
[ISN] Linux Advisory Watch - July 14th 2006

|  LinuxSecurity.com                               Weekly Newsletter  |
|  July 14th 2006                               Volume 7, Number 29a  |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for openoffice, xine-lib, ppp,
gnupg, mutt, libmms, samba, cups, apache2, kernel, and vixie-cron.
The distributors include Debian, Mandriva, and Red Hat.




Packet Sniffing Overview

A packet sniffer is a program that monitors the network traffic
passing through your computer. A packet sniffer running on a PC
connected to the internet by modem can tell you your current IP
address as well as the IP addresses of the web servers whose
sites you are visiting. You can watch all the unencrypted data
that travels from your computer onto the internet. This includes
passwords and other sensitive data that is not secured by
encryption. Put a packet sniffer on a router on the internet,
and you can watch all the network traffic that passes through
that router. This includes the traffic of absolutely anyone
whose data happens to pass through that router.

Sniffers are basically data interception programs. They work
because Ethernet was built around a principle of sharing.
Most networks use what is known as broadcast technology, meaning
that every message transmitted by one computer on a network can
be read by any other computer on that network. In practice, all
the other computers, except the one for which the message is
meant, will ignore that message. However, computers can be made
to accept messages, even if they are not meant for them, by
means of a sniffer, which puts the network adaptor into
promiscuous mode.

A sniffer is usually passive: it only collects data. Hence, it
becomes extremely difficult to detect a sniffer. When installed
on a computer, though, a sniffer will generate some small amount
of traffic and is therefore detectable.

1. Ping Method:

The trick used here is to send a ping request with the IP
address of the suspect machine but not its MAC address.
Ideally, no machine should see this packet, as each Ethernet
adaptor will reject it since it does not match its own MAC
address. If the suspect machine is running a sniffer, it
will respond since it does not reject packets with a different
destination MAC address. This is an old method and no longer

2. Address Resolution Protocol (ARP) Method:

A machine caches ARPs, so what we do is send a non-broadcast
ARP. A machine in promiscuous mode will cache your ARP
address. Next, we send a broadcast ping packet with our IP
address but a different MAC address. Only a machine that has
our correct MAC address from the sniffed ARP frame will be
able to respond to our broadcast ping request.

3. On Local Host:

Often, after your machine has been compromised, hackers will
leave sniffers on it in order to compromise other hosts. On
a local machine, run ifconfig.

4. Latency Method:

This method is based on the assumption that most sniffers
do some parsing. Simply put, in this method, a huge amount
of data is sent on the network, and the suspect machine is
pinged before and during the data flooding. If the machine
is in promiscuous mode, it will parse the data, increasing
the load on it. It will therefore take extra time to
respond to the ping packet. This difference in response
times can be used as an indicator of whether or not a
machine is in promiscuous mode. A point worth noting is
that the packets may be delayed because of the load on the
wire, resulting in false positives.
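
The local-host check in method 3, as an added example that is not
part of the original newsletter: a POSIX shell function that lists
interfaces with the promiscuous flag set, reading the flags word
Linux exposes under /sys/class/net instead of parsing ifconfig
output. The function name promisc_ifaces and its optional directory
argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list network interfaces that are in promiscuous mode.
# The sysfs flags word is the kernel's own device flags, so it also shows
# promiscuous mode enabled through a packet socket (as libpcap does),
# which the PROMISC flag printed by ifconfig can miss.

IFF_PROMISC=256   # 0x100, from <linux/if.h>

# promisc_ifaces [DIR]  (hypothetical helper name)
# Prints one interface name per line for every DIR/<iface>/flags whose
# value has IFF_PROMISC set. DIR defaults to /sys/class/net; the argument
# lets the function be pointed at a constructed directory tree.
promisc_ifaces() {
    root=${1:-/sys/class/net}
    for f in "$root"/*/flags; do
        [ -r "$f" ] || continue
        read -r hex < "$f" || continue
        digits=${hex#0x}
        # Accept only hex digits before handing the value to arithmetic.
        case $digits in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        if [ $(( 0x$digits & $IFF_PROMISC )) -ne 0 ]; then
            iface=${f%/flags}
            printf '%s\n' "${iface##*/}"
        fi
    done
}

# Report on the running system (no output means no interface is flagged).
promisc_ifaces "$@"
```

An interface listed here that no administrator put into promiscuous
mode (for a bridge, a capture session or a virtual machine host) is
worth investigating.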




Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access
beyond that which is needed for proper system operations. A full
explanation of Unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one
is available right here on linuxsecurity.com.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Debian           | ----------------------------//

* Debian: New OpenOffice.org packages fix arbitrary code execution
  6th, July, 2006

Loading malformed XML documents can cause buffer overflows in
OpenOffice.org, a free office suite, and cause a denial of service or
execute arbitrary code.  It turned out that the correction in DSA
1104-1 was not sufficient, hence, another update.


* Debian: New xine-lib packages fix denial of service
  7th, July, 2006

Federico L. Bossi Bonin discovered a buffer overflow in the HTTP
Plugin in xine-lib, the xine video/media player library, that could
allow a remote attacker to cause a denial of service.


* Debian: New ppp packages fix privilege escalation
  10th, July, 2006

Marcus Meissner discovered that the winbind plugin in pppd does not
check whether a setuid() call has been successful when trying to drop
privileges, which may fail with some PAM configurations.


* Debian: New GnuPG packages fix denial of service
  10th, July, 2006

Evgeny Legerov discovered that gnupg, the GNU privacy guard, a free
PGP replacement, contains an integer overflow that can cause a
segmentation fault and possibly overwrite memory via a large user ID


* Debian: New mutt packages fix arbitrary code execution
  10th, July, 2006

Updated package.


|  Distribution: Mandriva         | ----------------------------//

* Mandriva: Updated libmms packages fix buffer overflow vulnerability
  7th, July, 2006

Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to
cause a denial of service (application crash) and possibly execute
arbitrary code via the (1) send_command, (2) string_utf16, (3)
get_data, and (4) get_media_packet functions, and possibly other
functions. Libmms uses the same vulnerable code. The updated packages
have been patched to correct this issue.


* Mandriva: Updated OpenOffice.org packages fix various
  8th, July, 2006

OpenOffice.org 1.1.x up to 1.1.5 and 2.0.x before 2.0.3 allows
user-complicit attackers to conduct unauthorized activities via
an OpenOffice document with a malicious BASIC macro, which is
executed without prompting the user.


* Mandriva: Updated ppp packages fix plugin vulnerability
  11th, July, 2006

Marcus Meissner discovered that pppd's winbind plugin did not check
the result of the setuid() call, which could allow an attacker to
exploit this on systems with certain PAM limits enabled to execute
the NTLM authentication helper as root.  This could possibly lead to
privilege escalation dependent upon the local winbind configuration.
Updated packages have been patched to correct this issue.


* Mandriva: Updated samba packages fix DoS vulnerability
  11th, July, 2006

A vulnerability in samba 3.0.x was discovered where an attacker could
cause a single smbd process to bloat, exhausting memory on the
system. This bug is caused by continually increasing the size of an
array which maintains state information about the number of active
share connections.  Updated packages have been patched to correct this


* Mandriva: Updated cups packages to address initscript bug
  11th, July, 2006

A bug in the cupsd initscript could prevent a system from coming
fully online if the CUPS daemon does not actually get started (for
example, if the CUPS config or cache file is corrupted or port 631 is
blocked) by continuously attempting to see if the cups server is
available without a timeout. Updated packages are provided that
correct the issue.


* Mandriva: Updated libmms packages fix buffer overflow vulnerability
  12th, July, 2006

The previous update for libmms had an incorrect/incomplete patch.
This update includes a more complete fix for the issue.


* Mandriva: Updated xine-lib packages fix buffer overflow
  12th, July, 2006

The updated packages have been patched to correct this issue.


* Mandriva: Updated apache2 packages to address logging bug
  12th, July, 2006

A patch applied to the build of apache2, when built on x86_64, can
cause various issues in logging.


|  Distribution: Red Hat          | ----------------------------//

* RedHat: Important: kernel security update
  7th, July, 2006

Updated kernel packages that fix a privilege escalation security
issue in the Red Hat Enterprise Linux 4 kernel are now available.
This security advisory has been rated as having important security
impact by the Red Hat Security Response Team.


* RedHat: Important: vixie-cron security update
  12th, July, 2006

Updated vixie-cron packages that fix a privilege escalation issue are
now available. This update has been rated as having important security
impact by the Red Hat Security Response Team.


* RedHat: Moderate: php security update
  12th, July, 2006

Updated PHP packages that fix multiple security issues are now available 
for Red Hat Enterprise Linux 3 and 4. This update has been rated as having 
moderate security impact by the Red Hat Security Response Team.


* RedHat: Moderate: mutt security update
  12th, July, 2006

Updated mutt packages that fix a security issue are now available.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
