From: Stephen Entwisle (se@SECURITYFOCUS.COM)
Date: Mon Apr 23 2001 - 11:07:15 CDT
SecurityFocus.com Linux Newsletter #25
--------------------------------------
I. FRONT AND CENTER
1. A Comparison of iptables Automation Tools
2. Infectable Objects, Part Five - HTML and Other Scripts
II. LINUX VULNERABILITY SUMMARY
1. Trend Micro Interscan Viruswall Multiple Program Buffer ...
2. IPTables FTP Stateful Inspection Arbitrary Filter Rule ...
3. KFM Insecure TMP File Creation Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. Tracking down possible Trinoo_Master hack.. (Thread)
2. ipchains vs. iptables (Thread)
3. Hacked box, suspect R00tkit. (Thread)
4. Permissions (Thread)
5. SecurityFocus.com Linux Newsletter #24 (Thread)
6. snort snorts ONLY my eth0 (Thread)
7. Netfilter stateful inspection doubts (Thread)
8. Buffer overflow on Linux (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORM
1. M-Secure
2. Storm Firewall
3. Gateway Guardian
V. NEW TOOLS FOR LINUX PLATFORMS
1. Port Scan Attack Detector (psad)
2. Iridium Firewall
3. Firewall Monitor
4. KSTAT - Kernel Security Therapy Anti-Trolls
5. distribuNet
VI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. FRONT AND CENTER
-------------------
1. A Comparison of iptables Automation Tools
Over the past several years, the use of Linux as a firewall platform has
grown significantly. Linux firewalling code has come a long way since the
time ipfwadm was introduced in kernel 1.2. This discussion will look at IP
firewalling code in Linux kernel and its configuration via various
interfaces such as GUIs or scripts (written in shell scripting language,
Perl or special configuration language). Specifically, this article will
offer a brief overview of the means of configuring iptables, and will
offer a brief review of some tools that have been developed to automate
the configuration of iptables.
http://www.securityfocus.com/focus/linux/articles/iptables.html
2. Infectable Objects, Part Five - HTML and Other Scripts
by Robert Vibert
One of the more interesting developments in the virus world has been the
extension of viruses from compiled executable files into script files.
There is now an expanding range of script file types that can contain
malicious code. This article, the fifth and final in a series by
SecurityFocus writer Robert Vibert, will offer an overview of script file
types that can contain viral code, including batch files, Java, JavaScript
and HTML files.
http://www.securityfocus.com/focus/virus/articles/infobj5.html
II. BUGTRAQ SUMMARY
-------------------
1. Trend Micro Interscan Viruswall Multiple Program Buffer Overflow...
BugTraq ID: 2579
Remote: Yes
Date Published: 2001-04-13
Relevant URL:
http://www.securityfocus.com/bid/2579
Summary:
Interscan Viruswall is a virus scanning software package distributed and
maintained by Trend Micro. It is designed to scan for virus occurrences in
both incoming and outgoing traffic via SMTP, FTP, and HTTP at the gateway
of the network.
A combination of two problems in the Interscan Viruswall package makes it
possible for a remote user to execute arbitrary commands as root, and
potentially gain local access to the Viruswall system. The vulnerability
is the manifestation of two problems which, when combined, make a system
vulnerable.
Included with Interscan Viruswall is a web based administration interface
called ISADMIN. This service is the CERN httpd v3.0 running on port 1812
of the Viruswall system.
The first problem is that multiple programs in the cgi directory contain
buffer overflows. Due to insufficient bounds checking and validation of
input, it is possible to execute arbitrary commands through most of the
programs contained in the CGI directory of the HTTP daemon.
The second problem consists of the CERN httpd insufficiently controlling
access to programs in the CGI directory. The CERN HTTP daemon, as
installed with the Viruswall package, runs with the privileges of root.
The access control settings of the httpd do not allow users to directly
execute programs ending in the .cgi suffix. However, four programs within
the cgi directory do not end in .cgi suffixes, and may be executed
directly through calling of the URL and file extension.
2. IPTables FTP Stateful Inspection Arbitrary Filter Rule Insertion...
BugTraq ID: 2602
Remote: Yes
Date Published: 2001-04-16
Relevant URL:
http://www.securityfocus.com/bid/2602
Summary:
The Linux 2.4 kernel includes a built-in firewall implementation
(netfilter) that is configured through IPTables. IPTables supports
stateful inspection of several application protocols, one of which is
FTP. The FTP inspection exists so that the data connections a server
opens in response to PORT commands can be allowed through when clients or
servers sit behind the firewall.
Under many firewall configurations and in environments where NAT is in
use, PORT mode data transfers normally cannot be used.
Some firewalls support stateful inspection of FTP traffic, which can allow
the firewall to dynamically open and map ports for FTP data transfers.
These firewalls permit the use of PORT mode FTP. In the Linux IPTables
implementation, filtering rules for FTP PORT mode data are stored in the
table of 'RELATED' connections, temporarily permitting the traffic through
the firewall.
The IPTables module used to inspect FTP data and interpret PORT requests
contains a vulnerability which may allow a remote attacker to insert
malicious rules into the firewall's table of related connections.
A PORT command carries two parameters, the IP address and TCP port of the
destination host, encoded as six comma-separated decimal bytes
(h1,h2,h3,h4,p1,p2). When a PORT command is issued, the server connects to
that host and port and transmits the data. To prevent malicious users from
using this mechanism to proxy data transfers to arbitrary hosts (the FTP
bounce attack), most FTP servers compare the destination IP address in the
PORT command to the address of the client. If they do not match, the
command is rejected and typically logged. The stateful-inspection module
also attempts to detect this condition.
When a PORT command containing an IP address which differs from the
client's is processed, the occurrence is caught. Despite being detected,
the condition is handled erroneously causing an entry for the PORT
connection to be inserted into the table of 'RELATED' connections. This
temporarily permits traffic through the firewall from the FTP server to
the destination included in the PORT command.
The following section of source code contains the offending operation in
the stateful-inspection module.
The 'if' condition below determines whether the IP address in the PORT
command matches the client's or not.
        /* Update the ftp info */
        LOCK_BH(&ip_ftp_lock);
        if (htonl((array[0] << 24) | (array[1] << 16) | (array[2] << 8) | array[3])
            == ct->tuplehash[dir].tuple.src.ip) {
                info->is_ftp = 1;
                info->seq = ntohl(tcph->seq) + matchoff;
                info->len = matchlen;
                info->ftptype = dir;
                info->port = array[4] << 8 | array[5];
        } else {
                /* Enrico Scholz's passive FTP to partially RNAT'd ftp
                   server: it really wants us to connect to a
                   different IP address. Simply don't record it for
                   NAT. */
                DEBUGP("conntrack_ftp: NOT RECORDING: %u,%u,%u,%u != %u.%u.%u.%u\n",
                       array[0], array[1], array[2], array[3],
                       NIPQUAD(ct->tuplehash[dir].tuple.src.ip));
        }

The problem lies in the 'else' block, which executes if the
addresses do not match. After executing, it does not return or otherwise
stop the processing of the PORT command. The module continues to function
as though the PORT command is valid, creating an entry in the 'RELATED'
connections table.
Furthermore, clients do not need to authenticate to exploit this
vulnerability. Anyone who can reach the service may be able to cause this
behaviour, including 'internal' clients.
If exploited successfully, an attacker can create a condition where the
FTP server can establish connections to arbitrary hosts on any port
bypassing IPTables filtering rules.
This could be used by an attacker to gain access to internal, protected
hosts from the FTP server if it is compromised by an attacker. In
addition, an attacker on an internal network could use this vulnerability
to access external hosts (which they do not normally have access to)
through the FTP server.
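To make the fall-through concrete, the following user-space model replays
the PORT handling described above against a hypothetical expectation
table. It is an added example written for this summary, not code from the
kernel or from the IPTables project: parse_port_cmd, track_port_vulnerable,
track_port_fixed and struct ftp_expect are names chosen for the
illustration, and addresses are kept in host byte order rather than the
kernel's network order. The vulnerable variant notices the mismatch and
keeps going, exactly like the 'else' block; the fixed variant returns
before anything is inserted.

```c
/* Added example: a user-space model of the ip_conntrack_ftp PORT handling
 * described above. Not kernel code; the names below are hypothetical and
 * addresses are handled in host byte order for readability. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for one entry in the conntrack 'RELATED' expectation table. */
struct ftp_expect {
    uint32_t dst_ip;    /* address the server will connect to */
    uint16_t dst_port;  /* port the server will connect to */
    int      recorded;  /* 1 if an expectation was inserted */
};

/* Parse "PORT h1,h2,h3,h4,p1,p2" (RFC 959) into six byte values.
 * Returns 0 on success, -1 if the command is malformed. */
int parse_port_cmd(const char *cmd, unsigned array[6])
{
    const char *p = cmd;
    if (strncmp(p, "PORT ", 5) != 0)
        return -1;
    p += 5;
    for (int i = 0; i < 6; i++) {
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p || v > 255)
            return -1;
        array[i] = (unsigned)v;
        if (i < 5) {
            if (*end != ',')
                return -1;
            p = end + 1;
        } else if (*end != '\0' && *end != '\r' && *end != '\n') {
            return -1;
        }
    }
    return 0;
}

/* Build the RELATED entry for the host/port named in the PORT command. */
static struct ftp_expect insert_expect(const unsigned a[6])
{
    struct ftp_expect e;
    e.dst_ip = (a[0] << 24) | (a[1] << 16) | (a[2] << 8) | a[3];
    e.dst_port = (uint16_t)(a[4] << 8 | a[5]);
    e.recorded = 1;
    return e;
}

/* Vulnerable model: the address mismatch is noticed (the kernel only printed
 * a debug message there) but nothing stops processing, so the expectation is
 * inserted for whatever host the client named. */
struct ftp_expect track_port_vulnerable(const char *cmd, uint32_t client_ip)
{
    struct ftp_expect none = {0, 0, 0};
    unsigned a[6];
    if (parse_port_cmd(cmd, a) != 0)
        return none;
    uint32_t ip = (a[0] << 24) | (a[1] << 16) | (a[2] << 8) | a[3];
    if (ip != client_ip) {
        /* equivalent of DEBUGP("NOT RECORDING ...") -- and then fall through */
    }
    return insert_expect(a);           /* BUG: reached even on a mismatch */
}

/* Fixed model: refuse to create any RELATED entry unless the PORT address
 * is the client's own, mirroring the bounce check done by FTP servers. */
struct ftp_expect track_port_fixed(const char *cmd, uint32_t client_ip)
{
    struct ftp_expect none = {0, 0, 0};
    unsigned a[6];
    if (parse_port_cmd(cmd, a) != 0)
        return none;
    uint32_t ip = (a[0] << 24) | (a[1] << 16) | (a[2] << 8) | a[3];
    if (ip != client_ip)
        return none;                   /* mismatch: record nothing */
    return insert_expect(a);
}

int main(void)
{
    const uint32_t client = 0x0A000005u;           /* constructed: client is 10.0.0.5 */
    const char *bounce = "PORT 192,168,1,1,0,22";  /* constructed: names an inside host */
    struct ftp_expect v = track_port_vulnerable(bounce, client);
    struct ftp_expect f = track_port_fixed(bounce, client);
    printf("vulnerable: recorded=%d dst=%u.%u.%u.%u:%u\n", v.recorded,
           v.dst_ip >> 24, (v.dst_ip >> 16) & 255, (v.dst_ip >> 8) & 255,
           v.dst_ip & 255, v.dst_port);
    printf("fixed:      recorded=%d\n", f.recorded);
    return 0;
}
```

With the constructed input, the vulnerable variant records an entry for
192.168.1.1:22 on behalf of a client at 10.0.0.5, which is precisely the
RELATED entry that lets the server reach a host the filter rules would
otherwise block; the fixed variant records nothing.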
3. KFM Insecure TMP File Creation Vulnerability
BugTraq ID: 2629
Remote: No
Date Published: 2001-04-18
Relevant URL:
http://www.securityfocus.com/bid/2629
Summary:
KFM is the KDE File Manager, included with version 1 of the KDE base
package in most Linux installations. KFM is designed as a graphical,
easily navigated interface to the Linux Filesystem.
A problem in the KFM package could make it possible for local users to
overwrite any file owned by a user of KFM. This is due to insufficient
checking of previously existing temporary files and directories by the KFM
package.
Upon execution, KFM creates a temporary directory in which to cache
content. The directory name is predictable: kfm-cache-<USER ID>, so for a
user with an id of 1000 the directory is named kfm-cache-1000. The files
cached inside it also have predictable names.
KFM does not safely check whether this directory already exists before
using it. A local attacker can therefore create the directory in advance
and place symbolic links under the predictable file names; when KFM needs
to write one of those cache files, the output goes through the attacker's
symbolic link and overwrites the contents of the linked file, resulting in
data corruption or loss of data entirely.
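The check a program should make before trusting a predictable cache
directory, as an added example written for this summary (it is not KFM's
code, and safe_cache_dir, safe_cache_open and demo_symlink_attack are
hypothetical names): create the directory yourself, or accept an existing
one only if lstat() shows a real directory owned by you and not writable
by others, and create files inside it with O_CREAT|O_EXCL so that a link
planted under a predictable name fails instead of being written through.
The demo function replays the advisory's attack inside a private scratch
directory under /tmp.

```c
/* Added example (not KFM's code): refusing a symlink planted under a
 * predictable cache directory name such as /tmp/kfm-cache-<UID>.
 * safe_cache_dir, safe_cache_open and demo_symlink_attack are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create 'dir' with mode 0700, or accept it only if it already is a real
 * directory (not a symlink) owned by 'uid' and not group/world writable.
 * Returns 0 when the directory can be trusted, -1 otherwise. */
int safe_cache_dir(const char *dir, uid_t uid)
{
    struct stat st;
    if (mkdir(dir, 0700) == 0)
        return 0;                 /* did not exist: we created it, so it is ours */
    if (errno != EEXIST)
        return -1;
    /* lstat(), not stat(): a symlink left there must not be followed */
    if (lstat(dir, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != uid ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EACCES;           /* symlink, foreign owner, or writable by others */
        return -1;
    }
    return 0;
}

/* Create a cache file that must not exist yet. O_CREAT|O_EXCL fails with
 * EEXIST if 'path' names anything at all, including a dangling symlink,
 * so a link planted under a predictable name is never followed. */
int safe_cache_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Replays the attack from the advisory against the checks above, inside a
 * private scratch directory that stands in for /tmp. Returns 0 if every
 * step behaves as intended, otherwise the number of the failing step. */
int demo_symlink_attack(void)
{
    char base[] = "/tmp/kfm-demo-XXXXXX";      /* constructed scratch location */
    char dir[512], file[512], target[512];
    int fd;

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(dir, sizeof dir, "%s/kfm-cache-%u", base, (unsigned)getuid());
    snprintf(target, sizeof target, "%s/victim", base);
    snprintf(file, sizeof file, "%s/index.html", dir);

    /* 1. attacker plants the predictable directory name as a symlink */
    if (symlink(target, dir) != 0)
        return 2;
    if (safe_cache_dir(dir, getuid()) == 0)
        return 3;                 /* must be refused */
    unlink(dir);

    /* 2. legitimate use: absent -> created; present and ours -> accepted */
    if (safe_cache_dir(dir, getuid()) != 0 || safe_cache_dir(dir, getuid()) != 0)
        return 4;

    /* 3. a symlink under a predictable file name is likewise never written through */
    if (symlink(target, file) != 0)
        return 5;
    if ((fd = safe_cache_open(file)) >= 0) {
        close(fd);
        return 6;
    }
    unlink(file);
    if ((fd = safe_cache_open(file)) < 0)
        return 7;
    close(fd);

    unlink(file);
    rmdir(dir);
    rmdir(base);
    return 0;
}

int main(void)
{
    int rc = demo_symlink_attack();
    if (rc == 0)
        printf("all checks held\n");
    else
        printf("step %d failed (%s)\n", rc, strerror(errno));
    return rc;
}
```

The ownership and mode test on an existing directory matters as much as
the symlink test: a directory another user created for you is just as
useful to them as a link, since they can add links inside it later.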
III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. Tracking down possible Trinoo_Master hack.. (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2001-04-20%26thread%3d01a701c0c8c7$6d7e6160$363e52d1
2. ipchains vs. iptables (Thread)
Relevant URL:
3. Hacked box, suspect R00tkit. (Thread)
Relevant URL:
4. Permissions (Thread)
Relevant URL:
5. SecurityFocus.com Linux Newsletter #24 (Thread)
Relevant URL:
6. snort snorts ONLY my eth0 (Thread)
Relevant URL:
7. Netfilter stateful inspection doubts (Thread)
Relevant URL:
8. Buffer overflow on Linux (Thread)
Relevant URL:
IV. NEW PRODUCTS FOR LINUX PLATFORMS
----------------------------------------
1. M-Secure
by MessagingDirect
Platforms: AIX, IRIX, Linux and Solaris
Relevant URL:
http://www.securityfocus.com/products/1127
Summary:
M-Secure is MessagingDirect's secure pipeline for the creation, sending
and receiving of digitally signed and encrypted documents. The
Extranet-tuned strongbox can authenticate valid users of the Extranet, no
matter where they are. M-Secure offers end-to-end security that is
location independent and is as simple to use as an ATM. It is the ultimate
tool for high-security networks ready to step out of the office and into
the world - at a fraction of the complexity and cost of current solutions.
2. Storm Firewall
by Stormix Technologies
Platforms: Linux
Relevant URL:
http://www.securityfocus.com/products/1332
Summary:
The Storm Firewall is a stable, easy-to-use security solution for your
home or business computers.
The Storm Firewall graphical user interface provides:
-Firewall Setup Wizard lets anyone set up a firewall quickly.
-Simple Options builds on top of the base provided by the Wizard, allowing
for further customization.
-Advanced Setup gives you the flexibility to edit rules at the chain level,
so you can design your own firewall.
-Log Viewer allows you to view firewall activity, and filter logs by IP
address or chain.
3. Gateway Guardian
by NetMaster Networking Solutions, Inc.
Platforms: Linux
Relevant URL:
http://www.securityfocus.com/products/1298
Summary:
Developed with NetMaster's own Linux distribution tailored specifically
for firewall applications, Gateway Guardian is a very flexible, high-end
firewall that takes a revolutionary approach to allowing a company to use
a lower-end PC as their Internet gateway. Running on a PC that is not the
Internet gateway, Gateway Guardian uses a pure Java application to
preconfigure hardware, Internet provider settings, and firewall rules
through a wizard like format. When the information has been entered, the
Java application writes an entire Linux operating system and the custom
firewall configuration onto a 3-1/2" floppy diskette.
V. NEW TOOLS FOR LINUX PLATFORMS
------------------------------------
1. Port Scan Attack Detector (psad)
by Michael Rash <mbr@cipherdyne.com>
Platforms: Linux
Relevant URL:
http://www.securityfocus.com/tools/2006
Summary:
Port Scan Attack Detector (psad) is a program written in Perl that is
designed to work with Linux firewalling code (iptables in the 2.4.x
kernels, and ipchains in the 2.2.x kernels) to detect port scans. It
features a set of highly configurable danger thresholds (with sensible
defaults provided), verbose alert messages that include the source,
destination, scanned port range, begin and end times, TCP flags and
corresponding nmap options (Linux 2.4.x kernels only), email alerting, and
automatic blocking of offending IP addresses via dynamic configuration of
ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels
psad incorporates many of the TCP signatures included in Snort to detect
highly suspect scans for various backdoor programs (e.g. EvilFTP,
GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port
scans (syn, fin, Xmas) which are easily leveraged against a machine via
nmap.
2. Iridium Firewall
by Ryan Edwards
Platforms: Linux
Relevant URL:
http://www.securityfocus.com/tools/1948
Summary:
Iridium Firewall is an ipchains-based Linux 2.2 packet-filtering firewall
designed for use on a gateway server protecting an internal LAN of
masqueraded devices. It provides protection from many (I won't say all)
forms of Denial of Service attacks, IP Spoofing, Stuffed Routing, Stuffed
Masquerading, SYN Cookie attacks, damaged or hostile ICMP packets, and
packet fragmentation among others. It protects from attacks on several
well known Trojan Horse and illegal ports as well as attempted connections
from bogus, reserved or illegal IP addresses.
3. Firewall Monitor
by Gianni Tedesco <scaramanga@barrysworld.com>
Platforms: Linux
Relevant URL:
http://www.securityfocus.com/tools/1883
Summary:
fwmon is a firewall monitor for Linux. It integrates with ipchains to give
you realtime notification of firewall events. It has fairly customizable
output, allowing you to display a packet summary, hex, and ascii data
dumps to stdout, a logfile, or tcpdump-style capture files. It also boasts
some simple security features such as the ability to chroot itself, and
operate in a non-root environment.
4. KSTAT - Kernel Security Therapy Anti-Trolls
by S0ftproject2000 Team <staff@s0ftpj.org>
Platforms: Linux
Relevant URL:
http://www.securityfocus.com/tools/1995
Summary:
KSTAT is a tool for finding an attacker on your system by direct analysis
of the kernel through /dev/kmem, bypassing the hiding techniques of the
intruder (static kernel recompilation or use of LKMs). Kstat can find the
syscalls which were modified by an LKM, list the linked LKMs, query one or
all of the network interfaces of the system, list all the processes, and
much more.
5. distribuNet
by Arshan Dabirsiaghi
Platforms: Linux
Relevant URL:
http://www.securityfocus.com/tools/1997
Summary:
distribuNet is a mid-level statically linked C library for cross-platform
distributed networking applications. The library operates almost exactly
like the Berkeley socket libraries that it wraps. The library has been
compiled and tested on Linux 2.2 and Linux 2.0 with g++. All programs
built with the library must use g++ as well, since it takes advantage of
some of the C++ gcc modules.
VI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE FOCUS-LINUX Lastname, Firstname
You will receive a confirmation request message to which you will have
to respond.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE FOCUS-LINUX
If your e-mail address has changed, e-mail aleph1@securityfocus.com and
I will manually remove you.
3. How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET FOCUS-LINUX NOMAIL
To turn back on e-mail delivery use the command:
SET FOCUS-LINUX MAIL
4. Is the list available in a digest format?
Yes. The digest is generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a
message body of:
SET FOCUS-LINUX DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET FOCUS-LINUX NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than that from
which you are sending commands to LISTSERV from. Either send e-mail from
the appropriate address or e-mail the moderator to be unsubscribed
manually.