Reprinted in full with permission of SecurityFocus
- FRONT AND CENTER
- Studying Normal Traffic, Part Three: TCP Headers
- LINUX VULNERABILITY SUMMARY
- Multiple Vendor loopback (land.c) Denial of Service Vulnerability
- Multiple Vendor TCP Initial Sequence Number Statistical Vulnerability
- RedHat Linux Swap File World Readable Permissions Vulnerability
- SAP Web Application Server for Linux Arbitrary Command Execution Vuln
- LINUX FOCUS LIST SUMMARY
- Configuration mistake in popular Linux security documentation. (Thread)
- DNS Floods to personal firewalls (Thread)
- lpt (solved) (Thread)
- Subscription probe for FOCUS-LINUX - please ignore (Thread)
- Fw: your post (Thread)
- NEW PRODUCTS FOR LINUX PLATFORMS
- 1. CRYPTOAdmin Token Administration System
- NEW TOOLS FOR LINUX PLATFORMS
- Hark!
- nPULSE v0.52
- SILC (Secure Internet Live Conferencing) v0.2.3
- Gibraltar Firewall 0.98c
- gShield v2.6.2
- xautolock v2.x / 2.0
- Astaro Security Linux 1.811
- grsecurity v1.1
- Tech Tracker v.85001
- SUBSCRIBE/UNSUBSCRIBE INFORMATION
- FRONT AND CENTER
-------------------
- Studying Normal Traffic, Part Three: TCP Headers
This is the final article in a three-part series devoted to studying
normal traffic. The first two articles in this series showed how to
capture packets using WinDump and reviewed some of the basics of normal
TCP/IP traffic. In this article, we will be looking at two other aspects
of normal TCP traffic: the structure of TCP packets and the use of TCP
options.
http://www.securityfocus.com/focus/ids/articles/normaltraf3.html
- BUGTRAQ SUMMARY
-------------------
- Multiple Vendor loopback (land.c) Denial of Service Vulnerability
BugTraq ID: 2666
Remote: Yes
Date Published: 1997-11-20
Relevant URL:
http://www.securityfocus.com/bid/2666
Summary:
A number of TCP/IP stacks are vulnerable to a "loopback" condition
initiated by sending a TCP packet with the "SYN" flag set and the source
address and port spoofed to equal the destination address and port. When a
packet of this sort is received, an infinite loop is initiated and the
affected system halts. This is known to affect Windows 95,
Windows NT 4.0 up to SP3, Cisco IOS devices and Catalyst switches, and HP-UX
up to 11.00.
- Multiple Vendor TCP Initial Sequence Number Statistical Vulnerability
BugTraq ID: 2682
Remote: Yes
Date Published: 2001-03-14
Relevant URL:
http://www.securityfocus.com/bid/2682
Summary:
Over the past several years, a variety of attacks against TCP initial
sequence number (ISN) generation have been discussed.
A vulnerability exists in some TCP/IP stack implementations that use
random increments for initial sequence numbers. Such implementations are
vulnerable to statistical attack, which could allow an attacker to
predict, within a reasonable range, sequence numbers of future and
existing connections.
The weakness is due to the implications of the Central Limit Theorem,
which roughly states that the distribution of the sum of a large number of
independent, identically distributed variables will be approximately
normal, regardless of the underlying distribution. According to the TCP
protocol, a packet from a remote host with the correct sequence number is
trusted to come from that host. By predicting a sequence number, several
attacks could be performed; an attacker could disrupt or hijack existing
connections, or spoof future connections.
The practical impact of the attack depends on the target protocol. Most
importantly, systems running insecure protocols which blindly trust a TCP
connection which appears to come from a given IP address without requiring
any other form of authentication are vulnerable to spoofing by a remote
attacker, potentially yielding privileges or access on the system.
- RedHat Linux Swap File World Readable Permissions Vulnerability
BugTraq ID: 2678
Remote: No
Date Published: 2001-05-02
Relevant URL:
http://www.securityfocus.com/bid/2678
Summary:
Red Hat Linux is the Linux distribution maintained and distributed by Red
Hat Incorporated. Red Hat Linux offers a scalable, full featured
operating system that can operate on a system as small as a desktop and
as large as an enterprise server.
A problem exists in Red Hat Linux that could allow local users to gain
access to privileged information. This vulnerability has been verified
under circumstances such as upgrades from previous revisions to 7.1.
When a system with less swap space than physical RAM is upgraded to
version 7.1, the upgrade prompts the user to create more swap space,
giving the option to create this swap space in a file on the ext2 file
system. If the user selects the option of having a swap file created on
the ext2 file system, this file is created with world readable
permissions. This design flaw makes it possible for any local user to
read the contents of the file.
It is currently unknown whether this swap file is used by the system after
installation is complete, and the system has entered normal operation.
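A local check for the condition described in this entry, as an added example that is not part of the original advisory: it reads a /proc/swaps-style listing and counts file-backed swap areas whose mode grants any access to group or other. The function name and the 0600 expectation are choices made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Count file-backed swap areas in a /proc/swaps-style listing whose mode
 * grants any access to group or other. Returns -1 if the listing is empty.
 * Paths containing spaces (escaped as \040 by the kernel) are not decoded. */
int count_exposed_swapfiles(FILE *swaps)
{
    char line[512], path[256], type[32];
    int exposed = 0;

    if (!fgets(line, sizeof line, swaps))   /* skip the column header line */
        return -1;
    while (fgets(line, sizeof line, swaps)) {
        struct stat st;
        if (sscanf(line, "%255s %31s", path, type) != 2)
            continue;
        if (strcmp(type, "file") != 0)      /* swap partitions are out of scope */
            continue;
        if (stat(path, &st) != 0)
            continue;
        if (st.st_mode & (S_IRWXG | S_IRWXO)) {
            printf("%s: mode %04o, expected 0600\n",
                   path, (unsigned)(st.st_mode & 07777));
            exposed++;
        }
    }
    return exposed;
}

int main(void)
{
    FILE *f = fopen("/proc/swaps", "r");
    if (!f) { perror("/proc/swaps"); return 2; }
    int n = count_exposed_swapfiles(f);
    fclose(f);
    return n > 0;   /* non-zero exit when at least one swap file is exposed */
}
```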
- SAP Web Application Server for Linux Arbitrary Command Execution Vulnerability
BugTraq ID: 2662
Remote: No
Date Published: 2001-04-29
Relevant URL:
http://www.securityfocus.com/bid/2662
Summary:
The SAP TestDrive Web Application Server for Linux is distributed as part
of a SAP LinuxLab evaluation CD.
An input validation error exists in the SAP Operating System Collector
(saposcol) included with the CD which could allow a local user to execute
arbitrary code with elevated privileges.
The problem exists as the result of a call to popen(). Since popen()
relies on /bin/sh to execute programs and no checking is done on
environment variables, an attacker could modify their own environment
variables such that saposcol executes unintended programs.
Because the program is installed setuid root by default, it is possible
for a local attacker to execute arbitrary code as root.
Note: The original report detailing this vulnerability was based on
analysis of an evaluation version of the SAP Web Application Server for
Linux. While it is likely that the vulnerability is present in commercial
versions, it has not been confirmed.
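The popen() pattern described in the SAP entry beside a hardened replacement, as an added example that is not saposcol's code: the command name "df", the function names and the fixed PATH value are assumptions made for illustration. The hardened form runs an absolute path without a shell and passes a fixed environment instead of the caller's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Pattern from the summary: popen() hands the string to /bin/sh, which
 * resolves "df" through the invoking user's PATH. "df" is a hypothetical
 * stand-in; the page does not name the command saposcol runs. */
FILE *collect_unsafe(void) { return popen("df", "r"); }

/* Hardened form: no shell, absolute path only, fixed environment.
 * Stores up to n-1 bytes of the child's stdout in out. Returns the child's
 * exit status, or -1 on error or if the child did not exit normally. */
int run_fixed(const char *abs_path, char *const argv[], char *out, size_t n)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int fds[2];
    if (abs_path[0] != '/' || n == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(abs_path, argv, clean_env);  /* caller's environment is dropped */
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t r;
    while (used < n - 1 && (r = read(fds[0], out + used, n - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char buf[4096];
    char *const argv[] = { "env", NULL };
    setenv("PATH", "/tmp/constructed-untrusted:/usr/bin", 1); /* constructed hostile caller */
    int rc = run_fixed("/usr/bin/env", argv, buf, sizeof buf);
    fputs(buf, stdout);
    return rc != 0 || strstr(buf, "constructed") != NULL;
}
```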
- LINUX FOCUS LIST SUMMARY
---------------------------------
- Configuration mistake in popular Linux security documentation. (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2001-05-11%26thread%3d200105070904.LAA07824@post.webmailer.de
- DNS Floods to personal firewalls (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2001-05-11%26thread%3d3AF5C0F6.2412.78679C8@localhost
- lpt (solved) (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2001-05-11%26thread%3d3AF59840.AC19A9A5@sh.cvut.cz
- Subscription probe for FOCUS-LINUX - please ignore (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2001-05-11%26thread%3d20010506120546.588FD24C3FC@lists.securityfocus.com
- Fw: your post (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2001-05-11%26thread%3d009101c0d4e6$b7375fc0$0400a8c0@ratu
- NEW PRODUCTS FOR LINUX PLATFORMS
-----------------------------------
- CRYPTOAdmin Token Administration System
Platforms: Unix and Windows NT
by CRYPTOCard
Relevant URL: http://www.securityfocus.com/templates/product.html?id=459
CRYPTOAdmin is a client-server application that allows system
administrators to initialize CRYPTOCard RB-1 Challenge-Response Tokens and
centrally administer user databases. CRYPTOAdmin is designed to work in
conjunction with third party products that have built-in support for
CRYPTOCard tokens. These third party products include authentication
servers and firewalls from a growing list of vendors. Built-in token
support means there is no extra server to buy; the third party products
are already CRYPTOCard-enabled. CRYPTOAdmin enhances the functionality and
ease-of-use of these third party products while keeping costs low.
- NEW TOOLS FOR LINUX PLATFORMS
------------------------------------
- Hark!
Platforms: Solaris, UNIX, Windows 2000, Windows 95/98 and Windows NT
by Camelot
Relevant URL: http://www.securityfocus.com/tools/2040
Hark! is the world's first automated intelligent access control solution.
Powered by Camelot's Network Intelligence technology, Hark! utilizes
advanced discovery algorithms to analyze network events and deduce the
functional structure of an organization, extracting and mapping the
relationships between users and various network resources.
- nPULSE v0.52
Platforms: FreeBSD, Linux, Solaris and UNIX
by Dr. Steven Horsburgh (shorsburgh@horsburgh.com)
Relevant URL: http://www.securityfocus.com/tools/1716
nPULSE is a web-based network monitoring package for Unix-like operating
systems. It can quickly monitor tens, hundreds, even thousands of
sites/devices at a time on multiple ports. nPULSE is written in Perl and
comes with its own mini web server for extra security.
- SILC (Secure Internet Live Conferencing) v0.2.3
Platforms: Linux
by Pekka Riikonen (priikone@poseidon.pspt.fi)
Relevant URL: http://www.securityfocus.com/tools/1641
SILC (Secure Internet Live Conferencing) is a protocol which provides
secure conferencing services in the Internet over insecure channels. SILC
superficially resembles IRC, although they are very different internally.
The purpose of SILC is to provide secure conferencing services. Strong
cryptographic methods are used to secure all traffic.
- Gibraltar Firewall 0.98c
Platforms: Linux
by Rene Mayrhofer (rene.mayrhofer@vianova.at)
Relevant URL: http://www.securityfocus.com/tools/1837
Gibraltar is a Debian-based router/firewall distribution, fully workable
from a bootable, live CD-ROM. Log files can be stored on a harddisk, and
configuration data is stored on a floppy disk and kept on a RAM disk
during run-time. It runs directly from the CD-ROM. The official ISO images
of Gibraltar can be used freely but commercial distribution is restricted.
- gShield v2.6.2
Platforms: Linux
by R. Gregory (godot@mindspring.com)
Relevant URL: http://www.securityfocus.com/tools/1154
gShield is an iptables firewall for use with the 2.4.x Linux kernel
series. It has aggressive defaults, easy configuration through a BSD-style
configuration file, support for NAT, variable access control for services,
integrated port-forwarding, transparent proxy support, and more. It seeks
to make administrating a comprehensive firewall easier.
New Features include:
- handles dynamic or static IP's without problem
- can selectively enable IP Masqing
- adds tcpwrapper-like functionality for access to services
- aggressive defaults; only default 'open' service is auth
- easily configurable via a well commented BSD-style conf file.
- can include user defined rulesets within the script itself
- xautolock v2.x / 2.0
Platforms: FreeBSD, Linux, OpenBSD, Solaris, SunOS and UNIX
by MCE
Relevant URL: http://www.securityfocus.com/tools/2038
Xautolock monitors console activity under the X window system, and fires
up a program of your choice if nothing happens during a user configurable
period of time. You can use this to automatically start up a screen locker
in case you tend to forget to do so manually before having a coffee break.
- Astaro Security Linux 1.811
Platforms: Linux
by Astaro AG (info@astaro.de)
Relevant URL: http://www.securityfocus.com/tools/1831
Astaro Security Linux is a new firewall solution. It does stateful
inspection, packet filtering, content filtering, virus scanning, VPN with
IPSec, and much more. With its Web-based management tool and the ability
to pull updates over the Internet, it is pretty easy to manage. It is
based on a special hardened Linux 2.4 distribution where most daemons are
running in change-roots and are protected by capabilities.
- grsecurity v1.1
Platforms: Linux
by spender
Relevant URL: http://www.securityfocus.com/tools/2036
grsecurity is a set of security patches based on code from hap-linux and
openwall which have been ported to the 2.4 kernel. It features a
non-executable stack, /proc restrictions, chroot restrictions, linking and
fifo restrictions, exec and set*id logging, secure file descriptors,
stealth networking enhancements, signal logging, failed fork logging, time
change logging, and others.
- Tech Tracker v.85001
Platforms: Linux
by Anyah
Relevant URL: http://www.securityfocus.com/tools/2031
Tech Tracker is a Web-based IT tracking system that strives to be
simple-to-administrate and use, yet powerful. Its features include problem
tracking, hardware asset tracking, customizable lookup lists, varying
levels of access, user management from the Web interface, and the
ability to import data.
- SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
- How do I subscribe?
Send an email message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE FOCUS-LINUX Lastname, Firstname
You will receive a confirmation request message to which you will have
to respond.
- How do I unsubscribe?
Send an email message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE FOCUS-LINUX
If your email address has changed, email aleph1@securityfocus.com and I
will manually remove you.
- How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET FOCUS-LINUX NOMAIL
To turn back on email delivery use the command:
SET FOCUS-LINUX MAIL
- Is the list available in a digest format?
Yes. The digest is generated once a day.
- How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:
SET FOCUS-LINUX DIGEST
- How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET FOCUS-LINUX NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
- I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than that from
which you are sending commands to LISTSERV. Either send email from
the appropriate address or email the moderator to be unsubscribed manually.