugTraq ID: 7756 Remote: Yes Date Published: May 29 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7756 Summary:

A hash table is a sorting algorithm that can be used to store various pieces of data within 'buckets'. Each algorithm typically has a best, average, and worst-case calculation time. A hash collision or bucket collision can occur when implementing a hash table algorithm. These collisions can occur when a hashed value or the storage location of a hash, modulo the size of the table, is already in use.

Multiple vendor applications have been reported prone to algorithmic complexity attacks related to hash collisions. This problem presents itself due to the use of known or predictable deterministic hashing algorithms.

An attacker could exploit this issue by somehow transmitting specially crafted input to a target application. The input must be designed to trigger a large frequency of hash or bucket collisions, causing the algorithm to continuously experience its worst-case calculation time. As collisions occur, the efficiency of the algorithm may exponentially decrease, resulting in a denial of service.

Successful exploitation of this issue may allow an attacker to trigger a large-scale denial of service against a target application, using a relatively small amount of data. This presents a realistic remote attack vector against vulnerable applications in situations where an attacker has a minimal amount of bandwidth at their disposal.

Specific deterministic hashing algorithms, implemented by a variety of applications, have been reported vulnerable to these attacks. The consequences of exploitation against each application will vary greatly depending on environments and various operating system behaviors.

1. Geeklog Image Upload Extension Validation Vulnerability BugTraq ID: 7744 Remote: Yes Date Published: May 29 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7744 Summary:

Geeklog is open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

Geeklog allows weblog users to upload images. Uploaded images should have certain extensions (such as .jpg or .gif). However, Geeklog does not sufficiently validate image upload extensions. This issue exists in the users and stories modules. It may be possible for an attacker to upload a file with an arbitrary extension, such as a script, and then request the file.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Depending on web server configuration, this could result in execution of arbitrary commands or file corruption. More sophisticated attacks could also occur, given that this vulnerability allows a remote attacker to place files with arbitrary extensions on the host.

1. Zeus Web Server Admin Interface VS_Diag.CGI Cross Site Scripting Vulnerability BugTraq ID: 7751 Remote: Yes Date Published: May 29 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7751 Summary:

Zeus Web Server is a proprietary webserver for Unix, Linux, Sun, BSD, HP-UX, and Apple OS X platforms.

The web-based administration interface included in Zeus Web Server is vulnerable to cross site scripting attacks. Specifically, the vs_diag.cgi application does not sufficiently sanitize user-supplied input. Thus, it is possible for an attacker to construct a malicious link which contains arbitrary HTML and script code. Attacker-supplied HTML and script code may be executed on a web client visiting the malicious link in the context of the vulnerable server.

It is important to note that the user must supply a username and password for the administrative interface before the script will execute. The vendor has stated that cookies are not used to store any sort of authentication credentials. Thus, this vulnerability cannot be exploited to obtain administrative passwords and other sensitive information.

This vulnerability was reported for Zeus 4.2r2 and earlier.

1. Linux /bin/mail Carbon Copy Field Buffer Overrun Vulnerability BugTraq ID: 7760 Remote: Yes Date Published: May 30 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7760 Summary:

The /bin/mail utility is a mail processing system which can be used to send and receive e-mail messages. It is available for the Unix and Linux operating systems.

A vulnerability has been discovered in /bin/mail on the Linux operating system. The problem occurs when processing the 'CC:' field within an e-mail message. Due to insufficient bounds checking, handling approximately 8824 bytes of data will trigger a buffer overrun.

Successful exploitation of this issue could allow an attacker to execute arbitrary commands with the privileges of /bin/mail. It should be noted that local exploitation of this vulnerability may be inconsequential. However, a malicious e-mail message referenced by the vulnerability utility or a remote CGI interface may both be sufficient conduits for remote exploitation.

1. Eterm PATH_ENV Buffer Overflow Vulnerability BugTraq ID: 7708 Remote: No Date Published: May 27 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7708 Summary:

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Eterm is terminal emulation software which is available for Unix and Linux variants.

Eterm has been reported prone to a local buffer overflow vulnerability. Code execution with elevated privileges has been confirmed possible.

The issue presents itself in the conf_parse_theme() function, and is due to a lack of sufficient bounds checking performed on an environment variable that is copied into an internal memory buffer. The buffer is located in static memory space. This issue is further exaggerated because adjacent memory contains 'rs-pixmap' char pointer data, this may be manipulated by the attacker to point anywhere in system memory.

The function post_parse(), is later invoked. This function calls free() on the location pointed to by rs_pixmaps. Since the attacker may have corrupted 'rs-pixmap' data to point to a malicious crafted fake malloc chunk on the heap, when malloc() is called arbitrary memory of the attackers choice may be corrupted.

It has been reported that Eterm fails after it frees the malicious chunk, an internal Eterm function dump_stack_trace(), intercepts SIGSEGV in the process and performs a small memory dump before launching gdb, dump_stack_trace() later generates a SIGALRM. It has been demonstrated, however, that the delivery of this signal may be prevented and arbitrary shell code executed with elevated privileges. Code execution will occur in the context of the vulnerable Eterm, which may have setuid/setgid utmp or possibly root on some Unix/Linux distributions.

1. Sun ONE Application Server Source Disclosure Vulnerability BugTraq ID: 7709 Remote: Yes Date Published: May 27 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7709 Summary:

Sun ONE Application Server is the application server solution distributed and maintained by Sun Microsystems. It is available for the Unix, Linux, and Microsoft platforms.

Sun ONE Application Server is prone to a source code disclosure vulnerability. This issue is due to handling of case in requests for resources. By changing the case of a file extension, the server may fail to interpret the script and instead serve it as a normal web resource. For example, if a JSP page is requested with the '.jsp' extension, it will be interpreted. However, if the same resource is requested using with an extension of '.JSP', it will not be interpreted by the server.

Script source code may contain sensitive information, such as database authentication credentials, which will be disclosed to a remote attacker if this issue is exploited.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This issue exists for Sun ONE Application Server on Microsoft Windows platforms. Previous versions may also be affected.

1. Apache APR_PSPrintf Memory Corruption Vulnerability BugTraq ID: 7723 Remote: Yes Date Published: May 28 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7723 Summary:

The Apache Software Foundation has released version 2.0.46, which addresses a vulnerability in the web server. Exploitation could reportedly occur through mod_dav or other components. This could potentially be exploited by remote attackers to deny web server resources to legitimate users. It has also been conjectured that exploitation could allow for execution of arbitrary code.

The vulnerability is present in the Apache apr_psprintf() Apache Portable Runtime (APR) library, specifically the apr_pools.c source file. It is believed that erroneous heap based memory management, performed by the psprintf_flush()function, may be the root cause of the issue. The ap_construct_url() and ap_construct_server() procedures are reported to be affected by this issue.

In addition to mod_dav, the following modules could also provide attack vectors under some circumstances:

mod_alias
mod_dav/mod_dav_fs
mod_dir
mod_imap
mod_proxy
mod_rewrite
mod_speling
mod_ssl
mod_usertrack

It is possible to reproduce this issue through mod_dav via an XML object request of excessive length. It is reported that a request of 12250+ bytes will trigger the condition on non-Windows operating systems, while 20000+ bytes is required to trigger the condition on Windows systems.

This issue is reported to affect Apache 2.0.37 through 2.0.45.

20. UML_NET Integer Mismanagement Code Execution Vulnerability BugTraq ID: 7676
Remote: No
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7676
Summary:

uml_utilities is a collection of packages designed to be used in conjunction with the User Mode Linux (UML) kernel patch. The uml_net program can be used by an administrator to configure various network devices and system networking parameters.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A vulnerability has been discovered in uml_net. The problem lies in the uml_net.c source file and occurs while handling user-supplied version information.

The 'v' variable is declared as a signed integer, however it is used to store an unsigned integer value returned by a call to the 'strtoul()' function. This will result in 'v' being interpreted as a negative value. As 'v' is later used in various bounds checking calculations, specifically
'if (v > CURRENT_VERSION)', it is possible to trigger an unexpected
calculation and bypass the check.

If all necessary calculation checks are passed, an attacker may be capable of indexing into a malformed location within an array of function pointers. Specifically, the 'v' variable is used as an index into the (*handlers[])() array. When this occurs the negative value stored in 'v' will allow the attacker to reference a supplied address lower in process memory.

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary commands with the privileges of uml_net, possibly root. It has been confirmed that uml_net is installed suid root on at least one Linux distribution.

21. FastTrack P2P Supernode Packet Handler Buffer Overflow Vulnerability BugTraq ID: 7680
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7680
Summary:

KaZaA, Grokster and Morpheus are file-sharing clients based on FastTrack P2P technologies. They will run on Microsoft Windows 9x/ME/NT/2000/XP systems. Ports also exist for variants of the Linux operating system.

FastTrack P2P Supernode Packet Handler has been reported prone to a buffer overflow vulnerability. The issue presents itself in the FastTrack Supernode packet handler. The handler does not perform sufficient bounds checking on Supernode entries received before they are copied into a reserved buffer in internal memory.

Specifically, when Supernode data extracted from certain FastTrack P2P network packets is passed to the affected FastTrack class and later copied into internal memory, excessive Supernode data (>200 entries) may overrun the boundary of the assigned buffer and corrupt adjacent memory. Memory adjacent to this buffer has been reported to contain values that are crucial to controlling memory management or program execution flow. Therefore it may be possible for a remote attacker to trigger a denial of service condition or ultimately seize control of the vulnerable application and have arbitrary attacker supplied code executed. Code execution would occur in the context of the user running an application that incorporates the vulnerable FastTrack P2P Packet Handler.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

It should be noted that this vulnerability has been tested on KaZaA version 2.0.2. Other versions of KaZaA and similar file-sharing clients based on FastTrack P2P technology may also be affected.

22. Apache Basic Authentication Module Valid User Login Denial Of Service Vulnerability BugTraq ID: 7725
Remote: Yes
Date Published: May 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7725
Summary:

Apache Web Server is a freely available, open source web server software package for the Unix, Linux, and Microsoft platforms. It is maintained by public domain.

A problem with the software may make it possible to deny access to legitimate users.

It has been reported that Apache 2.0 does not properly use specific thread-safe functions. Because of this, an attacker may be able to create a circumstance that prevents users from logging into restricted areas with valid user credentials.

The problem is in the use of crypt and derivative functions. Platforms without a crypt_r function, and without a thread-safe crypt function are vulnerable to an unspecified issue that can cause the failure of authentication credentials until the vulnerable server is restarted.

23. Bandmin Cross-Site Scripting Vulnerability BugTraq ID: 7729
Remote: Yes
Date Published: May 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7729
Summary:

Bandmin is a CGI script designed for network traffic monitoring. It is available for the Unix, Linux, and Microsoft operating systems.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

It has been reported that a cross-site scripting vulnerability exists in Bandmin. The problem with this script may lead to a violation of site security properties.

The problem is in the checking of input supplied in URI parameters to the
'index.cgi' script. The script does not sanitize input of HTML before
displaying it in web pages. This may result in the theft of authentication credentials, or execution of malicious HTML or script content in the security context of the site hosting Bandmin.

24. Sun One Application Server Request Logging Circumvention Weakness BugTraq ID: 7711
Remote: Yes
Date Published: May 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7711
Summary:

Sun ONE Application Server is the application server solution distributed and maintained by Sun Microsystems. It is available for the Unix, Linux, and Microsoft platforms.

A problem with the software may make it possible to circumvent logging.

It has been reported that Sun ONE Application Server may not properly log requests under some circumstances. Because of this, an attacker may be able to obscure attacks from the view of administrators.

The problem is in the handling of extremely long requests. Sun ONE Application Server is capable of serving requests with lengths of up to 4096 bytes. However, the logging facility truncates requests at the length of 4042 bytes. An attacker could potentially embed a malicious request in the 54 unlogged bytes, obscuring the specifics of the attack from administrator view.

It has been reported that this problem affects Sun ONE Application Server on Microsoft Windows platforms. Versions prior to 7.0 may also be affected, but this has not been confirmed.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

25. Multiple GPS Local And Remote Vulnerabilities BugTraq ID: 7736
Remote: Yes
Date Published: May 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7736
Summary:

Graphical Process Statistics (gps) is graphical process monitoring software. gps provides functionality for polling processes over a network. It is available for Unix and Linux variants.

gps is prone to multiple local and remote vulnerabilities. The following issues were reported:

A flaw in the implementation of the rgpsp source connection acceptance policy could permit unauthorized hosts to make connections. This could occur even if not permitted by the /etc/rgpsp.conf file.

Multiple unspecified potential buffer overflows were addressed that could allow for execution of malicious instructions in the context of the software.

Misformatting of rgpsp protocol command line parameters could potentially cause the protocol to fail.

A buffer overrun could occur if rgpsp attempts to handle process information with excessive command line data. Command line data in excess of 128 characters could potentially corrupt memory. This may be exploited to execute arbitrary code in the context of the user running rgpsp.

This BID will be divided into separate records when further analysis of these issues is complete. It should be noted that these issues were all fixed as of version 1.1.0, which was released April 28th, 2002. Fixes span a number of earlier releases, so it is possible that these issues have been public knowledge for some time. Further information will be included in individual BIDs.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

26. Geeklog Authentication SQL Injection Vulnerability BugTraq ID: 7742
Remote: Yes
Date Published: May 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7742
Summary:

Geeklog is open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

Geeklog is reported to be prone to SQL injection attacks during authentication. This is due to insufficient sanitization of cookie values, which will be used in database queries. This could permit an attacker to inject SQL code.

It has been demonstrated that vulnerability may allow a remote attacker to modify query logic and gain access to arbitrary Geeklog accounts, allowing for compromise of the software. It may also be possible, depending on the database implementation and other factors, to launch attacks against the database. This could result in disclosure of sensitive information or other consequences.

27. GNU GCC Implicit Struct Copy Memory Corruption Vulnerability BugTraq ID: 7743
Remote: Yes
Date Published: May 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7743
Summary:

GNU gcc is a C programming language compiler designed for the Linux and Unix operating systems. It supports the use of various command-line optimization switches that can be used to significantly reduce the number of instructions needed to execute.

A potential vulnerability has been reported for the GNU gcc compiler. The problem is said to affect versions prior to 3.2.3. The problem is said to occur when the '-O2' optimization switch has been used during the compilation of a program implementing implicit structure copying.

When carrying out the structure copying procedures, values stored within previously declared structures may be unexpectedly corrupted. Furthermore, new data meant to replace data within a structure may not be copied correctly. As a result, this issue may also result in the disclosure of sensitive internal program data.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Successful exploitation of this issue could potentially allow an attacker to modify internal data structures in such a way that the execution flow of the process may be controlled. This may be possible through the corruption of a function pointer or bounds checking parameter.

28. PHP Transparent Session ID Cross Site Scripting Vulnerability BugTraq ID: 7761
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7761
Summary:

PHP is a freely available, open source web scripting language package. It is available for Microsoft Windows, Linux, and Unix operating systems.

PHP contains an option known as transparent session IDs. This feature allows session IDs to be embedded with a URL.

A cross-site scripting vulnerability has been discovered in PHP version 4.3.1 and earlier. The problem occurs when the 'session.use_trans_sid' global parameter has been enabled.

Due to insufficient sanitization of the PHPSESSID URI parameter, it is possible for an attacker to embed malicious script code within a link. By embedding malicious code in such a way that an HTML tag will be prematurely terminated, it may be possible to execute arbitrary script code.

Successful exploitation of this issue would allow an attacker to execute arbitrary script code in a victim's browser within the context of the visited website. This may allow for the theft of sensitive information, such as session ID's, or possibly other attacks.

It should be noted that PHP versions prior to release 4.2.0 do not support transparent session IDs by default. Support must be specified during initial compilation.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

III. LINUX FOCUS LIST SUMMARY

1. process accounting (Thread) Relevant URL:

http://www.securityfocus.com/archive/91/323352

2. securing a bridget (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/323350

3. hardening scripts (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/323349

4. more on linux hardening (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/323347

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

5. more on linux hardening (fwd) (Thread) Relevant URL:

http://www.securityfocus.com/archive/91/322997

IV. NEW PRODUCTS FOR LINUX PLATFORMS

1. PureSight by iCognito Platforms: Linux, Solaris, Windows 2000, Windows NT Relevant URL: http://www.icognito.com/products/ps.shtml Summary:

PureSight Home is a powerful tool that helps parents and other concerned users embrace technology in their homes while safeguarding the family from intentional or accidental viewing of inappropriate content. PureSight Home provides maximal protection from objectionable materials on the web without the need for costly and time-consuming updates. Easily installed and customized, the password-protected tool can be readily set and modified according to parental preferences.

2. NetSecure Web
by NetSecure Software
Platforms: AIX, BSDI, Linux, Solaris, Windows NT Relevant URL:
http://www.netsecuresoftware.com/netsecurenew/Products/NetSecureWeb/netsecureweb.html Summary:

NetSecure Web enables you to create Internet services guaranteeing full protection of your information system network. * Total access to internal database server * Fully transparent for internal and external users * Preserves your private network from intrusion * Ensures that only authorized requests are delivered * Easy installation and operation

3. Kerio MailServer
by Kerio Technologies Inc.
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP Relevant URL:
http://www.kerio.com/us/kms_home.html
Summary:

Kerio MailServer represents a new generation of mail servers designed for corporate networks. To help combat increasing security threats, Kerio MailServer offers a wide range of features to keep email from being intercepted, infected by computer viruses, or sent as spam

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

V. NEW TOOLS FOR LINUX PLATFORMS

1. Access Control Designer vbeta1 by Robert Trebula R0B0 Relevant URL: http://acd.zero.sk.eu.org/ Platforms: Os Independent Summary:

Access Control Designer is a universal modular tool for visually designing access control policies. The user of this system depicts requirements for the designed security policy in a graphical notation based on a generally accepted security model. The tool will then generate a configuration of security mechanisms, which will be used for the implementation of the security policy. Modularity of the tool will allow users to design security policies for a lot of various environments - systems needed to have access controlled. A pluggable module API allows third-party programmers to provide ACD modules for systems and so allow users to use ACD for designing access control policies for the systems.

2. SSHTerm v0.1.4 beta
by Richard Pernavas
Relevant URL:
http://www.sshtools.com/
Platforms: Os Independent
Summary:

SSHTerm is a Java SSH client that provides a whole range of features, including port forwarding, password authentication, public-key authentication, ANSI/VT100/VT220/VT320 terminal, full clipboard support, record and playback input/output, and the ability to load/save connection settings to a file.

3. Samhain v1.7.8
by rainer
Relevant URL:
http://la-samhna.de/samhain/
Platforms: AIX, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux, Solaris, Unixware Summary:

samhain is a daemon that can check file integrity, search the file tree for SUID files, and detect kernel module rootkits (Linux only). It can be used either standalone or as a client/server system for centralized monitoring, with strong (192-bit AES) encryption for client/server connections and the option to store databases and configuration files on the server. For tamper resistance, it supports signed database/configuration files and signed reports/audit logs. It has been tested on Linux, FreeBSD, Solaris, AIX, HP-UX, and Unixware.

VI. SPONSOR INFORMATION

"For a limited time get 15% OFF Netscreen Firewalls and an additional 15% OFF any LINUX Managed Dedicated Hosting Solution from Interland. Knowledgeable 24/7/365 Technical Support. Call 1-877-504-0091 for more details on how to protect your dedicated server."

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Visit us at: http://www.securityfocus.com/Interland-linux-secnews