Date: 7 Jun 2004 19:16:32 -0000
From:"Peter Laborge" <plaborge@securityfocus.com>
To:linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #187
SecurityFocus Linux Newsletter #187
------------------------------------

This Issue is Sponsored By: SPI Dynamics

ALERT: "How Hackers Launch Blind SQL Injection Attacks" - New White Paper
The newest web app vulnerability... Blind SQL Injection!
Even if your web application does not return error messages, it may still
be open to a Blind SQL Injection Attack. Blind SQL Injection can deliver
total control of your server to a hacker giving them the ability to read,
write and manipulate all data stored in your backend systems! Download
this *FREE* white paper from SPI Dynamics for a complete guide to
protection!

http://www.securityfocus.com/sponsor/SPIDynamics_linux-secnews_040607

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Wireless Attacks and Penetration Testing (part 1 of 3)
     2. Catching a Virus Writer
     3. Multiple Security Roles With Unix/Linux
II. LINUX VULNERABILITY SUMMARY
     1. Isoqlog Multiple Buffer Overflow Vulnerabilities
     2. Spamguard Multiple Buffer Overflow Vulnerabilities
     3. Gatos xatitv Missing Configuration File Privilege Escalation...
     4. SquirrelMail Email Header HTML Injection Vulnerability
     5. Firebird Remote Pre-Authentication Database Name Buffer Over...
     6. PHP-Nuke Direct Script Access Security Bypass Vulnerability
     7. MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
     8. Gallery Authentication Bypass Vulnerability
     9. Tripwire Email Reporting Format String Vulnerability
     10. Unix and Unix-based select() System Call Overflow Vulnerabil...
     11. Trend Micro Scanning Engine Report Generation HTML Injection...
     12. Michael Krax log2mail Log File Writing Format String Vulnera...
     13. Slackware Linux PHP Packages Insecure Linking Configuration ...
III. LINUX FOCUS LIST SUMMARY
     1. mrtg/snmp/subinterfaces (Thread)
     2. OpenVPN? (Thread)
     3. Block martians with source address 127.0.0.1 (Thread)
     4. Martians? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Immunity CANVAS
     2. SecretAgent
     3. Cyber-Ark  Inter-Business Vault
     4. EnCase Forensic Edition
     5. KeyGhost SX
     6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
     1. Devil-Linux v1.2 Beta 1
     2. GNU Anubis v3.9.94
     3. DNSSEC Walker v3.4
     4. Ettercap v0.7.0 pre2
     5. Linux Intrusion Detection System (LIDS) v2.6.6
     6. Astaro Security Linux (Stable 5.x) v5.007
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Wireless Attacks and Penetration Testing (part 1 of 3)
By Jonathan Hassell

This is the first of a three-part series on penetration testing for
wireless networks. This installment details common styles of attacks
against wireless networks, introduces WEP key-cracking, and then discusses
some recent developments in wireless security.

http://www.securityfocus.com/infocus/1783


2. Catching a Virus Writer
By Kelly Martin 

With the consumer WiFi explosion, launching a virus into the wild has 
never been easier and more anonymous than it is today.

http://www.securityfocus.com/columnists/246


3. Multiple Security Roles With Unix/Linux
By Daniel Hanson

There are some areas of security where Linux and Unix have some strong 
wins, and simply fit in better than anything else.

http://www.securityfocus.com/columnists/247

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Isoqlog Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10433
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10433
Summary:
Isoqlog is prone to multiple buffer overflow vulnerabilities that span 
various source files and functions.  Some of the vulnerabilities are 
remotely exploitable and may permit execution of arbitrary code in the 
context of the process.  Others are local in nature, but as the software 
is not typically installed setuid/setgid, should not present any 
security risk.

2. Spamguard Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10434
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10434
Summary:
Spamguard is prone to multiple buffer overflow vulnerabilities that 
span various source files and functions.  Some of the vulnerabilities are 
remotely exploitable and may permit execution of arbitrary code in the 
context of the process.  Others are local in nature, but as the 
software is not typically installed setuid/setgid, should not present any 
security risk.

3. Gatos xatitv Missing Configuration File Privilege Escalation...
BugTraq ID: 10437
Remote: No
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10437
Summary:
The gatos xatitv utility is prone to a local privilege escalation 
vulnerability.  

This issue may occur when the utility, which is installed setuid root, 
fails to drop privileges due to a missing configuration file.  
Unsanitized user-supplied environment variables may then be exploited to 
escalate privileges.

It is noted that the software ships with a default configuration file, 
so exploitation would require that the file was removed at some point.
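
As an added illustration of the failure pattern described in this entry
(constructed here, not xatitv's code): a setuid-root helper that drops
privileges only after its configuration file has been parsed leaves the
"file missing" path running as root with the caller's environment, whereas
dropping privileges before touching any file covers every path.
drop_privileges, launch_vulnerable, launch_hardened and safe_env are
hypothetical names.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed model of a setuid-root helper that reads a configuration
   file and then launches a viewer; this is not xatitv's code. */

/* Permanently give up root for the real (invoking) user and group.
   Returns 0 on success, -1 if a step fails or root could be regained. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0)             /* group first, while still root */
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && setuid(0) == 0)   /* the drop must be irreversible */
        return -1;
    return 0;
}

/* Environment the hardened version would hand to the viewer: the invoking
   user's PATH, LD_* and similar variables are never consulted. */
static char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Vulnerable ordering: privileges are dropped only once the config file
   has been parsed, so when the file is missing the early path never drops
   them and the viewer would be launched as root with the inherited
   environment.  Returns 1 if privileges were dropped before the launch
   step, 0 otherwise. */
static int launch_vulnerable(const char *cfg_path)
{
    int dropped = 0;
    FILE *cfg = fopen(cfg_path, "r");

    if (cfg != NULL) {
        /* ... parse configuration ... */
        fclose(cfg);
        dropped = (drop_privileges() == 0);
    }
    /* launch step: would execve() the viewer using environ as inherited */
    return dropped;
}

/* Hardened ordering: drop privileges before opening anything, so every
   later path, including "config file missing", runs unprivileged, and
   launch with a fixed environment.  Returns 1 if the launch step is
   reached unprivileged, 0 if the program must abort. */
static int launch_hardened(const char *cfg_path)
{
    if (drop_privileges() != 0)
        return 0;                      /* never continue as root */

    FILE *cfg = fopen(cfg_path, "r");
    if (cfg == NULL) {
        fprintf(stderr, "%s missing, using built-in defaults\n", cfg_path);
    } else {
        /* ... parse configuration ... */
        fclose(cfg);
    }
    /* launch step: would execve(viewer, argv, safe_env); this model does
       not exec, so the array is only referenced here */
    (void)safe_env;
    return 1;
}
```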

4. SquirrelMail Email Header HTML Injection Vulnerability
BugTraq ID: 10439
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10439
Summary:
SquirrelMail is reported to be prone to an email header HTML injection 
vulnerability.  This issue is due to a failure of the application to 
properly sanitize user-supplied email header strings.

An attacker can exploit this issue to gain access to an unsuspecting 
user's cookie based authentication credentials; disclosure of personal 
email is possible.  Other attacks are also possible.

5. Firebird Remote Pre-Authentication Database Name Buffer Over...
BugTraq ID: 10446
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10446
Summary:
Firebird is reported prone to a remote buffer overrun vulnerability. 
The issue presents itself due to a lack of sufficient boundary checks 
performed when the database server is handling database names.

A remote attacker may exploit this vulnerability, without requiring 
valid authentication credentials, to influence execution flow of the 
affected Firebird database server. Ultimately this may lead to the execution 
of attacker-supplied code in the context of the affected software.

6. PHP-Nuke Direct Script Access Security Bypass Vulnerability
BugTraq ID: 10447
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10447
Summary:
PHP-Nuke is affected by a direct script access security vulnerability.  
This issue is due to a failure to properly validate the location and 
name of the file being accessed.

This issue will allow an attacker to gain access to sensitive scripts 
such as the 'admin.php' script.  The attacker may be able to exploit 
this unauthorized access to carry out attacks against the affected 
application.

7. MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
BugTraq ID: 10448
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10448
Summary:
Kerberos 5 is prone to multiple boundary condition errors in the
krb5_aname_to_localname() function and its helper functions, due to
insufficient bounds checking performed on user-supplied data.

An additional boundary condition issue, an off-by-one error, is reported
to exist in the explicit mapping functionality of
krb5_aname_to_localname().

These conditions may be theoretically exploitable to execute arbitrary 
code remotely in the context of the affected service.

It is reported that explicit mapping or rules-based
mapping functionality of krb5_aname_to_localname() must be enabled for 
these vulnerabilities to be present. Additionally it is necessary that 
the principal name used by the attacker to exploit the issue be listed 
in the explicit mapping list.

These vulnerabilities are reported to affect all releases of MIT 
Kerberos 5, up to and including version krb5-1.3.3.

8. Gallery Authentication Bypass Vulnerability
BugTraq ID: 10451
Remote: Yes
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10451
Summary:
It has been disclosed that an attacker can bypass Gallery's 
authentication process, and log in as any user without a password.

An attacker can override configuration variables by passing them in 
GET, POST or cookie arguments. Gallery simulates the 'register_globals' 
PHP setting by extracting the values of the various $HTTP_ global 
variables into the global namespace. Therefore, regardless of the 
'register_globals' PHP setting, an attacker can override configuration variables.

An attacker can change configuration variables and cause Gallery to 
skip the authentication steps.

Versions prior to 1.4.3-pl2 are reported to be vulnerable.

9. Tripwire Email Reporting Format String Vulnerability
BugTraq ID: 10454
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10454
Summary:
Tripwire is affected by an email reporting format string vulnerability.
This issue is due to a failure to properly implement a formatted string
function.

This vulnerability will allow for execution of arbitrary code on a 
system running the affected software. This would occur in the security 
context of the user invoking the vulnerable application; typically the 
superuser.

**Update - It is reported that this issue only presents itself when the 
MAILMETHOD is sendmail.

10. Unix and Unix-based select() System Call Overflow Vulnerabil...
BugTraq ID: 10455
Remote: Unknown
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10455
Summary:
The select() system call may be vulnerable to an overflow condition, 
possibly allowing attackers to write data past the end of a fixed size 
buffer.

select() uses arguments of type 'fd_set', which is of a fixed size in 
many Unix variants. fd_set is used to keep track of open file 
descriptors. 

If a process raises its rlimit for open files past 1024, it is 
theoretically possible to cause select to change individual bits past the end 
of the fixed size fds_bits structure. In theory, an attacker may be able 
to use this vulnerability to cause a denial of service condition, or 
possibly execute arbitrary code.

It should be noted that rlimits can only be raised by root, and that 
only processes with rlimits allowing more than 1024 file descriptors 
would be affected.

This is a theoretical issue, and it has not been confirmed by any 
vendor. This BID will be updated when further information is released.
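
The fixed-size fd_set behaviour described in this entry, as an added
example (constructed here, not from the BID or any vendor's code): a
range-checked FD_SET wrapper, plus a check and a clamp on RLIMIT_NOFILE so
that a select()-based program never handles a descriptor its fd_set cannot
represent. fdset_add_checked, fdset_add_demo, nofile_limit_exceeds_select
and clamp_nofile_to_select are hypothetical names.

```c
#include <sys/select.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <sys/types.h>

/* fd_set is a fixed bitmap of FD_SETSIZE bits (1024 on glibc). FD_SET()
   performs no range check, so a descriptor >= FD_SETSIZE flips a bit past
   the end of fds_bits, i.e. into whatever follows the fd_set in memory. */

/* Add fd to the set only if it fits.  Returns 0 on success, -1 if fd is
   negative or >= FD_SETSIZE. */
static int fdset_add_checked(fd_set *set, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Self-check on a fresh set: 1 if fd was accepted and is now set, 0 if it
   was refused as out of range. */
static int fdset_add_demo(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    if (fdset_add_checked(&set, fd) != 0)
        return 0;
    return FD_ISSET(fd, &set) ? 1 : 0;
}

/* 1 if the soft RLIMIT_NOFILE allows descriptors that select() cannot
   represent, 0 if every fd the process can open fits, -1 on error.  A
   process in the "1" state must use poll()/epoll instead of select(). */
static int nofile_limit_exceeds_select(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return rl.rlim_cur > (rlim_t)FD_SETSIZE ? 1 : 0;
}

/* Mitigation for a select()-based program: lower its own soft limit so no
   descriptor it can ever open is out of range for fd_set.  Lowering the
   soft limit needs no privilege.  Returns 0 on success, -1 on error. */
static int clamp_nofile_to_select(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur > (rlim_t)FD_SETSIZE) {
        rl.rlim_cur = FD_SETSIZE;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return -1;
    }
    return 0;
}
```

Programs that legitimately need more than FD_SETSIZE descriptors should
move to poll() or epoll rather than raise the limit and keep using
select().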

11. Trend Micro Scanning Engine Report Generation HTML Injection...
BugTraq ID: 10456
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10456
Summary:
Trend Micro's scanning engine is reportedly affected by an HTML
injection vulnerability in its report generation feature. This issue is
due to a failure to properly sanitize user-supplied data before including
it in an HTML report.

It has been speculated that the offending HTML alert reports run from 
the local zone on the affected computer, although this has not been 
verified.

This issue may be exploited by a remote attacker to execute arbitrary
HTML or script code on an affected computer, potentially resulting in
unauthorized access. Other attacks are also possible.

12. Michael Krax log2mail Log File Writing Format String Vulnera...
BugTraq ID: 10460
Remote: No
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10460
Summary:
Michael Krax log2mail is reported prone to a log file writing format 
string vulnerability.  This issue is due to a failure of the application 
to properly implement a formatted string function.

This vulnerability will ultimately allow for execution of arbitrary 
code on a system running the affected software. This would occur in the 
security context of the user invoking the vulnerable application; 
typically the 'log2mail' user with group 'adm'.
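
As an added example for the Tripwire (9) and log2mail (12) entries above,
constructed here rather than taken from either project: the same line
rendered once with attacker-influenced text as the format argument (the
bug class both entries describe) and once, correctly, as data. Only the
argument-free "%%" directive appears in the sample so the vulnerable call
stays well-defined; render_vulnerable, render_fixed, renders_verbatim and
sample_msg are hypothetical names and the message is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of text an attacker could influence (a filename in a
   Tripwire report, a line from a log that log2mail watches). */
static const char sample_msg[] = "checked 100%% of files in /var/log";

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
/* Vulnerable: msg is interpreted as a printf format string.  With "%s",
   "%x" or "%n" in real input this reads or writes memory it must not. */
static int render_vulnerable(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);
}
#pragma GCC diagnostic pop

/* Fixed: the format is a literal and msg is passed purely as data. */
static int render_fixed(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* 1 when the message reaches the output verbatim, 0 when the renderer
   altered it, the tell-tale sign that it was treated as a format. */
static int renders_verbatim(int (*render)(char *, size_t, const char *),
                            const char *msg)
{
    char out[256];
    if (render(out, sizeof out, msg) < 0)
        return 0;
    return strcmp(out, msg) == 0 ? 1 : 0;
}
```

Building with -Wformat -Wformat-security (gcc or clang) reports the
vulnerable call at compile time, which is the cheapest place to catch this
class of defect.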

13. Slackware Linux PHP Packages Insecure Linking Configuration ...
BugTraq ID: 10461
Remote: No
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10461
Summary:
Slackware Linux PHP Packages are reportedly affected by an insecure
linking configuration vulnerability.  This issue is due to a configuration
error that causes PHP to be linked against shared libraries in insecure
directories.

This issue can be leveraged by an attacker to execute arbitrary code in 
the security context of the user running the affected PHP process; 
typically the user 'nobody'.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. mrtg/snmp/subinterfaces (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/365318

2. OpenVPN? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/365209

3. Block martians with source address 127.0.0.1 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/365207

4. Martians? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/364805

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary: 

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, 
Windows XP
Relevant URL: 
http://www.infoseccorp.com/products/secretagent/contents.htm
Summary: 

SecretAgent is a file encryption and digital signature utility, 
supporting cross-platform interoperability over a wide range of platforms: 
Windows, Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, 
regardless of the size of your organization.

Using the latest recognized standards in encryption and digital 
signature technology, SecretAgent ensures the confidentiality, integrity, and 
authenticity of your data.

3. Cyber-Ark  Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: 
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary: 

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Devil-Linux v1.2 Beta 1
By: Heiko Zuerker <heiko@devil-linux.org>
Relevant URL: http://www.devil-linux.org/download.htm
Platforms: Linux
Summary: 

Devil-Linux is a special Linux distribution which is used for 
firewalls/routers. The goal of Devil-Linux is to have a small, customizable, and 
secure Linux system. Configuration is saved on a floppy disk, and it 
has several optional packages.

2. GNU Anubis v3.9.94
By: Wojciech Polak
Relevant URL: http://www.gnu.org/software/anubis/
Platforms: Linux, POSIX
Summary: 

GNU Anubis is an outgoing mail processor. It sits between the MUA (Mail
User Agent) and the MTA (Mail Transport Agent), and can perform various
sorts of processing and conversion on the fly in accordance with the
sender's specified rules, based on a highly configurable regular
expression system. It operates as a proxy server, and can edit outgoing mail
headers, encrypt or sign mail with GnuPG, build secure SMTP tunnels
using TLS/SSL encryption even if your mail user agent doesn't
support it, or tunnel a connection through a SOCKS proxy server.

3. DNSSEC Walker v3.4
By: Simon Josefsson
Relevant URL: http://josefsson.org/walker/
Platforms: Linux, UNIX
Summary: 

DNSSEC Walker is a tool to recover DNS zonefiles using the DNS 
protocol. The server does not have to support zonetransfer, but the zone must 
contain DNSSEC "NXT" records.

4. Ettercap v0.7.0 pre2
By: ALoR <alor@users.sourceforge.net>
Relevant URL: http://ettercap.sourceforge.net/
Platforms: FreeBSD, Linux, MacOS, NetBSD, Windows 2000, Windows NT, 
Windows XP
Summary: 

Ettercap is a network sniffer/interceptor/logger for ethernet LANs. It 
supports active and passive dissection of many protocols (even ciphered 
ones, like SSH and HTTPS). Data injection in an established connection 
and filtering on the fly is also possible, keeping the connection 
synchronized. Many sniffing modes were implemented to give you a powerful 
and complete sniffing suite. Plugins are supported. It has the ability to 
check whether you are in a switched LAN or not, and to use OS 
fingerprints (active or passive) to let you know the geometry of the LAN.

5. Linux Intrusion Detection System (LIDS) v2.6.6
By: Xie Hua Gang, xhg@gem.ncic.ac.cn
Relevant URL: http://www.lids.org/download.html
Platforms: Linux
Summary: 

The Linux Intrusion Detection System is a patch which enhances the
kernel's security. When it is in effect, access to chosen files, all
system/network administration operations, any capability use, and raw
device, mem, and I/O access can be made impossible even for root. You can
define which program can access which file. It uses and extends the system
capabilities bounding set to control the whole system and adds some network
and filesystem security features to the kernel to enhance security.
You can finely tune the security protections online, hide sensitive
processes, receive security alerts through the network, and more.

6. Astaro Security Linux (Stable 5.x) v5.007
By: astaro
Relevant URL: http://www.astaro.com/
Platforms: Linux, POSIX
Summary: 

Astaro Security Linux is a firewall solution. It does stateful packet 
inspection filtering, content filtering, user authentication, virus 
scanning, VPN with IPSec and PPTP, and much more. With its Web-based 
management tool, WebAdmin, and the ability to pull updates via the Internet, 
it is pretty easy to manage. It is based on a special hardened Linux 
2.4 distribution where most daemons are running in change-roots and are 
protected by kernel capabilities.

VII. SPONSOR INFORMATION
-----------------------


------------------------------------------------------------------------