From: thief at bugtraq.org (Richard Johnson)
Subject: iDEFENSE Intelligence Report: Local-Remote Exploit for FreeBSD in the Wild


iDEFENSE: The Power of Intelligence : Current Intelligence Report


Local Remote FreeBSD Kernel Exploit Exists in the Wild
iDEFENSE iIRCLOG iIntelligence iSecurity Brief 05.10.04

I. BACKGROUND
We at iDEFENSE have come to the conclusion that the best way to offer
our clients proactive security, as a service, is to have individuals 
on staff who have experience in the intelligence world (including
former pc technicians, janitors, and massage therapists) who have been
fired from their minimum wage positions at various government
facilities, for no other reason than gross incompetence.

iDEFENSE outsources IRC logging services to some of the greatest minds
in computer security, who have infiltrated some of the most nefarious 
hacking groups in existence - including #dtors, #w00w00, and #nologin,
and then the logs are read by our team of former janitors and failed 
psychology students, and later turned into profound intelligence-like
reports to be sold to the private sector, the Department of Homeland 
Security, and the Chinese government.

Information fencing might be a crime, when said information is gained 
illegally, but as long as the Department of Homeland Security remains
dedicated to the fight against domestic terrorists (especially those
who frequent the Eris Free, and are known for their aggressive attacks
on the American lifestyle as they write "BUSH IS SUX0R" on critical 
infrastructure related computers, such as *.co.kr nameservers and the
ever popular plethora of *.gsfc.nasa.gov hosts running five year old 
copies of IIS - without even the eEye IIS obfuscation PRODUCT in place
to protect these critical machines), civil rights do not apply.  As a
community, we must accept that the Department of Homeland Security is 
often too afraid to actually enforce the Patriot Act (since they would
need to be able to justify their actions, and probably can't do that 
in an official capacity trying to track down Osama Joe Defacer at his 
pre-school).  The solution is simple - millions of dollars a year to 
our company, iDEFENSE, to gather chat logs and to write intelligence 
reports for them.

Feel safe that we are teamed up with the DHS to provide you a safer 
America.

Beyond this, iDEFENSE strives to compile intelligence reports off of 
other hacker resources, such as hacker conferences (where we supply 
alcohol to minors and get them in morally compromising situations for
our own profit - in the name of national security, one might say fuck
the children[2], we're Republicans anyways), we like run-on sentences,
hacker mailing lists, and our deployment of various advanced honeypots 
(wireless, honeytokens, etc).  Honey tokens are cool.  You'd be amazed
at what kind of honey tokens we have given out.

The following advisory is our first public example of INTELLIGENCE IN 
ACTION, demonstrating our ability to obtain zeroday vulnerabilities 
from our janitorial-powered thinktanks.

As a side note, if you own a modern IRC client (that supports logging)
or are in the position to install tcpdump and parse the packet dumps 
with Max Vision's brilliant tcpdump to irc log conversion utility[1],
we might have an exciting job in the information security world just 
for you!  Send a resume and a description of your IRC assets to our 
human relations department at hr@...fense.com and we will get back to
you as soon as possible.

II. Exploit Definitions

For some time, exploits have been classified in one of two categories;
either an exploit is "remote" or it is "local".  This leaves out an 
entire class of exploits, however, which we will soon be releasing a
series of advisories on.  This class of bug is more accurately named 
"local" than the previous class of bugs called "local exploits", so we
will attempt to clarify the three classes of exploits for you.

 a) Remote Exploit
    An exploit that attacks a network server, without requiring any
    sort of authentication to that server.  For instance, an exploit 
    for a webserver (httpd (hyper text transfer protocol daemon)) is
    normally in this category, unless it's some gay local signalling 
    dos thingie.
 
 b) Local Exploit
    An exploit that requires local access to a machine, authenticated 
    or otherwise.  Here local access implies physical access to the 
    machine that is about to be hacked, and examples of upcoming 
    local bugs include:
     - booting into single user mode
     - hard drive theft
     - extracting user passwords through torture,
    and our historical example,
     - CAN-2004-0109
 c) Local remote exploit
    An exploit that requires authentication to a machine, but does not
    demand physical access to said machine, and the attack can be 
    performed over the network.

One could easily add a fourth category, being "Local Local Exploits",
but this approaches some degree of silliness, and when one cannot take
his job seriously enough to not giggle when reading official titles, 
clients will wonder if they're actually paying for a serious PRODUCT.

III. The FreeBSD Kernel Exploit

Recently a post was made to full-disclosure concerning the compromise
of an account on a shell server, drunken.fi.st.  The entire post can
be read here[3]; however most of it seems to involve uninteresting 
scene nonsense, so we will focus on the important parts.

 "- rave gets his account backdoored on kokanin's box. He finds the
 obviously placed bindshell stashed as ~/bin/zsh. He laughs and says
 the backdoor was lame. Well he obviously missed the getpass()
 LD_PRELOAD, ssh, and passwd all on his local account mailing all his
 new passwords out. Oh, and he left an exploit (servu.c) in his
 directory for the version of servu ftpd he was running on his home
 windows machine. Oops."

Proper behaviour of LD_PRELOAD would not allow a non-privileged user such as
rave to hook privileged processes (read my upcoming advisory titled
"TOO MANY SUIDS A BAD THING IN *IX" for more information) such as the
*IX tool for changing passwords, /bin/passwd.  For hooking of getpass,
either root access would already be needed, or some sort of design bug
in the kernel.

We at iDEFENSE Labs have been unable to determine exactly how to 
exploit this vulnerability, or even identify where it is in the source
code, but we are confident it is there, in some version.

We thought that LD_PRELOAD bugs disappeared with the release of AIX 4,
but Sun has recently proven us wrong, and now FreeBSD has a different 
problem.  We continue to advise our clients to use only OpenBSD, 
Openwall (Owl) Linux, or Microsoft products - as clearly anyone with 
a bit of intelligence can see, everything else sucks.

IV. Closing

The purpose of this security briefing was not to demonstrate detailed
knowledge of a specific vulnerability, but to rather demonstrate the 
powers of INTELLIGENCE IN ACTION, and that our staff is capable of 
extracting valuable security INTELLIGENCE from even the vaguest of
references.  If you're in awe of the incredible feat demonstrated, you
and your organization definitely need to subscribe to our world-class 
intelligence services.

If you have any details concerning the methods of exploitation for the
vulnerability described in this advisory, please contact Mike Sutton
immediately for a fat lump of the big DHS[4] dollars.  He can be 
contacted at msutton@...fense.com.

We hope that you have been impressed with our demonstration of our 
famed INTELLIGENCE IN ACTION techniques.  If you are interested in 
purchasing a subscription to our services, please contact our sales 
department at sales@...fense.com so that we can broker a deal.

We treat all sales transactions and inquiries with confidentiality.
           _________________________________________
          / PLEASE HELP ME! My name is Jay Healy,   \
          | and I work for Goldman-Sachs, and we've |
          | been anally raped by iDEFENSE!  Call me |
          \ at (212) 357-1207 if you can save me!   /
           -----------------------------------------
                \                _
                 \              (_)
                  \   ^__^       / \
                   \  (oo)\_____/_\ \
                      (__)\       ) /
                          ||----w ((
                          ||     ||>>

[1] http://www.honeynet.org/tools/danalysis/privmsg
[2] Some believe that those who take advantage of children, are simply
    pedophiles, regardless of the situation.  In rebuttal to the claim
    that iDEFENSE employs pedophiles, we would like to say that we are
    100% certain that Michael Jackson is guilty, we are fans of his 
    music, and will continue buying his records to help support him.
[3] http://lists.netsys.com/pipermail/full-disclosure/2004-April/020690.html
[4] It's probably a good thing that our company receives so much 
    federal funding.  The combined millions of dollars pooled from 
    various government entities is definitely being spent wisely;
    it is better that bureaucrats do what they can to get us as much 
    money as possible - this allows various government agencies to 
    have instant access to the latest cross-site scripting issues in
    hotmail's service, before they are turned into devastating worms -
    and keeps funding from going to asinine ventures such as aids and
    cancer research.  Fight terror, not disease.

V. About iDEFENSE

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world from technical vulnerabilities 
and hacker profiling to the spread of viruses and other malicious code. 
iALERT, our security intelligence service, provides decision-makers, 
frontline security professionals and network administrators with timely 
access to actionable intelligence and decision support on cyber-related 
threats. We are currently trying for complete market dominance and hope
to soon eliminate the Carlyle Group by any means necessary.  We already
have stolen their webdesign - their customer base is next.  For more 
information, visit http://www.idefense.com, or our research team's 
official website at http://idefense.bugtraq.org.

-- 
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
thief@...traq.org

Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html

and become part of our research team!
http://idefense.bugtraq.org/
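The one real mechanism buried in the post is an LD_PRELOAD hook planted in an unprivileged account's environment, so here is an added defender's check (example code, not part of the original post or of any iDEFENSE tooling) that scans a user's shell start-up files and /etc/ld.so.preload for preload entries and flags libraries that resolve outside the system library directories. The sample inputs are constructed; the file names and the trusted-directory list are assumptions.

```python
"""Scan shell start-up files and /etc/ld.so.preload for LD_PRELOAD hooks."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: directories a legitimately preloaded library is expected to live in.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Matches `LD_PRELOAD=...` or `export LD_PRELOAD=...`, with optional quotes.
LD_PRELOAD_RE = re.compile(r"""(?:^|[\s;])(?:export\s+)?LD_PRELOAD=["']?([^"'\s;]+)""")


@dataclass(frozen=True)
class Finding:
    source: str     # file the entry came from
    line_no: int    # 1-based line number within that file
    library: str    # library path or name being preloaded
    reason: str


def library_reason(lib: str) -> Optional[str]:
    """Return why a preload entry is suspicious, or None if it looks benign."""
    if not lib.startswith("/"):
        return "not an absolute path: resolves through user-controlled variables or search paths"
    if not lib.startswith(TRUSTED_LIB_DIRS):
        return "library outside the system library directories"
    return None


def scan_shell_rc(text: str, source: str) -> List[Finding]:
    """Every LD_PRELOAD set from a user's start-up file is reported."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LD_PRELOAD_RE.search(stripped)
        if not m:
            continue
        for lib in filter(None, m.group(1).split(":")):   # colon-separated list
            reason = library_reason(lib) or "LD_PRELOAD set from a user start-up file"
            findings.append(Finding(source, no, lib, reason))
    return findings


def scan_ld_so_preload(text: str, source: str = "/etc/ld.so.preload") -> List[Finding]:
    """ld.so.preload applies to every process, so only untrusted paths are flagged."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()       # drop trailing comments
        if not entry:
            continue
        reason = library_reason(entry)
        if reason:
            findings.append(Finding(source, no, entry, reason))
    return findings


# Constructed sample inputs (not taken from the incident quoted in the post).
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH=$HOME/bin:$PATH
export LD_PRELOAD=$HOME/.lib/libgetpass.so
alias ls='ls --color=auto'
"""
SAMPLE_LD_SO_PRELOAD = """\
/usr/lib/libfakeroot.so   # legitimate system library
/tmp/.x/libhook.so
"""

if __name__ == "__main__":
    for f in scan_shell_rc(SAMPLE_BASHRC, "~/.bashrc") + scan_ld_so_preload(SAMPLE_LD_SO_PRELOAD):
        print(f"{f.source}:{f.line_no}: LD_PRELOAD {f.library} -> {f.reason}")
```

A preload entry found this way is not itself proof of compromise; inspect the referenced library and who can write to its directory before deciding.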