The latest release includes two different ISO images -- one for systems with Intel B/G wireless cards, and one without.
We tried Auditor on a workstation and notebook computer. Auditor detected all of the hardware, even the wireless card in the notebook, flawlessly. Unlike Knoppix, Auditor does not automatically attempt to get an IP address by DHCP on boot -- the user must do this manually.
There are far too many applications included with Auditor to go into each one individually. The CD includes several classes of applications, found on the KDE menu in the "Auditor" menu. The menu classes include "Footprinting," "Scanning," "Analyzer," "Spoofing," "Bruteforce," "Forensics" and "Password cracker." Suffice it to say that Auditor includes a comprehensive list of tools for any user who needs to perform a security audit.
Of course, Auditor could be applied to less-than-honest endeavors as well. Using Auditor, we were able to quickly start up EtherApe to start monitoring network traffic on our LAN, use Dsniff to scan for passwords sent over the network, and run Nessus to scan for vulnerabilities. Given a laptop, wireless card and close proximity to a unprotected (or under-protected) wireless network, and a user could walk away with quite a few passwords and usernames just by casual browsing.
In addition to scanning and penetration testing, Auditor would come in handy for forensics on compromised computers with tools like Wipe, Sleuthkit, recover and testdisk. Auditor also includes a decent selection of normal productivity tools, which will come in handy for admins and security consultants to produce full reports on the same machine they use for scanning and penetration testing. Auditor includes several text editors, image capture tools, and even vnc2swf for users who need to make Flash movies of their tests.
The Remote-Exploit website also has links to Flash movies demonstrating various uses of the Auditor Security Collection, including cracking 128-bit WEP and decrypting SSL traffic using a Man in the Middle attack.
In short, Auditor is a one-stop shop for Linux users who want a full selection of security testing tools. We'd recommend that any system administrator take a look at Auditor, and consider adding it to their security tool chest. If nothing else, it should provide an eye-opener as to what kinds of easy-to-use tools are available to potential attackers.
Andrew Toller and Stefan Kanthak discovered that a flaw in libmspack's
Quantum archive decompressor renders Clam AntiVirus vulnerable to a
Denial of Service attack. A remote attacker could exploit this
vulnerability to cause a Denial of Service by sending a specially crafted
Quantum archive to the server.
It has been reported that the "getterminaltype" function of Heimdal's
(before 0.6.5) telnetd server is vulnerable to buffer overflows. An
attacker could exploit this vulnerability to execute arbitrary code with
the permission of the telnetd server program.
A Denial of Service vulnerability has been discovered in the ptrace()
call on the amd64 platform. By calling ptrace() with specially crafted
("non-canonical") addresses, a local attacker could cause the kernel
to crash. This only affects the amd64 platform. (CAN-2005-1762)
ZouNanHai discovered that a local user could hang the kernel by
invoking syscall() with specially crafted arguments. This only affects
the amd64 platform when running in the 32 bit compatibility mode.
(CAN-2005-1765)
The Vipuls Razor spam detection framework has multiple
vulnerabilities. Processing of malformed messages can lead to
a remote denial of service by causing the software to execute
infinite loops.
RealNetworks, Inc. has
addressed security vulnerabilities that offered the potential for an
attacker to run arbitrary or malicious code on a customer's
machine. RealNetworks has received no reports of machines compromised as a
result of the now-remedied vulnerabilities. RealNetworks takes all security
vulnerabilities very seriously.
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus.
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor.
There is a vulnerability in
cpio (2.6 and previous) that allows a malicious cpio file to
extract to an arbitrary directory of the attackers choice. cpio will
extract to the path specified in the cpio file, this path can be absolute.
Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and
possibly other versions, allow remote malicious web servers to execute
arbitrary code via base64 encoded replies that exceed the intended buffer
lengths when decoded.
CVS (in version prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error.
These can be used to launch a remote denial of service or to remotely
execute arbitrary code.
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another
user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening.
Dnsmasq does not properly detect that DNS replies received do not
correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux
Security Audit team also discovered two off-by-one buffer overflows that
could crash DHCP lease files parsing.
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group.
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash.
The Ettercap suite of networking tools has a
format string vulnerability that can be exploited by a
remote attacker for the execution of arbitrary code.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
Primoz Bratanic discovered that the sql_escape_func function of FreeRADIUS
1.0.2 and earlier may be vulnerable to a buffer overflow. He also
discovered that FreeRADIUS fails to sanitize user-input before using it in
a SQL query, possibly allowing SQL command injection.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user.
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script.
GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
The gxine media player has a format string vulnerability in the
hostname decoding function. A specially crafted file can be used
to cause a user to execute arbitrary code.
gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option.
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks.
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine.
InfoZip reports that Zip 2.3 and
(presumably) all previous versions have a buffer-overrun vulnerability
relating to deep directory paths that could potentially lead to local
privilege escalation (e.g., in the case of automated, Zip-based backups).
All versions of UnZip through 5.50 have a number of directory-traversal
vulnerabilities.
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains an URL-encoded
newline before the FTP command.
Paul Starzetz has posted an
advisory for yet another kernel vulnerability.
In this case, by using a specially manipulated ELF binary, a local attacker
can compromise the system (via the core dump code) and obtain root access.
This vulnerability affects all kernels from 2.2 through 2.6.12-rc4.
A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
KDE has issued a security advisory for
kimgio. This is found in kdelibs as shipped with KDE 3.2 up to including
KDE 3.4. kimgio contains a PCX image file format reader that does not
properly perform input validation. A source code audit performed by the KDE
security team discovered several vulnerabilities in the PCX and other image
file format readers, some of them exploitable to execute arbitrary code.
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code.
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library.
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program.
The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result.
The following vulnerabilities were found and fixed in the Mozilla Suite
and Mozilla Firefox:
Vladimir V. Perepelitsa reported a memory disclosure bug in
JavaScript's regular expression string replacement when using an
anonymous function as the replacement argument (CAN-2005-0989).
moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM
nodes from the content window, allowing privilege escalation via DOM
property overrides.
Michael Krax reported a possibility to run JavaScript code with
elevated privileges through the use of javascript: favicons.
Michael Krax also discovered that malicious Search plugins could
run JavaScript in the context of the displayed page or stealthily
replace existing search plugins.
shutdown discovered a technique to pollute the global scope of a
window in a way that persists from page to page.
Doron Rosenberg discovered a possibility to run JavaScript with
elevated privileges when the user asks to "Show" a blocked popup that
contains a JavaScript URL.
Finally, Georgi Guninski reported missing Install object instance
checks in the native implementations of XPInstall-related JavaScript
objects.
The following Firefox-specific vulnerabilities have also been
discovered:
Kohei Yoshino discovered a new way to abuse the sidebar panel to
execute JavaScript with elevated privileges.
Omar Khan reported that the Plugin Finder Service can be tricked to
open javascript: URLs with elevated privileges.
Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly
implement certain security checks for script injection, which allows remote
attackers to execute script via "Wrapped" javascript.
Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly limit
privileges of Javascript eval and Script objects in the calling context,
which allows remote attackers to conduct unauthorized activities via
"non-DOM property overrides," a variant of CAN-2005-1160.
Heap overflows have been found in the code handling RealMedia RTSP and
Microsoft Media Services streams over TCP (MMST). By setting up a
malicious server and enticing a user to use its streaming data, a remote
attacker could possibly execute arbitrary code on the client computer with
the permissions of the user running MPlayer.
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013).
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code.
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under.
Hyper-Threading technology, as used in FreeBSD other operating systems and
implemented on Intel Pentium and other processors, allows local users to
use a malicious thread to create covert channels, monitor the execution of
other threads, and obtain sensitive information such as cryptographic keys,
via a timing attack on memory cache misses. See this LWN article for more information.
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
The php4 EXIF module has two vulnerabilities. An
integer overflow in the exif_process_IFD_TAG() function
can be exploited to cause a buffer overflow for the
purpose of arbitrary code execution.
EXIF headers with a large IFD nesting level can be used
to cause a denial of service. Remote exploits are possible.
postgresql has a vulnerability in which the EXECUTE privilege may
not be checked on custom functions. This may allow any database user to
circumvent the EXECUTE restriction on functions.
PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Steven Van Acker has discovered a buffer overflow vulnerability in the
"add_port()" function in Pound 1.8.2+. A remote attacker could send a
request for an overly long hostname parameter, which could lead to the
remote execution of arbitrary code with the rights of the Pound daemon
process.
The ppxp PPP program has a log file vulnerability that can
allow the root privileges used by the software to remain active,
enabling the opening of a root shell by a local user.
RealNetworks, Inc. has fixed a
security vulnerability that offered the potential for an attacker to
run arbitrary or malicious code on a customer's machine. Linux RealPlayer
10 (10.0.0 - 3) and Helix Player (10.0.0 - 3) are vulnerable.
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
GNU shtool, which is also used by ocaml-mysql,
has an insecure temp file vulnerability that can be exploited by a
local user to overwrite arbitrary files.
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
SpamAssassin 3.0.4 was released
to fix a denial of service vulnerability in versions 3.0.1, 3.0.2, and
3.0.3. The vulnerability allows certain mis-formatted long message headers
to cause spam checking to take a very long time.
Charles Morris discovered a race condition in sudo which could lead to
privilege escalation. If /etc/sudoers allowed a user the execution of
selected programs, and this was followed by another line containing
the pseudo-command "ALL", that user could execute arbitrary commands
with sudo by creating symbolic links at a certain time.
Both Sun's (v < 1.4.2.08) and Blackdown's (v < 1.4.2.02) JDK and JRE may
allow untrusted applets to elevate privileges. A remote attacker could
embed a malicious Java applet in a web page and entice a victim to view
it. This applet can then bypass security restrictions and execute any
command or access any file with the rights of the user running the web
browser.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278)
Two buffer overflow flaws were discovered in the way the telnet client
handles messages from a server. An attacker may be able to execute
arbitrary code on a victim's machine if the victim can be tricked into
connecting to a malicious telnet server.
A bug in Tor allows attackers to view arbitrary memory contents from an
exit server's process space. A remote attacker could exploit the memory
disclosure to gain sensitive information and possibly even private keys.
Versions of trac prior to 0.8.4 suffer from an input validation error which can lead to the uploading of files to undesired locations on the host system.
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report.
wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite
certain files via a redirection URL containing a ".." that resolves to the
IP address of the malicious server, which bypasses wget's filtering for
".." sequences.
wget 1.8.x and 1.9.x does not filter or quote control characters when
displaying HTTP responses to the terminal, which may allow remote malicious
web servers to inject terminal escape sequences and execute arbitrary code.
Due to a lack of input validation, WordPress is vulnerable to SQL
injection and XSS attacks. An attacker could use the SQL injection
vulnerabilities to gain information from the database. Furthermore the
cross-site scripting issues give an attacker the ability to inject and
execute malicious script code or to steal cookie-based authentication
credentials, potentially compromising the victim's browser.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Greg Roelofs has reported multiple input validation errors in XV image
decoders. Tavis Ormandy of the Gentoo Linux Security Audit Team has
reported insufficient validation in the PDS (Planetary Data System)
image decoder, format string vulnerabilities in the TIFF and PDS
decoders, and insufficient protection from shell meta-characters in
malformed filenames. Successful exploitation would require a victim to
view a specially created image file using XV, potentially resulting in the
execution of arbitrary code.
