+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  July 14th 2006                               Volume 7, Number 29a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for openoffice, xine-lib, ppp,
gnupg, mutt, libmms, samba, cups, apache2, kernel, vixie-cron, and
php. The distributors include Debian, Mandriva, and Red Hat.

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you can
earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec/

---

Packet Sniffing Overview

A packet sniffer is a program which monitors network traffic that
passes through your computer. A packet sniffer running on a PC that is
connected to the internet using a modem can tell you your current IP
address as well as the IP addresses of the web servers whose sites you
are visiting. You can watch all the unencrypted data that travels from
your computer onto the internet. This includes passwords and other
sensitive data that is not secured by encryption. Put a packet sniffer
on a router on the internet, and you can watch all the network traffic
that passes through that router. This includes absolutely anyone whose
data happens to pass through that router.

Sniffers are basically data interception programs. They work because
Ethernet was built around a principle of sharing.
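As an added example (not part of the original newsletter or of the article it excerpts), the following Python shows the two things a passive sniffer does: it decodes the raw Ethernet/IPv4/TCP frames it is handed and harvests whatever is in cleartext, here HTTP Basic credentials and a POP3 USER/PASS exchange. It also models the adapter's destination-MAC filter, which decides whether a host ever sees a frame not addressed to it; that filter is the behaviour the promiscuous-mode detection methods discussed next try to provoke. Every MAC and IP address, payload and helper name (nic_accepts, decode_frame, build_frame, sniff) is constructed for the demonstration, and frame checksums are left at zero because the frames are only parsed, never transmitted.

```python
"""What a passive sniffer sees: decode Ethernet II / IPv4 / TCP frames and
harvest cleartext credentials.  All addresses, payloads and frames below are
constructed for the demonstration, not captured traffic."""
import base64
import re
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Model the adapter's destination-MAC filter.  A normal NIC passes only
    frames for its own MAC or the broadcast address (multicast omitted); in
    promiscuous mode it passes every frame on the segment."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == own_mac or dst == BROADCAST_MAC


def decode_frame(frame: bytes) -> dict:
    """Parse the Ethernet, IPv4 and TCP headers; return addresses and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "ethertype": ethertype, "payload": b""}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(src_ip=ip_str(ip[12:16]), dst_ip=ip_str(ip[16:20]), proto=ip[9])
    if ip[9] != PROTO_TCP:
        return info
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    info.update(sport=sport, dport=dport, payload=tcp[data_off:])
    return info


def extract_credentials(payload: bytes) -> list:
    """Pull credentials out of two common cleartext protocols: HTTP Basic auth
    (base64 is an encoding, not encryption) and POP3/FTP-style USER/PASS."""
    found = []
    text = payload.decode("latin-1")
    m = re.search(r"Authorization: Basic ([A-Za-z0-9+/=]+)", text)
    if m:
        found.append(("http-basic", base64.b64decode(m.group(1)).decode("latin-1")))
    for m in re.finditer(r"^(USER|PASS) (\S+)", text, re.M):
        found.append((m.group(1).lower(), m.group(2)))
    return found


def sniff(frames, own_mac: bytes, promiscuous: bool) -> list:
    """Return a decoded record for every frame the adapter hands up to us."""
    records = []
    for frame in frames:
        if nic_accepts(frame, own_mac, promiscuous):
            rec = decode_frame(frame)
            rec["credentials"] = extract_credentials(rec["payload"])
            records.append(rec)
    return records


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame for the demo.  Checksums are
    left zero: these frames are only parsed, never put on a wire."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, PROTO_TCP, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


# Constructed hosts on one shared segment (hypothetical addresses).
OWN_MAC = bytes.fromhex("0a1b2c3d4e5f")   # the host running the sniffer
MAC_A = bytes.fromhex("001122334455")     # workstation A
MAC_B = bytes.fromhex("66778899aabb")     # workstation B
MAC_GW = bytes.fromhex("ccddeeff0011")    # default gateway

SAMPLE_FRAMES = [
    # A logs in to a web server with HTTP Basic auth.
    build_frame(MAC_A, MAC_GW, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]), 40000, 80,
                b"GET /admin HTTP/1.1\r\nHost: www.example.test\r\nAuthorization: Basic "
                + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    # B checks mail over cleartext POP3.
    build_frame(MAC_B, MAC_GW, bytes([192, 168, 1, 11]), bytes([203, 0, 113, 6]), 40001, 110,
                b"USER bob\r\nPASS s3cret\r\n"),
    # Traffic genuinely addressed to the sniffing host: a TLS record, opaque to us.
    build_frame(MAC_GW, OWN_MAC, bytes([203, 0, 113, 7]), bytes([192, 168, 1, 12]), 443, 50000,
                b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
]

if __name__ == "__main__":
    for mode in (False, True):
        seen = sniff(SAMPLE_FRAMES, OWN_MAC, promiscuous=mode)
        print(f"promiscuous={mode}: {len(seen)} of {len(SAMPLE_FRAMES)} frames visible")
        for rec in seen:
            print(f"  {rec['src_ip']}:{rec['sport']} -> {rec['dst_ip']}:{rec['dport']}"
                  f"  credentials={rec['credentials']}")
```

Run stand-alone, the script shows that with the interface in normal mode only the one frame addressed to OWN_MAC is visible (and it is TLS, so nothing is harvested), while in promiscuous mode all three frames are visible and both the Basic-auth and the POP3 credentials fall out in cleartext. In a real sniffer the frames would come from a raw socket or libpcap rather than SAMPLE_FRAMES; the decoding and the harvesting are unchanged.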
Most networks use what is known as broadcast technology, meaning that
every message transmitted by one computer on a network can be read by
any other computer on that network. In practice, all the other
computers, except the one for which the message is meant, will ignore
that message. However, computers can be made to accept messages even if
they are not meant for them, by means of a sniffer that puts the
interface into promiscuous mode. (This holds literally on a hub or
other shared segment. A switch forwards unicast frames only to the port
of the destination MAC, so on a switched network a sniffer sees only
broadcasts and its own traffic unless it also poisons ARP caches,
overflows the switch's MAC table, or sits on a mirror port.)

A sniffer is usually passive: it only collects data, which makes it
extremely difficult to detect. A host running a sniffer does, however,
accept frames that are not addressed to it, and it will usually
generate some small amount of traffic of its own, so it can be detected
by methods such as the following.

1. Ping Method: Send an ICMP echo request to the suspect machine's IP
   address, but in a frame whose destination MAC address is not the
   suspect's. Ideally no machine should see this packet, since every
   Ethernet adapter rejects frames that do not match its own MAC
   address. A machine whose interface is in promiscuous mode does not
   reject the frame, and if its IP stack then answers the ping, the
   sniffer is revealed. This is an old method and no longer reliable:
   many IP stacks now discard frames that were not addressed to their
   own MAC even when the interface is promiscuous.

2. Address Resolution Protocol (ARP) Method: Hosts cache the ARP
   mappings they see, so we first send a non-broadcast ARP request
   (addressed to a bogus destination MAC) that carries our own IP and
   MAC address; only a machine in promiscuous mode sees it and caches
   our address. Next, we send a broadcast ping carrying our IP address
   but a different source MAC address. Only a machine that has our
   correct MAC address from the sniffed ARP frame will be able to
   respond to our broadcast ping request.

3. On the Local Host: Often, after your machine has been compromised,
   hackers will leave sniffers on it in order to compromise other
   hosts. On a local machine, run ifconfig and look for the PROMISC
   flag on each interface. Bear in mind that a rootkit may replace
   ifconfig to hide the flag, so cross-check with "ip link" or the
   interface flags the kernel exports under /sys/class/net/.

4. Latency Method: This method is based on the assumption that most
   sniffers do some parsing. Simply put, a huge amount of data is sent
   on the network, and the suspect machine is pinged before and during
   the data flooding. If the machine is in promiscuous mode, it will
   parse the data, increasing the load on it.
   It will therefore take extra time to respond to the ping packet.
   This difference in response times can be used as an indicator of
   whether or not a machine is in promiscuous mode. A point worth
   noting is that the packets may also be delayed simply because of the
   load on the wire, resulting in false positives.

Read full article:
http://www.linuxsecurity.com/content/view/123570/49/

----------------------

Security on your mind?

The Community edition of EnGarde Secure Linux is completely free and
open source. Updates are also freely available when you register with
the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access beyond
that which is needed for proper system operations. A full explanation
of Unix file permissions is beyond the scope of this article, so I'll
assume you are familiar with the usage of such tools as chmod, chown,
and chgrp. If you'd like a refresher, one is available right here on
linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

--------
-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New OpenOffice.org packages fix arbitrary code execution
  6th, July, 2006

Loading malformed XML documents can cause buffer overflows in
OpenOffice.org, a free office suite, and cause a denial of service or
execute arbitrary code. It turned out that the correction in DSA 1104-1
was not sufficient, hence, another update.

http://www.linuxsecurity.com/content/view/123458

* Debian: New xine-lib packages fix denial of service
  7th, July, 2006

Federico L.
Bossi Bonin discovered a buffer overflow in the HTTP plugin in
xine-lib, the xine video/media player library, that could allow a
remote attacker to cause a denial of service.

http://www.linuxsecurity.com/content/view/123476

* Debian: New ppp packages fix privilege escalation
  10th, July, 2006

Marcus Meissner discovered that the winbind plugin in pppd does not
check whether a setuid() call has been successful when trying to drop
privileges, which may fail with some PAM configurations.

http://www.linuxsecurity.com/content/view/123498

* Debian: New GnuPG packages fix denial of service
  10th, July, 2006

Evgeny Legerov discovered that gnupg, the GNU privacy guard, a free PGP
replacement, contains an integer overflow that can cause a segmentation
fault and possibly overwrite memory via large user ID strings.

http://www.linuxsecurity.com/content/view/123499

* Debian: New mutt packages fix arbitrary code execution
  10th, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123522

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated libmms packages fix buffer overflow vulnerability
  7th, July, 2006

Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to
cause a denial of service (application crash) and possibly execute
arbitrary code via the (1) send_command, (2) string_utf16, (3)
get_data, and (4) get_media_packet functions, and possibly other
functions. Libmms uses the same vulnerable code. The updated packages
have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/123477

* Mandriva: Updated OpenOffice.org packages fix various vulnerabilities
  8th, July, 2006

OpenOffice.org 1.1.x up to 1.1.5 and 2.0.x before 2.0.3 allows
user-complicit attackers to conduct unauthorized activities via an
OpenOffice document with a malicious BASIC macro, which is executed
without prompting the user.
http://www.linuxsecurity.com/content/view/123491

* Mandriva: Updated ppp packages fix plugin vulnerability
  11th, July, 2006

Marcus Meissner discovered that pppd's winbind plugin did not check the
result of the setuid() call, which could allow an attacker to exploit
this on systems with certain PAM limits enabled to execute the NTLM
authentication helper as root. This could possibly lead to privilege
escalation, dependent upon the local winbind configuration. Updated
packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/123523

* Mandriva: Updated samba packages fix DoS vulnerability
  11th, July, 2006

A vulnerability in samba 3.0.x was discovered where an attacker could
cause a single smbd process to bloat, exhausting memory on the system.
This bug is caused by continually increasing the size of an array which
maintains state information about the number of active share
connections. Updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/123524

* Mandriva: Updated cups packages to address initscript bug
  11th, July, 2006

A bug in the cupsd initscript could prevent a system from coming fully
online if the CUPS daemon does not actually get started (for example if
the CUPS configuration or cache files are corrupted, or port 631 is
blocked), because the script continuously checks whether the cups
server is available without a timeout. Updated packages are provided
that correct the issue.

http://www.linuxsecurity.com/content/view/123536

* Mandriva: Updated libmms packages fix buffer overflow vulnerability
  12th, July, 2006

The previous update for libmms had an incorrect/incomplete patch. This
update includes a more complete fix for the issue.

http://www.linuxsecurity.com/content/view/123548

* Mandriva: Updated xine-lib packages fix buffer overflow vulnerability
  12th, July, 2006

The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/123549

* Mandriva: Updated apache2 packages to address logging bug
  12th, July, 2006

A patch applied to the build of apache2, when built on x86_64, can
cause various issues in logging.

http://www.linuxsecurity.com/content/view/123552

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: kernel security update
  7th, July, 2006

Updated kernel packages that fix a privilege escalation security issue
in the Red Hat Enterprise Linux 4 kernel are now available. This
security advisory has been rated as having important security impact by
the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123478

* RedHat: Important: vixie-cron security update
  12th, July, 2006

Updated vixie-cron packages that fix a privilege escalation issue are
now available. This update has been rated as having important security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123543

* RedHat: Moderate: php security update
  12th, July, 2006

Updated PHP packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 3 and 4. This update has been
rated as having moderate security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/123544

* RedHat: Moderate: mutt security update
  12th, July, 2006

Updated mutt packages that fix a security issue are now available. This
update has been rated as having moderate security impact by the Red Hat
Security Response Team.

http://www.linuxsecurity.com/content/view/123545

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------