Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-04 Thread Chris Umphress
On Fri, 3 Dec 2004 21:52:30 +, n3td3v <[EMAIL PROTECTED]> wrote:

> The argument that Lycos EU are not DDoS'ing is not washable. It's DDoS
> plain and simple.

Of course it's a form of DDoS. But who started it? Remember, Lycos
provides e-mail services which the spammers have been taking advantage
of for years -- using up Lycos' bandwidth.

> Resign or be sacked.

Um, isn't this the message Lycos is trying to send spammers?

Chris

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Government Uses Color Laser Printers to Track Documents.

2004-11-23 Thread Chris Umphress
> Next time you make a printout from your color laser printer,
> shine an LED flashlight beam on it and examine it closely
> with a magnifying glass. You might be able to see the small,
> scattered yellow dots printed there that could be used to
> trace the document back to you.

So they're using my yellow toner and expecting me to be happy about
it? Is it tax deductible? ;)

> Lorelei Pagano, a counterfeiting specialist with the U.S.
> Secret Service, stresses that the government uses the
> embedded serial numbers only when alerted to a forgery. "The
> only time any information is gained from these documents is
> purely in [the case of] a criminal act," she says.

This is like the semi-recent OnStar issue, right?

> John Morris, a lawyer for The Center for Democracy and
> Technology , says, "That type of assurance doesn't really
> assure me at all, unless there's some type of statute." He
> adds, "At a bare minimum, there needs to be a notice to
> consumers."

Absolutely. A "you're being tracked, have a good day" would be nice.

> Crean describes the device as a chip located "way in the
> machine, right near the laser" that embeds the dots when the
> document "is about 20 billionths of a second" from printing.
> 
> "Standard mischief won't get you around it," Crean adds.

I have to wonder how long it will take modding sites to pick this up.
 
> Neither Crean nor Pagano has an estimate of how many laser
> printers, copiers, and multifunction devices track
> documents, but they say that the practice is commonplace
> among major printer companies.

This sounds a lot like "But everyone does it!" That never worked for me.

> Unlike ink jet printers, laser printers, fax machines, and
> copiers fire a laser through a mirror and series of lenses
> to embed the document or image on a page. Such devices range
> from a little over $100 to more than $1000, and are designed
> for both home and office.

Black-only laser printers are down as low as $100. Color is still
$500+, just clarifying.

> Crean says Xerox pioneered this technology about 20 years
> ago, to assuage fears that their color copiers could easily
> be used to counterfeit bills.

It can be done with inkjet printers now.

Anyhow, my $0.02. I probably won't be buying a new (or old) color
laser printer in the near future.

Chris

-- 
Chris Umphress <http://daga.dyndns.org/>



Re: [Full-Disclosure] Why is IRC still around?

2004-11-20 Thread Chris Umphress
> 1) A hell of a lot of viruses/worms/trojans use IRC to wreak further havoc?

Yes, some do. The three most common forms of viral use of IRC that I see are:

1. Virus/worm/trojan writers have it connect to a server and notify a
channel that it has infected xx.xx.xx.xx. This is an attempt to keep
the virus writer anonymous.
2. mIRC scripts (I'm not going to say more)
3. bot nets which are a form of DoS attack.

> 2) A considerable amount of "script kiddies" originate and grow through IRC?

True, but some of our experts gain some of their knowledge from IRC as
well. It's a two-way street.

> 3) A wee bit of software piracy occurs?

Yes, but people also have Kazaa (FastTrack), Gnutella, FTP, warez
sites, and newsgroups.

> 4) That many organized DoS attacks through PC zombies are initiated through 
> IRC?

This goes back to mIRC scripting. The ones that don't would be able to
check a website/blog/wiki to look for commands.

> 5) The anonymity of the whole thing helps to foster all the illegal
> and malicious activity that occurs?
> The list goes on and on...

Anything on the Internet has a certain level of anonymity that is
available. There are proxies, temporary e-mail accounts, etc.

> Sorry to offend those that use IRC legitimately (LOL - find something
> else to chat with your buddies), but why the hell are we not pushing
> to sunset IRC?
>
> What would IT be like today without IRC (or the like)? Am I narrow
> minded to say that it would be a much safer place?

I'm not offended. IRC has the ability to let you hold a "conference"
with people from all over the world. Or to just have fun. Sure there
are other chatting platforms that could be used, but they aren't as
flexible.
If IRC were to suddenly stop existing, bulletin boards and wikis would
become even more popular. Most of them allow the same level of
anonymity that IRC gives to people. Or some poor soul's blog would be
overrun with "comments". Unfortunately, all of the things you have
listed as the downside to IRC would happen anyway.

My 2c worth

-- 
Chris Umphress <http://daga.dyndns.org/>



Re: [Full-Disclosure] Slightly off-topic: www.georgewbush.com

2004-11-04 Thread Chris Umphress
> Be fair now...
> 
> NOTHING is more fucked up than the US election.

Not even Microsoft?

-ouch-



Re: [Full-Disclosure] SAVE THE WORLD FROM APOCALYSE

2004-11-01 Thread Chris Umphress
I can imagine security right now if only the inventor of the internet
had been elected the last time around instead of Bush. 


On Mon, 1 Nov 2004 22:59:18 +, n3td3v <[EMAIL PROTECTED]> wrote:
> Vote Bush out or the world will sky dive into an apocalypse.
> 
> (i don't care if this is off topic, this relates to security of
> everyone, not just geeks on the internet who have found a
> bufferoverflow in X product)
> 
> Thanks,
> 
> n3td3v
> 
> [ security enthusiast ]
> 
> [ http://www.geocities.com/n3td3v ]
> 


-- 
Chris Umphress <http://daga.dyndns.org/>



Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)

2004-10-12 Thread Chris Umphress
> yes, but this is the point! when i happen to unarj a package with the
> unarj version you have as user "root", then unarj *will* have the
> permission to overwrite /etc or whatever. it won't kindly ask but just
> overwrite, or does it? (you've shown unarj in action with sudo when
> test.txt was non-existent).

arj does ask if you want to overwrite an existing file.

--- snip 
[EMAIL PROTECTED]:/home$ ls -l /usr/local/bin/test.txt
/usr/bin/ls: /usr/local/bin/test.txt: No such file or directory
[EMAIL PROTECTED]:/home$ ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]

Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
Error (13): Permission denied
Can't open ../usr/local/bin/test.txt
OK to extract to a new filename?
Break signaled!
[EMAIL PROTECTED]:/home$ sudo ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]

Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
Extracting ../../usr/local/bin/test.txt to ../usr/local/bin/test.txt   OK 
 1 file(s)
[EMAIL PROTECTED]:/home$ sudo ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]

Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
ARJ 13 04-10-11 12:21:48, DISK 13 04-10-11 12:21:48
../usr/local/bin/test.txt  is same or newer, Overwrite?
Break signaled!
[EMAIL PROTECTED]:/home$ ls -l /usr/local/bin/test.txt
-rw-r--r--  1 root root 13 2004-10-11 12:21 /usr/local/bin/test.txt
--

I found a copy of unarj [2.63] and repeated the same test (using
unarj). It tried to extract with "../../" where arj had only used
"../". "unarj" had one other difference from "arj" that I noticed.
When it encountered a file that already existed, it automatically
skipped extraction of that file.

On a side note, ARJ is more of a DOS/Windows archiving format. I had
assumed that no one in their right mind would run this tool as root on
an archive that they had not created. Every *nix package format that I
can find is based on tar/gzip or the RPM file format. I guess
there is always a possibility that someone will run unarj as root,
though.

-- 
Chris Umphres 



Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)

2004-10-11 Thread Chris Umphress
> [EMAIL PROTECTED]:~$ unarj x test.arj
> ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27 Jun 2004]
> 
> Processing archive: test.arj
> Archive created: 2004-10-12 01:15:49, modified: 2004-10-12 01:15:49
> usr/bin/namei, Create this directory? Yes
> Extracting ../usr/bin/namei   to usr/bin/namei   OK
>  1 file(s)
> 
> so it's not taking all the ../ into account and also an .arj created with
> full path is created in $PWD. arj + unarj are both v3.10.

Good point. I tried extracting again with 3.10, and it only leaves the
one "../" on the front.

> ...somehow i don't expect programs to mess with /usr. not as a user and
> not as root.

I just picked /usr, it could have been /etc, /var or any other
standard directory that every *nix distribution has. Regardless, if I
try to make unarj write to a directory that I don't have the
necessary permissions for, it asks me to pick an alternate location
to extract to.

> /me wonders about which version of arj/unarj "doubles" is talking about

I don't see a problem, but it would be interesting to see which
version "doubles" is referring to.

-- 
Chris Umphres 



Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)

2004-10-11 Thread Chris Umphress
> 
> http://www.google.com/search?q=%22directory+traversal%22&meta=
> 
> doubles

I know what a directory traversal is. I did a little test run of this
"bug." For sanitary reasons, I did not install arj when I compiled it.
It was merely moved to ~/test. Here is what I've done to test what you
are saying:

---

  [EMAIL PROTECTED]:/usr/local/bin# touch test.txt
  [EMAIL PROTECTED]:/usr/local/bin# chown root.root test.txt

  [EMAIL PROTECTED]:~/test$ arj a test.arj ../../../usr/local/bin/test.txt
  ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]
  
  Creating archive  : test.arj
  Adding../../../usr/local/bin/test.txt  100.0%
   1 file(s)

  [EMAIL PROTECTED]:/usr/local/bin# rm -rf test.txt

  [EMAIL PROTECTED]:~/test$ unarj x test.arj
  UNARJ (Demo version) 2.30 Copyright (c) 1991 Robert K Jung
  
  Processing archive: test.arj
  Archive date  : 2012-11-10 27:44:04
  Can't open ../../usr/local/bin/test.txt
  0 file(s)

  Found 1 error(s)!
  [EMAIL PROTECTED]:~/test$ cd ..
  [EMAIL PROTECTED]:~$ unarj x test/test.arj
  UNARJ (Demo version) 2.30 Copyright (c) 1991 Robert K Jung
  
  Processing archive: test/test.arj
  Archive date  : 2012-11-10 27:44:04
  Can't open ../../usr/local/bin/test.txt
  0 file(s)

  Found 1 error(s)!
  [EMAIL PROTECTED]:~$ sudo unarj x test/test.arj
  UNARJ (Demo version) 2.30 Copyright (c) 1991 Robert K Jung
  
  Processing archive: test/test.arj
  Archive date  : 2012-11-10 27:44:04
  Extracting ../../usr/local/bin/test.txt  CRC OK
  1 file(s)

  [EMAIL PROTECTED]:/usr/local/bin# ls -l test.txt
  -rw-r--r--  1 root root 13 2012-11-11 02:42 test.txt


Apart from it removing one "../" from the filename I gave it, it
worked exactly as I expected.

-- Chris

-- 
Chris Umphres 

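The transcripts in this thread show arj 3.10 dropping exactly one leading "../" from a member name, unarj 2.30 keeping "../../", and either tool writing into /usr/local/bin once run as root. The check an extractor (or a wrapper around one) needs is whether the final path stays inside the extraction directory, not how many "../" components it strips. The following is an added example, not arj or unarj code; `strip_one_leading_dotdot` is an assumed model of the single-"../" behaviour observed above, and the member names are taken from the thread plus a few constructed edge cases.

```python
import os
import posixpath


def strip_one_leading_dotdot(member: str) -> str:
    """Assumed model of what the thread observed in arj 3.10: remove one
    leading '../' and nothing else. Shown only to demonstrate that this
    kind of stripping does not prevent traversal."""
    return member[3:] if member.startswith("../") else member


def is_contained(dest_dir: str, member: str) -> bool:
    """True only if extracting `member` below `dest_dir` cannot escape it.

    Covers leading '../', '..' in the middle of a name, absolute names and
    backslash separators, which DOS/Windows archivers such as ARJ produce.
    Both sides are passed through realpath so a symlinked dest_dir compares
    consistently with the resolved target.
    """
    name = member.replace("\\", "/")
    if posixpath.isabs(name):  # '/etc/passwd' never belongs in an archive
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *name.split("/")))
    return os.path.commonpath([dest, target]) == dest


def plan_extraction(dest_dir: str, members: list[str]) -> dict[str, bool]:
    """Map each member name to allow/deny without opening the archive."""
    return {m: is_contained(dest_dir, m) for m in members}


if __name__ == "__main__":
    # Constructed sample: names from the thread plus edge cases.
    sample = [
        "usr/bin/namei",
        "../../../usr/local/bin/test.txt",
        "../usr/local/bin/test.txt",
        "docs/../../etc/passwd",
        "/etc/passwd",
        "..\\..\\windows\\win.ini",
    ]
    for name, ok in plan_extraction("/home/chris/test", sample).items():
        print(f"{'allow' if ok else 'DENY '}  {name}")
    # Dropping one '../' as arj 3.10 did still leaves an escaping path.
    stripped = strip_one_leading_dotdot("../../usr/local/bin/test.txt")
    print(stripped, is_contained("/home/chris/test", stripped))
```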


Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)

2004-10-11 Thread Chris Umphress
That was certainly a useful explanation. Isn't stuff on this list
supposed to be readable? Anyhow, if I'm reading what you've said
correctly, it's supposed to work that way. Most programs pass the
"../" (or "..\") to the OS to handle.

-- Chris

On Sun, 10 Oct 2004 15:43:10 -0700, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> yyoo  wwaauu  ddoouubblleess  iiss  hheerree
>  ttoo
> rroocckk  ddaa  hhoouussee  nndd  ttoo  tthhrrooww  uunnaarrjj  ddiirr-
> -
> ttrraannssvveerrssaall  bbuugg  iinn  yyaarr  ffaaccee!!  uunnaarrjj
> ee  uunnppaacckkss  aa  ddaa  sshhiitt  ttoo  ddaa  ccuueenntt
> ddiirr  uunnaarrjj  xx  uunnppaacckkss  ttoo  mmaannyy  ddiirrss
>  nndd
> iitt  aaiinntt  ggooaa  cczzeecchh  iiff  yyoouu  hhaavvee  ddaa
>  eevviill
> //////////  sshhiitt  iinn  ddaa  ppaatthh!!
> ddoouubblleess
> 


-- 
Chris Umphres 
