Volume 2 Issue 11                                                            7/8/99

                        http://www.thepoison.org/antidote

        bof_ptr = (long *)buffer;
        for (i = 0; i < bufsize - 4; i += 4)
            *(bof_ptr++) = get_sp() - offs;
        printf ("Creating termcap f1le\n");
        printf ("b1tch is Fe3lyn 1t.\n");

------------------------------

In this issue of Antidote, we have over 700 subscribers and are getting more every
day! The only thing that we ask of you when you read Antidote is that you go to:

        www.thepoison.org/popup.html

and click on our sponsors. One issue of Antidote takes us about a week to put
together, and going to our sponsor only takes you about 15 seconds (if that). So
please go visit our sponsor, because it is the only thing we ask of you.

--=\\Contents\\=--

0.0  - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Authors
0.04 - Shouts
0.05 - Writing
1.00 - News
1.01 - Heathen.A Is at the Gates
1.02 - Leave it to Clever to Hack
1.03 - Harvard Caught in Hacker Crossfire
1.04 - Cyberwar and Sabotage
1.05 - Network Solutions Cracked
1.06 - 3 Blind hackers
2.00 - Exploits (new & older)
2.01 - cablemode.ip.hijack.txt
2.02 - cfingerd.bof.txt
2.03 - domino.txt
3.00 - Misc
  SAY.W  - SAY WHAT? Various quotes that might be humorous, stupid, true, or just
           plain making fun of something or someone.
  FEAT.S - FEATURED SITES:
           www.thepoison.org/hosting
           www.403-security.org
           www.hackernews.com

------------------------------

**************************************************
   http://www.thepoison.org/hosting
   Low affordable pricing starting at $10!
**************************************************

0.01 --=\\What?\\=--

What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because
that would be wrong. We don't claim to be a hacking magazine. All Antidote is, basically,
is current news and happenings in the underground world. We aren't going to teach you
how to hack or anything, but we will supply you with the current information and
exploits. Mainly Antidote is just a magazine for people to read if they have some extra
time on their hands and are bored with nothing to do. If you want to read a magazine
that teaches you how to hack etc., then you might want to go to your local bookstore
and see if they carry '2600'.

------------------------------

0.02 --=\\FAQ\\=--

Here are a lot of questions that we seem to receive a lot, or our "Frequently Asked
Questions". Please read this before e-mailing us with questions, and if the question
isn't on here or doesn't make sense, then you can e-mail us with your question.

> What exactly is "Antidote"?

See section 0.01 for a complete description.

> I find that Antidote is not for the beginner and does not teach you the basics, why
  is that?

Antidote is for everyone; all we basically are is a news ezine that comes out once a
week with the current news, exploits, flaws and even programming. All of the articles
that are in here are received second hand (sent to us) and we very rarely edit anyone's
articles.
> I just found Antidote issues on your webpage, is there any way I can get them sent to
  me through e-mail?

Yes, if you go to www.thepoison.org/antidote there should be a text box where you can
input your e-mail address. You will receive a link to the current Antidote (where you
can view it).

> If I want to submit something, are there any 'rules'?

Please see section 0.03 for a complete description.

> If I submitted something, can I remain anonymous?

Yes. Just make sure that you specify what information about yourself you would like to
be published above your article (when sending it to us) and we will do what you say.

> I submitted something and I didn't see it in the current/last issue, why is that?

It could be that someone else wrote something similar to what you wrote and they sent
it to us first. If you sent us something and we didn't e-mail you back, then you might
want to send it again because we probably didn't get it (we respond to all e-mails no
matter what). We might use your article in future issues of Antidote.

> Can I submit something that I didn't "discover" or "write"?

Yes you can, we take information that is written by anyone, regardless of whether you
wrote it or not.

Well, that's it for our FAQ. If you have a question that is not on here, or the
question is on here and you had trouble understanding it, then please feel free to
e-mail lordoak@thepoison.org and he will answer your question. This FAQ will probably
be updated every month.

------------------------------

0.03 --=\\Authors\\=--

Lord Oak is the founder and current president of Antidote. Most work is done by him.
Please feel free to e-mail him at: lordoak@thepoison.org

Duece is the co-founder and co-president of Antidote; some work is done by him when he
comes online. Feel free to e-mail him at: duece@thepoison.org

ox1dation is not really an author, just someone that helps us out a lot, and we consider
him an author!
His e-mail address is: ox1dation@thepoison.org

------------------------------

0.04 --=\\Shouts\\=--

These are just some shout outs that we feel we owe to some people. Some are individuals
and some are groups in general. If you are not on this list and you feel that for some
reason you should be, then please contact Lord Oak and he will post you on here, and we
are sorry for the misunderstanding. Well, here are the shout outs:

Lord Oak EazyMoney Duece opt1mus oX1dation PBBSER Forlorn Retribution 0dnek
www.thepoison.org

Like we said above, if we forgot you and/or you think you should be added, please
e-mail lordoak@thepoison.org and he will be sure to add you.

------------------------------

0.05 --=\\Writing\\=--

As many of you know, we are always open to articles/submissions. We will take almost
anything that has to do with computer security. This leaves you open for:

-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying
"www.xxx.com" was hacked... But if you have an opinion about the hacks, that is fine.
If you have any questions about what is "acceptable" and not, please feel free to
e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it.

Also, please note that if we receive two e-mails with the same topic/idea then we will
use the one that we received first. So it might be a good idea to e-mail one of us and
ask us if someone has written about/on this topic, so that way you don't waste your
time on writing something that won't be published. An example of this would be: if Joe
sends me an e-mail with the topic being on hacking hotmail accounts on Thursday, and
then Bill sends us an e-mail on hacking hotmail accounts on Sunday, we will take Joe's
article because he sent it in first.
But keep in mind, we might use your article for the next issue!

If you have something that you would like to submit to Antidote, please e-mail
lordoak@thepoison.org or duece@thepoison.org and one of us will review the article and
put it in Antidote (if we like it).

------------------------------

 _________________________________
(   http://www.403-security.org   )
(  For the latest hacks and news  )
(_________________________________)

1.01 --=\\Heathen.A Is at the Gates\\=--
[www.pcworld.com]

Network Associates' Anti-Virus Emergency Response Team is warning users about what it
terms a "medium risk" virus called Heathen.A.

Heathen.A is a multipartite virus, as it uses two classes of files, an .exe portion and
a .doc portion, for its infection. The virus was originally spread from a newsgroup and
replicates itself across Microsoft Word 97 files, but it does not destroy data.

"It's delivered if someone receives an e-mail with an infected Word 97 document, or if
they access any server file that is infected," says Allison Taylor, product marketing
manager for corporate antivirus solutions at Network Associates. "It doesn't carry a
particular payload except for dropping a patch into your [Windows] 95/98 shell."

"It runs a modified version of your Windows Explorer system and then infects the Word
97 documents," Taylor explains. "So once you've been infected, any Word 97 file that
you open from then on will also be infected."

The macro drops three system files, heathen.vex, heathen.vdl, and heathen.vdo, into a
system's C:/Windows subdirectory. When the system is rebooted, the heathen.vex file is
renamed explorer.exe, according to AVERT Labs.

NAI has assigned the Heathen.A virus a medium-risk level as it is not engineered to
appear to be coming from a known user, and because it infects new systems only if a
user opens an infected Word 97 file.
Heathen.A does not send itself through e-mail as Melissa and Worm.ExploreZip do.

NAI has issued a virus update to protect against the Heathen.A virus at AVERT Labs' Web
site.

http://www.pcworld.com/pcwtoday/article/0,1510,11586,00.html

------------------------------

1.02 --=\\Leave it to Clever to Hack\\=--
[www.cbs.com]

The term "computer hacker" used to refer to geeks who wreak havoc in cyberspace. But,
in a fit of fury against her husband, who she felt was spending too much time on-line,
Kelli Michetti redefined the term. Wielding a meat cleaver, she hacked his computer,
say Ohio authorities.

Investigators say the 29-year-old Michetti was fed up with her husband, because he was
constantly online, often talking to other women through the Internet. Michetti first
tried to cut the power, then attacked the computer with her cleaver. She pleaded no
contest to a couple of minor charges and was fined $200.

http://www.cbs.com/flat/story_164947.html

------------------------------

1.03 --=\\Harvard Caught in Hacker Crossfire\\=--
[www.zdnet.com]

On Wednesday, the Cambridge, Mass., university removed an independent security Web
site known as Packet Storm, which it had been mirroring on its servers for only 10
days.

The reason: a directory of material hidden in the Web site, and thus on Harvard's
servers, that had "sexually related material and personal attacks on an individual not
affiliated with the University," said Joe Wrinn, director of news and public affairs
for Harvard, in a statement released by Harvard on Thursday.

"We agreed to have a site that had security-related materials only," said Wrinn. "Both
parties involved were using us in a way that was completely inappropriate."

Ken Williams, a North Carolina State University employee and the Webmaster of Packet
Storm, angrily refuted the allegations.

"This statement is incorrect, and even libelous itself by implying that I had 'sexually
related material' on the server," he wrote in an e-mail. "I never did!"
According to Williams, the directory -- labeled "/jp" because it was a collection of
material satirizing AntiOnline founder and chief John P. Vranesevich -- had a parody of
the AntiOnline site. But others familiar with the site said that the parody also
contained photos of nude women that were intended to be more sarcastic than sexual.

Harvard obviously didn't get the joke. Harvard's Wrinn did not know specifically what
sort of "sexual" content was contained on the site.

Harvard in the hot seat --

"We are in the middle of this and it's inappropriate," said Harvard's Wrinn, sounding
distinctly uncomfortable with the attention that the issue was attracting. Harvard
intends to send the complete contents of the site back to Williams so that he can post
it elsewhere.

No wonder: Packet Storm wasn't just a small-time site -- it had been the place to go
for both hackers and security experts to get up-to-date security information.

"Packet Storm was a huge compilation of security tools," said Brian Martin, known as
"Jericho," one of the Webmasters at hacker news and information site Attrition.org. "It
was updated daily with tools. It was always there."

Among organizations that used and mirrored the site: the Department of Defense and the
Federal Bureau of Investigation, claimed Webmaster Williams.

'I didn't have an anti-J.P. Temple of Hate' --

Yet, Williams had also sided with many others in hacker circles who have been waging a
war -- mainly of words -- against AntiOnline's Vranesevich and his latest ally, Carolyn
Meinel, security researcher and webmaster of The Happy Hacker.

"I didn't have an anti-J.P. Temple of Hate or anything," said Williams. "But there are
companies, organizations, and individuals out there that [we believe] are black-eyes of
the industry." So, Williams attached a non-public directory to the Web site that
archived parodies and criticisms of AntiOnline's founder.
The directory represented a single facet of a complex war of image in the hacker
not-so-underground. For the most part, AntiOnline and its main foe, Attrition.org, have
squared off with conflicting allegations of slander, libel and plagiarism.

Hitting close to home --

For AntiOnline's Vranesevich, the directory buried inside of the Packet Storm site hit
a little too close to home.

"I can understand a parody -- I have no problem with that," said the 20-year-old
Pennsylvania Webmaster, adding that he thought Williams crossed the line into poor
taste by adding high school yearbook pictures of Vranesevich and his family to the
online archive.

Williams acknowledged that the photos had been put up, but that since they had come
from a source already online, the Packet Storm Webmaster thought the pictures were fair
game.

Vranesevich's answer? The Webmaster notified Harvard of the hidden directory in a
letter to the university's provost -- and Harvard quickly took the site down.

Did Harvard act too quickly? --

B.K. DeLong, a Boston-based computer security consultant, thought Harvard acted too
quickly. "I am kind of disappointed that an institution like Harvard was so quick to
pull the plug just to avoid a potential suit," he said.

Yet, Harvard wasn't the only one to act quickly. By late Wednesday night, the Keebler
Elves -- the cybergang that claimed responsibility for hacking into the National
Oceanic and Atmospheric Administration last week -- defaced another government Web site
with the news.

"Now, because [of] JP ... Packetstorm is no more, and never will be again," the hacked
site lamented.

Unnamed hackers also struck at AntiOnline more directly. AntiOnline's site came under a
denial-of-service attack -- which floods a particular site with random data -- so
severe that its Internet service provider pulled the site for almost 12 hours on
Thursday, said Vranesevich.

Ugly threats --

Other attacks were even less friendly.

"I have received more death threats in the last 24 hours by phone than I have in five
years," he said.

Not quite an apology, Vranesevich added that he never intended the entire Packet Storm
site to be taken down.

"I know what it's like to have the university stomp its foot down on you. When I was a
student at the University of Pittsburgh, I had my Web site shut down," he said. "But I
never threatened anyone."

In his mind, the contents of "/jp" did.

http://www.zdnet.com/zdnn/stories/news/0,4586,2287456-2,00.html

------------------------------

1.04 --=\\Cyberwar and Sabotage\\=--
[www.newsweek.com]

Covert action is seductive to policymakers in a bind. When diplomacy fails and force
falls short, presidents often turn to the CIA for secret solutions to vexing problems.
Unable to make the air war against Serbian leader Slobodan Milosevic effective, and
unwilling to invade with ground troops, President Clinton has decided to try a
clandestine third way. Earlier this month national-security adviser Sandy Berger
presented Clinton with a covert plan to squeeze Milosevic. The president liked the
idea. Senior intelligence officials tell NEWSWEEK that last week Clinton issued a
"finding," a highly classified document authorizing the spy agency to begin secret
efforts "to find other ways to get at Milosevic," in the words of one official.

Two weeks ago Berger secretly briefed members of the House and Senate Intelligence
committees about the details of the two-part plan. According to sources who have read
the finding, the CIA will train Kosovar rebels in sabotage: age-old tricks like cutting
telephone lines, blowing up buildings, fouling gasoline reserves and pilfering food
supplies, in an effort to undermine public support for the Serbian leader and damage
Yugoslav targets that can't be reached from the air. That much is unsurprising.
But the CIA has also been instructed to conduct a cyberwar against Milosevic, using
government hackers to tap into foreign banks and, in the words of one U.S. official,
"diddle with Milosevic's bank accounts."

The finding was immediately criticized by some lawmakers who questioned the wisdom and
legality of launching a risky covert action that, if discovered, could prolong the war,
alienate other NATO countries and possibly blow back on the United States. Under the
finding, the allies were to be kept in the dark about the plan. Other members of
Congress privy to the finding wondered about its timing. Why did Clinton authorize the
operation just as diplomats had begun making progress on a peace agreement?

The White House declined to comment on the finding, and NEWSWEEK does not have access
to the entire document. But some intelligence officials with knowledge of its contents
worry that the finding was put together too hastily, and that the potential
consequences haven't been fully thought out. "If they pull it off, it will be great,"
says one government cyberwar expert. "If they screw it up, they are going to be in a
world of trouble."

http://www.newsweek.com/nw-srv/printed/us/in/in0922_1.htm

------------------------------

1.05 --=\\Network Solutions Cracked\\=--
[www.wired.com]

Network Solutions was reeling Friday from an attack on its Web servers that redirected
users visiting its Web site to other locations.

"The FBI and Network Solutions are cooperating in determining the location" of the
attack, said Network Solutions spokesman Brian O'Shaughnessy. "It was a DNS modify that
was sent through the system that was accomplished by spoofing."

He means that the IP addresses for Network Solutions servers were altered in the domain
name system servers with a falsified template, so that Web browsers requesting the
sites were instead sent to the IP address of another site.
Network Solutions fixed the IP address Friday morning, but the changes will take some
time to reach the domain name servers spread across the Net. Until that "emergency zone
release" propagates, users visiting three Network Solutions sites --
Networksolutions.com, netsol.com, and dotpeople.com -- may be redirected to the Web
sites of the Internet Corporation for Assigned Names and Numbers and the Internet
Council of Registrars (CORE), he said.

It is unclear exactly how long the crack has been in effect. "We are aware of the
problem and have been looking into it for a while," wrote Scott Hollenbeck, a Network
Solutions staffer, in an email to CORE early Friday morning.

O'Shaughnessy said the source of the attack originated at a computer owned by
SoftAware, an ISP located in the same building as ICANN in Marina del Rey, California.
The attack was done through either physical or virtual access to one of their machines.

"We've corrected it," O'Shaughnessy said. "It should take about 24 hours before
everything's resolved."

Jim Rutt, CEO of Network Solutions, said that investigators were working with
preliminary evidence only and that the perpetrator has covered his tracks well. "It is
easy to leave a breadcrumb trail," he said. "It is a famous hacker trick" to launch an
attack from behind multiple servers.

But Patrick Greenwell, Internet architect for DSL provider Telocity, said the blame
might lie elsewhere.

"NSI could be culpable in that they have not pushed for the implementation of DNS Sec,
which is a security measure for these types of things," he said. "It requires
authentication."

Greenwell said that his analysis was based only on what little preliminary information
was available, but that he believed the fault could largely be pinned on the Berkeley
Internet Name Daemon, or BIND. BIND is an implementation of DNS protocols, which
Greenwell said are inherently insecure.
Because the software operates on the vast majority of DNS servers across the Internet,
upgrading it would be difficult to do while maintaining backward compatibility.

"While it's unfortunate that this happened, I don't think it would be fair to point the
finger at NSI," he said. "DNS is an inherently insecure protocol."

"This has nothing to do with BIND," O'Shaughnessy said.

Domain name addresses can be authenticated through varying levels of security, from a
simple email method, to a password-protection scheme, to powerful PGP encryption.
O'Shaughnessy said he could not immediately determine what method of security Network
Solutions uses to secure its own domain name data.

O'Shaughnessy added that the attack was reminiscent of one carried out by Eugene
Kashpureff, who pleaded guilty in March of 1998 to one count of computer fraud for
exploiting an NSI security hole.

The Internet Council of Registrars, one of five registrars participating in the initial
test period for domain competition, posted a statement on its Web site saying that it
"strongly condemns these acts and may take legal action against the perpetrators."

ICANN also condemned the crack as "an attempt to undermine the stability of the domain
name system." The group has said it will cooperate with any investigation into the
matter.

http://www.wired.com/news/news/technology/story/20567.html

------------------------------

1.06 --=\\3 Blind hackers\\=--
[www.globaltechnology.com]

Three blind Arab brothers are facing charges for allegedly hacking into some of
Israel's most sensitive computer systems.

The three young men allegedly broke into the computer systems and telephone
switchboards of scores of Israeli institutions, including the Mossad intelligence
agency and the Shin Bet security service.

Muzher, Munzer and Shadi Budair, from the village of Kafr Qasem, appeared in Tel Aviv
district court yesterday and are being held in custody on charges related to computer
theft.
Police allege that the brothers listened in on sensitive telephone conversations,
intercepted classified information and passed it on to the Palestinian Authority and
military intelligence officers from Egypt and Jordan.

The brothers, each born blind, are reputed to be computer geniuses. Police said they
were amazed to discover during a search of the Budair home last month that none of
their equipment included special tools for the blind.

The brothers have refused to co-operate with the police and deny all allegations
against them. They are represented by lawyer Avigdor Feldman, who has defended many
security prisoners, including Mordechai Vanunu, jailed 12 years ago for giving away
Israeli nuclear secrets.

Mr. Feldman said most of the evidence against the Budairs has been classified as
"secret material" and he still doesn't know all the details of the charges. The
prosecutor told the court yesterday that he intends to summon more than 165 witnesses
to give evidence against the brothers.

Police suspect them of stealing thousands of dollars worth of telephone calls abroad on
behalf of friends calling the Persian Gulf states. They are also suspected of making
thousands of dollars worth of illegal purchases by way of the Internet and by hacking
into the computer systems of Israel's television shopping channel.

According to sources close to the interrogation, Muzher, 23, and Munzer, 22, have in
the past few years visited a number of Arab countries, where they contacted security
and military officials and offered to share information gleaned from hacking into the
computers of some of Israel's most sensitive security bodies, including the Mossad.

The youngest brother, Shadi, is described as a minor under the age of 18, although his
exact age is unclear. He faces charges of obstructing justice.

Police Detective David Osmo, the officer in charge of the investigation, alleged that
the brothers had been involved in illegal activity since at least 1996.

"They have unique technological ability and knowledge and a complete mastery of
communications and computers," he said. "Their skill has made it all the more difficult
to collect the evidence against them."

Their mother, Halima, said her sons had done nothing wrong. "I'm sure of their
innocence," she said. "They are at home 24 hours a day and have never broken the law. I
know my sons very well. This is not the first time that the police have raided our
home. This time, they confiscated all the cellular phones and the computers. I believe
they are doing this only because we are Arabs."

Relatives of the Budairs say the three young men have been the target of repeated
police arrests over the past four years.

Kamel Issa, a teacher from the village school where Munzer and Muzher studied,
described the brothers as "very ambitious young men with a remarkable influence on
others." He said they invented a secret language, intelligible only to them.

http://www.globetechnology.com/gam/News/19990702/UHACKN.html

------------------------------

2.01 --=\\cablemode.ip.hijack.txt\\=--

The purpose of this is to show you how bad cable modem security is, and that even with
a Win box you can take someone else's IP. You can hijack IPs using a cable modem and
it's very simple in any operating system. Just follow the steps:

1) Choose someone's IP that you wish to have. Make sure the IP is on the same network.
   Most cable modem providers use DHCP. The first thing you have to do is find the
   victim's IP. Remember the victim's IP has to be in the same network and with the
   same service provider for this to work.

2) Now this is probably the hardest thing in this file (but it's still easy): you have
   to wait until the victim's computer is off, or you can Smurf kill his connection.
   When you think his computer is off-line just try to ping it to see if you get a
   response. Do this by going to a DOS prompt and typing ping (victim's IP). If you get
   a response then you have to try harder.
   After you get his PC off-line then you go into your network properties and edit the
   IP settings, but instead of having yours there you put the victim's IP, host, and
   domain.

3) Restart. If you restart and you get an IP conflict this means that the victim's
   computer is on; if you don't get an IP conflict then try to go to your web browser
   and see if it works. With some cable modem providers you might have to also add the
   Gateway, Subnet mask (255.255.55.0), Host, DNS search, and Domain.

Now you can go. Everything will work until the victim's PC is back on. Once it is back
online it will take the IP away, because it will tell you that you have the wrong MAC
address.

*Linux*

This is also possible in Linux, but is not the best way. You can change your MAC
address to the victim's PC's and this is more secure and much easier. There are a
couple of scripts to change your address, just look around.

Warning: Some cable modem service providers will know when you're using the wrong IP,
but hey, it might be useful.

Copyright (c) 1999 Wildman
www.hackcanada.com

------------------------------

2.02 --=\\cfingerd.bof.txt\\=--

Hi, there is a remote buffer overflow in cfingerd 1.3.2 in search_fake():

    int search_fake(char *username)
    {
        char parsed[80];

        bzero(parsed, 80);
        sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
        ...

called from process_username(), which is called from main():

    int main(int argc, char *argv[])
    {
        char username[100], syslog_str[200];
        ...
        if (!emulated) {
            if (!fgets(username, sizeof(username), stdin)) {
        ...
        /* Check the finger information coming in and return its type */
        un_type = process_username(username);

See parsed[80] and username[100]. Anyway, search_illegal() is called before
search_fake(), so only [A-z0-9] and many other chars can be used in order to execute
arbitrary code. Debian is not vulnerable because a patch fixes this and other cfingerd
weaknesses (I think it's an example of bad coding), but searching the bugtraq archive I
haven't found anything.
I take the opportunity to inform you that I'm developing a secure (I hope) finger
daemon: mayfingerd. In order to make mayfingerd more portable I need some unprivileged
accounts on hosts running *BSD, Solaris, AIX etc. Can Bugtraq readers help me? I hope
it will be released together with hping2 next month.

Sorry for my bad English forever :)

antirez

------------------------------

2.03 --=\\domino.txt\\=--

This information was forwarded to Security Focus by someone that requested to be
anonymous.

http://www.l0pht.com/advisories/domino3.txt

It seems nine months after L0pht posted their advisory on file view problems in Lotus
Notes, the problem is alive and well. So well in fact that doing a simple query via a
search engine found dozens of *very* high profile web servers open. Everything from
military sites, political parties, police departments and even software vendors.

This is a follow-up to the Advisory published by the L0pht in October 1998.

Data that can be accessed by unauthorized users may include: usernames, server names
and IP addresses, dial-up server phone numbers, administration logs, file names, and
data files (including credit card information, proprietary corporate data, and other
information stored in eCommerce related databases). In some instances, it may be
possible for an unauthorized user to modify these files or perform server
administration functions via the web administration interface.

The directory browsing "feature" is invoked when a user appends "?open" to a Domino
URL, e.g. http://www.example.com/?open. If the server is vulnerable, it will display
the contents of the webroot directory. In situations where multiple web sites are
hosted on the same server, the unauthenticated user may be able to view data from any
of these virtual servers.

This configuration weakness can be corrected by disabling database browsing. The Lotus
documentation suggests:

1. From the Domino Administrator, click the Configuration tab, and open the Server
   document.
2. Click the Internet Protocols - HTTP tab.
3. In the "Allow HTTP clients to browse databases" field, choose No.
4. Save the document.

The database access issue is caused by improper ACLs over sensitive .nsf files on the
Domino server. For example, an unauthorized user may attempt to access the Name and
Address Book by appending the database name to the Domino Server URL:
http://example.com/names.nsf (this syntax invokes an explicit ?open command). User
created databases containing any variety of public or non-public information may be
read if proper ACLs are not placed on these files.

The following system files are potentially vulnerable: admin4.nsf, webadmin.nsf,
certlog.nsf, log.nsf, names.nsf, catalog.nsf, domcfg.nsf, and domlog.nsf. These files
contain a wealth of information that may allow an unauthorized user to penetrate
additional hosts and/or networks. In some instances, these files may be modified by the
attacker to change the intended behavior of the web site. One particular example, cited
by the L0pht in a January 1998 Advisory, demonstrates the ability to completely
redirect all traffic destined for the vulnerable web site to a third party "evil" web
site.

To remedy this problem, it is suggested that each site running Domino web servers
verify that proper ACLs have been placed on both custom and system related .nsf files.
These recommendations should be considered not only for Internet connected Domino
servers, but also for corporate Intranet servers.

Aleph One
aleph1@underground.org

------------------------------

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
.                                                                     .
.   Quote #5-                                                         .
.                                                                     .
.   "I'm like addicted to lying... I do it so I can get what I want"  .
.                                                            -JP      .
.                                                                     .
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
_|   Antidote is an HNN Affiliate     _|
_|   http://www.hackernews.com        _|
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|

All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.org] and permission
is needed before using.
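The cfingerd 1.3.2 overflow in section 2.02 comes from an unbounded "%[^.]" scanset copying a username of up to 99 bytes (fgets into username[100]) into the 80-byte parsed[] buffer. The hardened parsing below is an added example, not cfingerd's code or its Debian fix and not from antirez's post; the request strings it works on are constructed.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_LEN 100   /* char username[100] in cfingerd's main()      */
#define PARSED_LEN    80   /* char parsed[80] in cfingerd's search_fake()  */

/* Length of the prefix that "%[^.]" would copy out of 'username':
 * everything up to the first '.', or the whole string if there is none.
 * fgets() into username[100] allows 99 bytes, while parsed[] holds only
 * 79 plus a terminator: that gap is the overflow described in 2.02. */
int fake_prefix_fits(const char *username)
{
    return strcspn(username, ".") < PARSED_LEN;
}

/* Hardened replacement for the search_fake() parsing (added example,
 * not cfingerd's own fix).  Two defences, either of which alone suffices:
 *  - an explicit length check, so over-long requests are rejected and
 *    can be logged rather than silently truncated to a guessed name;
 *  - a width-limited scanset, "%79[^.]", so sscanf() can never write
 *    past the 80-byte buffer even if the check above were removed.
 * Returns 1 if a user prefix was parsed into 'parsed', 0 otherwise. */
int search_fake_safe(const char *username, char parsed[PARSED_LEN])
{
    memset(parsed, 0, PARSED_LEN);
    if (!fake_prefix_fits(username))
        return 0;
    /* Same grammar as the original, user[.host]\r\n, but bounded. */
    return sscanf(username, "%79[^.].%*[^\r\n]\r\n", parsed) == 1;
}

/* Convenience wrapper: the parsed prefix (static storage) or NULL. */
const char *fake_prefix(const char *username)
{
    static char parsed[PARSED_LEN];
    return search_fake_safe(username, parsed) ? parsed : NULL;
}

/* Constructed worst case: 99 non-dot bytes, the most fgets() into
 * username[100] can deliver.  Returns 1 if the request is rejected. */
int long_request_rejected(void)
{
    char request[USERNAME_LEN];
    memset(request, 'A', USERNAME_LEN - 1);
    request[USERNAME_LEN - 1] = '\0';
    return fake_prefix(request) == NULL;
}

/* Constructed boundary case: 79 bytes fill parsed[] exactly, leaving
 * room for the terminator.  Returns the length actually parsed. */
size_t longest_accepted_prefix(void)
{
    char request[PARSED_LEN];
    memset(request, 'B', PARSED_LEN - 1);
    request[PARSED_LEN - 1] = '\0';
    const char *p = fake_prefix(request);
    return p ? strlen(p) : 0;
}

int main(void)
{
    const char *p = fake_prefix("user.example.org\r\n");   /* constructed */
    printf("user.example.org -> %s\n", p ? p : "(rejected)");
    printf("99 x 'A'         -> %s\n",
           long_request_rejected() ? "rejected" : "ACCEPTED");
    printf("79 x 'B'         -> %zu bytes parsed\n", longest_accepted_prefix());
    return 0;
}
```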
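For the Domino exposure in section 2.03, a site can watch its web server logs for the two request shapes the advisory describes: "?open" appended to a URL, and direct requests for the system .nsf databases it lists. This detection is an added example, not from the advisory or from Lotus; the common-log-format lines are constructed, and the database list is the one given in 2.03.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define FLAG_BROWSE    1   /* "?open" query: database/directory browsing */
#define FLAG_SYSTEM_DB 2   /* request names one of the system .nsf files */

/* The system databases listed in section 2.03. */
static const char *SYSTEM_NSF[] = {
    "admin4.nsf", "webadmin.nsf", "certlog.nsf", "log.nsf",
    "names.nsf", "catalog.nsf", "domcfg.nsf", "domlog.nsf", NULL
};

/* Constructed common-log-format lines; nothing here is from a real server. */
static const char *SAMPLE_LOG[] = {
    "10.0.0.5 - - [08/Jul/1999:10:12:01 -0400] \"GET /index.html HTTP/1.0\" 200 512",
    "10.0.0.9 - - [08/Jul/1999:10:12:07 -0400] \"GET /?open HTTP/1.0\" 200 2048",
    "10.0.0.9 - - [08/Jul/1999:10:12:30 -0400] \"GET /names.nsf HTTP/1.0\" 200 9876",
    "10.0.0.9 - - [08/Jul/1999:10:13:02 -0400] \"GET /sales/Blog.nsf?Open HTTP/1.0\" 200 4096",
    NULL
};

/* ASCII case-insensitive: do the n bytes at a equal the whole string b? */
static int eq_ci(const char *a, size_t n, const char *b)
{
    if (strlen(b) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Classify a request target such as "/?open" or "/names.nsf".  The database
 * name is matched as a whole path segment, so "blog.nsf" does not trip the
 * "log.nsf" rule; comparisons are case-insensitive, as Domino URLs are. */
int classify_target(const char *target)
{
    int flags = 0;
    const char *query = strchr(target, '?');
    size_t path_len = query ? (size_t)(query - target) : strlen(target);

    if (query && eq_ci(query + 1, strlen(query + 1), "open"))
        flags |= FLAG_BROWSE;

    const char *seg = target;                  /* start of last path segment */
    for (const char *p = target; p < target + path_len; p++)
        if (*p == '/')
            seg = p + 1;
    size_t seg_len = (size_t)(target + path_len - seg);
    for (const char **db = SYSTEM_NSF; *db; db++)
        if (eq_ci(seg, seg_len, *db)) {
            flags |= FLAG_SYSTEM_DB;
            break;
        }
    return flags;
}

/* Pull the request target out of a common-log-format line (the second token
 * inside the first quoted string) and classify it.  Lines that do not parse
 * return 0 rather than guessing. */
int classify_log_line(const char *line)
{
    char target[2048];
    const char *quote = strchr(line, '"');
    if (!quote)
        return 0;
    const char *method_end = strchr(quote + 1, ' ');
    if (!method_end)
        return 0;
    const char *start = method_end + 1;
    const char *end = strpbrk(start, " \"");
    if (!end || (size_t)(end - start) >= sizeof target)
        return 0;
    memcpy(target, start, (size_t)(end - start));
    target[end - start] = '\0';
    return classify_target(target);
}

/* Number of sample lines that trip at least one rule. */
int count_flagged(void)
{
    int n = 0;
    for (const char **line = SAMPLE_LOG; *line; line++)
        if (classify_log_line(*line))
            n++;
    return n;
}

int main(void)
{
    for (const char **line = SAMPLE_LOG; *line; line++) {
        int f = classify_log_line(*line);
        printf("%s%s| %s\n", (f & FLAG_BROWSE) ? "[browse] " : "",
               (f & FLAG_SYSTEM_DB) ? "[system-db] " : "", *line);
    }
    return 0;
}
```

Matching is done on the raw request target; a production version would URL-decode the target first so encoded variants are not missed.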