Date: Mon, 2 Feb 2004 13:10:31 -0700 (MST)
From: "John Boletta" <jboletta@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #169

SecurityFocus Linux Newsletter #169
------------------------------------

This issue sponsored by: Tenable Network Security

Doing network vulnerability scanning? Did you have to ask for permission?
Did you have to beg for forgiveness from the admins you caused panic and
disruption to?  Try NeVO, the world's only 100% passive vulnerability
scanner, from Tenable Network Security!

http://www.securityfocus.com/sponsor/TenableSecurity_linux-secnews_040202

For your 30 day demo please contact: sales@tenablesecurity.com
------------------------------------------------------------------------

I. FRONT AND CENTER
     1. The Soft Underbelly: Attacking the Client
     2. Digital Signatures and European Laws
     3. Worms Hit Home
     4. We are pleased to announce a new search engine on SecurityFocus.
II. LINUX VULNERABILITY SUMMARY
     1. Gaim Multiple Remote Boundary Condition Error Vulnerabilitie...
     2. Antologic Antolinux Administrative Interface NDCR Parameter ...
     3. Cherokee Error Page Cross Site Scripting Vulnerability
     4. Xoops Viewtopic.php Cross-Site Scripting Vulnerability
     5. TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerabi...
     6. Macromedia ColdFusion MX Security Sandbox Circumvention Vuln...
     7. Third-party CVSup Binary Insecure ELF RPATH Library Replacem...
III. LINUX FOCUS LIST SUMMARY
     1. UNIX Authentication (Thread)
     2. Shadow files and the password "!!". (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Immunity CANVAS
     2. SecretAgent
     3. Cyber-Ark Inter-Business Vault
     4. EnCase Forensic Edition
     5. KeyGhost SX
     6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
     1. Andutteye Surveillance (server) v1.16
     2. PIKT - Problem Informant/Killer Tool v1.16.1
     3. DNS Blacklist Packet Filter v0.1
     4. MUTE File Sharing v0.2.2
     5. Socks Server 5 v2.4r7
     6. Scapy v0.9.
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. The Soft Underbelly: Attacking the Client
By Tom Vogt

This article discusses the lack of security inside many corporate networks
once hackers have breached the border perimeter and firewall. Client-based
attack vectors, malicious payloads and their potential impact to an
organization are also discussed.

http://www.securityfocus.com/infocus/1758

2. Digital Signatures and European Laws
By Mirella Mazzeo

This article discusses the security requirements for electronic
communications and commerce with European governments and many
European-based businesses. It will also give an overview of the current
trends for public key infrastructure in Europe, useful for any
organization that does business with the EU.

http://www.securityfocus.com/infocus/1756

3. Worms Hit Home
By Kelly Martin

The fact that each of us can only control and manage the patches and virus
definitions on machines within our own borders means little as we watch
the promulgation of malcode on millions of home machines outside of our
control.

http://www.securityfocus.com/columnists/216

4. We are pleased to announce a new search engine on SecurityFocus,
offering faster and more intuitive results. Features include site-wide or
section-specific searching by author, headline or entire document and
sorting by date, headline or URL.


II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Gaim Multiple Remote Boundary Condition Error Vulnerabilitie...
BugTraq ID: 9489
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9489
Summary:
Gaim is an instant messaging client that supports numerous protocols. It
is available for the Unix and Linux platforms.

Several vulnerabilities in the handling of the YMSG protocol, the Oscar
protocol, proxy handling, and Gaim utilities have been identified.  Because
of these issues, it may be possible for a remote attacker to gain
unauthorized access to hosts using the vulnerable software.

Reports indicate the following 12 problems:

Due to two errors in the handling of the octal decoding code used for
e-mail notification, it is possible to create a condition suitable for
heap-based overflow attacks.

An overflow in the parsing of Yahoo Web cookies in HTTP headers exists
when handling a specially prepared cookie.  Initial reports indicate a low
possibility of exploitation due to circumstances in memory management of
various platforms.

There is insufficient bounds checking of data returned from the Yahoo!
Login page.  Name and Value strings returned to the client from a system
purporting to be the Yahoo! Login page could potentially result in the
execution of arbitrary code on the client side.

The YMSG protocol handler is vulnerable to a buffer overflow when handling
keynames of excessive sizes, usually greater than 64 bytes.  Remote
communications with maliciously crafted keynames can be forwarded through
the Yahoo! server.

An integer overflow exists in the DirectIM handling by Gaim.  A remote
user sending a value to a vulnerable Gaim client with a payload length of
UINT_MAX will result in an overflow in the calloc function.

Due to two errors in the handling of the Quoted Printable decoding code
used for e-mail notification, it is possible to create conditions suitable
for heap-based overflow attacks.

The URI parsing utility contains an overflow in the handling of specially
crafted URIs.  An attacker could pass along a URI of excessive length to
create an exploitable stack overflow.

The Get User Info utility performs inadequate bounds checking on data
received from the YMSG and MSN protocol handlers.  Because of this, it is
possible for a remote attacker to exploit a stack overflow in the utility
to execute arbitrary code.

A client-side overflow in the handling of HTTP proxy connections exists in
Gaim.  A remote proxy sending a string of data in excess of 8192 bytes
could potentially create an exploitable stack overflow on the client
system.

These issues are undergoing further analysis and will be separated into
individual BIDs when analysis is complete.

*Update: Ultramagnetic, a concurrent fork of the Gaim instant messaging
software, has also been reported to be affected by the issues listed under
CAN-2004-0006, CAN-2004-0007 and CAN-2004-0008.
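The DirectIM length problem above, shown in miniature as an added example (this is not Gaim's code and not from the advisory): a peer-supplied 32-bit length is extended by one byte for a terminator before calloc, so a length of UINT_MAX wraps the sum to zero and the later copy overruns the small block; the hardened version refuses the length before allocating. DIRECTIM_MAX_PAYLOAD is an assumed policy ceiling, not a value from Gaim.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on one DirectIM payload (not Gaim's value); the
 * point is that an explicit ceiling exists at all. */
#define DIRECTIM_MAX_PAYLOAD (64u * 1024u * 1024u)

/* Vulnerable pattern: the 32-bit length from the peer is extended by one
 * byte for a NUL terminator in 32-bit arithmetic.  With len == UINT32_MAX
 * the sum wraps to 0, calloc(0, 1) returns a minimal block, and the copy
 * of len bytes that follows overruns the heap. */
uint32_t vulnerable_alloc_size(uint32_t len) {
    return len + 1;                 /* wraps: UINT32_MAX + 1 == 0 */
}

/* Hardened: reject a length that cannot be extended, enforce the ceiling,
 * and only then do the arithmetic in size_t.  Returns 0 on rejection,
 * which is never a valid size because the minimum is 1. */
size_t safe_alloc_size(uint32_t len) {
    if (len == UINT32_MAX) return 0;          /* len + 1 would wrap */
    if (len > DIRECTIM_MAX_PAYLOAD) return 0; /* policy limit */
    return (size_t)len + 1;
}

/* Receive a payload into a fresh NUL-terminated buffer, or NULL when the
 * advertised length is unacceptable.  Caller frees the result. */
char *receive_payload(uint32_t len, const unsigned char *data) {
    size_t n = safe_alloc_size(len);
    if (n == 0) return NULL;
    char *buf = calloc(n, 1);
    if (buf == NULL) return NULL;
    memcpy(buf, data, len);         /* len < n, so this cannot overrun */
    return buf;
}

/* Self-check on a constructed message: the normal case round-trips and the
 * hostile length is refused.  Returns 1 when both behave as expected. */
int directim_demo(void) {
    static const unsigned char msg[] = "hello";   /* constructed input */
    char *ok = receive_payload(5, msg);
    int good = ok != NULL && strcmp(ok, "hello") == 0;
    free(ok);
    return good && receive_payload(UINT32_MAX, msg) == NULL;
}
```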

2. Antologic Antolinux Administrative Interface NDCR Parameter ...
BugTraq ID: 9495
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9495
Summary:
Antologic Antolinux is a Linux-based server.  The server is shipped with
an administrative interface written in PHP.

A vulnerability has been reported to exist in the administration interface
of the product that may allow a remote attacker to execute arbitrary
commands on vulnerable systems.  The issue reportedly exists in the 'NDCR'
parameter of the software.  Due to insufficient sanitization of
user-supplied input, data supplied to this variable will be interpreted in
the shell.  An attacker can exploit this vulnerability by passing
malicious shell metacharacters to the software in order to execute
arbitrary commands with the privileges of the server hosting the
vulnerable software.  It has been demonstrated that an attacker may gain
access to the password file by carrying out a 'cat' command.  An attacker
may need to spoof the HTTP REFERER to carry out successful exploitation.

Antologic Antolinux 1.0 has been reported to be prone to this issue,
however, other versions may be affected as well.

3. Cherokee Error Page Cross Site Scripting Vulnerability
BugTraq ID: 9496
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9496
Summary:
Cherokee is a web server distributed under the GNU public license.  It is
available for numerous platforms, including Microsoft Windows and
Unix/Linux variants.

Cherokee has been reported to contain a cross-site scripting
vulnerability.  This issue is due to the server failing to check and
filter user-supplied strings issued to the server in a web request, which
are then included directly in error output.

An attacker can exploit this issue by crafting a URI link containing the
malevolent HTML or script code, and enticing a user to follow it.  If this
link were followed, the hostile code may be rendered in the web browser of
the victim user. This would occur in the security context of the affected
web server and may allow for theft of cookie-based authentication
credentials or other attacks.

4. Xoops Viewtopic.php Cross-Site Scripting Vulnerability
BugTraq ID: 9497
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9497
Summary:
Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.

A vulnerability has been reported to exist in Xoops that may allow a
remote user to execute HTML or script code in a user's browser.

The issue is reported to exist due to improper sanitizing of user-supplied
data. It has been reported that HTML and script code may be parsed via the
'topic_id' and 'forum' URI parameters of the 'newbb/viewtopic.php' script.
This vulnerability makes it possible for an attacker to construct a
malicious link containing HTML or script code that may be rendered in a
user's browser upon visiting that link. This attack would occur in the
security context of the site.

Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.

Xoops versions 2.x have been reported to be prone to this issue.

5. TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerabi...
BugTraq ID: 9507
Remote: Yes
Date Published: Jan 27 2004
Relevant URL: http://www.securityfocus.com/bid/9507
Summary:
tcpdump is a freely available, open source network monitoring tool. It is
available for the Unix, Linux, and Microsoft Windows operating systems.

A vulnerability has been identified in the software that may allow a
remote attacker to cause a denial of service condition in the software.
The issue occurs due to the way tcpdump decodes Internet Security
Association and Key Management Protocol (ISAKMP) packets.  A remote
attacker may cause the software to enter an infinite loop by sending
malformed ISAKMP packets resulting in a crash or hang.

Although unconfirmed, due to the nature of this issue, an attacker may
leverage the issue by exploiting an unbounded memory copy operation to
overwrite the saved return address/base pointer, causing an affected
procedure to return to an address of their choice. Successful exploitation
of this issue may allow an attacker to execute arbitrary code with the
privileges of the tcpdump process in order to gain unauthorized access.

tcpdump versions prior to 3.8.1 have been reported to be prone to this
issue.

6. Macromedia ColdFusion MX Security Sandbox Circumvention Vuln...
BugTraq ID: 9521
Remote: No
Date Published: Jan 28 2004
Relevant URL: http://www.securityfocus.com/bid/9521
Summary:
ColdFusion MX is the application server for developing and hosting
infrastructure distributed by Macromedia. It is available as a standalone
product for Unix, Linux, and Microsoft Operating Systems.

ColdFusion MX has been reported prone to a security sandbox circumvention
vulnerability. The issue is reported to exist because programmers have the
ability to create instances of classes without using "CreateObject()" or
"<cfobject>" tags. It has been reported that the security sandbox does not
prevent this behavior.

This issue cannot be exploited remotely, but the vulnerability may present
a danger in a shared hosted environment.

An attacker may exploit this issue to circumvent the security sandbox of
ColdFusion MX.

This issue has been reported to affect ColdFusion MX 6.1.

7. Third-party CVSup Binary Insecure ELF RPATH Library Replacem...
BugTraq ID: 9523
Remote: No
Date Published: Jan 29 2004
Relevant URL: http://www.securityfocus.com/bid/9523
Summary:
CVSup is a network file distribution utility that is intended to be used
with CVS repositories.  It is available for various Unix/Linux
derivatives.

It has been reported that some third-party vendor-supplied CVSup binaries
may have an insecure ELF RPATH that includes world-writeable directories
in the path.  This variable is used to specify the run-time search path
for ELF objects.  A local attacker could exploit this issue by placing
malicious libraries in these directories, which would be dynamically
linked against at run-time when the cvsup, cvsupd or cvpasswd programs are
executed.  This would result in execution of arbitrary code with elevated
privileges.

This issue was reported to affect CVSup RPMs that ship with SuSE Linux.
Other distributions may also be affected.  In the instance of SuSE, the
/home/anthon and /usr/src/packages directories included in the search path
may be world-writeable, depending on the value of the PERMISSIONS_SECURITY
setting in the /etc/sysconfig/security configuration file.  Statically
linked versions of the software should not be affected by this issue.
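An added audit check in C for the RPATH condition described above (not part of the advisory or of CVSup): given the colon-separated RPATH/RUNPATH string that `readelf -d` prints for a binary, it counts entries that are world-writable directories or that are not absolute paths. The self-check builds a constructed world-writable scratch directory next to an assumed-safe "/usr/lib" entry, so it runs without a vulnerable binary.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if 'dir' exists, is a directory and is writable by "other": the
 * condition the report describes for /home/anthon and /usr/src/packages. */
int dir_is_world_writable(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return (st.st_mode & S_IWOTH) != 0;
}

/* Counts unsafe entries in a colon-separated RPATH/RUNPATH string as shown
 * by `readelf -d <binary>`.  An entry is unsafe when the directory is
 * world-writable or when it is not an absolute path: an empty entry or "."
 * means the current working directory, and $ORIGIN-relative entries are
 * flagged for manual review rather than resolved here. */
int count_unsafe_rpath_entries(const char *rpath) {
    int unsafe = 0;
    const char *p = rpath;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char entry[4096];
        if (len >= sizeof entry) len = sizeof entry - 1;
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (entry[0] != '/' || dir_is_world_writable(entry)) unsafe++;
        if (end == NULL) break;
        p = end + 1;
    }
    return unsafe;
}

/* Self-check with a constructed world-writable scratch directory: the
 * RPATH "/usr/lib:<scratch>" must yield exactly one unsafe entry.
 * Returns -1 if no scratch directory could be created. */
int rpath_demo(void) {
    char tmpl1[] = "/tmp/rpathdemo.XXXXXX";
    char tmpl2[] = "./rpathdemo.XXXXXX";   /* fallback: relative, so flagged */
    char *dir = mkdtemp(tmpl1);
    if (dir == NULL) dir = mkdtemp(tmpl2);
    if (dir == NULL) return -1;
    char rpath[4200];
    int result = -1;
    if (chmod(dir, 0777) == 0) {       /* make it world-writable on purpose */
        snprintf(rpath, sizeof rpath, "/usr/lib:%s", dir);
        result = count_unsafe_rpath_entries(rpath);
    }
    rmdir(dir);
    return result;
}
```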


III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. UNIX Authentication (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/352108

2. Shadow files and the password "!!". (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/351826


IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility, supporting
cross-platform interoperability over a wide range of platforms: Windows,
Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, regardless
of the size of your organization.

Using the latest recognized standards in encryption and digital signature
technology, SecretAgent ensures the confidentiality, integrity, and
authenticity of your data.

3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features for
computer forensics and investigations. With an intuitive GUI and superior
performance, EnCase Version 4 provides investigators with the tools to
conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields completely
non-invasive computer forensic investigations while allowing examiners to
easily manage large volumes of computer evidence and view all relevant
files, including "deleted" files, file slack and unallocated space.

The integrated functionality of EnCase allows the examiner to perform all
functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data
in its own internal memory (not on the hard drive), it is impossible for
a network intruder to gain access to any sensitive data stored within the
device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.


V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Andutteye Surveillance (server) v1.16
By: andutt
Relevant URL: http://www.utterberg.com
Platforms: Linux
Summary:

Andutteye is surveillance software for Linux and Unix systems. It's used to
monitor your system, resolve local actions, and send alarms to a central
point. You can manage your client configurations, view and handle the
incoming alarms, and have FAQ entries on well known alarms.

2. PIKT - Problem Informant/Killer Tool v1.16.1
By: Robert Osterlund, robert.osterlund@gsb.uchicago.edu
Relevant URL: http://pikt.org
Platforms: AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS
Summary:

PIKT is a cross-platform, multi-functional toolkit for monitoring systems,
reporting and fixing problems, and managing system configurations. It
consists of an embedded scripting language with unique, labor-saving
features, a script and system config file preprocessor, a scheduler, an
installer, and other tools.

3. DNS Blacklist Packet Filter v0.1
By: Russell Miller
Relevant URL:
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX
Summary:

DNS Blacklist Packet Filter is a BSD/Linux netfilter client that decides
whether to accept or drop packets based on the results of a DNS blacklist
query (such as MAPS, SORBS, or SPEWS, to name a few). One use is to filter
all incoming SMTP SYN packets for spam filtering.

4. MUTE File Sharing v0.2.2
By: Jason Rohrer
Relevant URL: http://mute-net.sourceforge.net/
Platforms: Linux, MacOS, Os Independent, Windows 2000, Windows 95/98
Summary:

MUTE File Sharing is an anonymous, decentralized search-and-download file
sharing system. Several people have described MUTE as the "third
generation file sharing network" (from Napster to Gnutella to MUTE, with
each generation getting less centralized and more anonymous). MUTE uses
algorithms inspired by ant behavior to route all messages, including file
transfers, through a mesh network of neighbor connections.

5. Socks Server 5 v2.4r7
By: Matteo Ricchetti
Relevant URL: http://digilander.iol.it/matteo.ricchetti/
Platforms: Linux
Summary:

Socks Server 5 is a socks server for the Linux platform which supports the
Socks protocol versions 4 and 5.

6. Scapy v0.9.
By: Philippe Biondi
Relevant URL: http://www.cartel-securite.fr/pbiondi/scapy.html
Platforms: Linux, POSIX
Summary:

Scapy is a powerful interactive packet manipulation tool, packet
generator, network scanner, network discovery tool, and packet sniffer. It
provides classes to interactively create packets or sets of packets,
manipulate them, send them over the wire, sniff other packets from the
wire, match answers and replies, and more. Interaction is provided by the
Python interpreter, so Python programming structures can be used (such as
variables, loops, and functions). Report modules are possible and easy to
make. It is intended to do about the same things as ttlscan, nmap, hping,
queso, p0f, xprobe, arping, arp-sk/arpspoof, firewalk, irpas, tethereal,
and tcpdump.

VII. SPONSOR INFORMATION
------------------------
This issue sponsored by: Tenable Network Security

Doing network vulnerability scanning? Did you have to ask for permission?
Did you have to beg for forgiveness from the admins you caused panic and
disruption to?  Try NeVO, the world's only 100% passive vulnerability
scanner, from Tenable Network Security!

http://www.securityfocus.com/sponsor/TenableSecurity_linux-secnews_040202

For your 30 day demo please contact: sales@tenablesecurity.com
------------------------------------------------------------------------