Full Disclosure mailing list archives
Re: Bugtraq Security Systems XMAS Advisory 0001
From: Bugtraq Security Systems <research () bugtraq org>
Date: Thu, 25 Dec 2003 07:51:48 -0500 (EST)
Hi John!

We at Bugtraq Security Systems take great grievance in your accusations. Especially coming from such a prominent Interweb netizen as yourself.

As we nopsled around the digital frontier in these times of vigilance, we feel that frontier laws apply. Team Bugtraq Security thus challenges you to a duel at defcon 2004.

Furthermore, in light of your overall infosec excellence we would like to take this opportunity to point out your incredible skill level to our list reading friends:

[1] http://www.finchhaven.com/pages/incidents/ACK_hole.c.html

In light of this source code, Team Bugtraq Security would like to urge you to initialise len arguments yourself, instead of relying on a random stack value to make sure the 'bytes' read(2) len arg is initialised to a safe value, instead of relying on MB sized receive buffers. We suggest you start by reading the read(2) manual page (man 2 read).

We're sure that someone as mature as yourself will fix this remotely reachable overflow in this piece of security critical software as soon as possible. Of course, having discovered this dastardly issue Team Bugtraq Security would like full credit for saving you from future attacks.
Love,
Team Bugtraq Security

[1]

/* ACK_hole01.c - Sun Aug 11 13:00:54 PDT 2002
 * John Sage - jsage () finchhaven com
 *
 * A first attempt at a TCP/IP network data sink
 * along the lines of trafficrcv.c - see:
 * http://www.psc.edu/~web100/pathprobe/
 *
 * Now based upon WR Stevens tcpserv04.c
 * "UNIX Network Programming", p.128
 * modified to do nothing with packets received
 *
 * Version 0.0.4 - add EINTR error handling - Sun Aug 11 13:00:54 PDT 2002
 * Version 0.0.3 - add syslog logging - Sun Aug 11 07:13:38 PDT 2002
 * Version 0.0.2
 * It works; not sure what all of it does :-/
 * but it works: no zombies, no local ports
 * left hanging in CLOSE_WAIT as with trafficrcv.c
 *
 */

#include "unp.h"
#include "error.c"

#ifndef RCVBUFF
#define RCVBUFF (1024 * 1024)
#endif

/* USAGE */
static void usage(char name[])
{
    fprintf(stdout, "Usage: %s [-p port]\n",name);
}

/* SIGCHLD zombie killer, from UNP p.128 */
void sig_chld(int signo)
{
    pid_t pid;
    int stat;

    while ( (pid = waitpid(-1, &stat, WNOHANG)) > 0 )
        fprintf(stdout, "Child %d terminated in sig_chld, zombie killed!\n", pid);
    return;
}

/* MAIN */
int main(int argc, char **argv)
{
    char c;
    char *databuf;
    char message[256];
    int bytes;
    int errflg = 0;
    int i;
    int listenfd, connfd;
    int port;
    long connaddr;
    pid_t childpid;
    socklen_t clilen;
    struct sockaddr_in cliaddr, servaddr;

    while ((c = getopt (argc, argv, "?p:")) != -1) {
        switch (c) {
        case '?':
            errflg++;
        case 'p':
            port = atoi(optarg);
            break;
        default:
            errflg++;
            break;
        }
    }

    if (errflg) {
        usage(argv[0]);
        exit (2);
    }

    fprintf(stdout, "\nACK_hole is listening on port %d!\n", port);

    /* SOCKET */
    listenfd = socket(AF_INET, SOCK_STREAM, 0);

    bzero(&servaddr, sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
    servaddr.sin_port = htons(port);

    /* BIND */
    if (bind(listenfd, (SA *) &servaddr, sizeof(servaddr)) == -1) {
        perror("BIND failed");
        exit(-1);
    }

    /* Allocate receive data buffer */
    if ((databuf = malloc(RCVBUFF)) == NULL) {
        fprintf(stdout, "malloc of data buffer failed!\n");
        exit(-1);
    }

    /* LISTEN */
    listen(listenfd, LISTENQ);

    for ( ; ; ) {
        clilen = sizeof(cliaddr);

        /* ACCEPT with EINTR handling */
        if ( (connfd = accept(listenfd, (SA *) &cliaddr, &clilen)) < 0) {
            if (errno == EINTR)
                continue; /* back to for ( ; ; ) */
            else
                err_sys("accept error");
        }

        printf("CONNECT received from: ");
        connaddr = cliaddr.sin_addr.s_addr;
        for (i = 0; i < 4; i++) {
            printf("%d.", connaddr & 0xff);
            connaddr = connaddr >> 8;
        }
        printf("%d,", ntohs(cliaddr.sin_port));
        printf(" to local port %d!\n", ntohs(servaddr.sin_port));

        /* log to syslog, too.. */
        sprintf(message, "Connection from remote host %s:%d to local port %d",
                inet_ntoa(cliaddr.sin_addr), ntohs(cliaddr.sin_port),
                ntohs(servaddr.sin_port));
        syslog(LOG_INFO, message);

        /* SIGCHLD */
        signal(SIGCHLD, sig_chld);

        /* FORK */
        if ( (childpid = fork()) == 0 ) {
            close(listenfd);
            /* READ */
            read(connfd, databuf, bytes); /* do nothing */
            exit(0);
        }

        /* CLOSE */
        close(connfd);
    } /* end for ( ; ; ) */
} /* end main */

On Wed, 24 Dec 2003, John Sage wrote:
> hmm..
>
> On Wed, Dec 24, 2003 at 08:04:59PM -0500, Bugtraq Security Systems wrote:
> > From: Bugtraq Security Systems <research () bugtraq org>
> > To: mudge <mudge () uidzero org>
> > cc: full-disclosure () lists netsys com
> > Subject: Re: [Full-disclosure] Bugtraq Security Systems XMAS Advisory 0001
> > Date: Wed, 24 Dec 2003 20:04:59 -0500 (EST)
> >
> > With interpretive art, the names are often just placeholders. Bugtraq Security Systems requests that all the readers replace the names in this advisory, including ours, with their own. Indeed, we exhort you to feel that if you are not selling your integrity for stock options, not pretending that each new bug found and fixed somehow makes the world a better place, not sacrificing a sense of humor for a sense of importance, that you are in fact, GOBBLES.
>
> /* snip */
>
> "interpretive art"?
>
> pul-leeeze.
>
> Another preteen/early teen, too full of himself.
>
> zzzz......
>
> wake me when this thread is over.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
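The change the message above asks for, as an added example that is not part of the original post or of ACK_hole01.c: a data-sink read loop whose read(2) length is always the buffer's real size, with EOF and EINTR handled. The names `drain_fd` and `demo_drain` are hypothetical, and the socketpair input is constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not part of ACK_hole01.c: read and discard data until
 * the peer closes. The read(2) length is always cap, the caller-supplied size
 * of buf. Returns the number of bytes discarded, or -1 on error. */
long drain_fd(int fd, char *buf, size_t cap)
{
    long total = 0;

    if (buf == NULL || cap == 0)
        return -1;
    for (;;) {
        ssize_t n = read(fd, buf, cap);  /* kernel stores at most cap bytes */
        if (n > 0)
            total += n;                  /* data sink: contents are dropped */
        else if (n == 0)
            return total;                /* EOF: peer closed the connection */
        else if (errno != EINTR)
            return -1;                   /* real error; EINTR simply retries */
    }
}

/* Constructed demo: push len bytes through a socketpair and drain them with a
 * cap-byte buffer. Returns the drained count, -2 if the guard byte at
 * small[cap] was overwritten, -1 on setup failure. */
long demo_drain(size_t len, size_t cap)
{
    char payload[4096], small[64 + 1];
    int sv[2];

    if (len > sizeof(payload) || cap >= sizeof(small))
        return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    memset(payload, 'A', sizeof(payload));
    memset(small, 0x5A, sizeof(small));
    ssize_t sent = write(sv[0], payload, len);
    close(sv[0]);                        /* sender done: reader will see EOF */
    long got = (sent == (ssize_t)len) ? drain_fd(sv[1], small, cap) : -1;
    close(sv[1]);
    return (small[cap] == 0x5A) ? got : -2;
}

int main(void) { printf("drained %ld\n", demo_drain(1000, 16)); return 0; }
```

In the posted server the equivalent call would pass `RCVBUFF`, the size given to `malloc`, as the length.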