Date: 5 Apr 2005 22:04:16 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #230
SecurityFocus Linux Newsletter #230
------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Web Browser Forensics, Part 1
     2. Defeating Honeypots: System Issues, Part 2
II. LINUX VULNERABILITY SUMMARY
     1. Linux Kernel Bluetooth Signed Buffer Index Vulnerability
     2. Multiple Vendor Telnet Client LINEMODE Sub-Options Remote Bu...
     3. Multiple Vendor Telnet Client Env_opt_add Heap-Based Buffer ...
     4. Midnight Commander Insert_Text Buffer Overflow Vulnerability
     5. Linux Kernel EXT2 File System Information Leak Vulnerability
     6. Sylpheed MIME-Encoded Attachment Name Buffer Overflow Vulner...
     7. Linux Kernel Elf Binary Loading Local Denial of Service Vuln...
     8. Mailreader Remote HTML Injection Vulnerability
     9. YepYep MTFTPD Remote CWD Argument Format String Vulnerabilit...
     10. Linux Kernel File Lock Local Denial Of Service Vulnerability
     11. GDK-Pixbuf BMP Image Processing Double Free Remote Denial of...
     12. PAFileDB ID Parameter Cross-Site Scripting Vulnerability
     13. BZip2 CHMod File Permission Modification Race Condition Weak...
     14. Linux Kernel Futex Local Deadlock Denial Of Service Vulnerab...
     15. PHP Group PHP Image File Format Remote Denial Of Service Vul...
     16. PHP Group PHP Remote JPEG File Format Remote Denial Of Servi...
     17. BakBone NetVault Configure.CFG Local Buffer Overflow Vulnera...
     18. BakBone NetVault Remote Heap Overflow Vulnerability
     19. Linux Kernel TmpFS Driver Local Denial Of Service Vulnerabil...
III. LINUX FOCUS LIST SUMMARY
     1. vsftp question (Thread)
     2. Linux and DB2 (Thread)
     3. Apache+PHP+ftp security (Thread)
     4. Re[2]: Apache+PHP+ftp security (Thread)
     5. OpenVPN? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. CoreGuard Core Security System
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. File System Saint 1.02a
     2. Umbrella v0.5
     3. Travesty 1.0
     4. OCS 0.1
     5. KSB - Kernel Socks Bouncer 2.6.10
     6. DigSig 1.3.2
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Web Browser Forensics, Part 1
By Keith J. Jones and Rohyt Belani
This article provides a case study of digital forensics, and investigates
incriminating evidence using a user's web browser history.
http://www.securityfocus.com/infocus/1827

2. Defeating Honeypots: System Issues, Part 2
By Thorsten Holz and Frederic Raynal
Part two of this paper discusses how hackers discover, interact with, and
sometimes disable honeypots at the system level and the application layer.
http://www.securityfocus.com/infocus/1828

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Linux Kernel Bluetooth Signed Buffer Index Vulnerability
BugTraq ID: 12911
Remote: No
Date Published: Mar 28 2005
Relevant URL: http://www.securityfocus.com/bid/12911
Summary:
A local signed buffer index vulnerability affects the Linux kernel. 
This issue is due to a failure of the affected kernel to securely handle 
signed values when validating memory indexes.

This issue may be leveraged by a local attacker to gain escalated
privileges on an affected computer.

2. Multiple Vendor Telnet Client LINEMODE Sub-Options Remote Bu...
BugTraq ID: 12918
Remote: Yes
Date Published: Mar 28 2005
Relevant URL: http://www.securityfocus.com/bid/12918
Summary:
A remote buffer overflow vulnerability affects multiple vendors' Telnet
clients.  This issue is due to a failure of the application to properly
validate the length of user-supplied strings prior to copying them into
static process buffers.

An attacker may exploit this issue to execute arbitrary code with the 
privileges of the user that activated the vulnerable application. This 
may facilitate unauthorized access or privilege escalation.

3. Multiple Vendor Telnet Client Env_opt_add Heap-Based Buffer ...
BugTraq ID: 12919
Remote: Yes
Date Published: Mar 28 2005
Relevant URL: http://www.securityfocus.com/bid/12919
Summary:
Multiple vendors' Telnet client applications are reported prone to a
remote buffer overflow vulnerability. It is reported that the
vulnerability exists in the function 'env_opt_add()' in the 'telnet.c' source file,
which is apparently common source for all of the affected vendors.

A remote attacker may exploit this vulnerability to execute arbitrary 
code on some of the affected platforms in the context of a user that is 
using the vulnerable Telnet client to connect to a malicious server.

4. Midnight Commander Insert_Text Buffer Overflow Vulnerability
BugTraq ID: 12928
Remote: No
Date Published: Mar 29 2005
Relevant URL: http://www.securityfocus.com/bid/12928
Summary:
A buffer overflow vulnerability exists in Midnight Commander.  The 
vulnerability is caused by insufficient bounds checking of external data 
supplied to the 'insert_text()' function.  

This issue may allow local attackers to execute arbitrary code in the 
context of another user.

5. Linux Kernel EXT2 File System Information Leak Vulnerability
BugTraq ID: 12932
Remote: No
Date Published: Mar 29 2005
Relevant URL: http://www.securityfocus.com/bid/12932
Summary:
The Linux kernel EXT2 filesystem handling code is reported prone to a 
local information leakage vulnerability.

This issue may be leveraged by a local attacker to gain access to
potentially sensitive kernel memory.  Information gained in this way may lead
to further attacks against the affected computer.

6. Sylpheed MIME-Encoded Attachment Name Buffer Overflow Vulner...
BugTraq ID: 12934
Remote: Yes
Date Published: Mar 29 2005
Relevant URL: http://www.securityfocus.com/bid/12934
Summary:
Sylpheed is prone to a buffer overflow when handling email attachments 
with MIME-encoded file names.

Successful exploitation may allow arbitrary code execution in the
security context of the application.

7. Linux Kernel Elf Binary Loading Local Denial of Service Vuln...
BugTraq ID: 12935
Remote: No
Date Published: Mar 29 2005
Relevant URL: http://www.securityfocus.com/bid/12935
Summary:
The Linux kernel is prone to a potential local denial of service
vulnerability.

It is reported that the issue exists in the 'load_elf_library' function.

Linux Kernel 2.6.11.5 and prior versions are affected by this issue.

8. Mailreader Remote HTML Injection Vulnerability
BugTraq ID: 12945
Remote: Yes
Date Published: Mar 30 2005
Relevant URL: http://www.securityfocus.com/bid/12945
Summary:
A remote HTML injection vulnerability affects Mailreader. This issue is 
due to a failure of the application to properly sanitize user-supplied 
input prior to including it in dynamically generated Web content. 

An attacker may leverage this issue to have arbitrary script code 
executed in the browser of an unsuspecting user.  This may facilitate the 
theft of cookie-based authentication credentials as well as other 
attacks.

9. YepYep MTFTPD Remote CWD Argument Format String Vulnerabilit...
BugTraq ID: 12947
Remote: Yes
Date Published: Mar 30 2005
Relevant URL: http://www.securityfocus.com/bid/12947
Summary:
mtftpd is reported prone to a remote format string vulnerability.

Reports indicate that this issue may be exploited by a remote 
authenticated attacker to execute arbitrary code in the context of the 
vulnerable service.

This vulnerability is reported to affect mtftpd versions up to and
including version 0.0.3.

10. Linux Kernel File Lock Local Denial Of Service Vulnerability
BugTraq ID: 12949
Remote: No
Date Published: Mar 30 2005
Relevant URL: http://www.securityfocus.com/bid/12949
Summary:
A local denial of service vulnerability reportedly affects the Linux 
kernel.  This issue arises due to a failure of the kernel to properly 
handle malicious, excessive file locks.

An attacker may leverage this issue to crash or hang the affected 
kernel and deny service to legitimate users.

It should be noted that Symantec has been unable to reproduce this 
issue after testing.  It is possible that this vulnerability is linked to 
the reporter's specific configuration.  More information will be added 
as it becomes available.

11. GDK-Pixbuf BMP Image Processing Double Free Remote Denial of...
BugTraq ID: 12950
Remote: Yes
Date Published: Mar 30 2005
Relevant URL: http://www.securityfocus.com/bid/12950
Summary:
The gdk-pixbuf library is reported prone to a denial of service
vulnerability.  This issue arises due to a double free condition.

It is reported that this vulnerability presents itself when an 
application that is linked against the library handles malformed Bitmap (.bmp) 
image files. 

A successful attack may result in a denial of service condition.  It is 
not confirmed whether this vulnerability could be leveraged to execute 
arbitrary code.

gdk-pixbuf 0.22.0 and gtk2 2.4.14 packages are known to be vulnerable 
to this issue.  It is likely that other versions are affected as well.

This BID will be updated when more information becomes available.

12. PAFileDB ID Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 12952
Remote: Yes
Date Published: Mar 31 2005
Relevant URL: http://www.securityfocus.com/bid/12952
Summary:
paFileDB is reported prone to a cross-site scripting vulnerability.

The vulnerability presents itself when an attacker supplies malicious 
HTML and script code through the 'id' parameter.

This may allow for theft of cookie-based authentication credentials or 
other attacks.

paFileDB 3.1 and prior versions are affected by this vulnerability.

This issue may be related to BID 12788 (PAFileDB Multiple SQL Injection 
And Cross-Site Scripting Vulnerabilities) and BID 12758 (PHP Arena 
PAFileDB Multiple Remote Cross Site Scripting Vulnerabilities).  This BID 
will be retired or updated upon further analysis.

13. BZip2 CHMod File Permission Modification Race Condition Weak...
BugTraq ID: 12954
Remote: No
Date Published: Mar 31 2005
Relevant URL: http://www.securityfocus.com/bid/12954
Summary:
bzip2 is reported prone to a security weakness; the issue is only
present when an archive is extracted into a world- or group-writeable
directory. It is reported that bzip2 employs non-atomic procedures to write a
file and later change the permissions on the newly extracted file.

A local attacker may leverage this issue to modify file permissions of 
target files.

This weakness is reported to affect bzip2 version 1.0.2 and previous 
versions.

14. Linux Kernel Futex Local Deadlock Denial Of Service Vulnerab...
BugTraq ID: 12959
Remote: No
Date Published: Mar 31 2005
Relevant URL: http://www.securityfocus.com/bid/12959
Summary:
The Linux kernel futex functions are reported prone to a local denial 
of service vulnerability. The issue is reported to manifest because 
several unspecified futex functions perform 'get_user()' calls and at the 
same time hold mmap_sem for reading purposes.

A local attacker may potentially leverage this issue to trigger a
kernel deadlock and deny service to legitimate users.

This vulnerability is reported to exist in the 2.6 Linux kernel tree.

15. PHP Group PHP Image File Format Remote Denial Of Service Vul...
BugTraq ID: 12962
Remote: Yes
Date Published: Apr 01 2005
Relevant URL: http://www.securityfocus.com/bid/12962
Summary:
A remote denial of service vulnerability affects PHP Group PHP.  This 
issue is due to a failure of the application to properly handle 
maliciously formed Image Format File (IFF) image files.

It should be noted that this vulnerability can only be exploited
remotely if a Web based PHP application is implemented that allows
user-supplied images to be processed by the 'getimagesize()' function.  The
'getimagesize()' function is commonly used in PHP Web applications that allow
for the display of images.

An attacker may leverage this issue to cause the affected script 
interpreter to consume excessive processing resources on an affected 
computer, leading to a denial of service condition.

16. PHP Group PHP Remote JPEG File Format Remote Denial Of Servi...
BugTraq ID: 12963
Remote: Yes
Date Published: Apr 01 2005
Relevant URL: http://www.securityfocus.com/bid/12963
Summary:
A remote denial of service vulnerability affects PHP Group PHP.  This 
issue is due to a failure of the application to properly handle 
maliciously crafted JPEG image files.

It should be noted that this vulnerability can only be exploited
remotely if a Web based PHP application is implemented that allows
user-supplied images to be processed by the 'getimagesize()' function.  The
'getimagesize()' function is commonly used in PHP Web applications that allow
for the display of images.

An attacker may leverage this issue to cause the affected script 
interpreter to consume excessive processing resources on an affected 
computer, leading to a denial of service condition.

17. BakBone NetVault Configure.CFG Local Buffer Overflow Vulnera...
BugTraq ID: 12966
Remote: No
Date Published: Apr 01 2005
Relevant URL: http://www.securityfocus.com/bid/12966
Summary:
NetVault is reported prone to a local buffer overflow vulnerability.

It is reported that a local attacker can exploit this vulnerability by 
supplying excessive data through a variable in the 'configure.cfg' 
file.

A successful attack can allow local attackers to execute arbitrary code 
on a vulnerable computer to gain elevated privileges.

This issue has been confirmed in NetVault 7 packages running on Windows 
platforms.  Other versions of NetVault running on different platforms 
may be affected as well.

18. BakBone NetVault Remote Heap Overflow Vulnerability
BugTraq ID: 12967
Remote: Yes
Date Published: Apr 01 2005
Relevant URL: http://www.securityfocus.com/bid/12967
Summary:
NetVault is reported prone to a remote heap overflow vulnerability.

A successful attack can allow remote attackers to execute arbitrary 
code on a vulnerable computer to gain unauthorized access. 

This issue has been confirmed in NetVault 7 packages running on Windows 
platforms. Other versions of NetVault running on different platforms 
may be affected as well.

19. Linux Kernel TmpFS Driver Local Denial Of Service Vulnerabil...
BugTraq ID: 12970
Remote: No
Date Published: Apr 01 2005
Relevant URL: http://www.securityfocus.com/bid/12970
Summary:
The Linux kernel is reported prone to a local denial of service
vulnerability. The issue is reported to exist in the Linux kernel tmpfs
driver, and is due to a lack of sanitization performed on the address
argument of 'shm_nopage()'.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. vsftp question (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/394897

2. Linux and DB2 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/394891

3. Apache+PHP+ftp security (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/394746

4. Re[2]: Apache+PHP+ftp security (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/394581

5. OpenVPN? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/394497

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary: 

CoreGuard System profile

The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.

CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
  and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
  administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content
filtering and spam protection internet security software package for
Linux. Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

Low cost, easy to use Two Factor Authentication One Time Password token
using the Cellular. Does not use SMS or communication, manages multiple
OTP accounts - new technology. For any business that wants safer
access to its Internet Services. More information at our site.

We also provide an eAuthentication service for businesses that will not
buy an Authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. File System Saint 1.02a
By: Joshua Fritsch
Relevant URL: http://www.unixgeeks.org/saint
Platforms: Linux, UNIX
Summary: 

A fast, flexible, lightweight perl-based host IDS.

2. Umbrella v0.5
By: Umbrella
Relevant URL: http://umbrella.sf.net/
Platforms: Linux
Summary: 

A combination of process-based access control (PBAC) and authentication
of binaries (like DigSig) - in addition the binaries have the security
policy included within the binary, thus when it is executed, the policy
is applied to the corresponding process. Umbrella provides developers
with a "restricted fork" which enables them to further restrict a
sub-process from e.g. accessing the network.

3. Travesty 1.0
By: Robert Wesley McGrew
Relevant URL: http://cse.msstate.edu/~rwm8/travesty/
Platforms: Linux
Summary: 

Travesty is an interactive program for managing the hardware addresses
(MAC) of ethernet devices on your computer.  It supports manually
changing the MAC, generating random addresses, and applying different vendor
prefixes to the current address.  It also allows the user to import their
own lists of hardware addresses and descriptions that can be navigated from
within the Travesty interface.  Travesty is written in Python, and is very
simple to add functionality to, or modify.

4. OCS 0.1
By: OverIP
Relevant URL: http://hacklab.altervista.org/download/OCS.c
Platforms: Linux
Summary: 

This is a very reliable and fast mass scanner for Cisco routers with
telnet/enable default passwords.

5. KSB - Kernel Socks Bouncer 2.6.10
By: Paolo Ardoino
Relevant URL: http://ardoino.altervista.org/kernel.php
Platforms: Linux
Summary: 

KSB26 [Kernel Socks Bouncer] is a Linux Kernel 2.6.x patch that redirects
full tcp connections [SSH, telnet, ...] to follow through socks5. KSB26
uses a character device to pass socks5 and target ips to the Linux
Kernel. I have chosen to write in kernel space to enjoy myself [I know
that there are easier and safer ways to write this in userspace].

6. DigSig 1.3.2
By: 
Relevant URL: http://sourceforge.net/projects/disec/
Platforms: Linux
Summary: 

DigSig is a Linux kernel loadable module that checks the signature of a binary before
running it.  It inserts digital signatures inside the ELF binary and
verifies this signature before loading the binary. Therefore, it improves
the security of the system by preventing a wide range of malicious
binaries like viruses, worms, Trojan programs and backdoors from running on
the system.

VII. SPONSOR INFORMATION
-----------------------

------------------------------------------------------------------------