Full Disclosure mailing list archives
iDEFENSE Intelligence Report: Local-Remote Exploit for FreeBSD in the Wild
From: Richard Johnson <thief () bugtraq org>
Date: Wed, 5 May 2004 11:28:46 -0400
iDEFENSE: The Power of Intelligence : Current Intelligence Report

Local Remote FreeBSD Kernel Exploit Exists in the Wild

iDEFENSE iIRCLOG iIntelligence iSecurity Brief 05.10.04

I. BACKGROUND

We at iDEFENSE have come to the conclusion that the best way to offer our clients proactive security, as a service, is to have individuals on staff who have experience in the intelligence world (including former pc technicians, janitors, and massage therapists) who have been fired from their minimum wage positions at various government facilities, for no other reason than gross incompetence. iDEFENSE outsources IRC logging services to some of the greatest minds in computer security, who have infiltrated some of the most nefarious hacking groups in existence - including #dtors, #w00w00, and #nologin, and then the logs are read by our team of former janitors and failed psychology students, and later turned into profound intelligence-like reports to be sold to the private sector, the Department of Homeland Security, and the Chinese government. Information fencing might be a crime, when said information is gained illegally, but as long as the Department of Homeland Security remains dedicated to the fight against domestic terrorists (especially those who frequent the Eris Free, and are known for their aggressive attacks on the American lifestyle as they write "BUSH IS SUX0R" on critical infrastructure related computers, such as *.co.kr nameservers and the ever popular plethora of *.gsfc.nasa.gov hosts running five year old copies of IIS - without even the eEye IIS obfuscation PRODUCT in place to protect these critical machines), civil rights do not apply. As a community, we must accept that the Department of Homeland Security is often too afraid to actually enforce the Patriot Act (since they would need to be able to justify their actions, and probably can't do that in an official capacity trying to track down Osama Joe Defacer at his pre-school).

The solution is simple - millions of dollars a year to our company, iDEFENSE, to gather chat logs and to write intelligence reports for them. Feel safe that we are teamed up with the DHS to provide you a safer America. Beyond this, iDEFENSE strives to compile intelligence reports off of other hacker resources, such as hacker conferences (where we supply alcohol to minors and get them in morally compromising situations for our own profit - in the name of national security, one might say fuck the children[2], we're Republicans anyways), we like run-on sentences, hacker mailing lists, and our deployment of various advanced honeypots (wireless, honeytokens, etc). Honey tokens are cool. You'd be amazed at what kind of honey tokens we have given out.

The following advisory is our first public example of INTELLIGENCE IN ACTION, demonstrating our ability to obtain zeroday vulnerabilities from our janitorial-powered thinktanks.

As a side note, if you own a modern IRC client (that supports logging) or are in the position to install tcpdump and parse the packet dumps with Max Vision's brilliant tcpdump to irc log conversion utility[1], we might have an exciting job in the information security world just for you! Send a resume and a description of your IRC assets to our human relations department at hr () idefense com and we will get back to you as soon as possible.

II. Exploit Definitions

For some time, exploits have been classified in one of two categories; either an exploit is "remote" or it is "local". This leaves out an entire class of exploits, however, which we will soon be releasing a series of advisories on. This class of bug is more accurately named "local" than the previous class of bugs called "local exploits", so we will attempt to clarify the three classes of exploits for you.

a) Remote Exploit

An exploit that attacks a network server, without requiring any sort of authentication to that server. For instance, an exploit for a webserver (httpd (hyper text transfer protocol daemon)) is normally in this category, unless it's some gay local signalling dos thingie.

b) Local Exploit

An exploit that requires local access to a machine, authenticated or otherwise. Here local access implies physical access to the machine that is about to be hacked, and examples of upcoming local bugs include:

- booting into single user mode
- hard drive theft
- extracting user passwords through torture, and our historical example,
- CAN-2004-0109

c) Local remote exploit

An exploit that requires authentication to a machine, but does not demand physical access to said machine, and the attack can be performed over the network.

One could easily add a fourth category, being "Local Local Exploits", but this approaches some degree of silliness, and when one cannot take his job seriously enough to not giggle when reading official titles, clients will wonder if they're actually paying for a serious PRODUCT.

III. The FreeBSD Kernel Exploit

Recently a post was made to full-disclosure concerning the compromise of an account on a shell server, drunken.fi.st. The entire post can be read here[3]; however most of it seems to involve uninteresting scene nonsense, so we will focus on the important parts.

"- rave gets his account backdoored on kokanin's box. He finds the obviously placed bindshell stashed as ~/bin/zsh. He laughs and says the backdoor was lame. Well he obviously missed the getpass() LD_PRELOAD, ssh, and passwd all on his local account mailing all his new passwords out. Oh, and he left an exploit (servu.c) in his directory for the version of servu ftpd he was running on his home windows machine. Oops."

Proper behaviour of LD_PRELOAD would not allow a non-privileged user such as rave to hook privileged processes (read my upcoming advisory titled "TOO MANY SUIDS A BAD THING IN *IX" for more information) such as the *IX tool for changing passwords, /bin/passwd. For hooking of getpass, either root access would already be needed, or some sort of design bug in the kernel.

We at iDEFENSE Labs have been unable to determine exactly how to exploit this vulnerability, or even identify where it is in the source code, but we are confident it is there, in some version. We thought that LD_PRELOAD bugs disappeared with the release of AIX 4, but Sun has recently proven us wrong, and now FreeBSD has a different problem. We continue to advise our clients to use only OpenBSD, Openwall (Owl) Linux, or Microsoft products - as clearly anyone with a bit of intelligence can see, everything else sucks.

IV. Closing

The purpose of this security briefing was not to demonstrate detailed knowledge of a specific vulnerability, but to rather demonstrate the powers of INTELLIGENCE IN ACTION, and that our staff is capable of extracting valuable security INTELLIGENCE from even the vaguest of references. If you're in awe of the incredible feat demonstrated, you and your organization definitely need to subscribe to our world-class intelligence services. If you have any details concerning the methods of exploitation for the vulnerability described in this advisory, please contact Mike Sutton immediately for a fat lump of the big DHS[4] dollars. He can be contacted at msutton () idefense com.

We hope that you have been impressed with our demonstration of our famed INTELLIGENCE IN ACTION techniques. If you are interested in purchasing a subscription to our services, please contact our sales department at sales () idefense com so that we can broker a deal. We treat all sales transactions and inquiries with confidentiality.

 _________________________________________
/ PLEASE HELP ME! My name is Jay Healy,   \
| and I work for Goldman-Sachs, and we've |
| been anally raped by iDEFENSE! Call me  |
\ at (212) 357-1207 if you can save me!   /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

[1] http://www.honeynet.org/tools/danalysis/privmsg

[2] Some believe that those who take advantage of children, are simply pedophiles, regardless of the situation. In rebuttal to the claim that iDEFENSE employs pedophiles, we would like to say that we are 100% certain that Michael Jackson is guilty, we are fans of his music, and will continue buying his records to help support him.

[3] http://lists.netsys.com/pipermail/full-disclosure/2004-April/020690.html

[4] It's probably a good thing that our company receives so much federal funding. The combined millions of dollars pooled from various government entities is definitely being spent wisely; it is better that bureaucrats do what they can to get us as much money as possible - this allows various government agencies to have instant access to the latest cross-site scripting issues in hotmail's service, before they are turned into devastating worms - and keeps funding from going to asinine ventures such as aids and cancer research. Fight terror, not disease.

V. About iDEFENSE

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world from technical vulnerabilities and hacker profiling to the spread of viruses and other malicious code. iALERT, our security intelligence service, provides decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. We are currently trying for complete market dominance and hope to soon eliminate the Carlyle Group by any means necessary. We already have stolen their webdesign - their customer base is next. For more information, visit http://www.idefense.com, or our research team's official website at http://idefense.bugtraq.org.

--
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
thief () bugtraq org

Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html
and become part of our research team!
http://idefense.bugtraq.org/
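The loader behaviour the message leans on in section III (an unprivileged user's LD_PRELOAD cannot reach into a set-uid program such as /bin/passwd) is shown below as an added example; it is not part of the original post and not iDEFENSE code. It assumes Linux/glibc (getauxval and AT_SECURE; FreeBSD's rtld makes the same decision with issetugid()), models glibc's LD_PRELOAD secure-mode rule in simplified form, and the path /home/rave/lib/hook.so is a constructed sample, not anything from the thread.

```c
/* Added example (not from the original post): why LD_PRELOAD from an
 * unprivileged user's environment cannot hook getpass() inside /bin/passwd.
 * When exec gains privilege (set-uid/set-gid/file caps) the kernel sets
 * AT_SECURE in the auxiliary vector, and the dynamic loader switches to
 * secure mode. Linux/glibc assumed; FreeBSD's rtld does the same via
 * issetugid(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval(AT_SECURE) */

/* 1 if the loader would honour LD_PRELOAD from our environment,
 * 0 if this process runs in secure mode. */
int preload_honoured(void)
{
    return getauxval(AT_SECURE) == 0;
}

/* Simplified model of glibc's rule for one LD_PRELOAD entry: outside secure
 * mode anything loads; in secure mode any entry containing a '/' (i.e. a
 * user-supplied path such as ~/lib/hook.so) is silently dropped, and only
 * bare names looked up in the trusted system library directories remain. */
int preload_entry_allowed(const char *entry, int secure)
{
    if (!secure)
        return 1;
    return strchr(entry, '/') == NULL;
}

#define PRELOAD_MAX_LEN 256

/* Apply that rule to a whole LD_PRELOAD value. ld.so splits entries on ':'
 * or ' '. Surviving entries are copied into out[]; the count kept is
 * returned. Entries that do not fit in PRELOAD_MAX_LEN are skipped. */
int filter_preload_list(const char *list, int secure,
                        char out[][PRELOAD_MAX_LEN], int max)
{
    int kept = 0;
    const char *p = list;

    while (*p != '\0' && kept < max) {
        while (*p == ':' || *p == ' ')          /* skip separators */
            p++;
        if (*p == '\0')
            break;
        size_t n = strcspn(p, ": ");            /* length of this entry */
        char tmp[PRELOAD_MAX_LEN];
        if (n < sizeof tmp) {
            memcpy(tmp, p, n);
            tmp[n] = '\0';
            if (preload_entry_allowed(tmp, secure)) {
                memcpy(out[kept], tmp, n + 1);
                kept++;
            }
        }
        p += n;
    }
    return kept;
}

int main(void)
{
    /* constructed sample: an attacker's hook plus a system library */
    const char *ld_preload = "/home/rave/lib/hook.so:libfoo.so";
    char out[4][PRELOAD_MAX_LEN];
    int secure = !preload_honoured();
    int n = filter_preload_list(ld_preload, secure, out, 4);

    printf("AT_SECURE=%d: %d of 2 LD_PRELOAD entries would be loaded\n",
           secure, n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", out[i]);
    return 0;
}
```

Run as a normal user the program reports AT_SECURE=0 and both entries; copy the binary, chown it to root and set the set-uid bit, and the same run reports AT_SECURE=1 with only libfoo.so surviving. That is the whole reason a getpass() hook in a user's environment never fires inside passwd: to hook a set-uid program you need to write into the trusted library directories, which already requires root.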
Attachment:
05.05.04.txt
Current thread:
- iDEFENSE Intelligence Report: Local-Remote Exploit for FreeBSD in the Wild Richard Johnson (May 05)
- Re: iDEFENSE Intelligence Report: Local-Remote Exploit for FreeBSD in the Wild Keith A. Pachulski (May 05)