| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8158470.1035268515047.JavaMail.root@172.16.100.50> From: rfclover at datadriven.co.uk (rfclover@...adriven.co.uk) Subject: 7350reass - alleged *BSD remote kernel exploit [I'm sending this anonymously. I think it's only fair game if this was left lying around on my system. To the group I believe responsible for this, I wasn't aware there was any tough blood between us 8-).] Aside from this, the attackers were rather methodical. I believe the files left lying around may have been a gimmick to fool me into thinking I was indeed compromised with a remote kernel exploit. Although I'm unable to ascertain the method of entry, I believe it could have been as something as trivial as a guessed user password. But Just In Case 8-). There was also a file that I believe may have been created by the attackers. It contained the following text, which is not clear to me: I am the Dragon and you call me insane? My movements are followed and recorded as avidly as those of a mighty nebula. Before me, you are a slug in the sun. You are privy to a great becoming and you recognize nothing. You are an ant in the afterbirth. It is in your nature to do one thing correctly: before me you rightly tremble. If for some reason the attachment doesn't get through, I have created a site containing 7350reass.tar.gz: http://www.angelfire.com/apes/7350reass/ >From the site... Since when do you guys place your exploits on 'owned' systems? 8-) I have tarred up the two files that were found on a compromised machine on my subnet. They can be downloaded below. It purports to be a remote kernel exploit for *BSD systems. This is very dubious, but in the interests of security, it may still be worthy of a forensics analysis. Unfortunately, I do not have the password that allows the encrypted exploit to run, so you're on your own here. Regardless of whether or not this is a fake exploit, everyone is urged to take proper security precautions before running untrusted executables on your systems. It may be best to play around with this on a spare system at hand. >From the EXAMPLE file: ./7350reass 10.0.0.2 7350reass - OpenBSD/FreeBSD/NetBSD remote kernel exploit fragment reassembly numeric overflow + logic fuckup -s & -l (21/04) inferior exploits for this bug rely on 3 values.. we only need the ip_reass delta, but still, patience is required to find this.. this shouldn't be a problem.. you don't need root to run this, as everything can be crafted via setsockopt.. mhhh, should get you in.. < 5 minutes.. no guarantees though.. OpenBSD developers are weenies ;) TESO: 2^32-1 SecurityFocus: 2>>2 password: [*] finding ip_reass delta.. FOUND: 154 [*] checking for timeout during reassembly error.. PASSED [*] final stage of exploitation. you should receive a shell prompt in a matter of minutes if all is fine.. FreeBSD saturn 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Sep 6 10:18:37 EST 2002 ubel@...urn:/usr/src/sys/compile/SATURN i386 uid=0(root) gid=0(wheel) -- Personalised email by http://another.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 7350reass.tar.gz Type: application/x-tar Size: 26275 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20021022/5013949c/7350reass.tar.tar
Powered by blists - more mailing lists