Date: Sun, 14 Sep 2014 00:12:21 +1000
From: Kemble Wagner <oobe.trouble@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] libre office listening on port 1599

Hi

First of this is my first post I do not claim to be a security expert
and do not possess a great expansive skill sets for such inquiry
however I do get curious at times and endevour in a hit and miss kind
of way.

Having said that I often find myself getting curious from time to time
and running things I probably shouldn't on occasion. I see after some
googling the issue that has me confused has already been reported but
not resolved at first I thought one of the files I had may of
contained a some multi-platform code to hook a listener I only assumed
it was multi-platform as I am running Linux, however if I was right
which I am unsure of still it makes sense to add multiple payloads to
a single file.

I simply do not trust a lot of sites that appear under certain
searches particularly a lot of the newbie harvesting articles created
to capitalize on the new polularity of Backtrack/Kali I often figured
it would be a great exploit to run a site that attracts first time
Kali users and who have a wealth of tools they do not know how to use
pre installed and no idea they shouldn't be running Firefox with the
default root account, or they are just too excited and lazy to make a
secure user account, which I admit I have done when I ran it on usb
from time to time till I could be bothered making a secure account

This had me becoming over diligent about what files I ran from sites
after becoming  more aware of files which to me are seemingly innocent
with ways to host a payload inside them like non executable pdfs and
other docs so openly shared and easily achieved these days.

So I discovered running a ppt file which I dont normally use so I
opened with system default libre office created a socket listening on
1599 I googled it and linked below is the most relevant post but there
are many others too anyway attached are my tracebacks I hope someone
maybe able to decipher more for me I also ran an strace on a small pdf
from a trusted source and still found it binding to port 1599 I figure
this is either a workaround function and possibly not the work of
anything suspect but potentially insecure or it is in fact well placed
code that could be laying dormant or used for a malicious purpose for
how long and no I don't have much more than assumptions about this I
cant really collect more info and interpret than I already have.

a section I thought that was worth noting is one of the files accessed
/etc/passwd during strace.


open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=2433, ...}) = 0
mmap(NULL, 2433, PROT_READ, MAP_SHARED, 3, 0) = 0x7f631fa3f000
lseek(3, 2433, SEEK_SET)                = 2433
munmap(0x7f631fa3f000, 2433)            = 0
close(3)                                = 0
access("/home/james/.config", F_OK)      = 0
getcwd("/home/james/scripts", 4096)      = 19


P.S  I did quickly scan over the posting guidelines for FD but forgive
me if I made an error on formatting or relevant topic matter.

LINKS
bug report debian

https://www.mail-archive.com/debian-openoffice@lists.debian.org/msg33087.html

Original URLs of origin

http://www.cs.rutgers.edu/~vinodg/teaching/spring-2014-cs419/slides/web-security.ppt
http://www.quotium.com/content/uploads/2014/01/Scripting-with-the-Phishes.pdf

View attachment "strace.Scripting-with-the-xss.pdf.txt" of type "text/plain" (28622 bytes)

View attachment "xss-tutorial.ppt.strace.txt" of type "text/plain" (66896 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists