[ISN] Linux Advisory Watch - August 20, 2004

InfoSec News isn at c4i.org
Mon Aug 23 03:30:43 EDT 2004

|  LinuxSecurity.com                         Weekly Newsletter        |
|  August 20, 2004                           Volume 5, Number 33a     |

  Editors:      Dave Wreski                     David Isecke
                dave at linuxsecurity.com          dai at linuxsecurity.com

This week, advisories were released for acroread, ftpd, gaim, glibc, gv,
kdelibs, kernel, mozilla, mysql, Nessus, Netscape, pam, qt3, Roundup,
rsync, ruby, semi, spamassassin, squirrelmail, and Tomcat.

The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake,
NetBSD, Red Hat, Suse, and Trustix.


>> Internet Productivity Suite:  Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available.  Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their



Reducing the Risk

Reducing the risk of intrusion can be achieved by eliminating many of the
known common problems.

The vast majority of attacks are done by script kiddies who scan massive IP
blocks looking for a vulnerable computer, then run a program which they
don't understand to exploit the vulnerability they've just discovered.
To block these script kiddies, just fix the common vulnerabilities that the
programs they use rely on.

Buffer Overflow

A buffer overflow attack is when the attacker sends malformed packets to a
service, causing a memory buffer to overflow.  The cracker hopes this
will cause the program to crash and drop into a root prompt.
Buffer overflows happen because of programming errors where input was not
checked to be valid.

To prevent buffer overflows, all code must be meticulously hand-checked
multiple times by multiple people.  Since this is not often possible, to
limit the chances of being successfully cracked by a buffer overflow
attack, make sure you keep your systems up to date and get rid of all
excess services. The fewer services your server offers, the less code
there is that could contain a potential buffer overflow.  Also, there are
kernel patches that prevent some forms of buffer overflow.
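As an added illustration of the "input was not checked" point above, here is a constructed toy packet handler that trusts a peer-supplied length byte, beside the bounds-checked version. This is example code written for this page, not code from any package or author mentioned in the newsletter.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example; not code from any package in this newsletter.
 * A toy service reads a packet whose first byte declares the payload
 * length and copies the payload into a 16-byte buffer. */
#define PAYLOAD_MAX 16

/* Vulnerable: trusts the peer-supplied length byte. A declared length
 * above 16 writes past the end of 'out' into whatever follows it. */
int handle_unchecked(const uint8_t *pkt, size_t pktlen, char *out)
{
    if (pktlen < 1)
        return -1;
    size_t declared = pkt[0];
    if (pktlen - 1 < declared)          /* truncated packet: drop it */
        return -1;
    memcpy(out, pkt + 1, declared);     /* never compared to PAYLOAD_MAX */
    return (int)declared;
}

/* Hardened: the declared length is validated against the buffer size
 * before anything is copied; oversized packets are rejected. */
int handle_checked(const uint8_t *pkt, size_t pktlen, char *out)
{
    if (pktlen < 1)
        return -1;
    size_t declared = pkt[0];
    if (declared > PAYLOAD_MAX || pktlen - 1 < declared)
        return -1;
    memcpy(out, pkt + 1, declared);
    return (int)declared;
}

/* Harness: the 16-byte buffer sits at the start of a larger arena with a
 * sentinel right after it, so the overrun is observable without undefined
 * behaviour. Returns 1 if the handler clobbered the sentinel, else 0. */
int overrun_clobbers_neighbour(int (*handler)(const uint8_t *, size_t, char *))
{
    char arena[32];
    memset(arena, 0, sizeof arena);
    memcpy(arena + PAYLOAD_MAX, "SENTINEL", 8);

    uint8_t pkt[1 + 24];                /* constructed malformed packet: */
    pkt[0] = 24;                        /* claims 24 payload bytes */
    memset(pkt + 1, 'A', 24);
    handler(pkt, sizeof pkt, arena);
    return memcmp(arena + PAYLOAD_MAX, "SENTINEL", 8) != 0;
}
```

In a real service the bytes after the buffer are return addresses or other variables rather than a sentinel, which is why the unchecked version is a crash at best.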

Denial of Service

A Denial of Service, DoS, attack can come in many shapes and forms. The
Blue Screen of Death from Windows can be one if it is caused by someone
and not just poor programming.  Also, the infamous DDoS attacks from
earlier this year are an example where multiple 'zombie' computers
coordinate to attack a host all at the same time. A DoS attack is
anything that maliciously prevents the computer from doing what was
intended.  This is usually accomplished by errors in code that will cause
the program to eat up all the system resources.

IP Session Hi-Jacking

IP Session Hi-Jacking, also known as a man in the middle attack, is a
sophisticated attack which can now be done using tools circulating in the
script kiddie community.  With IP Session Hi-Jacking, a user connects
to a system using a service like telnet, then a cracker intercepts the
packets and tricks the system into thinking that the cracker's machine is
actually the user's machine.  The user will think her connection got dropped,
when in actuality, it is still going, but it has been taken over by the

There is no way to block this form of attack outright, but there are
checks that can be done to prevent it.  Telnet is the type of service that
crackers want to hi-jack; it has shell access, is unencrypted, and doesn't
perform many checks to make sure the person really is who they say they
are.  SSH, on the other hand, would be very hard to hi-jack; it has strong
encryption, multiple checks of an identity, and can have its shell access
limited.  Most services can't really be hi-jacked, but the ones that can,
like telnet, usually have a secure replacement, like SSH, that can be used

 Security Tip Written by Ryan Maple (ryan at guardiandigital.com)
 Additional tips are available at the following URL:


An Interview with Gary McGraw, Co-author of Exploiting Software:
How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing
software, having co-authored the classic Building Secure Software
(Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund
a companion volume, Exploiting Software, which details software security
from the vantage point of the other side, the attacker. He has graciously
agreed to share some of his insights with all of us at LinuxSecurity.com



Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian
Digital, Inc. and respected author of various hardened security and Linux
publications, to talk about how Guardian Digital is changing the face of
IT security today. Guardian Digital is perhaps best known for their
hardened Linux solution EnGarde Secure Linux, touted as the premier
secure, open-source platform for its comprehensive array of general
purpose services, such as web, FTP, email, DNS, IDS, routing, VPN,
firewalling, and much more.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Conectiva        | ----------------------------//

 8/13/2004 - squirrelmail
   Multiple vulnerabilities

   This patch addresses four vulnerabilities in SquirrelMail,
   including XSS and SQL injection attacks.

|  Distribution: Debian           | ----------------------------//

 8/20/2004 - ruby
   Insecure file permissions

   This can lead an attacker who has also shell access to the
   webserver to take over a session.

 8/20/2004 - rsync
   Insufficient path sanitation

   The rsync developers have discovered a security related problem in
   rsync which allows an attacker to access files outside of the
   defined directory.

 8/20/2004 - kdelibs
   Insecure temporary file vulnerability

   This can be abused by a local attacker to create or truncate
   arbitrary files or to prevent KDE applications from functioning

 8/20/2004 - mysql
   Insecure temporary file vulnerability

   Jeroen van Wolffelaar discovered an insecure temporary file
   vulnerability in the mysqlhotcopy script when using the scp method
   which is part of the mysql-server package.

|  Distribution: Fedora           | ----------------------------//

 8/20/2004 - rsync
   Insufficient path sanitization

   This update backports a security fix to a path-sanitizing flaw
   that affects rsync when it is used in daemon mode without also
   using chroot.

|  Distribution: Gentoo           | ----------------------------//

 8/13/2004 - Roundup
   Filesystem access vulnerability

   Roundup will make files owned by the user that it's running as
   accessible to a remote attacker.

 8/13/2004 - gv
   Buffer overflow vulnerability

   gv contains an exploitable buffer overflow that allows an attacker
   to execute arbitrary code.

 8/13/2004 - Nessus
   Race condition vulnerability

   Nessus contains a vulnerability allowing a user to perform a
   privilege escalation attack using "adduser".

 8/13/2004 - Gaim
   Buffer overflow vulnerability

   Gaim contains a remotely exploitable buffer overflow vulnerability
   in the MSN-protocol parsing code that may allow remote execution
   of arbitrary code.

 8/13/2004 - kdebase, kdelibs
   Multiple vulnerabilities

   KDE contains three security issues that can allow an attacker to
   compromise system accounts, cause a Denial of Service, or spoof
   websites via frame injection.

 8/20/2004 - acroread
   Buffer overflow vulnerabilities

   Acroread contains two errors in the handling of UUEncoded
   filenames that may lead to execution of arbitrary code or

 8/20/2004 - Tomcat
   Insecure installation

   Improper file ownership may allow a member of the tomcat group to
   execute scripts as root.

 8/20/2004 - glibc
   Information leak vulnerability

   glibc contains an information leak vulnerability allowing the
   debugging of SUID binaries.

 8/20/2004 - rsync
   Insufficient path sanitation

   This vulnerability could allow the listing of arbitrary files and
   allow file overwriting outside module's path on rsync server
   configurations that allow uploading.

 8/20/2004 - xine-lib
   Buffer overflow vulnerability

   An attacker may construct a carefully-crafted playlist file which
   will cause xine-lib to execute arbitrary code with the permissions
   of the user.

 8/20/2004 - courier-imap
   Format string vulnerability

   An attacker may be able to execute arbitrary code as the user
   running courier-imapd (oftentimes root).

|  Distribution: Mandrake         | ----------------------------//

 8/13/2004 - gaim
   Buffer overflow vulnerabilities

   Sebastian Krahmer discovered two remotely exploitable buffer
   overflow vulnerabilities in the gaim instant messenger.

 8/13/2004 - mozilla
   Multiple vulnerabilities

   A large number of Mozilla vulnerabilities is addressed by this

 8/20/2004 - rsync
   Insufficient path sanitation

   If rsync is running in daemon mode, and not in a chrooted
   environment, it is possible for a remote attacker to trick rsyncd
   into creating an absolute pathname while sanitizing it.

 8/20/2004 - spamassassin
   Denial of service vulnerability

   Security fix prevents a denial of service attack open to certain
   malformed messages.

 8/20/2004 - qt3
   Heap overflow vulnerability

   This vulnerability could allow for the compromise of the account
   used to view or browse malicious graphic files.

|  Distribution: NetBSD           | ----------------------------//

 8/20/2004 - ftpd
   Privilege escalation vulnerability

   A set of flaws in the ftpd source code can be used together to
   achieve root access within an ftp session.

|  Distribution: Red Hat          | ----------------------------//

 8/19/2004 - pam
   Privilege escalation vulnerability

   If the pam_wheel module was used with the "trust" option enabled,
   but without the "use_uid" option, any local user could use PAM to
   gain access to a superuser account without supplying a password.

 8/19/2004 - Itanium kernel
   Multiple vulnerabilities

   Updated Itanium kernel packages that fix a number of security
   issues are now available.

 8/19/2004 - semi
   Insecure temporary file vulnerability

   Temporary files were being created without taking adequate
   precautions, and therefore a local user could potentially
   overwrite files with the privileges of the user running emacs.

 8/20/2004 - Netscape
   Multiple vulnerabilities

   Netscape Navigator and Netscape Communicator have been removed
   from the Red Hat Enterprise Linux 2.1 CD-ROM distribution as part
   of Update 5. These packages were based on Netscape 4.8, which is
   known to be vulnerable to recent critical security issues, such as
   CAN-2004-0597, CAN-2004-0598, and CAN-2004-0599.

 8/20/2004 - kernel
   Denial of service vulnerability

   A bug in the SoundBlaster 16 code which did not properly handle
   certain sample sizes has been fixed. This flaw could be used by
   local users to crash a system.

|  Distribution: Suse             | ----------------------------//

 8/20/2004 - rsync
   Insufficient pathname sanitizing

   If rsync is running in daemon-mode and without a chroot
   environment it is possible for a remote attacker to trick rsyncd
   into creating an absolute pathname while sanitizing it.

 8/20/2004 - qt3
   Buffer overflow vulnerability

   Chris Evans found a heap overflow in the BMP image format parser
   which can probably be abused by remote attackers to execute
   arbitrary code.

|  Distribution: Trustix          | ----------------------------//

 8/20/2004 - rsync
   Path escape vulnerability

   Please either enable chroot or upgrade to 2.6.1. People not
   running a daemon, running a read-only daemon, or running a
   chrooted daemon are totally unaffected.
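The rsync advisories above (Debian, Fedora, Gentoo, Mandrake, Suse and Trustix) all describe the same class of flaw: a daemon serving a module without chroot has to turn a client-supplied path into one that stays under the module directory. The following is a constructed example of such a lexical sanitizer, written for this page; it is not rsync's own code and assumes 'root' has no trailing slash.

```c
#include <string.h>

/* Constructed example of a lexical path sanitizer for a daemon that serves
 * a module directory without chroot; it is not rsync's own code.
 * Rewrites the client-supplied 'req' into 'out' as a path under 'root'
 * (root assumed to have no trailing slash). Returns 0 on success, -1 if
 * the request would escape the root or does not fit in 'out'. */
int confine_path(const char *root, const char *req, char *out, size_t outsz)
{
    const char *comp[64];   /* components kept after normalisation */
    size_t len[64];
    int n = 0;
    const char *p = req;
    while (*p) {
        while (*p == '/') p++;            /* leading/repeated slashes */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t l = (size_t)(p - start);
        if (l == 1 && start[0] == '.')
            continue;                     /* "." is a no-op */
        if (l == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0)
                return -1;                /* would climb above the root */
            n--;
            continue;
        }
        if (n == 64)
            return -1;                    /* too deep for this example */
        comp[n] = start;
        len[n++] = l;
    }
    /* Emit root + "/" + each surviving component, checking space as we go. */
    size_t used = strlen(root);
    if (used + 1 > outsz)
        return -1;
    memcpy(out, root, used);
    for (int i = 0; i < n; i++) {
        if (used + 1 + len[i] + 1 > outsz)
            return -1;
        out[used++] = '/';
        memcpy(out + used, comp[i], len[i]);
        used += len[i];
    }
    out[used] = '\0';
    return 0;
}
```

This check is purely lexical: a symlink inside the module can still point outside it, which is why the advisories recommend running the daemon chrooted rather than relying on sanitization alone.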

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
