Linux Security Week, August 7, 2000
By Dave Wreski
Submitted By: LinuxSecurity.com Contributors
Posted By: Dave Wreski 8/7/2000 17:11

This week brings advisories for mailman, netscape, cvsweb, kon2, and pam_console. Of these, remote root vulnerabilities are present in cvsweb and kon2.

Our feature for this week is an article by Chris Parker discussing the US and UK governments' wish to install a device on public networks to monitor traffic for suspected criminal activities. The article discusses both the FBI's Carnivore email surveillance system and the RIP Bill that has recently been passed in the UK.

Carnivore and Privacy: An Oxymoron?

Thanks to LinuxLock.org for making LinuxSecurity.com their Security Source of the Month.

Our sponsor this week is WebTrends. Their Security Analyzer has the most vulnerability tests available for Red Hat & VA Linux. It uses advanced agent-based technology, enabling you to scan your Linux servers from your Windows NT/2000 console and protect them against potential threats. Now with over 1,000 tests available. Visit WebTrends

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines and system advisories.

Advisories

* Debian: mailman vulnerability
August 6th, 2000
Former versions of mailman v2.0 came with a security problem, introduced during the 2.0 beta cycle, that could be exploited by clever local users to gain group mailman permission. No exploit exists at the moment, though.

* SuSE: Misc Security Info
August 4th, 2000
This advisory contains information on the status of several outstanding potential security vulnerabilities present in SuSE Linux, including: netscape, knfsd, system user account nobody, pam_console, gpm, openldap, and mailman.

* RedHat: mailman vulnerability
August 3rd, 2000
New mailman packages are available which close security holes present in earlier versions of mailman.
All sites using the mailman mailing list management software should upgrade.

* Mandrake: mailman
August 3rd, 2000
The wrapper program supplied with the mailman package has a format bug which could be exploited to obtain the privileges of the mailman user, which has read and write access to all files mailman uses. This vulnerability can only be exploited by root users with shell access.

* Mandrake: pam vulnerability
August 2nd, 2000
There is a problem with the pam_console module that incorrectly identifies remote X logins for displays other than :0 (for example, :1, :2, etc.) as being local displays, thus giving control of the console to the remote user. Because the remote user has control of the console, they are able to issue commands to reboot the remote system after providing their password. Please note that this vulnerability is only exploitable if the system is running a graphical login manager like gdm, kdm, or xdm and if XDMCP is enabled and remote access is granted. Users are strongly encouraged to upgrade to this version, which fixes the exploit (thanks to RedHat).

* Conectiva: mailman vulnerability
August 2nd, 2000
The wrapper program supplied with the mailman package has a format bug which could be exploited to obtain the privileges of the mailman user. This user has read and write access to all files of the mailman package. Note that this vulnerability can only be exploited by local users with shell access.

* Mandrake: kon2 vulnerability
August 2nd, 2000
There is a vulnerable suid program called fld. This program accepts option input from a text file and it is possible to input arbitrary code into the stack, thus spawning a root shell.

* TurboLinux: netscape-4.73 and earlier
August 2nd, 2000
Current and previous versions of netscape communicator have a buffer overflow condition in its handling of JPEG files.
Specifically, it trusts the purported length of JPEG files provided by the header and can be misled into reading arbitrary amounts of data, leading to the overwriting of memory.

* TurboLinux: cvsweb-1.90 and earlier
August 1st, 2000
Remote root exploit present in versions earlier than 2.0. Current and previous versions of cvsweb allow remote users to access/write files as the default web user via the cvsweb.cgi script.

* Mandrake: netscape vulnerability
August 1st, 2000
Previous versions of Netscape, from version 3.0 to 4.73, contain a serious overflow flaw due to improper input verification in Netscape's JPEG processing code. The way Netscape processed JPEG comments trusted the length parameter for comment fields. By manipulating this value, it was possible to cause Netscape to read in an excessive amount of data which would then overwrite memory. Data with a malicious design could allow a remote site to execute arbitrary code as the user of Netscape on the client system. It is highly recommended that everyone using Netscape upgrade to this latest version that fixes the flaw.

* RedHat: netscape vulnerability
July 31st, 2000
Netscape's processing of JPEG comments trusted the length parameter for comment fields; by manipulating this value, it would be possible to cause netscape to read in an excessive amount of data, overwriting memory. Specially designed data could allow a remote site to execute arbitrary code as the user of netscape.

Top Articles

* Interview with Jasta: coder of Gnapster
August 4th, 2000
Chris writes, "Since the invention of Napster, Peer to Peer sharing has been on all of our security conscious minds... Is this safe? Can this program allow my network to be compromised? Was security an issue when these Apps were created? Well, we interviewed Jasta, creator of Gnapster, the gnome napster client, about the security concerns of Gnapster/Napster, the feedback of Open Source security hackers, and how much he thought about security when coding Gnapster."
* Discussion of "Linux Sux Redux" Issue
August 4th, 2000
Peter writes, "This is in response to an article posted at abcnews.com by Fred Moody, available at: http://abcnews.go.com/sections/tech/FredMoody/moody.html, in which he claims that Linux is a far less secure operating system than NT, based on his interpretation of the Bugtraq vulnerability statistics."

* How Do I Tighten Security on My System?
July 31st, 2000
"Hardening" a system is the practice of making that system much harder to crack. I like to think that this involves steps not only to prevent break-ins, but also to detect them when they happen.

* Bruce Schneier, "It doesn't look good."
July 31st, 2000
Speaking at the Black Hat Security Conference, cryptographer and security expert Bruce Schneier gave one of the opening keynotes Wednesday. In it, he argued that inevitably, as the Internet and computer systems become more complex, they become more insecure.

* Will Crypto Feast on Carnivore?
August 4th, 2000
In the aftermath of the FBI's recently revealed Carnivore email surveillance system, email security companies are hoping they can convince average email users to seal their electronic envelopes -- and finally propel email encryption into a broader market. "We're seeing Carnivore pop up and become a real threat to people's privacy and saying, 'Wait a second -- we could take this product Mithril, our secure server product, re-brand it and put it out there,'" said Sean Steele, director of business development at security firm ChainMail.

* An Old Spy with a New Vision of Encryption
August 3rd, 2000
Ex-NSA official and now Cylink CEO Bill Crowell is reviving the software maker and helping to bridge the government-industry divide. After three decades at America's largest spy center, the National Security Agency, Crowell turned to the private sector in 1998 and has brought Cylink Corp., which nearly collapsed under the weight of accounting irregularities and a spate of resignations by top brass, back from the brink.
* The Coroner's Toolkit
August 5th, 2000
Wietse Venema and Dan Farmer, the authors of SATAN, have written a package called The Coroner's Toolkit (TCT) that is designed to help a System Administrator do forensic analysis on their cracked Unix box. The authors say that TCT does not have one single goal, but instead it has the theme of making a snapshot of the machine so that there can be an attempt towards reconstruction of the past.

* Running logcheck, the logfile auditing software for Unix
August 3rd, 2000
Portsentry has some very specific behaviors when triggered: it drops the offending connection, locks out the offending IP address, and then writes an alert to your system logs. Logcheck picks up where Portsentry leaves off, parsing system logs at pre-set intervals and mailing information about the attack or alert to the administrator (or the admin's designated recipient).

* Tools of the Trade: nmap
August 2nd, 2000
The intent of this article is to familiarize the reader with the network scanner nmap. As Lamont Grandquist (an nmap contributor/developer) points out, nmap does three things: it will ping a number of hosts to determine if they are up, it will portscan hosts to determine what services they are offering, and it will attempt to determine the OS (operating system) of host(s). Nmap allows the user to scan networks as small as a two node LAN (Local Area Network) or as large as a 500 node LAN and even larger. Nmap also allows you to customize your scanning techniques.

* FBI Agrees To Release Carnivore Details
August 7th, 2000
Pushed by a court hearing and growing press attention, the FBI on Wednesday agreed to expedite its release of documents detailing the inner workings of Carnivore, its controversial electronic wiretap system that scans private E-mail through Internet service providers. But ISPs must allow the FBI to install the system on their networks in the meantime.
* ISPs sued over spamming blacklist
August 5th, 2000
A leading Internet-based polling company is suing America Online Inc. and a dozen other Internet service providers for blocking correspondence with some 2.7 million of its 6.6 million online members.

* They Know Where You're Shopping
August 5th, 2000
Chris Hughes was surprised when Internet merchant PayPal rejected his credit card last week, but was even more surprised when he found out why. PayPal's credit card verification service, Cybersource Corp., indicated Hughes was a high risk because he had used 10 different credit cards at various Internet sites during the past several months.

* Interview with Lance Brown: StopCarnivore.org
August 4th, 2000
The HNS Staff did an interview with Lance Brown, the creator of http://www.stopcarnivore.org. Mr. Brown is the President and Founder of Future Solutions, which was founded in 1996 with the goal of pursuing freedom-minded solutions to tomorrow's problems. Mr. Brown is also: President and CEO of PeoplesForum.com; CIO/Technology Supervisor of Dispute Solvers/Rent-a-Court, an online dispute resolution firm; Candidate for President (of the U.S.) in 2008.

* E-tailers violate own privacy policies
August 4th, 2000
Without knowing it, some Internet shoppers are forking over more than cash for their purchases. Several online retailers have been giving their customers' personal information to a marketing company.

* 'Uncle Spam' wants you!
August 3rd, 2000
Uncle Sam could become "Uncle Spam" if the government follows through with plans for creating an "official U.S. e-mail box" for every address in America, say industry executives briefed on the proposal. The ruckus began earlier this week, when the U.S. Postal Service disclosed that it was exploring the e-mail idea. The government would use the e-mail addresses to send driver's license renewal forms, tax documents and other materials that would normally be sent by snail mail.
And Americans would visit two mailboxes every day -- the ones outside their homes and the ones inside their computers, said Deputy Postmaster General John M. Nolan.

* Join Us, Don't Fight Us, Pentagon Tells Hackers
August 1st, 2000
The largest-ever convention of computer hackers opened here on Friday with top-ranking U.S. military officials offering to hire the elite of the cybervandal world and put them to work defending against foreign government attacks. "I invite you to join the government, or private industry for that matter. But get on the defense side," Art Money, U.S. Assistant Secretary of Defense, and the Pentagon's Chief Information Officer with responsibility for command, control, communications and intelligence."

© Guardian Digital, Inc., 2000