Linux Advisory Watch – September 2, 2005

22

Author: Benjamin D. Thomas

This week, advisories were released for courier, libpman-ldap, simple proxy,
backup-manager, kismet, php, phpldapadmin, maildrop, pstotext, sqwebmail, polygen,
audit, freeradius, openmotif, freeradius, openmotif, php, ntp, openoffice, lesstif,
libsoup, evolution, kernel, selinux- policy-targed, policycoreutils, xen, dbus,
evince, poppler, phpWiki, phpGroupWare, phpWebSite, pam_ldap, and mplayer. The
distributors include Debian, Fedora, Gentoo, and Red Hat.Introduction: IP Spoofing, Part II
IP Fragment Attacks:

When packets are too large to be sent in a single IP packet, due
to interface hardware limitations for example, an intermediate
router can split them up unless prohibited by the Don’t Fragment
flag. IP fragmentation occurs when a router receives a packet
larger than the MTU (Maximum Transmission Unit) of the next
network segment. All such fragments will have the same
Identification field value, and the fragment offset indicates
the position of the current fragment in the context of the
pre-split up packet. Intermediate routers are not expected
to re-assemble the fragments. The final destination will
reassemble all the fragments of an IP packet and pass it to
higher protocol layers like TCP or UDP.

Attackers create artificially fragmented packets in order to
circumvent firewalls that do not perform packet reassembly.
These only consider the properties of each individual fragment,
and let the fragments through to final destination. One such
attack involving fragments is known as the tiny fragment
attack.

Two TCP fragments are created. The first fragment is so small
that it does not even include the full TCP header, particularly
the destination port number. The second fragment contains the
remainder of the TCP header, including the port number. Another
such type of malicious fragmentation involves fragments that
have illegal fragment offsets.

A fragment offset value gives the index position of this
fragment’s data in a reassembled packet. The second fragment
packet contains an offset value, which is less than the
length of the data in the first packet. E.g..

If the first fragment was 24 bytes long, the second fragment
may claim to have an offset of 20. Upon reassembly, the data
in the second fragment overwrites the last four bytes of the
data from the first fragment. If the unfragmented packet
were TCP, then the first fragment would contain the TCP
header overwriting the destination port number.

In the IP layer implementations of nearly all OS, there are
bugs in the reassembly code. An attacker can create and
send a pair of carefully crafted but malformed IP packets
that in the process of reassembly cause a server to panic
and crash. The receiving host attempts to reassemble such
a packet, it calculates a negative length for the second
fragment. This value is passed to a function (such as
memcpy ()), which should do a copy from/ to memory, which
takes the negative number to be an enormous unsigned
(positive) number.

Another type of attack involves sending fragments that if
reassembled will be an abnormally large packet, larger than
the maximum permissible length for an IP packet. The attacker
hopes that the receiving host will crash while attempting to
reassemble the packet. The Ping of Death used this attack.
It creates an ICMP echo request packet, which is larger
than the maximum packet size of 65,535 bytes.

READ ENTIRE ARTICLE:
http://www.linuxsecurity.com/content/view/120225/49/


LinuxSecurity.com
Feature Extras:

Linux File
& Directory Permissions Mistakes
– One common mistake Linux administrators
make is having file and directory permissions that are far too liberal and
allow access beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this article,
so I’ll assume you are familiar with the usage of such tools as chmod, chown,
and chgrp. If you’d like a refresher, one is available right here on linuxsecurity.com.

Introduction:
Buffer Overflow Vulnerabilities
– Buffer overflows are a leading type
of security vulnerability. This paper explains what a buffer overflow is,
how it can be exploited, and what countermeasures can be taken to prevent
the use of buffer overflow vulnerabilities.

Getting
to Know Linux Security: File Permissions
– Welcome to the first
tutorial in the ‘Getting to Know Linux Security’ series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I’ll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.

 

Take advantage of our Linux Security discussion
list!
This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with “subscribe” as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week’s most relevant Linux security headline
.


   Debian
  Debian: New courier packages fix denial
of service
  25th, August, 2005

Updated package.

 
  Debian: New libpam-ldap packages fix
authentication bypass
  25th, August, 2005

Updated package.

 
  Debian: New simpleproxy packages fix
arbitrary code execution
  26th, August, 2005

Updated package.

 
  Debian: New backup-manager package fixes
several vulnerabilities
  26th, August, 2005

Updated package.

 
  Debian: New kismet packages fix arbitrary
code execution
  29th, August, 2005

Updated package.

 
  Debian: New PHP 4 packages fix several
vulnerabilities
  29th, August, 2005

Updated package.

 
  Debian: New phpldapadmin packages fix
unauthorised access
  30th, August, 2005

Updated package.

 
  Debian: New maildrop packages fix arbitrary
group mail command execution
  30th, August, 2005

Updated package.

 
  Debian: New pstotext packages fix arbitrary
command execution
  31st, August, 2005

Updated package.

 
  Debian: New sqwebmail packages fix cross-site
scripting
  1st, September, 2005

Updated package.

 
  Debian: New Mozilla Firefox packages
fix several vulnerabilities
  1st, September, 2005

Update Package.

 
  Debian: New polygen packages fix denial
of service
  1st, September, 2005

Updated package.

 
   Fedora
  Fedora Core 4 Update: audit-1.0.3-1.fc4
  25th, August, 2005

This update corrects a flaw where the devmajor, devminor, success,
exit, and inode values for syscall rules was getting set to 0 before sending
to the kernel.

 
  Fedora Core 3 Update: freeradius-1.0.1-2.FC3.1
  25th, August, 2005

Update package.

 
  Fedora Core 3 Update: openmotif-2.2.3-9.FC3.1
  25th, August, 2005

Updated package.

 
  Fedora Core 3 Update: php-4.3.11-2.7
  25th, August, 2005

This update includes the latest upstream version of the PEAR
XML_RPC package, which fixes a security issue in request parsing in the
XML_RPC Server code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2498 to this issue.

 
  Fedora Core 4 Update: php-5.0.4-10.4
  25th, August, 2005

This update includes the latest upstream version of the PEAR
XML_RPC package, which fixes a security issue in request parsing in the
XML_RPC Server code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2498 to this issue.

 
  Fedora Core 3 Update: ntp-4.2.0.a.20040617-5.FC3
  26th, August, 2005

When starting xntpd with the -u option and specifying the group
by using a string not a numeric gid the daemon uses the gid of the user
not the group. This problem is now fixed by this update.

 
  Fedora Core 4 Update: openoffice.org-1.9.125-1.1.0.fc4
  26th, August, 2005

Updated package.

 
  Fedora Core 3 Update: lesstif-0.93.36-6.FC3.2
  26th, August, 2005

Updated package.

 
  Fedora Core 4 Update: libsoup-2.2.3-4.FC4
  26th, August, 2005

Fixes a problem with NTLM authentication in evolution-connector
with usernames of the form DOMAINUSERNAME

 
  Fedora Core 3 Update: libsoup-2.2.2-2.FC3
  26th, August, 2005

Fixes a problem with NTLM authentication in evolution-connector
with usernames of the form DOMAINUSERNAME

 
  Fedora Core 3 Update: evolution-connector-2.0.4-2
  26th, August, 2005

Updated package.

 
  Fedora Core 4 Update: kernel-2.6.12-1.1447_FC4
  28th, August, 2005

Updated package.

 
  Fedora Core 3 Update: kernel-2.6.12-1.1376_FC3
  28th, August, 2005

Updated package.

 
  Fedora Core 4 Update: selinux-policy-targeted-1.25.4-10
  29th, August, 2005

Updated package.

 
  Fedora Core 4 Update: policycoreutils-1.23.11-3.2
  29th, August, 2005

Fix updates to not travers NFS home dirs.

 
  Fedora Core 4 Update: xen-2-20050823
  29th, August, 2005

Updated package.

 
  Fedora Core 4 Update: dbus-0.33-3.fc4.1
  29th, August, 2005

Updated package.

 
  Fedora Core 4 Update: evince-0.4.0-1.1
  31st, August, 2005

Updated package.

 
  Fedora Core 4 Update: poppler-0.4.1-1.1
  31st, August, 2005

Updated package.

 
  Fedora Core 4 Update: xorg-x11-6.8.2-37.FC4.45
  31st, August, 2005

Updated package.

 
  Fedora Core 4 Update: evince-0.4.0-1.2
  1st, September, 2005

Updated package.

 
   Gentoo
  Gentoo: Kismet Multiple vulnerabilities
  26th, August, 2005

Kismet is vulnerable to multiple issues potentially resulting
in the execution of arbitrary code.

 
  Gentoo: Apache 2.0 Denial of Service
vulnerability
  25th, August, 2005

A bug in Apache may allow a remote attacker to perform a Denial
of Service attack.

 
  Gentoo: Tor Information disclosure
  25th, August, 2005

A flaw in Tor leads to the disclosure of information and the
loss of anonymity, integrity and confidentiality.

 
  Gentoo: libpcre Heap integer overflow
  25th, August, 2005

libpcre is vulnerable to a heap integer overflow, possibly leading
to the execution of arbitrary code.

 
  Gentoo: PhpWiki Arbitrary command execution
through XML-RPC
  26th, August, 2005

PhpWiki includes PHP XML-RPC code which is vulnerable to arbitrary
command execution.

 
  Gentoo: lm_sensors Insecure temporary
file creation
  30th, August, 2005

lm_sensors is vulnerable to linking attacks, potentially allowing
a local user to overwrite arbitrary files.

 
  Gentoo: phpGroupWare Multiple vulnerabilities
  30th, August, 2005

phpGroupWare is vulnerable to multiple issues ranging from information
disclosure to a potential execution of arbitrary code.

 
  Gentoo: phpWebSite Arbitrary command
execution through XML-RPC and SQL injection
  31st, August, 2005

phpWebSite is vulnerable to multiple issues which result in
the execution of arbitrary code and SQL injection.

 
  Gentoo: pam_ldap Authentication bypass
vulnerability
  31st, August, 2005

pam_ldap contains a vulnerability that may allow a remote attacker
to gain system access.

 
  Gentoo: MPlayer Heap overflow in ad_pcm.c
  1st, September, 2005

A heap overflow in MPlayer might lead to the execution of arbitrary
code.

 
   Red
Hat
  RedHat: Important: kernel security update
  25th, August, 2005

Updated kernel packages that fix a number of security issues
as well as other bugs are now available for Red Hat Enterprise Linux 2.1
(32 bit architectures) This update has been rated as having important
security impact by the Red Hat Security Response Team.

 
  RedHat: Important: kernel security update
  25th, August, 2005

Updated kernel packages are now available to correct security
issues and bugs for Red Hat Enterprise Linux version 2.1 (Itanium). This
update has been rated as having important security impact by the Red Hat
Security Response Team.

 
  RedHat: Important: Evolution security
update
  29th, August, 2005

Updated evolution packages that fix a format string issue are
now available. This update has been rated as having important security
impact by the Red Hat Security Response Team.