From: keithp at corp.ptd.net (Keith A. Pachulski)
Subject: iDEFENSE Intelligence Report: Local-Remote Exploit for FreeBSD in the Wild
yah, this is one of the reasons I started filtering all of gobbles'
emails right to the trash..
dude -- grow up, it's getting old
On Wed, 2004-05-05 at 11:28, Richard Johnson wrote:
> iDEFENSE: The Power of Intelligence : Current Intelligence Report
>
>
> Local Remote FreeBSD Kernel Exploit Exists in the Wild
> iDEFENSE iIRCLOG iIntelligence iSecurity Brief 05.10.04
>
> I. BACKGROUND
> We at iDEFENSE have come to the conclusion that the best way to offer
> our clients proactive security, as a service, is to have individuals
> on staff who have experience in the intelligence world (including
> former pc technicians, janitors, and massage therapists) who have been
> fired from their minimum wage positions at various government
> facilities, for no other reason than gross incompetence.
>
> iDEFENSE outsources IRC logging services to some of the greatest minds
> in computer security, who have infiltrated some of the most nefarious
> hacking groups in existence - including #dtors, #w00w00, and #nologin,
> and then the logs are read by our team of former janitors and failed
> psychology students, and later turned into profound intelligence-like
> reports to be sold to the private sector, the Department of Homeland
> Security, and the Chinese government.
>
> Information fencing might be a crime, when said information is gained
> illegally, but as long as the Department of Homeland Security remains
> dedicated to the fight against domestic terrorists (especially those
> who frequent the Eris Free, and are known for their aggressive attacks
> on the American lifestyle as they write "BUSH IS SUX0R" on critical
> infrastructure related computers, such as *.co.kr nameservers and the
> ever popular plethora of *.gsfc.nasa.gov hosts running five year old
> copies of IIS - without even the eEye IIS obfuscation PRODUCT in place
> to protect these critical machines), civil rights do not apply. As a
> community, we must accept that the Department of Homeland Security is
> often too afraid to actually enforce the Patriot Act (since they would
> need to be able to justify their actions, and probably can't do that
> in an official capacity trying to track down Osama Joe Defacer at his
> pre-school). The solution is simple - millions of dollars a year to
> our company, iDEFENSE, to gather chat logs and to write intelligence
> reports for them.
>
> Feel safe that we are teamed up with the DHS to provide you a safer
> America.
>
> Beyond this, iDEFENSE strives to compile intelligence reports off of
> other hacker resources, such as hacker conferences (where we supply
> alcohol to minors and get them in morally compromising situations for
> our own profit - in the name of national security, one might say fuck
> the children[2], we're Republicans anyways), we like run-on sentences,
> hacker mailing lists, and our deployment of various advanced honeypots
> (wireless, honeytokens, etc). Honey tokens are cool. You'd be amazed
> at what kind of honey tokens we have given out.
>
> The following advisory is our first public example of INTELLIGENCE IN
> ACTION, demonstrating our ability to obtain zeroday vulnerabilities
> from our janitorial-powered thinktanks.
>
> As a side note, if you own a modern IRC client (that supports logging)
> or are in the position to install tcpdump and parse the packet dumps
> with Max Vision's brilliant tcpdump to irc log conversion utility[1],
> we might have an exciting job in the information security world just
> for you! Send a resume and a description of your IRC assets to our
> human relations department at hr@...fense.com and we will get back to
> you as soon as possible.
>
> II. Exploit Definitions
>
> For some time, exploits have been classified in one of two categories;
> either an exploit is "remote" or it is "local". This leaves out an
> entire class of exploits, however, which we will soon be releasing a
> series of advisories on. This class of bug is more accurately named
> "local" than the previous class of bugs called "local exploits", so we
> will attempt to clarify the three classes of exploits for you.
>
> a) Remote Exploit
> An exploit that attacks a network server, without requiring any
> sort of authentication to that server. For instance, an exploit
> for a webserver (httpd (hyper text transfer protocol daemon)) is
> normally in this category, unless it's some gay local signalling
> dos thingie.
>
> b) Local Exploit
> An exploit that requires local access to a machine, authenticated
> or otherwise. Here local access implies physical access to the
> machine that is about to be hacked, and examples of upcoming
> local bugs include:
> - booting into single user mode
> - hard drive theft
> - extracting user passwords through torture,
> and our historical example,
> - CAN-2004-0109
> c) Local remote exploit
> An exploit that requires authentication to a machine, but does not
> demand physical access to said machine, and the attack can be
> performed over the network.
>
> One could easily add a fourth category, being "Local Local Exploits",
> but this approaches some degree of silliness, and when one cannot take
> his job seriously enough to not giggle when reading official titles,
> clients will wonder if they're actually paying for a serious PRODUCT.
>
> III. The FreeBSD Kernel Exploit
>
> Recently a post was made to full-disclosure concerning the compromise
> of an account on a shell server, drunken.fi.st. The entire post can
> be read here[3]; however most of it seems to involve uninteresting
> scene nonsense, so we will focus on the important parts.
>
> "- rave gets his account backdoored on kokanin's box. He finds the
> obviously placed bindshell stashed as ~/bin/zsh. He laughs and says
> the backdoor was lame. Well he obviously missed the getpass()
> LD_PRELOAD, ssh, and passwd all on his local account mailing all his
> new passwords out. Oh, and he left an exploit (servu.c) in his
> directory for the version of servu ftpd he was running on his home
> windows machine. Oops."
>
> Proper behaviour of LD_PRELOAD would not allow a non-privileged user such
> as rave to hook privileged processes (read my upcoming advisory titled
> "TOO MANY SUIDS A BAD THING IN *IX" for more information) such as the
> *IX tool for changing passwords, /bin/passwd. For hooking of getpass,
> either root access would already be needed, or some sort of design bug
> in the kernel.
>
> We at iDEFENSE Labs have been unable to determine exactly how to
> exploit this vulnerability, or even identify where it is in the source
> code, but we are confident it is there, in some version.
>
> We thought that LD_PRELOAD bugs disappeared with the release of AIX 4,
> but Sun has recently proven us wrong, and now FreeBSD has a different
> problem. We continue to advise our clients to use only OpenBSD,
> Openwall (Owl) Linux, or Microsoft products - as clearly anyone with
> a bit of intelligence can see, everything else sucks.
>
> IV. Closing
>
> The purpose of this security briefing was not to demonstrate detailed
> knowledge of a specific vulnerability, but to rather demonstrate the
> powers of INTELLIGENCE IN ACTION, and that our staff is capable of
> extracting valuable security INTELLIGENCE from even the vaguest of
> references. If you're in awe of the incredible feat demonstrated, you
> and your organization definitely need to subscribe to our world-class
> intelligence services.
>
> If you have any details concerning the methods of exploitation for the
> vulnerability described in this advisory, please contact Mike Sutton
> immediately for a fat lump of the big DHS[4] dollars. He can be
> contacted at msutton@...fense.com.
>
> We hope that you have been impressed with our demonstration of our
> famed INTELLIGENCE IN ACTION techniques. If you are interested in
> purchasing a subscription to our services, please contact our sales
> department at sales@...fense.com so that we can broker a deal.
>
> We treat all sales transactions and inquiries with confidentiality.
> _________________________________________
> / PLEASE HELP ME! My name is Jay Healy, \
> | and I work for Goldman-Sachs, and we've |
> | been anally raped by iDEFENSE! Call me |
> \ at (212) 357-1207 if you can save me! /
> -----------------------------------------
> \ _
> \ (_)
> \ ^__^ / \
> \ (oo)\_____/_\ \
> (__)\ ) /
> ||----w ((
> || ||>>
>
> [1] http://www.honeynet.org/tools/danalysis/privmsg
> [2] Some believe that those who take advantage of children, are simply
> pedophiles, regardless of the situation. In rebuttal to the claim
> that iDEFENSE employs pedophiles, we would like to say that we are
> 100% certain that Michael Jackson is guilty, we are fans of his
> music, and will continue buying his records to help support him.
> [3] http://lists.netsys.com/pipermail/full-disclosure/2004-April/020690.html
> [4] It's probably a good thing that our company receives so much
> federal funding. The combined millions of dollars pooled from
> various government entities is definitely being spent wisely;
> it is better that bureaucrats do what they can to get us as much
> money as possible - this allows various government agencies to
> have instant access to the latest cross-site scripting issues in
> hotmail's service, before they are turned into devastating worms -
> and keeps funding from going to asinine ventures such as aids and
> cancer research. Fight terror, not disease.
>
> V. About iDEFENSE
>
> iDEFENSE is a global security intelligence company that proactively
> monitors sources throughout the world from technical vulnerabilities
> and hacker profiling to the spread of viruses and other malicious code.
> iALERT, our security intelligence service, provides decision-makers,
> frontline security professionals and network administrators with timely
> access to actionable intelligence and decision support on cyber-related
> threats. We are currently trying for complete market dominance and hope
> to soon eliminate the Carlyle Group by any means necessary. We already
> have stolen their webdesign - their customer base is next. For more
> information, visit http://www.idefense.com, or our research team's
> official website at http://idefense.bugtraq.org.
--
|Keith A. Pachulski | PenTeleData LP1 Information Security and Privacy|
|Phone: (800) 281.3564 x2454 | Pager: 6103497095@...xt.com|
|PGP: 6B56 C8DC 6201 6D1A BFF5 5799 E193 ABAA 9549 74D0|