RE: [Full-Disclosure] Using Xbox live for covert communication

2004-06-04 Thread Wehner, Paul (wehnerpl)
Then why not find a friend in Germany and pretend to plan a biological
attack?
See how "un-monitored" and "private" it is then :-)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 03, 2004 12:25 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Using Xbox live for covert communication

Recently, I subscribed to Xbox live. After playing on some of the games
online, I thought that this is a perfect place for covert communication. 

The rooms aren't monitored. You can open up private rooms and communicate
with invited friends.

Who knows... :-) 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



[Full-Disclosure] NYC Security Shindig Version 2 (with punch and pie!)

2004-06-04 Thread Dave Aitel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
New York City Security Shindig 2

Security Shindigs are ways for technical people in the Information Security
industry to get together, view an informative technical presentation, and
otherwise have a good time.

Date/Time: Monday June 14th, 6pm
Location: Two Boots "Den of Cin" http://www.twoboots.com/theden/
44 Avenue A (at E 3rd Street) underneath Two Boots Video.
Speaker/Topic: Jamie Butler. Kernel Rootkits. I've seen the slidepack, and it
was extremely interesting if you're interested in kernel rootkits, which you
should be. It focuses on Win32, but touches on Linux. Jamie teaches a class
on the subject that has gotten nothing but good reviews, so you should
welcome this free chance to see what he's got going on. I've been told there
will be demonstrations and other excitement.
Extras: Free Soda and Pizza (toppings extra). Cash bar. Potential book raffle!
Sponsor: Immunity, Inc. (www.immunitysec.com)
RSVP Contact: Dave Aitel - [EMAIL PROTECTED]
Check the Daily Dave mailing list for updates and further information!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFAwIElzOrqAtg8JS8RAsbqAJ98Y+Mx+/rhxwhBYeQV1SKIeGvQ6wCeIgvV
/LtVWnzTk3wwKUHc8iD9Ua4=
=nO5v
-END PGP SIGNATURE-


[Full-Disclosure] [SECURITY] [DSA 514-1] New Linux 2.2.20 packages fix local root exploit (sparc)

2004-06-04 Thread debian-security-announce
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 514-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
June 4th, 2004  http://www.debian.org/security/faq
- --

Package: kernel-source-2.2.20, kernel-image-2.2-sparc
Vulnerability  : failing function and TLB flush
Problem-Type   : local
Debian-specific: no
CVE ID : CAN-2004-0077
CERT advisory  : VU#981222

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical
security vulnerability in the memory management code of Linux inside
the mremap(2) system call.  Due to flushing the TLB (Translation
Lookaside Buffer, an address cache) too early it is possible for an
attacker to trigger a local root exploit.

The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the
respective kernel series, though.  We formerly believed that the
exploitable vulnerability in 2.4.x does not exist in 2.2.x which is
still true.  However, it turned out that a second (sort of)
vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a
different exploit, of course.

For the stable distribution (woody) these problems have been fixed in
version 9woody1 of Linux 2.2 kernel images for the sparc architecture
and in version 2.2.20-5woody3 of Linux 2.2.20 source.

For the unstable distribution (sid) these problems have been fixed in
version 9.1 of Linux 2.2 kernel images for the sparc architecture.

This problem has been fixed for other architectures already.

We recommend that you upgrade your Linux kernel package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/k/kernel-source-2.2.20/kernel-source-2.2.20_2.2.20-5woody3.dsc
  Size/MD5 checksum:  661 4eede8cde6013e6660459173dacd8e4e

http://security.debian.org/pool/updates/main/k/kernel-source-2.2.20/kernel-source-2.2.20_2.2.20-5woody3.diff.gz
  Size/MD5 checksum:   159991 26db63a4af138d5c67c433da29778102

http://security.debian.org/pool/updates/main/k/kernel-source-2.2.20/kernel-source-2.2.20_2.2.20.orig.tar.gz
  Size/MD5 checksum: 19394649 57c0edf86cb23a5b215db9121c9b3557


http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.2/kernel-image-sparc-2.2_9woody1.dsc
  Size/MD5 checksum:  768 58d7d78f4cc97af50074cafa2322ca7c

http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.2/kernel-image-sparc-2.2_9woody1.tar.gz
  Size/MD5 checksum:25540 af1005c87ca491c28108fda2a66efb2c

  Architecture independent components:


http://security.debian.org/pool/updates/main/k/kernel-source-2.2.20/kernel-doc-2.2.20_2.2.20-5woody3_all.deb
  Size/MD5 checksum:  1162414 d244e1206d51a785d2a298df8ffbb9e8

http://security.debian.org/pool/updates/main/k/kernel-source-2.2.20/kernel-source-2.2.20_2.2.20-5woody3_all.deb
  Size/MD5 checksum: 15848780 33170e34a3d4c56e910314be93f0b184


http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.2/kernel-headers-2.2.20-sparc_9woody1_all.deb
  Size/MD5 checksum:  1122094 e5bdced5ca4b46cffec44e531c238a56

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.2/kernel-image-2.2.20-sun4cdm_9woody1_sparc.deb
  Size/MD5 checksum:  1617420 3789f331d7aa2e9c10b3ffee08c82b94

http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.2/kernel-image-2.2.20-sun4dm-smp_9woody1_sparc.deb
  Size/MD5 checksum:  1653324 e0b6db9b869d1dd51e2a615a0eaef8a1

http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.2/kernel-image-2.2.20-sun4u_9woody1_sparc.deb
  Size/MD5 checksum:  2023252 50b820b56ed032a532d5e0bbff5f58b1

http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.2/kernel-image-2.2.20-sun4u-smp_9woody1_sparc.deb
  Size/MD5 checksum:  2066292 9144adfbf2bce6098028b69ee28658b8


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://pa

[Full-Disclosure] Integrigy Security Alert - Multiple SQL Injection Vulnerabilities in Oracle E-Business Suite

2004-06-04 Thread Integrigy Security
__

Integrigy Security Alert
__
 
Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities
June 3, 2004
__
 
Summary:
 
Multiple SQL injection vulnerabilities exist in the Oracle E-Business Suite
11i and Oracle Applications 11.0.  These vulnerabilities can be remotely
exploited simply using a browser and sending a specially crafted URL to the
web server.  A mandatory patch from Oracle is required to solve these
security issues.
 
Product:Oracle E-Business Suite
Versions:   11.0.x, 11.5.1 - 11.5.8
Platforms:  All platforms
Risk Level: Critical
_
 
Description:
 
Integrigy has discovered multiple SQL injection vulnerabilities in almost
all supported versions of Oracle Applications (11.0 and 11i).  Because
Oracle Applications 11i installs code for all product modules, all Oracle
Applications 11i customers are vulnerable to these SQL injection issues.
 
A SQL injection vulnerability allows an attacker to execute SQL statements
or database functions by inserting SQL code fragments into input fields of a
web page.  Due to the design of Oracle Applications, a SQL injection attack
can easily and effectively compromise the entire database and application.
 
Customers with Internet facing application servers are most vulnerable since
these vulnerabilities can be exploited remotely using a browser.  Since
attacks can be specially crafted for Oracle Applications and an attack may
only be a single HTTP Get or Post, successful attacks can be easily designed
that will evade most intrusion detection and prevention systems.
 
Solution:
 
Oracle has released a patch for Oracle Applications 11.0 and the Oracle
E-Business Suite 11i to correct these vulnerabilities.
 
The following Oracle patches must be applied --
 
  Version   Patch
  -------   ---------------------------
  11i       3644626 (11.5.1 - 11.5.8)
  11.0      3648066 (all versions)
 
The patch availability matrix is available in Oracle Metalink Note ID
274375.1.
 
Oracle Applications 11i customers that have applied both the Report Manager
Mini-pack B (11i.FRM.B) or greater AND Marketing Suite Family Pack B
(11i.MKT_PF.B) do NOT need to apply a patch for these vulnerabilities -
these patch levels are included in 11.5.9.
 
All Oracle Applications customers should consider this vulnerability
extremely high risk and apply the above patch at the earliest possible
opportunity.  Customers with Internet facing application servers should
apply the patch immediately.
 
Appropriate testing and backups should be always performed before applying
any patches.
 
Additional Information:
 
  http://www.integrigy.com/resources.htm
  http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
  Metalink Note ID 274356.1 (Oracle Security Alert)
  Metalink Note ID 274375.1 (Patch Availability Matrix)
 
For more information or questions regarding this security alert, please
contact us at [EMAIL PROTECTED]
 
Integrigy has included checks for these vulnerabilities in AppSentry, a
vulnerability scanner for Oracle Applications, and AppDefend, an application
intrusion prevention system for Oracle Applications.
 
Credit:
 
This vulnerability was discovered by Stephen Kost of Integrigy Corporation.
__
 
About Integrigy Corporation (www.integrigy.com)
 
Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest and
most important applications. Integrigy Consulting offers security assessment
services for leading ERP and CRM applications.
 
For more information, visit www.integrigy.com.



[Full-Disclosure] Out of Office

2004-06-04 Thread Derek
I am out of office until 10th of June, please be patient
with the email correspondence to catch up.

derek holzer



[Full-Disclosure] Colin McRae Rally 04 broadcast clients crash

2004-06-04 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Colin McRae Rally 04
  http://www.codemasters.com/colinmcraerally04/
Versions: 1.0
Platforms:Windows
Bug:  bad allocation (?)
Risk: medium
Exploitation: remote, versus clients (broadcast)
Date: 04 June 2004
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Colin McRae Rally 04 is the famous rally game developed by Codemasters
and released at the beginning of April 2004.


###

==
2) Bug
==


The bug is in a value that the servers send back to the clients when
they enter the multiplayer menu.
The bugged value is the number of players in the server ("numplayers");
if it is too high, it crashes the client.

Due to the location of the bug, any vulnerable client can't play online
because it automatically requests information from all the online
servers, so a single malicious server can passively block the entire
game network.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/cmr4cdos.zip


###

==
4) Fix
==


No fix.
Two months for a patch is not what I mean by "quick fix".
The bug was found just two days after the public release of the game
and quickly reported to the developers, but no patch has been released
yet.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-Disclosure] another new worm submission

2004-06-04 Thread Perrymon, Josh L.
http://www.detroit-x.com/analysis.htm

This is something we found this morning. I have packet captures that I will
post.
I have attached the infected files found with FPORT and also registry
entries.

We found this rebooting machines with the LSASS.exe error similar to Sasser.
As of 6/4/2004 we found no virus defs to pick it up.


Joshua Perrymon
Sr. Network Security Consultant

PGP Fingerprint
51B8 01AC E58B 9BFE D57D  8EF6 C0B2 DECF EC20 6021

**CONFIDENTIALITY NOTICE**
The information contained in this e-mail may be proprietary and/or 
privileged and is intended for the sole use of the individual or 
organization named above.  If you are not the intended recipient or an 
authorized representative of the intended recipient, any review, copying
or distribution of this e-mail and its attachments, if any, is prohibited.
If you have received this e-mail in error, please notify the sender
immediately by return e-mail and delete this message from your system.





[Full-Disclosure] [ GLSA 200406-01 ] Ethereal: Multiple security problems

2004-06-04 Thread Thierry Carrez
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200406-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Ethereal: Multiple security problems
      Date: June 04, 2004
      Bugs: #51022
        ID: 200406-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities including one buffer overflow exist in
Ethereal, which may allow an attacker to run arbitrary code or crash
the program.

Background
==

Ethereal is a feature rich network protocol analyzer.

Affected packages
=

---
 Package/   Vulnerable   /  Unaffected
---
  1  net-analyzer/ethereal   <= 0.10.3   >= 0.10.4

Description
===

There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.4, including:

* A buffer overflow in the MMSE dissector.

* Under specific conditions a SIP packet could make Ethereal crash.

* The AIM dissector could throw an assertion, causing Ethereal to
  crash.

* The SPNEGO dissector could dereference a null pointer, causing a
  crash.

Impact
==

An attacker could use these vulnerabilities to crash Ethereal or even
execute arbitrary code with the permissions of the user running
Ethereal, which could be the root user.

Workaround
==

For a temporary workaround you can disable all affected protocol
dissectors by selecting Analyze->Enabled Protocols... and deselecting
them from the list. However, it is strongly recommended to upgrade to
the latest stable release.

Resolution
==

All Ethereal users should upgrade to the latest stable version:

# emerge sync

# emerge -pv ">=net-analyzer/ethereal-0.10.4"
# emerge ">=net-analyzer/ethereal-0.10.4"

References
==

  [ 1 ] Ethereal enpa-sa-00014
http://www.ethereal.com/appnotes/enpa-sa-00014.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-200406-01.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAwM3zvcL1obalX08RAhWVAJ9e+BRSYi4AZA3Us7+0ib59Qyrk4gCcCdtJ
LqivdVf6W1IyR49JPaAOoMc=
=P4XV
-END PGP SIGNATURE-



[Full-Disclosure] bss-based buffer overflow in l2tpd

2004-06-04 Thread Thomas Walpuski
All versions of l2tpd contain a bss-based buffer overflow. After
circumventing some minor obstacles (i.e., faking a L2TP tunnel
establishment) the overflow can be triggered by sending a specially
crafted packet.

The crucial code can be found in write_packet() in control.c:

static unsigned char wbuf[MAX_RECV_SIZE];
int pos = 0;
[..]
e = PPP_FLAG;
wbuf[pos++] = e;
for (x = 0; x < buf->len; x++)
{
e = *((char *) buf->start + x);
if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
{
/* Escape this */
e = e ^ 0x20;
wbuf[pos++] = PPP_ESCAPE;
}
wbuf[pos++] = e;

}
wbuf[pos++] = PPP_FLAG;

Nota bene: buf->len can be up to 4080 = 4096 (=: MAX_RECV_SIZE) - 16.

It might be hard or even impossible to exploit this buffer overflow.

Thomas Walpuski

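To make the arithmetic behind the overflow concrete, here is an added example, not l2tpd's own code: the macro names follow the excerpt above, but their numeric values are assumptions for this example (4096 matches the MAX_RECV_SIZE figure in the post; the PPP flag and escape values are the usual HDLC ones). It computes the worst-case growth of the escaping loop, and shows a bounds-checked rewrite of that loop which refuses a frame that cannot fit instead of writing past the end of the output buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Names follow the l2tpd excerpt; the values are assumptions for this
 * example (4096 matches the MAX_RECV_SIZE figure given in the post). */
#define MAX_RECV_SIZE 4096
#define PPP_FLAG      0x7e
#define PPP_ESCAPE    0x7d

/* Largest possible output for `len` payload bytes: every byte may need an
 * escape prefix, and the frame is wrapped in two flag bytes. */
size_t ppp_escaped_max_len(size_t len)
{
    return 2 * len + 2;
}

/* 1 if a payload of `len` bytes is guaranteed to fit in wbuf, else 0. */
int fits_in_wbuf(size_t len)
{
    return ppp_escaped_max_len(len) <= MAX_RECV_SIZE;
}

/* Bounds-checked version of the write_packet() loop. Escapes `in` into
 * `out` (capacity outcap) and returns the number of bytes written, or 0 if
 * the whole frame cannot fit. The check runs before every write, so the
 * function never touches out[outcap] or beyond. */
size_t ppp_escape_frame(const unsigned char *in, size_t len,
                        unsigned char *out, size_t outcap)
{
    size_t pos = 0;

    if (outcap < 2)                 /* at least the two flag bytes */
        return 0;
    out[pos++] = PPP_FLAG;

    for (size_t x = 0; x < len; x++) {
        unsigned char e = in[x];
        int escape = (e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG);
        /* Space needed now: this byte (plus its escape) and the closing flag. */
        size_t need = (escape ? 2u : 1u) + 1u;

        if (outcap - pos < need)
            return 0;
        if (escape) {
            out[pos++] = PPP_ESCAPE;
            e ^= 0x20;
        }
        out[pos++] = e;
    }
    out[pos++] = PPP_FLAG;
    return pos;
}

/* The post's worst case: a payload of MAX_RECV_SIZE - 16 bytes in which
 * every byte needs escaping. The unchecked loop would write 2*4080 + 2
 * bytes into a 4096-byte buffer; the checked version returns 0 instead. */
size_t demo_worst_case(void)
{
    static unsigned char in[MAX_RECV_SIZE - 16];   /* constructed payload */
    static unsigned char out[MAX_RECV_SIZE];

    memset(in, 0, sizeof in);          /* 0x00 is below 0x20, so it is escaped */
    return ppp_escape_frame(in, sizeof in, out, sizeof out);
}

int main(void)
{
    const unsigned char sample[3] = { PPP_FLAG, 'A', 0x01 };   /* constructed */
    unsigned char out[8];
    size_t n = ppp_escape_frame(sample, sizeof sample, out, sizeof out);

    printf("worst case needs %zu bytes, buffer is %d: fits=%d\n",
           ppp_escaped_max_len(MAX_RECV_SIZE - 16), MAX_RECV_SIZE,
           fits_in_wbuf(MAX_RECV_SIZE - 16));
    printf("sample frame: %zu bytes, worst-case demo returned %zu\n",
           n, demo_worst_case());
    return 0;
}
```

The reason the original loop is unsafe is visible in `ppp_escaped_max_len`: a payload of 2048 bytes or more can already need more than 4096 output bytes, so a buffer sized to the input cannot be sized to the output. Checking `need` against the remaining capacity before each write, rather than once up front, also keeps the function correct when the output buffer is smaller than the worst case but the actual data happens to fit.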


Re: [Full-Disclosure] Out of Office

2004-06-04 Thread John Galt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


How much do you want to bet that he will be 0wned before then? ;P

On Fri, 4 Jun 2004, Derek wrote:

> I am out of office until 10th of June, please be patient
> with the email correspondence to catch up.
>
> derek holzer
>
>

- -- 
The Internet must be a medium for it is neither Rare nor Well done!
John Galt <[EMAIL PROTECTED]>
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFAwNQm+TX+nYGFQPsRAuAcAJ9Aii7ETU/Rq9UwTHRaJW5cfLcFeACgpWOH
DaYREnElW6KGr8Uu98bz5Ys=
=kRgL
-END PGP SIGNATURE-



Re: [Full-Disclosure] another new worm submission

2004-06-04 Thread Axel Pettinger
"Perrymon, Josh L." wrote:
> 
> http://www.detroit-x.com/analysis.htm
> 
> This is something we found this morning. I have packet captures that I 
> will post.
> I have attached the infected files found with FPORT and also registry
> entries.
> 
> We found this rebooting machines with the LSASS.exe error similar to 
> Sasser. As of 6/4/2004 we found no virus defs to pick it up.

The malware (MD5: 2501c5d989229a6ab02146f7d2c1f6d8) is identified as ...

BitDefender : Backdoor.Dumador.AI
CA Vet  : Win32.Bambo.L trojan
DrWeb   : BackDoor.Dumaru
Eset: Win32/Dumador.AI trojan
Kaspersky   : Backdoor.Dumador.ai
McAfee  : BackDoor-CCT
Symantec: Backdoor.Nibu.G
Trend Micro : TROJ_DUMARIN.H

Description:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DUMARIN.H&VSect=T

Regards,
Axel Pettinger



Re: [Full-Disclosure] another new worm submission

2004-06-04 Thread insecure
Perrymon, Josh L. wrote:
> http://www.detroit-x.com/analysis.htm
> This is something we found this morning. I have packet captures that I will
> post.
> I have attached the infected files found with FPORT and also registry
> entries.
> We found this rebooting machines with the LSASS.exe error similar to Sasser.
> As of 6/4/2004 we found no virus defs to pick it up.
> Joshua Perrymon
> Sr. Network Security Consultant


McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT.  This is 
not a worm, it's a trojan. Your systems are being remotely compromised, 
possibly with an auto-rooter targeting the lsass vulnerability, which 
instructs the compromised system to download, install, and run this 
trojan. This trojan includes a keystroke logger, and additional 
components that you seem to have missed. Assume that system and any web 
site passwords have been compromised. Warn the users of these systems 
that unless they change any financial site passwords they are likely to 
be victims of theft.

How are these systems getting compromised? Why don't you have this patch 
deployed yet? Why are these systems reachable from the Internet over 
port 445?

You've got more problems than new worms.


[Full-Disclosure] [ GLSA 200406-02 ] tripwire: Format string vulnerability

2004-06-04 Thread Thierry Carrez
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200406-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: tripwire: Format string vulnerability
      Date: June 04, 2004
      Bugs: #52945
        ID: 200406-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability allowing arbitrary code execution under certain
circumstances has been found.

Background
==

tripwire is an open source file integrity checker.

Affected packages
=

---
 Package /   Vulnerable   / Unaffected
---
  1  app-admin/tripwire  <= 2.3.1.2  >= 2.3.1.2-r1

Description
===

The code that generates email reports contains a format string
vulnerability in pipedmailmessage.cpp.

Impact
==

With a carefully crafted filename on a local filesystem an attacker
could cause execution of arbitrary code with permissions of the user
running tripwire, which could be the root user.

Workaround
==

There is no known workaround at this time.

Resolution
==

All tripwire users should upgrade to the latest stable version:

# emerge sync

# emerge -pv ">=app-admin/tripwire-2.3.1.2-r1"
# emerge ">=app-admin/tripwire-2.3.1.2-r1"

References
==

  [ 1 ] Bugtraq Announcement

http://www.securityfocus.com/archive/1/365036/2004-05-31/2004-06-06/0

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-200406-02.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAwO1FvcL1obalX08RAkrZAJ9Q7rq0lHme7mugx5gqNJsQA1+4fACgoByQ
1bQVhKo0jRXswMknBjPSVn4=
=t7dZ
-END PGP SIGNATURE-



Re: [Full-Disclosure] another new worm submission

2004-06-04 Thread Paul Schmehl
--On Friday, June 04, 2004 03:55:05 PM -0500 insecure 
<[EMAIL PROTECTED]> wrote:
> McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT.  This is
> not a worm, it's a trojan. Your systems are being remotely compromised,
> possibly with an auto-rooter targeting the lsass vulnerability, which
> instructs the compromised system to download, install, and run this
> trojan. This trojan includes a keystroke logger, and additional
> components that you seem to have missed. Assume that system and any web
> site passwords have been compromised. Warn the users of these systems
> that unless they change any financial site passwords they are likely to
> be victims of theft.
> How are these systems getting compromised? Why don't you have this patch
> deployed yet? Why are these systems reachable from the Internet over port
> 445?

For someone who knows nothing about his network, you sure are willing to 
make a lot of assumptions.  You admit you don't know how the systems were 
compromised and you don't know what compromised them, yet you castigate him 
for leaving port 445 open and not patching and you assume this happened 
*remotely*?

> You've got more problems than new worms.

One of which is miserable comforters.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


[Full-Disclosure] xabot or sdbot or spybot...

2004-06-04 Thread RandallM

>Message: 21
>Date: Fri, 04 Jun 2004 00:08:23 +0200
>From: Axel Pettinger <[EMAIL PROTECTED]>
>Organization: API
>To: "Perrymon, Josh L." <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: Re: [Full-Disclosure] anyone seen this worm/trojan  before?

>"Perrymon, Josh L." wrote:
>> 
>> I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
>> Doesn't look like it propagates to other machines but rather communicates
>> with a compromised
>> web companies server using IRC. The compromised server has removed the
IRC
>> service. Only sends RST packets back.
>> 
>
>> I would like to know the attack vectors. I'm guessing LSASS.

>AntiVirus scanners identify our trojan as:

>BitDefender : Backdoor.SDBot.Gen
>Kaspersky   : Backdoor.Rbot.gen
>McAfee  : W32/Sdbot.worm.gen.g 
>Symantec: W32.Spybot.Worm 
>Trend Micro : WORM_SPYBOT.AP

>From a quick look at the file I'd say the following is the best 
>description of that trojan. There're several attack vectors ...

>http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T

>Regards,
>Axel Pettinger



I'd like to throw something in here. While scanning with Spybot 1.3 it came
to a halt with an error. The error was an "Xabot" error. After many attempts
to figure this out I searched Xabot. This led to Symantec's site
http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html
and http://www.sophos.com/virusinfo/analyses/w32sdbotna.html where it is
associated with Sdbot.

Well, for sure I am having a hell of a time finding it as all conventional
means have failed. 3 online scans. 3 scans in safe mode. Hijack This,
Swat-it, Bazooka and still Spybot is halted with the error. I uninstalled
Spybot three times. It seems I have a remnant somewhere.

thank you
Randall M
 




[Full-Disclosure] [CYSA-0329] Password recovery vulnerability in FoolProof Security 3.9.x for Windows 95/9

2004-06-04 Thread advisories
~~
Cyrillium Security Advisory CYSA-0329 [EMAIL PROTECTED]
http://www.cyrillium.com/   Cyrillium Security Solutions and Services
April 29th, 2004
~~

Severity: High (Password Compromise)

Vendor:
SmartStuff Software (member of Riverdeep Interactive Learning, Inc.)

Affected Products:
FoolProof Security 3.9.x for Windows 98/98SE/Me

Unaffected Products:
FoolProof Security for Macintosh
FoolProof Security for Windows XP and Windows 2000

1. Problem Description

Cyrillium Security Solutions and Services has discovered a vulnerability
in the password recovery feature of FoolProof Security that allows an
attacker to recover the "Administrator" password using the "Control"
password and password recovery key.

FoolProof for Macintosh and FoolProof for Windows XP & 2000 are not
affected because they do not support the password recovery feature.

2. Details

Passwords are stored as 16-byte, zero-padded ASCII strings. When FoolProof
Security is installed, an "Administrator" password must be specified.
Either the "Administrator" password or the "Control" password may be used
to access the FoolProof control panel and to bypass the Bootlock and
Keylock protection features. If the "Control" password is forgotten or
compromised, the "Administrator" password can be used to either enter the
FoolProof control panel to change the "Control" password or to determine
the "Control" password from the password recovery key.

The password recovery key is a 32-character hexadecimal string that can be
obtained by holding down the Shift key and pressing "OK" in the FoolProof
control panel's initial password dialog box. The ADMINPW.EXE program on
the FoolProof Security installation diskette calculates the "Control"
password from the "Administrator" password and the password recovery key.

The ADMINPW.EXE program combines the zero-padded "Administrator" password
with the password recovery key using the bitwise exclusive OR (XOR)
operation. Next, the ASCII string "D:SKFOIJ@(*EHJFL" is subtracted from
the previous result (one byte at a time). The final result is the
"Control" password.

If C represents the "Control" password, A represents the "Administrator"
password,  B represents the ASCII string "D:SKFOIJ@(*EHJFL", and K
represents the password recovery key, then manipulating the formula:
C = (A xor K) - B
yields:
A = (C + B) xor K
Thus, the "Administrator" password can be calculated if the "Control"
password and password recovery key are known.

The password recovery key is trivial to obtain by holding down the Shift
key and pressing "OK" in the FoolProof control panel's initial password
dialog box. If the "Control" password is compromised, the "Administrator"
password can be compromised as well.

Example:

Administrator password is "12345":
A = 31 32 33 34 35 00 00 00 00 00 00 00 00 00 00 00 (hexadecimal)
Control password is "HelloWorld":
C = 48 65 6C 6C 6F 57 6F 72 6C 64 00 00 00 00 00 00
Recovery key (reported by FoolProof control panel):
K = BD AD 8C 83 80 A6 B8 BC AC 8C 2A 45 48 4A 46 4C
Offsets (constant):
B = 44 3A 53 4B 46 4F 49 4A 40 28 2A 45 48 4A 46 4C

Recovery process (ADMINPW.EXE algorithm):
A xor K = 8C 9F BF B7 B5 A6 B8 BC AC 8C 2A 45 48 4A 46 4C
(A xor K) - B = 48 65 6C 6C 6F 57 6F 72 6C 64 00 00 00 00 00 00
(A xor K) - B = "HelloWorld" = Control password

Reverse recovery process:
C + B = 8C 9F BF B7 B5 A6 B8 BC AC 8C 2A 45 48 4A 46 4C
(C + B) xor K = 31 32 33 34 35 00 00 00 00 00 00 00 00 00 00 00
(C + B) xor K = "12345" = Administrator password

The "Administrator" password can be successfully determined knowing only
the "Control" password and the password recovery key.

4. Exploit

The following program calculates the "Administrator" password from the
password recovery key and the "Control" password.

Usage:

Invoke the program with the following arguments:

foolpw HEXADECIMAL_RECOVERY_KEY CONTROL_PASSWORD

Example:

C:\> foolpw BDAD8C8380A6B8BCAC8C2A45484A464C HelloWorld
12345

Source code:

/*

foolpw.c
Copyright (C) 2004 Cyrillium Security Solutions and Services.

Demonstrates a weakness in FoolProof Security password recovery system. See
CYSA-0329 for details.

CYRILLIUM SECURITY SOLUTIONS AND SERVICES DOES NOT PROVIDE ANY WARRANTY FOR
THIS PROGRAM,  EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
SHOULD THE PROGRAM PROVE DE
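The two formulas in the advisory, C = (A xor K) - B and A = (C + B) xor K, are each other's inverse, and that is the whole weakness: XOR with a known key followed by a per-byte subtraction of a fixed constant is a reversible transform, not a one-way function, so whoever holds the recovery key and either password can compute the other. The program below is an added example and is not Cyrillium's foolpw.c (whose source is cut off above); it reproduces the advisory's worked example in both directions using only the values the advisory prints, with byte arithmetic taken modulo 256 as the hex tables above imply.

```c
#include <stdio.h>
#include <string.h>

#define FP_PWLEN 16   /* passwords are 16-byte, zero-padded ASCII strings */

/* Per-byte offsets B = "D:SKFOIJ@(*EHJFL", as listed in the advisory. */
static const unsigned char FP_OFFSETS[FP_PWLEN] = {
    0x44, 0x3A, 0x53, 0x4B, 0x46, 0x4F, 0x49, 0x4A,
    0x40, 0x28, 0x2A, 0x45, 0x48, 0x4A, 0x46, 0x4C
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse the 32-character hexadecimal recovery key K. Returns 0 on success,
 * -1 on a malformed key (wrong length or a non-hex character). */
int fp_parse_key(const char *hex, unsigned char key[FP_PWLEN])
{
    if (strlen(hex) != 2 * FP_PWLEN)
        return -1;
    for (int i = 0; i < FP_PWLEN; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        key[i] = (unsigned char)(hi << 4 | lo);
    }
    return 0;
}

/* Zero-pad (or truncate) a password to the 16-byte field format. */
static void fp_pad(const char *s, unsigned char out[FP_PWLEN])
{
    size_t n = strlen(s);
    if (n > FP_PWLEN)
        n = FP_PWLEN;
    memset(out, 0, FP_PWLEN);
    memcpy(out, s, n);
}

/* Forward direction (what the advisory says ADMINPW.EXE computes):
 * C = (A xor K) - B, byte by byte modulo 256. Writes the Control password
 * as a NUL-terminated string. */
void fp_control_from_admin(const char *admin, const unsigned char key[FP_PWLEN],
                           char control[FP_PWLEN + 1])
{
    unsigned char a[FP_PWLEN];
    fp_pad(admin, a);
    for (int i = 0; i < FP_PWLEN; i++)
        control[i] = (char)(unsigned char)((a[i] ^ key[i]) - FP_OFFSETS[i]);
    control[FP_PWLEN] = '\0';
}

/* Reverse direction described in the advisory: A = (C + B) xor K. */
void fp_admin_from_control(const char *control, const unsigned char key[FP_PWLEN],
                           char admin[FP_PWLEN + 1])
{
    unsigned char c[FP_PWLEN];
    fp_pad(control, c);
    for (int i = 0; i < FP_PWLEN; i++)
        admin[i] = (char)(unsigned char)((c[i] + FP_OFFSETS[i]) ^ key[i]);
    admin[FP_PWLEN] = '\0';
}

int main(void)
{
    /* Values taken from the advisory's worked example. */
    const char *key_hex = "BDAD8C8380A6B8BCAC8C2A45484A464C";
    unsigned char key[FP_PWLEN];
    char control[FP_PWLEN + 1], admin[FP_PWLEN + 1];

    if (fp_parse_key(key_hex, key) != 0) {
        fputs("bad recovery key\n", stderr);
        return 1;
    }
    fp_control_from_admin("12345", key, control);
    fp_admin_from_control("HelloWorld", key, admin);
    printf("forward:  A=\"12345\"      -> C=\"%s\"\n", control);
    printf("reverse:  C=\"HelloWorld\" -> A=\"%s\"\n", admin);
    return 0;
}
```

One detail the hex tables make visible: wherever both passwords are shorter than 16 bytes, the padding region of K is simply B itself (since K = (C + B) xor A with A = 0 and C = 0 there), which is why the tail of the recovery key in the example reads 2A 45 48 4A 46 4C. A recovery scheme that leaks its own constants through the key it hands out has no secret left to protect.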

Re: [Full-Disclosure] another new worm submission

2004-06-04 Thread Jerry Heidtke
Paul Schmehl wrote:
> --On Friday, June 04, 2004 03:55:05 PM -0500 insecure
> <[EMAIL PROTECTED]> wrote:
>
>> McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is
>> not a worm, it's a trojan. Your systems are being remotely compromised,
>> possibly with an auto-rooter targeting the lsass vulnerability, which
>> instructs the compromised system to download, install, and run this
>> trojan. This trojan includes a keystroke logger, and additional
>> components that you seem to have missed. Assume that system and any web
>> site passwords have been compromised. Warn the users of these systems
>> that unless they change any financial site passwords they are likely to
>> be victims of theft.
>> How are these systems getting compromised? Why don't you have this patch
>> deployed yet? Why are these systems reachable from the Internet over
>> port 445?
>
> For someone who knows nothing about his network, you sure are willing
> to make a lot of assumptions. You admit you don't know how the systems
> were compromised and you don't know what compromised them, yet you
> castigate him for leaving port 445 open and not patching and you
> assume this happened *remotely*?
>
>> You've got more problems than new worms.
>
> One of which is miserable comforters.
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/

You're right, I made an assumption that the systems were being 
compromised remotely rather than being deliberately and maliciously 
hacked by insiders. Would this somehow be less of a problem? Having 
systems with routable addresses reachable through port 445 is the most 
likely avenue of compromise, if this is not the case then Josh would be 
well advised to determine exactly what is going on with his network.

He did say there were more than one infected system that were displaying 
symptoms of attack against lsass, and that he couldn't find AV 
definitions to pick it up, although it's been detectable as a variant 
for up to six weeks, and someone else posted detections by 8 different 
AV packages. I also stated that there are other components which he 
didn't find, which was another assumption but one which is proven true 
by a quick perusal of any AV vendors' write-up on this.

Since the malware he posted doesn't spread automatically and doesn't 
attack lsass, there is obviously something else going on, which was the 
point I was trying to make. Apparently I was too obtuse for some people. 
I think I suggested some avenues of investigation that may prove helpful 
to the OP. In what way were your comments helpful?



[Full-Disclosure] weather.com contact

2004-06-04 Thread fd
Anyone know anyone at weather.com?



RE: [Full-Disclosure] Using Xbox live for covert communication

2004-06-04 Thread Aditya, ALD [Aditya Lalit Deshmukh]
> 
> Then why not find a friend in germany and pretend to plan a biological
> attack? 
> See how "un-monitored" and "private" it is then-:) 
> 

Worth a try for security's sake? Yes!



Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
