From: keithp at corp.ptd.net (Keith A. Pachulski)
Subject: iDEFENSE Intelligence Report: Local-Remote Exploit for FreeBSD in the Wild

yah, this is one of the reasons I started filtering all of gobbles
emails right to the trash..

dude -- grow up, it's getting old

On Wed, 2004-05-05 at 11:28, Richard Johnson wrote:
> iDEFENSE: The Power of Intelligence : Current Intelligence Report
> 
> 
> Local Remote FreeBSD Kernel Exploit Exists in the Wild
> iDEFENSE iIRCLOG iIntelligence iSecurity Brief 05.10.04
> 
> I. BACKGROUND
> We at iDEFENSE have come to the conclusion that the best way to offer
> our clients proactive security, as a service, is to have individuals 
> on staff who have experience in the intelligence world (including
> former pc technicians, janitors, and massage therapists) who have been
> fired from their minimum wage positions at various government
> facilities, for no other reason than gross incompetence.
> 
> iDEFENSE outsources IRC logging services to some of the greatest minds
> in computer security, who have infiltrated some of the most nefarious 
> hacking groups in existence - including #dtors, #w00w00, and #nologin,
> and then the logs are read by our team of former janitors and failed 
> psychology students, and later turned into profound intelligence-like
> reports to be sold to the private sector, the Department of Homeland 
> Security, and the Chinese government.
> 
> Information fencing might be a crime, when said information is gained 
> illegally, but as long as the Department of Homeland Security remains
> dedicated to the fight against domestic terrorists (especially those
> who frequent the Eris Free, and are known for their aggressive attacks
> on the American lifestyle as they write "BUSH IS SUX0R" on critical 
> infrastructure related computers, such as *.co.kr nameservers and the
> ever popular plethora of *.gsfc.nasa.gov hosts running five year old 
> copies of IIS - without even the eEye IIS obfuscation PRODUCT in place
> to protect these critical machines), civil rights do not apply.  As a
> community, we must accept that the Department of Homeland Security is 
> often too afraid to actually enforce the Patriot Act (since they would
> need to be able to justify their actions, and probably can't do that 
> in an official capacity trying to track down Osama Joe Defacer at his 
> pre-school).  The solution is simple - millions of dollars a year to 
> our company, iDEFENSE, to gather chat logs and to write intelligence 
> reports for them.
> 
> Feel safe that we are teamed up with the DHS to provide you a safer 
> America.
> 
> Beyond this, iDEFENSE strives to compile intelligence reports off of 
> other hacker resources, such as hacker conferences (where we supply 
> alcohol to minors and get them in morally compromising situations for
> our own profit - in the name of national security, one might say fuck
> the children[2], we're Republicans anyways), we like run-on sentences,
> hacker mailing lists, and our deployment of various advanced honeypots 
> (wireless, honeytokens, etc).  Honey tokens are cool.  You'd be amazed
> at what kind of honey tokens we have given out.
> 
> The following advisory is our first public example of INTELLIGENCE IN 
> ACTION, demonstrating our ability to obtain zeroday vulnerabilities 
> from our janitorial-powered thinktanks.
> 
> As a side note, if you own a modern IRC client (that supports logging)
> or are in the position to install tcpdump and parse the packet dumps 
> with Max Vision's brilliant tcpdump to irc log conversion utility[1],
> we might have an exciting job in the information security world just 
> for you!  Send a resume and a description of your IRC assets to our 
> human relations department at hr@...fense.com and we will get back to
> you as soon as possible.
> 
> II. Exploit Definitions
> 
> For some time, exploits have been classified in one of two categories;
> either an exploit is "remote" or it is "local".  This leaves out an 
> entire class of exploits, however, which we will soon be releasing a
> series of advisories on.  This class of bug is more accurately named 
> "local" than the previous class of bugs called "local exploits", so we
> will attempt to clarify the three classes of exploits for you.
> 
>  a) Remote Exploit
>     An exploit that attacks a network server, without requiring any
>     sort of authentication to that server.  For instance, an exploit 
>     for a webserver (httpd (hyper text transfer protocol daemon)) is
>     normally in this category, unless it's some gay local signalling 
>     dos thingie.
>  
>  b) Local Exploit
>     An exploit that requires local access to a machine, authenticated 
>     or otherwise.  Here local access implies physical access to the 
>     machine that is about to be hacked, and examples of upcoming 
>     local bugs include:
>      - booting into single user mode
>      - hard drive theft
>      - extracting user passwords through torture,
>     and our historical example,
>      - CAN-2004-0109
>  c) Local remote exploit
>     An exploit that requires authentication to a machine, but does not
>     demand physical access to said machine, and the attack can be 
>     performed over the network.
> 
> One could easily add a fourth category, being "Local Local Exploits",
> but this approaches some degree of silliness, and when one cannot take
> his job seriously enough to not giggle when reading official titles, 
> clients will wonder if they're actually paying for a serious PRODUCT.
> 
> III. The FreeBSD Kernel Exploit
> 
> Recently a post was made to full-disclosure concerning the compromise
> of an account on a shell server, drunken.fi.st.  The entire post can
> be read here[3]; however most of it seems to involve uninteresting 
> scene nonsense, so we will focus on the important parts.
> 
>  "- rave gets his account backdoored on kokanin's box. He finds the
>  obviously placed bindshell stashed as ~/bin/zsh. He laughs and says
>  the backdoor was lame. Well he obviously missed the getpass()
>  LD_PRELOAD, ssh, and passwd all on his local account mailing all his
>  new passwords out. Oh, and he left an exploit (servu.c) in his
>  directory for the version of servu ftpd he was running on his home
>  windows machine. Oops."
> 
> Proper behaviour of LD_PRELOAD would not allow a non-privileged user such
> as rave to hook privileged processes (read my upcoming advisory titled
> "TOO MANY SUIDS A BAD THING IN *IX" for more information) such as the
> *IX tool for changing passwords, /bin/passwd.  For hooking of getpass,
> either root access would already be needed, or some sort of design bug
> in the kernel.
> 
> We at iDEFENSE Labs have been unable to determine exactly how to 
> exploit this vulnerability, or even identify where it is in the source
> code, but we are confident it is there, in some version.
> 
> We thought that LD_PRELOAD bugs disappeared with the release of AIX 4,
> but Sun has recently proven us wrong, and now FreeBSD has a different 
> problem.  We continue to advise our clients to use only OpenBSD, 
> Openwall (Owl) Linux, or Microsoft products - as clearly anyone with 
> a bit of intelligence can see, everything else sucks.
> 
> IV. Closing
> 
> The purpose of this security briefing was not to demonstrate detailed
> knowledge of a specific vulnerability, but to rather demonstrate the 
> powers of INTELLIGENCE IN ACTION, and that our staff is capable of 
> extracting valuable security INTELLIGENCE from even the vaguest of
> references.  If you're in awe of the incredible feat demonstrated, you
> and your organization definitely need to subscribe to our world-class 
> intelligence services.
> 
> If you have any details concerning the methods of exploitation for the
> vulnerability described in this advisory, please contact Mike Sutton
> immediately for a fat lump of the big DHS[4] dollars.  He can be 
> contacted at msutton@...fense.com.
> 
> We hope that you have been impressed with our demonstration of our 
> famed INTELLIGENCE IN ACTION techniques.  If you are interested in 
> purchasing a subscription to our services, please contact our sales 
> department at sales@...fense.com so that we can broker a deal.
> 
> We treat all sales transactions and inquiries with confidentiality.
>            _________________________________________
>           / PLEASE HELP ME! My name is Jay Healy,   \
>           | and I work for Goldman-Sachs, and we've |
>           | been anally raped by iDEFENSE!  Call me |
>           \ at (212) 357-1207 if you can save me!   /
>            -----------------------------------------
>                 \                _
>                  \              (_)
>                   \   ^__^       / \
>                    \  (oo)\_____/_\ \
>                       (__)\       ) /
>                           ||----w ((
>                           ||     ||>>
> 
> [1] http://www.honeynet.org/tools/danalysis/privmsg
> [2] Some believe that those who take advantage of children, are simply
>     pedophiles, regardless of the situation.  In rebuttal to the claim
>     that iDEFENSE employs pedophiles, we would like to say that we are
>     100% certain that Michael Jackson is guilty, we are fans of his 
>     music, and will continue buying his records to help support him.
> [3] http://lists.netsys.com/pipermail/full-disclosure/2004-April/020690.html
> [4] It's probably a good thing that our company receives so much 
>     federal funding.  The combined millions of dollars pooled from 
>     various government entities is definitely being spent wisely;
>     it is better that bureaucrats do what they can to get us as much 
>     money as possible - this allows various government agencies to 
>     have instant access to the latest cross-site scripting issues in
>     hotmail's service, before they are turned into devastating worms -
>     and keeps funding from going to asinine ventures such as AIDS and
>     cancer research.  Fight terror, not disease.
> 
> V. About iDEFENSE
> 
> iDEFENSE is a global security intelligence company that proactively
> monitors sources throughout the world from technical vulnerabilities 
> and hacker profiling to the spread of viruses and other malicious code. 
> iALERT, our security intelligence service, provides decision-makers, 
> frontline security professionals and network administrators with timely 
> access to actionable intelligence and decision support on cyber-related 
> threats. We are currently trying for complete market dominance and hope
> to soon eliminate the Carlyle Group by any means necessary.  We already
> have stolen their webdesign - their customer base is next.  For more 
> information, visit http://www.idefense.com, or our research team's 
> official website at http://idefense.bugtraq.org.
-- 
|Keith A. Pachulski | PenTeleData LP1 Information Security and Privacy|
|Phone: (800) 281.3564 x2454 | Pager: 6103497095@...xt.com|
|PGP: 6B56 C8DC 6201 6D1A BFF5  5799 E193 ABAA 9549 74D0|
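The quoted report's one technical claim is that a user-level LD_PRELOAD cannot hook a privileged program such as /bin/passwd. That matches how the glibc and FreeBSD dynamic loaders behave: for set-user-ID executables they ignore LD_PRELOAD entries supplied by the environment (glibc only honours entries from the standard library directories, and only if the library itself is set-user-ID), whereas entries in /etc/ld.so.preload are applied to every dynamically linked program, privileged or not. The backdoor described in the quoted post (a getpass() hook preloaded from the user's own account) therefore only captures the user's own unprivileged processes, but it is still worth detecting. The following Python is an added example, not code from the list post or from iDEFENSE; the file contents are constructed, and it scans shell rc files and /etc/ld.so.preload for preload indicators, flagging libraries that live in user-writable locations.

```python
import re
from typing import Dict, List

# Constructed sample files (path -> content); not taken from any real host.
SAMPLE_FILES: Dict[str, str] = {
    "/home/rave/.bashrc": (
        "# user rc file\n"
        "export PATH=$HOME/bin:$PATH\n"
        "export LD_PRELOAD=$HOME/.lib/libgetpass.so\n"
    ),
    "/home/alice/.cshrc": "setenv EDITOR vi\n",
    "/etc/ld.so.preload": "/usr/lib/libfakeroot/libfakeroot-sysv.so\n",
    "/etc/profile": "umask 022\n",
}

# Matches sh-style "LD_PRELOAD=..." / "export LD_PRELOAD=..." and csh-style
# "setenv LD_PRELOAD ..." assignments; one of the two groups holds the value.
_PRELOAD_ASSIGN = re.compile(
    r"^\s*(?:export\s+)?LD_PRELOAD\s*=\s*(\S+)"
    r"|^\s*setenv\s+LD_PRELOAD\s+(\S+)"
)

# Locations an unprivileged user can usually write to; a preloaded library
# under one of these is the pattern in the quoted post.
_USER_WRITABLE_PREFIXES = ("/home/", "$HOME", "~", "/tmp/", "/var/tmp/")


def is_user_writable_path(path: str) -> bool:
    """Heuristic: does this library path sit somewhere a normal user controls?"""
    return path.startswith(_USER_WRITABLE_PREFIXES)


def find_preload_indicators(files: Dict[str, str]) -> List[dict]:
    """Return one finding per LD_PRELOAD assignment or ld.so.preload entry.

    Each finding records where it was seen, the library path, whether the
    loader applies it to setuid programs, and whether a user could have
    planted it.
    """
    findings: List[dict] = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if path == "/etc/ld.so.preload":
                # System-wide preload list: honoured even for setuid binaries.
                findings.append({
                    "file": path, "line": lineno, "library": stripped,
                    "affects_setuid": True,
                    "user_writable": is_user_writable_path(stripped),
                })
                continue
            m = _PRELOAD_ASSIGN.match(line)
            if m:
                # Environment LD_PRELOAD: ignored by the loader for setuid
                # binaries, but hooks every unprivileged process of that user.
                lib = (m.group(1) or m.group(2)).strip("\"'")
                findings.append({
                    "file": path, "line": lineno, "library": lib,
                    "affects_setuid": False,
                    "user_writable": is_user_writable_path(lib),
                })
    return findings


def suspicious_findings(files: Dict[str, str]) -> List[dict]:
    """Only the findings where the preloaded library is in a user-writable spot."""
    return [f for f in find_preload_indicators(files) if f["user_writable"]]


if __name__ == "__main__":
    for f in find_preload_indicators(SAMPLE_FILES):
        flag = "SUSPICIOUS" if f["user_writable"] else "review"
        print(f"{flag}: {f['file']}:{f['line']} preloads {f['library']} "
              f"(applies to setuid: {f['affects_setuid']})")
```

On a real host you would read the rc files of every account plus /etc/ld.so.preload into the dictionary instead of the constructed sample; the user-writable check is a heuristic, so an entry under /usr/lib still deserves a look at ownership and package provenance.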
