December 30, 2005

Linux Advisory Watch - December 30, 2005

Author: Benjamin D. Thomas

This week, advisories were released for phpbb2, ketm, tkdiff, dhis-tools-dns, Mantis, NDB, rssh, OpenMotif, scponly, msec, fetchmail, cpio, php-mbstring, and libgphoto. The distributors include Debian, Gentoo, and Mandriva.IPv6 approach for TCP SYN Flood attack over VoIP, Part II
By: Suhas Desai

There are several general categories of DoS attacks. Some groups divide attacks into three classes: bandwidth attacks, protocol attacks, and logic attacks. Following are brief descriptions of some common types of DoS attacks.

3.1 Bandwidth attacks

Bandwidth attacks are relatively straightforward attempts to consume resources, such as network bandwidth or equipment throughput. High-data-volume attacks can consume all available bandwidth between an ISP and your site. The link fills up, and legitimate traffic slows down. Timeouts may occur, causing retransmission, generating even more traffic. An attacker can consume bandwidth by transmitting any traffic at all on your network connection. A basic flood attack might use UDP or ICMP packets to simply consume all available bandwidth. For that matter, an attack could consist of TCP or raw IP packets, as long as the traffic is routed to your network.

A simple bandwidth-consumption attack can exploit the throughput limits of servers or network equipment by focusing on high packet ratessending large numbers of small packets. High-packet-rate attacks typically overwhelm network equipment before the traffic reaches the limit of available bandwidth. Routers, servers, and firewalls all have constraints on input-output processing, interrupt processing, CPU, and memory resources. Network equipment that reads packet headers to properly route traffic becomes stressed handling the high packet rate (pps), not the volume of the data (Mbps). In practice, denial of service is often accomplished by high packet rates, not by sheer traffic volume.

3.2 Protocol Attacks

The basic flood attack can be further refined to take advantage of the inherent design of common network protocols. These attacks do not directly exploit weaknesses in TCP/IP stacks or network applications but, instead, use the expected behavior of protocols such as TCP, UDP, and ICMP to the attacker's advantage. Examples of protocol attacks include the following:

SYN flood is an asymmetric resource starvation attack in which the attacker floods the victim with TCP SYN packets and the victim allocates resources to accept perceived incoming connections. As mentioned above, the proposed Host Identity Payload and Protocol (HIP) are designed to mitigate the effects of a SYN flood attack. Another technique, SYN Cookies is implemented in some TCP/IP stacks.

Smurf is an asymmetric reflector attack that targets a vulnerable network
broadcast address with ICMP ECHO REQUEST packets and spoofs the source of the victim.

Fraggle is a variant of smurf that sends UDP packets to echo or chargen ports on broadcast addresses and spoofs the source of the victim.

3.3 Software Vulnerability Attacks

Unlike flooding and protocol attacks, which seek to consume network or state resources, logic attacks exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack. Some vulnerability by crafting even a single malformed packet.

Teardrop (bonk, boink) exploits TCP/IP IP stacks that do not properly handle overlapping IP fragments.

Land crafts IP packets with the source address and port set to be the same as the destination address and port.

Ping of death sends a single large ICMP ECHO REQUEST packet to the target.

Naptha is a resource-starvation attack that exploits vulnerable TCP/IP stacks using crafted TCP packets. There are many variations on these common types of attacks and many varieties of attack tools to implement them.

Read Article:

  Debian: New phpbb2 packages fix several
  22nd, December, 2005
Updated package.
  Debian: New ketm packages fix privilege
  23rd, December, 2005
Updated package.
  Debian: New ketm packages fix privilege
  23rd, December, 2005
Updated package.
  Debian: New tkdiff packages fix insecure
temporary file creation
  27th, December, 2005
Updated package.
  Debian: New dhis-tools-dns packages fix
insecure temporary file creation
  27th, December, 2005
Updated package.
  Debian: New tkdiff packages fix insecure
temporary file creation
  29th, December, 2005
Updated package.
  Gentoo: Mantis Multiple vulnerabilities
  22nd, December, 2005
Mantis is affected by multiple vulnerabilities ranging from
file upload and SQL injection to cross-site scripting and HTTP response
  Gentoo: Dropbear Privilege escalation
  23rd, December, 2005
A buffer overflow in Dropbear could allow authenticated users
to execute arbitrary code as the root user.
  Gentoo: NBD Tools Buffer overflow in
NBD server
  23rd, December, 2005
The NBD server is vulnerable to a buffer overflow that may result
in the execution of arbitrary code.
  Gentoo: rssh Privilege escalation
  27th, December, 2005
Local users could gain root privileges by chrooting into arbitrary
  Gentoo: OpenMotif, AMD64 x86 emulation
X libraries Buffer
  28th, December, 2005
Two buffer overflows have been discovered in libUil, part of
the OpenMotif toolkit, that can potentially lead to the execution of arbitrary
  Gentoo: scponly Multiple privilege escalation
  29th, December, 2005
Local users can exploit an scponly flaw to gain root privileges,
and scponly restricted users can use another vulnerability to evade shell
  Mandriva: Updated msec packages fixes
various bugs
  22nd, December, 2005
Bugs in the msec package have been corrected: msec wasn't properly
parsing the output on security checks to check ownership of files, reporting
files as unowned when they were in fact properly owned by a valid user.
  Mandriva: Updated fetchmail packages
fix vulnerability
  23rd, December, 2005
Fetchmail before 6.3.1 and before, when configured for
multidrop mode, allows remote attackers to cause a DoS (application crash)
by sending messages without headers from upstream mail servers.
  Mandriva: Updated cpio packages fix buffer
overflow on x86_64
  23rd, December, 2005
A buffer overflow in cpio 2.6 on 64-bit platforms could allow
a local user to create a DoS (crash) and possibly execute arbitrary code
when creating a cpio archive with a file whose size is represented by
more than 8 digits.
  Mandriva: Updated digikamimageplugins
packages fix showfoto crash issue.
  26th, December, 2005
A previous update of DigiKam (MDKA-2005:059) bumped the version
to 0.8.0. After this update, Narfi Stefansson reported that showfoto,
from digikamimageplugins was crashing when trying to use "Free Rotation".
This update bumps digikamimageplugins to version 0.8.0 also.
  Mandriva: Updated php/php-mbstring packages
fix mail injection vulnerability
  27th, December, 2005
A CRLF injection vulnerability in the mb_send_mail function
in PHP before 5.1.0 might allow remote attackers to inject arbitrary e-mail
headers via line feeds (LF) in the "To" address argument, when using sendmail
as the MTA (mail transfer agent).
  Mandriva: Updated libgphoto packages
fixes issue with some cameras
  29th, December, 2005
The hotplug usermap has been restored for this package because
it is used by HAL to correctly detect digital cameras which are not using
USB Mass storage (for instance, all Canon digital cameras, as well as
some Nikon ones and all PTP cameras). This should allow gnome-volume-manager
to automatically popup a "Do you want to import photos?" dialog when the
camera is plugged in.


  • Linux
Click Here!