Message-ID: <200312251633.hBPGXWVf016340@ms-smtp-01.tampabay.rr.com>
From: zorkshin at tampabay.rr.com (Justin Shin)
Subject: Bugtraq Security Systems XMAS Advisory 0001
Ah, more Something Awful goons!
-- Justin
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Bugtraq
Security Systems
Sent: Thursday, December 25, 2003 7:52 AM
To: John Sage
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Bugtraq Security Systems XMAS Advisory 0001
Hi John!
We at Bugtraq Security Systems take great grievance in your accusations.
Especially coming from such a prominent Interweb netizen as yourself. As
we nopsled around the digital frontier in these times of vigilance, we
feel that frontier laws apply. Team Bugtraq Security thus challenges you to
a duel at defcon 2004. Furthermore, in light of your overall infosec
excellence we would like to take this opportunity to point out your
incredible skill level to our list reading friends:
[1] http://www.finchhaven.com/pages/incidents/ACK_hole.c.html
In light of this sourcecode, Team Bugtraq Security would like to urge you
to initialise len arguments yourself, instead of relying on a random stack
value to make sure the 'bytes' read(2) len arg is initialised to a safe
value, instead of relying on MB sized receive buffers. We suggest you start
by reading the read(2) manual page (man 2 read). We're sure that someone as
mature as yourself will fix this remotely reachable overflow in this piece
of security critical software as soon as possible. Of course, having
discovered this dastardly issue Team Bugtraq Security would like full
credit for saving you from future attacks.
Love,
Team Bugtraq Security
[1]
/* ACK_hole01.c - Sun Aug 11 13:00:54 PDT 2002
 * John Sage - jsage@...chhaven.com
 *
 * A first attempt at a TCP/IP network data sink
 * along the lines of trafficrcv.c - see:
 * http://www.psc.edu/~web100/pathprobe/
 *
 * Now based upon WR Stevens tcpserv04.c
 * "UNIX Network Programming", p.128
 * modified to do nothing with packets received
 *
 * Version 0.0.4 - add EINTR error handling - Sun Aug 11 13:00:54 PDT 2002
 * Version 0.0.3 - add syslog logging - Sun Aug 11 07:13:38 PDT 2002
 * Version 0.0.2
 * It works; not sure what all of it does :-/
 * but it works: no zombies, no local ports
 * left hanging in CLOSE_WAIT as with trafficrcv.c
 *
 */
#include "unp.h"        /* Stevens' UNP header: SA, LISTENQ, err_sys(), socket headers */
#include "error.c"
#include <syslog.h>

#ifndef RCVBUFF
#define RCVBUFF (1024 * 1024)
#endif

/* USAGE */
static void
usage(char name[])
{
    fprintf(stdout, "Usage: %s -p port\n", name);
}

/* SIGCHLD zombie killer, from UNP p.128 */
void
sig_chld(int signo)
{
    pid_t pid;
    int stat;

    while ( (pid = waitpid(-1, &stat, WNOHANG)) > 0 )
        fprintf(stdout, "Child %d terminated in sig_chld, zombie killed!\n",
                pid);
    return;
}

/* MAIN */
int
main(int argc, char **argv)
{
    int c;                  /* getopt(3) returns int, so compare as int */
    char *databuf;
    char message[256];
    int bytes;              /* never assigned: see the read(2) call below */
    int errflg = 0;
    int i;
    int listenfd, connfd;
    int port = 0;           /* 0 = no -p given on the command line */
    long connaddr;
    pid_t childpid;
    socklen_t clilen;
    struct sockaddr_in cliaddr, servaddr;

    while ((c = getopt(argc, argv, "?p:")) != -1) {
        switch (c) {
        case 'p':
            port = atoi(optarg);
            break;
        case '?':           /* must not fall through into 'p': optarg is NULL here */
        default:
            errflg++;
            break;
        }
    }
    if (errflg || port <= 0 || port > 65535) {
        usage(argv[0]);
        exit(2);
    }
    fprintf(stdout, "\nACK_hole is listening on port %d!\n", port);

    /* SOCKET */
    if ((listenfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("SOCKET failed");
        exit(-1);
    }
    bzero(&servaddr, sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
    servaddr.sin_port = htons(port);

    /* BIND */
    if (bind(listenfd, (SA *) &servaddr, sizeof(servaddr)) == -1) {
        perror("BIND failed");
        exit(-1);
    }

    /* Allocate receive data buffer */
    if ((databuf = malloc(RCVBUFF)) == NULL) {
        fprintf(stdout, "malloc of data buffer failed!\n");
        exit(-1);
    }

    /* LISTEN */
    listen(listenfd, LISTENQ);

    /* SIGCHLD: install the handler once, before the first child can exit */
    signal(SIGCHLD, sig_chld);

    for ( ; ; ) {
        clilen = sizeof(cliaddr);

        /* ACCEPT with EINTR handling */
        if ( (connfd = accept(listenfd, (SA *) &cliaddr, &clilen)) < 0) {
            if (errno == EINTR)
                continue;       /* back to for ( ; ; ) */
            else
                err_sys("accept error");
        }

        printf("CONNECT received from: ");
        connaddr = cliaddr.sin_addr.s_addr;
        for (i = 0; i < 4; i++) {
            printf("%d.", (int)(connaddr & 0xff));
            connaddr = connaddr >> 8;
        }
        printf("%d,", ntohs(cliaddr.sin_port));
        printf(" to local port %d!\n", ntohs(servaddr.sin_port));

        /* log to syslog, too.. message is data, so it is never the format string */
        snprintf(message, sizeof(message),
                 "Connection from remote host %s:%d to local port %d",
                 inet_ntoa(cliaddr.sin_addr),
                 ntohs(cliaddr.sin_port),
                 ntohs(servaddr.sin_port));
        syslog(LOG_INFO, "%s", message);

        /* FORK */
        if ( (childpid = fork()) == 0 ) {
            close(listenfd);
            /* READ: 'bytes' was never initialised, so the length handed to
             * read(2) is whatever happened to be on the stack. This is the
             * defect the thread is about; a sink should pass RCVBUFF here. */
            read(connfd, databuf, bytes);
            /* do nothing */
            exit(0);
        }

        /* CLOSE the parent's copy of the connected socket */
        close(connfd);
    } /* end for ( ; ; ) */
} /* end main */
On Wed, 24 Dec 2003, John Sage wrote:
> hmm..
>
> On Wed, Dec 24, 2003 at 08:04:59PM -0500, Bugtraq Security Systems wrote:
> > From: Bugtraq Security Systems <research@...traq.org>
> > To: mudge <mudge@...zero.org>
> > cc: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] Bugtraq Security Systems XMAS Advisory 0001
> > Date: Wed, 24 Dec 2003 20:04:59 -0500 (EST)
> >
> >
> > With interpretive art, the names are often just placeholders. Bugtraq
> > Security Systems requests that all the readers replace the names in this
> > advisory, including ours, with their own. Indeed, we exhort you to feel
> > that if you are not selling your integrity for stock options, not
> > pretending that each new bug found and fixed somehow makes the world a
> > better place, not sacrificing a sense of humor for a sense of importance,
> > that you are in fact, GOBBLES.
>
> /* snip */
>
> "interpretive art"?
>
> pul-leeeze. Another preteen/early teen, too full of himself.
>
>
> zzzz......
>
>
> wake me when this thread is over.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
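The read(2) length problem the thread picks on, as an added example that is neither John Sage's ACK_hole code nor anything Team Bugtraq posted: a data-sink read loop whose length argument is the size of the buffer the caller allocated, with the same EINTR retry the original applies to accept(2). The names drain_socket and drain_demo are assumptions of this example; the payload is constructed and pushed through a socketpair so it runs without a network.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read and discard whatever the peer sends until it closes its end.
 * `buflen` is the size of the buffer we allocated ourselves, so the
 * kernel is never asked to write past it. Returns bytes drained, -1 on error. */
long drain_socket(int fd, char *buf, size_t buflen)
{
    long total = 0;
    for (;;) {
        ssize_t n = read(fd, buf, buflen);
        if (n == 0)
            return total;      /* EOF: peer closed the connection */
        if (n < 0) {
            if (errno == EINTR)
                continue;      /* e.g. SIGCHLD arrived: retry the read */
            return -1;
        }
        total += n;
    }
}

/* Self-check on a socketpair (constructed input, no network needed): send
 * `payload_len` bytes of 'A', close the sender, then drain the receiver
 * through a buffer of only `buflen` bytes. Returns bytes drained or -1. */
long drain_demo(size_t payload_len, size_t buflen)
{
    int sv[2];
    long result = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    char *payload = malloc(payload_len), *buf = malloc(buflen);
    if (payload && buf) {
        memset(payload, 'A', payload_len);
        /* payload_len must stay below the socket buffer size or write() blocks */
        ssize_t w = write(sv[0], payload, payload_len);
        close(sv[0]);          /* sender done, so drain_socket will see EOF */
        if (w == (ssize_t)payload_len)
            result = drain_socket(sv[1], buf, buflen);
    } else {
        close(sv[0]);
    }
    close(sv[1]);
    free(payload);
    free(buf);
    return result;
}
```

A buffer of 64 bytes drains a 3000-byte payload just as well as a megabyte one would; the bound the caller passes, not the buffer's size, is what keeps the read in bounds.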