
SecurityFocus Linux Newsletter #141

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Jul 21 2003 - 13:58:34 EDT

SecurityFocus Linux Newsletter #141


This Issue is Sponsored by: KaVaDo

Your network Firewall and IDS products do not prevent Web application exploits - the most common form of online attack - resulting in Web defacement, data theft, sabotage and fraud.

KaVaDo is the first and only company that provides a complete and integrated suite of Web application security products, allowing you to:

  • assess your entire Web environment with a Web Application Scanner,
  • automatically set positive security policies for real-time protection, and
  • maintain such policies at the Application Firewall without compromising business performance.

For more information on KaVaDo and to download a FREE white paper on Security Policy Automation for Web Applications, please visit http://www.securityfocus.com/Kavado-linux-secnews3


I. FRONT AND CENTER

1. Waiting for the Worms
2. Blogs: Another Tool in the Security Pro's Toolkit (Part One)
3. Honeytokens: The Other Honeypot
4. The SecurityFocus 4th Anniversary Contest Winners Announced
5. **ANNOUNCEMENT**

II. LINUX VULNERABILITY SUMMARY

1. Invision Power Board Multiple Vulnerabilities
2. NeoModus Direct Connect Infinite Request Remote Denial Of...
3. Netscape Client Detection Tool Plug-In Buffer Overflow...
4. Citadel/UX Configuration Buffer Overrun Vulnerability
5. Citadel/UX Unlimited Biography Data Denial Of Service...
6. NFS-Utils Xlog Remote Buffer Overrun Vulnerability
7. PHPForum Mainfile.PHP Remote File Include Vulnerability
8. UMN GopherD GSIsTest Remote Buffer Overflow Vulnerability
9. ImageMagick Display Filename Format String Vulnerability
10. Citadel/UX Weak Internal Program Authentication Key Vulnerability
11. QMail-SMTPD-Auth True Program Remote E-Mail Vulnerability

III. LINUX FOCUS LIST SUMMARY

1. New SecurityFocus Article: Linux Firewall-related /proc Entries...
2. Stealthy Linux Key Logger (Thread)

IV. NEW PRODUCTS FOR LINUX PLATFORMS

1. Zorp
2. AccessGuard
3. HIVE

V. NEW TOOLS FOR LINUX PLATFORMS

1. Lazy Encryption Algorithm v1
2. Modular Access Control System v0.7.1-alpha
3. shellforge v0.1.14

VI. SPONSOR INFORMATION


I. FRONT AND CENTER

1. Waiting for the Worms
By Tim Mullen

The hole's been announced, the patch has been released. Now there's nothing to do but wait for the worm to come and wreak its ugly havoc.


http://www.securityfocus.com/columnists/174

2. Blogs: Another Tool in the Security Pro's Toolkit (Part One)
By Scott Granneman

I'll admit, I love information. No, make that I love and need information. If you're interested in keeping up with trends and changes in security, you're probably an information addict as well. You absorb security-related information and then ponder, examine, and analyze it before reshaping it in a way that helps protect your data, your systems, and your networks.

http://www.securityfocus.com/columnists/173

3. Honeytokens: The Other Honeypot
By Lance Spitzner

The purpose of this series of honeypot papers is to cover the breadth of honeypot technologies, values and issues. This article extends the capabilities even further by discussing the concept of honeytokens.

http://www.securityfocus.com/infocus/1713

4. The SecurityFocus 4th Anniversary Contest Winners Announced

With the contest having ended this past Wednesday, July 16, 2003, and with a large volume of entries, we have chosen the winners. The two entrants who came closest to choosing the correct day of Sept. 22, 2002 7:11 am MST have won a pair of tickets to the Black Hat Briefings in Las Vegas, NV, USA. Congratulations to Jenny H. of San Antonio, TX, and Leah E. of Tucson, AZ, for their winning entries.

5. **ANNOUNCEMENT** SecurityFocus will now be masking email addresses contained within all our Mailing Lists to ensure that they can no longer be harvested. We have taken these steps with your privacy being our main concern.

II. BUGTRAQ SUMMARY


1. Invision Power Board Multiple Vulnerabilities BugTraq ID: 8165
Remote: Yes
Date Published: Jul 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8165
Summary:

Invision Board is web forum software. It is implemented in PHP and is available for Unix and Linux variants and Microsoft Windows operating systems.

It has been reported that Invision Power Board in some cases fails to sufficiently sanitize user input in multiple instances, resulting in a number of exploitable vulnerabilities. This creates a possibility for SQL injection attacks, as well as HTML injection attacks.

HTML and script code are not filtered from within [FLASH][/FLASH] tags, allowing for injection of hostile client-side script code into areas of the bulletin board that allow these tags to be included. Exploitation could result in theft of cookie-based authentication credentials from other users. It will also be possible to control how the site is rendered to other users. Other attacks are also possible.

The 'ipchat.php' script does not filter SQL syntax supplied via URI parameters before using it in database queries, allowing for SQL injection attacks. This could be exploited to manipulate database queries, potentially resulting in compromise of the bulletin board, information disclosure or database corruption. SQL injection attacks may also allow attackers to exploit latent vulnerabilities present in the underlying database implementation.

This BID will be separated into multiple BIDs when analysis of these issues is complete.


2. NeoModus Direct Connect Infinite Request Remote Denial Of Service Vulnerability BugTraq ID: 8178
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8178
Summary:

Direct Connect is a freely available file sharing client distributed by NeoModus. It is available for the Microsoft Windows and Linux platforms.

It has been reported that NeoModus Direct Connect does not sufficiently limit requests. Because of this, an attacker could potentially deny service to a legitimate user of the client.

The problem is in the limiting of connection requests by Direct Connect hubs. It is possible for a user to send an unbounded number of connection requests from one client to another through a hub. This could consume network and system resources on the target client, making the target host unusable.

3. Netscape Client Detection Tool Plug-In Buffer Overflow Vulnerability BugTraq ID: 8180
Remote: No
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8180
Summary:

The Client Detection Tool plug-in is a component of the Netscape browser. It is maintained and distributed by Netscape, and available for the Microsoft Windows, Unix, and Linux platforms.

It has been reported that the Client Detection Tool plug-in is vulnerable to a buffer overflow when handling some types of files. This may result in the execution of arbitrary code with the privileges of the browser user.

The problem is in the handling of specially crafted files of the x-cdt mime type. A buffer overflow occurs when the CDT plug-in attempts to handle an argument of greater than 256 bytes. When a file name and path to a user's temporary directory total more than 256 bytes, it is possible to execute code contained in the file name.


Some limitations exist in this vulnerability. For example, some operating systems such as Microsoft Windows Server 2003 limit attachment name size to 218 bytes. Additionally, the file name cannot contain non-ASCII characters.

4. Citadel/UX Configuration Buffer Overrun Vulnerability BugTraq ID: 8191
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8191
Summary:

Citadel/UX is an open source BBS package for Linux, BSD, Solaris and other Unix systems.

Citadel/UX provides a means for clients to execute commands as an internal program and access IPC (Inter-process Communications). To use this feature, clients must supply an internal program password via the IPGM command.

Citadel/UX is prone to a buffer overrun when importing configuration data supplied by IPGM authenticated users. If excessive data is supplied during an import, it is possible to corrupt sensitive regions of stack memory with specific values. This may be exploited to execute arbitrary code in the context of the server.

5. Citadel/UX Unlimited Biography Data Denial Of Service Vulnerability BugTraq ID: 8192
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8192
Summary:

Citadel/UX is an open source BBS package for Linux, BSD, Solaris and other Unix systems.

Citadel/UX allows users to add biographical data to their profile. This is facilitated via the EBIO command.


Citadel/UX does not limit the amount of Biography data that clients can supply. This data is written to a file on the system hosting the BBS. A malicious user of the BBS could exploit this to cause a denial of service by supplying excessive data, potentially using up disk space available to the system user that the BBS is running as.

6. NFS-Utils Xlog Remote Buffer Overrun Vulnerability BugTraq ID: 8179
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8179
Summary:

nfs-utils provides various NFS tools, including a daemon for handling RPC requests. It is available for Unix and Linux variants.

A remote buffer overrun vulnerability has been reported in xlog, the logging facility used by nfs-utils; it is reachable through mountd. Exploitation is reported to result most likely in a denial of service, though it may also be possible to run arbitrary code in the context of mountd, which runs as root.

The vulnerability is an off-by-one boundary condition error in the xlog.c source file, which contains the code for logging RPC requests. The xlog() function is prone to this issue when a message of 1023 bytes or more is supplied, causing one byte of memory past the end of its buffer to be overrun with attacker-supplied data.

The issue could also occur in other nfs-utils components that call xlog() with externally-supplied data.
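The shape of such an off-by-one in a fixed-size logging buffer, shown here as an added illustration in C that is not the nfs-utils xlog() source: after vsnprintf() fills a 1024-byte buffer, appending a newline and terminator without checking the remaining room writes one byte past the end. The buffer size, the function names, the probe with a guard byte and the constructed oversize message are assumptions for the demo; the hardened variant truncates the message instead.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 1024   /* assumed log buffer size for the illustration */

/* Vulnerable pattern (illustrative, not the nfs-utils source):
 * vsnprintf() stores at most size-1 characters plus a NUL, so after a
 * 1023-byte message n == size-1.  Appending '\n' and '\0' without a
 * room check writes buf[size-1] and buf[size]; the second store is one
 * byte past the end of the buffer.  Returns the number of bytes stored. */
int vuln_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    size_t n;

    va_start(ap, fmt);
    vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    n = strlen(buf);
    if (n > 0 && buf[n - 1] != '\n') {
        buf[n++] = '\n';   /* buf[size-1] when the message filled the buffer */
        buf[n++] = '\0';   /* buf[size]: the off-by-one overrun */
    }
    return (int)n;
}

/* Hardened form: if there is no room for '\n' + '\0', drop the last
 * character of the message rather than write past the end. */
int safe_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    size_t n;

    if (size < 2)
        return 0;

    va_start(ap, fmt);
    vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    n = strlen(buf);
    if (n > 0 && buf[n - 1] != '\n') {
        if (n + 2 > size)   /* message filled the buffer: truncate */
            n = size - 2;
        buf[n++] = '\n';
        buf[n++] = '\0';
    }
    return (int)n;
}

/* Probe: a LOGBUF-sized "buffer" followed by one guard byte, fed a
 * constructed message longer than the buffer.  Returns 1 if the guard
 * byte was clobbered.  The backing storage is LOGBUF+1 bytes so the
 * probe itself never writes out of bounds. */
int overruns_buffer(int use_safe)
{
    char storage[LOGBUF + 1];
    char longmsg[LOGBUF + 64];
    const char guard = 0x5a;

    memset(longmsg, 'A', sizeof(longmsg) - 1);
    longmsg[sizeof(longmsg) - 1] = '\0';
    storage[LOGBUF] = guard;

    if (use_safe)
        safe_format(storage, LOGBUF, "%s", longmsg);
    else
        vuln_format(storage, LOGBUF, "%s", longmsg);

    return storage[LOGBUF] != guard;
}

/* Sanity check that the hardened form still formats an ordinary line:
 * returns the stored length, including the appended newline and NUL. */
int safe_short_length(void)
{
    char buf[LOGBUF];
    return safe_format(buf, sizeof(buf), "mountd: request from %s", "10.0.0.1");
}

int main(void)
{
    printf("vulnerable appender clobbers guard byte: %d\n", overruns_buffer(0));
    printf("hardened appender clobbers guard byte:   %d\n", overruns_buffer(1));
    return 0;
}
```

The clobbered byte in this illustration is the terminator the appender writes; what that byte can overwrite depends on what the compiler placed after the buffer on the stack, which is why the summary above rates the outcome as most likely a crash but possibly worse.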

7. PHPForum Mainfile.PHP Remote File Include Vulnerability BugTraq ID: 8158
Remote: Yes
Date Published: Jul 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8158
Summary:

phpForum is web forum software. It is available for Unix/Linux variants and Microsoft Windows operating systems.


phpForum is prone to a vulnerability that may permit remote attackers to include and execute malicious PHP scripts. Under some PHP configurations (register_globals enabled, which lets request parameters populate uninitialized variables), remote users may influence the $MAIN_PATH variable. This variable is used in the include path for the 'config.php' script within 'mainfile.php'. By pointing the include path at a malicious PHP script on a remote system, an attacker can cause arbitrary PHP code to be executed in the context of the web server process.

8. UMN GopherD GSIsTest Remote Buffer Overflow Vulnerability BugTraq ID: 8157
Remote: Yes
Date Published: Jul 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8157
Summary:

gopherd is the University of Minnesota's implementation of a Gopher server daemon. It is available for the Unix and Linux platforms.

It has been reported that UMN gopherd is vulnerable to a remotely exploitable boundary condition error. This may make it possible for an attacker to gain unauthorized access to a host using the vulnerable software.

The problem is in the GSisTest function in the GSgopherobj.c source file. A routine in this file copies user input into a buffer of 64 bytes without sufficient boundary checking. This could allow an attacker to overwrite sensitive process memory, and potentially execute code with the privileges of the gopher daemon.

9. ImageMagick Display Filename Format String Vulnerability BugTraq ID: 8177
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8177
Summary:

ImageMagick is an image manipulation program. It is available for a variety of platforms including Microsoft Windows and Unix and Linux variant operating systems.


The ImageMagick display program is alleged to be prone to a format string vulnerability. Exploitation may occur when the program is invoked with a filename that includes malicious format specifiers. This issue could be exploited to corrupt arbitrary regions of memory with attacker-supplied data, potentially resulting in execution of arbitrary code in the context of the user running the program.

For this issue to be exploited, the program would need to be invoked with an untrusted filename. This could occur automatically if the program was specified as the default image viewer for an e-mail client or some other program.

This issue was reported for Unix/Linux platforms. It is not known if other platforms are similarly affected.

10. Citadel/UX Weak Internal Program Authentication Key Vulnerability BugTraq ID: 8193
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8193
Summary:

Citadel/UX is an open source BBS package for Linux, BSD, Solaris and other Unix systems.

Citadel/UX uses an authentication key exchange to let a client authenticate to the server as an internal trusted program (IPGM).

The reported vulnerability lies in the procedure Citadel/UX uses to generate the internal program authentication key. The server seeds srand() with its current process ID and derives the key from the resulting PRNG output. The key therefore has very little entropy and can be reproduced by anyone who knows the PID of the running Citadel/UX server.

A remote attacker may exploit this by iterating through the possible process IDs sequentially and trying the key derived from each. If successful, the attacker can authenticate to the affected server as a trusted program and consequently attain elevated privileges.
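The seed-space problem described above, as an added illustration in C that is not Citadel/UX's own code: a server that seeds srand() with its PID and takes rand() output as the IPGM key, and an attacker who, knowing only that method, walks the PID range and submits each candidate. The structure and function names, the PID_MAX value of 32768 and the two-output key width are assumptions for the demo; the /dev/urandom alternative shows the fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed for the demo: the classic Linux default pid_max.  The point is
 * that the whole key space is this small, whatever the key's width. */
#define PID_MAX 32768

/* Server side (illustrative): derive the internal-program key from a
 * PRNG seeded with the process ID.  Two rand() outputs are combined so
 * that different seeds give different keys; the width is an assumption. */
unsigned int derive_key_from_pid(int pid)
{
    unsigned int key;
    srand((unsigned int)pid);
    key = (unsigned int)rand();
    key ^= (unsigned int)rand() << 15;
    return key;
}

struct ipgm_server {
    unsigned int key;   /* secret the server expects on the IPGM command */
    long attempts;      /* how many candidate keys it has been shown */
};

void server_start(struct ipgm_server *s, int pid)
{
    s->key = derive_key_from_pid(pid);
    s->attempts = 0;
}

/* The server's check of one IPGM authentication attempt. */
int server_ipgm(struct ipgm_server *s, unsigned int candidate)
{
    s->attempts++;
    return candidate == s->key;
}

/* Attacker side: knows the derivation method but neither the PID nor
 * the key.  Derives the key for every PID in turn and submits it.
 * Returns the PID whose key the server accepted, or -1. */
int brute_force_ipgm(struct ipgm_server *s)
{
    for (int pid = 1; pid < PID_MAX; pid++) {
        if (server_ipgm(s, derive_key_from_pid(pid)))
            return pid;
    }
    return -1;
}

/* Start a server that happened to get true_pid and return the PID the
 * attacker recovers from it (-1 if the search fails). */
int demo_recover(int true_pid)
{
    struct ipgm_server s;
    server_start(&s, true_pid);
    return brute_force_ipgm(&s);
}

/* Hardened alternative: take the key from the kernel CSPRNG instead of a
 * guessable seed.  Returns 0 on success, -1 if /dev/urandom is unavailable. */
int derive_key_urandom(unsigned char *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;
    if (!f)
        return -1;
    got = fread(out, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

int main(void)
{
    struct ipgm_server s;
    unsigned char strong[16];

    server_start(&s, 12345);   /* the BBS started with PID 12345 */
    int pid = brute_force_ipgm(&s);
    printf("recovered PID %d after %ld IPGM attempts\n", pid, s.attempts);

    if (derive_key_urandom(strong, sizeof(strong)) == 0)
        printf("urandom key starts %02x%02x: no PID to iterate\n",
               strong[0], strong[1]);
    return 0;
}
```

With a 16-byte key drawn from /dev/urandom the same brute-force loop has nothing to iterate over, and the attempts counter on the server side is also the number of failed IPGM commands a log monitor would see during the search.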

11. QMail-SMTPD-Auth True Program Remote E-Mail Vulnerability BugTraq ID: 8196
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8196
Summary:

qmail-smtpd-auth is a freely available, open source program to add support for the AUTH extension to QMail. It is available for the Unix and Linux platforms.


A vulnerability in qmail-smtpd-auth has been reported when malformed authentication requests are received. This may result in an attacker circumventing authentication to send e-mail.

The problem is in the handling of AUTH requests that do not carry all of the expected parameters. By sending a qmail-smtpd daemon patched with the vulnerable code an authentication request that omits the hostname component, an attacker attempting to relay e-mail through that server may bypass authentication.

This problem requires that the site be configured to use /bin/true as the dummy program. It should be noted that this is the default configuration.

III. LINUX FOCUS LIST SUMMARY


1. New SecurityFocus Article: Linux Firewall-related /proc Entries (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/329132

2. Stealthy Linux Key Logger (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/328797

IV. NEW PRODUCTS FOR LINUX PLATFORMS


1. Zorp
by Balabit IT Security Ltd.
Platforms: Linux
Relevant URL:

Summary:

Zorp is a proxy firewall suite that makes it possible to fine-tune proxy decisions (with its built-in script language), to fully analyze complex protocols (like SSH with several forwarded TCP connections), and to use out-of-band authentication techniques (unlike common practice, where proxy authentication had to be hacked into the protocol). In addition to the features above, source code is provided under the GNU GPL.

2. AccessGuard
by AccessGuard
Platforms: Os Independent
Relevant URL:

Summary:

AccessGuard is a fully automated intrusion prevention service, that instantly protects your IT infrastructure from known and unknown attacks by hackers, worms, server based 'Denial of Service' and other Internet risks. AccessGuard reduces security cost: It replaces and outperforms state of the art Intrusion Detection Systems (IDS) and makes analysis by security specialists unnecessary.

3. HIVE
by Sentryware
Platforms: Os Independent
Relevant URL:

Summary:

HIVE is a high-performance, appliance-based Layer 7 IPS (Intrusion Prevention System) that guards against web-based attacks. Over 80% of attacks are launched against web applications. Therefore it is vital to consider them as a critical factor in information security. Websites are usually protected by traditional firewalls, but these do not offer security against web attacks. HIVE complements the traditional firewall: elevating and optimising the security of your systems. By continuously monitoring incoming and outgoing data flows, HIVE is able to dynamically adjust the security policies for both the web-applications and web-servers under its protection.


V. NEW TOOLS FOR LINUX PLATFORMS


1. Lazy Encryption Algorithm v1
by Eduardo Ruiz
Relevant URL:
http://lea.research.kelsisiler.com
Platforms: Linux
Summary:

LEA is a simple algorithm for file encryption that uses boolean algebra and modular arithmetic to test the stream and generate numbers with a logical order. Using bytes as increments and decrements, users can choose between normal encryption without a pseudo-random data generator or steganography with or without random data.

2. Modular Access Control System v0.7.1-alpha by Mario D. Santana
Relevant URL:
http://macs.sf.net/
Platforms: Os Independent
Summary:

Modular Access Control System (MACS) is a system for global authentication, authorization, user/group/resource management, and application services.

3. shellforge v0.1.14
by Philippe Biondi biondi@cartel-securite.fr
Relevant URL:
http://www.cartel-info.fr/pbiondi/shellforge.html
Platforms: Linux, POSIX
Summary:

shellforge enables you to write shellcode programs in C. It transforms C program code into shellcode that will run on a Linux/x86 system. It provides macros to substitute libc calls with direct system calls and a Python script to automate compilation, extraction, encoding, and tests.

VI. SPONSOR INFORMATION



This Issue is Sponsored by: KaVaDo



Received on Mon Jul 21 14:31:12 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:27 EDT

