This week, advisories were
released for docview, unzip, sendmail, iptables, pam_smb, gdm, php, and perl.
The distributors include Debian, FreeBSD, Gentoo, Mandrake, Red Hat, Slackware,
SuSE, and TurboLinux.
Last Saturday, ISECOM released
version 2.1 of the Open-Source Security Testing Methodology Manual. For those
of you who are not familiar with it, the OSSTMM is an established standard for
testing security. It includes information on ethics, legalities, rules of engagement,
and many templates that will prove to be useful to those conducting penetration
tests. The document is intended to be used by security testing professionals
as well as developers, systems analysts, and architects.
The OSSTMM provides a very
structured method for pen-testing. The manual includes sections on information
security, process security, internet technology security, communications security,
wireless security, and physical security. Each section module has several detailed
parts. For example, information security testing includes posture assessment,
information integrity review, human resources review, competitive intelligence
scouting, and many others. The beauty of the OSSTMM is that it provides a peer-reviewed
and comprehensive listing of tests that should be conducted. Many consulting
firms have an established testing methodology, but the average security
professional has only a handful of tricks, which is by no means comprehensive. The OSSTMM
gives everyone an open standard that can be trusted and is not unnecessarily
As mentioned previously,
the OSSTMM provides pen-testing templates. The examples provided can easily
be reproduced in any spreadsheet application to be used multiple times. It
is also just as acceptable to reprint or edit the PDF. Templates include ones
for firewall analysis, IDS testing, social engineering, privacy, password cracking,
denial of service, and others. If you are involved in security at any level,
you should definitely use the OSSTMM. It is extremely valuable.
The OSSTMM document and
the Institute for Security and Open Methodologies Web site are at the following
Until next time,
Benjamin D. Thomas
Practical Approach of Stealthy Remote Administration
- This paper is written for those paranoid administrators who are looking
for a stealthy technique of managing sensitive servers (like your enterprise
firewall console or IDS).
vs. Expertise: Computer Forensics and the Alternative OS - No longer
a dark and mysterious process, computer forensics has been on the scene
for more than five years now. Despite this, it has only recently gained
the recognition it deserves.
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
Distribution: Debian
unzip directory traversal vulnerability
A directory traversal vulnerability in UnZip 5.50 allows attackers to bypass
a check for relative pathnames ("../") by placing certain invalid characters
between the two "." characters.
http://www.linuxsecurity.com/advisories/debian_advisory-3570.html

8/26/2003 libpam-smb buffer overflow vulnerability
If a long password is supplied, this can cause a buffer overflow which could
be exploited to execute arbitrary code with the privileges of the process
which invokes PAM services.
http://www.linuxsecurity.com/advisories/debian_advisory-3571.html

Distribution: FreeBSD
8/26/2003 sendmail DNS map vulnerability
Some versions of sendmail (8.12.0 through 8.12.8) contain a programming error
in the code that implements DNS maps. A malformed DNS reply packet may cause
sendmail to call free() on an uninitialized pointer.
http://www.linuxsecurity.com/advisories/freebsd_advisory-3572.html

Distribution: Gentoo
8/25/2003 vmware-server env variable vulnerability
By manipulating the VMware GSX Server and VMware Workstation environment
variables, a program such as a shell session with root privileges could be
started when a virtual machine is launched.
http://www.linuxsecurity.com/advisories/gentoo_advisory-3573.html

Distribution: Mandrake
8/27/2003 sendmail dns map vulnerability
Due to wrong initialization of RESOURCE_RECORD_T structures, if sendmail
receives a bad DNS reply it will call free() on random addresses, which usually
causes sendmail to crash.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3574.html

Distribution: Red Hat
8/26/2003 iptables upgrade fix
Recent updates to the kernel in Red Hat Linux versions 7.1, 7.2, 7.3 and 8.0
did not also update the iptables utility, causing functions such as owner
match to stop working.
http://www.linuxsecurity.com/advisories/redhat_advisory-3575.html

8/27/2003 pam_smb remote buffer overflow vulnerability
On systems that use pam_smb and are configured to authenticate a remotely
accessible service, an attacker can exploit this bug and remotely execute
http://www.linuxsecurity.com/advisories/redhat_advisory-3576.html

Distribution: Slackware
8/25/2003 GDM file permission vulnerability
This fixes a bug where a local user may read any system file by making a
symlink to it from $HOME/.xsession-errors and using GDM's error browser
to read the file.
http://www.linuxsecurity.com/advisories/slackware_advisory-3577.html

8/26/2003 unzip directory traversal vulnerability
These fix a security issue where a specially crafted archive may overwrite
files (including system files anywhere on the filesystem) upon extraction
by a user with sufficient permissions.
http://www.linuxsecurity.com/advisories/slackware_advisory-3578.html

Distribution: SuSE
8/26/2003 sendmail dns map vulnerability
When sendmail receives an invalid DNS response it tries to call free on
random data which results in a process crash.
http://www.linuxsecurity.com/advisories/suse_advisory-3579.html

Distribution: TurboLinux
8/27/2003 php XSS vulnerability
The cross-site scripting vulnerability is in the transparent SID support
capability for PHP.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3580.html

8/27/2003 gdm file permission vulnerability
GDM contains a bug where GDM will run as root when examining the ~/.xsession-errors
file when using the "examine session errors" feature, allowing local users
the ability to read any text file on the system by creating a symlink.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3581.html

8/27/2003 perl CGI.pm XSS vulnerability
A cross-site scripting vulnerability exists in the start_form() function
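The Debian and Slackware unzip entries above describe the same logic flaw: the "../" check runs on the raw member name, and the invalid characters are stripped only afterwards, so a name whose ".." is split by an invalid byte passes the check and becomes "../" once cleaned. The following is an added example written for this newsletter, not UnZip's code. It puts that check-then-sanitise ordering beside the sanitise-then-verify ordering that does not have the problem; the set of "invalid" bytes, the extraction directory and the sample member names are all constructed assumptions.

```python
"""Added example, not code from UnZip or from any advisory above: why a
'../' check performed before invalid characters are stripped can be bypassed,
and how checking the final, normalised path instead closes the hole."""
import posixpath

# Assumption: bytes the hypothetical extractor deletes from member names.
INVALID_BYTES = frozenset(b"\x00\x01\x02\x7f")


def strip_invalid(member: bytes) -> str:
    """Sanitiser that drops INVALID_BYTES from a raw archive member name."""
    return bytes(b for b in member if b not in INVALID_BYTES).decode("latin-1")


def vulnerable_extract_path(member: bytes, dest: str):
    """Check-then-sanitise (the flawed order described in the advisories).
    The '../' test sees the raw bytes, so a byte that will be deleted later
    can sit between the two dots and hide the traversal."""
    if member.startswith(b"/") or b"../" in member:
        return None                      # naive check rejects only literal "../"
    cleaned = strip_invalid(member)      # ...which the sanitiser may now recreate
    return posixpath.normpath(posixpath.join(dest, cleaned))


def safe_extract_path(member: bytes, dest: str):
    """Sanitise-then-verify: normalise the name that will actually be used and
    require the result to stay strictly below the extraction directory."""
    cleaned = strip_invalid(member).lstrip("/")
    if not cleaned:
        return None
    root = posixpath.normpath(dest)
    prefix = root.rstrip("/") + "/"
    target = posixpath.normpath(posixpath.join(root, cleaned))
    if not target.startswith(prefix):
        return None                      # resolved outside the extraction root
    return target


# Constructed member names for the demonstration.
SAMPLE_MEMBERS = [
    b"docs/readme.txt",              # benign relative path
    b"../etc/passwd",                # literal traversal, caught by both
    b".\x00./.\x00./etc/passwd",     # NUL splits each "../" the naive check wants
    b"/etc/passwd",                  # absolute path
]


def compare(dest: str = "/tmp/extract") -> dict:
    """Return {member: (check_first_result, sanitise_first_result)}."""
    return {m: (vulnerable_extract_path(m, dest), safe_extract_path(m, dest))
            for m in SAMPLE_MEMBERS}


if __name__ == "__main__":
    for member, (vuln, safe) in compare().items():
        print(f"{member!r:32} check-first -> {vuln!s:30} sanitise-first -> {safe}")
```

Run stand-alone it prints one line per sample member; the third row is the interesting one, where the check-first variant hands back /etc/passwd while the sanitise-first variant refuses. Note that normpath does not consult the filesystem, so an extractor that wants to defend against a symlink already planted inside the destination also needs a realpath or lstat step before each write.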
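The Slackware and TurboLinux gdm entries above describe a root process that opens a file under the user's home directory by path and therefore follows whatever symlink the user has placed at that name. The following is an added example for this newsletter, not GDM's code. It shows the defensive pattern a privileged reader should use: open with O_NOFOLLOW so a symlink at the final component is refused, then check the opened descriptor with fstat (regular file, owned by the expected user) rather than checking the path with stat. The temporary home directory, the planted symlink and the file contents are constructed for the demonstration.

```python
"""Added example, not GDM's code: reading a user-controlled file from a
privileged process without following a planted symlink."""
import errno
import os
import stat
import tempfile


def read_user_file(path: str, expected_uid: int, limit: int = 1 << 20):
    """Return the file's bytes, or None if the final component is a symlink,
    the object is not a regular file, or it is not owned by expected_uid.
    All checks run on the descriptor we actually read from, so swapping the
    file between a stat() and the open() gains the attacker nothing."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as e:
        # Linux reports ELOOP, the BSDs EMLINK, when O_NOFOLLOW meets a symlink.
        if e.errno in (errno.ELOOP, errno.EMLINK):
            return None
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            return None
        chunks, remaining = [], limit
        while remaining > 0:
            chunk = os.read(fd, min(remaining, 65536))
            if not chunk:
                break
            chunks.append(chunk)
            remaining -= len(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> dict:
    """Build a constructed home directory containing a genuine session log and
    a symlink planted where the log is expected, then read both the way a
    hypothetical privileged error browser should."""
    with tempfile.TemporaryDirectory() as home:
        secret = os.path.join(home, "shadow")            # stand-in for a system file
        with open(secret, "wb") as f:
            f.write(b"constructed secret contents\n")
        genuine = os.path.join(home, ".xsession-errors")
        with open(genuine, "wb") as f:
            f.write(b"Xsession: starting\n")
        planted = os.path.join(home, ".xsession-errors-planted")
        os.symlink(secret, planted)                      # the user's symlink attack
        me = os.getuid()
        return {
            "genuine": read_user_file(genuine, me),          # regular file, right owner
            "planted_symlink": read_user_file(planted, me),  # refused at open()
            "wrong_owner": read_user_file(genuine, me + 1),  # refused by the fstat check
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16} -> {result!r}")
```

O_NOFOLLOW only guards the last path component; a symlinked parent directory is still followed, so a complete fix either performs the read with the user's own privileges or walks the path component by component with openat() and O_NOFOLLOW. The ownership test on the descriptor is what turns "the path looked fine a moment ago" into "the thing we are reading is the user's own regular file".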