lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: rfclover at datadriven.co.uk (rfclover@...adriven.co.uk)
Subject: 7350reass - alleged *BSD remote kernel exploit

[I'm sending this anonymously. I think it's only fair game if this was left
lying around on my system. To the group I believe responsible for this, I
wasn't aware there was any tough blood between us 8-).]

Aside from this, the attackers were rather methodical. I believe the files
left lying around may have been a gimmick to fool me into thinking I was
indeed compromised with a remote kernel exploit. Although I'm unable to
ascertain the method of entry, I believe it could have been as something as
trivial as a guessed user password. But Just In Case 8-).

There was also a file that I believe may have been created by the attackers.
It contained the following text, which is not clear to me:

I am the Dragon and you call me insane? My movements are followed and
recorded as avidly as those of a mighty nebula. Before me, you are a slug in
the sun. You are privy to a great becoming and you recognize nothing. You
are an ant in the afterbirth. It is in your nature to do one thing
correctly: before me you rightly tremble.

If for some reason the attachment doesn't get through, I have created a site
containing 7350reass.tar.gz:

http://www.angelfire.com/apes/7350reass/ 

>From the site... 

Since when do you guys place your exploits on 'owned' systems? 8-) 

I have tarred up the two files that were found on a compromised machine on
my subnet. They can be downloaded below. It purports to be a remote kernel
exploit for *BSD systems. This is very dubious, but in the interests of
security, it may still be worthy of a forensics analysis. Unfortunately, I
do not have the password that allows the encrypted exploit to run, so you're
on your own here.

Regardless of whether or not this is a fake exploit, everyone is urged to
take proper security precautions before running untrusted executables on
your systems. It may be best to play around with this on a spare system at
hand.

>From the EXAMPLE file: 


./7350reass 10.0.0.2 
7350reass - OpenBSD/FreeBSD/NetBSD remote kernel exploit 
fragment reassembly numeric overflow + logic fuckup 
-s & -l (21/04) 

inferior exploits for this bug rely on 3 values.. we 
only need the ip_reass delta, but still, patience 
is required to find this.. this shouldn't be a 
problem.. you don't need root to run this, as 
everything can be crafted via setsockopt.. 

mhhh, should get you in.. < 5 minutes.. 
no guarantees though.. 

OpenBSD developers are weenies ;) 

TESO: 2^32-1 SecurityFocus: 2>>2 


password: 
[*] finding ip_reass delta.. FOUND: 154 
[*] checking for timeout during reassembly error.. PASSED 
[*] final stage of exploitation. you should receive a 
shell prompt in a matter of minutes if all is fine.. 
FreeBSD saturn 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Sep 6 10:18:37 EST
2002     ubel@...urn:/usr/src/sys/compile/SATURN i386 
uid=0(root) gid=0(wheel)



--
Personalised email by http://another.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 7350reass.tar.gz
Type: application/x-tar
Size: 26275 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20021022/5013949c/7350reass.tar.tar

Powered by blists - more mailing lists