Date: Tue, 04 Apr 2006 12:45:23 -0600
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #280
SecurityFocus Linux Newsletter #280
----------------------------------------

------------------------------------------------------------------
I.   FRONT AND CENTER
        1. Two attacks against VoIP
        2. Open source security testing methodology
        3. This Means Warcraft!
II.  LINUX VULNERABILITY SUMMARY
        1. Vavoom Multiple Denial of Service Vulnerabilities
        2. MediaWiki Encoded Page Link HTML Injection Vulnerability
        3. Noah Grey Greymatter Arbitrary File Upload Vulnerability
        4. Debian GNU/Linux Multiple Packages Insecure RUNPATH Vulnerability
        5. Horde Help Viewer Remote PHP Code Execution Vulnerability
        6. FreeRadius RLM_SQLCounter SQL Injection Vulnerability
        7. Tetris-BSD Tetris-bsd.scores Local Privilege Escalation Vulnerability
        8. DIA XFIG File Import Multiple Remote Buffer Overflow Vulnerabilities
        9. GNU Mailman Attachment Scrubber Malformed MIME Message Denial Of Service Vulnerability
        10. Samba Machine Trust Account Local Information Disclosure Vulnerability
        11. BusyBox Insecure Password Hash Weakness
        12. Util-VServer SUEXEC Privilege Escalation Weakness
        13. PHP PHPInfo Large Input Cross-Site Scripting Vulnerability
        14. MPG123 Malformed MP3 File Memory Corruption Vulnerability
        15. HP Color LaserJet 2500/4600 Toolbox Directory Traversal Vulnerability
        16. Kaffeine Remote HTTP_Peek Buffer Overflow Vulnerability
III. LINUX FOCUS LIST SUMMARY
        1. IPtables and C programming??
        2. Systrace 1.6: Phoenix Release for Linux
V.   SPONSOR INFORMATION

I.   FRONT AND CENTER
---------------------
1. Two attacks against VoIP
By Peter Thermos
The purpose of this article is to discuss two of the best-known 
attacks that can be carried out against current VoIP deployments. The first 
attack demonstrates the ability to hijack a user's VoIP subscription and 
the subsequent communications. The second looks at the ability to 
eavesdrop on VoIP communications.
http://www.securityfocus.com/infocus/1862

2. Open source security testing methodology
By Federico Biancuzzi
Truth is made of numbers. Following this golden rule, Federico 
Biancuzzi interviewed Pete Herzog, founder of ISECOM and creator of the OSSTMM, 
to talk about the upcoming revision 3.0 of the Open Source Security 
Testing Methodology Manual. He discusses why we need a testing 
methodology, why use open source, the value of certifications, and plans for a new 
vulnerability scanner developed with a different approach than Nessus.
http://www.securityfocus.com/columnists/395

3. This Means Warcraft!
By Mark Rasch
A recent World of Warcraft case involved a WoW book by Brian Knopp that 
was being sold on eBay. It resulted in automated takedown notices by 
"lawyerbots" and shows how the legal process today can end up silencing 
legitimate uses of trademarks and copyrights.
http://www.securityfocus.com/columnists/396


II.  LINUX VULNERABILITY SUMMARY
------------------------------------
1. Vavoom Multiple Denial of Service Vulnerabilities
BugTraq ID: 17261
Remote: Yes
Date Published: 2006-03-27
Relevant URL: http://www.securityfocus.com/bid/17261
Summary:
Vavoom is prone to two denial-of-service vulnerabilities. These issues 
can cause the application to stop responding or crash.

Vavoom 1.19.1 and earlier are affected.

2. MediaWiki Encoded Page Link HTML Injection Vulnerability
BugTraq ID: 17269
Remote: Yes
Date Published: 2006-03-27
Relevant URL: http://www.securityfocus.com/bid/17269
Summary:
MediaWiki is prone to an HTML-injection vulnerability. This issue is 
due to a lack of proper sanitization of user-supplied input before using 
it in dynamically generated content.

Attacker-supplied HTML and script code would be executed in the context 
of the affected website, potentially allowing an attacker to steal 
cookie-based authentication credentials. An attacker could also exploit 
this issue to control how the site is rendered to the user; other attacks 
are also possible.

3. Noah Grey Greymatter Arbitrary File Upload Vulnerability
BugTraq ID: 17271
Remote: Yes
Date Published: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/17271
Summary:
Greymatter is prone to an arbitrary file-upload vulnerability.

An attacker can exploit this vulnerability to upload arbitrary code and 
execute it in the context of the webserver process. This may facilitate 
unauthorized access or privilege escalation; other attacks are also 
possible.

4. Debian GNU/Linux Multiple Packages Insecure RUNPATH Vulnerability
BugTraq ID: 17288
Remote: No
Date Published: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/17288
Summary:
Multiple packages in Debian GNU/Linux are susceptible to an insecure 
RUNPATH vulnerability. This issue is due to a flaw in the build system 
that results in insecure RUNPATHs being included in certain binaries.

This vulnerability may result in arbitrary code being executed in the 
context of users who run the vulnerable executables. This may facilitate 
privilege escalation.
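The practical check for this class of flaw is to look at what the dynamic linker will actually search. The script below is an added example for this newsletter, not Debian's or binutils' own tooling: it parses the text that `readelf -d` prints, flags RPATH/RUNPATH elements that a local user could control (the current directory, relative paths, or user-writable trees), and can scan a binary directly or a saved listing offline. The sample listing, the `/tmp/buildd` path and the list of user-writable prefixes are constructed assumptions for the demonstration.

```python
"""Audit DT_RPATH / DT_RUNPATH entries for paths a local user could control.

Added example, not Debian's or binutils' own code. It parses the text that
`readelf -d <binary>` prints; scan_file() runs readelf for you, and
insecure_entries() can be fed a saved listing offline. The listing at the
bottom is constructed for the demonstration.
"""
import re
import subprocess
from typing import List

# readelf renders the two tags as, for example:
#   0x000000000000001d (RUNPATH)  Library runpath: [/usr/lib/foo:.:/tmp/x]
#   0x000000000000000f (RPATH)    Library rpath: [/opt/foo/lib]
_RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*?)\]")

# Prefixes under which unprivileged users can usually create files.
# Assumption for the example; extend it for your own filesystem layout.
USER_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/build")


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def insecure_entries(readelf_output: str) -> List[str]:
    """Return the search-path elements that let a non-root user plant a
    library the dynamic linker will load into the victim's process."""
    findings = []
    for tag, value in _RPATH_RE.findall(readelf_output):
        for element in value.split(":"):
            if element in ("", "."):
                # An empty element and "." both mean the caller's current
                # directory, which the attacker chooses.
                findings.append(f"{tag} element '{element}' resolves to the cwd")
            elif element.startswith("$ORIGIN"):
                # Relative to the binary's own directory: acceptable for an
                # unprivileged program installed in a root-owned directory,
                # but worth a second look for setuid binaries.
                continue
            elif not element.startswith("/"):
                findings.append(f"{tag} element '{element}' is relative to the cwd")
            elif any(_under(element, p) for p in USER_WRITABLE):
                findings.append(f"{tag} element '{element}' is under a user-writable tree")
    return findings


def scan_file(path: str) -> List[str]:
    """Run readelf on one binary and report its insecure search-path elements."""
    proc = subprocess.run(["readelf", "-d", path], capture_output=True, text=True, check=False)
    return insecure_entries(proc.stdout)


# Constructed listing: a build-tree path and "." leaked into RUNPATH, the
# pattern of flaw the advisory describes.
SAMPLE_LISTING = """\
Dynamic section at offset 0x2d48 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib/example:.:/tmp/buildd/example-1.0/lib]
 0x000000000000000c (INIT)               0x1000
"""

if __name__ == "__main__":
    for finding in insecure_entries(SAMPLE_LISTING):
        print(finding)
```

To sweep an installed system, call `scan_file()` over `/usr/bin`, `/usr/sbin` and `/usr/lib`; anything it reports for a setuid or setgid binary deserves immediate attention, since the planted library would run with the elevated privileges.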

5. Horde Help Viewer Remote PHP Code Execution Vulnerability
BugTraq ID: 17292
Remote: Yes
Date Published: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/17292
Summary:
Horde is prone to a remote PHP code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary malicious PHP 
code in the context of the webserver process. This may help the 
attacker compromise the application and the underlying system; other 
attacks are also possible.

Horde versions 3.0 up to 3.0.9 and 3.1.0 are vulnerable; other versions 
may also be affected.

6. FreeRadius RLM_SQLCounter SQL Injection Vulnerability
BugTraq ID: 17294
Remote: Yes
Date Published: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/17294
Summary:
FreeRADIUS is prone to an SQL-injection vulnerability. This issue is 
due to a failure in the application to properly sanitize user-supplied 
input before using it in an SQL query.

Successful exploitation could allow an attacker to compromise the 
application, access or modify data, or exploit vulnerabilities in the 
underlying database implementation.

7. Tetris-BSD Tetris-bsd.scores Local Privilege Escalation Vulnerability
BugTraq ID: 17308
Remote: No
Date Published: 2006-03-29
Relevant URL: http://www.securityfocus.com/bid/17308
Summary:
Tetris-BSD is prone to a local privilege-escalation vulnerability. The 
issue results from a design error.

A local attacker can leverage this issue to exploit latent 
vulnerabilities in applications by overwriting shared game data files.

8. DIA XFIG File Import Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 17310
Remote: Yes
Date Published: 2006-03-29
Relevant URL: http://www.securityfocus.com/bid/17310
Summary:
Dia is affected by multiple remote buffer-overflow vulnerabilities. 
These issues are due to the application's failure to properly bounds-check 
user-supplied input before copying it into insufficiently sized memory 
buffers.

These issues allow remote attackers to execute arbitrary machine code 
in the context of the user who opens an attacker-supplied malicious XFig 
file in the affected application.

9. GNU Mailman Attachment Scrubber Malformed MIME Message Denial Of Service Vulnerability
BugTraq ID: 17311
Remote: Yes
Date Published: 2006-03-29
Relevant URL: http://www.securityfocus.com/bid/17311
Summary:
GNU Mailman is prone to denial-of-service attacks. This issue affects 
the attachment-scrubber utility.

The vulnerability could be triggered by mailing-list posts and will 
affect the availability of mailing lists hosted by the application.

This issue presents itself only when Mailman is used with version 2.5 
of the Python 'email' package.

10. Samba Machine Trust Account Local Information Disclosure Vulnerability
BugTraq ID: 17314
Remote: No
Date Published: 2006-03-30
Relevant URL: http://www.securityfocus.com/bid/17314
Summary:
Samba is susceptible to a local information-disclosure vulnerability. 
This issue is due to a design error that potentially leads to sensitive 
information being written to log files. This occurs when the debugging 
level has been set to 5 or higher.

This issue allows local attackers to gain access to the machine trust 
account of affected computers. Attackers may then impersonate the 
affected server in the domain. By impersonating the member server, attackers 
may gain access to further sensitive information, including the users 
and groups in the domain; other information may also be available. This 
may aid attackers in further attacks.

Samba versions 3.0.21 through to 3.0.21c that use the 'winbindd' daemon 
are susceptible to this issue.

11. BusyBox Insecure Password Hash Weakness
BugTraq ID: 17330
Remote: Yes
Date Published: 2006-03-31
Relevant URL: http://www.securityfocus.com/bid/17330
Summary:
BusyBox is susceptible to an insecure password-hash weakness. This 
issue is due to a design flaw that results in password hashes being created 
in an insecure manner.

This issue allows attackers who obtain password hashes by some other 
means (such as exploiting another vulnerability) to recover the passwords 
with precomputed hash tables instead of brute-forcing each hash individually.
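The page does not spell out how BusyBox built its hashes, so the example below shows the general weakness rather than BusyBox's code: when a hash carries no per-user salt (or reuses one), identical passwords produce identical hashes and one table computed in advance cracks every stolen file with a lookup per user; a random per-user salt forces the attacker to hash the whole wordlist again for each user. This is an added example, not from the original newsletter or from BusyBox. SHA-256 stands in for whatever crypt() variant a real system uses, and the user names, passwords and wordlist are constructed.

```python
"""Why an unsalted (or reusable-salt) password hash is open to precomputation.

Added example, not BusyBox code. SHA-256 is a stand-in for the system's
crypt() variant; the shadow entries, wordlist and user names are constructed.
"""
import hashlib
import os
from typing import Dict, List, Tuple

WORDLIST = ["password", "letmein", "123456", "qwerty", "hunter2"]


def hash_unsalted(password: str) -> str:
    """The weak way: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Per-user random salt stored alongside the digest as 'hexsalt$digest'."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return hash_salted(password, bytes.fromhex(salt_hex)) == stored


def build_table(wordlist: List[str]) -> Dict[str, str]:
    """Precompute hash -> password once; reusable against every unsalted file."""
    return {hash_unsalted(w): w for w in wordlist}


def crack_with_table(table: Dict[str, str], shadow: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per user and no hashing at attack time."""
    return {user: table[h] for user, h in shadow.items() if h in table}


def crack_salted(wordlist: List[str], shadow: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts the table is useless: every (user, word) pair must be
    hashed afresh. Returns the hits and the number of hash computations spent."""
    hits: Dict[str, str] = {}
    work = 0
    for user, stored in shadow.items():
        for word in wordlist:
            work += 1
            if verify_salted(word, stored):
                hits[user] = word
                break
    return hits, work


# Constructed shadow entries: alice and bob happen to share a password,
# which the unsalted file gives away before any cracking is done.
PASSWORDS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse"}
UNSALTED_SHADOW = {u: hash_unsalted(p) for u, p in PASSWORDS.items()}
SALTED_SHADOW = {u: hash_salted(p, os.urandom(8)) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted, table lookup :", crack_with_table(table, UNSALTED_SHADOW))
    print("salted, table lookup   :", crack_with_table(table, SALTED_SHADOW))
    print("salted, per-user search:", crack_salted(WORDLIST, SALTED_SHADOW))
```

The salt only multiplies the attacker's work by the number of users; a production scheme also needs a deliberately slow hash so that each of those computations is expensive, which a plain SHA-256 as used here is not.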

12. Util-VServer SUEXEC Privilege Escalation Weakness
BugTraq ID: 17361
Remote: Yes
Date Published: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/17361
Summary:
The util-vserver package for the Linux-VServer project is susceptible 
to a privilege-escalation weakness.

This issue allows remote attackers that exploit latent vulnerabilities 
in services to potentially gain superuser privileges in a guest virtual 
server. This may aid them in further attacks.

13. PHP PHPInfo Large Input Cross-Site Scripting Vulnerability
BugTraq ID: 17362
Remote: Yes
Date Published: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/17362
Summary:
PHP is prone to a cross-site scripting vulnerability. This issue is due 
to a failure in the application to properly sanitize user-supplied 
input.

An attacker may leverage this issue to have arbitrary script code 
executed in the browser of an unsuspecting user in the context of the 
affected site. This may help the attacker steal cookie-based authentication 
credentials and launch other attacks.

14. MPG123 Malformed MP3 File Memory Corruption Vulnerability
BugTraq ID: 17365
Remote: Yes
Date Published: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/17365
Summary:
The mpg123 application is prone to a memory-corruption vulnerability 
related to the handling of MP3 streams.

An attacker may be able to exploit this vulnerability to execute 
arbitrary code in the context of the user running the player, but this has 
not been confirmed.

This issue may be related to the one described in BID 12218 (MPG123 
Layer 2 Frame Header Heap Overflow Vulnerability).

15. HP Color LaserJet 2500/4600 Toolbox Directory Traversal Vulnerability
BugTraq ID: 17367
Remote: Yes
Date Published: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17367
Summary:
The HP Color LaserJet 2500/4600 Toolbox is prone to a 
directory-traversal vulnerability. This issue is due to a failure in the application to 
properly sanitize user-supplied input.

An attacker can exploit this vulnerability to retrieve arbitrary files 
from the vulnerable system in the context of the affected application. 
Information obtained may aid attackers in further attacks.

16. Kaffeine Remote HTTP_Peek Buffer Overflow Vulnerability
BugTraq ID: 17372
Remote: Yes
Date Published: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17372
Summary:
Kaffeine is reportedly affected by a remote buffer-overflow 
vulnerability. The problem results from insufficient boundary checks on 
user-supplied strings before they are copied into fixed-size stack-based 
buffers.

An attacker can leverage this issue remotely to execute arbitrary code 
on an affected computer with the privileges of the user running the 
vulnerable software.

III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. IPtables and C programming??
http://www.securityfocus.com/archive/91/429848

2. Systrace 1.6: Phoenix Release for Linux
http://www.securityfocus.com/archive/91/428672

V.   SPONSOR INFORMATION
------------------------
Test your Network Security Free with QualysGuard
Requiring NO software, QualysGuard will safely and accurately test your 
network and provide you with the necessary fixes to proactively guard 
your network. Try QualysGuard Risk Free with No Obligation.

http://www.securityfocus.com/cgi-bin/ib.pl