Copy Link
Add to Bookmark
Report

Antidote Vol. 02 Issue 11

eZine's profile picture
Published in 
Antidote
 · 22 Aug 2019

  

Volume 2 Issue 11
7/8/99


** **
***** * * ** *
* *** ** *** ** **
*** ** * ** **
* ** ******** ** **** ********
* ** *** **** ******** *** *** ** * *** * ******** ***
* ** **** **** * ** *** ********* * **** ** * ***
* ** ** **** ** ** ** **** ** ** ** * ***
* ** ** ** ** ** ** ** ** ** ** ** ***
********* ** ** ** ** ** ** ** ** ** ********
* ** ** ** ** ** ** ** ** ** ** *******
* ** ** ** ** ** ** ** ** ** ** **
***** ** ** ** ** ** ** ** ****** ** **** *
* **** ** * *** *** ** *** * ***** **** ** *******
* ** ** *** *** *** *** *****
*
** http://www.thepoison.org/antidote


bof_ptr = (long *)buffer;
for (i = 0; i < bufsize - 4; i += 4)
*(bof_ptr++) = get_sp() - offs;
printf ("Creating termcap f1le\n");
printf ("b1tch is Fe3lyn 1t.\n";


------------------------------

In this issue of Antidote, we have over 700 subscribers and getting more everyday! The
only thing that we ask of you when you read Antidote, is that you go to:

www.thepoison.org/popup.html

and click on our sponsors. One issue of Antidote takes us about a week to put together
and going to our sponsor only takes you about 15 seconds (if that). So please go visit
our sponsor because it is the only thing we ask of you.


--=\\Contents\\=--

0.0 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Authors
0.04 - Shouts
0.05 - Writing
1.00 - News
1.01 - Heathen.A Is at the Gates
1.02 - Leave it to Clever to Hack
1.03 - Harvard Caught in Hacker Crossfire
1.04 - Cyberwar and Sabotage
1.05 - Network Solutions Cracked
1.06 - 3 Blind hackers
2.00 - Exploits (new & older)
2.01 - cablemode.ip.hijack.txt
2.02 - cfingerd.bof.txt
2.03 - domino.txt
3.00 - Misc

SAY.W - SAY WHAT? Various quotes that might be humorous, stupid, true, or just
plane making fun of something or someone.
FEAT.S - FEATURED SITES:
www.thepoison.org/hosting
www.403-security.org
www.hackernews.com

------------------------------


**************************************************
________________________________________________
| ___ ___ __ __ |
| | | |.-----.-----.| |_|__|.-----.-----. |
| | || _ |__ --|| _| || | _ | |
| |___|___||_____|_____||____|__||__|__|___ | |
| http://www.thepoison.org/hosting |_____| |
| |
| Low affordable pricing starting at $10! |
|________________________________________________|

**************************************************



<!-- 0.00 - Beginning //-->

0.01 --=\\What?\\=--

What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, cause
that would be wrong. We don't claim to be a hacking magazine. All Antidote is, is
basically current news and happenings in the underground world. We aren't going to
teach you how to hack or anything, but we will supply you with the current information
and exploits. Mainly Antidote is just a magazine for people to read if they have some
extra time on there hands and are bored with nothing to do. If you want to read a maga-
zine that teaches you how to hack etc, then you might want to go to your local book-
store and see if they carry '2600'.

------------------------------


0.02 --=\\FAQ\\=--

Here are a lot of questions that we seem to recieve a lot, or our "Frequently Asked
Questions". Please read this before e-mailing us with questions and if the question
isn't on here or doesn't make sense, then you can e-mail us with your question.

> What exactly is "Antidote"?
See section 0.01 for a complete description.

> I find Antidote to not be shot for the beginner or does not teach you the basics,
why is that?
Antidote is for everyone, all we are basically is a news ezine that comes out once
a week with the current news, exploits, flaws and even programming. All of the
articles that are in here are recieved second hand (sent to us) and we very rarely
edit anyone's articles.

> I just found Antidote issues on your webpage, is there anyway I can get them sent
to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you can
input your e-mail address. You will recieve a link to the current Antidote (where you
can view it).

> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.

> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like
to be published above your article (when sending it to us) and we will do what you
say.

> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they sent
it to us first. If you sent us something and we didn't e-mail you back, then you
might want to send it again because we probably didn't get it (we respond to all e-
mails no matter what). We might use your article in future issues off Antidote.

> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless if you wrote it
or not.

Well thats it for our FAQ. If you have a question that is not on here or the question
is on here and you had trouble understanding it, then please feel free to e-mail
lordoak@thepoison.org and he will answer your question. This FAQ will probably be
updated every month.

------------------------------


0.03 --=\\Authors\\=--

Lord Oak is the founder and current president of Antidote. Most work is done by him.
Please feel free to e-mail him at: lordoak@thepoison.org
Duece is the co-founder and co-president of Antidote, some work is done by him when
he comes online. Feel free to e-mail him at: duece@thepoison.org
ox1dation not really an author, just someone that helps us out a lot and we consider
him as an author! His e-mail address is: ox1dation@thepoison.org

------------------------------


0.04 --=\\Shouts\\=--

These are just some shout outs that we feel we owe to some people. Some are individuals
and Some are groups in general. If you are not on this list and you feel that For some
reason you should be, then please contact Lord Oak and he will post you on here and we
are sorry for the Misunderstanding. Well, here are the shout outs:

Lord Oak EazyMoney
Duece opt1mus
oX1dation PBBSER
Forlorn Retribution
0dnek www.thepoison.org

Like we said above, if we forgot you and/or you think you should be added, please e-
mail lordoak@thepoison.org and he will be sure to add you.

------------------------------


0.05 --=\\Writing\\=--

As many of you know, we are always open to articles/submittings. We will take almost
anything that has to do with computer security. This leaves you open for:

-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying
"www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If
you have any questions about what is "acceptable" and not, please feel free to e-mail
Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please
note that if we recieve two e-mails with the same topic/idea then we will use the one
that we recieved first. So it might be a good idea to e-mail one of us and ask us if
someone has written about/on this topic so that way you don't waste your time on
writing something that won't be published. An example of this would be:

If Joe sends me an e-mail with the topic being on hacking hotmail accounts on
thursday.
And then Bill sends us an e-mail on hacking hotmail accounts on sunday, we will
take Joe's article because he sent it in first.

But keep in mind, we might use your article for the next issue! If you have something
that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or
duece@thepoison.org and one of us will review the article and put it in Antidote (if
we like it).

------------------------------


_________________________________
) ___ (
( //___/ / // ) ) // ) ) )
) /____ / // / / __ / / (
( / / // / / ) ) )
) / / ((___/ / ((___/ / (
( http://www.403-security.org )
) For the latest hacks and news (
(___________________________________)



<!-- 1.00 - News //-->

1.01 --=\\Heathen.A Is at the Gates\\=--

[www.pcworld.com]

Network Associates' Anti-Virus Emergency Response Team is warning users about what it
terms a "medium risk" virus called Heathen.A.

Heathen.A is a multipartite virus, as it uses two classes of files, an .exe portion and
a .doc portion, for its infection. The virus was originally spread from a newsgroup and
replicates itself across Microsoft Word 97 files, but it does not destroy data.

"It's delivered if someone receives an e-mail with an infected Word 97 document, or if
they access any server file that is infected," says Allison Taylor, product marketing
manager for corporate antivirus solutions at Network Associates. "It doesn't carry a
particular payload except for dropping a patch into your [Windows] 95/98 shell."

"It runs a modified version of your Windows Explorer system and then infects the Word
97 documents," Taylor explains. "So once you've been infected, any Word 97 file that
you open from then on will also be infected."

The macro drops three system files, heathen.vex, heathen.vdl, and heathen.vdo, into a
system's C:/Windows subdirectory. When the system is rebooted, the heathen.vex file is
renamed explorer.exe, according to AVERT Labs.

NAI has assigned the Heathen.A virus a medium-risk level as it is not engineered to
appear to be coming from a known user, and because it infects new systems only if a
user opens an infected Word 97 file. Heathen.A does not send itself through e-mail as
Melissa and Worm.ExploreZip do.

NAI has issued a virus update to protect against the Heathen.A virus at AVERT Labs' Web
site.

http://www.pcworld.com/pcwtoday/article/0,1510,11586,00.html
------------------------------


1.02 --=\\Leave it to Clever to Hack\\=--

[www.cbs.com]

The term "computer hacker" used to refer to geeks who wreck havoc in cyberspace. But,
in a fit of fury against her husband, who she felt was spending too much time on-line,
Kelli Michetti redefined the term.

Wielding a meat cleaver, she hacked his computer, say Ohio authorities.

Investigators say the 29-year-old Michetti was fed up with her husband, because he was
constantly online, often talking to other women through the Internet.

Michetti first tried to cut the power, then attacked the computer with her cleaver.

She pleaded no contest to a couple of minor charges and was fined $200.

http://www.cbs.com/flat/story_164947.html
------------------------------


1.03 --=\\Harvard Caught in Hacker Crossfire\\=--

[www.zdnet.com]

On Wednesday, the Cambridge, Mass., university removed an independent security Web site
known as Packet Storm, which it had been mirroring on its servers for only 10 days.

The reason: A directory of material hidden in the Web site, and thus on Harvard's
servers, that had "sexually related material and personal attacks on an individual not
affiliated with the University," said Joe Wrinn, director of news and public affairs
for Harvard, in a statement released by Harvard on Thursday.

"We agreed to have a site that had security-related materials only," said Wrinn. "Both
parties involved were using us in a way that was completely inappropriate."

Ken Williams, a North Carolina State University employee and the Webmaster of Packet
Storm, angrily refuted the allegations.

"This statement is incorrect, and even libelous itself by implying that I had 'sexually
related material' on the server," he wrote in an e-mail. "I never did!"

According to Williams, the directory -- labeled "/jp" because it was a collection of
material satirizing AntiOnline founder and chief John P. Vranesevich -- had a parody of
the AntiOnline site.

But others familiar with the site said that the parody also contained photos of nude
women that were intended to be more sarcastic than sexual. Harvard obviously didn't get
the joke. Harvard's Wrinn did not know specifically what sort of "sexual" content was
contained on the site.

Harvard in the hot seat
--

"We are in the middle of this and it's inappropriate," said Harvard's Wrinn, sounding
distinctly uncomfortable with the attention that the issue was attracting. Harvard
intends to send the complete contents of the site back to Williams so that he can post
it elsewhere.

No wonder: Packet Storm wasn't just a small-time site -- it had been the place to go
for both hackers and security experts to get up-to-date security information.

"Packet Storm was a huge compilation of security tools," said Brian Martin, known as
"Jericho," one of the Webmasters at hacker news and information site Attrition.org. "It
was updated daily with tools. It was always there."

Among organizations that used and mirrored the site: The Department of Defense and the
Federal Bureau of Investigation, claimed Webmaster Williams.

'I didn't have an anti-J.P. Temple of Hate'
Yet, Williams had also sided with many others in hacker circles who have been waging a
war -- of mainly -- words against AntiOnline's Vranesevich and his latest ally,
Caroline Meinel, security researcher and webmaster of The Happy Hacker.

"I didn't have an anti-J.P. Temple of Hate or anything," said Williams. "But there are
companies, organizations, and individuals out there that [we believe] are black-eyes of
the industry."

So, Williams attached a non-public directory to the Web site that archived parodies and
criticisms of AntiOnline's founder.

The directory represented a single facet of a complex war of image in the hacker not-
so-underground. For the most part, AntiOnline and its main foe, Attrition.org, have
squared off with conflicting allegations of slander, libel and plagiarism.

Hitting close to home
--

For AntiOnline's Vranesevich, the directory buried inside of the Packet Storm site hit
a little too close to home.

"I can understand a parody -- I have no problem with that," said the 20-year-old
Pennsylvania Webmaster, adding that he thought Williams crossed the line into poor
taste by adding high school yearbook pictures of Vranesevich and his family to the on-
line archive.

Williams acknowledged that the photos had been put up, but that since they had come
from a source already online, the Packet Storm Webmaster thought the pictures were fair
game.

Vranesevich's answer? The Webmaster notified Harvard of the hidden directory in a
letter to the university's provost -- and Harvard quickly took the site down.

Did Harvard act too quickly?
--

B.K. DeLong, a Boston-based computer security consultant, thought Harvard acted too
quickly.

"I am kind of disappointed that an institution like Harvard was so quick to pull the
plug just to avoid a potential suit," he said.

Yet, Harvard wasn't the only one to act quickly. By late Wednesday night, the Keebler
Elves -- the cybergang that claimed responsibility for hacking into the National
Oceanic and Atmospheric Administration last week -- defaced another government Web site
with the news.

"Now, because [of] JP ... Packetstorm is no more, and never will be again," the hacked
site lamented.

Unnamed hackers also struck at AntiOnline more directly. AntiOnline's site came under a
denial-of-service attack -- which floods a particular site with random data -- so
severe that its Internet service provider pulled the site for almost 12 hours on Thurs-
day, said Vranesevich.

Ugly threats
--

Other attacks were even less friendly. "I have received more death threats in the last
24 hours by phone, than I have in five years," he said.

Not quite an apology, Vranesevich added that he never intended the entire Packet Storm
site to be taken down.

"I know what it's like to have the university stomp its foot down on you. When I was a
student at the University of Pittsburgh, I had my Web site shut down," he said. "But I
never threatened anyone."

In his mind, the contents of "/jp" did.

http://www.zdnet.com/zdnn/stories/news/0,4586,2287456-2,00.html
------------------------------


1.04 --=\\Cyberwar and Sabotage\\=--

[www.newsweek.com]

Covert action is seductive to policymakers in a bind. When diplomacy fails and force
falls short, presidents often turn to the CIA for secret solutions to vexing problems.
Unable to make the air war against Serbian leader Slobodan Milosevic effective, and un-
willing to invade with ground troops, President Clinton has decided to try a cland-
estine third way. Earlier this month national-security adviser Sandy Berger presented
Clinton with a covert plan to squeeze Milosevic.

The president liked the idea. Senior intelligence officials tell NEWSWEEK that last
week Clinton issued a "finding," a highly classified document authorizing the spy
agency to begin secret efforts "to find other ways to get at Milosevic," in the words
of one official. Two weeks ago Berger secretly briefed members of the House and Senate
Intelligence committees about the details of the two-part plan. According to sources
who have read the finding, the CIA will train Kosovar rebels in sabotage age-old tricks
like cutting telephone lines, blowing up buildings, fouling gasoline reserves and
pilfering food supplies in an effort to undermine public support for the Serbian leader
and damage Yugoslav targets that can't be reached from the air. That much is unsurpris-
ing. But the CIA has also been instructed to conduct a cyberwar against Milosevic,
using government hackers to tap into foreign banks and, in the words of one U.S. off-
icial, "diddle with Milosevic's bank accounts."

The finding was immediately criticized by some lawmakers who questioned the wisdom and
legality of launching a risky covert action that, if discovered, could prolong the war,
alienate other NATO countries and possibly blow back on the United States. Under the
finding, the allies were to be kept in the dark about the plan. Other members of
Congress privy to the finding wondered about its timing. Why did Clinton authorize the
operation just as diplomats had begun making progress on a peace agreement? The White
House declined to comment on the finding, and NEWSWEEK does not have access to the
entire document. But some intelligence officials with knowledge of its contents worry
that the finding was put together too hastily, and that the potential consequences
haven't been fully thought out. "If they pull it off, it will be great," says one
government cyberwar expert. "If they screw it up, they are going to be in a world of
trouble."

http://www.newsweek.com/nw-srv/printed/us/in/in0922_1.htm
------------------------------


1.05 --=\\Network Solutions Cracked\\=--

[www.wired.com]

Network Solutions was reeling Friday from an attack on its Web servers that redirected
users visiting its Web site to other locations.

"The FBI and Network Solutions are cooperating in determining the location" of the
attack, said Network Solutions spokesman Brian O'Shaughnessy.
"It was a DNS modify that was sent through the system that was accomplished by
spoofing."

He means that the IP addresses for Network Solutions servers were altered in the domain
name system servers with a falsified template, so that Web browsers requesting the
sites were instead sent to the IP address of another site.

Network Solutions fixed the IP address Friday morning, but the changes will take some
time to reach the domain name servers spread across the Net.

Until that "emergency zone release" propagates, users visiting three Network Solutions
sites -- Networksolutions.com, netsol.com, and dotpeople.com -- may be redirected to
the Web sites of the Internet Corporation for Assigned Names and Numbers and the Inter-
net Council of Registrars (CORE), he said.

It is unclear exactly how long the crack has been in effect.

"We are aware of the problem and have been looking into it for a while," Scott
Hollenbech, a Network Solutions staffer, in an email to CORE early Friday morning.

O'Shaughnessy said the source of the attack originated at a computer owned by
SoftAware, an ISP located in the same building as ICANN in Marina del Rey, California.
The attack was either done through physical or virtual access to one of their machines.

"We've corrected it," O'Shaughnessy said. "It should take about 24 hours before every-
thing's resolved."

Jim Rutt, CEO of Network Solutions, said that investigators were working with prelimi-
nary evidence only and that the perpetrator has covered his tracks well.

"It is easy to leave a breadcrumb trail," he said. It is a famous hacker trick" to
launch an attack behind multiple servers.

But Patrick Greenwell, Internet architect for DSL provider Telocity, said the blame
might lie elsewhere.

"NSI could be culpable in that they have not pushed for the implementation of DNS Sec,
which is a security measure for these types of things," he said. "It requires authenti-
cation."

Greenwell said that his analysis was based only on what little preliminary information
was available, but that he believed the fault could largely be pinned on the Berkeley
Internet Name Daemon, or BIND.

BIND is an implementation of DNS protocols, which Greenwell said are inherently in-
secure. Because the software operates on the vast majority of DNS servers across the
Internet, upgrading it would be difficult to do while maintaining backward compatibil-
ity.

While it's unfortunate that this happened, I don't think it would be fair to point the
finger at NSI," he said. "DNS is an inherently insecure protocol."
"This has nothing to do with BIND," O'Shaughnessy said.

Domain name addresses can be authenticated through varying levels of security, from a
simple email method, to a password-protection scheme, to powerful PGP encryption.
O'Shaughnessy said he could not immediately determine what method of security Network
Solutions uses to secure its own domain name data.

O'Shaughnessy added that the attack was reminiscent of one carried out by Eugene
Kashpureff, who pleaded guilty in March of 1998 to one count of computer fraud for
exploiting <http://www.wired.com/wired/archive/6.04/kashpureff.html> an NSI security
hole.

The Internet Council of Registrars, one of five registrars participating in the initial
test period for domain competition, posted a statement on its Web site saying that it
"strongly condemns these acts and may take legal action against the perpetrators."
ICANN also condemned the crack as "an attempt to undermine the stability of the domain
name system." The group has said it will cooperate with any investigation into the
matter.

http://www.wired.com/news/news/technology/story/20567.html
------------------------------


1.06 --=\\3 Blind hackers\\=--

[www.globaltechnology.com]

Three blind Arab brothers are facing charges for allegedly hacking into some of
Israel's most sensitive computer systems.

The three young men allegedly broke into the computer systems and telephone switch-
boards of scores of Israeli institutions, including the Mossad intelligence agency and
the Shin Bet security service.

Muzher, Munzer and Shadi Budair, from the village of Kafr Qasem, appeared in Tel Aviv
district court yesterday and are being held in custody on charges related to computer
theft. Police allege that the brothers listened in on sensitive telephone conversations,
intercepted classified information and passed it on to the Palestinian Authority and
military intelligence officers from Egypt and Jordan.

The brothers, each born blind, are reputed to be computer geniuses. Police said they
were amazed to discover during a search of the Budair home last month that none of their
equipment included special tools for the blind.

The brothers have refused to co-operate with the police and deny all allegations against
them. They are represented by lawyer Avigdor Feldman, who has defended many security
prisoners, including Mordechai Vanunu, jailed 12 years ago for giving away Israeli
nuclear secrets.

Mr. Feldman said most of the evidence against the Budairs has been classified as "secret
material" and he still doesn't know all the details of the charges.

The prosecutor told the court yesterday that he intends to summon more than 165
witnesses to give evidence against the brothers.

Police suspect them of stealing thousands of dollars worth of telephone calls abroad on
behalf of friends calling the Persian Gulf states. They are also suspected of making
thousands of dollars worth of illegal purchases by way of the Internet and by hacking in
o the computer systems of Israel's television shopping channel.

According to sources close to the interrogation, Muzher, 23, and Munzer, 22, have in the
past few years visited a number of Arab countries, where they contacted security and
military officials and offered to share information gleaned from hacking into the compu-
ters of some of Israel's most sensitive security bodies, including the Mossad.

The youngest brother, Shadi, is described as a minor under the age of 18, although his
exact age is unclear. He faces charges of obstructing justice.

Police Detective David Osmo, the officer in charge of the investigation, alleged that
the brothers had been involved in illegal activity since at least 1996.

"They have unique technological ability and knowledge and a complete mastery of communi-
cations and computers," he said. "Their skill has made it all the more difficult to
collect the evidence against them."

Their mother, Halima, said her sons had done nothing wrong. "I'm sure of their inno-
cence" she said. "They are at home 24 hours a day and have never broken the law. I know
my sons very well. This is not the first time that the police have raided our home. This
time, they confiscated all the cellular phones and the computers. I believe they are
doing this only because we are Arabs."

Relatives of the Budairs say the three young men have been the target of repeated police
arrests over the past four years.

Kamel Issa, a teacher from the village school where Munzer and Muzher studied, described
the brothers as "very ambitious young men with a remarkable influence on others."

He said they invented a secret language, intelligible only to them.

http://www.globetechnology.com/gam/News/19990702/UHACKN.html
------------------------------




<!-- 2.00 - Exploits //-->

2.01 --=\\cablemode.ip.hijack.txt\\=--

The purpose of this is to show you how bad cable modems security is and that
even with a win box you can take someone else's IP. You can hijack IP's using
a cable modem and it's very simple in any operating system.

Just follow the steps:

1) Choose someone's IP that you wish to have. Make sure the IP is on the same
network. Most cable modem providers use DHCP. The fist thing you have to do is
find the victims IP. Remember the victims IP has to be in the same network and
with the same service provider for this to work.

2) Now this is probably the hardest thing in this file (but it's still easy),
you have to wait until the victims computer is off or you can Smurf kill his
connection. When you think his computer is off-line just try to ping it to see
if you get a response. Do this by going to a DOS prompt and typing ping
(victims IP). If you get a response then you have to try harder.

After you get his PC off-line then you go into your network properties and edit
the IP settings, but instead of having yours there you put the victims IP,
host, and domain.

3) Restart. If you restart and you get an IP conflict this means that the
victims computer is on, if you don't get an IP conflict then try to go to your
web browser and see if it works. With some cable modem providers you might have
to also add the Gateway, Subnet mask (255.255.55.0), Host, DNS search, and
Domain.


Now you can go. Everything will work until the victims PC is back on. Once it
is back online it will take the IP away because it will tell you that you have
the wrong Mac addresses.


*Linux*
This is also possible in Linux, but is not the best way. You can change your
Mac address to the victims PC and this is more secure and much easier. There
are a couple of scripts to change your address, just look around.


Warning: Some cable modem service providers will know when you're using the
wrong IP, but hey, it might be useful.


Copyright (c) 1999 Wildman
www.hackcanada.com
------------------------------


2.02 --=\\cfingerd.bof.txt

Hi,
there is a remote buffer over flow in cfingerd 1.3.2
in search_fake():

int search_fake(char *username)
{
char parsed[80];

bzero(parsed, 80);
sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
...


called from process_username(), that is called from main:

int main(int argc, char *argv[])
{
char username[100], syslog_str[200];
...

if (!emulated) {
if (!fgets(username, sizeof(username), stdin)) {

...
/* Check the finger information coming in and return its type */
un_type = process_username(username);


see parsed[80] and username[100].
Anyway search_illegal() is called before than search_fake()
so only [A-z0-9] and many other char can be used in oreder to
execute arbitrary code.

Debian is not vulnerable because a patch fix this and other
cfingerd weakness (i think it's an example of bad coding)
but searching in bugtraq archive i haven't found anything.

I take opportunity to inform that i'm developing a
secure (i hope) finger daemon: mayfingerd. In order to
make mayfingerd more portable i need some unprivileged
account in hosts running *BSD, Solaris, AIX etc. Bugtraq
readers can help me?

I hope it will be released together with hping2 the
next month.

Sorry for my bad english forever :)

antirez
------------------------------


2.03 --=\\domino.txt\\=--

This information was forwarded to Security Focus by someone
that requested to be anonymous.

http://www.l0pht.com/advisories/domino3.txt

It seems nine months after L0pht posted their advisory on file view
problems in Lotus Notes, the problem is alive and well. So well in fact
that doing a simple query via a search engine found dozens of *very* high
profile web servers open. Everything from Military sites, political
parties, police departments and even software vendors. This is a follow-up
to the Advisory published by the L0pht in October 1998.

Data that can be accessed by unauthorized users may include: usernames,
server names and IP addresses, dial-up server phone numbers,
administration logs, files names, and data files (including credit card
information, proprietary corporate data, and other information stored in
eCommerce related databases.) In some instances, it may be possible for
an unauthorized user to modify these files or perform server
administration functions via the web administration interface.

The directory browsing "feature" is invoked when a user appends "?open" to
a Domino URL. ex. http://www.example.com/?open. If the server is
vulnerable, it will display the contents of the webroot directory. In
situations where multiple web sites are hosted on the same server, the
unauthenticated user may be able to view data from any of these virtual
servers. This configuration weakness can be corrected by disabling
database browsing. The Lotus documentation suggests:

1. From the Domino Administrator, click the Configuration tab, and open
the Server document.
2. Click the Internet Protocols - HTTP tab.
3. In the "Allow HTTP clients to browse databases" field, choose No.
4. Save the document.

The database access issue is caused by improper ACLs over sensitive .nsf
files on the Domino server. For example, an unauthorized user may attempt
to access the Name and Address Book by appending the database name to the
Domino Server URL- http://example.com/names.nsf (this syntax invokes an
explicit ?open command). User created databases containing any variety of
public or non-public information may be read if proper ACLs are not placed
on these files.

The following system files are potentially vulnerable: admin4.nsf,
webadmin.nsf, certlog.nsf, log.nsf, names.nsf, catalog.nsf, domcfg.nsf,
and domlog.nsf. These files contain a wealth of information that may
allow an unauthorized user to penetrate additional hosts and or networks.
In some instances, these files may be modified by the attacker to change
the intended behavior of the web site. One particular example, cited by
the L0pht in a January 1998 Advisory, demonstrates the ability to
completely redirect all traffic destined for the vulnerable web site to a
third party "evil" web site.

To remedy this problem, it is suggested that each site running Domino web
servers verify that proper ACLs have been placed on both custom and system
related .nsf files. These recommendations should be considered not only
for Internet connected Domino servers, but also for corporate Intranet
servers.

Aleph One
aleph1@underground.org
------------------------------



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
. Quote #5- .
. .
. "I'm like addicted to lying... I do it so I can get what I want" .
. -JP .
. .
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
_| _|
_| _| _| _| _| _| _| _|
_| _| _| _|_| _| _|_| _| _|
_| _|_|_|_| _| _| _| _| _| _| _|
_| _| _| _| _|_| _| _|_| _|
_| _| _| _| _| _| _| _|
_| Antidote is an HNN Affiliate _|
_| http://www.hackernews.com _|
_| _|
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|

All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.prg] and permission
is needed before using.

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos from Google Play