[GN][News] GN SecNews #4  Vijay Kumar
 Feb 16, 2003 06:31 PST 

GN SecNews Vol #4
-----------------
News Article Type: Weekly
Author: vijay (vijay-@users.sourceforge.net)
Date: Sun Feb 16 19:25:49 IST 2003

Please send in your comments and suggestions for improvement.

Disclaimer: This is a compilation of Security News Articles/Advisories from various GNU/Linux Providers, Developers and Users. The Author(s) of this article makes no warranties of any kind whatsoever with respect to the information contained from the sources. The information given here is as is from the source with the PGP signature if available.

===============================================================================

Contents
========
1.) [RHSA-2003:015-05] Updated fileutils package fixes race condition
     in recursive operations
2.) [RHSA-2003:035-10] Updated PAM packages fix bug in pam_xauth module
3.) SecurityFocus Newsletter #183
4.) SecurityFocus Linux Newsletter #118
5.) iDEFENSE Security Advisory 02.10.03: Buffer Overflow In NOD32
    Antivirus Software for Unix



===============================================================================

1.) [RHSA-2003:015-05] Updated fileutils package fixes race condition
in recursive operations (fwd)

===============================================================================
---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated fileutils package fixes race condition in recursive operations
Advisory ID:       RHSA-2003:015-05
Issue date:        2003-01-21
Updated on:        2003-02-12
Product:           Red Hat Linux
Keywords:          rm move gnu mv remove
Cross references:
Obsoletes:         
CVE Names:         CAN-2002-0435
---------------------------------------------------------------------

1. Topic:

New fileutils packages for Red Hat Linux 6.2, 7.0, 7.1, 7.2 and 7.3 fix a
race condition in recursive remove and move commands.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386

3. Problem description:

The fileutils package includes a number of GNU versions of common and
popular file management utilities.

A race condition in the recursive use of 'rm' and 'mv' in fileutils 4.1 and
earlier could allow local users to delete files and directories (as the user
running fileutils) if the user has write access to part of the tree being
moved or deleted.

Red Hat Linux versions 6.2, 7, 7.1, 7.2, and 7.3 shipped with versions of
fileutils that are vulnerable to this issue. This erratum provides new
fileutils packages that contain a patch correcting this issue.
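The defensive pattern behind this class of fix, as an added example that is not Red Hat's or GNU fileutils' code: a recursive delete that descends by file descriptor rather than by path name, refuses to follow symbolic links, and compares the device/inode pair seen by lstat() with the one actually opened, so a directory swapped for a link part-way through the walk is detected instead of followed. The tree it builds under a temporary directory is constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added example, not fileutils code: descend a tree by file descriptor so that
# a directory replaced by a symlink mid-walk cannot redirect the deletion.

def _open_dir_checked(name, dir_fd, expected):
    """Open directory `name` (relative to dir_fd) without following symlinks and
    confirm it is the very inode lstat() reported a moment ago, which closes the
    lstat()-then-open() window the advisory describes."""
    fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
    opened = os.fstat(fd)
    if (opened.st_dev, opened.st_ino) != (expected.st_dev, expected.st_ino):
        os.close(fd)
        raise RuntimeError(f"{name!r} was replaced during traversal")
    return fd

def _remove_children(dir_fd):
    """Delete everything below the open directory dir_fd; returns entry count."""
    removed = 0
    for entry in os.listdir(dir_fd):
        st = os.lstat(entry, dir_fd=dir_fd)
        if stat.S_ISDIR(st.st_mode):
            child_fd = _open_dir_checked(entry, dir_fd, st)
            try:
                removed += _remove_children(child_fd)
            finally:
                os.close(child_fd)
            os.rmdir(entry, dir_fd=dir_fd)
        else:
            # Symlinks (and any other non-directory) are unlinked, never followed.
            os.unlink(entry, dir_fd=dir_fd)
        removed += 1
    return removed

def safe_rmtree(path):
    """Remove `path` recursively and return the number of entries removed."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(path)
        return 1
    fd = _open_dir_checked(path, None, st)
    try:
        removed = _remove_children(fd)
    finally:
        os.close(fd)
    os.rmdir(path)
    return removed + 1

def demo():
    """Constructed tree: target/ holds a real subdirectory plus a symlink that
    points at victim/, a directory outside the tree being removed."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim")
        target = os.path.join(root, "target")
        os.makedirs(victim)
        os.makedirs(os.path.join(target, "sub"))
        with open(os.path.join(victim, "keep.txt"), "w") as f:
            f.write("must survive\n")
        with open(os.path.join(target, "sub", "junk.txt"), "w") as f:
            f.write("delete me\n")
        os.symlink(victim, os.path.join(target, "link_to_victim"))
        removed = safe_rmtree(target)
        return {
            "removed": removed,  # junk.txt, sub, link_to_victim, target
            "target_gone": not os.path.lexists(target),
            "victim_intact": os.path.exists(os.path.join(victim, "keep.txt")),
        }

if __name__ == "__main__":
    print(demo())
```

Modern Python's shutil.rmtree applies the same descriptor-based technique on platforms that support it (shutil.rmtree.avoids_symlink_attacks reports whether it does), which is the library call to reach for in practice; the hand-written version above exists only to make the dev/ino check visible.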

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/fileutils-4.0-21.1.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/fileutils-4.0-21.1.i386.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/fileutils-4.0x-3.1.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/fileutils-4.0x-3.1.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/fileutils-4.0.36-4.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/fileutils-4.0.36-4.1.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/fileutils-4.1-10.1.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/fileutils-4.1-10.1.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/fileutils-4.1-10.1.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/fileutils-4.1-10.1.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/fileutils-4.1-10.1.i386.rpm



6. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
55639c22a29023720b9504fda5c8614e 6.2/en/os/SRPMS/fileutils-4.0-21.1.src.rpm
cacc930476d0338f406ecead3dcf952b 6.2/en/os/i386/fileutils-4.0-21.1.i386.rpm
7c7f227ab74bde72f3412107ba63ba62 7.0/en/os/SRPMS/fileutils-4.0x-3.1.src.rpm
37887ea82f67399490cf04f30727078f 7.0/en/os/i386/fileutils-4.0x-3.1.i386.rpm
fe03cd0ec3fc7a0cd6f22872704c4390 7.1/en/os/SRPMS/fileutils-4.0.36-4.1.src.rpm
24bcfd92b6298dc3510a4cbfdf812a96 7.1/en/os/i386/fileutils-4.0.36-4.1.i386.rpm
4357c82173c6ad064119cdf265f6162e 7.2/en/os/SRPMS/fileutils-4.1-10.1.src.rpm
d8a014f87a6aa623c36620ba96178698 7.2/en/os/i386/fileutils-4.1-10.1.i386.rpm
3c7c5fd690854ba5655717583883ddc5 7.2/en/os/ia64/fileutils-4.1-10.1.ia64.rpm
4357c82173c6ad064119cdf265f6162e 7.3/en/os/SRPMS/fileutils-4.1-10.1.src.rpm
d8a014f87a6aa623c36620ba96178698 7.3/en/os/i386/fileutils-4.1-10.1.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


7. References:

http://online.securityfocus.com/archive/1/260936
http://mail.gnu.org/archive/html/bug-fileutils/2002-03/msg00028.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0435

8. Contact:

The Red Hat security contact is <secu-@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

***********************************************************************
************************** End of Doc #1 ******************************
***********************************************************************

===============================================================================

2.) [RHSA-2003:035-10] Updated PAM packages fix bug in pam_xauth module

===============================================================================
---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated PAM packages fix bug in pam_xauth module
Advisory ID:       RHSA-2003:035-10
Issue date:        2003-02-07
Updated on:        2003-02-12
Product:           Red Hat Linux
Keywords:          pam_xauth root cookies
Cross references: RHSA-2003:028
Obsoletes:         
CVE Names:         CAN-2002-1160
---------------------------------------------------------------------

1. Topic:

Updated PAM packages are now available for Red Hat Linux 7.1, 7.2, 7.3, and
8.0. These packages correct a bug in pam_xauth's handling of authorization
data for the root user.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.

Andreas Beck discovered that versions of pam_xauth supplied with Red Hat
Linux since version 7.1 would forward authorization information from the
root account to unprivileged users. This could be used by a local attacker
to gain access to an administrator's X session. In order to exploit this
vulnerability, the attacker would have to get the administrator, as root,
to use su to the account belonging to the attacker.

Users of pam_xauth are advised to upgrade to these errata packages, which
contain a patch that adds ACL (access control list) functionality to
pam_xauth and disallows root forwarding by default.

Versions of pam_xauth included in Red Hat Linux 7 and earlier disabled
passing of credentials from the root account to unprivileged users by
default and are not affected by this issue.

Thanks to Andreas Beck for reporting this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/pam-0.75-46.7.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/pam-0.75-46.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/pam-devel-0.75-46.7.1.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/pam-0.75-46.7.2.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/pam-0.75-46.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/pam-devel-0.75-46.7.2.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/pam-0.75-46.7.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/pam-devel-0.75-46.7.2.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/pam-0.75-46.7.3.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/pam-0.75-46.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/pam-devel-0.75-46.7.3.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/pam-0.75-46.8.0.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/pam-0.75-46.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/pam-devel-0.75-46.8.0.i386.rpm



6. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
4a869dd0efd82fb9f098cc4284263aeb 7.1/en/os/SRPMS/pam-0.75-46.7.1.src.rpm
2ee6c4e7c9c59efdf3e31c8d9482a30a 7.1/en/os/i386/pam-0.75-46.7.1.i386.rpm
0d8f6cb6d0f293cb174f3e376c21eb1d 7.1/en/os/i386/pam-devel-0.75-46.7.1.i386.rpm
fcbe7194fc12466d4532b213373c3ce6 7.2/en/os/SRPMS/pam-0.75-46.7.2.src.rpm
7d16c011e4f74e8e02bb8c193506186d 7.2/en/os/i386/pam-0.75-46.7.2.i386.rpm
0919b62d8d7531883d6e01f5ff3a51b6 7.2/en/os/i386/pam-devel-0.75-46.7.2.i386.rpm
e653e3ff25eb958570b411d201b5106e 7.2/en/os/ia64/pam-0.75-46.7.2.ia64.rpm
8f4d0dc64cdbded20c46a38460e6affe 7.2/en/os/ia64/pam-devel-0.75-46.7.2.ia64.rpm
99751631043fbe42f98f8598e74e6d4b 7.3/en/os/SRPMS/pam-0.75-46.7.3.src.rpm
8ea6d868c28c22d629d2059f1ad72f1b 7.3/en/os/i386/pam-0.75-46.7.3.i386.rpm
9fef754632838504c0590ba30203a925 7.3/en/os/i386/pam-devel-0.75-46.7.3.i386.rpm
1b74821ca4fd0b7a9919c3b0fdf3dbb3 8.0/en/os/SRPMS/pam-0.75-46.8.0.src.rpm
25ebcb39f56c98cc064c34b2d048ed35 8.0/en/os/i386/pam-0.75-46.8.0.i386.rpm
f6412156d54a4021a3200eb7d7ff79c0 8.0/en/os/i386/pam-devel-0.75-46.8.0.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>
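The verification sections of both advisories above publish an "MD5 sum / Package Name" table and ask the reader to compare md5sum output against it. The following is an added example (not Red Hat's tooling) that parses a table in exactly that layout and checks a local download directory against it. The two table lines are copied from the second advisory; the "constructed/" entries, the files written under a temporary directory and the helper names are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample in the advisory's layout: the two package lines are copied
# from the PAM advisory above; header and rule lines are skipped by the parser.
SAMPLE_TABLE = """\
MD5 sum                          Package Name
--------------------------------------------------------------------------
4a869dd0efd82fb9f098cc4284263aeb 7.1/en/os/SRPMS/pam-0.75-46.7.1.src.rpm
2ee6c4e7c9c59efdf3e31c8d9482a30a 7.1/en/os/i386/pam-0.75-46.7.1.i386.rpm
"""

_TABLE_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")

def parse_md5_table(text):
    """Return {package_path: md5hex}; anything not '<32 hex> <path>' is ignored."""
    table = {}
    for line in text.splitlines():
        m = _TABLE_LINE.match(line.strip())
        if m:
            table[m.group(2)] = m.group(1)
    return table

def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large packages need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_downloads(table, mirror_root):
    """Compare each package under mirror_root with its published digest.
    Per package the result is 'OK', 'MISMATCH' or 'MISSING'."""
    results = {}
    for rel_path, expected in table.items():
        local = os.path.join(mirror_root, rel_path)
        if not os.path.isfile(local):
            results[rel_path] = "MISSING"
        elif md5_of_file(local) == expected:
            results[rel_path] = "OK"
        else:
            results[rel_path] = "MISMATCH"
    return results

def demo():
    """Throwaway mirror: one matching file, one corrupted file, the real
    packages absent. All bodies are constructed, not real RPMs."""
    table = parse_md5_table(SAMPLE_TABLE)
    good = b"constructed package body, not a real rpm"
    table["constructed/good.rpm"] = hashlib.md5(good).hexdigest()
    table["constructed/bad.rpm"] = "0" * 32  # placeholder digest that cannot match
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "constructed"))
        with open(os.path.join(root, "constructed", "good.rpm"), "wb") as f:
            f.write(good)
        with open(os.path.join(root, "constructed", "bad.rpm"), "wb") as f:
            f.write(b"tampered or truncated")
        return verify_downloads(table, root)

if __name__ == "__main__":
    for pkg, status in sorted(demo().items()):
        print(f"{status:9} {pkg}")
```

A digest comparison of this kind catches corrupted or truncated downloads, as the advisory says; the GPG signature check with rpm --checksig is the one that ties a package to Red Hat's key, and the digest published in a signed advisory is only as trustworthy as the channel the advisory arrived through.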


7. References:

http://www.redhat.com/support/wpapers/redhat/newpam/tinkering.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1160

8. Contact:

The Red Hat security contact is <secu-@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

***********************************************************************
************************** End of Doc #2 ******************************
***********************************************************************

===============================================================================

3.) SecurityFocus Newsletter #183

===============================================================================
SecurityFocus Newsletter #183
-----------------------------

This Issue sponsored by: NetIQ

Security Webcast Featuring Kevin Mitnick

Do you need cost-effective methods to create and implement information
security policies to gain control of your enterprises? Join former hacker
turned consultant Kevin Mitnick for NetIQ's free webcast-"People &
Policies: Turning Your Weakest Security Link into a First Line of
Defense."

Register now at:
http://www.netiq.com/f/form/form.asp?id=1696&origin=NSSecFocusCorpNL021103
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. SunScreen, Part Two: Policies, Rules, and NAT
     2. The Great IDS Debate : Signature Analysis Versus Protocol Analysis
     3. Smallpot: Tracking the Slapper and Scalper Unix Worms
     4. Lessons From the Slammer
     5. Something Needs to Change
     6. SecurityFocus DPP Program
     7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. BUGTRAQ SUMMARY
     1. SILC Server SSH2 Authentication Password Persistence Weakness
     2. myphpPageTool Remote File Include Vulnerability
     3. Bladeenc Signed Integer Memory Corruption Vulnerability
     4. phpMyShop compte.php SQL Injection Vulnerability
     5. OpenBSD CHPass Temporary File Link File Content Revealing...
     6. KaZaA Advertisement Response Denial of Service Vulnerability
     7. Microsoft Internet Explorer dragDrop Method Local File Reading...
     8. PHP-Nuke Avatar HTML Injection Vulnerability
     9. PAM pam_xauth Module Unintended X Session Cookie Access...
     10. Opera Cross Domain Scripting Vulnerability
     11. Opera JavaScript Console Attribute Injection Vulnerability
     13. Opera Image Rendering HTML Injection Vulnerability
     15. Majordomo Default Configuration Remote List Subscriber...
     17. Linux O_DIRECT Direct Input/Output Information Leak Vulnerability
     18. ByteCatcher FTP Client Long Server Banner Buffer Overflow...
     19. Electrasoft 32Bit FTP Client Long Server Banner Buffer...
     20. Microsoft Windows 2000 NetBIOS Continuation Packets Kernel...
     21. Microsoft Windows 2000 RPC Service Privilege Escalation...
     22. Epic Games Unreal Engine Memory Consumption Denial Of Service...
III. SECURITYFOCUS NEWS ARTICLES
     1. Student charged with massive ID fraud
     2. Spyware found on one in three corporate networks
     3. Discarded computer had confidential medical information
     4. Slammer: Why security benefits from proof of concept code
IV. SECURITYFOCUS TOP 6 TOOLS
     1. Login Anomaly Detection System v0.1
     2. WatchLog v0.1b
     3. FieryFilter v0.3
     4. apachelogrotate.pl v0.1.2
     5. GkrellMMS v2.1.8
     6. Logdog v2.0-RC2
V. SECURITYJOBS LIST SUMMARY
     1. Employment Opportunities with @stake (Thread)
     2. How picky should a security person be in today's economy? (Thread)
     3. Security and Compliance Paralegal (Thread)
     4. Information Control & Compliance Manager (Thread)
     5. Internet Investigator (Thread)
     6. Network Exploitation Analyst (Thread)
     7. Database Management Specialist (Thread)
     8. Sr. Account Manager - Inside Sales (Thread)
     9. Sr. IA Functional Analysts - Northern VA/DC (Thread)
     10. Product Sales Professionals (Inside Sales) - Amherst, NY (Thread)
     11. Senior Account Executives - Amherst, NY (Thread)
     12. IL-Windows Security Specialist (Thread)
     13. Senior Project Consultant -Information Security - OH - $80k...
     14. Sydney Opportunities (Thread)
     15. Looking for a Pre/Post Sales position based out of Kentucky...
     16. ezmlm warning (Thread)
     17. Wanted Immediately - Sr. Software Engineer (Thread)
     18. Vulnerability Analyst - looking for work (Thread)
     19. Resume: Web Security Specialist (Thread)
     20. Security Consultant seeking employment in Toronto, Canada...
     21. Need -- Design Engineers -- secure battlefield wireless...
     22. Seeing a Security Architect in Los Angeles (Thread)
     23. Symantec in Redwood City needs a security focused Architect...
VI. INCIDENTS LIST SUMMARY
     1. Netbios Name Scans/opaserv worm (Thread)
     2. ALEVRIUS! (Thread)
     3. email address probes (Thread)
     4. Packets from 255.255.255.255(80) (was: Packet from port 80 with...
     5. Packets from 255.255.255.255(80) (was: Packet from port 80 with...
     6. FTP/Port 1038 (Thread)
     7. DoS Attacks, Detecting the Source, and Service Providers (Thread)
     8. Speedera Ping, was "Packets from 255.255.255.255(80), etc."...
     9. Packet from port 80 with spoofed microsoft.com ip (Thread)
     10. More /sumthin, maybe (Thread)
     11. Packets from 255.255.255.255(80) (Thread)
     12. Packets from 255.255.255.255(80) (was: Packet from port 80...
     13. /sumthin Revisited (Thread)
     14. klez variant?? (Thread)
     15. The Spread of the Sapphire/Slammer Worm (Thread)
     16. ZOMBIES_HTTP_GET (Thread)
     17. Fwd: Packets from 255.255.255.255(80) (was: Packet from port...
     18. MSDE contained in... (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
     1. Fw: f-prot antivirus useless buffer overflow (Thread)
     2. Re[2]: Windows reverse Shell (Thread)
     3. Windows reverse Shell (Thread)
     4. Possible DOS against search engines? (Thread)
     5. slocate vulnerability (Thread)
     6. locator exploit (Thread)
     7. bash 2.05.0(1)-release/it.map.gz Slackware 8.0 default and...
VIII. MICROSOFT FOCUS LIST SUMMARY
     1. L0phtCrack and Windows 2000 LM Hashes (Thread)
     2. Customising user rights on win2k Pro (Thread)
     3. Unknown Windows Process (Thread)
     4. Unknown Windows 2000 files? (Thread)
     5. Secure Ldap call not working due to IUSR/IWAM permissions?...
     6. Dynamic Entries in IP Routing Table (Thread)
     7. SecurityFocus Microsoft Newsletter #123 (Thread)
     8. IIS Security using Integrated Windows Authentication (Thread)
IX. SUN FOCUS LIST SUMMARY
     1. ezmlm warning (Thread)
     2. LDAP replacing NIS...? (Thread)
X. LINUX FOCUS LIST SUMMARY
     1. openSSL Key generation (Thread)
     2. ezmlm warning (Thread)
     3. Perl administration for Linux fileserver (Thread)
     4. Secure Web-Based Administration (Thread)
     5. NIS with local root (Thread)
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. SunScreen, Part Two: Policies, Rules, and NAT
By Ido Dubrawsky

This is the second of a two-part series looking at SunScreen, Sun
Microsystem's firewall product, which provides a variety of features that
allow system and network administrators to secure their networks as well
as provide for remote access capabilities. This article will cover some
of the rudimentary facilities in SunScreen such as adding and removing
rules, setting up a remote management station, and network address
translation.

http://online.securityfocus.com/infocus/1664

2. The Great IDS Debate : Signature Analysis Versus Protocol Analysis
by Matt Tanase

Intrusion detection systems (IDS) have rapidly become a crucial component
of any network defense strategy. Over the past few years, their popularity
has soared as vendors have refined their results and increased performance
capabilities. At the heart of intrusion detection systems lies the
analysis engine. It reviews each packet, determines if it is malicious,
and logs an alert if necessary – the core tasks of an IDS. Two different
IDS techniques, each favored by separate and loyal camps, have emerged as
the preferred engine behind the software. Despite the copious marketing
material and fiery online debates, each method has distinct strengths and
weaknesses. In this article, we'll examine and compare the two different
techniques: signature analysis and protocol analysis.

http://online.securityfocus.com/infocus/1663

3. Smallpot: Tracking the Slapper and Scalper Unix Worms
by Costin Raiu

Fueled by the old myth that "you can't get a virus in Unix" and by the
increasing popularity of Linux and FreeBSD, Unix viruses passed an
important milestone in 2001 and continued by receiving even more attention
during 2002.

http://online.securityfocus.com/infocus/1662

4. Lessons From the Slammer
By Richard Forno

January's Slammer infection held valuable lessons for all security
stakeholders.

http://online.securityfocus.com/columnists/140

5. Something Needs to Change
By Tim Mullen

That's all there was to "Slammer," 376 bytes. When you think about it,
it's amazing that a piece of code could have wreaked such havoc on the
Internet and caused such widespread system failure -- at about the size of
two paragraphs of this column.

http://online.securityfocus.com/columnists/139

6. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today’s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html


II. BUGTRAQ SUMMARY
-------------------
1. SILC Server SSH2 Authentication Password Persistence Weakness
BugTraq ID: 6743
Remote: No
Date Published: Feb 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6743
Summary:

SILC (Secure Internet Live Conferencing) is a protocol which provides
secure conferencing services in the Internet.

A problem with SILC may allow the recovery of sensitive information.

It has been reported that SILC does not safely handle password
information. As a result, a local user may be able to recover
authentication passwords.

The problem is in the handling of authentication passwords after
authentication has been negotiated. Correct behavior of such applications
is to remove passwords from memory immediately after authentication has
occurred. However, SILC retains password information in memory, which may
result in recovery by another user with sufficient privileges. In addition
to being present in process memory space, this information may also be
retrieved from memory dumps of processes.

2. myphpPageTool Remote File Include Vulnerability
BugTraq ID: 6744
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6744
Summary:

myphpPagetool is an application used to maintain a web site using a mysql
database, which stores and manages all web pages and their contents.
myphpPagetool is written in PHP and is available for a variety of
platforms.

myphpPageTool is prone to an issue which may allow remote attackers to
include files located on remote servers. This issue is present in the
index.php, help1.php, help2.php, help3.php, help4.php, help5.php,
help6.php, help7.php, help8.php and help9.php pages existing in the
/doc/admin folder.

Under some circumstances, it is possible for remote attackers to influence
the include path for 'pt_config.inc' to point to an external file on a
remote server by manipulating the $ptinclude URI parameter.

If the remote file is a malicious file, this may be exploited to execute
arbitrary system commands in the context of the webserver.

This vulnerability was reported for myphpPageTool 0.43-1. It is not known
whether other versions are affected.

3. Bladeenc Signed Integer Memory Corruption Vulnerability
BugTraq ID: 6745
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6745
Summary:

Bladeenc is an open-source MP3 encoder and is available for a variety of
platforms including Microsoft Windows and Linux and Unix variant operating
systems.

A memory corruption vulnerability has been reported for Bladeenc. Bladeenc
encodes WAV files in 'chunks' of data. The vulnerability exists when
Bladeenc is seeking a WAV file chunk. Specifically, in the function
__myfseek() in the samplein.c source file, an integer value is not
properly verified. When this function is given a negative value, it will
result in the corruption of sensitive areas of memory with
attacker-supplied values.

An attacker can exploit this vulnerability by creating a malicious WAV
file with carefully crafted headers that will cause Bladeenc to execute
malicious attacker-supplied code.

This vulnerability was reported for Bladeenc 0.94.2 and earlier.
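The summary above describes a chunk size that reaches a seek routine unchecked and turns negative as a signed integer. As an added example, not Bladeenc's code, here is a RIFF/WAVE chunk walker that validates each size field against the bytes actually present before using it as a seek distance, and rejects any size that would not fit a signed 32-bit int. The three sample files are constructed in the block: a well-formed one, one whose data chunk claims more bytes than remain, and one whose data chunk size is 0xFFFFFFF0, the kind of value that reads as negative in C.

```python
import struct

# Added example, not Bladeenc code: a bounds-checked RIFF/WAVE chunk walker.

class MalformedWav(ValueError):
    """Raised for any chunk header whose size cannot be trusted."""

INT32_MAX = 2**31 - 1

def parse_riff_chunks(buf):
    """Return [(chunk_id, data_offset, size)] for every chunk in `buf`.

    Each size is checked against the bytes remaining before it is used to
    advance, and sizes above INT32_MAX are rejected outright because that is
    the range that becomes negative in a C signed-int seek argument."""
    if len(buf) < 12 or buf[0:4] != b"RIFF" or buf[8:12] != b"WAVE":
        raise MalformedWav("not a RIFF/WAVE header")
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    if riff_size > INT32_MAX or riff_size > len(buf) - 8:
        raise MalformedWav(f"RIFF size {riff_size} exceeds file length")
    chunks = []
    pos, end = 12, 8 + riff_size
    while pos < end:
        if end - pos < 8:
            raise MalformedWav(f"truncated chunk header at offset {pos}")
        chunk_id, size = struct.unpack_from("<4sI", buf, pos)
        data_start = pos + 8
        if size > INT32_MAX:
            raise MalformedWav(f"chunk {chunk_id!r} size {size} would be negative as int32")
        if size > end - data_start:
            raise MalformedWav(
                f"chunk {chunk_id!r} claims {size} bytes, only {end - data_start} remain")
        chunks.append((chunk_id.decode("ascii", "replace"), data_start, size))
        pos = data_start + size + (size & 1)  # RIFF chunks are padded to even length
    return chunks

def classify(buf):
    """'ok' if every chunk is consistent with the file, else 'rejected'."""
    try:
        parse_riff_chunks(buf)
        return "ok"
    except MalformedWav:
        return "rejected"

def build_wav(data_size_field, payload):
    """Constructed 8 kHz mono 16-bit PCM file; the data chunk's size field is
    set to data_size_field regardless of len(payload) so it can be made to lie."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", data_size_field) + payload)
    return b"RIFF" + struct.pack("<I", len(body)) + body

_PAYLOAD = b"\x00" * 16
GOOD_WAV = build_wav(len(_PAYLOAD), _PAYLOAD)   # sizes agree with the bytes present
OVERSIZED_WAV = build_wav(1000, _PAYLOAD)       # claims far more data than exists
NEGATIVE_WAV = build_wav(0xFFFFFFF0, _PAYLOAD)  # -16 if read as a signed 32-bit int

if __name__ == "__main__":
    print(parse_riff_chunks(GOOD_WAV))
    for name, sample in [("oversized", OVERSIZED_WAV), ("negative", NEGATIVE_WAV)]:
        print(name, classify(sample))
```

The parser is deliberately strict about the RIFF size matching the file length; real encoders sometimes emit files whose RIFF size is wrong, and a production reader would clamp to the file length rather than refuse, but the per-chunk check against the remaining bytes is the one that matters for memory safety.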

4. phpMyShop compte.php SQL Injection Vulnerability
BugTraq ID: 6746
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6746
Summary:

phpMyShop is an application written in PHP that makes it possible to
manage a web based electronic shop.

phpMyShop, in some cases, does not sufficiently sanitize user-supplied
input which is used when constructing SQL queries. As a result, attackers
may supply malicious parameters to manipulate the structure and logic of
SQL queries. This may result in unauthorized operations being performed on
the underlying database.

This vulnerability was reported to exist in the compte.php script file
distributed with phpMyShop. A remote attacker may exploit this
vulnerability to bypass the authentication/registration process used by
phpMyShop sites.

SQL injection attacks may also potentially be used to exploit latent
vulnerabilities in the underlying database implementation.

This vulnerability was reported for phpMyShop 1.00. It is not known
whether other versions are affected.

5. OpenBSD CHPass Temporary File Link File Content Revealing Vulnerability
BugTraq ID: 6748
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6748
Summary:

OpenBSD is a freely available version of the BSD Unix operating system.

A problem in OpenBSD may result in the disclosure of the contents of
specific files.

It has been reported that a vulnerability in chpass may allow local users
to gain access to the content of specific files. This vulnerability
requires that lines in the target file be constructed in a specific
format. The issue also affects the chfn and chsh programs which are hard
links to the chpass binary.

While chpass executes, it is possible for a user to halt the executing
process by sending a SIGSTOP signal to the process via the shell. While
the process is stopped, it is possible for the user to manipulate the
temporary file created by the process, and change the file to a symbolic
link to an arbitrary file. When the process resumes execution, it will
read the content of the linked file. Since the chpass program is a setuid
root executable, this may result in the display of some lines contained in
the file to standard output.

This could allow a local user to read the contents of restricted files,
and may result in further attack against the vulnerable system.

6. KaZaA Advertisement Response Denial of Service Vulnerability
BugTraq ID: 6747
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6747
Summary:

KaZaA Media Desktop is a peer to peer file sharing utility. KaZaA is
available for the Microsoft Windows operating system.

When KaZaA clients make a connection to a file sharing server, a request
is made for an advertisement (*ad*) download. A vulnerability has been
discovered in KaZaA clients when receiving unexpected responses to *ad*
requests. When the susceptible KaZaA client attempts to process the
response, the client will crash. This condition likely occurs due to the
client assuming various attributes of the response. Computing values
assumed to exist in a response, which may not be in an expected format,
may cause the client to behave in an unpredictable manner.

This issue could be exploited by an attacker to cause a denial of service
against KaZaA clients. The denial of service may also be triggered by a
filter configured to reject various web requests.

Although not yet confirmed, it has been reported that this issue may be
exploited to execute arbitrary instructions within the context of the
target client process.

7. Microsoft Internet Explorer dragDrop Method Local File Reading Vulnerability
BugTraq ID: 6749
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6749
Summary:

Microsoft Internet Explorer 5.5 and higher contain the ActiveX method
dragDrop() that allows HTML elements to be dragged and dropped on a web
page.

The dragDrop() method can be used by a maliciously crafted web page to
read local files from an Internet Explorer user's local drive.

If a web page is constructed containing a script element utilizing the
dragDrop() method and properly obfuscated, users can be tricked into
uploading a local file to the malicious webserver.

This can typically be achieved by constructing a Javascript element
appearing to be a hyperlink that actually contains elements to drop text,
such as a file name, into an HTML upload control using the dragDrop()
method. The local file name must be known in order for the attack to
succeed, however, relative paths may be used. The user must also perform
another action, such as clicking on a button, in order to trigger the file
upload.

8. PHP-Nuke Avatar HTML Injection Vulnerability
BugTraq ID: 6750
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6750
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.

A vulnerability has been reported in PHP-Nuke that may result in HTML
injection. The vulnerability occurs because PHP-Nuke does not sanitize
some user-supplied input submitted to a site when selecting 'avatar'
images. Due to this condition, a malicious user may be able to insert
malicious HTML code which will then be displayed to unsuspecting users of
PHP-Nuke forums. Any attacker-supplied code will be interpreted in a
victim user's web browser in the security context of the site hosting the
software.

It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. It is
also possible to modify or corrupt other users' avatars. Other attacks are
also possible.

This vulnerability was reported for PHP-Nuke 6.0 and earlier.

9. PAM pam_xauth Module Unintended X Session Cookie Access Vulnerability
BugTraq ID: 6753
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6753
Summary:

Pluggable Authentication Modules (PAM) is shipped with RedHat Linux 8.0
and earlier, by default. PAM comes with the pam_xauth module which can be
used in conjunction with the su utility to pass X MIT-Magic-Cookies to
newly created sessions.

A vulnerability has been discovered when the pam_xauth module is used in
conjunction with the su utility within an X session. When a user (user1)
runs the su utility to assume the identity of another user (user2),
pam_xauth will create a temporary .xauth cookie file located in the
assumed user's (user2) home directory. The file is created with read-write
permissions only for the assumed user and contains sensitive information
regarding the su-ing user's X session.

This poses a security risk when a user (user1) runs the su utility to
assume the identity of another user. The real user (user2) is able to read
the contents of the cookie file. The vulnerability lies in the fact that
the cookie file contains sensitive information pertaining to the su-ing
user's X session. This issue could be exploited by the real user (user2)
to connect to the X server with the credentials of the su-ing user (user1).

Accessing another user's X session may allow an attacker to obtain
sensitive information that is otherwise restricted. It may also grant the
ability to run commands with the privileges of the victim user.

This vulnerability could result in elevated privileges in the event that a
higher privileged user made use of the su program to log into the account
of a lower-privileged user. The lower-privileged user could exploit this
issue to gain administrative access to the local system.

It has been reported that this issue does not affect Red Hat 7.0.

10. Opera Cross Domain Scripting Vulnerability
BugTraq ID: 6754
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6754
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.

A vulnerability has been reported for Opera 7 browsers for Microsoft
Windows operating systems.

Due to flaws in Opera, it is possible for functions in different domains
to be accessed and executed by an attacker with the credentials of the
victim user. This vulnerability is also exacerbated by the fact that an
attacker may also be able to override properties and methods in other
windows to create malicious methods that can be accessed by a victim user.

Exploitation of this vulnerability will allow an attacker to obtain access
to local resources on a vulnerable system.

This issue may be similar to the ones described in BID 6184.

These vulnerabilities were reported for Opera 7 browser for Microsoft
Windows.

11. Opera JavaScript Console Attribute Injection Vulnerability
BugTraq ID: 6755
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6755
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.

A vulnerability has been reported for Opera 7 browsers for Microsoft
Windows operating systems. The vulnerability exists in Opera's JavaScript
console program. The console program consists of three HTML files, one of
which is 'console.html'. Any unhandled exceptions thrown by any JavaScript
are listed in the console and are converted into clickable links.

The vulnerability exists in the regular expressions used by 'console.html'
to format exception messages. Specifically, exception messages are not
parsed for quote characters. It is possible, by inserting quote (")
characters, to add additional attributes to URLs that may make it possible
to execute arbitrary attacker-supplied script code in the file:// protocol
context. This may lead to disclosure of local file contents to remote
attackers.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

12. Opera History Object Information Disclosure Weakness
BugTraq ID: 6757
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6757
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.

An information disclosure weakness has been reported for Opera 7 browsers
on the Microsoft Windows platform.

The weakness is due to the way the history object exposes some properties.
Specifically, the properties history.next and history.previous are
exposed.

A vulnerable user, when navigating to a malicious website, may have some
information pertaining to browser history logged by the site. This
information can be used by Web masters for, potentially, malicious
purposes.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

13. Opera Image Rendering HTML Injection Vulnerability
BugTraq ID: 6756
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6756
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux, Unix variants and Apple MacOS.

Problems with Opera could make it possible to execute arbitrary HTML code
in a vulnerable client.

It has been reported that, when generating HTML to display images or
embedded media, Opera does not correctly format the provided URL or
sufficiently encode local URLs. Specifically, URLs that use the 'file://'
protocol to access local files are not sufficiently sanitized of malicious
HTML code.

This vulnerability could allow an attacker to inject malicious HTML code
to an unsuspecting user of Opera, through a malformed link. Any code will
be executed in the security context of the local Opera User.

Successful exploitation of this vulnerability may result in the disclosure
of local file contents to remote attackers. Other attacks are possible.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

14. IBM WebSphere Exported XML Password Encoding Weakness
BugTraq ID: 6758
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6758
Summary:

IBM WebSphere is a commercial web application server which runs on a
number of platforms including Linux and Unix variants and Microsoft
Windows operating environments.

IBM WebSphere allows administrators to export configuration files to XML.
When the WebSphere configuration file is exported in this manner,
passwords are obfuscated using an easily reversible algorithm.

The algorithm used to obfuscate the password is as follows:

CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_")

where n is the position of the character.

The obfuscated password is then Base64 encoded.

If an attacker gains access to an exported XML configuration file, it is a
trivial task to decode the password.
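The encoding described above, reproduced as an added Python example (not IBM's code; treating the password as UTF-8 bytes and using standard Base64 are assumptions on top of the page's description) to show why an exported file must be handled as if it held cleartext passwords:

```python
import base64

# Fixed, public XOR key named on the page: every password character is XORed with "_".
WEBSPHERE_XOR_KEY = ord("_")


def websphere_obfuscate(password: str) -> str:
    """Reproduce the export-time encoding described in BID 6758:
    XOR each character with '_' and then Base64-encode the result.
    (UTF-8 byte handling is an assumption; the page speaks of characters.)"""
    xored = bytes(b ^ WEBSPHERE_XOR_KEY for b in password.encode("utf-8"))
    return base64.b64encode(xored).decode("ascii")


def websphere_deobfuscate(encoded: str) -> str:
    """Reverse the encoding. XOR is its own inverse and the key is a constant,
    so no secret is needed: this is encoding, not encryption."""
    xored = base64.b64decode(encoded, validate=True)
    return bytes(b ^ WEBSPHERE_XOR_KEY for b in xored).decode("utf-8")


def round_trips(password: str) -> bool:
    """Round-trip check: the value survives encode/decode unchanged,
    which is exactly what makes an exported configuration a sensitive file."""
    return websphere_deobfuscate(websphere_obfuscate(password)) == password


if __name__ == "__main__":
    sample = "s3cret!"  # constructed sample password, not from any real export
    print(websphere_obfuscate(sample))
    print(websphere_deobfuscate(websphere_obfuscate(sample)))
```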

To exploit this weakness, an administrator must first export the
configuration to XML and then the attacker may gain unauthorized access to
the exported file.

The WebSphere documentation states that exported configurations will
contain encoded (and not encrypted) passwords. Administrators should be
cautious when exporting configuration files.

This issue was reported in IBM WebSphere Advanced Server Edition 4.0.4.
It is not known if the same encoding is used in other versions. Though
the core weakness is that passwords are encoded and may be easier to
reverse than if encrypted using a strong algorithm, so all current
versions should be considered prone to this weakness to some degree.

15. Majordomo Default Configuration Remote List Subscriber Disclosure Vulnerability
BugTraq ID: 6761
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6761
Summary:

Majordomo is a freely available, open source mailing list management
software package. It is available for Unix, Linux, and Microsoft Windows
platforms.

A problem with Majordomo may allow remote users to gain access to
sensitive information.

It has been reported that Majordomo does not sufficiently guard list
subscriber information. By sending specific commands to a default
implementation, a remote user may be able to gain access to the list of
mailing list subscribers. This issue is documented in the Majordomo
documentation.

The problem is in the default configuration of the mailing list manager.
The software does not place sufficient access controls on the ability of
users to execute the which command. By sending the command "which @",
remote users may be able to list the entire member base of the list,
resulting in a loss of privacy.

It should be noted that in the Majordomo 2 branch, this vulnerability is
limited to gaining access to one address per submission per list.

16. Opera Error Message History Disclosure Weakness
BugTraq ID: 6759
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6759
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux, Unix variants and Apple MacOS.

The Opera console is used to keep track of any JavaScript error messages
that may have occurred when browsing a Web site.

It has been reported that Opera fails to ensure that a remote site has
proper authorization before executing some methods used to access error
messages stored in the Opera console. Specifically, Opera does not
validate any requests for the opera.errorIndex() and opera.errorMessage(i)
methods.

This issue is further exacerbated by the fact that error messages also
contain the URL of the site that caused the issue. This can be exploited
by a malicious attacker to obtain a listing of the victim user's Web
browsing habits for, potentially, malicious purposes.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

17. Linux O_DIRECT Direct Input/Output Information Leak Vulnerability
BugTraq ID: 6763
Remote: No
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6763
Summary:

The Linux Kernel is the core of the Linux operating system. It is
distributed by various Linux distributions.

A problem with the O_DIRECT flag could make it possible for local users to
gain access to potentially sensitive information.

It has been reported that some Linux Kernels do not properly handle
O_DIRECT, which is used for direct input and output. Any user with system
write privileges may be able to read limited information from other files.

This problem could allow a local user to read limited data from current
files, and may be able to read data from previously deleted files. The
ability of an attacker to exploit this issue at will is not known.
Additionally, exploitation could result in minor corruption of the file
system, which would require repair with the fsck utility.

It should be noted that this vulnerability can not be exploited on systems
using a vulnerable kernel and the EXT3 file system.

18. ByteCatcher FTP Client Long Server Banner Buffer Overflow Vulnerability
BugTraq ID: 6762
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6762
Summary:

Save-It Software's ByteCatcher is an FTP client for Microsoft Windows that
lets you resume downloads.

It has been reported that a memory corruption bug exists in ByteCatcher
FTP client. Under some circumstances, when the client connects to a
malicious FTP server, it may be possible for the server to trigger a
boundary condition error.

This issue is due to insufficient bounds checking of FTP banners. When the
FTP client receives an FTP banner that contains an excessive amount of
data it becomes unstable. It has been reported that this vulnerability can
be reproduced by sending an FTP banner of 4096 bytes or more to a
vulnerable client, which may cause sensitive regions of memory to be
corrupted with attacker-supplied values.

It is possible that this vulnerability is an exploitable buffer overflow,
and could result in the execution of attacker-supplied code. Any code
executed would be in the security context of the FTP client process.

19. Electrasoft 32Bit FTP Client Long Server Banner Buffer Overflow Vulnerability
BugTraq ID: 6764
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6764
Summary:

Electrasoft 32Bit FTP is a lightweight FTP client application for
Microsoft Windows.

This issue is due to insufficient bounds checking of FTP banners. When the
FTP client receives an FTP banner that contains an excessive amount of
data it becomes unstable. It has been reported that this vulnerability can
be reproduced by sending an FTP banner of 4096 bytes or more to a
vulnerable client, which may cause sensitive regions of memory to be
corrupted with attacker-supplied values.

It is possible that this vulnerability is an exploitable buffer overflow,
and could result in the execution of attacker-supplied code. Any code
executed would be in the security context of the FTP client process.

20. Microsoft Windows 2000 NetBIOS Continuation Packets Kernel Memory Leak Vulnerability
BugTraq ID: 6766
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6766
Summary:

Microsoft Windows 2000 is reported to be prone to a denial of service when
handling NetBIOS continuation packets.

NetBIOS continuation packets are normally generated when an SMB message is
split across a number of packets. Under some circumstances, when these
packets are handled by the server, a kernel memory leak will occur.

This may result in a failure to service SMB requests, which will cause a
denial of service.

21. Microsoft Windows 2000 RPC Service Privilege Escalation Vulnerability
BugTraq ID: 6769
Remote: No
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6769
Summary:

Microsoft Windows 2000 uses Remote Procedure Calls (RPC) for client-server
communications in a distributed computing environment (DCE). TCP Port 135
is typically used for DCE endpoint resolution.

A vulnerability was previously reported which causes a denial of service
against the DCE-RPC endpoint mapper (BID 6005). If a system service
crashes as a result of this denial of service, there is a possibility that
it will orphan a named pipe.

This named pipe could then be hijacked by a malicious user in order to
escalate their privilege level on the system when a privileged process
attempts to connect to the orphaned pipe. This could result in a complete
system level compromise.

22. Epic Games Unreal Engine Memory Consumption Denial Of Service Vulnerability
BugTraq ID: 6770
Remote: Yes
Date Published: Feb 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6770
Summary:

Epic Games' Unreal Engine is a 3D game engine used by Unreal and many
other games.

A memory exhaustion vulnerability has been reported for several games
using some versions of the Unreal Engine.

The Unreal Engine includes a facility to provide networked gaming to its
users and uses a method known as 'Compact Indices' in an attempt to save
some network bandwidth. Unreal Engine allocates memory based on the index
value included in client-supplied packets. Due to inconsistent
interpretation of integers, it is possible for attackers to cause the
server to allocate large amounts of memory by sending a packet with a
negative index value.

This likely occurs due to maximum index checks being performed on the
index value as a signed integer.

There are currently no fixes available.
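As an added Python example (not Epic's code), here is the signed-check mistake described above beside a corrected check; it assumes a plain little-endian 32-bit index field and constructed size constants rather than the engine's actual Compact Index encoding:

```python
import struct

# Constructed limits for the illustration; the engine's real values are not on the page.
MAX_INDEX = 4096
ELEMENT_SIZE = 64  # constructed: bytes allocated per index slot


def make_index_packet(value: int) -> bytes:
    """Constructed client packet: just a little-endian signed 32-bit index."""
    return struct.pack("<i", value)


def vulnerable_allocation_size(packet: bytes) -> int:
    """Models the flaw in BID 6770: the maximum-index check is done on the
    value as a *signed* integer, so a negative index passes `index > MAX_INDEX`,
    but the allocation then treats the same bytes as an unsigned size.
    Returns the bytes that would be requested, or 0 if the packet is rejected."""
    (signed_index,) = struct.unpack("<i", packet[:4])
    if signed_index > MAX_INDEX:      # only the upper bound is checked
        return 0
    # Same four bytes, reinterpreted as unsigned when sizing the allocation
    # (this double unpack stands in for an int-to-size_t conversion in C).
    (unsigned_index,) = struct.unpack("<I", packet[:4])
    return unsigned_index * ELEMENT_SIZE


def hardened_allocation_size(packet: bytes) -> int:
    """Corrected check: interpret the field once, as unsigned, and reject
    anything above MAX_INDEX before it can size an allocation. A negative
    signed value becomes a huge unsigned one and is refused."""
    (index,) = struct.unpack("<I", packet[:4])
    if index > MAX_INDEX:
        return 0
    return index * ELEMENT_SIZE


if __name__ == "__main__":
    for value in (10, 5000, -1):
        pkt = make_index_packet(value)
        print(value, vulnerable_allocation_size(pkt), hardened_allocation_size(pkt))
```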


III. SECURITYFOCUS NEWS AND COMMENTARY
--------------------------------------
1. Student charged with massive ID fraud
By John Leyden, The Register

A former student has been charged with installing secret keystroke
monitoring software on "dozens of computers" on the Boston College campus
to harvest personal data on thousands of University computer users.

http://online.securityfocus.com/news/2283

2. Spyware found on one in three corporate networks
By John Leyden, The Register

One in three European companies are harbouring spyware apps on their
networks, a new study claims.

http://online.securityfocus.com/news/2282

3. Discarded computer had confidential medical information
By Charles Wolfe, The Associated Press

A state computer put up for sale as surplus contained confidential files
naming thousands of people with AIDS and other sexually transmitted
diseases, the state auditor said Thursday.

http://online.securityfocus.com/news/2274

4. Slammer: Why security benefits from proof of concept code
By John Leyden, The Register

The UK security expert who discovered the flaw which was exploited by the
Slammer worm has concluded it does more good than harm to publish proof of
concept code.

http://online.securityfocus.com/news/2268


IV. SECURITY FOCUS TOP 6 TOOLS
------------------------------
1. Login Anomaly Detection System v0.1
by Fred
Relevant URL:
http://www.lepied.com/lads/
Platforms: Python
Summary:

The Login Anomaly Detection System (LADS) detects anomalies in logins and
logouts and is able to perform various actions in response.

2. WatchLog v0.1b
by Brian Shellabarger
Relevant URL:
http://www.glug.com/projects/WatchLog/
Platforms: Linux, POSIX, UNIX
Summary:

WatchLog is a Perl program designed to give users a better real-time view
of their Web traffic. Simply running 'tail -f' on the server log file
often yields confusing results, since a single hit can produce a burst of
scrolling lines. WatchLog attempts to present the same information in a
clean, formatted, real-time view of the activity on a Web site by watching
the log file and presenting only the relevant data.

3. FieryFilter v0.3
by Mezcalero
Relevant URL:
http://www.stud.uni-hamburg.de/users/lennart/projects/fieryfilter/
Platforms: Linux
Summary:

FieryFilter is an interactive desktop firewall for Linux. It will ask the
user every time a new network connection is made if they want to allow or
deny it. The user is able to generate rules from connections and thus
minimize the amount of questions asked.

4. apachelogrotate.pl v0.1.2
by Hatto von Hatzfeld
Relevant URL:
http://www.salesianer.de/util/apachelog.html
Platforms: Linux, UNIX
Summary:

apachelogrotate.pl rotates and packs the logfiles of the Apache Web server
on a Linux system without interrupting its service and without the need
for a permanent change in the Web server configuration. Assuming that
Apache is running, it will identify the log files which have to be rotated
without any configuration, making it easy to install. By default, logfiles
with more than 10 MB are rotated, but this parameter may be changed and/or
a daily, monthly, or yearly rotation period can be configured.
Documentation is included in the script itself.

5. GkrellMMS v2.1.8
by Sjoerd Simons sjo-@luon.net
Relevant URL:
http://gkrellm.luon.net/gkrellmms.phtml
Platforms: Linux, POSIX
Summary:

GkrellMMS is a plugin for controlling XMMS from within GKrellM.

6. Logdog v2.0-RC2
by Brandon Zehm
Relevant URL:
http://caspian.dotconf.net/menu/Software/LogDog/
Platforms: Linux
Summary:

LogDog monitors messages passing through syslogd and takes actions based
on key words and phrases (which can be regular expressions). It has a
configuration file which allows you to specify a list of key words or
phrases to alert on and a list of commands that can be run when those
words are encountered.


V. SECURITY JOBS SUMMARY
------------------------
1. Employment Opportunities with @stake (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310848

2. How picky should a security person be in today's economy? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310847

3. Security and Compliance Paralegal (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310575

4. Information Control & Compliance Manager (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310561

5. Internet Investigator (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310562

6. Network Exploitation Analyst (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310543

7. Database Management Specialist (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310532

8. Sr. Account Manager - Inside Sales (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310495

9. Sr. IA Functional Analyssts - Northern VA/DC (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310455

10. Product Sales Professionals (Inside Sales) - Amherst, NY (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310238

11. Senior Account Executives - Amherst, NY (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310233

12. IL-Windows Security Specialist (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310206

13. Senior Project Consultant -Information Security - OH - $80k (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310155

14. Sydney Opportunities (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310099

15. Looking for a Pre/Post Sales position based out of Kentucky ....willing to travel. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/310017

16. ezmlm warning (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/309855

17. Wanted Immediately - Sr. Software Engineer (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/309967

18. Vulnerability Analyst - looking for work (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/309697

19. Resume: Web Security Specialist (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/309658

20. Security Consultant seeking employment in Toronto, Canada (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/309657

21. Need -- Design Engineers -- secure battlefield wireless communications systems (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/309685

22. Seeing a Security Architect in Los Angeles (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/309648

23. Symantec in Redwood City needs a security focused Architect (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/309624


VI. INCIDENTS LIST SUMMARY
-------------------------
1. Netbios Name Scans/opaserv worm (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/310829

2. ALEVRIUS! (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/310828

3. email address probes (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/310813

4. Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/310520

5. Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/310497

6. FTP/Port 1038 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/310215

7. DoS Attacks, Detecting the Source, and Service Providers (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/310240

8. Speedera Ping, was "Packets from 255.255.255.255(80), etc." (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/310185

9. Packet from port 80 with spoofed microsoft.com ip (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/310157

10. More /sumthin, maybe (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/309924

11. Packets from 255.255.255.255(80) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/309930

12. Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/309945

13. /sumthin Revisited (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/309841

14. klez variant?? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/309844

15. The Spread of the Sapphire/Slammer Worm (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/309839

16. ZOMBIES_HTTP_GET (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/309840

17. Fwd: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/309837

18. MSDE contained in... (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/309690


VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. Fw: f-prot antivirus useless buffer overflow (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/310797

2. Re[2]: Windows reverse Shell (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/310429

3. Windows reverse Shell (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/310418

4. Possible DOS against search engines? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/310422

5. slocate vulnerability (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/309861

6. locator exploit (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/309778

7. bash 2.05.0(1)-release/it.map.gz Slackware 8.0 default and Debian VU#438955 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/309702


VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. L0phtCrack and Windows 2000 LM Hashes (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/310827

2. Customising user rights on win2k Pro (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/310826

3. Unknown Windows Process (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/310818

4. Unknown Windows 2000 files? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/310741

5. Secure Ldap call not working due to IUSR/IWAM permissions? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/310763

6. Dynamic Entries in IP Routing Table (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/310213

7. SecurityFocus Microsoft Newsletter #123 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/310002

8. IIS Security using Integrated Windows Authentication (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/310013


IX. SUN FOCUS LIST SUMMARY
----------------------------
1. ezmlm warning (Thread)
Relevant URL:

http://online.securityfocus.com/archive/92/309885

2. LDAP replacing NIS...? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/92/309644


X. LINUX FOCUS LIST SUMMARY
---------------------------
1. openSSL Key generation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/310734

2. ezmlm warning (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/309947

3. Perl administration for Linux fileserver (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/310764

4. Secure Web-Based Administration (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/310014

5. NIS with local root (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/309750


XI. SPONSOR INFORMATION
-----------------------
This Issue sponsored by: NetIQ

Security Webcast Featuring Kevin Mitnick

Do you need cost-effective methods to create and implement information
security policies to gain control of your enterprises? Join former hacker
turned consultant Kevin Mitnick for NetIQ's free webcast-"People &
Policies: Turning Your Weakest Security Link into a First Line of
Defense."

Register now at:
http://www.netiq.com/f/form/form.asp?id=1696&origin=NSSecFocusCorpNL021103
-------------------------------------------------------------------------------

***********************************************************************
************************** End of Doc #3 ******************************
***********************************************************************


===============================================================================

4.) SecurityFocus Linux Newsletter #118

===============================================================================
SecurityFocus Linux Newsletter #118
-----------------------------------

This Issue is Sponsored by: BlackHat

Spooked about Windows security? Getting "slammed" hard by worms? Find
all of the solutions at Black Hat Windows Security Briefings & Training,
February 24-27 in Seattle, the world's premier technical event for Windows
security experts. All of the top experts you've read about recently are
speaking. Fully supported by Microsoft, with new MS hosted training
sessions just added!

Visit www.blackhat.com to register.
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. SunScreen, Part Two: Policies, Rules, and NAT
     2. The Great IDS Debate : Signature Analysis Versus Protocol Analysis
     3. Smallpot: Tracking the Slapper and Scalper Unix Worms
     4. Lessons From the Slammer
     5. Something Needs to Change
     6. SecurityFocus DPP Program
     7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
     1. Macromedia ColdFusion MX Windows User File Authorization...
     3. Bladeenc Signed Integer Memory Corruption Vulnerability
     4. PHP-Nuke Avatar HTML Injection Vulnerability
     5. Opera JavaScript Console Attribute Injection Vulnerability
     8. Majordomo Default Configuration Remote List Subscriber...
     9. SpamProbe Remote Denial of Service Vulnerability
     10. PAM pam_xauth Module Unintended X Session Cookie Access...
     11. Opera History Object Information Disclosure Weakness
     12. Opera Cross Domain Scripting Vulnerability
     13. Opera Image Rendering HTML Injection Vulnerability
     14. Linux O_DIRECT Direct Input/Output Information Leak Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. openSSL Key generation (Thread)
     2. ezmlm warning (Thread)
     3. Perl administration for Linux fileserver (Thread)
     4. Secure Web-Based Administration (Thread)
     5. NIS with local root (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORM
     1. Firebox II FastVPN
     2. PENS
     3. hp secure OS software for Linux
V. NEW TOOLS FOR LINUX PLATFORMS
     1. WatchLog v0.1b
     2. FieryFilter v0.3
     3. apachelogrotate.pl v0.1.2
VI. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. SunScreen, Part Two: Policies, Rules, and NAT
By Ido Dubrawsky

This is the second of a two-part series looking at SunScreen, Sun
Microsystems' firewall product, which provides a variety of features that
allow system and network administrators to secure their networks as well
as provide remote access capabilities. This article covers some of the
rudimentary facilities in SunScreen, such as adding and removing rules,
setting up a remote management station, and network address translation.

http://online.securityfocus.com/infocus/1664

2. The Great IDS Debate : Signature Analysis Versus Protocol Analysis
by Matt Tanase

Intrusion detection systems (IDS) have rapidly become a crucial component
of any network defense strategy. Over the past few years, their popularity
has soared as vendors have refined their results and increased performance
capabilities. At the heart of intrusion detection systems lies the
analysis engine. It reviews each packet, determines if it is malicious,
and logs an alert if necessary – the core tasks of an IDS. Two different
IDS techniques, each favored by separate and loyal camps, have emerged as
the preferred engine behind the software. Despite the copious marketing
material and fiery online debates, each method has distinct strengths and
weaknesses. In this article, we'll examine and compare the two different
techniques: signature analysis and protocol analysis.

http://online.securityfocus.com/infocus/1663

3. Smallpot: Tracking the Slapper and Scalper Unix Worms
by Costin Raiu

Fueled by the old myth that "you can't get a virus in Unix" and by the
increasing popularity of Linux and FreeBSD, Unix viruses passed an
important milestone in 2001 and continued by receiving even more attention
during 2002.

http://online.securityfocus.com/infocus/1662

4. Lessons From the Slammer
By Richard Forno

January's Slammer infection held valuable lessons for all security
stakeholders.

http://online.securityfocus.com/columnists/140

5. Something Needs to Change
By Tim Mullen

That's all there was to "Slammer," 376 bytes. When you think about it,
it's amazing that a piece of code could have wreaked such havoc on the
Internet and caused such widespread system failure -- at about the size of
two paragraphs of this column.

http://online.securityfocus.com/columnists/139

6. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today’s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html


II. BUGTRAQ SUMMARY
-------------------
1. Macromedia ColdFusion MX Windows User File Authorization Vulnerability
BugTraq ID: 6737
Remote: Yes
Date Published: Jan 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6737
Summary:

ColdFusion MX Enterprise Edition is the application server for developing
and hosting infrastructure distributed by Macromedia. It is available as a
standalone product for Unix, Linux, and Microsoft Operating Systems.

When ColdFusion MX is used in conjunction with Microsoft IIS, Windows NT
authentication, and NTFS file permissions, it may be possible for a user
to access files and templates they do not have permission to access.

This is due to a configuration error. IIS is not configured by default to
determine if files associated with ColdFusion MX are accessible or not by
the authenticated user. Consequently, user supplied file names are passed
directly to ColdFusion MX which apparently does not check NTFS permissions
against the user itself.

2. eL DAPo Authentication Information Disclosure Weakness
BugTraq ID: 6735
Remote: Yes
Date Published: Jan 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6735
Summary:

eL DAPo is a Web application for managing and querying LDAP servers
implemented in PHP. It is available for a variety of platforms including
Linux and Unix variant operating systems.

An information disclosure weakness has been reported for eL DAPo. The
issue exists in the login.php script used by eL DAPo. Specifically, when
sending authentication information to query LDAP servers, any information
submitted may be visible in URI parameters.

It is possible to exploit this weakness to obtain authentication
credentials of unsuspecting users.

This vulnerability was reported for eL DAPo 1.13 and earlier.

3. Bladeenc Signed Integer Memory Corruption Vulnerability
BugTraq ID: 6745
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6745
Summary:

Bladeenc is an open-source MP3 encoder and is available for a variety of
platforms including Microsoft Windows and Linux and Unix variant operating
systems.

A memory corruption vulnerability has been reported for Bladeenc. Bladeenc
encodes WAV files in 'chunks' of data. The vulnerability exists when
Bladeenc is seeking a WAV file chunk. Specifically, in the function
__myfseek() in the samplein.c source file, an integer value is not
properly verified. When this function is given a negative value, it will
result in the corruption of sensitive areas of memory with
attacker-supplied values.

An attacker can exploit this vulnerability by creating a malicious WAV
file with carefully crafted headers that will cause Bladeenc to execute
malicious attacker-supplied code.

This vulnerability was reported for Bladeenc 0.94.2 and earlier.
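
The defect class described above, as an added example that is not Bladeenc's code: a small RIFF/WAV chunk walker in Python that shows how a chunk size field with its top bit set reads as a negative offset once it is stored in a signed integer, and how a reader that keeps the field unsigned and checks it against the bytes that actually remain rejects the file instead of seeking outside the buffer. Both WAV images are constructed inline; the function names are this example's own and do not correspond to anything in samplein.c.

```python
"""Added example (not Bladeenc's code): walk the chunks of a WAV file,
treating the 32-bit size field the way a hardened reader should."""
import struct

# Constructed sample files for this example; not from any real Bladeenc test case.
def _wav(chunks):
    """Assemble a RIFF/WAVE image from (chunk_id, size_field, payload) triples.
    size_field is written verbatim so a lying header can be built on purpose."""
    body = b"WAVE"
    for cid, size_field, payload in chunks:
        body += cid + struct.pack("<I", size_field) + payload
    return b"RIFF" + struct.pack("<I", len(body)) + body

FMT_PAYLOAD = struct.pack("<HHIIHH", 1, 1, 44100, 88200, 2, 16)  # PCM, mono, 16-bit
GOOD_WAV = _wav([(b"fmt ", 16, FMT_PAYLOAD),
                 (b"data", 4, b"\x00\x01\x02\x03")])
# Identical, except the data chunk's size field has its top bit set.
BAD_WAV = _wav([(b"fmt ", 16, FMT_PAYLOAD),
                (b"data", 0xFFFFFFF0, b"\x00\x01\x02\x03")])

def size_as_signed(size_field):
    """What a reader that stores the 32-bit size in a signed int sees:
    0xFFFFFFF0 becomes -16, and a seek by that value moves backwards."""
    return struct.unpack("<i", size_field)[0]

def parse_wav(data):
    """Return [(chunk_id, payload_length), ...] or raise ValueError.
    Every chunk length is read unsigned and compared with the bytes still
    present before the parser advances, so neither a huge nor a 'negative'
    size can move the read position outside the buffer."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack("<I", data[4:8])[0]
    if riff_size + 8 > len(data):
        raise ValueError("RIFF size field exceeds file length")
    end = 8 + riff_size
    pos = 12
    chunks = []
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated chunk header at offset %d" % pos)
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]   # unsigned, never signed
        payload_start = pos + 8
        if size > end - payload_start:
            raise ValueError("chunk %r claims %d bytes, only %d remain"
                             % (cid, size, end - payload_start))
        chunks.append((cid.decode("ascii", "replace"), size))
        pos = payload_start + size + (size & 1)               # RIFF pads odd sizes
    return chunks

def is_well_formed(data):
    """True when every chunk size fits inside the file."""
    try:
        parse_wav(data)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(parse_wav(GOOD_WAV))
    print("data chunk size as signed int:", size_as_signed(BAD_WAV[40:44]))
    print("BAD_WAV accepted:", is_well_formed(BAD_WAV))
```

The same two rules carry over to a C reader: hold the size in a uint32_t rather than an int or long, and compare it with the remaining length before any fseek() or fread() that uses it.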

4. PHP-Nuke Avatar HTML Injection Vulnerability
BugTraq ID: 6750
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6750
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.

A vulnerability has been reported in PHP-Nuke that may result in HTML
injection. The vulnerability occurs because PHP-Nuke does not sanitize
some user-supplied input submitted to a site when selecting 'avatar'
images. Due to this condition, a malicious user may be able to insert
malicious HTML code which will then be displayed to unsuspecting users of
PHP-Nuke forums. Any attacker-supplied code will be interpreted in a
victim user's web browser in the security context of the site hosting the
software.

It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. It is
also possible to modify or corrupt other user's Avatars. Other attacks are
also possible.

This vulnerability was reported for PHP-Nuke 6.0 and earlier.

5. Opera JavaScript Console Attribute Injection Vulnerability
BugTraq ID: 6755
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6755
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.

A vulnerability has been reported for Opera 7 browsers for Microsoft
Windows operating systems. The vulnerability exists in Opera's JavaScript
console program. The console program consists of three HTML files, one of
which is 'console.html'. Any unhandled exceptions thrown by any JavaScript
are listed in the console and are converted into clickable links.

The vulnerability exists in the regular expressions used by 'console.html'
to format exception messages. Specifically, exception messages are not
parsed for quote characters. It is possible, by inserting quote (")
characters, to add additional attributes to URLs that may make it possible
to execute arbitrary attacker-supplied script code in the file:// protocol
context. This may lead to disclosure of local file contents to remote
attackers.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

6. IBM WebSphere Exported XML Password Encoding Weakness
BugTraq ID: 6758
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6758
Summary:

IBM WebSphere is a commercial web application server which runs on a
number of platforms including Linux and Unix variants and Microsoft
Windows operating environments.

IBM WebSphere allows administrators to export configuration files to XML.
When the WebSphere configuration file is exported in this manner,
passwords are obfuscated using an easily reversible algorithm.

The algorithm used to obfuscate the password is as follows:

CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_")

where n is the position of the character.

The obfuscated password is then Base64 encoded.

If an attacker gains access to an exported XML configuration file, it is a
trivial task to decode the password.

To exploit this weakness, an administrator must first export the
configuration to XML and then the attacker may gain unauthorized access to
the exported file.

The WebSphere documentation states that exported configurations will
contain encoded (and not encrypted) passwords. Administrators should be
cautious when exporting configuration files.

This issue was reported in IBM WebSphere Advanced Server Edition 4.0.4.
It is not known if the same encoding is used in other versions. Though
the core weakness is that passwords are encoded and may be easier to
reverse than if encrypted using a strong algorithm, so all current
versions should be considered prone to this weakness to some degree.
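
The encoding described above, as an added example that is not IBM's code: a Python encoder and decoder for the XOR-with-'_' then Base64 scheme the advisory gives, plus a scan over an exported file. The XML fragment is constructed, and its element and attribute names are assumptions for illustration rather than WebSphere's real schema; only the transformation itself comes from the advisory.

```python
"""Added example (not IBM's code): reverse the XOR-with-'_' plus Base64
encoding the advisory describes, and scan an exported XML fragment for it."""
import base64
import re

XOR_KEY = ord("_")   # 0x5F, the constant the advisory gives

def xor_encode(password):
    """Encode as the advisory describes: XOR each byte with '_', then Base64."""
    raw = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return base64.b64encode(raw).decode("ascii")

def xor_decode(encoded):
    """Recover the clear text: Base64-decode, then XOR each byte with '_'.
    XOR with a constant is its own inverse, so no key material is needed."""
    raw = base64.b64decode(encoded)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8", "replace")

# Constructed exported-configuration fragment. Element and attribute names are
# assumptions for illustration, not WebSphere's schema; the values are
# xor_encode("password") and xor_encode("secret").
SAMPLE_XML = """<resources>
  <dataSource name="db1" userId="appuser" password="Lz4sLCgwLTs="/>
  <mailSession name="smtp" userId="relay" password="LDo8LTor"/>
</resources>
"""

_PASSWORD_ATTR = re.compile(r'password="([A-Za-z0-9+/=]+)"')

def recover_passwords(xml_text):
    """Return (encoded, clear_text) for every password attribute in the text."""
    return [(enc, xor_decode(enc)) for enc in _PASSWORD_ATTR.findall(xml_text)]

if __name__ == "__main__":
    for encoded, clear in recover_passwords(SAMPLE_XML):
        print("%-16s -> %s" % (encoded, clear))
```

Because the decoder needs nothing but the constant, an exported file carries its passwords in the clear for any practical purpose; handle such exports as you would a password file, and rotate any credential whose export may have been read.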

7. Opera Error Message History Disclosure Weakness
BugTraq ID: 6759
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6759
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux, Unix variants and Apple MacOS.

The Opera console is used to keep track of any JavaScript error messages
that may have occurred when browsing a Web site.

It has been reported that Opera fails to ensure that a remote site has
proper authorization before executing some methods used to access error
messages stored in the Opera console. Specifically, Opera does not
validate any requests for the opera.errorIndex() and opera.errorMessage(i)
methods.

This issue is further exacerbated by the fact that error messages also
contain the URL of the site that caused the issue. This can be exploited
by a malicious attacker to obtain a listing of the victim user's Web
browsing habits for, potentially, malicious purposes.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

8. Majordomo Default Configuration Remote List Subscriber Disclosure Vulnerability
BugTraq ID: 6761
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6761
Summary:

Majordomo is a freely available, open source mailing list management
software package. It is available for Unix, Linux, and Microsoft Windows
platforms.

A problem with Majordomo may allow remote users to gain access to
sensitive information.

It has been reported that Majordomo does not sufficiently guard list
subscriber information. By sending specific commands to a default
implementation, a remote user may be able to gain access to the list of
mailing list subscribers. This issue is documented in the Majordomo
documentation.

The problem is in the default configuration of the mailing list manager.
The software does not place sufficient access controls on the ability of
users to execute the which command. By sending the command "which @",
remote users may be able to list the entire member base of the list,
resulting in a loss of privacy.

It should be noted that in the Majordomo 2 branch, this vulnerability is
limited to gaining access to one address per submission per list.

9. SpamProbe Remote Denial of Service Vulnerability
BugTraq ID: 6739
Remote: Yes
Date Published: Jan 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6739
Summary:

SpamProbe is a spam detection program that uses a Bayesian analysis of the
frequencies of terms used in the email. It is available for the Linux
operating system.

A denial of service vulnerability exists in SpamProbe. The problem occurs
in a regular expression used by the removeHTMLFromText() function, which
is located in MessageFactory.cc.

When SpamProbe attempts to parse HTML located in an email, an issue may
occur on some operating systems which could cause SpamProbe to crash. The
problem reportedly occurs when attempting to parse newline characters (\n)
located within HTML anchor (href) tags.

This issue could be exploited by an attacker to disable a victim's spam
filter. Any subsequent unsolicited email messages sent to the victim would
be successfully delivered.

This condition has been reported to occur on RedHat 8.0. It is not yet
known whether SpamProbe is prone to this issue when running on other
distributions or operating systems.

10. PAM pam_xauth Module Unintended X Session Cookie Access Vulnerability
BugTraq ID: 6753
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6753
Summary:

Pluggable Authentication Modules (PAM) is shipped with RedHat Linux 8.0
and earlier, by default. PAM comes with the pam_xauth module which can be
used in conjunction with the su utility to pass X MIT-Magic-Cookies to
newly created sessions.

A vulnerability has been discovered when the pam_xauth module is used in
conjunction with the su utility within an X session. When a user (user1)
runs the su utility to assume the identity of another user (user2),
pam_xauth will create a temporary .xauth cookie file located in the
assumed user's (user2) home directory. The file is created with read-write
permissions for the assumed user only and contains sensitive information
regarding the suing user's (user1) X session.

This poses a security risk when a user (user1) runs the su utility to
assume the identity of another user. The assumed user (user2) is able to
read the contents of the cookie file. The vulnerability lies in the fact
that the cookie file contains sensitive information pertaining to the suing
user's X session. This issue could be exploited by the assumed user (user2)
to connect to the X server with the credentials of the suing user (user1).

Accessing another user's X session may allow an attacker to obtain
sensitive information otherwise restricted. It may also grant the ability
to run commands with the privileges of the victim user.

This vulnerability could result in elevated privileges in the event that a
higher privileged user made use of the su program to log into the account
of a lower-privileged user. The lower-privileged user could exploit this
issue to gain administrative access to the local system.

It has been reported that this issue does not affect RedHat 7.0.

11. Opera History Object Information Disclosure Weakness
BugTraq ID: 6757
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6757
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.

An information disclosure weakness has been reported for Opera 7 browsers
on the Microsoft Windows platform.

The weakness is due to the way the history object exposes some properties.
Specifically, the properties history.next and history.previous are
exposed.

A vulnerable user, when navigating to a malicious website, may have some
information pertaining to browser history logged by the site. This
information can be used by Web masters for, potentially, malicious
purposes.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.

12. Opera Cross Domain Scripting Vulnerability
BugTraq ID: 6754
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6754
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.

A vulnerability has been reported for Opera 7 browsers for Microsoft
Windows operating systems.

Due to flaws in Opera, it is possible for functions in different domains
to be accessed and executed by an attacker with the credentials of the
victim user. This vulnerability is also exacerbated by the fact that an
attacker may also be able to override properties and methods in other
windows to create malicious methods that can be accessed by a victim user.

Exploitation of this vulnerability will allow an attacker to obtain access
to local resources on a vulnerable system.

This issue may be similar to the ones described in BID 6184.

These vulnerabilities were reported for Opera 7 browser for Microsoft
Windows.

13. Opera Image Rendering HTML Injection Vulnerability
BugTraq ID: 6756
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6756
Summary:

Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux, Unix variants and Apple MacOS.

Problems with Opera could make it possible to execute arbitrary HTML code
in a vulnerable client.

It has been reported that, when generating HTML to display images or
embedded media, Opera does not correctly format the provided URL or
sufficiently encode local URLs. Specifically, URLs that use the 'file://'
protocol to access local files are not sufficiently sanitized of malicious
HTML code.

This vulnerability could allow an attacker to inject malicious HTML code
to an unsuspecting user of Opera, through a malformed link. Any code will
be executed in the security context of the local Opera User.

Successful exploitation of this vulnerability may result in the disclosure
of local file contents to remote attackers. Other attacks are possible.

This vulnerability was reported for Opera 7 browser for Microsoft Windows.
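
The two Opera markup-generation flaws above (item 5, the quote that escapes a console link's attribute, BID 6755, and item 13, the file:// URL that carries raw HTML into generated image markup, BID 6756) share one root cause: a string interpolated into HTML without escaping. The following added example, which is not Opera's code, shows the unsafe link builder beside the escaped one in Python, and uses the standard library's HTML parser to show what a browser would see in each case. The hostile inputs are constructed; the function names are this example's own.

```python
"""Added example (not Opera's code): the unsafe way to turn a message or URL
into a clickable link, beside the escaped version, checked with a parser."""
import html
from html.parser import HTMLParser

def build_link_unsafe(url, label):
    """Interpolate straight into markup: a quote in url closes the href
    attribute, a '<' in label opens a new tag."""
    return '<a href="%s">%s</a>' % (url, label)

def build_link_safe(url, label):
    """Escape both values; quote=True also turns \" and ' into entities,
    so the value can never terminate the attribute it sits in."""
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(label, quote=True))

class _TagCollector(HTMLParser):
    """Records every start tag and its attributes as a browser would see them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(markup):
    """Return [(tag_name, {attribute: value}), ...] for the given markup."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

# Constructed hostile inputs in the spirit of the two reports: an exception
# message carrying a quote, and a file:// URL carrying a tag.
HOSTILE_MESSAGE = 'x" onclick="alert(document.cookie)'
HOSTILE_FILE_URL = 'file:///C:/<img src=x onerror=alert(1)>'

if __name__ == "__main__":
    for builder in (build_link_unsafe, build_link_safe):
        print(builder.__name__)
        print("  ", parse_tags(builder(HOSTILE_MESSAGE, "error")))
        print("  ", parse_tags(builder(HOSTILE_FILE_URL, HOSTILE_FILE_URL)))
```

With the unsafe builder the parser reports a second attribute, onclick, on the link and a second tag, img, after it; with the escaped builder it reports a single anchor whose href is exactly the input string. Escaping at the point where a value enters markup, rather than stripping characters from the message beforehand, is what closes both reports' variants at once.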

14. Linux O_DIRECT Direct Input/Output Information Leak Vulnerability
BugTraq ID: 6763
Remote: No
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6763
Summary:

The Linux Kernel is the core of the Linux operating system. It is
distributed by various Linux distributions.

A problem with the O_DIRECT flag could make it possible for local users to
gain access to potentially sensitive information.

It has been reported that some Linux Kernels do not properly handle
O_DIRECT, which is used for direct input and output. Any user with system
write privileges may be able to read limited information from other files.

This problem could allow a local user to read limited data from current
files, and may be able to read data from previously deleted files. The
ability of an attacker to exploit this issue at will is not known.
Additionally, exploitation could result in minor corruption of the file
system, which would require repair with the fsck utility.

It should be noted that this vulnerability cannot be exploited on systems
using a vulnerable kernel and the EXT3 file system.


III. LINUX FOCUS LIST SUMMARY
----------------------------
1. openSSL Key generation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/310734

2. ezmlm warning (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/309947

3. Perl administration for Linux fileserver (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/310764

4. Secure Web-Based Administration (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/310014

5. NIS with local root (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/309750


IV. NEW PRODUCTS FOR LINUX PLATFORM
-----------------------------------
1. Firebox II FastVPN
by WatchGuard Technologies
Platforms: Linux
Relevant URL:
http://www.watchguard.com/products/fireboxIIfastvpn.asp
Summary:

The Firebox II FastVPN is the most powerful WatchGuard Firebox and
includes a custom encryption accelerator card for supporting intensive
3DES VPN encryption applications. Equipped with a security-hardened Linux
operating system, the reliable Firebox II FastVPN is dedicated to the
specialized task of Internet security. Solid state architecture removes
the risk of hard drive failure and disk crashes, and dual-image flash
memory enables fall-back to the previously transmitted policy. Three
independent network interfaces allow you to separate your protected office
network from the Internet while providing an optional public network for
hosting Web, e-mail or FTP servers. Each network interface is
independently monitored and visually displayed on the front of the Firebox
II. In addition to LEDs showing connectivity and Armed/Disarmed status,
Firebox II's also display three LEDs: TrafficMeter, LoadMeter and
ThroughputMeter. The triangular TrafficMeter displays LEDs for the
trusted, external and optional interfaces (green bars show the direction
of allowed traffic, red bars indicate denied traffic). The LoadMeter LEDs
display the load average of each Firebox II, up to 100Mb. Lastly, Sys
A/Sys B LEDs indicate whether your Firebox II is running your defined
security policy or if it is in configuration mode.

2. PENS
by Portcullis Computer Security
Platforms: Linux, Netware, Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.securitynet.kirion.net/encryption-software/
Summary:

PENS is an on-the-fly encryption software system with either 56-bit DES
or, new for Version 1.5, 128-bit IDEA and Triple DES algorithms for data
encryption and 1024-bit RSA for key exchange and authentication. Users are
given their own encrypted domains with which they can protect their files.
They can also let other users enter these domains - should the
administrator allow that - making worksharing easier. All they have to do
is send their keys to the person who requires them.

3. hp secure OS software for Linux
by Hewlett-Packard
Platforms: N/A
Relevant URL:
http://www.hp.com/security/products/linux/
Summary:

A secure server platform for Linux as an enhancement to the HP Netaction
software suite. HP Secure OS Software for Linux, will help businesses
secure their Linux environments by offering intrusion prevention,
real-time protection against attacks, and damage containment. HP is first
to market with this business-critical security solution for Linux. HP
Secure OS Software for Linux provides high reliability, performance,
availability, flexibility and scalability. Additionally, it is easy to
install and manage, making it attractive to businesses that don't have
large IT organizations.


V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. WatchLog v0.1b
by Brian Shellabarger
Relevant URL:
http://www.glug.com/projects/WatchLog/
Platforms: Linux, POSIX, UNIX
Summary:

WatchLog is a Perl program designed to give users a better real-time view
of their Web traffic. Simply doing a 'tail -f' on the server log file
often yields confusing results as you can be bombarded with scrolling with
a single hit. WatchLog attempts to present the same information in a
clean, formatted, real time view of the activity on a Website by watching
the logfile and presenting only the relevant data.

2. FieryFilter v0.3
by Mezcalero
Relevant URL:
http://www.stud.uni-hamburg.de/users/lennart/projects/fieryfilter/
Platforms: Linux
Summary:

FieryFilter is an interactive desktop firewall for Linux. It will ask the
user every time a new network connection is made if they want to allow or
deny it. The user is able to generate rules from connections and thus
minimize the amount of questions asked.

3. apachelogrotate.pl v0.1.2
by Hatto von Hatzfeld
Relevant URL:
http://www.salesianer.de/util/apachelog.html
Platforms: Linux, UNIX
Summary:

apachelogrotate.pl rotates and packs the logfiles of the Apache Web server
on a Linux system without interrupting its service and without the need
for a permanent change in the Web server configuration. Assuming that
Apache is running, it will identify the log files which have to be rotated
without any configuration, making it easy to install. By default, logfiles
with more than 10 MB are rotated, but this parameter may be changed and/or
a daily, monthly, or yearly rotation period can be configured.
Documentation is included in the script itself.


VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: BlackHat

Spooked about Windows security? Getting "slammed" hard by worms? Find
all of the solutions at Black Hat Windows Security Briefings & Training,
February 24-27 in Seattle, the world's premier technical event for Windows
security experts. All of the top experts you've read about recently are
speaking. Fully supported by Microsoft, with new MS hosted training
sessions just added!

Visit www.blackhat.com to register.
-------------------------------------------------------------------------------

***********************************************************************
************************** End of Doc #4 ******************************
***********************************************************************

===============================================================================

5.) iDEFENSE Security Advisory 02.10.03: Buffer Overflow In NOD32
    Antivirus Software for Unix

===============================================================================
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 02.10.03:
http://www.idefense.com/advisory/02.10.03.txt
Buffer Overflow In NOD32 Antivirus Software for Unix
February 10, 2003

I. BACKGROUND

Eset Software's NOD32 Antivirus System is a cross-platform anti-virus
application. The Linux, FreeBSD, OpenBSD and NetBSD versions are compiled
from the same sources, which the vendor refers to as "nod32 for UNIX".
More information is available at http://www.nod32.com/products/unix.htm .


II. DESCRIPTION

Local exploitation of a buffer overflow in NOD32 for UNIX could allow
attackers to gain super-user (root) privileges. The overflow occurs when
NOD32 parses a path with a name of length greater than 500 characters
(/tmp/AAAAA....AAA). An attacker can overwrite the first three bytes of
the eax and ecx registers, as can be seen from the following GDB output:

...
Program received signal SIGSEGV, Segmentation fault.
0x4207fa78 in strcmp () from /lib/i686/libc.so.6
(gdb) bt
#0 0x4207fa78 in strcmp () from /lib/i686/libc.so.6
#1 0x0804c2ba in scan_dir ()
#2 0x41414141 in ?? ()
Cannot access memory at address 0x41414141
(gdb) info registers
eax 0x4141414c 1094795596
ecx 0x4141414c 1094795596
...


III. ANALYSIS

Exploitation allows local code execution with the privileges of the user
who spawned NOD32. This is possible by creating an exploit path and then
socially engineering a target user into scanning over the exploit path
using NOD32. If the attacker has write permissions to a directory that is
routinely scanned with NOD32 (such as /tmp), he or she can gain the
privileges of the scanning user (usually root).

Proof of concept exploit code has been written for the FreeBSD 4.7
platform. The following is a sample exploit run that should set up shell
code in an environment variable and spawn a shell under the privileges of
the user executing NOD32:

$ perl eggnod.pl
$ mkdir -p /tmp/`perl -e 'print "A" x 255'`/`perl -e 'print "B" x 240 .
"\xfc\xbf\xbf"'`
$ nod32 /tmp

IV. DETECTION

NOD32 Antivirus System for Unix version 1.012 and below is vulnerable.

V. VENDOR FIX

The latest version 1.013 fixes the issue and can be downloaded from
http://www.nod32.com

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2003-0062 to this issue.

VII. DISCLOSURE TIMELINE

12/03/2003 Issue disclosed to iDEFENSE
01/28/2003 Eset Software notified (webma-@nod32.com)
01/28/2003 iDEFENSE clients notified
02/03/2003 Response received from Palo Luka (lu-@eset.sk)
02/10/2003 Coordinated Public Disclosure

VIII. CREDIT

Knud Erik Højgaard (kn-@skodliv.dk) discovered this vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to list-@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPkgBffrkky7kqW5PEQIq/gCeMsnn0gKxpM25GI/QO673cEV7iAsAn15C
d5dxClPtqnk53TP0W2dmIJKS
=Smty
-----END PGP SIGNATURE-----

***********************************************************************
************************** End of Doc #5 ******************************
***********************************************************************

===============================================================================

End of GN SecNews #4

===============================================================================

-vi