Full Disclosure mailing list archives
AW: *ALERT* Advisory / Exploit for mpg123 *ALERT*
From: vogt () hansenet com
Date: Wed, 15 Jan 2003 10:46:27 +0100
A short analysis and questions:
Affected Software: mpg123 (pre0.59s) http://www.mpg123.de
I tried Debian's standard, which is pre0.59r, and it complains about an invalid MP3 header. I also downloaded and compiled (make linux, i.e. no machine-specific optimisations) pre0.59s and tried it out. While it doesn't complain about the invalid header, the included instructions for finding a target don't work, either. So I can neither verify nor falsify this claim, but given gobbles' past track record, I would give them the benefit of the doubt here.
When the player is exploited, a few things happen. First, all p2p-serving software on the machine is infected,
This is the really interesting part. Even on Windos, where infection per se is trivial, there are still multiple targets. On Linux and BSD systems, infection seems unlikely unless the player is installed as suid-root. None of the ones mentioned are. So Hydra is almost certainly a stock piece of code that attaches to the program, possibly via the various means available through LD_* - dynamic loader fun. I only know the technical details for Linux, but I'm fairly sure similar techniques work for BSD and Windos. So the infection could work without the need of changing the binary. Using Shaun Clowes' technique, this could even be done while the p2p program is running. So far, gobbles makes a bold, but entirely possible claim.
where it is added to their records and stored until a later time, when it can be used as evidence in criminal proceedings against those criminals who think it's OK to break the law.
This is where things fall apart. While IANAL, I am quite certain that such evidence would not be admitted by the court, especially not in a criminal case, where it's the job of LEAs to gather evidence, and there are stringent requirements for how to handle it. Not to even mention that modification of data can in itself be a criminal offense.
5) We have our own private version of this hydra actively infecting p2p users, and building one giant ddosnet.
So the attack is coming shortly. You don't announce a ddos net if you're not going to use it soon, do you? The risk to lose it after what sounds like a lot of work isn't worth risking just for some boasting, is it?

In summary: I am certain that the part about the RIAA is bullshit. Whatever your opinion about the RIAA, they aren't dumb enough for this stunt. And if they were, the NDA would certainly forbid any discussion of the entire thing, not just the technical details of some exploits. The DDOS part sounds more likely, but announcing a ddos net on bugtraq before you use it? That would be a first.

So, gobbles - what are you really up to?