From: zorkshin at tampabay.rr.com (Justin Shin)
Subject: Bugtraq Security Systems XMAS Advisory 0001

Ah, more Something Awful goons!

-- Justin

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Bugtraq
Security Systems
Sent: Thursday, December 25, 2003 7:52 AM
To: John Sage
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Bugtraq Security Systems XMAS Advisory 0001


Hi John!

We at Bugtraq Security Systems take great grievance in your accusations.
Especially coming from such a prominent Interweb netizen as yourself. As
we nopsled around the digital frontier in these times of vigilance, we
feel that frontier laws apply. Team Bugtraq Security thus challenges you to
a duel at defcon 2004. Furthermore, in light of your overall infosec
excellence we would like to take this opportunity to point out your
incredible skill level to our list reading friends:

[1] http://www.finchhaven.com/pages/incidents/ACK_hole.c.html

In light of this source code, Team Bugtraq Security would like to urge you
to initialise len arguments yourself, instead of relying on a random stack
value to make sure the 'bytes' read(2) len arg is initialised to a safe
value, instead of relying on MB sized receive buffers. We suggest you start
by reading the read(2) manual page (man 2 read). We're sure that someone as
mature as yourself will fix this remotely reachable overflow in this piece
of security critical software as soon as possible. Of course, having
discovered this dastardly issue Team Bugtraq Security would like full
credit for saving you from future attacks.

Love,
Team Bugtraq Security

[1]

/* ACK_hole01.c - Sun Aug 11 13:00:54 PDT 2002
 * John Sage - jsage@...chhaven.com
 *
 * A first attempt at a TCP/IP network data sink
 *   along the lines of trafficrcv.c - see:
 *   http://www.psc.edu/~web100/pathprobe/
 *
 * Now based upon WR Stevens tcpserv04.c
 *   "UNIX Network Programming", p.128
 *   modified to do nothing with packets received
 *
 * Version 0.0.4 - add EINTR error handling - Sun Aug 11 13:00:54 PDT 2002
 * Version 0.0.3 - add syslog logging - Sun Aug 11 07:13:38 PDT 2002
 * Version 0.0.2
 *   It works; not sure what all of it does :-/
 *   but it works: no zombies, no local ports
 *   left hanging in CLOSE_WAIT as with trafficrcv.c
 *
 */

#include "unp.h"
#include "error.c"

#ifndef RCVBUFF
#define RCVBUFF (1024 * 1024)
#endif

/* USAGE */

static void
usage(char name[])
{
  fprintf(stdout, "Usage: %s [-p port]\n",name);
}
/* SIGCHLD zombie killer, from UNP p.128 */

void
sig_chld(int signo)
{
  pid_t pid;
  int   stat;
  while ( (pid = waitpid(-1, &stat, WNOHANG)) > 0 )
    fprintf(stdout, "Child %d terminated in sig_chld, zombie killed!\n",
            pid);
  return;
}

/* MAIN */

int
main(int argc, char **argv)
{
  int       c;   /* getopt() returns int; a plain char may never equal -1 */
  char      *databuf;
  char      message[256];
  int       bytes;
  int       errflg = 0;
  int       i;
  int       listenfd, connfd;
  int       port;
  long      connaddr;
  pid_t     childpid;
  socklen_t clilen;
  struct    sockaddr_in cliaddr, servaddr;

  while ((c = getopt (argc, argv, "?p:")) != -1) {
    switch (c) {
    case '?':
      errflg++;
      break;   /* without this, control falls into 'p' with optarg == NULL */
    case 'p':
      port = atoi(optarg);
      break;
    default:
      errflg++;
      break;
    }
  }

  if (errflg) {
    usage(argv[0]);
    exit (2);
  }

  fprintf(stdout, "\nACK_hole is listening on port %d!\n", port);

/* SOCKET */

  listenfd = socket(AF_INET, SOCK_STREAM, 0);

  bzero(&servaddr, sizeof(servaddr));
  servaddr.sin_family = AF_INET;
  servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
  servaddr.sin_port = htons(port);

/* BIND */
  if (bind(listenfd, (SA *) &servaddr, sizeof(servaddr)) == -1) {
    perror("BIND failed");
    exit(-1);
  }

/* Allocate receive data buffer */

  if ((databuf = malloc(RCVBUFF)) == NULL) {
      fprintf(stdout, "malloc of data buffer failed!\n");
      exit(-1);
  }

/* LISTEN */

  listen(listenfd, LISTENQ);

  for ( ; ; ) {
    clilen = sizeof(cliaddr);

 /* ACCEPT with EINTR handling */

    if ( (connfd = accept(listenfd, (SA *) &cliaddr, &clilen)) < 0) {
      if (errno ==EINTR)
        continue; /* back to for ( ; ; ) */
      else
        err_sys("accept error");
    }

    printf("CONNECT received from: ");
    connaddr = cliaddr.sin_addr.s_addr;
    for (i = 0; i < 4; i++) {
      printf("%d.", (int)(connaddr & 0xff));
      connaddr = connaddr >> 8;
    }
    printf("%d,", ntohs(cliaddr.sin_port));
    printf(" to local port %d!\n", ntohs(servaddr.sin_port));

    /* log to syslog, too.. */
    sprintf(message, "Connection from remote host %s:%d to local port %d",
            inet_ntoa(cliaddr.sin_addr),
            ntohs(cliaddr.sin_port),
            ntohs(servaddr.sin_port));
    syslog(LOG_INFO, "%s", message);

/* SIGCHLD */

    signal(SIGCHLD, sig_chld);

/* FORK */

    if ( (childpid = fork()) == 0 ) {
      close(listenfd);

/* READ */

      read(connfd, databuf, bytes);
      /* do nothing */
      exit(0);
    }

/* CLOSE */

    close(connfd);

  } /* end for ( ; ; ) */

} /* end main */

On Wed, 24 Dec 2003, John Sage wrote:

> hmm..
>
> On Wed, Dec 24, 2003 at 08:04:59PM -0500, Bugtraq Security Systems wrote:
> > From: Bugtraq Security Systems <research@...traq.org>
> > To: mudge <mudge@...zero.org>
> > cc: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] Bugtraq Security Systems XMAS Advisory 0001
> > Date: Wed, 24 Dec 2003 20:04:59 -0500 (EST)
> >
> >
> > With interpretive art, the names are often just placeholders. Bugtraq
> > Security Systems requests that all the readers replace the names in this
> > advisory, including ours, with their own. Indeed, we exhort you to feel
> > that if you are not selling your integrity for stock options, not
> > pretending that each new bug found and fixed somehow makes the world a
> > better place, not sacrificing a sense of humor for a sense of importance,
> > that you are in fact, GOBBLES.
>
> /* snip */
>
> "interpretive art"?
>
> pul-leeeze. Another preteen/early teen, too full of himself.
>
>
> zzzz......
>
>
> wake me when this thread is over.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
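
A bounded form of the READ step discussed in the forwarded message, as an added example (not John Sage's code and not part of the advisory): the length passed to read(2) is always the buffer capacity, and the loop handles EINTR and EOF. The names drain_fd, demo_drain and SINK_BUF are assumptions, and a pipe stands in for the connected socket so the check runs offline.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SINK_BUF 1024  /* assumed size; the posted code uses a 1 MiB RCVBUFF */
/* Drain fd until EOF. The length handed to read(2) is always the buffer
 * capacity, never an unset variable. Returns bytes discarded, -1 on error. */
static long drain_fd(int fd, char *buf, size_t cap)
{
    long total = 0;
    for (;;) {
        ssize_t n = read(fd, buf, cap);
        if (n > 0) { total += n; continue; }  /* data overwritten next pass */
        if (n == 0) return total;             /* peer closed the connection */
        if (errno == EINTR) continue;         /* e.g. SIGCHLD arrived */
        return -1;
    }
}

/* Constructed self-check: sends `payload` bytes into a SINK_BUF buffer that
 * is followed by a canary; returns bytes drained, or -1 if the canary changed
 * or a call failed. Keep payload below the pipe capacity (nothing reads yet). */
static long demo_drain(size_t payload)
{
    struct { char buf[SINK_BUF]; unsigned char canary[16]; } s;
    char chunk[512]; int p[2];
    size_t sent = 0, i; long got;
    memset(s.canary, 0xA5, sizeof s.canary);
    memset(chunk, 'A', sizeof chunk);
    if (pipe(p) != 0) return -1;
    while (sent < payload) {
        size_t left = payload - sent;
        ssize_t w = write(p[1], chunk, left < sizeof chunk ? left : sizeof chunk);
        if (w <= 0) return -1;
        sent += (size_t)w;
    }
    close(p[1]);                              /* EOF for the reader */
    got = drain_fd(p[0], s.buf, sizeof s.buf);
    close(p[0]);
    for (i = 0; i < sizeof s.canary; i++)
        if (s.canary[i] != 0xA5) return -1;
    return got;
}

int main(void) { printf("drained %ld bytes\n", demo_drain(3 * SINK_BUF + 100)); return 0; }
```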

