SecurityFocus Newsletter #230
------------------------------
I. FRONT AND CENTER
-------------------
1. Checklist for Deploying an IDS
By Andy Cuff
The scope of this article considers the worst case scenario, that of
deploying a Network IDS on a remote network (target). The introduction of
an IDS into an organization's network can be sensitive and often has
political implications with the network staff, and thus a checklist
written from the perspective of an outside consultant (even if the IDS is
deployed internally) that appeases all parties can be useful to ensure a
successful implementation.
http://www.securityfocus.com/infocus/1754
II. BUGTRAQ SUMMARY
-------------------
1. GNU Indent Local Heap Overflow Vulnerability
BugTraq ID: 9297
Remote: No
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9297
Summary:
GNU Indent is an application used to improve the syntax of C, making it
easier to read source code.
An overflow condition has been identified in the software that may allow
an attacker to execute arbitrary code on a vulnerable system.
The issue has been reported to exist in the handle_token_colon() function
of the software. The problem is reported to present itself when the
application attempts to parse a C source file (*.c). It has been
reported that indent copies data from the file to a 1000 byte long buffer
without sufficient boundary checking. A heap overflow condition may be
triggered, potentially causing heap memory management structures to be
corrupted. This can result in critical memory being overwritten and,
ultimately, code execution with the privileges of the user running indent.
GNU Indent version 2.2.9 has been reported to be prone to this issue;
however, other versions may be affected as well.
2. Surfboard httpd Remote Buffer Overflow Vulnerability
BugTraq ID: 9299
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9299
Summary:
Surfboard is a freely available web server implementation for Unix/Linux
variants.
A vulnerability has been identified in Surfboard web server when handling
certain URL requests. Because of this, it may be possible for a remote
attacker to gain unauthorized access to a system running the vulnerable
software. The condition is present due to insufficient boundary checking.
The issue presents itself when an attacker sends a specially crafted URL
request with more than 1024 characters to the server daemon. Immediate
consequences of an attack may result in a denial of service condition.
An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access, however, this has not been confirmed at the moment.
Surfboard version 1.1.9 has been reported to be prone to this issue,
however, other versions may be affected as well.
3. OpenBB Index.PHP Remote SQL Injection Vulnerability
BugTraq ID: 9300
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9300
Summary:
OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.
A problem with the software may make it possible for remote users to
modify database query logic.
It has been reported that OpenBB does not properly check input passed via
the 'CID' parameter of 'index.php' script. Because of this, it may be
possible for a remote user to inject malicious arbitrary SQL queries in
the context of the database user for the bulletin board software. The
consequences of successful exploitation will vary depending on the
underlying database implementation, but may allow for disclosure of
sensitive information such as administrator passwords or remote compromise
of the bulletin board or database itself.
OpenBB 1.06 has been reported to be prone to this issue; however, other
versions could be affected as well.
This issue may be related to BID 7401.
4. Web Merchant Services Storefront Shopping Cart login.asp SQL...
BugTraq ID: 9301
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9301
Summary:
Storefront shopping cart is web-based shopping cart software. It is
written in ASP.
A vulnerability has been reported to exist in the software that may allow
a remote user to inject malicious SQL syntax into database queries. The
problem is reported to exist due to insufficient sanitization of
user-supplied data in the 'login.asp' script. A remote attacker may
exploit this issue to influence SQL query logic to disclose sensitive
information that could be used to gain unauthorized access. It has been
reported that an attacker may be able to login with '=' as a username and
password.
A malicious user may influence database queries in order to view or modify
sensitive information potentially compromising the software or the
database.
Specific vulnerable versions were not identified in the report, therefore
it is being assumed that the current version Storefront shopping cart 5.0
is vulnerable to this issue.
5. Apache mod_php Module File Descriptor Leakage Vulnerability
BugTraq ID: 9302
Remote: No
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9302
Summary:
Apache is a freely available, open source web server software package. It
is distributed and maintained by the Apache Group. Mod_PHP is an Apache
module which allows for PHP functionality in websites.
A vulnerability has been reported to exist in the Apache mod_php module
that may allow local attackers to gain access to privileged file
descriptors. This issue could be exploited by an attacker to hijack a
vulnerable server daemon.
It has been reported that the file descriptor associated with the socket
listening on port 443, normally used for Secure Sockets Layer (SSL), is
leaked to the mod_php module and any processes it creates. This allows
for scripts and any processes they spawn to access the privileged port.
This issue may allow an attacker to pose as a legitimate server to
clients. An attacker may also steal sensitive information such as user
credentials and other authentication information.
6. OpenBB Board.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 9303
Remote: Yes
Date Published: Dec 27 2003
Relevant URL: http://www.securityfocus.com/bid/9303
Summary:
OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.
OpenBB is prone to a cross-site scripting vulnerability in the 'board.php'
script. The source of the problem is that HTML and script code are not
adequately sanitized from input supplied via the 'FID' URI parameter. This
input will be included in dynamically generated web pages. A remote
attacker could exploit this issue by embedding hostile HTML and script
code in a malicious link to the vulnerable script. The attacker-supplied
code will be rendered in the browser of an unsuspecting user who follows
the link; code execution would occur in the context of the site hosting
the vulnerable software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
It should be noted that although this vulnerability has been reported to
affect OpenBB 1.06, other versions might also be affected.
7. LANDesk Software LANDesk Management Suite IRCBoot.DLL Active...
BugTraq ID: 9304
Remote: Yes
Date Published: Dec 27 2003
Relevant URL: http://www.securityfocus.com/bid/9304
Summary:
LANDesk Management Suite provides for the automation of systems management
tasks for remotely controlled systems.
A problem has been identified in the handling of some types of requests by
ActiveX controls installed with LANDesk Management Suite. Because of this,
it may be possible for an attacker to execute arbitrary code on a
vulnerable host.
The problem is in the handling of strings by the SetClientAddress()
function. SetClientAddress() is implemented in IRCRBOOT.DLL with
insufficient bounds checking. By supplying a string of excessive length to
the function, it is possible to force the overwriting of sensitive process
memory with attacker-supplied values.
A web page containing the CLSID of the vulnerable ActiveX control and a
malicious string passed as an argument to the affected function, could
potentially exploit this issue to execute code with the privileges of the
browser user.
It should be noted that although this vulnerability has been reported to
affect LANDesk Management Suite version 7.0 and previous versions, other
versions might also be affected.
8. PHP-Nuke Survey Module SQL Injection Vulnerability
BugTraq ID: 9305
Remote: Yes
Date Published: Dec 27 2003
Relevant URL: http://www.securityfocus.com/bid/9305
Summary:
PHP-Nuke is a popular web based Portal system. It allows users to create
accounts and contribute content to the site.
A vulnerability has been reported to exist in PHP-Nuke that may allow a
remote attacker to inject malicious SQL syntax into database queries. The
source of this issue is insufficient sanitization of user-supplied input.
The problem is reported to exist in the $pollID variable contained within
the Survey module. It has been reported that $pollID is not sanitized for
user-supplied input before it is included in database queries. A remote
attacker may exploit this issue to influence SQL query logic.
A malicious user may influence database queries in order to view or modify
sensitive information, potentially compromising the software or the
database.
PHP-Nuke version 7.0 FINAL has been reported to be prone to this issue,
however other versions may be affected as well.
9. L-Soft Listserv Multiple Cross-Site Scripting Vulnerabilitie...
BugTraq ID: 9307
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9307
Summary:
Listserv is a publicly available multi-platform application used to manage
mailing lists.
Multiple cross-site scripting vulnerabilities have been reported in L-Soft
Listserv.
The following programs were reported to be affected:
WA-MSD.EXE
WA-USIAINFO.EXE
WA-DEMO.EXE
The cause of these vulnerabilities is insufficient sanitization of input
supplied via URI parameters, which is later included in dynamically
generated web pages. An attacker may exploit these issues by embedding
hostile HTML and script code in a link to a site hosting the software. If
the link is visited by an unsuspecting user, the attacker-supplied code
would be rendered in the context of the site hosting the software. This
could permit theft of cookie-based authentication credentials or other
attacks. These issues could also provide an attack vector for latent
vulnerabilities in web browser software.
10. Private Message System index.php Page Parameter Cross-Site S...
BugTraq ID: 9308
Remote: Yes
Date Published: Dec 27 2003
Relevant URL: http://www.securityfocus.com/bid/9308
Summary:
Private Message System is a web-based chat application that is implemented
in PHP.
Private Message System is prone to a cross-site scripting vulnerability.
The vulnerability exists in the 'index.php' script and is due to
insufficient sanitization of input supplied via the 'page' URI parameter.
This issue may be exploited by creating a malicious link to a site hosting
the software with hostile HTML and script code embedded in URI parameters.
If the link is followed, the attacker-supplied code may be rendered in the
victim user's browser. This would occur in the security context of the
site hosting the software.
Possible consequences of exploitation include theft of cookie-based
authentication credentials or using the issue as an attack vector to
exploit latent web browser security flaws.
11. php-ping Count Parameter Command Execution Vulnerability
BugTraq ID: 9309
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9309
Summary:
php-ping is a ping script written in PHP.
A vulnerability has been reported in php-ping that may allow remote
attackers to execute commands on vulnerable systems.
The vulnerability exists in the php-ping.php script file. Specifically,
the variable 'count' is not properly sanitized of shell metacharacters.
Input supplied to this variable will be interpreted in the shell when the
ping program is invoked by php-ping. An attacker can exploit this
vulnerability by executing the php-ping script and including malicious
shell metacharacters and commands as a value for the 'count' parameter.
Exploitation would permit a remote attacker to execute arbitrary commands
with the privileges of the web server hosting the vulnerable software.
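The defect described above is the classic shell-metacharacter injection pattern: a request parameter is concatenated into a command line that a shell then interprets. The following is an added example, not php-ping's own code (which is PHP), written in Python to show the two controls a defender wants for this class of bug: allow-list validation of 'count' and 'host' followed by invoking ping as an argv list with no shell, and a scan of web-server access logs for php-ping.php requests whose 'count' value is not a plain integer. The access log lines, the '/php-ping.php' path and the query parameter names are constructed for the example.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Allow-list both inputs: a small positive integer for the count and a
# conservative hostname/IPv4 character set for the target (IPv6 is not
# covered by this pattern; extend it if needed).
COUNT_RE = re.compile(r"^[1-9][0-9]{0,2}$")                     # 1..999
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,252})$")   # no leading '-'


def is_valid_count(raw):
    return bool(COUNT_RE.match(raw))


def is_valid_host(raw):
    # A leading '-' is refused so the value can never be parsed as a ping option.
    return bool(HOST_RE.match(raw))


def build_ping_argv(host, count):
    """Return the argv list for ping. Each value is exactly one argument and no
    shell is involved, so ';', '|', backticks and '$(...)' have no meaning."""
    if not is_valid_count(count):
        raise ValueError(f"invalid count: {count!r}")
    if not is_valid_host(host):
        raise ValueError(f"invalid host: {host!r}")
    return ["ping", "-c", count, host]


def run_ping(host, count, timeout=30):
    """Run ping without shell=True and return the CompletedProcess."""
    return subprocess.run(build_ping_argv(host, count),
                          capture_output=True, text=True, timeout=timeout)


# Constructed Common Log Format lines for a hypothetical php-ping.php
# deployment; the second request carries a percent-encoded ';' in 'count'.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [29/Dec/2003:10:01:02 -0800] "GET /php-ping.php?host=10.0.0.1&count=4 HTTP/1.0" 200 512
10.0.0.9 - - [29/Dec/2003:10:02:07 -0800] "GET /php-ping.php?host=10.0.0.1&count=4%3Bls HTTP/1.0" 200 640
10.0.0.7 - - [29/Dec/2003:10:03:11 -0800] "GET /index.php?page=1 HTTP/1.0" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_ping_requests(log_text):
    """Scan access-log lines for php-ping.php requests whose 'count' value is
    not a plain integer after URL decoding. Returns (client_ip, count) pairs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/php-ping.php"):
            continue
        # parse_qs percent-decodes, so "%3B" is seen as ";" here.
        for value in parse_qs(url.query, keep_blank_values=True).get("count", []):
            if not is_valid_count(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    print(build_ping_argv("10.0.0.1", "4"))
    print(suspicious_ping_requests(SAMPLE_ACCESS_LOG))
```

The validation is deliberately an allow-list rather than a list of forbidden characters: escaping metacharacters for one shell is fragile, whereas refusing anything that is not a short decimal number leaves nothing for the shell to interpret, and passing an argv list removes the shell altogether.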
12. MiniBB Profile Website Name HTML Injection Vulnerability
BugTraq ID: 9310
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9310
Summary:
miniBB is web forum software. It is written in PHP and will run on most
Unix and Linux variants as well as Microsoft Windows operating systems.
miniBB is prone to an HTML injection vulnerability. The vulnerability
exists in the 'bb_edit_prf.php' script but is exposed via the
'bb_func_usernfo.php' script, which provides the interface for editing
user profiles. The source of the issue is that 'bb_func_usernfo.php' does
not sufficiently sanitize input supplied via the 'website name' field of
user profiles. This issue could permit registered users to inject hostile
HTML and script code into the 'website name' field of their user profile,
which would be rendered by other web users when the user profile is
viewed.
This could be exploited to steal cookie-based authentication credentials.
It is also possible to use this type of vulnerability as an attack vector
to exploit latent browser security flaws.
13. BulletScript MailList bsml.pl Information Disclosure Vulnera...
BugTraq ID: 9311
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9311
Summary:
BulletScript MailList is a cgi script used to handle mailing lists.
A vulnerability has been reported to exist in the software that may allow
remote attackers to gain access to sensitive information. The issue is
reported to be present in the bsml.pl script. An attacker may be able to
disclose sensitive information by gaining unauthorized access to the
script. Successful attacks may allow an attacker to gain access to the
control panel and/or the subscribers of a mailing list by passing
arbitrary values to the 'action' parameter. Information gathered via
these attacks may aid an attacker in mounting further attacks against a
vulnerable system and the affected users.
Due to a lack of information, further details cannot be outlined at the
moment. This BID will be updated as more information becomes available.
14. Sygate Personal Firewall DLL Authentication Bypass Vulnerabi...
BugTraq ID: 9312
Remote: No
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9312
Summary:
Sygate Personal Firewall is a personal firewall application for Microsoft
Windows operating systems. Sygate Personal Firewall supports an Enable
DLL authentication option designed to prompt the user every time a DLL
that has not been previously authorized is loaded by an application that
has been authorized to access the Internet.
A vulnerability has been reported to affect Sygate Personal Firewall that
may allow a user to bypass DLL authentication controls. The issue has been
reported to present itself in the routines that are used to enforce DLL
authentication. These routines unsafely assume that all DLL libraries will
be loaded with LoadLibraryA() or LoadLibraryW() calls; if a DLL is loaded
with a custom Portable Executable loader, for example the loaders used in
packing utilities, DLL authentication controls can be bypassed.
A local attacker may exploit this condition to bypass Sygate Personal
Firewall DLL authentication controls. It should be noted that this
vulnerability might also be leveraged by malicious applications to bypass
firewall access controls.
15. Microsoft IIS Failure To Log Undocumented TRACK Requests Vul...
BugTraq ID: 9313
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9313
Summary:
Microsoft IIS is a web server implementation for Microsoft Windows
systems. It has been reported that Microsoft IIS ships with support for an
undocumented 'TRACK' HTTP request. 'TRACK' functions in a similar manner
to the 'TRACE' HTTP request.
A vulnerability has been reported to affect Microsoft IIS. It has been
reported that IIS fails to log HTTP TRACK requests made to the affected
server. A remote attacker may exploit this condition in order to enumerate
server banners in a covert manner; these scans will not be logged and may
go unnoticed by the server administrator. Additionally it has been
reported that an attacker may potentially leverage this condition to
exhaust resources on the affected server by invoking multiple successive
TRACK requests in a bid to deny service to legitimate users. Other
attacks, for example XST attacks, might also be possible.
It should be noted that while this vulnerability has been reported to
affect Microsoft IIS 5.0, earlier versions might also be affected.
16. phpBB GroupCP.PHP SQL Injection Vulnerability
BugTraq ID: 9314
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9314
Summary:
phpBB is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.
A vulnerability has been reported to exist in the software that may allow
a remote user who has group moderator privileges to inject malicious SQL
syntax into database queries. The problem reportedly exists in the $sql_in
parameter of the groupcp.php script. This issue is caused by insufficient
sanitization of user-supplied data. A remote attacker may exploit this
issue to influence SQL query logic to have unauthorized SQL queries
executed in the database.
A malicious user may influence database queries in order to view or modify
sensitive information potentially compromising the software or the
database.
17. John Sage ACK_hole01 Potential Remote Heap Buffer Overrun Vu...
BugTraq ID: 9315
Remote: Yes
Date Published: Dec 28 2003
Relevant URL: http://www.securityfocus.com/bid/9315
Summary:
John Sage ACK_hole01 is a TCP/IP network data sink for Unix and Linux
platforms.
ACK_hole01 has been reported prone to a remote heap overrun vulnerability.
The issue presents itself because the size_t integer variable 'bytes' used
to limit data that is read into a heap based buffer, using a read() call,
is not properly initialized. As a result of this flaw, the 'bytes'
variable will be assigned a value based on random data on the stack. When
this variable is later used as the count argument for a read() call,
excessive attacker-supplied data may be read from a network socket
descriptor into a reserved buffer in the heap.
Because of the nature of this issue, the vulnerability may only present
itself if the 'bytes' integer contains a sufficient value, so that data
read exceeds the size of the reserved buffer. An attacker may potentially
exploit this issue to corrupt inline heap memory management chunk headers
that are adjacent to the affected buffer. Exploitation of the issue may be
hindered because free() is not called on an affected adjacent chunk; this,
however, has not been confirmed, as other heap exploitation vectors may be
plausible.
18. Jordan Windows Telnet Server Username Stack Based Buffer Ove...
BugTraq ID: 9316
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9316
Summary:
Jordan Windows Telnet Server is a Telnet server for Microsoft Windows
platforms.
Jordan Windows Telnet Server has been reported prone to a remote buffer
overrun vulnerability. The issue has been reported to present itself when
a username is supplied to the Telnet server that is 518 bytes in length.
Due to a lack of bounds checking, when this username is copied into an
insufficiently sized buffer in stack-based memory, data that exceeds the
size of the buffer will overrun its bounds and corrupt adjacent memory.
An attacker may exploit this condition to corrupt a saved instruction
pointer for the vulnerable function, and thereby influence execution flow
into attacker supplied instructions. These instructions will subsequently
be executed in the context of the affected service.
The severity of this vulnerability is heightened by the fact that the
overflow occurs pre-authentication.
It should be noted that although this issue has been reported to affect
Jordan Windows Telnet Server version 1.0, other versions might also be
affected.
19. Alt-N MDaemon/WorldClient Form2Raw Raw Message Handler Buffe...
BugTraq ID: 9317
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9317
Summary:
MDaemon is a mail server for Microsoft Windows operating systems. It
includes WorldClient, which is a web-based email client.
A vulnerability has been identified in MDaemon/WorldClient mail server
when handling certain messages with a 'From' field of over 249 bytes.
Because of this, it may be possible for a remote attacker to gain
unauthorized access to a system running the vulnerable software. The
condition is present due to insufficient boundary checking.
It has been reported that FORM2RAW.exe is a CGI script used by MDaemon for
sending and receiving mail via the web. In order to send a message,
FORM2RAW.exe creates a RAW message file in the Raw queue Directory of
MDaemon mail server by processing an HTML form.
The issue presents itself when an attacker composes and sends a message
with more than 249 bytes of data in the 'From' field of the message. The
resulting RAW message file is reported to cause a denial of service
condition in the server.
An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access.
20. PHPCatalog ID Parameter SQL Injection Vulnerability
BugTraq ID: 9318
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9318
Summary:
PHPCatalog is expandable web based e-catalog software implemented in PHP.
It will run on most Unix and Linux variants, as well as Microsoft Windows
operating systems.
A vulnerability has been reported to exist in the software that may allow
a remote user to inject malicious SQL syntax into database queries. The
problem reportedly exists in the $id parameter of PHPCatalog. This issue
is caused by insufficient sanitization of user-supplied data supplied as
input to this parameter, which will then be included in a database query.
A remote attacker may exploit this issue to influence SQL query logic to
have unauthorized SQL queries executed in the database.
A malicious user may influence database queries in order to view or modify
sensitive information potentially compromising the software or the
database.
This vulnerability has been reported to affect PHPCatalog version 2.6.7
and prior versions.
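Several entries in this issue (BIDs 9300, 9301, 9305, 9314 and 9318) describe the same root cause: a request parameter such as 'CID', $pollID, $sql_in or $id is pasted into SQL text without type checking or parameter binding. The following is an added example, not code from any of those projects, written in Python against an in-memory SQLite database to show the query-building pattern behind the advisories beside the hardened form: an integer parameter validated before use, and a login lookup that binds its values so that quotes and operators in the input are compared literally. The table layouts, names and credentials are constructed for the example.

```python
import re
import sqlite3

# Plain positive integer only; anything else never reaches the SQL layer.
ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def make_demo_db():
    """Constructed in-memory tables standing in for a forum/catalogue schema.
    Passwords are stored in clear only to keep the demo short; a real
    application stores a salted hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forums (cid INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO forums VALUES (?, ?, ?)",
                     [(1, "General", 0), (2, "Announcements", 0), (3, "Staff only", 1)])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.commit()
    return conn


def unsafe_forum_query(cid_raw):
    """The pattern behind the advisories: the request parameter becomes part
    of the SQL text, so the client controls the query's logic. Returned as a
    string for inspection only; it is never executed in this example."""
    return f"SELECT cid, name FROM forums WHERE cid = {cid_raw} AND hidden = 0"


def is_valid_id(raw):
    return bool(ID_RE.match(raw))


def fetch_forum(conn, cid_raw):
    """Hardened lookup: check the type first, then bind the value with '?'."""
    if not is_valid_id(cid_raw):
        raise ValueError(f"invalid id: {cid_raw!r}")
    return conn.execute(
        "SELECT cid, name FROM forums WHERE cid = ? AND hidden = 0",
        (int(cid_raw),),
    ).fetchone()


def find_user(conn, username, password):
    """Hardened login lookup. With bound parameters the driver keeps the
    values separate from the SQL text, so a username of '=' or a value
    containing quotes is matched as a literal string, not as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    conn = make_demo_db()
    print("unsafe text for a hostile id:", unsafe_forum_query("3 OR 1=1"))
    print("hardened lookup of cid 1:", fetch_forum(conn, "1"))
    print("login with '=' as both fields:", find_user(conn, "=", "="))
```

Two points of the design deserve note: validating the integer parameter before binding it gives a clear error path for malformed input and keeps the database from seeing it at all, and binding the login values means the database engine never parses the user's input as part of a statement, which is the property the vulnerable scripts lacked.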
21. NETObserve Authentication Bypass Vulnerability
BugTraq ID: 9319
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9319
Summary:
NETObserve is web-based PC surveillance software that allows a remote user
to monitor systems and perform various actions such as executing commands,
taking screenshots, collecting keystrokes, etc.
NETObserve is prone to a vulnerability that may permit remote
unauthenticated users to access functions of the software. The source of
the issue is inadequate access validation. Remote users may submit a
specially crafted HTTP header which will bypass authentication and allow
the remote attacker to access various functions of the software.
To exploit this issue, the attacker must include the following HTTP header
field in the request:
'Cookie: login=0'
Due to the nature of the software, this could permit an attacker to
execute commands remotely on an underlying system running the software.
This may also expose privileged information about the system and its
users. Successful exploitation will result in remote compromise of the
system.
22. Microsoft Internet Explorer showHelp CHM File Execution Weak...
BugTraq ID: 9320
Remote: Yes
Date Published: Dec 30 2003
Relevant URL: http://www.securityfocus.com/bid/9320
Summary:
Microsoft Internet Explorer is prone to a security flaw in the
implementation of the showHelp() function. Microsoft previously released
patches that provide security measures to prevent abuse of the showHelp()
function to reference local compiled help files (.CHM) from within a web
page. This initial problem was described in BID 6780/MS03-004. However,
using directory traversal sequences and special syntax when referring to
the CHM file, it is possible to bypass this restriction. The following is
an example of how to bypass this restriction:
showHelp(mk:@MSITStore:iexplore.chm::........chmfile.chm::/fileinchm.html);
The directory traversal sequences are used to form a relative path to the
resource and by appending two colons (::) to the name of the compiled
help file (which will have a file extension other than .CHM), the browser
will interpret the file as a compiled help file. The attacker would still
need a method to place the file in a known location on the victim system
and a way to run executable content referenced by the .CHM file. However,
there are known issues in Internet Explorer (such as BID 8984) which may
be exploited in combination with this weakness, with the end result of
installing and executing malicious code on the client system.
23. XSOK GunZip Path Environment Variable Local Command Executio...
BugTraq ID: 9321
Remote: No
Date Published: Dec 30 2003
Relevant URL: http://www.securityfocus.com/bid/9321
Summary:
xsok is a freely available, open source single player game. It is
available for the Linux platform.
A problem has been disclosed in the handling of user-supplied input in
xsok. Because of this, an attacker may be able to gain elevated
privileges on a host with the vulnerable program.
The problem is in the handling of the GUNZIP_PATH environment variable.
It is possible for an attacker to modify the environment variable,
allowing the attacker to change the search path that the program follows
to find the gunzip executable. Vulnerable versions of the program do not
drop privileges before executing the gunzip executable. By altering the
path and supplying commands contained in a malicious program with the name
gunzip, attackers are able to execute arbitrary commands with the
privileges of the Group-ID games.
24. Apple MacOS X SecurityServer Daemon Local Denial Of Service ...
BugTraq ID: 9332
Remote: No
Date Published: Dec 30 2003
Relevant URL: http://www.securityfocus.com/bid/9332
Summary:
Apple MacOS X SecurityServer is a daemon implemented to provide
authentication, keychain, authorization and other services for MacOS X.
Apple MacOS X SecurityServer has been reported prone to a denial of
service vulnerability that may be triggered by a local user. The issue may
be triggered under certain circumstances when a large passwordLength
argument for a SecKeychainUnlock() call is specified after a locked
keychain is unlocked.
It has been reported that this activity will cause the SecurityServer to
crash, applications that depend on the functionality that SecurityServer
provides may also crash or behave in an unstable manner. It has been
reported that the affected system will require a reboot to restore normal
functionality.
The server appears to crash during a memory copy operation inside of the
sha1AddData() function (from the SHA1.c source file), potentially
resulting in memory corruption. This could possibly allow for execution
of arbitrary code, though this possibility has not been confirmed. If the
SecurityServer were compromised by a local attacker, it could impact
various system security properties.
25. ISAKMPD Invalid SPI SA Deletion Vulnerability
BugTraq ID: 9333
Remote: Yes
Date Published: Jan 01 2004
Relevant URL: http://www.securityfocus.com/bid/9333
Summary:
isakmpd is the IKE key management daemon provided with OpenBSD. isakmpd is
used when negotiating security associations in authenticated or encrypted
network traffic and is normally used to facilitate VPNs. It has been
reported that it is possible for attackers to remotely delete SAs
(security associations) in hosts running isakmpd.
When isakmpd receives an INVALID-SPI notification, it will delete the SA
associated with the specified SPI. All associated SAs will be deleted as
well. This occurs only when the notification originates from the correct
IP address. To exploit this vulnerability, the attacker must sniff valid
SPIs and then spoof an INVALID-SPI notification set with the target SPI.
The source address must be set to the IP address of the peer gateway.
When this vulnerability is exploited, entries similar to the following
may appear in logs:
  075542.992984 Exch 10 ipsec_responder: got NOTIFY of type INVALID_SPI
  075543.000662 SA 30 ipsec_delete_spi_list: INVALID_SPI made us delete SA 0x1b1600 (3 references) for proto 0
Exploitation of this vulnerability may result in a disruption of service.
There may be more serious ramifications, as the IPSec policies are also
reportedly deleted in most cases.
26. ISAKMPD Initial Contact Notification SA Deletion Vulnerabi...
BugTraq ID: 9334
Remote: Yes
Date Published: Jan 01 2004
Relevant URL: http://www.securityfocus.com/bid/9334
Summary:
isakmpd is the IKE key management daemon provided with OpenBSD. isakmpd is
used when negotiating security associations in authenticated or encrypted
network traffic and is normally used to facilitate VPNs. It has been
reported that it is possible for attackers to remotely delete SAs
(security associations) in hosts running isakmpd.
When isakmpd receives an INITIAL CONTACT notification that is chained to
a payload considered reasonable, it will delete the SA associated with
the IP address from which the message originated. All associated SAs will
be deleted as well. Notifications of INITIAL CONTACT will be ignored if
the messages to which they are chained are part of an informational
exchange. To exploit this vulnerability, the attacker must send to the
victim gateway a spoofed packet containing the INITIAL CONTACT
notification chained to a payload such as the initiation of a Main Mode
exchange with the source address set to the peer associated with the
target SA. This vulnerability is reportedly much easier to exploit than
the issue described as Bugtraq ID 9333.
When this vulnerability is exploited, entries similar to the following
may appear in logs:
  081412.393202 SA 30 ipsec_handle_leftover_payload: INITIAL-CONTACT made us delete SA 0x1b1600
  081412.399786 SA 30 ipsec_handle_leftover_payload: INITIAL-CONTACT made us delete SA 0x1b1200
Exploitation of this vulnerability may result in a disruption of service.
There may be more serious ramifications, as the IPSec policies are also
reportedly deleted in most cases.
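Both isakmpd issues (BIDs 9333 and 9334) leave the same kind of trace: a "made us delete SA" line attributed to an INVALID_SPI or INITIAL-CONTACT notification. The following is an added example, not part of OpenBSD or isakmpd, written in Python to show how a defender can parse isakmpd debug output, pull out notification-driven SA deletions, and flag bursts of them that do not line up with a known peer restart. The sample log is constructed for the example, modelled on the entries quoted in the two advisories; the line layout it assumes is "HHMMSS.micro <class> <level> <function>: <message>", and the window and threshold values are arbitrary starting points to tune per site.

```python
import re
from collections import Counter

# Constructed sample of isakmpd debug output, modelled on the log entries
# quoted for BIDs 9333 and 9334. Timestamps, SA addresses and the last line
# are made up for this example.
SAMPLE_LOG = """\
075542.992984 Exch 10 ipsec_responder: got NOTIFY of type INVALID_SPI
075543.000662 SA 30 ipsec_delete_spi_list: INVALID_SPI made us delete SA 0x1b1600 (3 references) for proto 0
081412.393202 SA 30 ipsec_handle_leftover_payload: INITIAL-CONTACT made us delete SA 0x1b1600
081412.399786 SA 30 ipsec_handle_leftover_payload: INITIAL-CONTACT made us delete SA 0x1b1200
081500.000000 Exch 10 exchange_run: exchange completed
"""

# "HHMMSS.micro <class> <level> <function>: <message>" (assumed layout)
LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\.\d+)\s+(?P<cls>\w+)\s+(?P<level>\d+)\s+(?P<func>\w+):\s+(?P<msg>.*)$"
)
# The two notification-driven teardown messages named in the advisories.
DELETE_RE = re.compile(
    r"(?P<cause>INVALID_SPI|INITIAL-CONTACT) made us delete SA (?P<sa>0x[0-9a-fA-F]+)"
)


def ts_to_seconds(ts):
    """Convert an isakmpd HHMMSS.micro timestamp to seconds since midnight."""
    hhmmss, frac = ts.split(".")
    hours, minutes, seconds = int(hhmmss[0:2]), int(hhmmss[2:4]), int(hhmmss[4:6])
    return hours * 3600 + minutes * 60 + seconds + float("0." + frac)


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_sa_deletions(log_text):
    """Return every SA deletion triggered by an INVALID_SPI or INITIAL-CONTACT
    notification, with its timestamp, cause, SA address and reporting function."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        d = DELETE_RE.search(rec["msg"])
        if d:
            events.append({"ts": rec["ts"], "func": rec["func"],
                           "cause": d.group("cause"), "sa": d.group("sa").lower()})
    return events


def deletions_by_cause(events):
    """Count teardown events per triggering notification type."""
    return dict(Counter(e["cause"] for e in events))


def burst_deletions(events, window=60.0, threshold=2):
    """Flag windows in which `threshold` or more notification-driven deletions
    happen within `window` seconds. A genuine peer restart produces a short
    burst once; repeated bursts with no matching outage on the peer are the
    signal to correlate with the peer gateway's own logs and with the source
    of the packets, since both advisories require a spoofed peer address."""
    secs = sorted(ts_to_seconds(e["ts"]) for e in events)
    alerts = []
    i = 0
    while i < len(secs):
        j = i
        while j + 1 < len(secs) and secs[j + 1] - secs[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            alerts.append((secs[i], count))
            i = j + 1
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    evs = find_sa_deletions(SAMPLE_LOG)
    for e in evs:
        print(f"{e['ts']} {e['cause']:15} deleted {e['sa']} via {e['func']}")
    print("by cause:", deletions_by_cause(evs))
    print("bursts (start_seconds, count):", burst_deletions(evs))
```

The burst detector only keys on the local log; because the notifications in both advisories arrive from a spoofed peer address, the useful confirmation step is to check whether the peer gateway logged a corresponding exchange at the same time.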
III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Defenses lacking at social network sites
By: Annalee Newitz
Services like LiveJournal and Tribe are poised to be the next big thing on
the Web in 2004, but their security and privacy practices are more like
1997.
http://www.securityfocus.com/news/7739
2. Online crime up in 2003
By: Kevin Poulsen
Complaints logged by a federal clearinghouse rose sixty percent over last
year.
http://www.securityfocus.com/news/7714
3. Chats led to Acxiom hacker bust
By: Kevin Poulsen
An IRC log on another hacker's computer led police to Epitaph, a
Cincinnati man who downloaded records on millions of consumers.
http://www.securityfocus.com/news/7697
4. Electronic voting firm acknowledges hacker break-in
By: Ted Bridis, The Associated Press
http://www.securityfocus.com/news/7728
5. CIA gadget-museum: robot fish, pigeon camera, jungle microph...
By: Ted Bridis, The Associated Press
http://www.securityfocus.com/news/7721
6. Victory for CPRM: SD cards overtake Compact Flash
By: Andrew Orlowski, The Register
http://www.securityfocus.com/news/7712
IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. ftp.proxy v1.2.2
By: Andreas Schoenberg
Relevant URL: http://www.ftpproxy.org/
Platforms: POSIX
Summary:
ftp.proxy is an application level gateway for FTP. It allows either
forwarding to a specific host or optional client side server selection w/o
allowed host list, and access and command control through external programs.
2. GNUnet v0.6.1a
By: Christian Grothoff
Relevant URL: http://www.ovmj.org/GNUnet/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX
Summary:
GNUnet is a peer-to-peer framework with focus on providing security. All
link-to-link messages in the network are confidential and authenticated.
The framework provides a transport abstraction layer and can currently
encapsulate the peer-to-peer traffic in UDP, TCP, or SMTP messages. GNUnet
supports accounting to provide contributing nodes with better service. The
primary service built on top of the core GNUnet framework is anonymous
file sharing.
3. Yin Yang v1.0
By: primac
Relevant URL: http://yinyang.sourceforge.net
Platforms: Linux
Summary:
Yin Yang is a real-time Linux file scanner that is activated whenever a
file is accessed. When a file opening system call is detected, it will
send the full pathname of the file to a network daemon. The network daemon
will then pass the pathname of the file to a file scanner, such as an
anti-virus scanner, and return the status. The status will then be
reported back to the network daemon, and the response will be passed back
to the system call. The default action logs a message to the system
logger. The file scanner is wrapped with the original file opening system
call, so it will open the file normally after the file scanning.
4. Quick Spam Filter v0.9.12
By: Andrew Wood
Relevant URL: http://www.ivarch.com/programs/qsf.shtml
Platforms: Linux, POSIX
Summary:
Quick Spam Filter is a small, fast spam filter that works by learning to
recognise the words that are more likely to appear in spam than non-spam.
It is intended to be used in a procmail recipe to mark email as being
possible spam.
5. System Garden Habitat v0.17.5
By: Nigel Stuckey
Relevant URL: http://www.systemgarden.com/habitat
Platforms: Linux
Summary:
Habitat is a performance management system which captures, stores, and
visualises table-based time series data. Monitor probes exist for Linux
and Solaris with Windows coming soon. It has a command line interface, a
fast GUI client for graphical visualisation, and a simple format for
extending data capture in the agent. It is written in C with Gtk and can
access data from its peers directly, by file sharing, or with the use of a
separate central archiving repository (harvest) to scale to installations
of significant size.
6. Portfwd v0.26
By: Everton da Silva Marques, [email protected]
Relevant URL: http://sourceforge.net/projects/portfwd/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, Solaris
Summary:
Portfwd is a small C++ utility which forwards incoming TCP connections
and/or UDP packets to remote hosts. Multiple forwarders can be specified
in a flexible configuration file. There is support for FTP forwarding.
V. SECURITYJOBS LIST SUMMARY
----------------------------
1. network security intrusion detection software/... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/348868
2. network security intrusion detection software ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/348862
VI. INCIDENTS LIST SUMMARY
--------------------------
1. flood of SYN packets to port 110 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/348802
2. netpay.tv connections (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/348800
3. Reverse http traffic (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/348649
4. Unusual port scan? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/348544
5. Large increase in port 32772 activity (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/348473
VII. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. Syskey (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/348733
2. generic privilege escalation (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/348704
3. Shellcode & NT System Calls (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/348517
VIII. MICROSOFT FOCUS LIST SUMMARY
----------------------------------
1. SecurityFocus Microsoft Newsletter #169 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348564
2. Disabling Cached Logon Credentials (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348563
3. Accessing eventlogs remotely on W2K3 Server (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348540
4. TCP/IP Stack Hardening - Disabling PMTU Discovery (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348539
5. FPSE Admin Listener on IIS 6.0 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348538
6. Article Announcement: Checklist for Deploying an IDS (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348498
IX. SUN FOCUS LIST SUMMARY
--------------------------
NO NEW POSTS FOR THE WEEK 2003-12-29 to 2004-01-05.
X. LINUX FOCUS LIST SUMMARY
---------------------------
1. skey not updating for one time passwords (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/348737
2. UNIX Authentication (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/348629
Posted on Thursday, 08 January 2004 @ 10:52:43 EST by phoenix22