Re: {\rtf\a112911112911112911112911...112911} in the body will crash OE5 clients.

2000-02-24 Thread Dawes, Rogan (ZA - JNB)

And having it in the subject causes funnies with the full outlook 2000
client as well.

I was scrolling through the bugtraq messages, and noted that this
message(call it #2) had the same subject that the previous message(#1) did,
although the window title had been updated appropriately. Moving on to the
next message (#3), and going back again left me with the subject from
message #3 showing on the subject line.

It may be possible to overflow Outlook itself by including a carefully
crafted subject line.

Outlook version 9.0.0.2711 on NT 4 SP5

Rogan

> -Original Message-
> From: Indeera [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 23, 2000 11:49 PM
> To: [EMAIL PROTECTED]
> Subject: {\rtf\a112929292911...112911} in the body will
> crash OE5 clients.
>
>
> This was tested by sending a message having the above string
> in the body
> from hotmail to OE5 client version 5.50.3825.400 on NT4
> server  sp6. first
> experienced while trying to open the message sent by Pauli
> Ojanpera subject
> reading 'riched32.dll buffer overflow'. Might not work in other OE5
> versions.  Just thought some one might be interested in this.
> cheers
> ind
> __
> Get Your Private, Free Email at http://www.hotmail.com
>



Re: flex license manager tempfile predictable name...

2000-02-24 Thread Edwards Philip M Contr AFRL/SNRR

Roelof JT Jonkman <[EMAIL PROTECTED]> wrote:

> Flex does not need to run as root:
>
> Somewhere on their webpage they have some scripts, I crafted
> some myself, and
> didn't see a need to run a license manager as root.

We use software that comes with FlexLM, and their[*] documentation states
that lmgrd should specifically /not/ be run as root.  Some of the wrapper
scripts shipped with the software perform a UID check and bail out if root
is running the script.

All of the license manager startup scripts do a "su <user> -c startupcommand"
where <user> is some mortal user with few abilities.


Phil
[*] The vendor/third-party software itself.

--
Phil Edwards  <[EMAIL PROTECTED]>
Senior Unix Sysadmin AFRL/SNRR
Wright-Patterson AFB



Re: Wordpad vulnerability, exploitable also in IE for Win9x

2000-02-24 Thread Charles Skoglund

> Georgi Guninski security advisory #7, 2000
>
> Wordpad vulnerability, exploitable also in IE for Win9x
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or  indirect use
> of the information or functionality provided by this program.
> Georgi Guninski, bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> There is a vulnerability in Wordpad which allows executing arbitrary
> programs without warning the user after activating an embedded or linked
> object. This may be also exploited in IE for Win9x.
>
> Details:
> Wordpad executes programs embedded in .doc or .rtf documents without any
> warning if the object is activated by doubleclick.
> This may be exploited in IE for Win9x using the view-source: protocol.
> The view-source: protocol starts Notepad, but if the file is large, then
> the user is asked to use Wordpad. So creating a large .rtf document and
> creating a HTML view-source: link to it in a HTML page or HTML based
> email message will prompt the user to use Wordpad and a program may be
> executed if the user doubleclicks on an object in the opened document.
>
> Demonstration which starts AUTOEXEC.BAT:
> http://www.whitehats.com/guninski/wordpad1.html
> Workaround: Do not activate objects in Wordpad documents
>
> Copyright Georgi Guninski
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
>

I tested it under Word97 running on a Wimpdoze NT4 (SP4), and it works.

Regards
Charles Skoglund

"Oh my God, they killed Kenny! You bastards!"

quik -/divine/pinnacle/dvniso/dvnmp3/dvnvcd/trb/trbmp3/festis/-
 -/s t i l l b o r n   c r e w   2 0 0 0/-



Re: DoS for the iPlanet Web Server, Enterprise Edition 4.1

2000-02-24 Thread Peter W

At 10:31am Feb 23, 2000, -Eiji Ohki- wrote:

> I could find out the denial of service effected to iPlanet
> Web Server, Enterprise Edition 4.1 on Linux 2.2.5(Redhat6.1J;
> Kernel 2.2.12).

http://www.iplanet.com/downloads/download/detail_161_284.html
"Version Description: Please note this is a pre-release version"

> to the Enterprise Server International Edition 3.6SP2 on
> Solaris 2.6J (Sparc), the Enterprise Server 3.6SP3 on Solaris
> 2.6J (Sparc) , the iPlanet Web Server, Enterprise Edition 4.0SP3
> on Solaris 2.6J (Sparc)

All officially released, supported versions. Note iWS 4.0 is now at SP4.

I'll agree that Netscape's bug feedback leaves something to be desired,
but I wouldn't panic about this *yet*. ;-)

-Peter

http://www.bastille-linux.org/ : working towards more secure Linux systems



Re: Wordpad vulnerability, exploitable also in IE for Win9x

2000-02-24 Thread Scott

Although I feel he makes it fairly evident I thought I'd make a note for
all.  This does not work in Windows 2000 using the IE trick.  It doesn't
prompt to open Wordpad but rather just uses notepad.  I feel this has
something to do with the fact that the filesize limit inherent in Notepad
for win9x isn't there in Windows 2000.  Although I could be wrong on this I
just know it doesn't affect Windows 2000 users.

Scott Wade
Systems Administrator

- Original Message -
From: "Georgi Guninski" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 23, 2000 8:27 AM
Subject: [BUGTRAQ] Wordpad vulnerability, exploitable also in IE for Win9x


Georgi Guninski security advisory #7, 2000

Wordpad vulnerability, exploitable also in IE for Win9x

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or  indirect use
of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:
There is a vulnerability in Wordpad which allows executing arbitrary
programs without warning the user after activating an embedded or linked
object. This may be also exploited in IE for Win9x.

Details:
Wordpad executes programs embedded in .doc or .rtf documents without any
warning if the object is activated by doubleclick.
This may be exploited in IE for Win9x using the view-source: protocol.
The view-source: protocol starts Notepad, but if the file is large, then
the user is asked to use Wordpad. So creating a large .rtf document and
creating a HTML view-source: link to it in a HTML page or HTML based
email message will prompt the user to use Wordpad and a program may be
executed if the user doubleclicks on an object in the opened document.

Demonstration which starts AUTOEXEC.BAT:
http://www.whitehats.com/guninski/wordpad1.html
Workaround: Do not activate objects in Wordpad documents

Copyright Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro



Re: {\rtf\a112911112911112911112911...112911} in the body will crash OE5 clients.

2000-02-24 Thread Signal 11

Indeera wrote:
>
> This was tested by sending a message having the above string in the body
> from hotmail to OE5 client version 5.50.3825.400 on NT4 server  sp6. first

Does not work in outlook 2000, 9.0.0.2711, win98-SE

If you could attach the complete e-mail with headers in a raw format,
it could aid in debugging.

--
Signal 11 -o- BOFH, malign.net
What evil shall I do today?



Re: unused bit attack alert

2000-02-24 Thread Max Vision

This is true of PSH as well.  I had actually meant to respond regarding
the PSH flag (SYN+PSH scans are perfectly workable), but had looked at URG
first when writing my response and somehow accidentally omitted mention of
PSH.  (Thanks Patrick for reminding me of what I said a few months ago
about PSH)

I inadvertently ended up repeating what Vern Paxson had posted just days
earlier with regard to adding legitimate flags to traffic:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&[EMAIL PROTECTED]

To summarize, it looks like in most cases PSH, URG, or the two reserved
bits can be set in packets without affecting their function.  Portscan
detectors and IDS should take this into account by masking to the value
being tested.

Has anyone already researched how various IP stacks deal with these
"extra" flags in otherwise normal traffic - aside from my very limited
portscan tests?

On Wed, 23 Feb 2000, Max Vision wrote:
> You might want to strip R_URG as well, since per RFC 793 you can set the
> URG flag on packets with minimal effect to state.
>
...
>
> Max
>
> --
> Max Vision Network Security<[EMAIL PROTECTED]>
> Network Security Assessment http://maxvision.net/
> 100% Success Rate : Penetration Testing & Risk Mitigation
> Free Visibility Analysis and Price Quote for Your Network
>

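Added example, not code from Max Vision's post or from any scanner or IDS named in this thread: a Python sketch of the masking he recommends. Flag bit values follow RFC 793; the "reserved" bits are taken to be the two bits above URG in the flag byte, and the sample segments are constructed here, not captured traffic. The point it shows is that a detector comparing the raw flag byte against SYN misses a SYN+PSH or SYN+URG probe, while one that masks first does not.

```python
"""Portscan matching with PSH/URG/reserved bits masked off (added example).

Assumption: the flag byte is the low byte of the TCP data-offset/flags
word (RFC 793 layout); the two bits above URG are treated as the
"reserved" bits discussed in the thread.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
RESERVED = 0xC0                      # the two bits above URG
NOISE_MASK = PSH | URG | RESERVED    # bits that do not change what a probe does


def normalise(flags: int) -> int:
    """Clear PSH, URG and the reserved bits; keep SYN/ACK/FIN/RST."""
    return flags & ~NOISE_MASK & 0xFF


def classify(flags: int):
    """Name the probe by its state-relevant bits, and also return the noise
    bits that were set so a log line can still record SYN+PSH or XMAS-style."""
    core = normalise(flags)
    if core == SYN:
        kind = "syn-probe"       # half-open scan, with or without decoration
    elif core == 0:
        kind = "null-probe"
    elif core == FIN:
        kind = "fin-probe"       # FIN and FIN+PSH+URG (XMAS) both land here
    elif core == (SYN | ACK):
        kind = "syn-ack"
    elif core & RST:
        kind = "reset"
    elif core & ACK:
        kind = "established"
    else:
        kind = "other"
    return kind, flags & NOISE_MASK


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (constructed test input; checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """The flag byte sits at offset 13 of the TCP header."""
    return segment[13]


def detect_syn_probes(segments, masked=True):
    """Indexes of segments that look like half-open SYN probes.

    masked=False is the naive `flags == SYN` test the thread warns about."""
    hits = []
    for i, seg in enumerate(segments):
        f = tcp_flags(seg)
        if (normalise(f) if masked else f) == SYN:
            hits.append(i)
    return hits


# Constructed samples: plain SYN, SYN+PSH, SYN+URG+reserved, a SYN/ACK and
# an ordinary data segment.
SAMPLES = [
    tcp_header(40000, 22, SYN),
    tcp_header(40001, 22, SYN | PSH),
    tcp_header(40002, 22, SYN | URG | RESERVED),
    tcp_header(22, 40000, SYN | ACK),
    tcp_header(40003, 80, ACK | PSH),
]

if __name__ == "__main__":
    print("naive :", detect_syn_probes(SAMPLES, masked=False))
    print("masked:", detect_syn_probes(SAMPLES, masked=True))
    for seg in SAMPLES:
        print(hex(tcp_flags(seg)), classify(tcp_flags(seg)))
```

Note that after masking, a FIN+PSH+URG probe and a bare FIN probe are the same thing, which is exactly why the thread suggests matching on the masked value: the decoration changes nothing about how the target answers.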


Re: Firewall and IP stack test tool

2000-02-24 Thread Darren Reed

In some mail from Mike Frantzen, sie said:
>
> With the re-occurrence of this unused TCP flags fiasco, I am getting off my
> ass and releasing a tool to stress test IP stacks, firewall rulesets,
> firewall resilience and IDS implementations.

Been there, done that.

> ISIC - 0.05   (IP Stack Integrity Check)
> Crafts random packets and launches them.  Can fix or randomize source/dest
> IP's and Ports.  You can specify the percentage of packets to fragment,
> to have IP options, to have bad IP versions  Just about every field
> can be automagically twiddled.

Been there, done that.

Be aware that if you're doing a random attack then the results are also
going to be "random" - i.e. you won't necessarily find *all* holes.

> It contains distinct programs for TCP, UDP, ICMP, IP with a randomized
> protocol field and a program for randomized raw ethernet frames.

Randomized ethernet frames could be interesting (haven't played with
that before).

[...]
> Note 2:
>   It melts just about anything it is targeted against.  Only a matter of
>   time before someone creates an interesting distributed DoS network that
>   ingress filtering won't solve.
[...]

Oh, how's that ?  If ingress filtering is stopping forged IP source
addresses, then whilst the attack can still be made, it's easy to
point the finger back at the source of the problem (which is all it
was ever going to do).  Once you can find the source, the power point
is usually not too far away either...

Darren



Re: Wordpad vulnerability, exploitable also in IE for Win9x

2000-02-24 Thread Kevin Day

>
> Georgi Guninski security advisory #7, 2000
>
> Wordpad vulnerability, exploitable also in IE for Win9x
>
> Description:
> There is a vulnerability in Wordpad which allows executing arbitrary
> programs without warning the user after activating an embedded or linked
> object. This may be also exploited in IE for Win9x.
>
> Demonstration which starts AUTOEXEC.BAT:
> http://www.whitehats.com/guninski/wordpad1.html
> Workaround: Do not activate objects in Wordpad documents
>
> Copyright Georgi Guninski


For reference, on my Win2000 system with IE5 and Office 2000 installed, it
instead gives me a dialog box which says:

"You are about to activate an embedded object that may contain viruses or be
otherwise harmful to your computer. It is important that it is from a
trustworthy source. Do you want to continue?"


It appears that it's launching Word instead of Wordpad, if you have Word
installed. (Makes sense, since they probably want to associate rtf with
Word).


Kevin



Re: Doubledot bug in FrontPage FrontPage Personal Web Server.

2000-02-24 Thread KOJIMA Hajime

In <000801bf780a$9ad4b2e0$017f@localhost>,
Jan van de Rijt wrote:
| Description: Doubledot bug in FrontPage FrontPage Personal Web Server.
| Compromise: Accessing drive through browser.
| Vulnerable Systems: Frontpage-PWS32/3.0.2.926 other versions not tested.
| Details:
| When FrontPage-PWS runs a site on your c:\ drive your drive could be
| accessed by any user accessing your page, simply by requesting any file
| in any directory except the files in the FrontPage dir. specially
| /_vti_pvt/.
|
| How to exploit this bug?
| Simply adding // in the URL addressbar.

  It sounds like the same as:





KOJIMA Hajime - Ryukoku University, Seta, Ootsu, Shiga, 520-2194 Japan
[Office] [EMAIL PROTECTED], http://www.st.ryukoku.ac.jp/~kjm/



Open IP Directed Broadcast List...

2000-02-24 Thread dies

Well I guess I reinvented the wheel here.  On that note.

I've compiled a list of open ip directed broadcasts.  I've scanned
down into 26 bit subnets and found some interesting results.  Over
138,000 broken networks were found.  A list of these networks is
currently available at http://www.pulltheplug.com.  The reason I did this
was because netscan.org is only hitting 24 bit subnets and with the
recent "Internet Rush" for companies, CIDR, etc I felt it was time to look
deeper into the problem.  I've been pulled away from this project as of
late (real job calls) and I have yet to walk the networks through
arin/ripe/apnic and obtain contacts.  That will be my next step,
ETA - 2/28/00.  After that I'd like to jump down to 27 and 28 bit
subnets.  I'd be willing to get some help from anyone that is interested.

Lastly, for the script kiddies out there. Please do not go and
grab this list and annihilate someone.  Take the information and maybe
learn something from it, like just what subnetting is and how it works..

[EMAIL PROTECTED]

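Added example, not dies' own scanner and nothing from netscan.org: a Python helper that enumerates the directed-broadcast addresses a scan like the one above has to probe when it walks a prefix down through /25, /26 and smaller subnets. The prefix used as sample input is the RFC 5737 documentation range; the function only computes targets and sends nothing.

```python
"""Directed-broadcast probe targets for a prefix walked down to /N (added example)."""
import ipaddress


def candidate_broadcasts(prefix: str, deepest: int = 26):
    """Return [(address, [mask lengths]), ...] for every subnet of `prefix`
    from its own mask length down to /deepest.

    One address is the broadcast of several nested subnets (x.x.x.255 is the
    broadcast of the /24, of its upper /25, of its upper /26 ...), so the
    list is de-duplicated: one probe per address, tagged with every mask
    length that address would answer for."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= deepest <= 30:
        raise ValueError("deepest must lie between the prefix length and /30")
    seen = {}
    for plen in range(net.prefixlen, deepest + 1):
        subs = [net] if plen == net.prefixlen else net.subnets(new_prefix=plen)
        for sub in subs:
            seen.setdefault(sub.broadcast_address, []).append(plen)
    return sorted(seen.items())


def probe_count(prefix: str, deepest: int) -> int:
    """Distinct addresses a scan must hit to cover every subnet down to /deepest."""
    return len(candidate_broadcasts(prefix, deepest))


if __name__ == "__main__":
    # RFC 5737 documentation prefix used as sample input.
    for addr, masks in candidate_broadcasts("192.0.2.0/24", 26):
        print(addr, "is the broadcast of", ", ".join(f"/{m}" for m in masks))
    print("probes needed down to /28:", probe_count("192.0.2.0/24", 28))
```

A /24-only scan such as the one the post compares against therefore only ever tests x.x.x.255, which is also a /25 and /26 broadcast; the three other /26 broadcasts (.63, .127, .191) are never touched, which is the gap the deeper scan closes.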


Re: MS signed software privileges

2000-02-24 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Dax
Kelson writes:

> However (playing devil's advocate), you've trusted Microsoft to silently
> execute "any code" on your machine at least once before by installing
> their closed-source operating system, and that is a massive amount of
> unaudited code.

Yes and no.  First, as Juan's original note pointed out, this creates risks
from MS software you didn't install.  Second, and perhaps more important,
anyone who has ever administered a production system knows that you *don't* do
updates, even "harmless" ones, on production systems without testing *in your
environment*, and you *never* do them at critical periods.  The ability for
someone else to update my system is completely unacceptable, even without any
security issues whatsoever.

--Steve Bellovin



Microsoft Security Bulletin (MS00-013)

2000-02-24 Thread Microsoft Product Security

The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.


Microsoft Security Bulletin (MS00-013)
--

Patch Available for "Misordered Windows Media Services Handshake"
Vulnerability
Originally Posted: February 23, 2000

Summary
===
Microsoft has released a patch that eliminates a security vulnerability in
Microsoft(r) Windows Media Services. The  vulnerability could allow denial
of service attacks against a streaming media server.

Frequently asked questions regarding this vulnerability and the patch can be
found at
http://www.microsoft.com/technet/security/bulletin/fq00-013.asp

Issue
=
The handshake sequence between a Windows Media server and a Windows Media
Player is asynchronous, because certain resource  requests are dependent on
the successful completion of previous ones. If the client-side handshake
packets are sent in a  particular misordered sequence, with certain timing
constraints, the server will attempt to use a resource before it has been
initialized and will fail catastrophically, causing the Windows Media
Unicast Service to crash.

The Windows Media Unicast Service can be put back into normal operating
condition by restarting the service, but any sessions  that were in effect
at the time of the crash would need to be restarted.

Affected Software Versions
==
 - Microsoft Windows Media Services 4.0 and 4.1

NOTE: Windows NT Server 4.0 customers should upgrade their Windows Media
Services installation to Windows Media Services 4.1 before applying the
patch. Windows Media Services 4.1 can be downloaded for free from
http://www.microsoft.com/windows/windowsmedia/. Windows 2000 Server
includes Windows Media Services 4.1, so the patch can be applied directly
to this configuration.

Patch Availability
==
 - Windows NT Server 4.0:
   http://download.microsoft.com/download/winmediatech40/
   Update/4954/NT4/EN-US/WMSU4954_NT4.EXE
 - Windows 2000 Server:
   http://download.microsoft.com/download/winmediatech40/
   Update/4954/NT5/EN-US/WMSU4954_Win2000.EXE

NOTE: Line breaks have been inserted into the above URLs for readability

NOTE: Additional security patches are available at the Microsoft Download
Center

More Information

Please see the following references for more information related to this
issue.
 - Frequently Asked Questions: Microsoft Security Bulletin MS00-013,
   http://www.microsoft.com/technet/security/bulletin/fq00-013.asp.
 - Microsoft Knowledge Base (KB) article Q253943,
   Misordered Windows Media Services Handshake Vulnerability,
   http://www.microsoft.com/technet/support/kb.asp?ID=253943
 - Microsoft TechNet Security Web site,
   http://www.microsoft.com/technet/security/default.asp.

Obtaining Support on this Issue
===
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===
Microsoft thanks Kit Knox for reporting this issue to us and working with us
to protect customers.

Revisions
=
 - February 23, 2000: Bulletin Created.


-
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT  DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR  PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,  INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF  LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 2000 Microsoft Corporation. All rights reserved. Terms of Use.

   ***
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  [EMAIL PROTECTED]
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please visit http://www.microsoft.com/security/services/bulletin.asp. For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.



Re: A.L.E.R.T.: BigMailBox.com href tokens leave mailboxes open to control by a malicious site.

2000-02-24 Thread Cancer Omega

On Wed, 23 Feb 2000, Jim Paris wrote:

> > BigMailBox.com was notified of the problem on Fri, 11 Feb 2000. After
> > additional testing and verification, staff of BigMailBox.com patched
> > the vulnerability on Mon, 14 Feb 2000.
> ...
> > Contact BigMailBox and complain about shoddy and insecure e-mail access.
>
> They patched the hole in 3 days (over a weekend, no less!).  I don't
> think that demands mass complaints about "shoddy and insecure"
> e-mail.  They seem to have been very responsible about the bug.

The fix did not occur three days following notification.  After posting
our notice, we were notified by another Bugtraq subscriber that said
vulnerability had been previously posted to Bugtraq over a *month* ago.
(Yeah, we missed that, but so did BigMailBox.)

.c



Re: Wordpad vulnerability, exploitable also in IE for Win9x

2000-02-24 Thread Pauli Ojanpera

The nice thing about that is you can have '.txt'
extension in the file (i.e. wordpad1.txt).
WordPad autodetects it as a RTF document anyway.
__
Get Your Private, Free Email at http://www.hotmail.com

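Added example, not code from Guninski, Pauli Ojanpera, Indeera or any Microsoft component: a small RTF triage scanner in Python that applies three checks raised across this thread and the OE5 crash thread. It identifies RTF by the {\rtf header rather than the file extension (Pauli's point about wordpad1.txt), it lists embedded and linked OLE objects by walking the \object, \objemb, \objlink, \objautlink and \objclass control words from the RTF specification (Guninski's vector), and it flags control words carrying absurdly long numeric parameters, the shape of the {\rtf\a112911...} string reported to crash OE5. The 10-digit threshold is my own heuristic, the sample documents are constructed here, and a clean report is not proof that a document is safe.

```python
"""RTF triage: sniff the header, list OLE objects, flag overlong parameters
(added example; thresholds and samples are my own)."""
import re

RTF_MAGIC = b"{\\rtf"
# RTF control word: backslash, letters, optional signed numeric parameter,
# optional single delimiting space.
CONTROL = re.compile(rb"\\([A-Za-z]+)(-?[0-9]+)? ?")
# Object linkage control words from the RTF specification.
OBJECT_KINDS = {b"objemb": "embedded", b"objlink": "linked",
                b"objautlink": "auto-linked"}


def is_rtf(data: bytes) -> bool:
    """WordPad sniffs content, so a .txt that starts with {\\rtf is still RTF."""
    return data.lstrip().startswith(RTF_MAGIC)


def triage_rtf(data: bytes, max_param_digits: int = 10) -> dict:
    """Walk the control words and report objects and suspicious parameters."""
    report = {"is_rtf": is_rtf(data), "objects": [], "overlong_params": []}
    if not report["is_rtf"]:
        return report
    current = None
    for m in CONTROL.finditer(data):
        word, param = m.group(1), m.group(2)
        # Heuristic: the OE5 crash string is \a followed by dozens of digits.
        if param and len(param.lstrip(b"-")) > max_param_digits:
            report["overlong_params"].append((word.decode(), len(param)))
        if word == b"object":
            current = {"kind": "unknown", "class": None}
            report["objects"].append(current)
        elif word in OBJECT_KINDS and current is not None:
            current["kind"] = OBJECT_KINDS[word]
        elif word == b"objclass" and current is not None:
            # {\*\objclass Name} : the class name runs to the closing brace.
            end = data.find(b"}", m.end())
            if end != -1:
                current["class"] = data[m.end():end].strip().decode("ascii", "replace")
    return report


def needs_review(report: dict) -> bool:
    """True if the document carries any object or any overlong parameter."""
    return report["is_rtf"] and (bool(report["objects"]) or bool(report["overlong_params"]))


# Constructed samples (not real malware): an RTF with one embedded OLE object
# of class "Package", the shape of the OE5 crash string, and plain text.
SAMPLE_EMBED = (b"{\\rtf1\\ansi Hello {\\object\\objemb{\\*\\objclass Package}"
                b"{\\*\\objdata 0105000002000000}{\\result Double-click me}} bye}")
SAMPLE_CRASH = b"{\\rtf\\a" + b"112911" * 6 + b"}"
SAMPLE_TXT = b"just text, named whatever.txt\n"

if __name__ == "__main__":
    for name, doc in (("embed", SAMPLE_EMBED), ("crash", SAMPLE_CRASH), ("txt", SAMPLE_TXT)):
        rep = triage_rtf(doc)
        print(name, "review" if needs_review(rep) else "ok", rep)
```

Run it over an attachment or a saved mail body before opening it; the scanner reads bytes only and never hands the document to WordPad, Word or the RichEdit control, which is what every result in this thread depends on.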


Pragma Systems response to USSRLabs report

2000-02-24 Thread Ussr Labs

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Pragma Systems response to USSRLabs report

On February 22, 2000, Pragma Systems received an anonymous email
regarding a security issue reported to NT Security News, hosted by
Windows 2000 magazine, with our InterAccess TelnetD Server 4.0 for
NT. We took immediate action to determine if a problem existed. After
researching the report and the company reporting the issue, USSRLabs,
we have determined that a possible problem could exist.

We have been unable to duplicate the problem with the January 5, 2000
Build 7 release available from our site. We have tested our server
installed on NT4 SP5, Windows 2000 Build 2128, and NT4 SP 6a. From
the USSRLabs website, we have discovered that they tested with Build
4, build date of May 4, 1998, and did not complete the testing with
the latest version to determine if the problem had been fixed. Please
note, that this company did report the problem as occurring with a
build nearly 2 years old. We do not have any information about what
type of system USSRLabs did their testing on.

The reported problem results in a 100% CPU usage. From our experience
this is caused by a Winsock error during a recv() call. It is
possible that this error would only occur on systems running the
Service packs with winsock updates. Pragma Systems has requested
testing procedures from USSRLabs to verify if a service pack update
was attempted to solve the problem. At this time, we have little
information about how this result was produced.

Solutions to this problem are to update service packs and InterAccess
TelnetD Server 4.0 to the latest build.

For any further information on our testing and available updates,
contact Beth Henry, Software Project Lead, at [EMAIL PROTECTED]

Thank you for taking the time to research this issue for yourself.

Pragma Systems, Inc.
13706 Research Blvd, #301
Austin, TX 78750
(512) 219-7270
[EMAIL PROTECTED]

from http://www.pragmasys.com/USSR_response.htm
- --
- 

It appears the people at Pragma Systems do not understand what the real
problem is: the exploit (from us) causes 100% CPU usage; there are no
problems in Winsock or service packs.

The TelnetD program has the problem in its implementation of recv(),
which has an unchecked buffer, which causes a buffer overflow.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.2 for non-commercial use 

iQA/AwUBOLRIKdybEYfHhkiVEQLMfgCfbwI2z1fgQHWxwlwK0C12/hDS1w8Anip+
4iYqngt3kvT9GtotTMVtJfT3
=t1KQ
-END PGP SIGNATURE-



Local / Remote Exploitable Buffer Overflow Vulnerability in InterAccess TelnetD (fwd)

2000-02-24 Thread Alfred Huger

-- Forwarded message --
Date: Wed, 23 Feb 2000 10:59:20 -0600
From: Edith Myers <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Local / Remote Exploitable Buffer Overflow Vulnerability in
InterAccess TelnetD

Hello --

We have been in current contact with USSR Labs. I have also contacted
NTSecurity.net regarding this issue.

USSR Labs stated that they had contacted us and we had not contacted them
back regarding this issue. In actuality, we had not received any contact
from them prior to the release of the information regarding the Telnet
Server issue. After we received information from NTSecurity.net stating
that they had published this error on their web page, we contacted USSR
Labs and they stated that they had tried to contact us from our Tech
support web page but kept getting ODBC errors -- therefore, no contact had
been received from them and we could not tell them that this is a BUILD 4
issue and we are currently on BUILD 7 (we have not sold build 4 or had it
on our web site for download in over a year).

We have come to find out that it may be a WinSock issue with older service
packs which can be resolved by updating the service pack/WinSock or by
downloading the latest version of InterAccess TelnetD Server for Windows NT
4.0 (build7).

I informed USSR Labs that they could have directly emailed Pragma (since
our email address is listed) or called us regarding this issue. They had
presented the information as if we were ignoring their attempts to contact
us, whereas in actuality we were not being contacted because of the ODBC
error was preventing any contact from getting to Pragma. So I had suggested
that they should have found an alternative method for contacting us.
(NOTE: we have hence fixed the ODBC error that had been occurring on our Tech
Support page and now have a direct MailTo link).

(That's what's been going on over the past day -- just to update you to
this point)

Please let your readers know that this is a BUILD 4 issue (which was
released June 1998) and we are now on BUILD 7. The problem can be fixed by
updating the service pack/WinSock or by updating to BUILD 7.

(FYI-- we emailed USSR Labs our latest build of the product and one of our
IP addresses to help them. After giving them this, they are now excessively
pinging this computer. They have emailed me asking me if I have found
anything interesting on this computer. I found that to be slightly malicious).

Please let me know if this information helps your readers.

Regards,
Edith H. Myers



Director of Marketing & Operations  Tel:  512-219-7270
Pragma Systems, Inc.Fax: 512-219-7110
http://www.pragmasys.com



^ ^
   ^ ^   ^ ^
 O  O
=== _|_ ===



Tfn2k Password Recovery

2000-02-24 Thread Simple Nomad

Tfn2k asks for a password during the build, which is used to prevent
someone from recovering the password from the td or tfn binaries. I
wrote a program that will recover the password. It will compile and run
on Solaris and Intel-based free Unix systems (didn't test it elsewhere).
It can extract the password from a Sol, Intel-based Linux, or
Intel-based FreeBSD binary td or tfn (also probably others but just tested
these). In other words, you can extract passwords from a Linux td binary
on your Sol 2.7 box.

Uses for this include:

Scenario #1 -

 You are a hot cybersleuth, extracting the password as a part of a
 forensics effort. If the password matches some other forensic stuff
 (like the password of a suspected script kid, or the DES key that
 unlocks a cache of hacker tools in a tar file), you might catch that
 elusive cyberterrorist.


Scenario #2 -

 You have discovered a cache of tfn2k binaries on your large network.
 By recovering the password, you can compile your own tfn and send
 a command to be rexec'd to each suspected system, such as:

   echo "0wned!! Clean me!!" | mail [EMAIL PROTECTED]

 Optionally if you discover you are flooding someone, you could
 send the command to stop the flood from your new tfn binary.


Scenario #3 -

 You are under attack and Zombie Zapper didn't help (ZZ only works
 against tfn, trinoo, and stacheldraht). Send the sites attacking
 you this software and ask them to send you the password. Once you
 have it, compile your own tfn and start telling those zombies to
 leave you alone! Okay, this last one is a little far-fetched and
 won't work if the attack lasts just a couple of hours and if the
 addresses are forged, but it is better than nothing.

Have fun and play nice, everyone!

- Simple Nomad  -  No rest for the Wicca'd  -
-  [EMAIL PROTECTED]-www.nmrc.org   -
-  [EMAIL PROTECTED]  - razor.bindview.com-

/*
 * tfn2kpass - tfn2k Password Recovery. Extract password for tfn2k from a
 * td or tfn binary.
 *
 * Written by Simple Nomad [[EMAIL PROTECTED]] 21Feb2000
 *
 * More fun stuff at http://razor.bindview.com/, licensing at end
 * of file.
 *
 * Should compile and run fine on any Intel/Sun-based system:
 *gcc -o tfn2kpass tfn2kpass.c
 *
 * Example usage:
 *./tfn2kpass tfn-binary-file
 *
 * Tested against binaries compiled on Intel Linux, Intel FreeBSD, and
 * Solaris. Thanks for the help, Jordan <[EMAIL PROTECTED]>
 * and Paul <[EMAIL PROTECTED]> from the RAZOR team.
 *
 */

/* includes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Main program
 */
int main(int argc, char *argv[])
{
  FILE *ftd;
  int i, search = 0, search2, found = 0, rew = 32;
  unsigned char recover[32];
  unsigned char password[32];
  unsigned char offset;
  char close[]="@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"; /* the 40 '@' marker */
  char check[sizeof(close)];

  /* Say hello... */
  printf("tfn2kpass - Recover the password from tfn2k's 'td' or 'tfn'\n");
  printf("Comments/bugs: Simple Nomad <[EMAIL PROTECTED]>\n");
  printf("http://razor.bindview.com/\n\n");

  if (argc!=2)
  {
fprintf(stderr,"USAGE: tfn2kpass <tfn-binary-file>\n\n");
fprintf(stderr,"EXAMPLES:\n");
fprintf(stderr,"  tfn2kpass renamed_td\n");
exit(-1);
  }

  ftd=fopen(argv[1],"rb");
  if (ftd == NULL)
  {
fprintf(stderr,"Unable to open file %s.\n",argv[1]);
exit(-1);
  }

  /* first we search the file for the first marker that we
 are close to the password -- the 40 @'s should be right
 after the password */
  while(!feof(ftd))
  {
fseek(ftd,search,SEEK_SET);
fread(&check,40,1,ftd);
if (!strncmp(check,close,40))
{
  found = 1;
  break;
}
search++;
  }

  if (found)
  {
found = 0; /* reset our flag for next 'find' */
search--;
search2 = search;
/* Now we'll search backward looking for the first non-zero
   value, which is the offset used to mask the password.
   The amount of zeroes depends upon platform as well as the
   daemon type (td or tfn), so we move back one at a time.
   Also it allows us to examine daemons compiled on a freebsd
   box from our linux box, for example. */
while(search2!=0)
{
  fseek(ftd,search2,SEEK_SET);
  fread(&offset,1,1,ftd);
  /* Sol bins have the needed "offset" right before the string
 of @'s as well as at the end of the password field, so we
 need to skip that byte. Also, if we do not shorten the
 amount of bytes for a Sol bin by one, we end up with one
 extra char at the beginning of the password. Go figure. */
  if((offset) && (search2 == search))
  {
rew--;
  }
  else if(offset)
  {
found = 1;
break;
  }
  search2--;
}
if (found) /* if we found the offset, grab and print the password */
{
  fseek(ftd,search2-rew,SEEK_SET);
  fread(&recover,32,1,ftd);
  fclose(ftd);

  for (i=0;i<32;i++) password[i]=recover[i] - offset;
      /* password[] is not NUL-terminated, so print at most 32 bytes */
      printf("The password is - %.32s\n", (char *)password);
    }
  }

  if (!found)
  {
    fprintf(stderr,"Could not locate the password marker in %s.\n",argv[1]);
    fclose(ftd);
    exit(-1);
  }

  return 0;
}

Sambar Server alert! (2)

2000-02-24 Thread Georgi Chorbadzhiyski

Hello!

Small addition to my previous post:

Sambar server running on Windows 95/98 is _NOT_ vulnerable.

Sorry for the typo :(

All versions of SAMBAR running on NT/2000, containing HELLO.BAT and
ECHO.BAT in their /CGI-BIN/ directory _ARE_ vulnerable.


Georgi Chorbadzhiiski



Re: Toshiba NoteBooks BIOS Password Backdoor - Password Cracker - Follow The Instructions.

2000-02-24 Thread Doctor Muerte

The one and only way to bypass the Power On BIOS password 
of a Toshiba Notebook. This method works on all models. 

This is what you need:

1. Your notebook
2. An empty formatted diskette (720 kb or 1,44 mb)
3. A second computer (e.g. a DOS desktop PC)
4. A hex-editor (e.g. Norton DiskEdit or HexWorks)

This is what you have to do:

1. Start the desktop PC and start the hex-editor
2. Put the disk in drive A:
3. Change the first five bytes of sector 1 (boot sector is 
sector 0) to: 4B 45 59 00 00
4. Save it! Now you have a KEYDISK
5. Remove the disk from drive A:
6. Put the disk in the notebook drive
7. Start the notebook in Boot Mode (push the reset button)
8. Press Enter when asked for Password:
9. You will be asked to Set Password again. Press Y and 
Enter.
10. You now see the BIOS configuration where you can set a 
new password.

And that's all!

Oscar Vila

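Added example, not from Oscar Vila's post or any Toshiba tool: a Python script that builds (or patches) a floppy image with the signature from step 3 at the start of sector 1. The bytes 4B 45 59 00 00 are ASCII "KEY" followed by two NUL bytes; the two floppy sizes are the ones the post names. Writing the image to a physical diskette is left to dd or a similar raw-device tool.

```python
"""Build or patch a floppy image carrying the Toshiba key signature (added example)."""
SECTOR = 512
FLOPPY_SIZES = {"720k": 737280, "1.44m": 1474560}   # the two sizes the post names
KEY_SIGNATURE = bytes.fromhex("4B45590000")          # "KEY" + two NUL bytes
KEY_OFFSET = 1 * SECTOR                              # first five bytes of sector 1


def patch_keydisk(image: bytearray) -> bytearray:
    """Write the signature into sector 1, leaving the boot sector (sector 0) alone."""
    if len(image) < KEY_OFFSET + len(KEY_SIGNATURE):
        raise ValueError("image too small to hold sector 1")
    image[KEY_OFFSET:KEY_OFFSET + len(KEY_SIGNATURE)] = KEY_SIGNATURE
    return image


def make_keydisk_image(size: str = "1.44m") -> bytearray:
    """A zero-filled image of the given floppy size with the signature applied."""
    return patch_keydisk(bytearray(FLOPPY_SIZES[size]))


def is_keydisk(image: bytes) -> bool:
    """Check an image (or a raw dump of a real diskette) for the signature."""
    return bytes(image[KEY_OFFSET:KEY_OFFSET + len(KEY_SIGNATURE)]) == KEY_SIGNATURE


def write_image(path: str, image: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(image)


if __name__ == "__main__":
    img = make_keydisk_image("1.44m")
    write_image("keydisk.img", img)
    print("keydisk.img written, signature present:", is_keydisk(img))
```

To put only sector 1 onto a real diskette from a Unix host: dd if=keydisk.img of=/dev/fd0 bs=512 skip=1 seek=1 count=1 conv=notrunc. On a DOS-formatted 720K or 1.44M floppy sector 1 is the first FAT sector, so the disk is no longer usable for files afterwards; use the spare, empty diskette the post calls for.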


Re: MS signed software privileges

2000-02-24 Thread Microsoft Product Security Response Team

Hi All -

We wanted to respond to Juan Cuartango's comments on the purpose of the
handling of Microsoft certificates in the Active Setup control.  While we
love a good conspiracy theory as much as the next person, the reality is
that the certificates are treated as they are in order to improve our
customers' experience while downloading software from Microsoft web sites.
In the past, customers complained about being prompted to "OK" every signed
control after they went to one of our web sites to load or update software.
Because of this, the Active Setup control treats the Microsoft certificates
as "trusted providers".

We understand that a few customers may find this behavior undesirable, and
we are concerned by the scenario that Elias pointed out.  Therefore, we will
be modifying the Active Setup control so that it warns before downloading
unless a customer has specifically requested that he not be warned in the
future.  Regards,

[EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 22, 2000 8:36 AM
To: [EMAIL PROTECTED]
Subject: MS signed software privileges


I would like to clarify some aspects from the Elias post
regarding Microsoft signed software.
The fact that anybody could install MS signed software
using Active Setup component is not very important.
The issue is : MS can silently execute any code in our
Windows systems just using their signature.
MS has privileged their code, even if your IE security
setting "Download signed ActiveX" is set to prompt MS
software will be installed without prompting the user.
It seems that MS has left a back door that will allow them
to perform any action in the Windows systems just visiting
a WEB page or opening an e-mail message.
I have prepared a demo in :
http://www.angelfire.com/ab/juan123/iengine.html

This demo shows the different behaviour of IE when the
ActiveX is signed by MS or signed by others.

This issue opens a big security and privacy hole, MS can
take complete control over our systems using this backdoor.

Is this backdoor acceptable?
In my opinion it is not. I have worked 18 years for
different OS software manufacturers and I have never
installed one line of code without a previous user approval.



ITS4 Version 1.0.1

2000-02-24 Thread John Viega

I just put up a new version of ITS4.  It's got a modified license
file, so it should now match RST's intentions toward the software (it
was previously too restrictive).  There are some other changes that
were largely contributed, including support for VC++.

Here's the changelog from 1.0->1.0.1:
- Added support for Visual C++ 5.0 and later.  Patches sent by Russell Lang.
  Note that wildcards at the commandline will not work.
- Added GNU getopt to the distribution for platforms that don't have it.
- Changed the LICENSE file, as it had a few problems where the text
  didn't match the intent.  Whoops... we're geeks, not lawyers...
  Thanks to Steffen Zahn for pointing out this problem.
- Made some other minor changes, mainly related to portability issues.
  Thanks to Thomas Klausner, Chris Faulhaber and William Bader for their
  patches.