[Full-Disclosure] RE: Full-Disclosure Digest, Vol 2, Issue 44
The link is not OK; it should be: http://xyz.lanl.gov/abs/cs.CR/0501038

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 20 January 2005 18:00
To: full-disclosure@lists.netsys.com
Subject: Full-Disclosure Digest, Vol 2, Issue 44

Send Full-Disclosure mailing list submissions to
    full-disclosure@lists.netsys.com

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
    [EMAIL PROTECTED]

You can reach the person managing the list at
    [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."

Today's Topics:

   1. harddisk encryption (Lentila de Vultur)
   2. ASH Hashing Algorithm ([EMAIL PROTECTED])
   3. [TURBOLINUX SECURITY INFO] 20/Jan/2005 (Turbolinux)
   4. Re: [ISN] Book Review: Forensic Discovery (Anthony Zboralski)

----------------------------------------------------------------------

Message: 1
Date: Thu, 20 Jan 2005 10:27:59 +0100 (MET)
From: Lentila de Vultur [EMAIL PROTECTED]
Subject: [Full-Disclosure] harddisk encryption
To: full-disclosure@lists.netsys.com
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

Hi,

I'm evaluating software that performs hard disk encryption for deployment in my company. The software in question is Utimaco SafeGuard Easy v4.10 (www.utimaco.com) running on W2K. I am interested in the community's opinion about this product. Has anyone performed a detailed analysis of it? I googled around but I couldn't find much information, except that version 3.20 SR1 has earned an EAL3 certification from the German federal agency for IT security.

TIA

--
This e-mail is certified content-free.

----------------------------------------------------------------------

Message: 2
Date: Wed, 19 Jan 2005 20:47:51 -0800 (PST)
From: [EMAIL PROTECTED]
Subject: [Full-Disclosure] ASH Hashing Algorithm
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.netsys.com
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;charset=iso-8859-1

With the current class of cryptographic algorithms growing weaker we face an increasingly large problem. I went ahead, took two SHA-2 algorithms and created ASH-1 and ASH-2. The modifications are algorithm neutral and fairly simple, but add security and flexibility to the SHA family.

The hashing algorithm is detailed in this paper:
http://xxx.lanl.gov.nyud.net:8090/abs/cs.CR/0501038

Comments, criticism, and help all appreciated.

Thanks,
D.J. Capelis
Network Security and Cryptography Researcher

----------------------------------------------------------------------

Message: 3
Date: Thu, 20 Jan 2005 15:35:51 +0900
From: Turbolinux [EMAIL PROTECTED]
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 20/Jan/2005
To: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Content-Type: Text/Plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.

Turbolinux Security Announcement 20/Jan/2005

The following page contains the security information of Turbolinux Inc.

- Turbolinux Security Center
  http://www.turbolinux.com/security/

(1) xpdf - Buffer overflow
(2) libtiff - Multiple vulnerabilities in libtiff
(3) XFree86 - Multiple vulnerabilities in libXpm
(4) imlib - Two vulnerabilities discovered in imlib

===================================================================
* xpdf - Buffer overflow
===================================================================

More information:
  Xpdf is an X Window System based viewer for Portable Document Format (PDF) files.
  The buffer overflow was found in the Gfx::doImage function in Gfx.cc in xpdf version 3.00.

Impact:
  These vulnerabilities may allow remote attackers to execute arbitrary code via malformed PDF files.

Affected Products:
  - Turbolinux 10 Server

Solution:
  Please use the turbopkg (zabom) tool to apply the update.

    # turbopkg
  or
    # zabom -u xpdf

- Turbolinux 10 Server
  Source Packages
  Size: MD5
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/xpdf-3.00-5.src.rpm
  4604490 d33abd903ee32d277260d1c230dcfe70

References:
  CVE
    [CAN-2004-1125]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125

===================================================================
* libtiff - Multiple vulnerabilities in libtiff
===================================================================

More information:
  The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files.
[Full-Disclosure] iDEFENSE Security Advisory 01.20.05: 3Com OfficeConnect Wireless 11g AP Information Disclosure Vulnerability
3Com OfficeConnect Wireless 11g AP Information Disclosure Vulnerability

iDEFENSE Security Advisory 01.20.05
www.idefense.com/application/poi/display?id=188&type=vulnerabilities
January 20, 2005

I. BACKGROUND

The 3Com OfficeConnect Wireless 11g Access Point provides users with access to network resources, the Internet, and e-mail at speeds up to 54 Mbps and at distances up to 100 meters (328 feet). More information about the product is available at

http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3CRWE454G72

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in 3Com Corp.'s OfficeConnect Wireless 11g Access Point allows attackers to glean sensitive router information.

The 3Com OfficeConnect Wireless 11g Access Point (AP) provides an administrative interface via a web server accessible on port 80. This interface is exposed by default on the internal ethernet interface and the wireless interface, and it is also possible to expose it on the external ethernet interface.

The problem specifically exists due to insufficient privilege checks when accessing various URLs without going through the formal logon process. An unauthenticated attacker can glean sensitive information from the device via the following URLs:

    /main/config.bin
    /main/profile.wlp?PN=ggg
    /main/event.logs

These URLs will expose the administrative username and password in clear text, the WEP key and SSID, and the router log file respectively.

III. ANALYSIS

Successful exploitation allows remote attackers to glean sensitive router information, allowing the attacker to gain full control of the device. Compromise of the Access Point (AP) allows an attacker to potentially redirect traffic, access nodes behind the AP that are otherwise unaddressable and potentially monitor traffic from a remote location. This can lead to further compromise of other computers.

IV. DETECTION

It has been reported that firmware version 1.00.08 shipped on the 3Com OfficeConnect Wireless 11g Access Point is vulnerable. It is suspected that earlier versions are also vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Firmware version 1.03.07A for 3CRWE454G72 has been released to address the vulnerability.

http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&order=desc&sku=3CRWE454G72

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2005-0112 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/21/2004  Initial vendor notification - No response
01/06/2005  Secondary vendor notification
01/07/2005  Initial vendor response
01/20/2004  Public disclosure

IX. CREDIT

Patrik, cqure.net is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] PHRACK #63 CALL FOR PAPERS
[-]=[-]

+++ =: P H R A C K - F I N A L := +++

...a glorious era comes to an end. #63 will be our last PHRACK RELEASE -- EVER...

FINAL CALL FOR PAPERS * FINAL CALL FOR PAPERS * FINAL CALL FOR PAPERS
---
Deadline: 10 July 2005 at 11:59pm
http://www.phrack.org/cfp_final.txt
---

Phrackstaff is pleased to bring you our LAST EVER CALL FOR PAPERS for the FINAL RELEASE of PHRACK. We are preparing for a hardcover and ezine release at a major hacker convention near you! We ask everyone to submit a paper. Great care will be taken to ensure that only the best articles make it into PHRACK FINAL.

As usual, papers can be on any topic related to the following:

- hacking
- phreaking
- spying
- carding
- cybernetics
- radio
- electronics
- forensics
- reverse engineering
- cryptography
- anarchy
- conspiracy
- world news

Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground. PHRACK MAGAZINE is made available to the public, as often as possible, free of charge.

PHRACK STAFF
---
preparing for hex2005
[EMAIL PROTECTED]

Post Scriptum:
- Phrackstaff will keep the website running for at least 2 years after PHRACK FINAL.
- The last T-Shirts are sold for just $14.95 now. Enjoy it!
- More about our decision in the release.

Thanks and Goodbye.

[-]=[-]
[Full-Disclosure] SUSE Security Announcement: kernel local privilege escalation (SUSE-SA:2005:003)
-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                kernel
        Announcement-ID:        SUSE-SA:2005:003
        Date:                   Friday, Jan 21st 2005 16:00 MET
        Affected products:      8.1, 8.2, 9.0, 9.1, 9.2
                                SUSE Linux Enterprise Server 8, 9
                                SUSE Linux Desktop 1.0
                                Novell Linux Desktop 9
        Vulnerability Type:     local privilege escalation
        Severity (1-10):        7
        SUSE default package:   yes
        Cross References:       CAN-2004-1235
                                CAN-2005-0001

    Content of this advisory:
        1) security vulnerability resolved:
             - local privilege escalation
             - local denial of service attacks
           problem description
        2) solution/workaround
        3) special instructions and notes
        4) package location and checksums
        5) pending vulnerabilities, solutions, workarounds:
            - see summary report
        6) standard appendix (further information)
______________________________________________________________________________

1) problem description, brief discussion

   Several exploitable security problems were identified and fixed in the Linux kernel, the core of every SUSE Linux product.

   - Due to missing locking in the sys_uselib system call a local attacker can gain root access. This was found by Paul Starzetz and is tracked by the Mitre CVE ID CAN-2004-1235.

   - Paul Starzetz also found a race condition in SMP page table handling which could lead to a local attacker gaining root access on SMP machines. This is tracked by the Mitre CVE ID CAN-2005-0001.

   - A local denial of service was found in the auditing subsystem which could have led to a local attacker crashing the machine. This was reported and fixed by Redhat.

   - The sendmsg / cmsg fix from the previous kernel update was faulty on 64bit systems with 32bit compatibility layer and could lead to 32bit applications not working correctly on those 64bit systems.

   - The smbfs security fixes from a before-previous kernel update were faulty for some file write cases.

   - A local denial of service with Direct I/O access to NFS file systems could lead a local attacker to crash a machine with NFS mounts.

   - grsecurity reported a signed integer problem in the SCSI ioctl handling which had a missing boundary check. Due to C language specifics, this evaluation was not correct and there actually is no problem in this code. The signed / unsigned mismatch was fixed nevertheless.

   - Several more small non security problems were fixed.

   NOTE: Two days ago we released the Service Pack 1 for the SUSE Linux Enterprise Server 9. This kernel update contains fixes for the SUSE Linux Enterprise Server 9 GA version kernel line. A fix for the Service Pack 1 version line will be available shortly.

2) solution/workaround

   There is no workaround. Please install the provided update packages.

3) special instructions and notes

   SPECIAL INSTALL INSTRUCTIONS:
   ==============================
   The following paragraphs will guide you through the installation process in a step-by-step fashion. The character sequence marks the beginning of a new paragraph. In some cases, the steps outlined in a particular paragraph may or may not be applicable to your situation. Therefore, please make sure to read through all of the steps below before attempting any of these procedures. All of the commands that need to be executed are required to be run as the superuser (root). Each step relies on the steps before it to complete successfully.

   Step 1: Determine the needed kernel type

   Please use the following command to find the kernel type that is installed on your system:

     rpm -qf /boot/vmlinuz

   Following are the possible kernel types (disregard the version and build number following the name separated by the - character):

     k_deflt    # default kernel, good for most systems.
     k_i386     # kernel for older processors and chip sets
     k_athlon   # kernel made specifically for AMD Athlon(tm) family processors
     k_psmp     # kernel for Pentium-I dual processor systems
     k_smp      # kernel for SMP systems (Pentium-II and above)
     k_smp4G    # kernel for SMP systems which supports a maximum of 4G of RAM
     kernel-64k-pagesize
     kernel-bigsmp
     kernel-default
     kernel-smp

   Step 2: Download the package for your system

   Please download the kernel RPM package for your distribution with the name as indicated by Step 1. The list of all kernel rpm packages is appended below.
[Full-Disclosure] Arbitrary files overwriting through skins in DivX Player 2.6
###############################################################################

                             Luigi Auriemma

Application:  DivX Player
              http://www.divx.com/divx/player/
Versions:     <= 2.6
Platforms:    Windows
Bug:          arbitrary files overwriting through skins
Exploitation: local (or remote through browser)
Date:         21 Jan 2005
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    http://aluigi.altervista.org

###############################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

###############################################################################

===============
1) Introduction
===============

As the name suggests, DivX Player is a Windows player for DivX files. It is included by default in the DivX codec distributed by DivXNetworks.

###############################################################################

======
2) Bug
======

The skins used by DivX Player are zip files containing all the needed images and a script file. When the player loads a skin, it unpacks the zip into a folder with the same name as the DPS file, located in the temporary system directory.

An attacker can overwrite files on the victim's disk on which the temporary folder is located (usually c:) using the classical directory traversal path like:

  ..\..\..\..\windows\notepad.exe

Both slash and backslash can be used.

###############################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/divxplayerbug.dps

It overwrites/creates the file c:\folder\divxplayerbug.txt

However, creating the zip files to exploit the vulnerability is very easy since you need only to modify the names of the files located in the central directory of the zip file (the final part).

###############################################################################

======
4) Fix
======

No fix.
No reply from the vendor.

###############################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
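The defect above is the extractor trusting entry names from the zip's central directory. As an added example (not code from the advisory or from DivX), here is the check a skin loader should apply before writing each entry, folding backslashes to slashes first because, as the advisory notes, both separators are honoured; the sample skin and all function names are constructed for this illustration.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def is_safe_member_name(name: str) -> bool:
    """Return True only if `name` stays inside the extraction directory.

    Backslashes are folded to '/' first (Windows extractors honour both),
    then absolute paths, drive letters and any surviving '..' component
    are rejected. 'images/../skin.xml' normalises to 'skin.xml' and is fine;
    '..\\..\\windows\\notepad.exe' keeps a '..' component and is refused.
    """
    norm = name.replace("\\", "/")
    if not norm or norm.startswith("/"):
        return False
    if len(norm) > 1 and norm[1] == ":":      # e.g. 'c:\\folder\\x.txt'
        return False
    parts = posixpath.normpath(norm).split("/")
    return ".." not in parts


def safe_extract_skin(zip_bytes: bytes, dest_dir: str) -> list:
    """Unpack a skin zip into dest_dir, skipping any entry that would land
    outside it. Returns the names of the entries that were refused."""
    dest_real = os.path.realpath(dest_dir)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member_name(info.filename):
                rejected.append(info.filename)
                continue
            parts = info.filename.replace("\\", "/").split("/")
            target = os.path.realpath(os.path.join(dest_real, *parts))
            # Second, filesystem-level check: the resolved path must still
            # sit under dest_dir (covers symlinked directories as well).
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return rejected


def build_constructed_skin() -> bytes:
    """Constructed sample input: a benign two-entry skin zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin.xml", "<skin name='demo'/>")
        zf.writestr("images/play.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


def extract_constructed_skin() -> tuple:
    """Extract the sample skin into a throwaway directory and return
    (rejected_names, extracted_relative_paths) for inspection."""
    with tempfile.TemporaryDirectory() as dest:
        rejected = safe_extract_skin(build_constructed_skin(), dest)
        extracted = sorted(
            os.path.relpath(os.path.join(root, f), dest)
            for root, _, files in os.walk(dest) for f in files
        )
    return rejected, extracted


if __name__ == "__main__":
    for candidate in ("images/play.png", "..\\..\\..\\..\\windows\\notepad.exe",
                      "../../x.txt", "c:\\folder\\divxplayerbug.txt"):
        print(f"{candidate!r:45} safe={is_safe_member_name(candidate)}")
    print(extract_constructed_skin())
```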
[Full-Disclosure] Netscape Overflow.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I saw a flaw in IE where, using a Javascript, it could be possible to crash the browser. Berend-Jan Wever discovered this problem, which consists of the following script:

    <HTML>
    <SCRIPT>
    a = new Array();
    while (1) {
        (a = new Array(a)).sort();
    }
    </SCRIPT>
    </HTML>

I tested on Netscape 7.2 (under Windows) and the same thing happened. Netscape 7.2 will crash with that script.

Thanks,
Carlos Ulver.
http://www.debarry2.com.br/carlos

My key: http://debarry2.com.br/carlos/contato.htm
[Full-Disclosure] [Fwd: NOVL-2005-10096251 GroupWise WebAccess error handling modules (report)]
-------- Original Message --------
Subject: NOVL-2005-10096251 GroupWise WebAccess error handling modules (report)
Date: Fri, 21 Jan 2005 12:37:51 -0700
From: [EMAIL PROTECTED], [EMAIL PROTECTED], Inc. [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For Immediate Disclosure

== Summary ==

Security Alert:   NOVL-2005-10096251
Title:            GroupWise WebAccess Error modules loading (report)
Date:             21-January-2005
Revision:         Original
Product Name:     GroupWise 6.5, GroupWise 6.5 WebAccess
OS/Platform(s):   NetWare, Windows, Linux
Reference URL:    http://support.novell.com/servlet/tidfinder/10096251
Vendor Name:      Novell, Inc.
Vendor URL:       http://www.novell.com
Security Alerts:  http://support.novell.com/security-alerts
Affects:          login.htt, about.htt
Identifiers:      BugTraq 387566 - http://www.securityfocus.com/archive/1/387566
Credits:          Marc Ruef maru scip ch, but thanks, too, to Pete Connolly pete connolly btinternet com for actually notifying Novell's security team

== Description ==

By specifying a query string (?error=value, or ?merge=value) on the WebAccess login URL (for example http://webacc.company.com/servlet/webacc?merge=about), an unauthenticated user is able to get read-only access to various public templates and informational files, including the about page for the WebAccess server which includes the version of GroupWise that is installed.

== Impact ==

The server is not granting access to private files, and no files can be modified through this attack. The about page which contains the version of the GroupWise software installed is available; however, it is not considered restricted information, since this same information is available on the normal login URL page. Customers that are concerned about the version information being made public can edit the login.htt and about.htt template files to remove this information.

These templates are located in the following default locations:

NetWare - sys:\tomcat\4\webapps\ROOT\WEB-INF\classes\com\novell\webaccess\templates\frames
Linux   - /var/opt/novell/gw/WEB-INF/classes/com/novell/webaccess/templates/frames
Windows - C:\NOVELL\JAVA\SERVLETS\COM\NOVELL\WEBACCESS\TEMPLATES\FRAMES

Remove line 313 in login.htt and line 37 in about.htt.

Additionally, Novell will be making changes in the next update of GroupWise, version 6.5.4, to address these issues. The changes will be to ignore any query string parameters if the user is not authenticated.

Q. What files do non-authenticated users have access to?

A. Read-only access to template files is allowed, which are stored in a public directory on the server, as well as a version file, which contains the version of the GroupWise software that is installed. There is no security risk in displaying the template files without data--the template files themselves do not contain confidential information. For the GroupWise 6.5.4 release, this will be addressed so that no unauthenticated users will be able to access any information other than the login page.

Q. What query strings expose this behavior?

A. The error query string and the merge query string can be used to access read-only versions of the WebAccess templates and the about information for the server. Note that there is no user data in these templates since the user is not authenticated. The merge query string works in the following way: when a user is logged in, actions that return data are performed. The resulting data is merged into the template specified by merge (or error if an error condition occurred) to produce useable output for the authenticated user. In the case where there is no authentication, there is no data to merge into the template. Authentication is not bypassed and there is no generic or ghost user logged in.

Q. What information or access is inappropriately divulged to unauthenticated users?

A. This approach offers no means for accessing restricted files on the server. If the version information about the server is deemed restricted, the administrator can edit the about.htt and login.htt template files to remove this information. These templates are located at template\frames on an installed WebAccess server.

Q. Is there any way for an attacker to write data into the server through this method?

A. The approach outlined provides no mechanism for modifying data or files on the server.

Q. Is it possible to use HTML injection to carry out a social engineering attack?

A. This supposition is false as the attack described has no ability to modify data or files on the server in order to inject malicious code into WebAccess pages.

== Recommended Actions ==
[Full-Disclosure] [ GLSA 200501-28 ] Xpdf, GPdf: Stack overflow in Decrypt::makeFileKey2
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory              GLSA 200501-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                         http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Xpdf, GPdf: Stack overflow in Decrypt::makeFileKey2
      Date: January 21, 2005
      Bugs: #77888, #78128
        ID: 200501-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A stack overflow was discovered in Xpdf, potentially resulting in the execution of arbitrary code. GPdf includes Xpdf code and therefore is vulnerable to the same issue.

Background
==========

Xpdf is an open source viewer for Portable Document Format (PDF) files. GPdf is a Gnome-based PDF viewer that includes some Xpdf code.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  app-text/xpdf       <= 3.00-r7                         >= 3.00-r8
  2  app-text/gpdf       < 2.8.2                            >= 2.8.2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

iDEFENSE reports that the Decrypt::makeFileKey2 function in Xpdf's Decrypt.cc insufficiently checks boundaries when processing /Encrypt /Length tags in PDF files.

Impact
======

An attacker could entice a user to open a specially-crafted PDF file which would trigger a stack overflow, potentially resulting in execution of arbitrary code with the rights of the user running Xpdf or GPdf.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xpdf users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/xpdf-3.00-r8"

All GPdf users should also upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.8.2"

References
==========

  [ 1 ] CAN-2005-0064
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
  [ 2 ] iDEFENSE Advisory
        http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities&flashstatus=true

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-28.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
[Full-Disclosure] Re: Netscape Overflow.
OK, here IE 6.0.2800.1106 SP1 crashed.

On Fri, 21 Jan 2005 11:54:33 -0800, Thushara Wijeratna [EMAIL PROTECTED] wrote:
> Not a problem with IE 6.0 Win XP2. Browser mentions stack overflow but doesn't crash.
[Full-Disclosure] Scan for IRC
I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

thank you
Randall M
Re: [Full-Disclosure] Scan for IRC
On Fri, Jan 21, 2005 at 05:34:00PM -0600, RandallM wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

Well, the default port for IRC is 6667, but many servers offer other ports as well. If you know the networks involved then check their webpages for the list of servers/ports you'll want to monitor.

-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
  Finger athan(at)fysh.org for PGP key
     "And it's me who is my enemy. Me who beats me up. Me who makes the monsters. Me who strips my confidence."  Paula Cole - ME
[Full-Disclosure] RE: Scan for IRC
Other ports commonly used are 7000 and 9000.

---
greetings
N. Baramov [irc.tu-varna.edu]

On Saturday 22 January 2005 00:10, Oliver Leitner wrote:
> From what I know, normally IRC runs on TCP 6667. Aside from that, IRC can be on any port, so I'd try to rather block the central big servers instead of going for the port, and don't forget to block all known or unknown web pages that feature webirc portals... well, those are my few thoughts.
>
> greetings
> Oliver Leiter
> Technical Staff
> http://www.shells.at
>
> On Saturday 22 January 2005 00:34, RandallM wrote:
> > I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?
> >
> > thank you
> > Randall M
Re: [Full-Disclosure] RE: Scan for IRC
On Sat, 2005-01-22 at 03:25 +, Nikolay Baramov wrote:
> Other ports commonly used are 7000 and 9000.

And another, perhaps even more commonly used port, is 443 since that is allowed unproxied/uninspected through most firewalls. (clear-text IRC on port 443, although IRC can also be run over SSL)

Regards,
Frank
Re: [Full-Disclosure] Scan for IRC
On Fri, 21 Jan 2005 17:34:00 -0600, RandallM [EMAIL PROTECTED] wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

Not only can an IRC server be on any port (as mentioned by Oliver Leitner), but clients can also tunnel the connection through proxies, or even fully encrypt chat sessions inside SSL, within an SSH tunnel, or in a binary packet protocol such as SILC.

Assuming the communication is in the clear, you could use Snort to detect IRC communication, regardless of port. More on this topic can be found here:

http://www.giac.org/practical/GSEC/Chris_Hanna_GSEC.pdf

Kevin

(P.S. I don't know who Chris Hanna is, but the paper seems sound.)
Re: [Full-Disclosure] Scan for IRC
On Fri, Jan 21, 2005 at 05:34:00PM -0600, RandallM wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

In addition to the ports you and others mentioned, don't forget 194, 994 and 6665-6668/TCP. 994 is typically IRC over SSL so all you'll likely be able to detect with a sniffer is the existence of 994/TCP traffic, not that it's actually SSL.

My suggestion? Looking for 194, 994 and 6665-6668/TCP will only help you locate legitimate IRC servers running on standard ports. But the really interesting traffic will be on other ports. So use ngrep:

    ngrep -i 'NICK|PRIVMSG' tcp

(or something similar)

Snort has a set of signatures that could easily be modified to work on arbitrary ports to detect IRC -- check out SID 542, 1463 and 1729.

-jon
Re: [Full-Disclosure] Scan for IRC
--On Friday, January 21, 2005 5:34 PM -0600 RandallM [EMAIL PROTECTED] wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

You'll have a lot more success using something like snort or tcpdump to catch them. For example, you could easily write a couple of rules that would catch any IRC communications, regardless of the port used.

    alert tcp $HOME_NET any -> any any (msg:"IRC communications"; content:"JOIN"; sid:100; rev:1;)
    alert tcp $HOME_NET any -> any any (msg:"IRC communications"; content:"PRIVMSG"; sid:101; rev:1;)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
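The Snort rules and the ngrep pattern in this thread key on the bare strings JOIN, NICK and PRIVMSG, which also appear in ordinary web pages. As an added example (not code from any poster here), the detector below instead checks whether payload lines have the shape of IRC messages, so a single keyword in an HTTP body does not fire while a real session on port 443 does; the flows and addresses are constructed, and all names are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Commands a client or server emits early in any IRC session (RFC 1459);
# three-digit numeric replies such as 001 or 372 are matched separately.
IRC_COMMANDS = {
    b"NICK", b"USER", b"JOIN", b"PART", b"PRIVMSG", b"NOTICE",
    b"PING", b"PONG", b"MODE", b"TOPIC", b"QUIT", b"PASS",
}
NUMERIC_REPLY = re.compile(rb"^\d{3}$")


def irc_command(line: bytes) -> Optional[bytes]:
    """Return the command of `line` if it is shaped like an IRC message
    ("[:prefix ]COMMAND [params]"), otherwise None."""
    line = line.rstrip(b"\r\n")
    if line.startswith(b":"):
        # Server-originated messages carry a ":prefix " before the command.
        _prefix, sep, line = line.partition(b" ")
        if not sep:
            return None
    cmd, _, _ = line.partition(b" ")
    if cmd.upper() in IRC_COMMANDS:
        return cmd.upper()
    if NUMERIC_REPLY.match(cmd):
        return cmd
    return None


def looks_like_irc(payload: bytes, min_lines: int = 2) -> bool:
    """Flag a reassembled TCP payload as IRC when at least `min_lines`
    non-empty lines parse as IRC messages. Requiring several well-formed
    lines suppresses a lone keyword hit such as the word JOIN in HTML."""
    hits = sum(1 for ln in payload.split(b"\n") if ln.strip() and irc_command(ln))
    return hits >= min_lines


# Constructed sample flows: (client address, server port, payload).
# Flow 1 is IRC hidden on tcp/443; flow 2 is HTTP on tcp/6667 that merely
# contains the word JOIN; flow 3 is server-side IRC with a numeric reply.
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("10.0.0.5", 443,
     b"NICK bot123\r\nUSER bot 0 * :bot\r\nJOIN #chan\r\nPRIVMSG #chan :hi\r\n"),
    ("10.0.0.7", 6667,
     b"GET /join HTTP/1.1\r\nHost: example.invalid\r\n\r\n<p>Please JOIN our list</p>\r\n"),
    ("10.0.0.9", 6667,
     b":irc.example.invalid 001 bot123 :Welcome\r\nPING :irc.example.invalid\r\n"),
]


def scan_flows(flows) -> List[Tuple[str, int]]:
    """Return (client, port) for every flow that looks like IRC, whatever the port."""
    return [(src, port) for src, port, payload in flows if looks_like_irc(payload)]


if __name__ == "__main__":
    for src, port in scan_flows(SAMPLE_FLOWS):
        print(f"IRC-like traffic from {src} to tcp/{port}")
```

The same line check can be dropped into a Snort pcre option or a Scapy/pcap loop over real captures; only the payload assembly changes.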
[Full-Disclosure] Packet/Signature-based Firewall
Hi,

I was wondering, are there any budget/open-source signature-based firewalls around like the one Packeteer has (PacketShaper)?

Thanks.