Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-01 Thread Jeffrey Denton
On Jan 1, 2008 7:33 PM, reepex [EMAIL PROTECTED] wrote:

 http://www.tssci-security.com/bookshelf/

 Is this list up to date?  It makes it seem as if you are learning basic
 linux commands, sed, and basic perl. Also why are you reading operating
 system design and implementation when you do not know C? ( Seeing as C books
 are in your 'to-read' list ).

The C programming book listed on the bookshelf has been given a Not
Recommended review by the ACCU.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [+] Vulnerability in less version 394 and prior

2007-10-31 Thread Jeffrey Denton
On 10/31/07, glopeda.com [EMAIL PROTECTED] wrote:
 From: [EMAIL PROTECTED]
 Application: less 394 and prior
 Type: Format strings vulnerability
 Priority: Low

 Meager demonstration:
 $ export LESSOPEN=%s%n
 $ less somefile
 Segmentation fault
 $

Interesting...

$ echo $LESSOPEN
|lesspipe.sh %s
$ export LESSOPEN=%s%n
$ less iptraf.txt
/bin/bash: ./iptraf.txt: Permission denied
: No such file or directory
$ less --version
less 394
Copyright (C) 1984-2005 Mark Nudelman

less comes with NO WARRANTY, to the extent permitted by law.
For information about the terms of redistribution,
see the file named README in the less distribution.
Homepage: http://www.greenwoodsoftware.com/less
$ id
uid=1000(dentonj) gid=100(users)
groups=11(floppy),17(audio),18(video),19(cdrom),83(plugdev),100(users)
$ ls -l iptraf.txt
-rw-r--r-- 1 dentonj users 300 2007-10-25 08:04 iptraf.txt
$ echo $LESSOPEN
%s%n
$ cat /etc/slackware-version
Slackware 12.0.0

$ strace /usr/bin/less iptraf.txt

Re: [Full-disclosure] New RFID Mailing List Owner 0day

2007-09-29 Thread Jeffrey Denton
Your script assumes a few things that are not part of a default
Slackware install.

# This script was created for use on Slackware!

 exit 5

What is the purpose of the exit status code of 5?  Yes, any non-zero
number indicates an error.  Common exit codes are 0 (succeeded), 1 (or
any non-zero number, failure), 126 (command found but not executable),
127 (command not found), and 128+N (fatal error where N is the SIGNAL
that caused the exit).  An exit status of 5 works, just curious as to
its purpose.

 chown root.staff ping

staff is not a default group in Slackware.  Your script assumes that
it has already been created.

 chmod 500 ttysnoop

ttysnoop is not installed by Slackware.

 chmod 600 inetd.conf

It would also be a good idea to remove the execute permissions from
/etc/rc.d/rc.inetd and any other service in /etc/rc.d that isn't
needed.  Restricting the read permissions of the contents of that
directory is also a good idea.

 cp /root/slack/syslog.conf /etc

The file, /root/slack/syslog.conf does not exist by default in Slackware.

 # Tighten up the log file perms now
 cd /var/log
 chmod 600 syslog log.auth log.cron log.daemon log.kern log.mail
 log.mark log.syslog
 chmod 600 log.user messages ftp.log secure.log
 chown root.wheel syslog log.auth log.cron log.daemon log.kern
 log.mail log.mark log.syslog
 chown root.wheel log.user messages ftp.log secure.log

Most of these files do not exist by default.  I'll assume that they
are the product of your custom syslog.conf.

 echo MAKE SURE YOU ADD USERS THAT YOU WANT TO BE ABLE TO SU TO
 ROOT
 echo TO THE ROOT AND WHEEL GROUPS OR THEY WON'T BE ABLE TO!!.

There is nothing in a default Slackware install that will restrict the
use of the su command.  Slackware does not use PAM.  The
/etc/suauth file does not exist by default.



Re: [Full-disclosure] Very strange nmap scan results

2007-09-21 Thread Jeffrey Denton
Use the -sV --version-all options to determine version/service info
for each port.

On 9/21/07, scott [EMAIL PROTECTED] wrote:

 Did this particular person, or persons, know what you were going to do?

 Looks like a honeypot, to me.

 Been wrong before, won't be the last. I hope, for the sake of whomever
 you are auditing, that this is the case.

 Cheers,  Redwolfs always


 Juan B wrote:
  Hi all,
 
  For a client I'm scanning his DMZ from the internet.
  
  I know the servers are behind a PIX 515 without any added security
  features (they don't have any IPS, or they didn't enable the IPS
  feature of the PIX).
  
  The strange thing is that I receive too many open ports! For example,
  I scan the mail relay, and although just port 25 is open it reports
  lots more open ports! This is the nmap scan I issued:
  
  nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt
  
  (I changed the IPs here...)
  
  and the results for the mail relay, for example, are:
 
 
  Interesting ports on mail.cpsa.com (200.61.44.50):
  PORT    STATE    SERVICE
  1/tcp   open     tcpmux
  2/tcp   open     compressnet
  3/tcp   open     compressnet
  4/tcp   open     unknown
  5/tcp   open     rje
  6/tcp   open     unknown
  7/tcp   open     echo
  8/tcp   filtered unknown
  9/tcp   open     discard
  10/tcp  open     unknown
  11/tcp  open     systat
  12/tcp  open     unknown
  13/tcp  open     daytime
  14/tcp  open     unknown
  15/tcp  open     netstat
  16/tcp  open     unknown
  17/tcp  open     qotd
  18/tcp  filtered msp
  19/tcp  open     chargen
  20/tcp  open     ftp-data
  21/tcp  open     ftp
  22/tcp  open     ssh
  23/tcp  open     telnet
  24/tcp  open     priv-mail
  25/tcp  open     smtp
  26/tcp  open     unknown
  27/tcp  open     nsw-fe
  28/tcp  open     unknown
  29/tcp  open     msg-icp
  30/tcp  open     unknown
  31/tcp  open     msg-auth
  32/tcp  open     unknown
  33/tcp  open     dsp
  34/tcp  open     unknown
 
  this continues up to port 1024..
 
  any ideas how to eliminate so many false positives?
 
  thanks a lot,
 
  Juan
 
 
 
  
 




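Before spending time on the -sV --version-all pass Denton suggests, a quick triage step for the "every port is open" result Juan describes is to flag hosts whose open-port count is implausibly high for the range scanned, since a firewall or honeypot completing the handshake on everything produces exactly that pattern. The script below is an added example, not code from anyone on the thread; it parses nmap's normal-output port table (the format quoted above) and the sample scan, 192.0.2.x placeholder IPs and 0.5 threshold are constructed.

```python
import re
from collections import Counter

HOST_RE = re.compile(r"^Interesting ports on (\S+) \((\S+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|closed)\s+(\S+)")


def constructed_sample():
    """Constructed nmap normal output (not a real scan): host one mirrors
    the 'every port open' mail relay in the thread, host two is a plausible
    normal result. 192.0.2.x are documentation-range placeholder IPs."""
    lines = ["Interesting ports on mail.example.test (192.0.2.50):",
             "PORT     STATE    SERVICE"]
    for port in range(1, 1025):
        state = "filtered" if port in (8, 18) else "open"
        lines.append(f"{port}/tcp  {state}  unknown")
    lines += ["Interesting ports on www.example.test (192.0.2.51):",
              "PORT     STATE    SERVICE",
              "22/tcp   open     ssh",
              "80/tcp   open     http"]
    return "\n".join(lines)


def parse_nmap(text):
    """Map each host IP to a Counter of port states (open/filtered/closed)."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2)
            hosts[current] = Counter()
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current][m.group(3)] += 1
    return hosts


def suspicious_hosts(hosts, ports_scanned, ratio=0.5):
    """Hosts reporting more than ratio*ports_scanned open TCP ports.

    A mail relay exposing only SMTP does not have a thousand listeners; a
    firewall or honeypot completing the handshake for every port does.
    Such hosts need a second pass (e.g. nmap -sV --version-all) before
    any port is reported as a finding."""
    return sorted(ip for ip, states in hosts.items()
                  if states["open"] > ratio * ports_scanned)


if __name__ == "__main__":
    results = parse_nmap(constructed_sample())
    for ip in suspicious_hosts(results, ports_scanned=1024):
        print(f"{ip}: {results[ip]['open']} of 1024 ports 'open', verify with -sV")
```

The 1024 passed as ports_scanned comes from the -p1-1024 range in Juan's command; adjust it to whatever range the scan actually covered.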


Re: [Full-disclosure] beginning to count the time

2005-08-23 Thread Jeffrey Denton
On 8/23/05, Adam Gardner [EMAIL PROTECTED] wrote:
 Sure, its:
 
 root:*:0:3:gecos:/home/root:/sbin/sh
 

man crypt