From daniela em ccuec.unicamp.br Fri Jan 4 12:18:11 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 4 Jan 2002 12:18:11 -0200 Subject: [SECURITY-L] Boletins de noticias Message-ID: <20020104141811.GA16121@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e redes da Unicamp com os seguintes boletins de noticias e/ou revistas eletronicas: 21/12/2001: ----------- LinuxSecurity Brasil Edição Especial (no. 37) Fonte: Linux Security http://www.security.unicamp.br/docs/informativos/2001/12/b11.html 24/12/2001: ----------- SecurityFocus.com Newsletter #124 Fonte: SecurityFocus.com http://www.security.unicamp.br/docs/informativos/2001/12/b9.txt 27/12/2001: ----------- The SANS Weekly Security News Overview (Vol. 3, Num. 52) Fonte: SANS Institute http://www.security.unicamp.br/docs/informativos/2001/12/b10.txt 03/01/2001: ----------- SecurityFocus.com Newsletter #125 Fonte: SecurityFocus.com http://www.security.unicamp.br/docs/informativos/2002/01/b1.txt The SANS Weekly Security News Overview (Vol. 4, Num. 01) Fonte: SANS Institute http://www.security.unicamp.br/docs/informativos/2002/01/b2.txt -- Equipe de Seguranca em Sitemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Fri Jan 4 14:36:41 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 4 Jan 2002 14:36:41 -0200 Subject: [SECURITY-L] [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released Message-ID: <20020104163641.GA10595@ccuec.unicamp.br> Srs. Administradores, Favor atualizar as maquinas que rodam o software mutt. ----- Forwarded message from Thomas Roessler ----- From: Thomas Roessler Subject: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released. To: mutt-announce em mutt.org, mutt-dev em mutt.org, mutt-users em mutt.org, bugtraq em securityfocus.com Cc: Joost Pol , Jeremy Blosser Date: Tue, 1 Jan 2002 21:40:31 +0100 mutt-1.2.5.1 and mutt-1.3.25 have just been released. These releases both fix a security hole which can be remotely exploited. The problem was found and a fix suggested by Joost Pol . Thanks for that. mutt-1.2.5.1 is released as an update to the last stable version of mutt, mutt-1.2.5. The ONLY relevant change in this version is the fix mentioned above. No other bugs present in 1.2.5 have been fixed. You only want to upgrade to this version of mutt if you absolutely have to stick with the mutt-1.2 series. mutt-1.3.25 is the latest BETA version of mutt, and very close to what will eventually become mutt-1.4. Personally, I'd recommend that you download and use this version. The tar balls, with detached PGP signatures, will be available from in some minutes. As an alternative, you can apply the patch available from to any 1.2 or 1.3 series mutt source code, and rebuild. I apologize for the problem, and wish all of you a happy new year. -- Thomas Roessler http://log.does-not-exist.org/ ----- End forwarded message ----- From daniela em ccuec.unicamp.br Fri Jan 4 16:21:00 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 4 Jan 2002 16:21:00 -0200 Subject: [SECURITY-L] NIST Computer Security DRAFT - Security Guide for Interconnecting Information Technology Systems Message-ID: <20020104182100.GB2958@ccuec.unicamp.br> ----- Forwarded message from Rafael Rodrigues Obelheiro ----- From: Rafael Rodrigues Obelheiro Subject: [S] NIST Computer Security DRAFT - Security Guide for Interconnecting Information Technology Systems To: seguranca em pangeia.com.br Date: Sun, 23 Dec 2001 10:12:23 -0200 ----- Forwarded message from Patrick O'Reilly ----- From: "Patrick O'Reilly" Subject: NIST Computer Security DRAFT - Security Guide for Interconnecting Information Technology Systems Date: Fri, 21 Dec 2001 10:35:52 -0500 (EST) Message-Id: <5.1.0.14.2.20011221102834.028f7208 em email.nist.gov> December 14, 2001 -- The draft Security Guide for Interconnecting Information Technology Systems is available for public comment (see below for URLs). The document provides guidance for planning, establishing, maintaining, and terminating interconnections between information systems that are owned and operated by different organizations. We seek your comments and suggestions. We especially seek your comments on the steps for planning and establishing an interconnection, based on readers' experiences. Furthermore, we are interested in receiving comments on the memorandum of understanding/agreement development guide contained in the document. Please address your comments to Timothy Grance (grance em nist.gov) and Joan Hash (joan.hash em nist.gov) by January 18, 2002. URLs: DRAFTS page: http://csrc.nist.gov/publications/drafts.html (2nd bulleted item from top) Draft document (.pdf): http://csrc.nist.gov/publications/drafts/guide_for_interconnecting_information_system.pdf ----- End forwarded message ----- ----- End forwarded message ----- From daniela em ccuec.unicamp.br Fri Jan 4 16:25:08 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 4 Jan 2002 16:25:08 -0200 Subject: [SECURITY-L] Worm targets security software Message-ID: <20020104182508.GC2958@ccuec.unicamp.br> ----- Forwarded message from Nelson Murilo ----- From: Nelson Murilo Subject: [S] Worm targets security software To: seguranca em pangeia.com.br Date: Thu, 3 Jan 2002 18:49:56 -0200 [http://news.cnet.com/news/0-1003-200-8334809.html] By David Becker Staff Writer, CNET News.com January 2, 2002, 11:55 a.m. PT A destructive new worm that destroys antivirus software on infected computers was slowly spreading Wednesday. The Maldal.D worm, also known as ZaCker, was written and distributed Dec. 29, according to antivirus software maker Symantec, prompting fears the worm could sneak past security software that wasn't updated over the holiday break. "We always worry when something comes out at the end of the week or over a holiday, when nobody's in their office," said Steve Trilling, director of research at Symantec's Security Response division, which rated Maldal.D as a moderate threat. Maldal.D appeared to be spreading slowly and mainly outside the corporate networks that can turn an infection into an epidemic. "We have seen a bit of an upsurge in submissions today, but most of them are from consumers," Trilling said. "That leads us to believe that a lot of corporations updated their software right away." E-mail screening service MessageLabs reported intercepting about 150 copies of Maldal.D by 11 a.m. Wednesday, placing the worm at the bottom of the company's list of the Top 10 most active viruses. Maldal.D spreads itself as a file attached to an e-mail with the subject "ZaCker." The body of the message consists of one of several dozen cryptic sentences, such as "nowadays, there is no womanhood!! :P" If the file is opened, the activated worm attempts to delete files associated with popular antivirus applications, including programs from Symantec, McAfee and Zone Labs. The worm also deletes files with common extensions such as .exe, .doc and .jpg, which could destroy enough critical files to render an infected PC unstable or unusable. The worm spreads itself by e-mailing copies of itself to all addresses in the infected PC's Microsoft Outlook address book. Attacking security software is an old trick, Trilling said, noting that the recent Goner worm employed similar tactics. Such efforts are unlikely to work, however, if the security software is running as it's supposed to. "If the software is running all the time in the background, it can't easily be deleted," Trilling said. Business and home PC users were advised to download the latest updates for antivirus software to catch Maldal.D and to reinstall security software to PCs already infected. ----- End forwarded message ----- From daniela em ccuec.unicamp.br Fri Jan 4 16:38:22 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 4 Jan 2002 16:38:22 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020104183822.GA7106@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 07/12/2001: ----------- Red Hat, Inc. Red Hat Security Advisory (RHSA-2001:162-04) Assunto: vulnerabilidade de seguranca no package namazu. http://www.security.unicamp.br/docs/bugs/2001/12/v41.txt 19/12/2001: ----------- Red Hat, Inc. Red Hat Security Advisory (RHSA-2001:168-05) Assunto: vulnerabilidade de seguranca no package mailman. http://www.security.unicamp.br/docs/bugs/2001/12/v39.txt 24/12/2001: ----------- SuSE Security Announcement (SuSE-SA:2001:046) Assunto: vulnerabilidade de seguranca nos packages glibc/shlibs e in.ftpd. http://www.security.unicamp.br/docs/bugs/2001/12/v40.txt 02/01/2002: ----------- Red Hat, Inc. Red Hat Security Advisory (RHSA-2001:170-06) Assunto: vulnerabilidade de seguranca no package mailman. http://www.security.unicamp.br/docs/bugs/2002/01/v1.txt 03/01/2002: ----------- Anúncio de segurança do Conectiva Linux (CLA-2002:447) Assunto: Buffer overflow na glibc. http://www.security.unicamp.br/docs/bugs/2002/01/v2.txt Anúncio de segurança do Conectiva Linux (CLA-2002:448) Assunto: Vulnerabilidades na libgtop. http://www.security.unicamp.br/docs/bugs/2002/01/v3.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Mon Jan 7 12:15:13 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Mon, 7 Jan 2002 12:15:13 -0200 Subject: [SECURITY-L] Vulnerabilidade de seguranca Message-ID: <20020107141513.GA6725@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 05/01/2002: ----------- HP Support Information Digests (HPSBTL020112-010) Assunto: Security vulnerability in Apache 1.3.19. http://www.security.unicamp.br/docs/bugs/2002/01/v4.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Tue Jan 8 15:56:24 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 8 Jan 2002 15:56:24 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020108175624.GA7831@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 03/01/2002: ----------- Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:002-10) Assunto: vulnerabilidade de seguranca no software stunnel. http://www.security.unicamp.br/docs/bugs/2002/01/v9.txt 04/01/2002: ----------- Trustix Secure Linux Security Advisory #2002-0003 Assunto: Vulnerabilidade de buffer overflow no software mutt. http://www.security.unicamp.br/docs/bugs/2002/01/v6.txt Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:003-10) Assunto: Vulnerabilidade de buffer overflow no software mutt. http://www.security.unicamp.br/docs/bugs/2002/01/v8.txt 07/01/2002: ----------- Anúncio de segurança do Conectiva Linux (CLA-2002:449) Assunto: Vulnerabilidade de buffer overflow no software mutt. http://www.security.unicamp.br/docs/bugs/2002/01/v5.txt Red Hat, Inc. Red Hat Security Advisory (RHSA-2001:176-05) Assunto: vulnerabilidade de seguranca no software exim. http://www.security.unicamp.br/docs/bugs/2002/01/v10.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Tue Jan 8 15:58:36 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 8 Jan 2002 15:58:36 -0200 Subject: [SECURITY-L] Alerta!!!! - TWIG expoe nome de usuario e senha Message-ID: <20020108175836.GB7831@ccuec.unicamp.br> From: Adriano Mauro Cansian Subject: Alerta!!!! - TWIG nome de usuário e senha To: Pedro A M Vazquez Date: Mon, 07 Jan 2002 19:31:16 -0300 X-Mailer: QUALCOMM Windows Eudora Version 5.1 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ALERTA!!!! TWIG expõe nome de usuário e senha. 1. Introdução TWIG é uma aplicação baseada em www para intranets e groupware. Ela inclui suporte para e-mail e acesso de newsgroup. 2. Descrição Quando um usuário se autentica no TWIG, seu nome de usuário e senha são guardados num cookie. Na configuração padrão do TWIG, essa informação não sofre qualquer tipo de ciframento. Um atacante pode adquirir esse cookie através de uma referência cruzada de URL enviada ao usuário. Além do problema do ciframento, o cookie sobrevive à sessão se o usuário não der logout explícito. 3. Sistemas Afetados TWIG 2.6 TWIG 2.6.1 TWIG 2.6.2 TWIG 2.7 TWIG 2.7.1 TWIG 2.7.2 TWIG 2.7.3 TWIG 2.7.4 Versões anteriores também são afetadas. Recebemos alerta referente a uma versão anterior a essas que roda aqui na UNESP, que é afetada. 4. Solução Para administradoress: Edite o seguinte arquivo /config/config.php (ou .php3) mudando os seguintes valores change: $config["security"] = "basic"; para: $config["security"] = "advanced"; E: $config["login_handler"] = "cookie"; Para: $config["login_handler"] = "securecookie.php4session"; Ou verifique as opções descritas na documentação da sua versão do TWIG. Para usuários: Sempre execute logout explícito, através dos menus do TWIG. 5. Comentários Ler os seguintes alertas: http://www.securityfocus.org/archive/1/242913 http://www.securityfocus.org/cgi-bin/vulns-item.pl?section=info&id=3591 Qualquer dúvida entre em contato com o GRC Cordialmente, Francisco Figueiredo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Gnome PGP version 0.4 iD8DBQE8OZDQ/iB8DG84/iIRAr/xAJ98Du3NNWX3BM9Ezmh/+iA7O0zewgCfRCIs Hz0ws8pQMgpFwnd2+uIksMg= =ehW1 -----END PGP SIGNATURE----- From daniela em ccuec.unicamp.br Tue Jan 8 16:03:09 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 8 Jan 2002 16:03:09 -0200 Subject: [SECURITY-L] CAIS-PUB: NIST Guidelines on Firewalls and Firewall Policy Message-ID: <20020108180309.GC7831@ccuec.unicamp.br> ----- Forwarded message from "Liliana E. Velasquez Alegre Solha" ----- From: "Liliana E. Velasquez Alegre Solha" Subject: [S] CAIS-PUB: NIST Guidelines on Firewalls and Firewall Policy To: Date: Mon, 7 Jan 2002 16:44:47 -0200 (EDT) Pessoal, Nesta ultima semana foi publicado pelo NIST um guia sobre firewalls e VPN: Guidelines on Firewalls and Firewall Policy http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf Talvez seja do interesse de voces. Alias, recomendo que visitem a seguinte URL a partir da qual podem ser acessados este e outros papers na area de seguranca, alguns bastante interessantes: http://csrc.nist.gov/publications/nistpubs/index.html Um abraco, Nina CAIS/RNP January 4, 2002 -- NIST is pleased to announce Special Publication 800-41, Guidelines on Firewalls and Firewall Policy. This document contains an overview of recent developments in firewall technology, and guidance on configuring firewall environments. It discusses firewall access control, active content filtering, DMZs, and co-location with VPNs, web and email servers, and intrusion detection. It contains guidance on developing firewall policy and recommendations for administering firewalls. Lastly, it contains several appendices with links to other firewall-related resources and recommendations for configuring and operating firewalls. URL to view the Firewall document: document is available in .pdf format. ----- End forwarded message ----- From daniela em ccuec.unicamp.br Tue Jan 8 16:03:48 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 8 Jan 2002 16:03:48 -0200 Subject: [SECURITY-L] CAIS-PAPERS: "Using IPSec in Windows 2000 and XP" Message-ID: <20020108180348.GD7831@ccuec.unicamp.br> ----- Forwarded message from "Liliana E. Velasquez Alegre Solha" ----- From: "Liliana E. Velasquez Alegre Solha" Subject: [S] CAIS-PAPERS: "Using IPSec in Windows 2000 and XP" To: Date: Tue, 8 Jan 2002 08:35:00 -0200 (EDT) Prezados, Recentemente foi publicado pela SecurityFocus a terceira e ultima parte de uma serie de artigos que tratan o uso de IPSec em sistemas Windows 2000 e XP. Acredito que possa interessar a alguns. Using IPSec in Windows 2000 and XP - Part Three http://www.securityfocus.net/infocus/1528 No final do artigo tem links para as outras partes. Um abraco, Nina CAIS/RNP ----- End forwarded message ----- From daniela em ccuec.unicamp.br Wed Jan 9 15:23:17 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 9 Jan 2002 15:23:17 -0200 Subject: [SECURITY-L] Boletins de noticias Message-ID: <20020109172317.GA4509@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e redes da Unicamp com os seguintes boletins de noticias e/ou revistas eletronicas: 08/01/2002: ----------- SecurityFocus.com Newsletter #126 Fonte: SecurityFocus.com http://www.security.unicamp.br/docs/informativos/2002/01/b4.txt SANS Windows Security Digest (Vol. 5 Num. 1) Fonte: SANS Institute http://www.security.unicamp.br/docs/informativos/2001/12/b5.txt -- Equipe de Seguranca em Sitemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Wed Jan 9 15:41:09 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 9 Jan 2002 15:41:09 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020109174109.GA8209@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 04/01/2002: ----------- Security Advisory FreeBSD, Inc. (FreeBSD-SA-02:05 - pine) Assunto: vulnerabilidade de seguranca no package "pine". http://www.security.unicamp.br/docs/bugs/2002/01/v11.txt 09/01/2002: ----------- Anúncio de segurança do Conectiva Linux (CLA-2002:450) Assunto: negação de serviço no proftpd. http://www.security.unicamp.br/docs/bugs/2002/01/v12.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Thu Jan 10 10:03:20 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Thu, 10 Jan 2002 10:03:20 -0200 Subject: [SECURITY-L] CyberNotes: 2001 Year End Summary Message-ID: <20020110120320.GC2453@ccuec.unicamp.br> ----- Forwarded message from Klaus Steding-Jessen ----- From: Klaus Steding-Jessen Subject: [S] CyberNotes: 2001 Year End Summary To: seguranca em pangeia.com.br Date: Wed, 9 Jan 2002 16:21:20 -0200 X-Mailer: VM 6.95 under Emacs 20.7.1 [SANS NewsBites Vol. 4 Num. 02] The National Infrastructure Protection Center just released an 84 page summary of all security vulnerabilities, viruses and Trojans identified between December 12, 2000 and December 14, 2001. It is a valuable check list that includes risk level, vendor, operating system, software and reference to more detailed data in NIPC's CyberNotes. http://www.nipc.gov/cybernotes/2001/cyberissue2001-26.pdf Alan ********************************************************************** ----- End forwarded message ----- From daniela em ccuec.unicamp.br Thu Jan 10 11:22:53 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Thu, 10 Jan 2002 11:22:53 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020110132253.GA4309@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 08/01/2002: ----------- HP Support Information Digests (HPSBUX0201-178) Assunto: Sec. Vulnerability with filesystem deadlock. http://www.security.unicamp.br/docs/bugs/2002/01/v13.txt Mandrake Linux Security Update Advisory (MDKSA-2002:001) Assunto: vulnerabilidade de seguranca no package bind. http://www.security.unicamp.br/docs/bugs/2002/01/v14.txt Mandrake Linux Security Update Advisory (MDKSA-2002:002) Assunto: vulnerabilidade de seguranca no package mutt. http://www.security.unicamp.br/docs/bugs/2002/01/v15.txt Sun Microsystems, Inc. Security Bulletin #00214 Assunto: buffer overflow in dtspcd. http://www.security.unicamp.br/docs/bugs/2002/01/v18.txt 09/01/2002: ----------- Red Hat, Inc. Red Hat Security Advisory (RHSA-2001:179-05) Assunto: vulnerabilidade de seguranca no package namazu. http://www.security.unicamp.br/docs/bugs/2002/01/v16.txt Cisco Security Advisory Assunto: Multiple Vulnerabilities in Cisco SN 5420 Storage Routers. http://www.security.unicamp.br/docs/bugs/2002/01/v17.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Fri Jan 11 16:37:01 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 11 Jan 2002 16:37:01 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020111183701.GA25974@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 08/01/2002: ----------- Update: Mandrake Linux Security Update Advisory (MDKSA-2001:095-1) Assunto: vulnerabilidade de seguranca no package glibc. http://www.security.unicamp.br/docs/bugs/2002/01/v20.txt 10/01/2002: ----------- REVISED: Security Advisory FreeBSD, Inc. (FreeBSD-SA-02:05) Assunto: vulnerabilidade de seguranca no software pine. http://www.security.unicamp.br/docs/bugs/2002/01/v19.txt Caldera International, Inc. Security Advisory (CSSA-2002-SCO.1) Assunto: OpenServer: wu-ftpd ftpglob() vulnerability. http://www.security.unicamp.br/docs/bugs/2002/01/v21.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Fri Jan 11 16:52:12 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 11 Jan 2002 16:52:12 -0200 Subject: [SECURITY-L] Boletins de noticias Message-ID: <20020111185212.GA29106@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e redes da Unicamp com os seguintes boletins de noticias e/ou revistas eletronicas: 11/01/2002: ----------- LinuxSecurity Brasil Edição Especial #2002/02 Fonte: Linux Security http://www.security.unicamp.br/docs/informativos/2002/01/b7.html SANS Windows Security Digest (Vol. 5 Num. 1) Fonte: SANS Institute http://www.security.unicamp.br/docs/informativos/2001/12/b5.txt -- Equipe de Seguranca em Sitemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Mon Jan 14 09:57:15 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Mon, 14 Jan 2002 09:57:15 -0200 Subject: [SECURITY-L] ASP Application Security: CDONTS.NEWMAIL Message-ID: <20020114115715.GC23462@ccuec.unicamp.br> ----- Forwarded message from aleph1 em securityfocus.com ----- From: aleph1 em securityfocus.com Subject: (forw) ASP Application Security: CDONTS.NEWMAIL To: secpapers em securityfocus.com Date: Sat, 12 Jan 2002 10:19:40 -0700 ----- Forwarded message from David Litchfield ----- From: "David Litchfield" To: Subject: ASP Application Security: CDONTS.NEWMAIL Date: Fri, 11 Jan 2002 15:21:35 -0000 Message-ID: <01a301c19ab3$bcb92bc0$1b01010a em XU5UDGJMHXJ300> X-Mailer: Microsoft Outlook Express 5.50.4522.1200 Howdy, I've written a paper on a potential risk with using the CDONTS.NEWMAIL object in Microsoft ASP applications running on Internet Information Server. The paper discusses how an attacker can leverage an ASP page using the CDONTS.NEWMAIL object to send arbitrary e-mails from the vulnerable web server. The CDONTS.NEWMAIL object is used freqently to provide e-mail functionality for pages such as feedback or contact forms and so ASP developers should ensure that all client input be made safe before passing it to any of the properties of the object. Paper available from http://www.nextgenss.com/research.html . Cheers, David Litchfield ----- End forwarded message ----- -- Elias Levy SecurityFocus http://www.securityfocus.com/ Si vis pacem, para bellum ----- End forwarded message ----- From daniela em ccuec.unicamp.br Tue Jan 15 12:02:19 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 15 Jan 2002 12:02:19 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020115140219.GA7839@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 14/01/2002: ----------- CERT Advisory CA-2002-01 Assunto: Exploitation of Vulnerability in CDE Subprocess Control Service. http://www.security.unicamp.br/docs/bugs/2002/01/v22.txt SuSE Security Announcement (SuSE-SA:2002:002) Assunto: vulnerabilidade de seguranca no programa sudo. http://www.security.unicamp.br/docs/bugs/2002/01/v23.txt Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:004-06) Assunto: vulnerabilidade de seguranca no package groff. http://www.security.unicamp.br/docs/bugs/2002/01/v24.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Tue Jan 15 14:53:24 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 15 Jan 2002 14:53:24 -0200 Subject: [SECURITY-L] Alerta-CAIS: Exploracao da vulnerabilidade no Subprocesso do CDE Message-ID: <20020115165324.GA11340@ccuec.unicamp.br> Administradores de maquinas Solaris, Leiam atentamente esse Alerta do CAIS e o boletim do CERT. Atualizem as maquinas o mais rapido possivel. ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- From: Centro de Atendimento a Incidentes de Seguranca Subject: Alerta-CAIS: Exploracao da vulnerabilidade no Subprocesso do CDE To: , Date: Tue, 15 Jan 2002 14:44:17 -0200 (EDT) -----BEGIN PGP SIGNED MESSAGE----- Prezados, O CAIS esta' repassando o alerta do CERT/CC, CERT Advisory CA-2002-01 Exploitation of Vulnerability in CDE Subprocess Control Service, tratando da exploracao da vulnerabilidade associada ao CDE Subprocess Control Service. Conforme o alerta do CERT/CC, foi desenvolvido um exploit para comprometer sistemas Solaris. Esta vulnerabilidade foi reportada no ano passado no alerta CA-2001-31 e afeta varias plataformas. A relacao de sistemas vulneraveis pode ser encontrada em: http://www.kb.cert.org/vuls/id/172583#systems Deve-se procurar identificar atividades de reconhecimento procurando pela porta 6112/tcp. Sistemas que nao tiveram as correcoes aplicadas devem limitar o acesso a esta porta. Deve-se tomar cuidado com as atividades relacionadas a esta porta, pois varias aplicacoes de internet a utilizam de forma legitima. Exemplo de log do cisco: Dec 15 20:21:10 polaris 1916585: Dec 15 20:21:09 GMT-2: %SEC-6-IPACCESSLOGP: list 101 denied tcp 168.xxx.56.yy(25981) -> 200.144.121.33(6112), 1 packet A regra do Snort indicada para esta vulnerabilidade segue: alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 \ (msg: "CDE dtspcd exploit attempt"; \ reference: cve,CAN-2001-0803; \ reference: url,www.cert.org/advisories/CA-2002-01.html; \ flags: A+; \ content: "1"; offset: 10; depth: 1; content: !"000"; offset: 13; depth: 3;) Nota: As regras do Snort sofrem constantes adaptacoes e podem eventualmente gerar falsos positivos. Para maiores detalhes e tambem para obter os patches necessarios, consulte o alerta do CERT/CC em anexo e ou as informacoes relacionadas a esta vulnerabilidade disponiveis em: http://www.cert.org/advisories/CA-2002-01.html http://www.cert.org/advisories/CA-2001-31.html http://www.kb.cert.org/vuls/id/172583 O CAIS recomenda que sejam instalados com urgencia os patches disponibilizados pelos fabricantes. Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key # ################################################################ - ---------- Forwarded message ---------- Date: Mon, 14 Jan 2002 12:02:22 -0500 (EST) From: CERT Advisory To: cert-advisory em cert.org Subject: CERT Advisory CA-2002-01 Exploitation of Vulnerability in CDE Subprocess CERT Advisory CA-2002-01 Exploitation of Vulnerability in CDE Subprocess Control Service Original release date: January 14, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Systems running CDE Overview The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running the CDE Subprocess Control Service buffer overflow vulnerability identified in CA-2001-31 and discussed in VU#172583. I. Description Since CA-2001-31 was originally released last November, the CERT/CC has received reports of scanning for dtspcd (6112/tcp). Just recently, however, we have received credible reports of an exploit for Solaris systems. Using network traces provided by The Honeynet Project, we have confirmed that the dtspcd vulnerability identified in CA-2001-31 and discussed in VU#172583 is actively being exploited. The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The CDE Subprocess Control Service (dtspcd) is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On systems running CDE, dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response to a CDE client request. dtspcd is typically configured to run on port 6112/tcp with root privileges. There is a remotely exploitable buffer overflow vulnerability in a shared library that is used by dtspcd. During client negotiation, dtspcd accepts a length value and subsequent data from the client without performing adequate input validation. As a result, a malicious client can manipulate data sent to dtspcd and cause a buffer overflow, potentially executing code with root privileges. The overflow occurs in a fixed-size 4K buffer that is exploited by the contents of one of the attack packets. The signature can be found at bytes 0x3e-0x41 in the following attack packet from a tcpdump log (lines may wrap): 09:46:04.378306 10.10.10.1.3592 > 10.10.10.2.6112: P 1:1449(1448) ack 1 win 16060 (DF) 0x0000 4500 05dc a1ac 4000 3006 241c 0a0a 0a01 E..... em .0.$..... 0x0010 0a0a 0a02 0e08 17e0 fee2 c115 5f66 192f ...f........_f./ 0x0020 8018 3ebc e1e9 0000 0101 080a 1ba7 dffb ..>............. 0x0030 003f 7548 3030 3030 3030 3032 3034 3130 .?uH000000020410 0x0040 3365 3030 3031 2020 3420 0000 0031 3000 3e0001..4....10. 0x0050 801c 4011 801c 4011 1080 0101 801c 4011 .. em ...@....... em . 0x0060 801c 4011 801c 4011 801c 4011 801c 4011 .. em ...@... em ...@. ... The value 0x103e in the ASCII (right) column above is interpreted by the server as the number of bytes in the packet to copy into the internal 4K (0x1000) buffer. Since 0x103e is greater than 0x1000, the last 0x3e bytes of the packet will overwrite memory after the end of the 4K buffer. This is the same compromise vector identified in VU#172583. It is important to note that several Internet-enabled games may also use port 6112/tcp as a legitimate part of their normal operation, therefore, not all network activity involving this service may be malicious. Network administrators monitoring this type of activity may wish to verify whether probes of this type are actually attempts to exploit VU#172583. Many common UNIX systems ship with CDE installed and enabled by default. To determine if your system is configured to run dtspcd, check for the following entries (lines may wrap): in /etc/services dtspc 6112/tcp in /etc/inetd.conf dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd Any system that does not run the CDE Subprocess Control Service is not vulnerable to this problem. II. Impact An attacker can execute arbitrary code with root privileges. III. Solution Apply a patch VU#172583 contains information from vendors who have provided information for this advisory. We will update the vulnerability note as we receive more information. If a vendor's name does not appear, then the CERT/CC did not hear from that vendor. Please contact your vendor directly. Vendor information can be found in the "Systems Affected" section of VU#172583 http://www.kb.cert.org/vuls/id/172583#systems Limit access to vulnerable service Until patches are available and can be applied, you may wish to limit or block access to the Subprocess Control Service from untrusted networks such as the Internet. Using a firewall or other packet-filtering technology, block or restrict access to the port used by the Subprocess Control Service. As noted above, dtspcd is typically configured to listen on port 6112/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging functionality for dtspcd connections. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. It is important to understand your network configuration and service requirements before deciding what changes are appropriate. TCP Wrapper is available from ftp://ftp.porcupine.org/pub/security/index.html Disable vulnerable service You may wish to consider disabling dtspcd by commenting out the appropriate entry in /etc/inetd.conf. As a best practice, the CERT/CC recommends disabling any services that are not explicitly required. As noted above, it is important to consider the consequences of such a change in your environment. Appendix A. - References 1. http://www.kb.cert.org/vuls/id/172583 2. http://www.cert.org/advisories/CA-2001-31.html 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803 4. http://xforce.iss.net/alerts/advise101.php 5. http://www.opengroup.org/cde/ 6. http://www.opengroup.org/desktop/faq/ _________________________________________________________________ The CERT Coordination Center thanks The Honeynet Project for their assistance in providing network traces of the exploitation. _________________________________________________________________ Authors: Allen Householder and Art Manion ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-01.html ______________________________________________________________________ CERT/CC Contact Information Email: cert em cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2001 Carnegie Mellon University. Revision History January 14, 2002: Initial release - ------------ Output from pgp ------------ Good signature made 2002-01-14 16:55 GMT by key: 1024 bits, Key ID D02361C9, Created 2001-09-06 "CERT Coordination Center " WARNING: The signing key is not trusted to belong to: CERT Coordination Center -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBPERcfOkli63F4U8VAQECoQP/R1zPLCD0ywG0L8GgXrrlLV1lmz3zv0Kt DB6DjOcgjZg1bZQWuwbbkPQV1qazy3Wv8taNZ6So1W8Os3Co7evXnmiOKk5erNL4 BUD0uF75lBHv+0+eejwhC1zNobI0fJbeHvzt9B/cBCcJTLXZOF5tpF3XjlXu9XHS C5mHQVY2WOs= =ZfYp -----END PGP SIGNATURE----- ----- End forwarded message ----- From daniela em ccuec.unicamp.br Wed Jan 16 10:30:34 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 16 Jan 2002 10:30:34 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020116123034.GA1202@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 14/01/2002: ----------- Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:013-03) Assunto: vulnerabilidade de seguranca no package sudo no Red Hat Powertools. http://www.security.unicamp.br/docs/bugs/2002/01/v29.txt Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:005-09) Assunto: vulnerabilidade de seguranca no package xchat. http://www.security.unicamp.br/docs/bugs/2002/01/v30.txt 15/01/2002: ----------- Anúncio de segurança do Conectiva Linux (CLA-2002:451) Assunto: vulnerabilidade local permite obter privilégios de root. http://www.security.unicamp.br/docs/bugs/2002/01/v26.txt Anúncio de atualização do Conectiva Linux (CLA-2002:451) Assunto: PACOTE: initscripts - Alguns serviços não iniciam após um boot com checagem de disco. http://www.security.unicamp.br/docs/bugs/2002/01/v27.txt Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:011-06) Assunto: vulnerabilidade de seguranca no package sudo no Red Hat Linux. http://www.security.unicamp.br/docs/bugs/2002/01/v28.txt Mandrake Linux Security Update Advisory (MDKSA-2002:003) Assunto: vulnerabilidade de seguranca no package sudo. http://www.security.unicamp.br/docs/bugs/2002/01/v31.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Wed Jan 16 14:54:05 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 16 Jan 2002 14:54:05 -0200 Subject: [SECURITY-L] Orientacao de seguranca 01/2002 - vulnerabilidade no FormMail Message-ID: <20020116165405.GA28427@ccuec.unicamp.br> http://www.security.unicamp.br/docs/orientacoes/2002/o1.html Orientação sobre segurança - 01/2002 Assunto: vulnerabilidade no FormMail Srs. Administradores, Segundo informações divulgadas em listas públicas de segurança existe um bug no FormMail versões 1.6, 1.7 e 1.8 que permite o uso indevido da máquina para envio anônimo de mensagens não solicitadas (SPAMs). Se você possui esse script rodando em agulma máquina da sua Unidade, atualize imediatamente para a versão 1.9. Para fazer o download da versão mais recente consulte em: http://worldwidemart.com/scripts/formmail.shtml -- Equipe de Segurança em Sistemas e Redes UNICAMP - Universidade Estadual de Campinas Data: 16/01/2002 From daniela em ccuec.unicamp.br Wed Jan 16 15:25:15 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 16 Jan 2002 15:25:15 -0200 Subject: [SECURITY-L] Who Needs Hackers? We've Got Microsoft! Message-ID: <20020116172515.GB286@ccuec.unicamp.br> ----- Forwarded message from Cristine Hoepers ----- From: Cristine Hoepers Subject: [S] Who Needs Hackers? We've Got Microsoft! To: seguranca em pangeia.com.br Date: Tue, 15 Jan 2002 17:28:45 -0200 X-Mailer: Mutt 1.0.1i [http://www.infowarrior.org/articles/2001-15.html] Who Needs Hackers? We've Got Microsoft! Richard Forno 20 December 2001: Essay #2001-15 rforno em infowarrior.org (c) 2001 by Author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given. Summary: The latest Microsoft bug is a doozy. Why do these things keep cropping up? ______________________________________________________________________ This gives "Plug and Pray" a whole new meaning... Plug your XP box to the Internet and pray the hackers don't find it. (Slashdot) "The only secure Microsoft software is what's still shrink-wrapped in their warehouse..." (Forno) ______________________________________________________________________ By now, people know that I'm not the world's greatest Microsoft fan. Truth be told, I'm not completely biased against the company, and will even acknowledge that it has - at various points - produced some decent products. I also don't 'bash' Microsoft because it's the 'in' thing to do these days, but because there are serious problems with the software company's products and services that they continue to ignore. In fact, some would argue, they just don't get it. Such observations, therefore, must be voiced. The federal government and technology industry want you to believe the threats to our networks are external, not internal, where someone must be held accountable when things go wrong. Thus, we hear the rhetoric about cyberterrorists, hackers, and the so-called 'Digital Pearl Harbor' - things you can't easily point fingers at and hold someone accountable for when bad things happen. The White House would be wise to look at our nation's own self-induced vulnerabilities before rushing to spin up a sinister external threat; absent the rich target of opportunity presented by nearly all Microsoft products, hackers, crackers, and electronic evildoers would have a much harder time causing mainstream mischief every other week. Windows XP was promoted by Microsoft as perhaps the ultimate and most secured Windows operating system the firm had ever created, and one of its key features was increased security from electronic evildoers like hackers, crackers, and so-called cyberterrorists. In fact, in a recent interview with E-Week, Microsoft Vice President Jim Allchin said that Windows XP is "...dramatically more secure than Windows 2000 or any of the prior systems." Released on October 25, it was to be the default operating system on all new personal computers sold, and its release was timed to coincide with new PC sales for the 2001 holiday season. Unfortunately, Windows XP doesn't protect you from Microsoft, an entity some argue is more dangerous than any cyberterrorist or hacker gang. It turns out that the Windows XP ships with a new feature called Universal Plug and Play (UPnP) enabled (turned on) by default - thus allowing UPnP devices to locate each other on a local network, so that your home computer can talk to your refrigerator can talk to your toaster can talk to your stereo can send messages to your PDA, and so forth. However, as a result of this oversight, someone could remotely use this feature to exploit, control, or disrupt a system from remote locations around the world. As if computer exploits aren't bad enough, you'll soon have to worry about someone turning off your freezer and spoiling your holiday leftovers.... Note this is not to be confused with the Windows Remote Assistance feature - promoted as one of the major benefits of using Windows XP, yet functioning in essentially the same way as the UPnP exploit. (One wonders how quickly the Remote Assistance feature will be exploited in the future as well.) Marc Maiffret, the talented, blue-haired 'Chief Hacking Officer' of Eeye Security, demonstrated the UPnP exploit to a shocked group of reporters yesterday. As a result, media and security experts are calling this "The Mother of All Exploits" for Windows XP, scrambling to inform the public about the importance of downloading and installing the fix for this problem - a security problem not caused by a hacker or cracker, but developed and implemented exclusively by Microsoft for your computing convenience and to enhance your user experience as a 'feature' of the product. According to an AP story by Ted Bridis, Microsoft Security Manager Scott Culp, called this latest vulnerability the "the first network-based, remote compromise that I'm aware of for Windows desktop systems" and a "very serious vulnerability." I guess it's all in how you define "compromise." How very Clintonian. Although repeatedly interviewed by the media reporting on Microsoft-based security events over the years, Culp apparently doesn't consider any of the following Microsoft-centric security exploits as "network-based, remote compromises" for "Windows desktop systems" either - the series of Back Orifice programs from the always-amusing Cult of the Dead Cow (CDC) to e-mail worms, trojans, and viruses (think BadTrans) that can transmit sensitive information from systems they infect. Did Culp miss a few days of class here and there and forget to read up on SECHOLE.EXE (July 1998), the assorted Internet Explorer cross-frame scripting exploits (September 1998) or the mid-2000 ability to remotely exploit a Windows desktop through a buffer overflow found in the Clip Art feature of Microsoft Office? And what about Windows File and Print Sharing vulnerabilities from back in 1995? How about the seemingly-endless number of buffer overflow exploits (think CodeRed, Lion, and Nimda) that plague Microsoft Internet Information Server (IIS) - granted, IIS isn't made for "Windows desktops" but it deserves mention given the nearly-identical software code in Microsoft's desktop and server products. So how exactly does Microsoft classify these other types of network-centric exploits? As nuisances but the price of doing business in the wired world? When will it end? And what to do about this latest security problem originating in Redmond? Microsoft, as the world's largest purveyor of PC software, with an established monopoly status, needs to do the responsible thing. Rather than continue to preach security as a marketing tool for its .NET venture, an avenue for business development with new proprietary 'standards' and fee-based, censored security 'partnerships' or review its reactive measures, it should get back to the basics and look within for the solution to its internal problems that usually evolve into the world's problems. Simply put, Microsoft needs to review its software code line-by-line and clean it up. Years of service packing, patching, re-patching, updating, critical updating, and hotfixing Windows products have made them dirty and prone to breaking, as we see every few months. Better yet, Microsoft needs to revisit the basic design of Windows - namely, removing the shared code between applications and the underlying Windows operating system (like the pervasiveness of the Web-enabled Internet Explorer across each Windows application and system.) Like a car, it's time to bring the Windows code into the shop for a major tune-up. Actually, a worldwide recall might in order. In addition, Microsoft must not ensure its products work well together, but also conduct much more aggressive 'abuse testing' of its software (e.g., XP) before it gets released to the Real World. Such testing should be done by independent third parties and conducted in a transparent, public manner to preclude any claims of bias in the results of such testing. In general, Microsoft should conduct what the rest of the computing community considers a real "beta test" - namely, making sure that a supposedly finished application works as intended, using experienced users to test the functionality, durability, and security of the product in a real-world, real-use, take-no-prisoners environment.....not use its much bally-hooed 'beta test' periods as the opportunity to market advance copies of their products, many of which never seem to get out of the beta stage even when they're officially released for sale! In none of the interviews regarding the UPnP situation has Culp admitted that Eeye did the responsible thing by informing Microsoft and waiting for the fix to be available from Microsoft before releasing information on this critical exploit to the internet community, something many folks in the security community (all outside of Microsoft) consider 'responsible disclosure.' According to reports, it took Microsoft nearly two months to release a patch after learning of the exploit. While Eeye's actions were praiseworthy, I wouldn't wait so long before mentioning such a critical security problem to the community. Realisticly, a vendor should be able to examine and verify a reported exploit - particularly one as critical as this one - and release a patch or publish corrective guidance to the public in about two weeks. In this case, Microsoft - had it decided it was in its interest to do so - could have easily assigned fourteen thousand programmer man-days (1000 programmers x 14 days) to address the problem within two weeks. Eeye was very generous in giving Microsoft so long to fix the problem, although why it took nearly two months for Microsoft to address the problem raises some disturbing questions. Perhaps acknowledging this would be contrary to the tone and contents of Culp's October 2001 missive calling for a Microsoft-based Vatican of Vulnerability to quell the public disclosure of security vulnerabilities and implement software security through obscurity and public ignorance. More interestingly, Eeye reported the UPnP exploit to Microsoft back in October (according to sources at EEye, the day after Windows XP was released.) Was Microsoft's two-month silence on this critical exploit a business decision to avoid public embarassment on a new product so close to the holiday (e.g., "new PC purchasing") season? We can only wonder. Microsoft is by far the most notorious in their vulnerability announcements, legaleese, and cover-their-tail security alerts, something CDC member Tweety Fish noted in a 1999 interview discussing the growing number of Microsoft-generated security problems back then. He noted that Microsoft "will not consider any given security risk a problem until it becomes a problem in the press." Or, to put it another way, it's not really a problem until Microsoft says so. Actions speak louder than words. Microsoft pays security plenty of lip service for marketing and public relations spin control, but the firm's history of addressing security problems falls quite short of what security professionals would consider a robust, long-term committment to effectively dealing with the matter. Thus, it's up to third parties like Eeye and other research firms to continue serving as a "check and balance" against a future of vendor-induced security-through-obscurity and public ignorance. Thanks to Eeye's responsible disclosure of this catastrophic vulnerability in Windows XP, not only is the Internet a bit safer, but their actions prove once again that voluntary disclosure of vulnerability information is possible without a fee-based vendor-sponsored club. ______________________________________________________________________ Resources EEye Security Advisory and Technical Discussion - Easy to Understand (20 Dec 01) Microsoft's Fix to the UPnP Exploit Article: "Microsoft," No. "Mickeysoft", Yes. (28 Nov 01) Article: The Freedom to Innovate Includes The Freedom to Obfuscate: Why Microsoft's New "Security Framework" is Just Another .NET Vulnerability (10 Nov 2001) Article: The Microsoft-English Dictionary 1.5 (What Microsoft Really Means To Say) (28 Nov 01) ----- End forwarded message ----- From daniela em ccuec.unicamp.br Thu Jan 17 12:14:02 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Thu, 17 Jan 2002 12:14:02 -0200 Subject: [SECURITY-L] Boletins de noticias Message-ID: <20020117141402.GA4571@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e edes da Unicamp com os seguintes boletins de noticias e/ou revistas eletronicas: 15/01/2002: ----------- SecurityFocus.com Newsletter #127 Fonte: SecurityFocus.com http://www.security.unicamp.br/docs/informativos/2002/01/b8.txt 16/01/2002: ----------- The SANS Weekly Security News Overview (Vol. 4, Num. 03) Fonte: SANS Institute http://www.security.unicamp.br/docs/informativos/2002/01/b9.txt -- Equipe de Seguranca em Sitemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Thu Jan 17 12:26:20 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Thu, 17 Jan 2002 12:26:20 -0200 Subject: [SECURITY-L] Orientacao de seguranca 02/2002 - vulnerabilidade no sudo Message-ID: <20020117142620.GA8014@ccuec.unicamp.br> http://www.security.unicamp.br/docs/orientacoes/2002/o2.html Orientação sobre segurança - 02/2002 Assunto: vulnerabilidade no sudo Srs. Administradores, Segundo informações divulgadas em listas públicas de segurança existe um bug no sudo versões anteriores a 1.6.4 que permite acesso local de root por usuários não autorizados. Se você possui esse software rodando em alguma máquina da sua Unidade, atualize imediatamente para a versão 1.6.4. Maiores informações consulte em: http://www.securityfocus.com/archive/1/250168 -- Equipe de Segurança em Sistemas e Redes UNICAMP - Universidade Estadual de Campinas Data: 17/01/2002 From daniela em ccuec.unicamp.br Thu Jan 17 15:03:56 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Thu, 17 Jan 2002 15:03:56 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020117170356.GA3493@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 16/01/2002: ----------- Security Advisory FreeBSD, Inc. (FreeBSD-SA-02:06) Assunto: vulnerabilidade local permite obter privilégios de root explorando um bug do sudo. http://www.security.unicamp.br/docs/bugs/2002/01/v32.txt SuSE Security Announcement (SuSE-SA:2002:003) Assunto: vulnerabilidade de seguranca no comando "at". http://www.security.unicamp.br/docs/bugs/2002/01/v33.txt Cisco Security Advisory Assunto: Hardening of Solaris OS for MGC http://www.security.unicamp.br/docs/bugs/2002/01/v34.txt NetBSD Security Advisory 2002-001 Assunto: vulnerabilidade de seguranca nos processos Close-on-exec, SUID and ptrace(2). http://www.security.unicamp.br/docs/bugs/2002/01/v35.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Fri Jan 18 10:19:27 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 18 Jan 2002 10:19:27 -0200 Subject: [SECURITY-L] Postfix version 1.1.0 available Message-ID: <20020118121927.GD25171@ccuec.unicamp.br> Srs. Administradores, Saiu nova versao do postfix. Orientamos que as maquinas que rodam esse software sejam atualizadas. ----- Forwarded message from Wietse Venema ----- From: wietse em porcupine.org (Wietse Venema) Subject: [S] Postfix version 1.1.0 available To: Postfix announce Cc: Postfix users Date: Thu, 17 Jan 2002 14:57:41 -0500 (EST) X-Mailer: ELM [version 2.4ME+ PL82 (25)] Postfix version 1.1.0 is available. This is the second official non-beta Postfix release. See below for a summary from the RELEASE_NOTES file. This is the same code as snapshot 20020115 with cosmetic changes. The next snapshot will be called Postfix version 1.1.0-yyyymmdd, where yyyymmdd is the snapshot release date. No snapshot release is planned yet. At least not for the next couple weeks. Available from ftp://ftp.porcupine.org/mirrors/postfix-release/official/ 206254 Jan 17 12:58 postfix-1.1.0.HISTORY Change log 50021 Jan 17 14:14 postfix-1.1.0.RELEASE_NOTES Compatibility, features 1172184 Jan 17 14:16 postfix-1.1.0.tar.gz Source code 152 Jan 17 14:16 postfix-1.1.0.tar.gz.sig PGP signature And soon to appear on the mirror sites listed on www.postfix.org. This code is the result of three months of cleaning up. May it be a basis for further evolution. There still is a lot of work to do. Happy Postfixing! Wietse In the text below, incompatible changes are labeled with the Postfix snapshot that introduced the change. If you upgrade from a later Postfix version, then you do not have to worry about that particular incompatibility. Official Postfix releases are called a.b.c where a=major release number, b=minor release number, c=patchlevel. Snapshot releases are now called a.b.c-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). The mail_release_date configuration parameter contains the release date. Patches change the patchlevel and the release date. Snapshots change only the release date, unless they include the same bugfix as a patch release. Incompatible changes with Postfix version 1.1.0 (released 20020117) =================================================================== Changes are listed in order of decreasing importance, not release date. [snapshot-20010709] This release introduces a new queue file record type that is used only for messages that actually use VERP (variable envelope return path) support. With this sole exception, the queue file format is entirely backwards compatible with the previous official Postfix release (20020228, a.k.a. Postfix 1.1.0). [snapshot-20020106] This release modifies the existing master.cf file. The local pickup service is now unprivileged, and the cleanup and flush service are now "public". Should you have to back out to a previous release, then you must 1) edit the master.cf file, make the pickup service "privileged", and make the cleanup and flush services "private"; 2) "chmod 755 /var/spool/postfix/public". To revert to a world-writable mail submission directory, "chmod 1733 /var/spool/postfix/maildrop". [snapshot-20020106, snapshot-20010808, snapshot-20011103, snapshot-20011121] You must stop and restart Postfix because of incompatible changes in the local Postfix security model and in the Postfix internal protocols. Old and new components will not work together. [snapshot-20020106] Simpler local Postfix security model. - No world-writable maildrop directory. Postfix now always uses the set-gid postdrop command for local mail submissions. The local mail pickup daemon is now an unprivileged process. - No world-accessible pickup and queue manager server FIFOs. - New set-gid postqueue command for the queue list/flush operations that used to implemented by the Postfix sendmail command. [snapshot-20020106..15] Simpler Postfix installation and upgrading. - All installation settings are now kept in the main.cf file, and better default settings are now generated for system dependent pathnames such as sendmail_path etc. The install.cf file is no longer used, except when upgrading from an older Postfix version. - Non-default installation parameter settings can (but do not have to) be specified on the "make install" or "make upgrade" command line as name=value arguments. - New postfix-files database (in /etc/postfix) with (pathname, owner, permission) information about all Postfix-related files. - New postfix-install script replaces the awkward INSTALL.sh script. This is driven by the postfix-files database. It has better support for building packages for distribution to other systems. See PACKAGE_README for details. - New post-install script (in /etc/postfix) for post-installation maintenance of directory/file permissions and ownership (this is used by "postfix check"). Example: # postfix stop # post-install set-permissions mail_owner=username setgid_group=groupname # postfix start [snapshot-20020106] Postfix will not run if it detects that the postfix user or group ID are shared with other accounts on the system. The checks aren't exhaustive (that would be too resource consuming) but should be sufficient to encourage packagers and developers to do the right thing. To fix the problem, use the above post-install command, after you have created the appropriate new mail_owner or setgid_group user or group IDs. [snapshot-20020106] If you run multiple Postfix instances on the same machine you now have to specify their configuration directories in the default main.cf file as "alternate_config_directories = /dir1 /dir2 ...". Otherwise, some Postfix commands will no longer work: the set-group ID postdrop command for mail submission and the set-group ID postqueue command for queue listing/flushing. [snapshot-20010808] The default setting for the maps_rbl_domains parameter is now "empty", because mail-abuse.org has become a subscription-based service. The names of the RBL parameters haven't changed. [snapshot-20020106] Postfix SMTP access maps will no longer return OK for non-local multi-domain recipient mail addresses (user em dom1@dom2, user%dom1 em dom2, etcetera); the lookup now returns DUNNO (undetermined). Non-local multi-domain recipient addresses were already prohibited from matching the permit_mx_backup and the relay_domains-based restrictions. [snapshot-20011210] Stricter checking of Postfix chroot configurations. The Postfix startup procedure now warns if "system" directories (etc, bin, lib, usr) under the Postfix top-level queue directory are not owned by the super-user (usually the result of well-intended, but misguided, applications of "chown -R postfix /var/spool/postfix). [snapshot-20011008] The Postfix SMTP server now rejects requests with a generic "try again later" status (451 Server configuration error) when it detects an error in smtp_{client, helo, sender, recipient, etrn}_restrictions settings. More details about the problem are logged to the syslogd; sending such information to random clients would be inappropriate. [snapshot-20011008] Postfix no longer flushes the entire mail queue after receiving an ETRN request for a random domain name. Requests for domains that do not match $fast_flush_domains are now rejected instead. [snapshot-20011226] Postfix configuration file comments no longer continue on the next line when that next line starts with whitespace. This change avoids surprises, but it may cause unexpected behavior with existing, improperly formatted, configuration files. Caveat user. Comment lines are allowed to begin with whitespace. Multi-line input is no longer terminated by a comment line, by an all whitespace line, or by an empty line. [snapshot-20010714] Postfix delivery agents now refuse to create a missing maildir or mail spool subdirectory when its parent directory is world writable. This is necessary to prevent security problems with maildirs or with hashed mailboxes under a world writable mail spool directory. [snapshot-20010525] As per RFC 2821, the Postfix SMTP client now always sends EHLO at the beginning of an SMTP session. Specify "smtp_always_send_ehlo = no" for the old behavior, which is to send EHLO only when the server greeting banner contains the word ESMTP. [snapshot-20010525] As per RFC 2821, an EHLO command in the middle of an SMTP session resets the Postfix SMTP server state just like RSET. This behavior cannot be disabled. [snapshot-20010709] The SMTP client now by default breaks lines > 2048 characters, to avoid mail delivery problems with fragile SMTP server software. To get the old behavior back, specify "smtp_break_lines = no" in the Postfix main.cf file. [snapshot-20010709] With recipient_delimiter=+ (or any character other than -) Postfix will now recognize address extensions even with owner-foo+extension addresses. This change was necessary to make VERP useful for mailing list bounce processing. [snapshot-20010610] The Postfix pipe delivery agent no longer automatically case-folds the expansion of $user, $extension or $mailbox command-line macros. Specify the 'u' flag to get the old behavior. [snapshot-20011210] The Postfix sendmail command no longer exits with status 1 when mail submission fails, but instead returns a sendmail-compatible status code as defined in /usr/include/sysexits.h. Major changes with Postfix version 1.1.0 (Released 20020117) ============================================================ Changes are listed in order of decreasing importance, not release date. The nqmgr queue manager is now bundled with Postfix. It implements a smarter scheduling strategy that allows ordinary mail to slip past mailing list mail, resulting in better response. This queue manager is expected to become the default queue manager shortly. [snapshot-20010709, snapshot-20010808] VERP (variable envelope return path) support. This is enabled by default, including in the SMTP server. See the VERP_README file for instructions. Specify "disable_verp_bounces = yes" to have Postfix send one RFC-standard, non-VERP, bounce report for multi-recipient mail, even when VERP style delivery was requested. This reduces the explosive behavior of bounces when sending mail to a list. [snapshot-20010709] QMQP server support, so that Postfix can be used as a backend mailer for the ezmlm-idx mailing list manager. You still need qmail to drive ezmlm and to process mailing list bounces. The QMQP service is disabled by default. To enable, follow the instructions in the QMQP_README file. [snapshot-20010709] You can now reject unknown virtual(8) recipients at the SMTP port by specifying a "domain.name whatever" entry in the tables specified with virtual_mailbox_maps, similar to Postfix virtual(5) domains. [virtual(8) is the Postfix virtual delivery agent, virtual(5) is the Postfix virtual map. The two implement virtual domains in a very different manner.] [snapshot-20011121] Configurable host/domain name wildcard matching behavior: choice between "pattern `domain.name' matches string `host.domain.name'" (this is to be deprecated in the future) and "pattern `.domain.name' matches string `host.domain.name'" (this is to be preferred in the future). The configuration parameter "parent_domain_matches_subdomains" specifies which Postfix features use the behavior that will become deprecated. [snapshot-20010808] Variable coupling between message receiving rates and message delivery rates. When the message receiving rate exceeds the message delivery rate, an SMTP server will pause for $in_flow_delay seconds before accepting a message. This delay gives Postfix a chance catch up and access the disk, while still allowing new mail to arrive. This feature currently has effect only when mail arrives via a small number of SMTP clients. [snapshot-20010610, snapshot-20011121, snapshot-20011210] Workarounds for a bug in old versions of the CISCO PIX firewall software that caused mail to be resent repeatedly. The workaround has no effect for other mail deliveries. The workaround is turned off when mail is queued for less than $smtp_pix_workaround_threshold_time seconds (default: 500 seconds) so that the workaround is normally enabled only for deferred mail. The delay before sending . is now controlled by the $smtp_pix_workaround_delay_time setting (default: 10 seconds). [snapshot-20011226] Postfix will now do null address lookups in SMTPD access maps. If your access maps cannot store or look up null string key values, specify "smtpd_null_access_lookup_key = <>" and the null sender address will be looked up as <> instead. [snapshot-20011210] More usable virtual delivery agent, thanks to a new "static" map type by Jeff Miller that always returns its map name as the lookup result. This eliminates the need for per-recipient user ID and group ID tables. See the VIRTUAL_README file for more details. [snapshot-20011125] Anti-sender spoofing. New main.cf parameter smtpd_sender_login_maps that specifies the (SASL) login name that owns a MAIL FROM sender address. Specify a regexp table in order to require a simple one-to-one mapping. New SMTPD restriction reject_sender_login_mismatch that refuses a MAIL FROM address when $smtpd_sender_login_maps specifies an owner but the client is not (SASL) logged in as the MAIL FROM address owner, or when a client is (SASL) logged in but does not own the address according to $smtpd_sender_login_maps. [snapshot-20011121] The mailbox_command_maps parameter allows you to configure the external delivery command per user (local delivery agent only). This feature has precedence over the mailbox_command and home_mailbox settings. [snapshot-20011121] New "warn_if_reject" smtpd UCE restriction that only warns if the restriction that follows would reject mail. Look for file records that contain the string "reject_warning". [snapshot-20011127] New header/body_check result "WARN" to make Postfix log a warning about a header/body line without rejecting the content. [snapshot-20011103] In header/body_check files, REJECT can now be followed by text that is sent to the originator. That feature was stuck waiting for years, pending the internal protocol revision. [snapshot-20011008] The permit_mx_backup feature allows you to specify network address blocks via the permit_mx_backup_networks parameter. This requires that the primary MX hosts for the given destination match the specified network blocks. When no value is given for permit_mx_backup_networks, Postfix will accept mail whenever the local MTA is listed in the DNS as an MX relay host for a destination, even when you never gave permission to do so. [snapshot-20010709] Specify "mail_spool_directory = /var/mail/" (note the trailing "/" character) to enable maildir format for /var/mail/username. [snapshot-20010808] Finer control over address masquerading. The masquerade_classes parameter now controls header and envelope sender and recipient addresses. With earlier Postfix versions, address masquerading rewrote all addresses except for the envelope recipient. [snapshot-20010610] The pipe mail delivery agent now supports proper quoting of white space and other special characters in the expansions of the $sender and $recipient command-line macros. This was necessary for correct operation of the "simple" content filter, and is also recommended for delivery via UUCP or BSMTP. [snapshot-20010610] The pipe mail delivery agent now supports case folding the localpart and/or domain part of expansions of the $nexthop, $recipient, $user, $extension or $mailbox command-line macros. This is recommended for mail delivery via UUCP. Bug: $nexthop is always case folded because of problems in the queue manager code. [snapshot-20010525] This release contains many little revisions of little details in the light of the new RFC 2821 and RFC 2822 standards. Changes that may affect interoperability are listed above under "incompatible changes". Other little details are discussed in comments in the source code. [snapshot-20010502] The Postfix SMTP client now by default randomly shuffles destination IP addresses of equal preference (whether obtained via MX lookup or otherwise). Reportedly, this is needed for sites that use Bernstein's dnscache program. Specify "smtp_randomize_addresses = no" to disable this behavior. Based on shuffling code by Aleph1. [snapshot-20011127] New parameter smtpd_noop_commands to specify a list of commands that the Postfix SMTP server treats as NOOP commands (no syntax check, no state change). This is a workaround for misbehaving clients that send unsupported commands such as ONEX. [snapshot-20010502] "postmap -q -" and "postmap -d -" read key values from standard input, which makes it easier to drive them from another program. The same feature was added to the postalias command. [snapshot-20010502] The postsuper command now has a command-line option to delete queue files. In principle this command can be used while Postfix is running, but there is a possibility of deleting the wrong queue file when Postfix deletes a queue file and reuses the queue ID for a new message. In that case, postsuper will delete the new message. [snapshot-20010525] The postsuper queue maintenance tool now renames files whose name (queue ID) does not match the message file inode number. This is necessary after a Postfix mail queue is restored from another machine or from backups. The feature is selected with the -s option, which is the default, and runs whenever Postfix is started. [snapshot-20010525] The postsuper queue maintenance tool has a new -r (requeue) option for subjecting some or all queue files to another iteration of address rewriting. This is useful after the virtual or canonical maps have changed. [snapshot-20010525] The postsuper queue maintenance tool was extended with options to read queue IDs from standard input. This makes the tool easier to drive from scripts. [snapshot-20010329] Better support for running multiple Postfix instances on one machine. Each instance can be recognized by its logging (defaults: "syslog_name = postfix", "syslog_facility = mail"). - To unsubscribe, send mail to majordomo em postfix.org with content (not subject): unsubscribe postfix-users ----- End forwarded message ----- From daniela em ccuec.unicamp.br Fri Jan 18 15:31:58 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 18 Jan 2002 15:31:58 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020118173157.GA2553@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 16/01/2002: ----------- Mandrake Linux Security Update Advisory (MDKSA-2002:004) Assunto: vulnerabilidade de seguranca no package stunnel. http://www.security.unicamp.br/docs/bugs/2002/01/v36.txt 18/01/2002: ----------- Anúncio de segurança do Conectiva Linux (CLA-2002:453) Assunto: problema com o XChat. http://www.security.unicamp.br/docs/bugs/2002/01/v37.txt Anúncio de segurança do Conectiva Linux (CLA-2002:454) Assunto: Execução remota de comandos (pacote = exim) http://www.security.unicamp.br/docs/bugs/2002/01/v39.txt Security Advisory FreeBSD, Inc. (FreeBSD-SA-02:07) Assunto: Kerberos 5 su command usess getlogin for authorization. http://www.security.unicamp.br/docs/bugs/2002/01/v38.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Fri Jan 18 16:57:41 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 18 Jan 2002 16:57:41 -0200 Subject: [SECURITY-L] Anuncio - chkrootkit 0.35 Message-ID: <20020118185741.GA16618@ccuec.unicamp.br> ----- Forwarded message from Nelson Murilo ----- From: Nelson Murilo Subject: [S] [ Anuncio - chkrootkit 0.35 ] To: seguranca em pangeia.com.br Date: Fri, 18 Jan 2002 15:33:59 -0200 A versao 0.35 do chkrootkit esta disponivel. Esta versao inclui: * strings.c (obrigado a Sean D. True) * novos testes: ldsopreload and lsof; * novas portas adicionadas ao teste bindshell; * novos rootkits e trojans detectados: - RST.b trojan; - duarawkz; (Leif Neland) - knark LKM; - HiDrootkit; - Monkit; - Bobkit; (m0xx) - Pizdakit; ( Kaveh Goudarzi) - t0rn v8.0 (nova variante). (Bob Grabowsky e Mihai Sandu) chkrootkit e uma ferramenta para que visa identificar a presenca de rootkits atraves de assinaturas comuns. Informacoes adicionais sobre chkrootkit em: http://www.chkrootkit.org/ http://www.chkrootkit.com.br/. Este pacote foi testado com sucesso nos seguintes sistemas: Linux 2.0.x, 2.2.x e 2.4.x (qualquer distribuicao), FreeBSD 2.2.x, 3.x e 4.x, OpenBSD 2.6, 2.7, 2.8, 2.9 e 3.0, Solaris 2.5.1, 2.6 e 8.0. O pacote e respectiva assinatura MD5 estao disponiveis em: * ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz * ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5 ou na pagina oficial: * http://www.chkrootkit.org/ Informacoes adicionais sobre rootkits podem ser encontradas em: * http://www.chkrootkit.org/index.html#related_links Atenciosamente, ./nelson -murilo ----- End forwarded message ----- From daniela em ccuec.unicamp.br Mon Jan 21 15:32:01 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Mon, 21 Jan 2002 15:32:01 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020121173201.GA11520@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 18/01/2002: ----------- Mandrake Linux Security Update Advisory (MDKSA-2002:007) Assunto: vulnerabilidade de seguranca no comando at. http://www.security.unicamp.br/docs/bugs/2002/01/v41.txt 21/01/2002: ----------- Anúncio de segurança do Conectiva Linux (CLA-2002:456) Assunto: Incompatibilidade entre PHP4 e IMP no CL7. http://www.security.unicamp.br/docs/bugs/2002/01/v40.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Mon Jan 21 15:36:28 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Mon, 21 Jan 2002 15:36:28 -0200 Subject: [SECURITY-L] Boletim de noticias Message-ID: <20020121173628.GB11520@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e redes da Unicamp com os seguintes boletins de noticias e/ou revistas eletronicas: 18/01/2002: ----------- LinuxSecurity Brasil Edição Especial #2002/03 Fonte: Linux Security http://www.security.unicamp.br/docs/informativos/2002/01/b10.html -- Equipe de Seguranca em Sitemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Tue Jan 22 16:01:04 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 22 Jan 2002 16:01:04 -0200 Subject: [SECURITY-L] HFNetChk 3.3 now available Message-ID: <20020122180104.GA15464@ccuec.unicamp.br> ----- Forwarded message from Nelson Murilo ----- From: Nelson Murilo Subject: [S] HFNetChk 3.3 now available To: seguranca em pangeia.com.br Date: Fri, 18 Jan 2002 12:00:23 -0200 HFNetChk version 3.3 is now available. You may obtain the program via the download link on Knowledge Base Article Q303215, or directly via the Microsoft Download Center page: http://www.microsoft.com/downloads/release.asp?releaseid=31154. Overview HFNetChk is a command line tool used to assess a computer or group of computers for their current security hotfix status. HFNetChk can be launched from an NT4 or greater system, and can report on hotfix status for Windows NT 4.0, Windows 2000, Windows XP, IIS 4, IIS 5, IIS 5.1, Internet Explorer 5.01 and later, SQL Server 7.0 and SQL Server 2000. Support A public newsgroup has been created to support HFNetChk. Please visit microsoft.public.security.hfnetchk on the news.microsoft.com news server. UPDATES AND FIXES IN HFNETCHK 3.3 The following issues have been addressed in the 3.3 release: New Switches: (-u) and (-p) to specify username and password for scanning remote systems. (-f) to write the results to a specified output file. (Note: this will overwrite, not append, data to the specified output file.) (-fh) to specify the name of a file containing NetBIOS machine names to scan. One machine name per line, 256 max per file. (fip) to specify the name of a file containing IP addresses to scan. One IP address per line, 256 max per file. Functional Updates: - It is now possible to scan the local machine when the Server Service has been disabled (or has not been installed.) - A warning message will be presented if the installed product is not running the latest available Service Pack. - IP addresses may be used when executing a scan from a Windows NT 4 system. (Note: remote system IP addresses must resolve to machine names in order for this feature to work from NT4 systems.) - Code has been added that will automatically check to see whether the downloaded mssecure.cab file has been signed by Microsoft. If the downloaded file (mssecure.cab) has been properly signed by Microsoft, HFNetChk will automatically expand the file and will not prompt the user to accept the signed package. - This version will correctly identify .NET server machines and IIS 6.0 machines. (Patches have not been released for these platforms, nor has the XML file been updated with information on these platforms, but the proper product names will now appear in the output.) - If the tool is unable to access the mssecure.cab file from the Microsoft server, it will next try to download the expanded mssecure.xml file from http://www.microsoft.com/technet/security/search/mssecure.xml. If this also fails, HFNetChk will then search the local system for versions of the CAB and XML files. Output: - To enhance performance, tab output (-o tab) is required when scanning more than 255 hosts. - Both MachineName and IPaddress are displayed in wrap and tab output. Format is: MachineName (IPAddress) In instances where either value cannot be resolved from the other, the known value will be displayed in both locations. Enhancements: - Fixed bug where domain controllers were identified as workstations instead of servers. As a result, not all available hotfixes would be displayed when scanning domain controllers. - Results include status on all installed products, even when a given product is up to date on patches. - Text alignment has been enhanced for wrap and tab output. - Enhanced error reporting when access is denied to a machine or there is an error in reading the remote system's registry. - Improved -d domain scanning. - Improved support when scanning workgroups (using -d). - Improved memory management when performing large scans. - Improved recognition for SQL Server 2000 Service Packs. Additional features, such as scanning for Exchange Server or Microsoft Office patches, are being considered for a future release of HFNetChk and are not included in this release. ----- End forwarded message ----- From daniela em ccuec.unicamp.br Wed Jan 23 10:35:51 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 23 Jan 2002 10:35:51 -0200 Subject: [SECURITY-L] Postfix version 1.1 Patch01 Message-ID: <20020123123550.GA6912@ccuec.unicamp.br> ----- Forwarded message from Wietse Venema ----- From: wietse em porcupine.org (Wietse Venema) Subject: Postfix version 1.1 Patch01 To: Postfix announce Cc: Postfix users Date: Tue, 22 Jan 2002 12:20:14 -0500 (EST) X-Mailer: ELM [version 2.4ME+ PL82 (25)] Postfix version 1.1 patch 01 cleans up a lot of documentation, fixes one bug, and adds one safety feature: - Bugfix: postqueue -s dereferenced a null pointer when given a numerical domain argument. - Safety: when postmap creates a non-existent file, the new file inherits group/other read permissions from the source file. At almost 40 kbytes the patch is too large for email distribution. The patch, as well as patched Postfix source code, can be found at ftp://ftp.porcupine.org/ 8588 Jan 22 12:12 postfix-1.1-patch01.gz 152 Jan 22 11:32 postfix-1.1.1.tar.gz.sig 1172858 Jan 22 11:32 postfix-1.1.1.tar.gz 50295 Jan 22 11:31 postfix-1.1.1.RELEASE_NOTES 207060 Jan 22 11:22 postfix-1.1.1.HISTORY Soon to appear on the mirror sites listed on www.postfix.org. Wietse ----- End forwarded message ----- From daniela em ccuec.unicamp.br Wed Jan 23 11:49:42 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 23 Jan 2002 11:49:42 -0200 Subject: [SECURITY-L] Vulnerabilidade de seguranca Message-ID: <20020123134942.GA11244@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 21/01/2002: ----------- Slackware Security Assunto: Security updates: at, sudo, xchat. http://www.security.unicamp.br/docs/bugs/2002/01/v42.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Wed Jan 23 11:54:05 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 23 Jan 2002 11:54:05 -0200 Subject: [SECURITY-L] Boletim de noticias Message-ID: <20020123135405.GA12361@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e redes da Unicamp com os seguintes boletins de noticias e/ou revistas eletronicas: 22/01/2002: ----------- SecurityFocus.com Newsletter #128 Fonte: SecurityFocus.com http://www.security.unicamp.br/docs/informativos/2002/01/b11.txt -- Equipe de Seguranca em Sitemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Thu Jan 24 14:06:02 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Thu, 24 Jan 2002 14:06:02 -0200 Subject: [SECURITY-L] Ataque contra servidores AIX Message-ID: <20020124160602.GA21531@ccuec.unicamp.br> Srs. Administradores, Por favor, leiam esse alerta do CAIS/RNP e atualizem ugentemente as maquinas AIX sob sua responsabilidade. ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- From: Centro de Atendimento a Incidentes de Seguranca Subject: CAIS-Alerta: Ataque contra servidores AIX To: , , Cc: Centro de Atendimento a Incidentes de Seguranca Date: Thu, 24 Jan 2002 13:24:22 -0200 (EDT) -----BEGIN PGP SIGNED MESSAGE----- Prezados, O CAIS foi notificado hoje da realizacao, com sucesso, de dois ataques contra servidores AIX da RNP. Solicitamos a todos os responsaveis por servidores AIX que atualizem seus sistemas e que fiquem alertas a tentativas de invasao. Qualquer atividade suspeita deve ser reportada ao CAIS. Vale ressaltar que em Outubro de 2001 o CAIS publicou um alerta sobre uma serie de vulnerabilidades e ferramentas de ataque envolvendo a plataforma AIX. Recomenda-se fortemente a leitura desse alerta, disponivel em: http://www.rnp.br/cais/alertas/2001/cais-ALR-23082001.html Em anexo esta' o alerta divulgado pela IBM, tratando deste mesmo assunto, disponivel na seguinte url: http://www.cert-rs.tche.br/listas/infoseg/msg00696.html O CAIS possui informacoes suficientes para acreditar que os ataques estao sendo realizados de forma automatizada, o que faz com que as correcoes tenham que ser realizadas *urgentemente*. Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key # ################################################################ Date: Fri, 24 Aug 2001 15:37:02 -0400 From: IBM MSS Advisory Service To: BUGTRAQ em securityfocus.com Subject: IBM AIX Security Notification: Web site defacements - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -----BEGIN PGP SIGNED MESSAGE----- IBM AIX Security Notification Wed, 22 August 2001, 13:50:04 CDT Over the last few days, the IBM AIX Security Team has become aware of a hacker group that has been targeting systems running the AIX operating system, breaking into these systems, and defacing web sites on those systems. The tools being used to accomplish the breakins appear to be those principally written by a Polish hacking crew using the name "Last Stages of Delirium". Similar tools that take advantage of the same vulnerabilities are available from elsewhere, too. We have researched as many as we have been aware of software tools that are being used to see if any of the vulnerabilities have or have not been closed under AIX. So far, we have determined that of all the vulnerabilties these tools exploit have been fixed by IBM, dating back to 1996. APARs for all of the vulnerabilities have been available to customers. Here is a listing of the exploits we know of being used to gain access to AIX systems during the recent attacks and the AIX version numbers and APAR numbers associated with the fix for that version: 1. chatmpvc, mkatmpvc, rmatmpvc 4.3, APAR #IY08128 4.2, APAR #IY08288 2. digest 4.3, APAR #IX74599 4.2, APAR #IX76272 4.1, APAR #IX74457 3. dtaction 4.3, APAR #IY02944 4. dtprintinfo 4.3, APAR #IY06367 4.2, APAR #IY06547 5. ftpd 4.3, APAR #IY04477 4.2, APAR #IX85556 4.1, APAR #IX85555 6. nslookup 4.3, APAR #IY02120 4.3, APAR #IX9909 7. pdnsd Associated product out of service; Customers avised to disable and/or uninstall. 8. rpc.ttdbserverd 4.3, APAR #IX81442 4.2, APAR #IX81441 9. piobe, piomkapqd 4.3, APAR #IY12638 10. portmir 4.3, APAR #IY07832 11. sdrd SP systems only; 4.3, APAR #IX80724 12. setsenv 4.3, APAR #IY08812 13. telnetd E-fix available; 4.3, IY22029 5.1, IY22021 Affected customers are urged to upgrade the level of their AIX operating systems and/or apply the APARs listed above to protect their systems. - - -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.2 iQCVAwUBO4P/ewsPbaL1YgqvAQEiXwP/bwThtsNncjiuH6GWsxCR8NLM+fmGNn9x mk8mSGUOXPzP4o+f1RuGXwxaE6YcEQktcnal5v0VtPnz0u9/Sj6D4nVtsZl+Mh/D IMgz+ndY1NbyMjaNDxmlPAAOOXL2z3InhZ46nylCWzS7dMAnJxtN5WhnsYmkAO5d ReTJOZ3LdzQ= =rJ4O - - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBPFAnLukli63F4U8VAQHcyAP+PkNDg6qr99zHzcUWquoVrP3RT/UL7ROl ndLZFRuSmEcpql/2MQdkuYoC6u7gHS7Y9p+UJq3SpQKWTY1OqYcx7egnZFC8Emsk /zroE/V4X+d3j74KAJEyeiwhkyMg3RsG9KASwVzvL6sW+KimNqb9eHELDtpqpVLW ByLJnZreuwM= =BIdG -----END PGP SIGNATURE----- ----- End forwarded message ----- From daniela em ccuec.unicamp.br Fri Jan 25 14:27:32 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 25 Jan 2002 14:27:32 -0200 Subject: [SECURITY-L] Vulnerabildiades de seguranca Message-ID: <20020125162732.GA7972@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 22/01/2002: ----------- Mandrake Linux Security Update Advisory (MDKSA-2002:008) Assunto: vulnerabilidade de seguranca no package jmcce. http://www.security.unicamp.br/docs/bugs/2002/01/v47.txt Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:015-13) Assunto: vulnerabilidade de seguranca no comando at. http://www.security.unicamp.br/docs/bugs/2002/01/v48.txt Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:014-07) Assunto: vulnerabilidade de seguranca no package OpenLDAP. http://www.security.unicamp.br/docs/bugs/2002/01/v49.txt Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:007-16) Assunto: Updated para kernel 2.4. http://www.security.unicamp.br/docs/bugs/2002/01/v50.txt 24/01/2002: ----------- ALERTA-CAIS: Ataque contra servidores AIX http://www.security.unicamp.br/docs/bugs/2002/01/v43.txt CERT Advisory (CA-2002-02) Assunto: Buffer Overflow in AOL ICQ. http://www.security.unicamp.br/docs/bugs/2002/01/v44.txt Anuncio de seguranca do Conectiva Linux (CLA-2002:457) Assunto: vulnerabilidade no package imap. http://www.security.unicamp.br/docs/bugs/2002/01/v45.txt Security Advisory FreeBSD, Inc. (FreeBSD-SA-02:08) Assunto: race condition during exec may allow local root compromise. http://www.security.unicamp.br/docs/bugs/2002/01/v46.txt 25/01/2002: ----------- ALERTA-CAIS: Vulnerabilidade no AOL ICQ http://www.security.unicamp.br/docs/bugs/2002/01/v51.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Fri Jan 25 14:29:33 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 25 Jan 2002 14:29:33 -0200 Subject: [SECURITY-L] Apache 1.3.23 Released Message-ID: <20020125162933.GB7972@ccuec.unicamp.br> ----- Forwarded message from Jim Jagielski ----- From: Jim Jagielski Subject: [S] [ANNOUNCEMENT] Apache 1.3.23 Released. To: announce em httpd.apache.org Date: Thu, 24 Jan 2002 22:41:15 -0500 Apache 1.3.23 Released The Apache Software Foundation and The Apache Server Project are pleased to announce the release of version 1.3.23 of the Apache HTTP server. This Announcement notes the significant changes in 1.3.23. This version of Apache is principally a bug fix and mod_proxy improvement release. A summary of the bug fixes and major new features is given at the end of this document. We consider Apache 1.3.23 to be the best version of Apache available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family. Apache 1.3.23 is available for download from http://httpd.apache.org/dist/httpd/ Please see the CHANGES_1.3 file in the same directory for a full list of changes. Binary distributions are available from http://httpd.apache.org/dist/httpd/binaries/ The source and binary distributions are also available via any of the mirrors listed at http://www.apache.org/mirrors/ As of Apache 1.3.17, Win32 binary distributions are now based on the Microsoft Installer (.MSI) technology. This change occurred in order to resolve the many problems WinME and Win2K users experienced with the older InstallShield-based installer.exe file. While development continues to make this new installation method more robust, questions should be directed at the news:comp.infosystems.www.servers.ms-windows newsgroup. As of Apache 1.3.12 binary distributions contain all standard Apache modules as shared objects (if supported by the platform) and include full source code. Installation is easily done by executing the included install script. See the README.bindist and INSTALL.bindist files for a complete explanation. Please note that the binary distributions are only provided for your convenience and current distributions for specific platforms are not always available. For an overview of new features introduced after 1.2 please see http://httpd.apache.org/docs/new_features_1_3.html In general, Apache 1.3 offers several substantial improvements over version 1.2, including better performance, reliability and a wider range of supported platforms, including Windows NT and 2000 (which fall under the "Win32" label), OS2, Netware, and TPE threaded platforms. Apache is the most popular web server in the known universe; over half of the servers on the Internet are running Apache or one of its variants. IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have come to trust Apache as a secure and stable server. It must be realized that the current Win32 code has not yet reached the levels of the Unix version, but is of acceptable quality. Win32 stability or security problems do not reflect on the Unix version. Apache 1.3.23 Major changes Security vulnerabilities * None addressed. New features The main new features in 1.3.23 (compared to 1.3.22) are: * HTTP/1.1 support for mod_proxy. * Other mod_proxy improvements. * The new 'FileETag' directive to allow one to build the format of the ETag via runtime directives. * Addition of a 'filter callback' function to enable modules to intercept the output byte stream for dynamic page caching. New features that relate to specific platforms: * Use "httpready" accept filter rather than "dataready" on post 4.1.1-RELEASE versions of FreeBSD. Bugs fixed The following bugs were found in Apache 1.3.22 and have been fixed in Apache 1.3.23: * Fix incorrect "Content-Length" header in the 416 response. * Revert mod_negotation's handling of path_info and query_args to the 1.3.20 behavior (PRs: 8628, 8582, 8538). * Prevent an Apache module from being loaded or added twice due to duplicate LoadModule or AddModule directives. The following bugs relate to specific platforms: * Fixed the access forbidden problem when requesting an empty directory on Netware. * Do not kill the child process when accept() returns ENOBUFS on HPUX 11.* * A default locking mechanism has been defined for Unixware 7.0 and later. -- ----- End forwarded message ----- From daniela em ccuec.unicamp.br Fri Jan 25 14:34:25 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 25 Jan 2002 14:34:25 -0200 Subject: [SECURITY-L] Noticias-CAIS: Safemode.org closes its doors! Message-ID: <20020125163425.GC7972@ccuec.unicamp.br> ----- Forwarded message from "Liliana E. Velasquez Alegre Solha" ----- From: "Liliana E. Velasquez Alegre Solha" Subject: [S] Noticias-CAIS: Safemode.org closes its doors! To: Date: Fri, 25 Jan 2002 08:56:19 -0200 (EDT) Fonte: http://www.safemode.org/ Safemode.org closes its doors! No more defacements will be mirrored on safemode.org. As you know this mirror was mostly run by me, zillion. I have been running safemode for several years now and reached a point where I do no longer appreciate doing it. The defacing scene is evaluating in such a way that in order to keep up with it you require a full team of people willing to take mirrors. This site is sucking up all my free time, energy and has a negative influence on my personal live. In the early beginnings every defacement notification mail was exciting and always special in some kind of way. Also until a year ago the daily amount of defacements where so low that I *appreciated* all of them. Now every morning I open my mailbox with 100-150 emails. Often defacers mail from hacked systems, send mass hacks in 20 separate emails (in order to try and get a bigger record), send fake defacements, send mail bombs etc etc... it all makes me tired and not want to do this anymore. New cyber crime laws have also influenced my decision to stop running this mirror. Running a defacement mirror without breaking any of these laws (if this is possible) requires a lot of discipline and takes away the fun element. I would like to thank all people who have helped me over the years (especially barre and mystakill) and will do my best to keep this site online and available for the public. Regards, zillion ----- End forwarded message ----- From daniela em ccuec.unicamp.br Fri Jan 25 15:46:34 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 25 Jan 2002 15:46:34 -0200 Subject: [SECURITY-L] Boletins de noticias Message-ID: <20020125174634.GA24841@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e redes da Unicamp com os seguintes boletins de noticias e/ou revistas eletronicas: 23/01/2002: ----------- The SANS Weekly Security News Overview (Vol. 4, Num. 04) Fonte: SANS Institute http://www.security.unicamp.br/docs/informativos/2002/01/b12.txt 25/01/2002: ----------- LinuxSecurity Brasil Edição Especial #2002/04 Fonte: Linux Security http://www.security.unicamp.br/docs/informativos/2002/01/b13.html -- Equipe de Seguranca em Sitemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Fri Jan 25 16:28:08 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Fri, 25 Jan 2002 16:28:08 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca (2) Message-ID: <20020125182808.GA1288@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 21/01/2002: ----------- REVISED: Caldera International, Inc. Security Advisory (CSSA-2001-SCO.35.2) Assunto: OpenServer: setcontext and sysi86 vulnerabilities. http://www.security.unicamp.br/docs/bugs/2002/01/v52.txt 24/01/2002: ----------- HP Support Information Digests HPSBTL0201-018: Updated uucp packages available; HPSBTL0201-019: Updated enscript packages available. http://www.security.unicamp.br/docs/bugs/2002/01/v53.txt 25/01/2002: ----------- HP Support Information Digests HPSBUX0201-181: Sec. Vulnerability in IPFilter/9000; HPSBUX0201-180: Sec. Vulnerability with WU-FTP 2.6. http://www.security.unicamp.br/docs/bugs/2002/01/v54.txt SuSE Security Announcement (SuSE-SA:2002:004) Assunto: vulnerabilidade de seguranca no package rsync. http://www.security.unicamp.br/docs/bugs/2002/01/v55.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Tue Jan 29 11:48:00 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 29 Jan 2002 11:48:00 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020129134800.GA8698@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 24/01/2002: ----------- Caldera International, Inc. Security Advisory (CSSA-2001-SCO.2) Assunto: Open UNIX, UnixWare 7: sort creates temporary files insecurely. http://www.security.unicamp.br/docs/bugs/2002/01/v58.txt 25/01/2002: ----------- Anúncio de segurança do Conectiva Linux (CLA-2002:458) Assunto: vulnerabilidade remota no pacote rsync. http://www.security.unicamp.br/docs/bugs/2002/01/v56.txt Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:018-05) Assunto: vulnerabilidade remota no pacote rsync. http://www.security.unicamp.br/docs/bugs/2002/01/v59.txt Slackware Security Assunto: rsync update fixes security problems. http://www.security.unicamp.br/docs/bugs/2002/01/v60.txt 28/01/2002: ----------- Trustix Secure Linux Security Advisory #2002-0025 Assunto: vulnerabilidade remota no pacote rsync. http://www.security.unicamp.br/docs/bugs/2002/01/v61.txt Mandrake Linux Security Update Advisory (MDKSA-2002:009) Assunto: vulnerabilidade remota no pacote rsync. http://www.security.unicamp.br/docs/bugs/2002/01/v62.txt Mandrake Linux Security Update Advisory (MDKSA-2002:010) Assunto: vulnerabilidade remota no pacote enscript. http://www.security.unicamp.br/docs/bugs/2002/01/v63.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Tue Jan 29 14:25:59 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 29 Jan 2002 14:25:59 -0200 Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilidade remota no rsync Message-ID: <20020129162559.GA20608@ccuec.unicamp.br> ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- From: Centro de Atendimento a Incidentes de Seguranca Subject: CAIS-Alerta: Vulnerabilidade remota no rsync To: , Date: Tue, 29 Jan 2002 13:54:42 -0200 (EDT) -----BEGIN PGP SIGNED MESSAGE----- Prezados, O CAIS esta' repassando o alerta RHSA-2002:18-05 que trata de uma vulnerabilidade remota no pacote 'rsync' da distribuicao Red Hat Linux. Outros sistemas tambem sao afetados pelo problema, sendo recomendado fazer a atualizacao oferecida por cada fabricante, se houver. Demais casos devem fazer a atualizacao para a versao 2.5.2, que pode ser obtida atraves da seguinte url: http://rsync.samba.org Por se tratar de uma vulnerabilidade remota o CAIS recomenda que as correcoes sejam realizadas o mais rapidamente possivel. Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key # ################################################################ - --------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory Synopsis: New rsync packages available Advisory ID: RHSA-2002:018-05 Issue date: 2002-01-23 Updated on: 2002-01-25 Product: Red Hat Linux Keywords: rsync signed unsigned daemon Cross references: Obsoletes: - --------------------------------------------------------------------- 1. Topic: New rsync packages are available; these fix a remotely exploitable problem in the I/O functions. It is strongly recommended that all users of rsync upgrade to the fixed packages. 2. Relevant releases/architectures: Red Hat Linux 6.2 - alpha, i386, sparc Red Hat Linux 7.0 - alpha, i386 Red Hat Linux 7.1 - alpha, i386, ia64 Red Hat Linux 7.2 - i386, ia64 3. Problem description: rsync is a powerful tool used for mirroring directory structures across machines. rsync has been found to contain several signed/unsigned bugs in its I/O functions which are remotely exploitable. A remote user can crash the rsync server/client and execute code as the user running the rsync server or client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0048 to this issue. All users of rsync should upgrade their packages. In addition rsync server administrators should consider using the "use chroot", "uid", and "read only" options, which can significantly reduce the impact of a security problem in rsync or elsewhere. Thanks go to Sebastian Krahmer for providing a patch for this vulnerability and to Andrew Tridgell and Martin Pool for their rapid response. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 6. RPMs required: Red Hat Linux 6.2: SRPMS: ftp://updates.redhat.com/6.2/en/os/SRPMS/rsync-2.4.6-0.6.src.rpm alpha: ftp://updates.redhat.com/6.2/en/os/alpha/rsync-2.4.6-0.6.alpha.rpm i386: ftp://updates.redhat.com/6.2/en/os/i386/rsync-2.4.6-0.6.i386.rpm sparc: ftp://updates.redhat.com/6.2/en/os/sparc/rsync-2.4.6-0.6.sparc.rpm Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/rsync-2.4.6-8.src.rpm alpha: ftp://updates.redhat.com/7.0/en/os/alpha/rsync-2.4.6-8.alpha.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/rsync-2.4.6-8.i386.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/rsync-2.4.6-8.src.rpm alpha: ftp://updates.redhat.com/7.1/en/os/alpha/rsync-2.4.6-8.alpha.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/rsync-2.4.6-8.i386.rpm ia64: ftp://updates.redhat.com/7.1/en/os/ia64/rsync-2.4.6-8.ia64.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/rsync-2.4.6-8.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/rsync-2.4.6-8.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/rsync-2.4.6-8.ia64.rpm 7. Verification: MD5 sum Package Name - -------------------------------------------------------------------------- 2bd10eb10e84fadc305ebfc2e264ec2e 6.2/en/os/SRPMS/rsync-2.4.6-0.6.src.rpm b38a1e9912b7e49496cd0550700a0917 6.2/en/os/alpha/rsync-2.4.6-0.6.alpha.rpm 80efc477a6b5c921b663f0de9e599ca2 6.2/en/os/i386/rsync-2.4.6-0.6.i386.rpm 69eef6216061a8f7a1fc81d6c74196e1 6.2/en/os/sparc/rsync-2.4.6-0.6.sparc.rpm 03cb9d0957edc8924c8fb6b5c83b4576 7.0/en/os/SRPMS/rsync-2.4.6-8.src.rpm 546234ec652e9baa9053f8d18ac5f20f 7.0/en/os/alpha/rsync-2.4.6-8.alpha.rpm 7efbc285a01752c893c112373feb0fd8 7.0/en/os/i386/rsync-2.4.6-8.i386.rpm 03cb9d0957edc8924c8fb6b5c83b4576 7.1/en/os/SRPMS/rsync-2.4.6-8.src.rpm 546234ec652e9baa9053f8d18ac5f20f 7.1/en/os/alpha/rsync-2.4.6-8.alpha.rpm 7efbc285a01752c893c112373feb0fd8 7.1/en/os/i386/rsync-2.4.6-8.i386.rpm 38f4d868226a980a1c763bb1ef27805a 7.1/en/os/ia64/rsync-2.4.6-8.ia64.rpm 03cb9d0957edc8924c8fb6b5c83b4576 7.2/en/os/SRPMS/rsync-2.4.6-8.src.rpm 7efbc285a01752c893c112373feb0fd8 7.2/en/os/i386/rsync-2.4.6-8.i386.rpm 38f4d868226a980a1c763bb1ef27805a 7.2/en/os/ia64/rsync-2.4.6-8.ia64.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0048 Copyright(c) 2000, 2001, 2002 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBPFbFyukli63F4U8VAQFSigQArzNkwvPJA8p/Hshd9+uZgyOmmAv2+iTZ 2CuH7DvgaqvlGYfRYceCqaffvcW351Tc4yXP8a0ZZePhT6whGU3dW1DqszxTUSc3 2pyLhAPLEp9iJMw5t2EG1XxgujNj5exivDvpmoWvvoGj86b4Xv1u9jb1xCdf1dEB gyvY65lF70Y= =3Qq5 -----END PGP SIGNATURE----- ----- End forwarded message ----- From daniela em ccuec.unicamp.br Tue Jan 29 14:27:13 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 29 Jan 2002 14:27:13 -0200 Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilidade remota no Snort Message-ID: <20020129162713.GB20608@ccuec.unicamp.br> ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- From: Centro de Atendimento a Incidentes de Seguranca Subject: CAIS-Alerta: Vulnerabilidade remota no Snort To: , Date: Tue, 29 Jan 2002 13:58:04 -0200 (EDT) -----BEGIN PGP SIGNED MESSAGE----- Prezados, O CAIS esta' repassando o alerta da ISS, ISS Alert: Remote Denial of Service Vulnerability in Snort IDS, tratando de uma vulnerabilidade remota no aplicativo Snort. O Snort e' uma ferramenta de deteccao de intrusos - IDS - amplamente utilizada. A vulnerabilidade envolve o envio de pacotes ICMP cujo conteudo foi especialmente montado para gerar uma falha no aplicativo (segmentation fault) resultando em sua desabilitacao temporaria. O exploit que foi disponibilizado demonstra o problema que o Snort tem em gerenciar pacotes ICMP "Echo" e ICMP "Echo-Reply" que possuam menos de 5 bytes de ICMP. A ISS faz duas recomendacoes: a aplicacao de uma correcao no codigo do Snort ou o upgrade utilizando o CVS. A atualizacao do Snort, atraves do CVS, e' mais recomendada, no entanto o Snort pode passar a apresentar problemas de estabilidade, gerando falsos-positivos. A versao do CVS e' atualizada varias vezes por dia e pode apresentar problemas de compilacao e funcionamento. A versao CVS do Snort pode ser econtrada na seguinte url: http://www.snort.org/downloads/snort-daily.tar.gz Os desenvolvedores do Snort estao recomendando que se utilize a versao Snapshot disponivel na seguinte url: http://www.snort.org/downloads/snort-stable-snapshot.tar.gz O CAIS recomenda aos usuarios do Snort que verifiquem a ocorrencia de paradas inesperadas do aplicativo e que facam o upgrade assim que possivel. Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key # ################################################################ - From xforce em iss.net Tue Jan 29 10:52:54 2002 Date: Mon, 28 Jan 2002 16:10:27 -0500 From: X-Force To: alert em iss.net Subject: ISSalert: ISS Alert: Remote Denial of Service Vulnerability in Snort IDS TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo em iss.net Contact alert-owner em iss.net for help with any problems! - --------------------------------------------------------------------------- Internet Security Systems Security Alert January 28, 2002 Remote Denial of Service Vulnerability in Snort IDS Synopsis: Internet Security Systems (ISS) X-Force is aware of a remote Denial of service (DoS) vulnerability present in Marty Roesch^Òs Snort Intrusion Detection System (IDS). It may be possible for remote attackers to send specially crafted ICMP packets to the program, resulting in a segmentation fault that would crash the Snort engine. This attack can be launched from any routable address, and if launched successfully against a Snort-protected network, all IDS functionality may be disabled until Snort is manually restarted. Affected Versions: Marty Roesch Snort Version 1.8.3 and earlier for all supported platforms Description: Snort is an open-source Intrusion Detection System designed to be simple and lightweight. Snort has packet logging, protocol analysis, attack signature matching and recognition capabilities and is maintained by Marty Roesch of Snort.org. An exploit has been published that demonstrates a flaw in the ICMP protocol handling functionality. Snort incorrectly handles ICMP "Echo" and ICMP "Echo-Reply" packets that contain less than 5 bytes of ICMP data. If Snort encounters such a packet, it will crash and exit. Packets that are used to exploit this vulnerability can be sent with the "ping" command that is present on most operating systems. This exploit technique has been publicly documented, and attackers do not need to have access to the target network or possess knowledge of its configuration. Recommendations: ISS X-Force recommends that all Snort users install the vendor-supplied patch immediately or upgrade to the latest version of Snort. To apply a source code patch to your Snort package: 1. Locate the "decode.h" file in your source distribution. 2. Enter the directory containing decode.h. 3. To update your decode.h file, create a file named "decode.diff", containing the following text: - --- olddecode.h Thu Jan 10 15:47:48 2002 +++ decode.h Thu Jan 10 12:15:33 2002 @@ -105,7 +105,7 @@ #define IP_HEADER_LEN 20 #define TCP_HEADER_LEN 20 #define UDP_HEADER_LEN 8 - -#define ICMP_HEADER_LEN 8 +#define ICMP_HEADER_LEN 4 #define TH_FIN 0x01 #define TH_SYN 0x02 4. Apply the source code update using the "patch" command, or a similar utility. 5. Build new binaries and reinstall. To upgrade to the latest version of Snort: Use a CVS client to access the Snort CVS server at "cvs.snort.sourceforge.net" with the following command: cvs -d:pserver:anonymous em cvs.snort.sourceforge.net:/cvsroot/snort login Use a blank password when prompted. cvs -z3 -d:pserver:anonymous em cvs.snort.sourceforge.net:/cvsroot/snort co snort Snort'^Òs default configuration does not have the ability to restat when it crashes. ISS X-Force advises all Snort users to develop this functionality using freely available watchdog process monitors, cronjobs, or shell scripts. For more information about applying source code patches or upgrading Snort, please refer to the "SNORT FAQ" document available at: http://www.snort.org. Additional Information: ISS X-Force Database, http://xforce.iss.net/static/7874.php Marty Roesch Snort, http://www.snort.org Credits: This vulnerability was discovered by Sinbad , and reported to the BugTraq mailing list. ______ About Internet Security Systems (ISS) Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 9,000 customers worldwide including 21 of the 25 largest U.S. commercial banks, the top 10 U.S. telecommunications companies, and all major branches of the U.S. Federal Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477. Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce em iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce em iss.net of Internet Security Systems, Inc. - ------------ Output from pgp ------------ Signature by unknown keyid: 0x7DF5E1BD -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBPFbGk+kli63F4U8VAQF1pgP9EX1Q/5+S++SaQfZobvWOphC53QgxqEsU xnSHPPIGiK2xcReax0UrjPbMNDvcvoimej5SE9FppWHx4VSFRz/jfWMBt4Nu5FA7 u6TNrH30Xu9Hm+PGAzXPRs4Ys0IRkNvSiH3e6GOl/PhBCcqNACFk5NlgHUYup/XA 4zbp9ELNQRM= =g2/o -----END PGP SIGNATURE----- ----- End forwarded message ----- From daniela em ccuec.unicamp.br Tue Jan 29 14:27:53 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Tue, 29 Jan 2002 14:27:53 -0200 Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilidade local no 'exec' do FreeBSD Message-ID: <20020129162752.GC20608@ccuec.unicamp.br> ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- From: Centro de Atendimento a Incidentes de Seguranca Subject: CAIS-Alerta: Vulnerabilidade local no 'exec' do FreeBSD To: , Date: Tue, 29 Jan 2002 14:04:18 -0200 (EDT) -----BEGIN PGP SIGNED MESSAGE----- Prezados, O CAIS esta' repassando o alerta FreeBSD-SA-02:08 que trata de uma vulnerabilidade local existente no 'exec' que pode possibilitar acesso local privilegiado. Todas as versoes de FreeBSD 4.x anteriores a 4.5-RELEASE sao afetadas pelo problema. A versao 4.4-STABLE anterior a data de correcao tambem esta' vulneravel. Recomenda-se fortemente que seja aplicada a devida correcao. Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key # ################################################################ ============================================================================= FreeBSD-SA-02:08 Security Advisory FreeBSD, Inc. Topic: race condition during exec may allow local root compromise Category: core Module: kernel Announced: 2002-01-24 Credits: Logan Gabriel , Robert Watson , Dag-Erling Smørgrav Affects: All released versions of FreeBSD 4.x prior to 4.5-RELEASE. FreeBSD 4.4-STABLE prior to the correction date. Corrected: 2002-01-22 17:22:59 UTC (4-STABLE, RELENG_4) 2002-01-23 23:05:00 UTC (4.4-RELEASE-p4, RELENG_4_4) 2002-01-23 23:05:53 UTC (4.3-RELEASE-p24, RELENG_4_3) FreeBSD only: NO I. Background When a process is started from a set-user-ID or set-group-ID binary, it is marked so that attempts to attach to it with debugging hooks fail. To allow such attachments would allow a user to subvert the process and gain elevated privileges. II. Problem Description A race condition exists in the FreeBSD exec system call implementation. It is possible for a user to attach a debugger to a process while it is exec'ing, but before the kernel has determined that the process is set-user-ID or set-group-ID. All versions of FreeBSD 4.x prior to FreeBSD 4.5-RELEASE are vulnerable to this problem. The problem has been corrected by marking processes that have started but not yet completed exec with an `in-exec' state. Attempts to debug a process in the in-exec state will fail. III. Impact Local users may be able to gain increased privileges on the local system. IV. Workaround None. Do not allow untrusted users to gain access to the local system. V. Solution One of the following: 1) Upgrade your vulnerable FreeBSD system to 4.4-STABLE, or the RELENG_4_3 or RELENG_4_4 security branch, dated after the respective correction date. 2) To patch your present system: a) Download the relevant patch from the following location: [FreeBSD 4.4-STABLE, or RELENG_4_3 and RELENG_4_4 security branches] ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch.asc [FreeBSD 4.3-RELEASE only] ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch.asc b) Verify the detached PGP signature using your PGP utility. c) Execute the following commands as root: # cd /usr/src # patch -p < /path/to/patch Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system. 3) FreeBSD 4.4-RELEASE systems: An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.4-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer em FreeBSD.org is requested so we can improve the process for future advisories. Since this vulnerability involves the FreeBSD kernel which is often locally customized on installed systems, a universal binary upgrade package is not feasible. This package includes a patched version of the GENERIC kernel which should be suitable for use on many systems. Systems requiring a customized kernel must use an alternative solution. During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-02:08/security-patch-exec-02.08.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-02:08/security-patch-exec-02.08.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-exec-02.08.tgz The new kernel is named /kernel.GENERIC to avoid conflict with the default kernel name (``/kernel''). To cause the system to boot automatically with the new kernel, add the following line to /boot/loader.conf: kernel="/kernel.GENERIC" and reboot the system to load the new kernel. The old kernel is still available and can be manually loaded in the boot loader in case of problems. VI. Correction details The following list contains the $FreeBSD$ revision number of the files that were corrected in the FreeBSD source. Path Revision Branch - ------------------------------------------------------------------------- src/sys/conf/newvers.sh RELENG_4_4 1.44.2.17.2.5 RELENG_4_3 1.44.2.14.2.14 src/sys/kern/kern_exec.c RELENG_4 1.107.2.13 RELENG_4_4 1.107.2.8.2.1 RELENG_4_3 1.107.2.5.2.2 src/sys/kern/sys_process.c RELENG_4 1.51.2.3 RELENG_4_4 1.51.2.1.4.1 RELENG_4_3 1.51.2.1.2.1 src/sys/miscfs/procfs/procfs.h RELENG_4 1.32.2.3 RELENG_4_4 1.32.2.2.2.1 RELENG_4_3 1.32.2.1.2.2 src/sys/miscfs/procfs/procfs_ctl.c RELENG_4 1.20.2.2 RELENG_4_4 1.20.2.1.4.1 RELENG_4_3 1.20.2.1.2.1 src/sys/miscfs/procfs/procfs_dbregs.c RELENG_4 1.4.2.3 RELENG_4_4 1.4.2.2.2.1 RELENG_4_3 1.4.2.1.2.1 src/sys/miscfs/procfs/procfs_fpregs.c RELENG_4 1.11.2.3 RELENG_4_4 1.11.2.2.2.1 RELENG_4_3 1.11.2.1.2.1 src/sys/miscfs/procfs/procfs_mem.c RELENG_4 1.46.2.3 RELENG_4_4 1.46.2.2.2.1 RELENG_4_3 1.46.2.1.2.2 src/sys/miscfs/procfs/procfs_regs.c RELENG_4 1.10.2.3 RELENG_4_4 1.10.2.2.2.1 RELENG_4_3 1.10.2.1.2.1 src/sys/miscfs/procfs/procfs_status.c RELENG_4 1.20.2.4 RELENG_4_4 1.20.2.3.4.1 RELENG_4_3 1.20.2.3.2.1 src/sys/miscfs/procfs/procfs_vnops.c RELENG_4 1.76.2.7 RELENG_4_4 1.76.2.5.2.1 RELENG_4_3 1.76.2.3.2.2 src/sys/sys/proc.h RELENG_4 1.99.2.6 RELENG_4_4 1.99.2.5.4.1 RELENG_4_3 1.99.2.5.2.1 - ------------------------------------------------------------------------- VII. References - ------------ Output from pgp ------------ Signature by unknown keyid: 0x73D288A5 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBPFbIH+kli63F4U8VAQHVugQAjxHa7FNenlRmibHxJrOZW4pNxG9HmiSY 9cxRRuv7SmTtk0IL6Z03ILfTn5+c6AGW9xitb+Ff67qOeAJk6wjuTrPTf/7LQ563 wzEMu7DPewTd6NBQDtn1gGV8hCpdRFUsJEg3TGdNLxctjdI2cyC/VbCPHImCgu8S yknCZ1HaFh8= =1sgc -----END PGP SIGNATURE----- ----- End forwarded message ----- From daniela em ccuec.unicamp.br Wed Jan 30 11:10:50 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 30 Jan 2002 11:10:50 -0200 Subject: [SECURITY-L] [murray@FreeBSD.org: 4.5-RELEASE is now available] Message-ID: <20020130131050.GA1377@ccuec.unicamp.br> ----- Forwarded message from Murray Stokely ----- From: Murray Stokely Subject: 4.5-RELEASE is now available To: announce em FreeBSD.org Date: Tue, 29 Jan 2002 19:50:42 -0800 I am very pleased to announce the availability of FreeBSD 4.5-RELEASE, the very latest release on the FreeBSD -STABLE branch of development. Since FreeBSD 4.4 was released in September 2001, we have made hundreds of fixes, updated many system components, made several substantial performance improvements, and addressed a wide variety of security issues. In particular, there have been significant enhancements in the areas of network communications and filesystems. FreeBSD 4.5 contains improvements to the TCP stack to provide better throughput. In addition, TCP performance is aided by larger default buffer sizes. Finally, FreeBSD 4.5 contains new mechanisms to mitigate the effects of TCP Denial of Service attacks. The FFS filesystem benefits from a new directory layout strategy that has demonstrated significantly better performance for operations traversing large directory structures. Various bugs were located and fixed in the FFS and NFS code with the help of a filesystem exercising program originally developed at Apple Computer, Inc. Those users doing fresh installations of FreeBSD should note some changes for newly created filesystems, intended to improve the "out of the box" performance of FreeBSD. In particular, sysinstall(8) now enables Soft Updates (a strategy for improving both performance and reliability of on-disk data structures) for new filesystems it creates and the newfs(8) program will now, by default, create filesystems with larger block sizes. For more information about the most significant changes with this release of FreeBSD, please see the release notes : http://www.FreeBSD.org/releases/4.5R/notes.html Availability ------------ 4.5-RELEASE is available for the i386 and alpha architectures and can be installed directly over the net using the boot floppies or copied to a local NFS/FTP server. We can't promise that all the mirror sites will carry the larger ISO images, but they will at least be available from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ http://ftp.au.freebsd.org/pub/FreeBSD/ ftp://ftp.dk.FreeBSD.org/pub/FreeBSD/ ftp://freebsd.nctu.edu.tw/pub/FreeBSD/ If you can't afford the CDs, are impatient, or just want to use it for evangelism purposes, then by all means download the ISOs, otherwise please continue to support the FreeBSD project by purchasing media from one of our supporting vendors. The following companies have contributed substantially to the development of FreeBSD : FreeBSD Mall, Inc. http://www.freebsdmall.com FreeBSD Services Ltd. http://www.freebsd-services.com Daemon News http://www.bsdmall.com/freebsd1.html Each CD set contains the FreeBSD installation and application package bits for the i386 ("PC") architecture. For a set of distfiles used to build ports in the ports collection, please see the FreeBSD Toolkit, a 6 CD set containing extra bits which no longer fit on the 4 CD set. FreeBSD is also available via anonymous FTP from mirror sites in the following countries: Argentina, Australia, Brazil, Bulgaria, Canada, China, Czech Republic, Denmark, Estonia, Finland, France, Germany, Hong Kong, Hungary, Iceland, Ireland, Israel, Japan, Korea, Lithuania, Latvia, the Netherlands, Poland, Portugal, Romania, Russia, Saudi Arabia, South Africa, Slovak Republic, Slovenia, Spain, Sweden, Taiwan, Thailand, the Ukraine and the United Kingdom. Before trying the central FTP site, please check your regional mirror(s) first by going to: ftp://ftp..FreeBSD.org/pub/FreeBSD Any additional mirror sites will be labeled ftp2, ftp3 and so on. See http://www.freebsd.org/handbook/mirrors-ftp.html for additional information about FreeBSD mirror sites. The FreeBSD installation instructions have recently been significantly enhanced. Chapter 2 of The FreeBSD Handbook, available online at http://www.freebsd.org/handbook/install.html, provides a complete installation walk-through for users new to FreeBSD. Acknowledgments ---------------- Many companies donated equipment, network access, or man-hours to finance the release engineering activities for FreeBSD 4.5, including Compaq, Yahoo!, and The FreeBSD Mall. In addition to myself, the release engineering team for 4.5-RELEASE includes: Robert Watson : Release Engineering John Baldwin : Release Engineering Bruce A. Mah : Release Documentation Steve Price : Package Building Wilko Bulte : Alpha Platform Release Engineering Peter Wemm : Ports Cluster System Administrator Please join me in thanking them for all the hard work which went into making this release. I would also like to thank the FreeBSD Committers , without whom there would be nothing to release, and the many thousands of FreeBSD users world-wide who contributed bug fixes, features and suggestions. Thanks! - Murray ----- End forwarded message ----- From daniela em ccuec.unicamp.br Wed Jan 30 15:28:03 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 30 Jan 2002 15:28:03 -0200 Subject: [SECURITY-L] Maiores explicacoes sobre a vulnerabilidade remota no Snort Message-ID: <20020130172802.GA27409@ccuec.unicamp.br> Pessoal, Recebi essa dica do Rodrigo que pode ser util para os administradores que trabalham com o snort. ----- Forwarded message from focker em feb.unesp.br ----- From: Subject: Res: [SECURITY-L] CAIS-Alerta: Vulnerabilidade remota no Snort Subject: Res: [SECURITY-L] CAIS-Alerta: Vulnerabilidade remota no Snort To: "Daniela Regina Barbetti" Date: Wed, 30 Jan 2002 14:10:04 -0200 (BRST) X-Mailer: Servidor WebMail v FEB Cara Daniela, Esta vulnerabilidade apenas ocorre se voce utilizar implicitamente a opcao -d do snort e tambem fizer uso de logs no formato ASCII. Gostaria de lembrar que estas nao sao as atitudes default do snort, sendo assim o problema nao se torna tao grave, principalmente a nivel de se ter de atualizar por uma versao em testes (disponivel no CVS). Desde ja agradeco, Rodrigo Rubira Branco Gerente de Seguranca Firewalls Security Corporation -- Mensagem Original -- De: Daniela Regina Barbetti Para: security-l em unicamp.br Enviar: 29-01-2002 Assunto: [SECURITY-L] CAIS-Alerta: Vulnerabilidade remota no Snort ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- From: Centro de Atendimento a Incidentes de Seguranca Subject: CAIS-Alerta: Vulnerabilidade remota no Snort To: , Date: Tue, 29 Jan 2002 13:58:04 -0200 (EDT) -----BEGIN PGP SIGNED MESSAGE----- Prezados, O CAIS esta' repassando o alerta da ISS, ISS Alert: Remote Denial of Service Vulnerability in Snort IDS, tratando de uma vulnerabilidade remota no aplicativo Snort. O Snort e' uma ferramenta de deteccao de intrusos - IDS - amplamente utilizada. A vulnerabilidade envolve o envio de pacotes ICMP cujo conteudo foi especialmente montado para gerar uma falha no aplicativo (segmentation fault) resultando em sua desabilitacao temporaria. O exploit que foi disponibilizado demonstra o problema que o Snort tem em gerenciar pacotes ICMP "Echo" e ICMP "Echo-Reply" que possuam menos de 5 bytes de ICMP. A ISS faz duas recomendacoes: a aplicacao de uma correcao no codigo do Snort ou o upgrade utilizando o CVS. A atualizacao do Snort, atraves do CVS, e' mais recomendada, no entanto o Snort pode passar a apresentar problemas de estabilidade, gerando falsos-positivos. A versao do CVS e' atualizada varias vezes por dia e pode apresentar problemas de compilacao e funcionamento. A versao CVS do Snort pode ser econtrada na seguinte url: http://www.snort.org/downloads/snort-daily.tar.gz Os desenvolvedores do Snort estao recomendando que se utilize a versao Snapshot disponivel na seguinte url: http://www.snort.org/downloads/snort-stable-snapshot.tar.gz O CAIS recomenda aos usuarios do Snort que verifiquem a ocorrencia de paradas inesperadas do aplicativo e que facam o upgrade assim que possivel. Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key # ################################################################ - From xforce em iss.net Tue Jan 29 10:52:54 2002 Date: Mon, 28 Jan 2002 16:10:27 -0500 From: X-Force To: alert em iss.net Subject: ISSalert: ISS Alert: Remote Denial of Service Vulnerability in Snort IDS TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo em iss.net Contact alert-owner em iss.net for help with any problems! - --------------------------------------------------------------------------- Internet Security Systems Security Alert January 28, 2002 Remote Denial of Service Vulnerability in Snort IDS Synopsis: Internet Security Systems (ISS) X-Force is aware of a remote Denial of service (DoS) vulnerability present in Marty Roesch^Òs Snort Intrusion Detection System (IDS). It may be possible for remote attackers to send specially crafted ICMP packets to the program, resulting in a segmentation fault that would crash the Snort engine. This attack can be launched from any routable address, and if launched successfully against a Snort-protected network, all IDS functionality may be disabled until Snort is manually restarted. Affected Versions: Marty Roesch Snort Version 1.8.3 and earlier for all supported platforms Description: Snort is an open-source Intrusion Detection System designed to be simple and lightweight. Snort has packet logging, protocol analysis, attack signature matching and recognition capabilities and is maintained by Marty Roesch of Snort.org. An exploit has been published that demonstrates a flaw in the ICMP protocol handling functionality. Snort incorrectly handles ICMP "Echo" and ICMP "Echo-Reply" packets that contain less than 5 bytes of ICMP data. If Snort encounters such a packet, it will crash and exit. Packets that are used to exploit this vulnerability can be sent with the "ping" command that is present on most operating systems. This exploit technique has been publicly documented, and attackers do not need to have access to the target network or possess knowledge of its configuration. Recommendations: ISS X-Force recommends that all Snort users install the vendor-supplied patch immediately or upgrade to the latest version of Snort. To apply a source code patch to your Snort package: 1. Locate the "decode.h" file in your source distribution. 2. Enter the directory containing decode.h. 3. To update your decode.h file, create a file named "decode.diff", containing the following text: - --- olddecode.h Thu Jan 10 15:47:48 2002 +++ decode.h Thu Jan 10 12:15:33 2002 @@ -105,7 +105,7 @@ #define IP_HEADER_LEN 20 #define TCP_HEADER_LEN 20 #define UDP_HEADER_LEN 8 - -#define ICMP_HEADER_LEN 8 +#define ICMP_HEADER_LEN 4 #define TH_FIN 0x01 #define TH_SYN 0x02 4. Apply the source code update using the "patch" command, or a similar utility. 5. Build new binaries and reinstall. To upgrade to the latest version of Snort: Use a CVS client to access the Snort CVS server at "cvs.snort.sourceforge.net" with the following command: cvs -d:pserver:anonymous em cvs.snort.sourceforge.net:/cvsroot/snort login Use a blank password when prompted. cvs -z3 -d:pserver:anonymous em cvs.snort.sourceforge.net:/cvsroot/snort co snort Snort'^Òs default configuration does not have the ability to restat when it crashes. ISS X-Force advises all Snort users to develop this functionality using freely available watchdog process monitors, cronjobs, or shell scripts. For more information about applying source code patches or upgrading Snort, please refer to the "SNORT FAQ" document available at: http://www.snort.org. Additional Information: ISS X-Force Database, http://xforce.iss.net/static/7874.php Marty Roesch Snort, http://www.snort.org Credits: This vulnerability was discovered by Sinbad , and reported to the BugTraq mailing list. ______ About Internet Security Systems (ISS) Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 9,000 customers worldwide including 21 of the 25 largest U.S. commercial banks, the top 10 U.S. telecommunications companies, and all major branches of the U.S. Federal Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477. Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce em iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce em iss.net of Internet Security Systems, Inc. - ------------ Output from pgp ------------ Signature by unknown keyid: 0x7DF5E1BD -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBPFbGk+kli63F4U8VAQF1pgP9EX1Q/5+S++SaQfZobvWOphC53QgxqEsU xnSHPPIGiK2xcReax0UrjPbMNDvcvoimej5SE9FppWHx4VSFRz/jfWMBt4Nu5FA7 u6TNrH30Xu9Hm+PGAzXPRs4Ys0IRkNvSiH3e6GOl/PhBCcqNACFk5NlgHUYup/XA 4zbp9ELNQRM= =g2/o -----END PGP SIGNATURE----- ----- End forwarded message ----- _______________________________________________ SECURITY-L mailing list http://obelix.unicamp.br/mailman/listinfo/security-l ---------------------------------------------------------- FEB Webmail Linux - Apache - PHP - NOCC ---------------------------------------------------------- ----- End forwarded message ----- From daniela em ccuec.unicamp.br Wed Jan 30 15:28:33 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 30 Jan 2002 15:28:33 -0200 Subject: [SECURITY-L] CERT Incident Note IN-2002-01 Message-ID: <20020130172833.GB27409@ccuec.unicamp.br> ----- Forwarded message from Cristine Hoepers ----- From: Cristine Hoepers Subject: [S] CERT Incident Note IN-2002-01 To: seguranca em pangeia.com.br Date: Wed, 30 Jan 2002 11:20:44 -0200 X-Mailer: Mutt 1.0.1i [http://www.cert.org/incident_notes/IN-2002-01.html] CERT® Incident Note IN-2002-01 The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community. W32/Myparty Malicious Code Release Date: January 28, 2002 A complete revision history can be found at the end of this file. Systems Affected Systems running Microsoft Windows Overview "W32/Myparty" is malicious code written for the Windows platform that spreads as an email file attachment. The malicious code makes use of social engineering to entice a user to execute it. The W32/Myparty payload is non-destructive. As of 16:00 EST (UTC-0500) January 28, 2002 the CERT/CC has received reports of W32/Myparty from several dozen individual sites. I. Description Analysis of the W32/Myparty malicious code indicates that it is a Windows binary spreading via an email message with the following characteristics: SUBJECT: new photos from my party! BODY: Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks! ATTACHMENT: www.myparty.yahoo.com The attached file name containing the malicious code, www.myparty.yahoo.com, was carefully chosen to entice the email recipient to open and (in most email clients) run the attachment. This social engineering exploits the fact that .com is both an executable file extension in Windows and a top-level domain (TLD). We have seen two variants of www.myparty.yahoo.com as follows: Filename = www.myparty.yahoo.com MD5 checksum = 43fc3f274372f548b7e6c14af45e0746 File size = 30172 Filename = www.myparty.yahoo.com MD5 checksum = 221c47432e70b049fce07a6ca85ca7dd File size = 29701 Both files take the same actions when executed: * the file msstask.exe is created in the current user's profile Startup folder (\Start Menu\Programs\Startup) and is immediately executed. It will also be executed every time the Windows user logs into the system. Filename = msstask.exe MD5 checksum = cda312b5364bbaddcd2c2bf3ceb4e6cd File size = 6144 * on Windows 9x computers, a copy of www.myparty.yahoo.com is written to C:\Recycled\REGCTRL.EXE. On Windows NT computers, this copy is placed in either C:\REGCTRL.EXE or a newly created random directory in the C:\Recycled folder. This copy is subsequently executed. * an email message is sent to a predefined address with a subject line of the folder where the W32/Myparty malicious code was stored on the victim machine. When sending this message, W32/Myparty will use the SMTP statement HELO HOST when identifying itself to the SMTP server. * the current user's default SMTP server is retrieved from the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001 * the hard drive is scanned for Windows Address Book (.WAB) files and Outlook Express inboxes and folders (.DBX) in order to harvest email addresses. * copies of the malicious code are emailed to all the email addresses it could find. Outside analysis indicates that this final step of mass mailing may be time-dependant. The code may only send itself if the clock on the victim machine is set to January 25-29. It is the experience of the CERT/CC that variants of malicious code often occur, so this time-trigger may not apply. Other outside analysis also indicates that the default web browser may be launched to a particular URL under certain circumstances. II. Impact W32/Myparty may cause the default web browser to run unexpectedly. Likewise, the victim and targeted sites may experience an increased load on the mail server when the malicious code is propagating. III. Solution Run and maintain an anti-virus product It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and recover from W32/Myparty. A list of vendor-specific anti-virus information can be found in Appendix A. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available. Exercise caution when opening attachments Exercise caution when receiving email with attachments. Users should be suspicious of unexpected attachments regardless of their origin. In general, users should also always scan files received through email with an anti-virus product. The following section of the "Home Network Security" document provides advice on handling email attachments securely: http://www.cert.org/tech_tips/home_networks.html#IV-A-4 Filter the email or use a firewall Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or they can filter all attachments. Appendix A. - Vendor Information Aladdin Knowledge Systems http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10102 Central Command, Inc. http://support.centralcommand.com/cgi-bin/command.cfg/php/e nduser/std_adp.php?p_refno=020128-000003 Command Software Systems http://www.commandsoftware.com/virus/myparty.html Computer Associates http://www3.ca.com/solutions/collateral.asp?CT=65&ID=1323 F-Secure Corp http://www.datafellows.com/v-descs/myparty.shtml McAfee http://vil.mcafee.com/dispVirus.asp?virus_k=99332& Norman Data Defense Systems http://www.norman.com/virus_info/w32_myparty_a_mm.shtml Panda Software http://service.pandasoftware.es/servlet/panda.pandaInternet .EntradaDatosInternet? operacion=EV2FichaVirus&pestanaFicha=0&idioma=1&nombreVirus Ficha=W32/Myparty em MM Proland Software http://www.pspl.com/virus_info/worms/myparty.htm Sophos http://www.sophos.com/virusinfo/analyses/w32mypartya.html Symantec http://securityresponse.symantec.com/avcenter/venc/data/pf/ w32.myparty em mm.html Trend Micro http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VN ame=WORM_MYPARTY.A You may wish to visit the CERT/CC's Computer Virus Resources Page located at: http://www.cert.org/other_sources/viruses.html _________________________________________________________________ Authors: Roman Danyliw, Allen Householder ______________________________________________________________________ ______________________________________________________________________ This document is available from: http://www.cert.org/incident_notes/IN-2002-01.html ______________________________________________________________________ CERT/CC Contact Information Email: cert em cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History Jan 28, 2002: Initial release Jan 29, 2002: Modified feedback link ----- End forwarded message ----- From daniela em ccuec.unicamp.br Wed Jan 30 16:17:50 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Wed, 30 Jan 2002 16:17:50 -0200 Subject: [SECURITY-L] Vulnerabilidades de seguranca Message-ID: <20020130181750.GA7336@ccuec.unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 28/01/2002: ----------- CERT Incident Note IN-2002-01 Assunto: W32/Myparty Malicious Code http://www.security.unicamp.br/docs/bugs/2002/01/v68.txt 29/01/2002: ----------- Cisco Security Advisory Assunto: Cisco CatOS Telnet Buffer Vulnerability. http://www.security.unicamp.br/docs/bugs/2002/01/v67.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From daniela em ccuec.unicamp.br Thu Jan 31 15:18:57 2002 From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti) Date: Thu, 31 Jan 2002 15:18:57 -0200 Subject: [SECURITY-L] CAIS-Pub: NIST Windows 2000 security draft released Message-ID: <20020131171857.GC18683@ccuec.unicamp.br> ----- Forwarded message from "Liliana E. Velasquez Alegre Solha" ----- From: "Liliana E. Velasquez Alegre Solha" Subject: [S] CAIS-Pub: NIST Windows 2000 security draft released To: Date: Thu, 31 Jan 2002 12:31:02 -0200 (EDT) Prezados, Nesta semana, o NIST divulgou mais um guia de seguranca muito interessante, desta vez tratando de sistemas Windows 2000 Professional. Ele pode ser acessado a partir de: http://csrc.nist.gov/itsec/guidance_W2Kpro.html Em anexo, uma noticia relacionada. Um abraco, Nina CAIS/RNP -------------------------------------------------------------- http://www.fcw.com/fcw/articles/2002/0128/web-nist-01-30-02.asp By Diane Frank Jan. 30, 2002 The National Institute of Standards and Technology's security center on Jan. 28 released its draft guide for system administrators to secure Microsoft Corp.'s Windows 2000 Professional and many of the common applications that run on the operating system. The NIST Computer Security Resource Center's package, "System Administration Guidance for Windows 2000 Professional," is intended to describe a recommended process for securing Windows 2000 systems and networks. It includes configuration guides, checklists and templates for applications such as Web browsers, antivirus software and e-mail clients. The guidance is not intended to provide the final word on Windows security for agency systems administrators, and the center makes it very clear on its Web site and in the guide that agencies should not implement any of the recommended settings without first testing them within the agency's network. "This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns," the security center's site states. The center developed the guidance in collaboration with the National Security Agency, which has released several configuration guides for commercial products, including Windows NT and 2000. NIST serves as the primary technical security resources for civilian agencies under the Computer Security Act of 1987. ----- End forwarded message -----