SecurityFocus Linux Newsletter #67

From: John Boletta (jboletta@securityfocus.com)
Date: 02/11/02


Date: Mon, 11 Feb 2002 12:22:11 -0700 (MST)
From: John Boletta <jboletta@securityfocus.com>
To: linux-secnews@securityfocus.com


SecurityFocus Linux Newsletter #67
----------------------------------

This issue is sponsored by SecurityFocus (http://www.securityfocus.com)

**SecurityFocus Promotion: Two Week Trial of SIA**

SecurityFocus(tm), a leading provider of enterprise security threat
management systems, announces new pricing for SIA(tm) our Security
Intelligence Alert Service. We are also offering a FREE two-week trial of
SIA between January 21st and March 15th, 2002.

SIA provides the most comprehensive and customizable vulnerability and
malicious code alerts available. SIA delivers complete, up-to-the-minute,
specific, actionable information that allows enterprises to prevent
attacks before they occur.

SIA allows you to:

**Fully protect your systems with comprehensive alerts that are specific
to your infrastructure. SIA allows you to specify down to the version
level those products for which you wish to receive alerts.

**Reduce the threat of network downtime from attacks. SIA provides
everything you need to know: thorough technical description of the attack,
workarounds or available patches, signatures for updating IDSs,
mitigation/disinfection strategies, etc.

**Save hours a day by not having to look through hundreds of emails or
dozens of websites. SIA allows you to prioritize your current
vulnerabilities and eliminate the highest risks first.

To take advantage of our FREE two-week trial offer and receive real-time
configuration-specific vulnerability and malicious code alerts, please
call toll-free 1-866-577-6300 in the United States and Canada, or
+1-650-655-6300 outside North America. You may also contact us at
sales@securityfocus.com, or click here
http://www.securityfocus.com/feedback to have a sales representative
contact you.

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. SecurityFocus is Hiring!
     2. Event Announcement
     3. The Devil You Know: Responding to Interface-based Insider Attacks
     4. Heuristic Techniques in AV Solutions: An Overview
II. LINUX VULNERABILITY SUMMARY
     1. Oracle TNS Listener Arbitrary Library Call Execution Vulnerability
     2. DCForum Predictable Password Generation Vulnerability
     3. Faq-O-Matic Cross-Site Scripting Vulnerability
     4. PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability
     5. Castelle Faxpress Plaintext Password Disclosure Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. iptables + strings: tutorial + script (Thread)
     2. apache and nimda (now iptables) (Thread)
     3. nimda and string match [Re: apache and nimbda] (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Luna XL
     2. Aventail ExtraNet Center
     3. hp secure OS software for Linux
V. NEW TOOLS FOR LINUX PLATFORMS
     1. p0f v1.8.2
     2. ifmonitor v0.13
     3. Leetnet client v1.2.8
     4. WaveStumbler v1.1.1
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. SecurityFocus is Hiring!

SecurityFocus is currently looking for a programmer/debugger for its
Threat Analysis teams. This position requires skillsets which I have
outlined below.

These positions require the staff members to be located in Calgary,
Alberta, Canada. Relocation assistance is possible from within Canada.
Skills will require verification by the way of an actual practical test
before an in-person interview is secured.

Skills required:

        - Expertise with SoftICE & IDA Pro (or similar tools).
        - Expertise with x86 assembly language
        - Programming ability in C & C++, targeting both the Unix and
          Windows platforms
        - Strong report writing skills and ability to interface with
          customers.

Additional skills preferred:

        - Working knowledge of computer viruses, worms, and trojans
          propagation techniques
        - Working knowledge of honeypots.

Personal Skills Required:

Any applicant must be able to work in a team environment and deal with
very tight deliverables. An outgoing, pleasant personality is an absolute
requirement. No rock stars, no prima donnas.

About SecurityFocus

SecurityFocus is the leading provider of security intelligence products
and services for business. They include SIA (Security Intelligence Alert),
which alerts subscribers to security vulnerabilities, and ARIS (Attack
Registry & Intelligence Service), which predicts cyber assaults on
customer networks, based on global attack data. SecurityFocus also
licenses the world's largest and most comprehensive vulnerability
information database, hosts the most popular security community mailing
list on the Internet, Bugtraq, and publishes original security content on
its Web site.

Please send resumes if interested to Alfred Huger ah@securityfocus.com

2. Event Announcement

THE PRACTITIONERS' FORUM ON MOBILE & WIRELESS SECURITY April 29 - 30,
2002, The American Management Training Association, Washington DC

Walk away with defensive tactics to protect your wireless networks -
today!

Join wireless security leaders to discuss:

* Various types of wireless attacks - and defense strategies for each
* The pros and cons of WLAN security technologies: WAP, WEP, 802.11x,
  dynamic WEP, VPN's, bluetooth, 3G, dynamic IPsec, and PKI
* Wireless security strategies: What the CIO should know
* Cooperating with law enforcement after an attack occurs
* Case studies presented by leading wireless security practitioners

Plus: A comprehensive post-conference workshop: "A How-To Guide to
Implementing Wireless LAN Security Solutions". For more information please
visit: http://www.frallc.com

3. The Devil You Know: Responding to Interface-based Insider Attacks
by Ronald L. Mendell

It is estimated that up to eighty-five percent of intrusions are
perpetrated by insiders. This article will examine how response teams can
detect and investigate interface-based insider attacks. It is also hoped
that the article will provide the basis of incident response policies for
responding to and investigating insider attacks that exploit
interface-based vulnerabilities.

http://www.securityfocus.com/infocus/1543

4. Heuristic Techniques in AV Solutions: An Overview
by Markus Schmall

Heuristic technologies can be found in nearly all current anti-virus
(herein referred to as AV) solutions and also in other security-related
areas like intrusion detection systems and attack analysis systems with
correlating components. This article will offer a brief overview of
generic heuristic approaches within AV solutions with a particular
emphasis on heuristics for Visual Basic for Applications-based malware.

http://www.securityfocus.com/infocus/1542

II. BUGTRAQ SUMMARY
-------------------
1. Oracle TNS Listener Arbitrary Library Call Execution Vulnerability
BugTraq ID: 4033
Remote: Yes
Date Published: Feb 06 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4033
Summary:

Oracle is a commercial relational database product. Oracle is available
for the Unix, Linux, and Microsoft Windows platforms.

Oracle supports the PL/SQL programming language, used in part to create
stored procedures and embed complicated operations within the database.
PL/SQL includes the functionality to call arbitrary external functions
through libraries or DLLs. PL/SQL accomplishes this through the Oracle
Listener process.

When asked to make an external call, the PL/SQL function connects to the
listener and causes a new process to be created. The Library call is then
executed in this process, and results are communicated through named
pipes.

As there is no authentication between the PL/SQL process and the Listener,
it is possible for a malicious third party to emulate the conversation.
Thus, any party able to connect to the Listener is able to request the
execution of any library call. This may result in a system() call, and the
execution of arbitrary shell commands.

Additionally, it is possible to force the process communication to occur
through sockets instead of named pipes. This easily opens the potential
for a full remote compromise of the Listener user.

Any code that an attacker executes would run with the privilege level of
the listener. On Windows based systems, the library call is run within
the local SYSTEM security context. On Unix systems, the Listener may run
with user-level privileges.

2. DCForum Predictable Password Generation Vulnerability
BugTraq ID: 4014
Remote: Yes
Date Published: Jan 31 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4014
Summary:

DCForum is a web based conferencing system, designed to facilitate online
discussion. It is implemented in Perl and has few system dependencies,
making it available on most operating systems, including Linux, Windows
and most Unix variants.

A vulnerability exists in some versions of DCForum. It is possible for a
user to request a new password. The system generates a new password, and
sends it through email to the appropriate user. It is possible to use this
function without authenticating as the user in question, so that this
feature can be used to recover from a lost or forgotten password.

The flaw exists in the way this password is generated. Instead of being
composed of random data, the first six characters of the current session
key are used as the new password. As the session key is available to the
remote attacker, the new password function effectively sets arbitrary user
passwords to a known value.

This algorithm is also used when new accounts are created, if the user is
not given the option to select their own password. This may make other
exploitable situations possible, such as creating a valid account without
the need for a valid email address.

Exploitation of this vulnerability immediately leads to the compromise of
arbitrary DCForum accounts. An attacker may target an account with
administrative access, possibly leading to further control over the
DCForum system.
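The weak scheme described above beside a hardened replacement, as an added example written for this summary (not DCForum's own Perl code; the session-key value and the audit helper are constructed for illustration):

```python
import secrets
import string

# Alphabet for generated passwords (assumption: letters and digits suffice here).
ALPHABET = string.ascii_letters + string.digits


def weak_reset_password(session_key: str) -> str:
    """The flawed scheme: the new password is the first six characters of the
    requester's current session key, a value the requester already holds."""
    return session_key[:6]


def secure_reset_password(length: int = 12) -> str:
    """Hardened replacement: every character comes from the OS CSPRNG, so the
    password is independent of any state the requester can observe."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derived_from_session(password: str, session_key: str) -> bool:
    """Audit check for this bug class: flag a generated password that is a
    substring of the requester-visible session key, or contains it."""
    return bool(password) and (password in session_key or session_key in password)
```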

3. Faq-O-Matic Cross-Site Scripting Vulnerability
BugTraq ID: 4023
Remote: Yes
Date Published: Feb 04 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4023
Summary:

FAQ-O-Matic is a freely available, open-source FAQ (Frequently Asked
Questions) manager. It is intended to run on Linux and Unix variants.

FAQ-O-Matic does not sufficiently filter HTML tags, including script code,
from URL parameters. It is possible to create a malicious link containing
arbitrary script code. When a legitimate user browses the malicious link,
the script code will be executed in the user's browser in the context of
the website running Faq-O-Matic.

As a result, it may be possible for a remote attacker to steal
cookie-based authentication credentials from a legitimate user of the
site. The attacker may then hijack the session of the legitimate user.

4. PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability
BugTraq ID: 4026
Remote: Yes
Date Published: Feb 03 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4026
Summary:

PHP is a server side scripting language, designed to be embedded within
HTML files. It is available for Windows, Linux, and many Unix based
operating systems. It is commonly used for web development, and is very
widely deployed.

A vulnerability has been discovered that may allow an attacker to gain
access to sensitive information that is located on areas of a filesystem
that were restricted when PHP safe_mode was enabled.

The safe_mode feature in PHP may be used to restrict access to certain
areas of a filesystem by PHP scripts. However, a problem has been
discovered that may allow an attacker to bypass these restrictions to gain
unauthorized access to areas of the filesystem that have been restricted
when PHP safe_mode was enabled.

In particular, the MySQL client library that ships with PHP does not
properly honor safe_mode. As a result, it is possible to use a LOAD DATA
statement to read files that exist in restricted areas of the filesystem
(as determined by PHP safe_mode).

An attacker with access to the MySQL database may exploit this issue to
view any files which are readable by the database process.

5. Castelle Faxpress Plaintext Password Disclosure Vulnerability
BugTraq ID: 4030
Remote: Yes
Date Published: Feb 05 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4030
Summary:

Castelle FaxPress is an integrated solution for a network fax environment.
FaxPress is a hardware and software server providing fax functionality,
and is designed to integrate with Microsoft Windows, Novell NetWare, and
Linux based systems.

FaxPress includes support for printing, either directly or through a
network printer queue. If a print job is submitted to the network queue
with an incorrect password, an error message is reported to the client
through the FaxPress notice system. This error message includes the
submitted username and password in plain text.

Under some circumstances, this may result in the disclosure of sensitive
information. For example, in a corporate environment, the FaxPress client
may be configured by a central department, with the individual users
unaware of the password in use.

III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. iptables + strings: tutorial + script (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=32802.192.168.0.1.1013045938.squirrel@fire-eyes.yi.org&threads=1

2. apache and nimda (now iptables) (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=002501c1ae9f$48d0ef90$d041793e@PC&threads=1

3. nimda and string match [Re: apache and nimbda] (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=20020205182437.GB4588@haverlant.homeip.net&threads=1

IV. NEW PRODUCTS FOR LINUX PLATFORMS
-----------------------------------
1. Luna XL
by Chrysalis-ITS
Relevant URL:
http://www.chrysalis-its.com/trusted_systems/luna_xl.htm
Platforms: Linux, Solaris, Windows NT, Windows 2000
Summary:

Luna XL delivers high-performance hardware-based SSL acceleration for
your secure web server, adding security to high value e-business
transactions. Luna XL offers trench-tested key management for your SSL
sessions without the performance penalty.

2. Aventail ExtraNet Center
by Aventail
Relevant URL:
http://www.aventail.com/managed/extranet.asp
Platforms: Linux, Solaris, Windows NT, AIX, HP-UX, DG-UX
Summary:

Aventail ExtraNet Center is simple to deploy and requires no changes to
your partner's network, applications, or firewall configuration. This
simplifies the political challenges of the extranet, speeds deployment
times to days not months, thus increasing your competitive advantage.
Customer Service: By their very nature, extranets bring key partners and
customers to valuable resources. Aventail ExtraNet Center's client runs
transparently in the background and requires no contact with the user
beyond authentication. This increases the value of the partner extranet
while lowering corporations' support costs. And, it's not just HTTP,
Aventail ExtraNet Center provides security and management for any IP
application.

3. hp secure OS software for Linux
by Hewlett-Packard
Relevant URL:
http://www.hp.com/security/products/linux/
Platforms: Linux
Summary:

A secure server platform for Linux as an enhancement to the HP Netaction
software suite. HP Secure OS Software for Linux will help businesses
secure their Linux environments by offering intrusion prevention,
real-time protection against attacks, and damage containment. HP is first
to market with this business-critical security solution for Linux. HP
Secure OS Software for Linux provides high reliability, performance,
availability, flexibility and scalability. Additionally, it is easy to
install and manage, making it attractive to businesses that don't have
large IT organizations.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. p0f v1.8.2
by William Stearns
Relevant URL:
http://www.stearns.org/p0f/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX, Solaris, SunOS
Summary:

p0f performs passive OS detection based on SYN packets. Unlike nmap, p0f
does recognition without sending any data. Additionally, it is able to
determine the distance to a remote host, and can be used to determine the
structure of a foreign or local network. When running on the gateway of a
network it is able to gather huge amounts of data and provide useful
statistics. On a user-end computer it could be used as a powerful IDS
add-on. p0f supports full tcpdump-style filtering expressions, and has an
extensible and detailed fingerprinting database. It runs on Linux 2.0/2.2,
FreeBSD, OpenBSD, NetBSD, SunOS, and Solaris.
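As an added illustration of what a passive SYN fingerprinter like p0f reads from a packet (this is not p0f's own code, and the signature string format and table below are constructed for this example, not p0f's database format): the parser pulls TTL, DF, window size and the TCP option layout out of a constructed IPv4/TCP SYN, estimates hop distance by rounding the TTL up to an assumed initial value, and looks the result up in a one-entry sample table.

```python
import struct

# Initial TTLs used by common IP stacks (assumed set, as p0f's distance estimate does):
# the observed TTL is rounded up to the nearest one to estimate the hop count.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample signature table, keyed "window:initial_ttl:df:option-layout".
SIGNATURES = {"5840:64:1:MSTNW": "Linux 2.4-style stack (constructed entry)"}


def parse_syn(packet: bytes) -> dict:
    """Pull the passive-fingerprint fields out of a raw IPv4 + TCP SYN packet."""
    ver_ihl, _tos, _tot_len, _ident, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)              # Don't Fragment bit
    tcp = packet[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if off_flags & 0x12 != 0x02:                # SYN set, ACK clear: a pure SYN
        raise ValueError("not a SYN packet")
    opts = tcp[20:(off_flags >> 12) * 4]        # TCP options follow the fixed header
    mss = wscale = None
    layout, i = [], 0
    while i < len(opts):                        # walk the option list in order
        kind = opts[i]
        if kind == 0:                           # end-of-options
            layout.append("E")
            break
        if kind == 1:                           # NOP padding
            layout.append("N")
            i += 1
            continue
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2:                           # MSS
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:                         # window scale
            wscale = body[0]
        layout.append({2: "M", 3: "W", 4: "S", 8: "T"}.get(kind, "?%d" % kind))
        i += length
    initial_ttl = next((t for t in INITIAL_TTLS if t >= ttl), 255)
    sig = "%d:%d:%d:%s" % (window, initial_ttl, df, "".join(layout))
    return {"ttl": ttl, "distance": initial_ttl - ttl, "df": df, "window": window,
            "mss": mss, "wscale": wscale, "options": "".join(layout),
            "signature": sig, "os_guess": SIGNATURES.get(sig, "unknown")}


def sample_syn() -> bytes:
    """Constructed SYN: TTL 57 (64 minus 7 hops), DF set, window 5840, options
    MSS 1460, SACK-OK, timestamps, NOP, window scale 0 (layout MSTNW)."""
    opts = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + struct.pack("!II", 12345, 0)
            + b"\x01" + b"\x03\x03\x00")
    tcp = struct.pack("!HHIIHHHH", 40123, 80, 0x01020304, 0,
                      (10 << 12) | 0x02, 5840, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 57, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + tcp
```

Feeding it `sample_syn()` reports a 7-hop distance and the "MSTNW" option layout; a SYN-ACK or non-TCP packet is rejected rather than fingerprinted.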

2. ifmonitor v0.13
by Edson Medina
Relevant URL:
http://ifmonitor.preteritoimperfeito.com/
Platforms: Linux
Summary:

ifmonitor is a network interface traffic logger and grapher for Linux. It
does not depend on SNMP, and it is written in Perl/PHP. It uses MySQL to
store its logs.

3. Leetnet client v1.2.8
by Malikai
Relevant URL:
http://www.leetnet.org/
Platforms: Linux
Summary:

Leetnet features a secure realtime address mapping system to dynamically
link leetnet subscribers, an easy-to-use Web interface for managing your
VPN, and an auto-updating client script. The Leetnet client is a Unix
shell script that manages ipsec daemons. It manages ipsec tunnels by
including two additional ipsec.conf formatted configuration files, which
contain the Freeswan conn entries to leetnet servers and conn entries to
leetnet sites. In addition to managing tunnels, the Linux client
auto-updates itself and deals with tunnel management issues (like snort
exiting when the ipsec interface goes down). All leetnet updates and
communications are transport secured via ipsec at minimum.

4. WaveStumbler v1.1.1
by Patrik Karlsson (patrik@cqure.net)
Relevant URL:
http://www.cqure.net/tools08.html
Platforms: Linux
Summary:

WaveStumbler is a console-based 802.11 network mapper for Linux. It reports
the basic AP details like channel, WEP, ESSID, MAC etc. It has support for
Hermes based cards (Compaq, Lucent/Agere, ...). It is still in development
but tends to be stable.

It consists of a patch against the kernel driver orinoco.c, which makes it
possible to send the scan command to the driver via the
/proc/hermes/ethX/cmds file. The answer is then sent back via a netlink
socket. WaveStumbler listens to this socket and displays the output data
on the console.

VI. SPONSORSHIP INFORMATION
---------------------------
This issue is sponsored by SecurityFocus (http://www.securityfocus.com)

-------------------------------------------------------------------------------