Author: Benjamin D. Thomas
backup-manager, kismet, php, phpldapadmin, maildrop, pstotext, sqwebmail, polygen,
audit, freeradius, openmotif, php, ntp, openoffice, lesstif,
libsoup, evolution, kernel, selinux-policy-targeted, policycoreutils, xen, dbus,
evince, poppler, phpWiki, phpGroupWare, phpWebSite, pam_ldap, and mplayer. The
distributors include Debian, Fedora, Gentoo, and Red Hat.

Introduction: IP Spoofing, Part II
IP Fragment Attacks:
IP fragmentation occurs when a router (or the sending host) has to forward
a datagram larger than the MTU (Maximum Transmission Unit) of the next
link, for example because of interface hardware limits. Unless the Don't
Fragment flag is set, the router splits the datagram into fragments. All
fragments of one datagram carry the same Identification field value; the
Fragment Offset field, in units of 8 bytes, gives the position of each
fragment's data within the original datagram, and the More Fragments flag
is set on every fragment except the last. Intermediate routers do not
reassemble. The final destination collects all the fragments, reassembles
the datagram, and only then passes it to the higher protocol layer such as
TCP or UDP.
Attackers craft artificially fragmented packets in order to get past
firewalls that do not reassemble before filtering. Such a firewall judges
each fragment on its own properties and lets the fragments through to the
final destination, where they are reassembled. One such attack is known as
the tiny fragment attack.
Two fragments of a TCP segment are created. The first fragment is so small
that it does not even contain the full TCP header, in particular the
destination port number, so a filter that inspects only the first fragment
has no port to match against. The second fragment carries the remainder of
the TCP header, including the port number, and filters commonly pass
non-first fragments without inspection. Another type of malicious
fragmentation uses fragments with illegal, overlapping fragment offsets.
The fragment offset gives the index position of a fragment's data in the
reassembled datagram. In an overlapping fragment attack the second fragment
claims an offset smaller than the length of the data in the first, so the
two overlap. Because offsets are carried in 8-byte units, the overlap is
always a multiple of 8 bytes. E.g., if the first fragment carries 24 bytes
at offset 0, the second fragment may claim offset 2 (byte 16); on
reassembly its data replaces the last eight bytes of the first fragment. If
the unfragmented packet is a TCP segment, the first fragment contains the
TCP header that the firewall inspected, and the overlapping second fragment
rewrites header fields after that inspection. The port numbers sit in the
first 8 bytes and cannot be reached this way, but a fragment at offset 1
(byte 8) covers the acknowledgement number, data offset and flags, which
is why RFC 1858 recommends dropping TCP fragments with offset 1 outright.
Whether the first or the second copy of the overlapping bytes wins depends
on the receiving stack's reassembly policy, which differs between operating
systems; the same ambiguity has been used to evade intrusion detection
systems that reassemble differently from the host they protect.
The IP reassembly code of many operating systems has had bugs of this
kind. An attacker can create and send a pair of carefully crafted but
malformed fragments that cause the receiving kernel to panic and crash
during reassembly (the attack known as Teardrop is the best-known example).
The second fragment is placed entirely inside the first, so when the host
trims the overlap and computes how many bytes of the second fragment
remain, the result is negative. That value is passed as the length to a
memory copy routine such as memcpy(), which takes an unsigned size and
therefore treats the negative number as an enormous positive one, copying
far past the end of the reassembly buffer.
Another type of attack sends fragments that, if reassembled, would form a
datagram larger than the maximum permissible length of an IP packet,
65,535 bytes. The receiving stack sizes its reassembly buffer for a legal
datagram, and the attacker hopes that writing the last fragment beyond it
crashes the host. The Ping of Death used this attack: it sends an ICMP echo
request whose fragments add up to more than 65,535 bytes, i.e. the last
fragment's offset plus its length exceeds the limit.
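The checks described above, as an added example that is not code from the original article, from LinuxSecurity.com, or from any real firewall or kernel. It applies the two per-fragment filter rules of RFC 1858 (refuse tiny first TCP fragments and TCP fragments at offset 1), refuses fragments that would reassemble past 65,535 bytes, and puts the signed-length overlap computation that panics a kernel next to a hardened version. The struct layout, the function names and the 20-byte minimum for a first TCP fragment are this example's own choices; the fragments in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example code, not from LinuxSecurity.com or any kernel or firewall.
 * TCP_HDR_MIN is an assumption: the bytes a first fragment must carry
 * before a filter can see the ports and flags it matches on. */
#define IP_MAXLEN   65535u  /* largest datagram a 16-bit Total Length can describe */
#define TCP_HDR_MIN 20u     /* basic TCP header without options (assumption) */
#define PROTO_TCP   6u

/* Header fields of one IPv4 fragment that matter for filtering and reassembly.
 * offset8 is the Fragment Offset field as carried on the wire: units of 8 bytes. */
struct frag {
    uint16_t id;       /* Identification: shared by all fragments of one datagram */
    uint16_t offset8;  /* Fragment Offset, 13 bits, units of 8 bytes */
    bool     more;     /* MF flag: more fragments follow */
    uint8_t  proto;    /* IP Protocol field: 6 = TCP */
    uint16_t len;      /* payload bytes carried by this fragment */
};

enum verdict { FRAG_OK, FRAG_TINY, FRAG_HDR_OVERLAP, FRAG_OVERSIZE };

/* Stateless per-fragment rules in the spirit of RFC 1858, applied before any
 * reassembly, so a filter is not fooled by judging one piece on its own. */
enum verdict check_fragment(const struct frag *f)
{
    uint32_t start = (uint32_t)f->offset8 * 8u;
    uint32_t end   = start + f->len;

    /* Ping of Death: this fragment would reassemble past the 65,535-byte limit. */
    if (end > IP_MAXLEN)
        return FRAG_OVERSIZE;

    if (f->proto == PROTO_TCP) {
        /* Tiny fragment: first piece of a TCP segment too short to show the
         * port numbers and flags the filter needs for its decision. */
        if (f->offset8 == 0 && f->more && f->len < TCP_HDR_MIN)
            return FRAG_TINY;
        /* Offset 1 (byte 8) has no legitimate use once tiny first fragments are
         * refused; its only effect is to overwrite TCP header bytes 8..15
         * (acknowledgement number, data offset, flags) of the first fragment. */
        if (f->offset8 == 1)
            return FRAG_HDR_OVERLAP;
    }
    return FRAG_OK;
}

/* Judge a fragment from its raw field values. */
enum verdict classify(uint16_t offset8, bool more, uint8_t proto, uint16_t len)
{
    struct frag f = { 0, offset8, more, proto, len };
    return check_fragment(&f);
}

/* Overlap trimming as 1990s reassemblers wrote it: a new fragment covering
 * bytes [start, end) is moved past the previous fragment's end, and the
 * remaining length is computed in a signed int. A fragment lying entirely
 * inside the previous one yields a NEGATIVE length, which memcpy() receives
 * as size_t, i.e. an enormous positive count. */
int overlap_trim_vulnerable(uint32_t prev_end, uint32_t start, uint32_t end)
{
    if (start < prev_end)
        start = prev_end;            /* skip bytes already received */
    return (int)end - (int)start;    /* negative when end < prev_end: the bug */
}

/* Hardened trimming: returns the number of new bytes the fragment adds, or 0
 * when it adds nothing (malformed interval, or wholly inside earlier data),
 * so the caller drops the fragment instead of turning it into a copy length. */
uint32_t overlap_trim_safe(uint32_t prev_end, uint32_t start, uint32_t end)
{
    if (end <= start)
        return 0;
    if (start < prev_end)
        start = prev_end;
    return end > start ? end - start : 0;
}

int main(void)
{
    /* Constructed fragments, one per attack described in the article. */
    const struct { const char *name; struct frag f; } cases[] = {
        { "normal first fragment",       { 1, 0,    true,  PROTO_TCP, 1480 } },
        { "tiny first fragment",         { 2, 0,    true,  PROTO_TCP, 8    } },
        { "header-overlapping fragment", { 2, 1,    false, PROTO_TCP, 16   } },
        { "ping-of-death last fragment", { 3, 8191, false, 1,         100  } },
    };
    static const char *names[] = { "ok", "tiny", "hdr-overlap", "oversize" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-30s -> %s\n", cases[i].name, names[check_fragment(&cases[i].f)]);

    /* Teardrop-style pair: fragment 1 covers bytes 0..35; fragment 2 claims
     * offset 3 (byte 24) with 4 bytes, so it ends at byte 28, inside fragment 1. */
    int bad = overlap_trim_vulnerable(36, 24, 28);
    printf("vulnerable length: %d (memcpy would see %zu)\n", bad, (size_t)bad);
    printf("safe trim keeps %u new bytes (0 = drop)\n", overlap_trim_safe(36, 24, 28));
    return 0;
}
```

The offset-1 rule is only sound together with the tiny-fragment rule: once a first TCP fragment must carry at least 20 bytes, no legitimate continuation can start at byte 8, so anything claiming that offset exists only to rewrite the header.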
READ ENTIRE ARTICLE:
http://www.linuxsecurity.com/content/view/120225/49/
LinuxSecurity.com
Feature Extras:
Linux File & Directory Permissions Mistakes – One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities – Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Getting to Know Linux Security: File Permissions – Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with “subscribe” as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headlines.
Debian
Debian: New courier packages fix denial of service (25 August 2005)
Debian: New libpam-ldap packages fix authentication bypass (25 August 2005)
Debian: New simpleproxy packages fix arbitrary code execution (26 August 2005)
Debian: New backup-manager package fixes several vulnerabilities (26 August 2005)
Debian: New kismet packages fix arbitrary code execution (29 August 2005)
Debian: New PHP 4 packages fix several vulnerabilities (29 August 2005)
Debian: New phpldapadmin packages fix unauthorised access (30 August 2005)
Debian: New maildrop packages fix arbitrary group mail command execution (30 August 2005)
Debian: New pstotext packages fix arbitrary command execution (31 August 2005)
Debian: New sqwebmail packages fix cross-site scripting (1 September 2005)
Debian: New Mozilla Firefox packages fix several vulnerabilities (1 September 2005)
Debian: New polygen packages fix denial of service (1 September 2005)

Fedora
Fedora Core 4 Update: audit-1.0.3-1.fc4 (25 August 2005)
Fedora Core 3 Update: freeradius-1.0.1-2.FC3.1 (25 August 2005)
Fedora Core 3 Update: openmotif-2.2.3-9.FC3.1 (25 August 2005)
Fedora Core 3 Update: php-4.3.11-2.7 (25 August 2005)
Fedora Core 4 Update: php-5.0.4-10.4 (25 August 2005)
Fedora Core 3 Update: ntp-4.2.0.a.20040617-5.FC3 (26 August 2005)
Fedora Core 4 Update: openoffice.org-1.9.125-1.1.0.fc4 (26 August 2005)
Fedora Core 3 Update: lesstif-0.93.36-6.FC3.2 (26 August 2005)
Fedora Core 4 Update: libsoup-2.2.3-4.FC4 (26 August 2005)
Fedora Core 3 Update: libsoup-2.2.2-2.FC3 (26 August 2005)
Fedora Core 3 Update: evolution-connector-2.0.4-2 (26 August 2005)
Fedora Core 4 Update: kernel-2.6.12-1.1447_FC4 (28 August 2005)
Fedora Core 3 Update: kernel-2.6.12-1.1376_FC3 (28 August 2005)
Fedora Core 4 Update: selinux-policy-targeted-1.25.4-10 (29 August 2005)
Fedora Core 4 Update: policycoreutils-1.23.11-3.2 (29 August 2005)
Fedora Core 4 Update: xen-2-20050823 (29 August 2005)
Fedora Core 4 Update: dbus-0.33-3.fc4.1 (29 August 2005)
Fedora Core 4 Update: evince-0.4.0-1.1 (31 August 2005)
Fedora Core 4 Update: poppler-0.4.1-1.1 (31 August 2005)
Fedora Core 4 Update: xorg-x11-6.8.2-37.FC4.45 (31 August 2005)
Fedora Core 4 Update: evince-0.4.0-1.2 (1 September 2005)

Gentoo
Gentoo: Kismet Multiple vulnerabilities (26 August 2005)
Gentoo: Apache 2.0 Denial of Service vulnerability (25 August 2005)
Gentoo: Tor Information disclosure (25 August 2005)
Gentoo: libpcre Heap integer overflow (25 August 2005)
Gentoo: PhpWiki Arbitrary command execution through XML-RPC (26 August 2005)
Gentoo: lm_sensors Insecure temporary file creation (30 August 2005)
Gentoo: phpGroupWare Multiple vulnerabilities (30 August 2005)
Gentoo: phpWebSite Arbitrary command execution through XML-RPC and SQL injection (31 August 2005)
Gentoo: pam_ldap Authentication bypass vulnerability (31 August 2005)
Gentoo: MPlayer Heap overflow in ad_pcm.c (1 September 2005)

Red Hat
RedHat: Important: kernel security update (25 August 2005)
RedHat: Important: kernel security update (25 August 2005)
RedHat: Important: Evolution security update (29 August 2005)