Get the LinuxSecurity news you want faster with RSS
Powered By
Linux Advisory Watch: September 2nd 2005
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for courier, libpman-ldap, simple proxy,
backup-manager, kismet, php, phpldapadmin, maildrop, pstotext, sqwebmail, polygen,
audit, freeradius, openmotif, freeradius, openmotif, php, ntp, openoffice, lesstif,
libsoup, evolution, kernel, selinux- policy-targed, policycoreutils, xen, dbus,
evince, poppler, phpWiki, phpGroupWare, phpWebSite, pam_ldap, and mplayer. The
distributors include Debian, Fedora, Gentoo, and Red Hat.
Master of Science in Information
Security - Earn your Master of Science in Information Security online
from Norwich University. Designated a "Center of Excellence", the program offers
a solid education in the management of information assurance, and the unique case
study method melds theory into practice. Using today's e-Learning technology,
you can earn this esteemed degree, without disrupting your career or home life.
Introduction: IP Spoofing, Part II IP Fragment Attacks:
When packets are too large to be sent in a single IP packet, due
to interface hardware limitations for example, an intermediate
router can split them up unless prohibited by the Don't Fragment
flag. IP fragmentation occurs when a router receives a packet
larger than the MTU (Maximum Transmission Unit) of the next
network segment. All such fragments will have the same
Identification field value, and the fragment offset indicates
the position of the current fragment in the context of the
pre-split up packet. Intermediate routers are not expected
to re-assemble the fragments. The final destination will
reassemble all the fragments of an IP packet and pass it to
higher protocol layers like TCP or UDP.
Attackers create artificially fragmented packets in order to
circumvent firewalls that do not perform packet reassembly.
These only consider the properties of each individual fragment,
and let the fragments through to final destination. One such
attack involving fragments is known as the tiny fragment
attack.
Two TCP fragments are created. The first fragment is so small
that it does not even include the full TCP header, particularly
the destination port number. The second fragment contains the
remainder of the TCP header, including the port number. Another
such type of malicious fragmentation involves fragments that
have illegal fragment offsets.
A fragment offset value gives the index position of this
fragment's data in a reassembled packet. The second fragment
packet contains an offset value, which is less than the
length of the data in the first packet. E.g..
If the first fragment was 24 bytes long, the second fragment
may claim to have an offset of 20. Upon reassembly, the data
in the second fragment overwrites the last four bytes of the
data from the first fragment. If the unfragmented packet
were TCP, then the first fragment would contain the TCP
header overwriting the destination port number.
In the IP layer implementations of nearly all OS, there are
bugs in the reassembly code. An attacker can create and
send a pair of carefully crafted but malformed IP packets
that in the process of reassembly cause a server to panic
and crash. The receiving host attempts to reassemble such
a packet, it calculates a negative length for the second
fragment. This value is passed to a function (such as
memcpy ()), which should do a copy from/ to memory, which
takes the negative number to be an enormous unsigned
(positive) number.
Another type of attack involves sending fragments that if
reassembled will be an abnormally large packet, larger than
the maximum permissible length for an IP packet. The attacker
hopes that the receiving host will crash while attempting to
reassemble the packet. The Ping of Death used this attack.
It creates an ICMP echo request packet, which is larger
than the maximum packet size of 65,535 bytes.
Linux File
& Directory Permissions Mistakes - One common mistake Linux administrators
make is having file and directory permissions that are far too liberal and
allow access beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this article,
so I'll assume you are familiar with the usage of such tools as chmod, chown,
and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
Introduction:
Buffer Overflow Vulnerabilities - Buffer overflows are a leading type
of security vulnerability. This paper explains what a buffer overflow is,
how it can be exploited, and what countermeasures can be taken to prevent
the use of buffer overflow vulnerabilities.
Getting
to Know Linux Security: File Permissions - Welcome to the first
tutorial in the 'Getting to Know Linux Security' series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I'll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Debian
Debian: New courier packages fix denial
of service
This update corrects a flaw where the devmajor, devminor, success,
exit, and inode values for syscall rules was getting set to 0 before sending
to the kernel.
http://www.linuxsecurity.com/content/view/120218
This update includes the latest upstream version of the PEAR
XML_RPC package, which fixes a security issue in request parsing in the
XML_RPC Server code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2498 to this issue.
http://www.linuxsecurity.com/content/view/120221
Fedora Core 4 Update: php-5.0.4-10.4
25th, August, 2005
This update includes the latest upstream version of the PEAR
XML_RPC package, which fixes a security issue in request parsing in the
XML_RPC Server code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2498 to this issue.
http://www.linuxsecurity.com/content/view/120223
Fedora Core 3 Update: ntp-4.2.0.a.20040617-5.FC3
26th, August, 2005
When starting xntpd with the -u option and specifying the group
by using a string not a numeric gid the daemon uses the gid of the user
not the group. This problem is now fixed by this update.
http://www.linuxsecurity.com/content/view/120232
Updated kernel packages that fix a number of security issues
as well as other bugs are now available for Red Hat Enterprise Linux 2.1
(32 bit architectures) This update has been rated as having important
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120216
RedHat: Important: kernel security update
25th, August, 2005
Updated kernel packages are now available to correct security
issues and bugs for Red Hat Enterprise Linux version 2.1 (Itanium). This
update has been rated as having important security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/120217
RedHat: Important: Evolution security
update
29th, August, 2005
Updated evolution packages that fix a format string issue are
now available. This update has been rated as having important security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120249
Write Comment
Please keep the topic of messages relevant to the subject of the article.
Personal verbal attacks will be deleted.
Please don't use comments to plug your web site.. Such material will be removed.
