
Date: Mon, 7 Jan 2002 11:49:04 -0700 (MST)
From: John Boletta <jboletta@securityfocus.com>
To: linux-secnews@securityfocus.com

SecurityFocus Linux Newsletter #62
----------------------------------

Announcing THE SECURITY eMARKETING REPORT

SecurityFocus is proud to introduce the Security eMarketing Report, the
monthly HTML e-mail publication tailored specifically to the on-line
marketing needs of security professionals. Along with monthly
SecurityFocus Web site traffic statistics, this publication will feature
content written by industry experts on a variety of topics including, but
not limited to:

     ** Case Studies
     ** Industry News
     ** Columnists
     ** Guest Interviews
     ** Success Stories
     ** Techniques

To subscribe, please send an email to smr@securityfocus.com.

To see last month's issue, go to:
http://www.securityfocus.com/advertising/newsletter/smr_001.htm

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Special Event: Information Security in the Age of Terrorism
     2. IPTables Linux firewall with packet string-matching support
     3. SecurityFocus is Hiring!
II. LINUX VULNERABILITY SUMMARY
     1. DeleGate Cross-Site Scripting Vulnerability
     2. Last Lines CGI Script Directory Traversal Vulnerability
     3. DayDream BBS Control Code Multiple Buffer Overflow Vulnerability
     4. Last Lines CGI Script Remote Command Execution Vulnerability
     5. Abe Timmerman zml.cgi File Disclosure Vulnerability
     6. Cherokee HTTPD Directory Traversal Vulnerability
     7. Cherokee HTTPD Remote Command Execution Vulnerability
     8. GPM-Root Format String Vulnerability
     9. Cherokee HTTPD Insecure Privilege Release Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. About named port binding (Thread)
     2. Locking Down a Linux Box (Thread)
     3. DHCP and Firewall Problem (Thread)
     4. local auditing tools (Thread)
     5. chroot for sftpd ? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. SiteMinder 4.6
     2. F-Secure Anti-Virus for Linux
     3. PowerPassword 2.6
V. NEW TOOLS FOR LINUX PLATFORMS
     1. MailScanner v3.00-3
     2. Slackware Administrators Security Toolkit v0.1.3.1
     3. Oidentd v2.0.3
     4. PCX Firewall v2.11
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Special Event: Information Security in the Age of Terrorism
(March 25-26, 2002, Washington DC)

Join an impressive faculty to learn strategic tools to safeguard your
trade secrets and assets at Financial Research Associates' conference on
Information Security in the Age of Terrorism, March 25-26 in Washington
DC. Learn about the burgeoning relationships between terrorist
organizations and hackers, the impact of better funded and organized
hackers, how to protect your organization and much more. This event
focuses on practical security strategies with practitioner case studies
and features an all-star faculty. To see a detailed conference brochure,
go to http://www.frallc.com, or call for more information at
800-280-8440.

2. IPTables Linux firewall with packet string-matching support
by Anton Chuvakin, Ph.D.

Linux firewalling code has come a long way since the time ipfwadm was
introduced in kernel version 1.2.1 in 1995. Ipfwadm enabled standard
TCP/IP packet filtering features such as filtering by source/target
addresses and port numbers. Then, in early 1999, when the first stable
2.2.0 kernel was released, firewalling code was replaced with new
ipchains-controlled code. New features included support for chains of
rules, fragmentation handling, better network address translation (NAT)
support and several usability improvements. Readers should be reminded
that Linux firewalling includes kernel-level code (usually in the form of
a loadable module or a kernel source patch) and user-level code (a control
utility such as /usr/bin/ipchains, which is used to insert packet rules
into kernel-space). Thus whenever new Linux firewalling code was
introduced it involved both a kernel and a userspace code rewrite.

http://www.securityfocus.com/infocus/1531

3. SecurityFocus is Hiring!

SecurityFocus is currently looking for a programmer/debugger for its
Threat Analysis teams. This position requires skillsets which I have
outlined below.

These positions require the staff members to be located in Calgary,
Alberta, Canada. Relocation assistance is possible from within Canada.
Skills will require verification by the way of an actual practical test
before an in-person interview is secured.

Skills required:

        - Expertise with SoftICE & IDA Pro (or similar tools).
        - Expertise with x86 assembly language
        - Programming ability in C & C++, targeting both the Unix and
          Windows platforms
        - Strong report writing skills and ability to interface with
          customers.

Additional skills preferred:

        - Working knowledge of computer viruses, worms, and trojans
          propagation techniques
        - Working knowledge of honeypots.

Personal Skills Required:

Any applicant must be able to work in a team environment and deal with
very tight deliverables. An outgoing pleasant personality is an absolute
requirement. No rockstars, no prima donnas.

About SecurityFocus

SecurityFocus is the leading provider of security intelligence products
and services for business. They include SIA (Security Intelligence Alert),
which alerts subscribers to security vulnerabilities, and ARIS (Attack
Registry & Intelligence Service), which predicts cyber assaults on
customer networks, based on global attack data. SecurityFocus also
licenses the world's largest and most comprehensive vulnerability
information database, hosts the most popular security community mailing
list on the Internet, Bugtraq, and publishes original security content on
its Web site.

Please send resumes if interested to Alfred Huger ah@securityfocus.com

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. DeleGate Cross-Site Scripting Vulnerability
BugTraq ID: 3749
Remote: Yes
Date Published: Dec 28 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3749
Summary:

DeleGate is a proxy server which runs on Linux, Unix, Microsoft Windows
and OS/2 platforms. It is capable of translating a number of protocols
(HTTP, FTP, NNTP, POP, Telnet, etc.) between client and server.

DeleGate is prone to cross-site scripting attacks.

HTML tags are not filtered from links to error pages, for example a page
that displays a 403 error message, or a custom error page created by the
administrator and displayed using DeleGate's MOUNT option.

As a result, it is possible for an attacker to insert malicious script
code into a link to a site running DeleGate. When a web user clicks the
link an error page will be displayed and the script code will be executed
in the web user's browser, in the context of the site running DeleGate.

Such an attack may be used to steal a legitimate user's cookie-based
authentication credentials.
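The defect described above is a reflected error page that copies the requested link into its HTML without encoding it. The following is an added example (not DeleGate code, and not from the advisory) showing that pattern beside the fix: the request path is entity-encoded with Python's html.escape before it is placed in the 403 page, so a crafted link is displayed as text rather than interpreted as markup. The page template, function names and sample path are assumptions made for the example.

```python
import html

# Assumed minimal 403 page template; the request path is the only dynamic part.
_TEMPLATE = (
    "<html><head><title>403 Forbidden</title></head><body>"
    "<h1>403 Forbidden</h1><p>Access to {path} is denied.</p>"
    "</body></html>"
)


def render_forbidden_unescaped(request_path):
    """The vulnerable pattern: the path is interpolated verbatim, so any
    markup carried in the link becomes part of the page."""
    return _TEMPLATE.format(path=request_path)


def render_forbidden(request_path):
    """Hardened form: every reserved HTML character in the path (<, >, &, ",
    ') is entity-encoded, so the browser renders it as literal text."""
    return _TEMPLATE.format(path=html.escape(request_path, quote=True))


def reflects_raw_markup(page, request_path):
    """True when the page still contains the request path byte-for-byte and
    that path carries angle brackets, i.e. markup was reflected unencoded."""
    return ("<" in request_path or ">" in request_path) and request_path in page


if __name__ == "__main__":
    # Constructed sample link: a harmless alert marker inside the path.
    sample = "/private/<script>alert(1)</script>"
    print(render_forbidden_unescaped(sample))   # reflects the tags
    print(render_forbidden(sample))             # reflects &lt;script&gt; instead
```

The same encoding rule applies to any other request-derived value (query string, Host header, referrer) that an error page echoes; the check function above only looks for reflected angle brackets and is meant as a regression test, not as a filter.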

2. Last Lines CGI Script Directory Traversal Vulnerability
BugTraq ID: 3754
Remote: Yes
Date Published: Dec 30 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3754
Summary:

Last Lines CGI is a freely available script written in Perl and maintained
by the Matrix's CGI Vault. It allows the user to print a specified number
of lines from a log file (or any text file) to a webpage. It can run on
Linux and Unix systems or any other platform with Apache and Perl support.

Lastlines.cgi does not sufficiently validate externally supplied input and
is therefore prone to directory traversal attacks. It is possible for a
remote attacker to submit a maliciously crafted web request, containing
'../' sequences, which is capable of breaking out of wwwroot and browsing
arbitrary web-readable files on a host running the vulnerable script.

3. DayDream BBS Control Code Multiple Buffer Overflow Vulnerability
BugTraq ID: 3757
Remote: Yes
Date Published: Dec 30 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3757
Summary:

DayDream BBS was originally written for AmigaOS, although a port is now
actively maintained for Linux and BSD based systems. DayDream is
conference based, and includes support for message boards, file transfers,
and doors.

It is possible to include control codes in text files displayed by
DayDream. They are interpreted and can be used to insert data such as the
current date or user name, or to perform actions. The command ~#MC is
used to introduce a menu command, and the commands ~#TF and ~#RA are used
to display text files. These three commands suffer from buffer overflow
vulnerabilities.

By associating extremely large parameters with these control codes, it is
possible to overflow a buffer in memory. This can be used to corrupt the
stack, and modify the return address of the affected function. It is
possible this could be used to execute arbitrary code.

If a user is able to include these control codes in posted messages, it
may be possible for a remote user of the BBS system to cause arbitrary
code to be executed. Under the recommended installation, DayDream runs as
a non-privileged user 'bbs'. However, successful exploitation of this
vulnerability may lead to local access to the system. Given local access,
it is often easier to obtain elevated privileges.

It has been reported that this vulnerability has been repaired in the
recent releases of DayDream, although it has not been reported on the
software homepage at the time this was written.

4. Last Lines CGI Script Remote Command Execution Vulnerability
BugTraq ID: 3755
Remote: Yes
Date Published: Dec 30 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3755
Summary:

Last Lines CGI is a freely available script written in Perl and maintained
by the Matrix's CGI Vault. It allows the user to print a specified number
of lines from a log file (or any text file) to a webpage. It can run on
Linux and Unix systems or any other platform with Apache and Perl support.

Lastlines.cgi does not sufficiently validate certain types of input from
web requests. It is possible for a remote attacker to submit a malicious
web request containing shell metacharacters (such as ';', '|', etc.) to
execute arbitrary commands on the host running the vulnerable script.
Commands will be executed with the privileges of the webserver process.

The impact of this vulnerability is that an attacker may gain local,
interactive access to the host.

5. Abe Timmerman zml.cgi File Disclosure Vulnerability
BugTraq ID: 3759
Remote: Yes
Date Published: Dec 31 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3759
Summary:

zml.cgi is a perl script which can be used to support server side include
directives under Apache. It recognizes a simple set of commands, and
allows access to cgi parameters and environment variables. It can run on
Linux and Unix systems or any other platform with Apache and Perl support.

zml.cgi accepts as a parameter the file to parse for these SSI directives.
This parameter is susceptible to the standard '../' directory traversal
attack, allowing arbitrary files to be specified. Although the script
attempts to append a .zml extension to any file accessed, appending a null
byte to the file parameter is sufficient to evade this restriction.

6. Cherokee HTTPD Directory Traversal Vulnerability
BugTraq ID: 3772
Remote: Yes
Date Published: Dec 29 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3772
Summary:

Cherokee is a compact web server which provides fast delivery of web
content. It is freely available and distributed under the GPL. It runs on
Linux and other Unix systems.

A vulnerability exists in Cherokee web server which may allow a remote
attacker to display arbitrary files.

Cherokee is prone to directory traversal attacks. This is due to
insufficient validation of externally supplied data, such as in web
requests. By appending '../' sequences to a web request, it is possible
for an attacker to break out of wwwroot and browse the filesystem of the
host.

Furthermore, another issue is known to exist in Cherokee which increases
the impact of this vulnerability dramatically. BugTraq ID 3771, "Cherokee
HTTPD Insecure Privilege Release Vulnerability" describes a problem in
which Cherokee web server fails to drop root privileges after binding to
port 80. The implication is that an attacker may browse any file on the
system, as the web server is running with root privileges.

7. Cherokee HTTPD Remote Command Execution Vulnerability
BugTraq ID: 3773
Remote: Yes
Date Published: Dec 29 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3773
Summary:

Cherokee is a compact web server which provides fast delivery of web
content. It is freely available and distributed under the GPL. It runs on
Linux and other Unix systems.

Cherokee web server is prone to an issue which may allow a remote attacker
to gain interactive access to the host running it.

Cherokee does not filter shell metacharacters from web requests. It is
therefore possible for a remote attacker to submit a malicious web request
containing arbitrary commands which will be executed on the shell with the
privileges of the webserver process.

Furthermore, another issue is known to exist in Cherokee which increases
the impact of this vulnerability to include a potential for remote root
compromise. BugTraq ID 3771, "Cherokee HTTPD Insecure Privilege Release
Vulnerability" describes a problem in which Cherokee web server fails to
drop root privileges after binding to port 80, causing any commands that
are executed by a remote attacker to have much greater consequences.

8. GPM-Root Format String Vulnerability
BugTraq ID: 3750
Remote: No
Date Published: Dec 28 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3750
Summary:

gpm (General Mouse Protocol) is a freely available, open source software
package in the public domain. It runs on Linux and other Unix systems.

A problem has been discovered in gpm that could allow local users to gain
elevated privileges. The problem is in the handling of format strings.

gpm does not properly handle format strings supplied by an arbitrary user.
A user may pass arbitrary format strings to the gpm-root program, which
could result in the execution of arbitrary code. The gpm program is
started by init with root privileges.

This problem may make it possible for a local user to gain administrative
privileges.

9. Cherokee HTTPD Insecure Privilege Release Vulnerability
BugTraq ID: 3771
Remote: Yes
Date Published: Dec 29 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3771
Summary:

Cherokee is a compact web server which provides fast delivery of web
content. It is freely available and distributed under the GPL. It runs on
Linux and other Unix systems.

A vulnerability exists in Cherokee web server.

Port 80 on Unix-based systems is a privileged port. Normally, when a web
server is run it will bind to port 80 as root and then drop privileges.
However, Cherokee does not properly implement the principle of "least
privilege", and fails to drop root privileges after it binds to port 80.

While this vulnerability is not exploitable in and of itself, Cherokee web
server is prone to a number of other issues which may result in a remote
root compromise as a consequence of this issue. For example, BugTraq ID
3773 "Cherokee HTTPD Remote Command Execution Vulnerability" and BugTraq
ID 3772 "Cherokee HTTPD Directory Traversal Vulnerability" may both be
exploited to much greater effect as a result of this issue.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. About named port binding (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=000901c1944d$8bab0c40$2e402fd3@antihong&threads=1

2. Locking Down a Linux Box (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=1010079119.1536.10.camel@localhost.localdomain&threads=1

3. DHCP and Firewall Problem (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=3.0.6.32.20020103105157.00987e80@mail.igrin.co.nz&threads=1

4. local auditing tools (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=EBEILKLJBHHLBGJAOPLNCEMHCAAA.ryany@pantek.com&threads=1

5. chroot for sftpd ? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=20020102101149.26084.qmail@mail.securityfocus.com&threads=1

IV. NEW PRODUCTS FOR LINUX PLATFORMS
-----------------------------------
1. SiteMinder 4.6
by Netegrity
Platforms: Linux, Solaris, Windows NT, AIX, HP-UX
Relevant URL:
http://www.netegrity.com/products/index.cfm?leveltwo=SiteMinder
Summary:

SiteMinder makes e-business web sites more secure and manageable by
providing a platform for centrally managing all applications, rather than
building proprietary user directories and access control systems into each
individual application. This centralized approach to security management
enables companies to greatly reduce administration cost and complexity.
SiteMinder delivers an integrated set of "shared" security and management
services, enabling companies to centralize authentication and access
control, and leverage these services across all users and applications on
an e-business web site. SiteMinder delivers single sign-on to all
applications by sharing authentication management information (who you
are), and entitlement management data (what you are allowed to access)
across your entire e-business environment.

2. F-Secure Anti-Virus for Linux
by F-Secure Corporation
Platforms: Linux
Relevant URL:
http://www.f-secure.com/products/anti-virus/linux.htm
Summary:

F-Secure Anti-Virus for Linux is an easy-to-use and up-to-date virus
scanner that can detect and disinfect viruses effectively. It scans and
removes viruses from networked or stand-alone workstations, and enables
system administrators to scan files on Linux servers that handle Web
sites, ftp sites, or file sharing on a LAN.

3. PowerPassword 2.6
by Symark Software
Platforms: Linux, UNIX, Solaris, AIX, HP-UX, IRIX, DG-UX, Tru64 UNIX
Relevant URL:
http://www.symark.com/
Summary:

Symark PowerPassword lets system administrators control which users can
log in to each UNIX machine under which circumstances. Using a flexible
login policy language, system administrators can specify such things as
what time of day a user may log in, who may log in over modem lines or
over the network, and whether additional passwords or authentication
schemes are used. PowerPassword also includes a flexible password-ageing
system, which is compatible with NIS and shadow passwords, and works
across an entire UNIX network. Also, PowerPassword can be easily
integrated with authentication mechanisms such as smart cards, to further
enhance login security. A free 30 day trial download is also available.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. MailScanner v3.00-3
by Julian Field
Relevant URL:
http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml
Platforms: AIX, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, SunOS
Summary:

MailScanner is an Email virus scanner and spam tagger. It supports
sendmail and Exim MTAs, and Sophos and McAfee anti-virus scanners. It is
very easy to install, and requires no changes at all to your sendmail.cf
file. It is designed to be lightweight, and so won't grind your mail
system to a halt with its load.

2. Slackware Administrators Security Toolkit v0.1.3.1
by John Jenkins mrgoblin@users.sourceforge.net
Relevant URL:
http://sourceforge.net/projects/sastk/
Platforms: Linux
Summary:

SAStk (Slackware Administrators Security tool kit) aims to provide a set
of tools and utilities to install and maintain a reasonable level of
security for the Slackware GNU/Linux distribution. At the same time, it
should ease administration with a new centralized initialization setup and
background information on what the daemons do.

3. Oidentd v2.0.3
by Ryan McCabe odin@numb.org
Relevant URL:
http://dev.ojnk.net/
Platforms: FreeBSD, Linux, OpenBSD, Solaris, SunOS
Summary:

oidentd is an RFC 1413 compliant ident daemon which runs on Linux,
FreeBSD, OpenBSD, and Solaris. It can handle IP masqueraded/NAT
connections on Linux, FreeBSD, and OpenBSD, and it has a flexible
mechanism for specifying ident responses. Users can be granted permission
to specify their own ident responses. Responses can be specified according
to host and port pairs.

4. PCX Firewall v2.11
by James A. Pattie
Relevant URL:
http://sourceforge.net/project/showfiles.php?group_id=21013
Platforms: Linux
Summary:

PCX Firewall is an IPTables firewalling solution that uses Perl to
generate static shell scripts based upon the user's configuration
settings. This allows the firewall to startup quickly, as it does not have
to parse config files every time it starts.

VI. SPONSORSHIP INFORMATION
---------------------------

-------------------------------------------------------------------------------