SecurityFocus Linux Newsletter #27 Posted on 2001-05-15 18:41:01 by Admin
Reprinted in full with permission of SecurityFocus
  1. FRONT AND CENTER
    1. Diseas'd Ventures: A Critique of Media Reportage of Viruses
    2. Chasing the Wind, Part Six: The Gathering Storm
    3. My First RSA Conference
  2. LINUX VULNERABILITY SUMMARY
    1. Multiple Vendor routed traceon Vulnerability
    2. Multiple Vendor loopback (land.c) Denial of Service Vulnerability
    3. Multiple Vendor TCP Initial Sequence Number Statistical ...
    4. KFM Insecure TMP File Creation Vulnerability
    5. RedHat Linux Swap File World Readable Permissions Vulnerability
    6. SAP Web Application Server for Linux Arbitrary Command ...
  3. LINUX FOCUS LIST SUMMARY
    1. lpt (Thread)
    2. secure temporary files (Thread)
    3. blocking access (Thread)
    4. SecurityFocus.com Linux Newsletter #26 (Thread)
  4. NEW PRODUCTS FOR LINUX PLATFORMS
    1. Storm Firewall
    2. Gateway Guardian
    3. PSAudit-UNIX
  5. NEW TOOLS FOR LINUX PLATFORMS
    1. SILC
    2. ferm
    3. mcrypt
    4. tcpspy
    5. TechTracker
  6. SUBSCRIBE/UNSUBSCRIBE INFORMATION
  1. FRONT AND CENTER
    1. Diseas'd Ventures: A Critique of Media Reportage of Viruses
       In this article, George Smith takes a critical look at the way the media reports viruses. Specifically, he critiques the shortcomings of the 'crisis' mode used by the media to report virus threats and virus-writing competitions and examines the effects of that school of reportage on the public's reaction to viruses.
       http://www.securityfocus.com/focus/virus/articles/diseased.html
    2. Chasing the Wind, Part Six: The Gathering Storm
       by Robert G. Ferrell
       This is the sixth installment of Robert G. Ferrell's series, Chasing the Wind. As we left off in the last episode, our aspiring hacker Ian was on his way home from a hacker's convention, eager to test his new knowledge. Bob, Acme Ailerons' CIO, was alerted to a possible virus infection in the company's systems, one which Jake, the company's Systems Administrator, would spend his day quashing. Douglas, Acme's Systems Engineer, looked on as an Air Force captain unveiled a frightening project. Meanwhile a group of mysterious men seemed to be hatching a shady scheme...
       http://www.securityfocus.com/focus/ih/articles/chasing6.html
    3. My first RSA Conference
       by Kevin Mitnick
       The annual RSA Conference is noted for being the largest data security and cryptography conference in the world. It's the place the most respected cryptographers and security professionals in the industry gather to share their knowledge and experience. But I still found it incomplete.
       http://www.securityfocus.com/templates/article.html?id=199
  2. BUGTRAQ SUMMARY
    1. Multiple Vendor routed traceon Vulnerability
       BugTraq ID: 2658
       Remote: Yes
       Date Published: 1998-10-21
       Relevant URL: http://www.securityfocus.com/bid/2658
       Summary: routed is a daemon used to dynamically update network routing tables. Certain operating systems (including IRIX 3.x up to 6.4 inclusive, Caldera OpenLinux 1.0 and 1.1) contain a routed version which allows an attacker to append certain logging data to arbitrary files on the host machine with root privileges. routed communicates with other network components via the Routing Information Protocol (RIPv1 - RFC1058, RIPv2 - RFC1723). This protocol implements certain commands which can be sent via UDP packets to the routed service, normally residing on UDP port 520. One of these commands (listed as obsolete in RFC1058) is "traceon", which turns on certain debugging features. When this command is passed in conjunction with a "trace file" name, via RIP to a vulnerable version of routed, certain trace / debugging information is appended to this file, regardless of ownership and properties. The file specified for logging this function could therefore include /dev files, and various other important system files, and could result in denial of service or data loss when used by an attacker. An attacker would likely have to spoof the source address in order to exploit this vulnerability.
    2. Multiple Vendor loopback (land.c) Denial of Service Vulnerability
       BugTraq ID: 2666
       Remote: Yes
       Date Published: 1997-11-20
       Relevant URL: http://www.securityfocus.com/bid/2666
       Summary: A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP packet with the "SYN" flag set and the source address and port spoofed to equal the destination address and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
    3. Multiple Vendor TCP Initial Sequence Number Statistical Vulnerability
       BugTraq ID: 2682
       Remote: Yes
       Date Published: 2001-05-02
       Relevant URL: http://www.securityfocus.com/bid/2682
       Summary: Over the past several years, a variety of attacks against TCP initial sequence number (ISN) generation have been discussed. A vulnerability exists in some TCP/IP stack implementations that use random increments for initial sequence numbers. Such implementations are vulnerable to statistical attack, which could allow an attacker to predict, within a reasonable range, sequence numbers of future and existing connections. The weakness is due to the implications of the Central Limit Theorem, which roughly states that the distribution of the sum of a large number of independent, identically distributed variables will be approximately normal, regardless of the underlying distribution. According to the TCP protocol, a packet from a remote host with the correct sequence number is trusted to come from that host. By predicting a sequence number, several attacks could be performed; an attacker could disrupt or hijack existing connections, or spoof future connections. The practical impact of the attack depends on the target protocol. Most importantly, systems running insecure protocols which blindly trust a TCP connection which appears to come from a given IP address without requiring any other form of authentication are vulnerable to spoofing by a remote attacker, potentially yielding privileges or access on the system.
    4. KFM Insecure TMP File Creation Vulnerability
       BugTraq ID: 2629
       Remote: No
       Date Published: 2001-04-18
       Relevant URL: http://www.securityfocus.com/bid/2629
       Summary: KFM is the KDE File Manager, included with version 1 of the KDE base package in most Linux installations. KFM is designed as a graphical, easily navigated interface to the Linux filesystem. A problem in the KFM package could make it possible for local users to overwrite any file owned by a user of KFM. This is due to insufficient checking of previously existing temporary files and directories by the KFM package. Upon execution, KFM creates a temporary directory in which to cache content. This temporary directory is created using a name consisting of kfm-cache-<uid>. An example would be a user with an id of 1000. The directory would be created using the name kfm-cache-1000. This directory usually caches a set of predictable files. KFM does not safely check for the existence of this directory prior to using it, and upon needing to use one of the predicted files in the directory, will attempt to place output into the previously made symbolic link, thus overwriting the contents of the linked file, resulting in data corruption or loss of data entirely.
    5. RedHat Linux Swap File World Readable Permissions Vulnerability
       BugTraq ID: 2678
       Remote: No
       Date Published: 2001-05-02
       Relevant URL: http://www.securityfocus.com/bid/2678
       Summary: Red Hat Linux is the Linux distribution maintained and distributed by Red Hat Incorporated. Red Hat Linux offers a scalable, full featured operating system that can operate on a system as small as a desktop, and as large as an enterprise server. A problem exists in Red Hat Linux that could allow local users to gain access to privileged information. This vulnerability has been verified under circumstances such as upgrades from previous revisions to 7.1. When a system with less swap space than physical RAM is upgraded to version 7.1, the upgrade prompts the user to create more swap space, giving the option to create this swap space in a file on the ext2 file system. If the user selects the option of having a swap file created on the ext2 file system, this file is created with world readable permissions. This design flaw makes it possible for any local user to read the contents of the file. It is currently unknown whether this swap file is used by the system after installation is complete, and the system has entered normal operation.
    6. SAP Web Application Server for Linux Arbitrary Command Execution Vulnerability
       BugTraq ID: 2662
       Remote: No
       Date Published: 2001-04-29
       Relevant URL: http://www.securityfocus.com/bid/2662
       Summary: The SAP TestDrive Web Application Server for Linux is distributed as part of a SAP LinuxLab evaluation CD. An input validation error exists in the SAP Operating System Collector (saposcol) included with the CD which could allow a local user to execute arbitrary code with elevated privileges. The problem exists as the result of a call to popen(). Since popen() relies on /bin/sh to execute programs and no checking is done on environment variables, an attacker could modify their own environment variables such that saposcol executes unintended programs. Because the program is installed setuid root by default, it is possible for a local attacker to execute arbitrary code as root.
       Note: The original report detailing this vulnerability was based on analysis of an evaluation version of the SAP Web Application Server for Linux. While it is likely that the vulnerability is present in commercial versions, it has not been confirmed.
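An added example, not SAP's code and not part of the newsletter, of the alternative to the popen() call described in the saposcol entry (BugTraq ID 2662): the helper is run by absolute path with execve() and a fixed environment, so neither /bin/sh nor the caller's variables are involved. The names run_helper and CLEAN_ENV, and the use of /usr/bin/env as the helper, are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to every helper; nothing is inherited. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Run an absolute-path helper with no shell and capture its stdout.
 * Returns the helper's exit status, or -1 on error. */
int run_helper(const char *path, char *const argv[], char *out, size_t len)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    if (path[0] != '/' || len == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        /* Drop setuid/setgid privilege for good before running the helper. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(path, argv, CLEAN_ENV);   /* no PATH search, no /bin/sh */
        _exit(127);
    }
    close(fds[1]);
    while (used < len - 1 && (n = read(fds[0], out + used, len - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed check (assumes /usr/bin/env exists): returns 1 if the helper
 * sees only CLEAN_ENV even though the caller's PATH has been changed. */
int demo_clean_env(void)
{
    char out[512];
    char *const argv[] = { "env", NULL };
    setenv("PATH", "/tmp/untrusted", 1);
    if (run_helper("/usr/bin/env", argv, out, sizeof out) != 0)
        return 0;
    return !strstr(out, "untrusted") && strstr(out, "PATH=/usr/bin:/bin") != NULL;
}
```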
  3. LINUX FOCUS LIST SUMMARY
    1. lpt (Thread)
       Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2001-05-04%26thread%3dPine.LNX.4.33.0105030946350.758-100000@carandiru.conectiva
    2. secure temporary files (Thread)
       Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2001-05-04%26thread%3dPine.LNX.4.30.0105011644370.1641-100000@spice.eahd.or.ug
    3. blocking access (Thread)
       Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2001-05-04%26thread%3dPine.LNX.4.21.0104301959340.2304-100000@prax.unix.csis.american.edu
    4. SecurityFocus.com Linux Newsletter #26 (Thread)
       Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2001-05-04%26thread%3dPine.GSO.4.30.0104300956540.1246-100000@mail
  4. NEW PRODUCTS FOR LINUX PLATFORMS
    1. Storm Firewall
       by Stormix Technologies
       Platforms: Linux
       Relevant URL: http://www.securityfocus.com/products/1332
       Summary: The Storm Firewall is a stable, easy-to-use security solution for your home or business computers. The Storm Firewall graphical user interface provides:
       - Firewall Setup Wizard lets anyone set up a firewall quickly.
       - Simple Options builds on top of the base provided by the Wizard, allowing for further customization.
       - Advanced Setup gives you the flexibility to edit rules at the chain level, so you can design your own firewall.
       - Log Viewer allows you to view firewall activity, and filter logs by IP address or chain.
    2. Gateway Guardian
       by NetMaster Networking Solutions, Inc.
       Platforms: Linux
       Relevant URL: http://www.securityfocus.com/products/1298
       Summary: Developed with NetMaster's own Linux distribution tailored specifically for firewall applications, Gateway Guardian is a very flexible, high-end firewall that takes a revolutionary approach to allowing a company to use a lower-end PC as their Internet gateway. Running on a PC that is not the Internet gateway, Gateway Guardian uses a pure Java application to preconfigure hardware, Internet provider settings, and firewall rules through a wizard-like format. When the information has been entered, the Java application writes an entire Linux operating system and the custom firewall configuration onto a 3-1/4" floppy diskette.
    3. PSAudit-UNIX
       by PentaSafe
       Platforms: FreeBSD, HP-UX, IRIX, Linux, NetBSD, Solaris, SunOS, Tru64 UNIX, UNIX, Ultrix and Unixware
       Relevant URL: http://www.securityfocus.com/products/272
       Summary: PentaSafe's PSAudit-Unix product provides UNIX security auditing capability for 90+ varieties of UNIX. Provides a review of your system using a standalone PC. With nothing to install on the UNIX system, the review can be performed non-intrusively without the usual dangers of damaging a live system or affecting performance. Copies four files to your PC; there is no software loaded onto the UNIX system and no need for network connections. Performs 60+ tests on the system; results are assimilated into easily interpreted reports.
  5. NEW TOOLS FOR LINUX PLATFORMS
    1. SILC (Secure Internet Live Conferencing)
       by Pekka Riikonen <priikone@poseidon.pspt.fi>
       Platforms: Linux
       Relevant URL: http://www.securityfocus.com/tools/1641
       Summary: SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services in the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.
    2. ferm
       by Auke Kok <koka@geo.vu.nl>
       Platforms: Linux
       Relevant URL: http://www.securityfocus.com/tools/1866
       Summary: ferm is a tool to maintain and set up complicated firewall rules. It allows one to reduce the tedious task of carefully inserting rules and chains, thus enabling the firewall administrator to spend more time on developing good rules, and less time on the proper implementation of those rules. These rules will be executed by the preferred kernel interface, such as ipchains and iptables, and in one pass. Firewall rules can also be split into different files and loaded at will.
    3. mcrypt
       by Nikos Mavroyanopoulos <nmav@hellug.gr>
       Platforms: Linux
       Relevant URL: http://www.securityfocus.com/tools/751
       Summary: mcrypt is a program for encrypting files or streams. It is intended to be a replacement for the old UNIX crypt. It uses well-known and well-tested algorithms like DES, BLOWFISH, TWOFISH, ARCFOUR, CAST-128, and more in several modes (CBC, CFB, etc.). It also has a compatibility mode with the old UNIX crypt and Solaris des.
    4. tcpspy
       by Tim J Robbins <fyre@eryf.net>
       Platforms: Linux
       Relevant URL: http://www.securityfocus.com/tools/1819
       Summary: tcpspy is an administrator's tool that logs information about incoming and outgoing TCP/IP connections including local address, remote address, and the username of the user responsible for the connection.
    5. Tech Tracker
       by Anyah
       Platforms: Linux
       Relevant URL: http://www.securityfocus.com/tools/2031
       Summary: Tech Tracker is a Web-based IT tracking system that strives to be simple-to-administrate and use, yet powerful. Its features include problem tracking, hardware asset tracking, customizable lookup lists, varying levels of access, user management from the Web interface, and the ability to import data.
  6. SUBSCRIBE/UNSUBSCRIBE INFORMATION
    1. How do I subscribe?
       Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:
         SUBSCRIBE FOCUS-LINUX Lastname, Firstname
       You will receive a confirmation request message to which you will have to answer.
    2. How do I unsubscribe?
       Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed address with a message body of:
         UNSUBSCRIBE FOCUS-LINUX
       If your e-mail address has changed, e-mail aleph1@securityfocus.com and I will manually remove you.
    3. How do I disable mail delivery temporarily?
       If you are simply going on vacation you can turn off mail delivery without unsubscribing by sending LISTSERV the command:
         SET FOCUS-LINUX NOMAIL
       To turn back on e-mail delivery use the command:
         SET FOCUS-LINUX MAIL
    4. Is the list available in a digest format?
       Yes. The digest is generated once a day.
    5. How do I subscribe to the digest?
       To subscribe to the digest join the list normally (see section 0.2.1) and then send a message to LISTSERV@SECURITYFOCUS.COM with a message body of:
         SET FOCUS-LINUX DIGEST
    6. How do I unsubscribe from the digest?
       To turn the digest off send a message to LISTSERV with a message body of:
         SET FOCUS-LINUX NODIGEST
       If you want to unsubscribe from the list completely follow the instructions of section 0.2.2 next.
    7. I seem to not be able to unsubscribe. What is going on?
       You are probably subscribed from a different address than that from which you are sending commands to LISTSERV. Either send e-mail from the appropriate address or e-mail the moderator to be unsubscribed manually.
 