lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 14 Sep 2014 00:12:21 +1000
From: Kemble Wagner <>
Subject: [FD] libre office listening on port 1599


First of this is my first post I do not claim to be a security expert
and do not possess a great expansive skill sets for such inquiry
however I do get curious at times and endevour in a hit and miss kind
of way.

Having said that I often find myself getting curious from time to time
and running things I probably shouldn't on occasion. I see after some
googling the issue that has me confused has already been reported but
not resolved at first I thought one of the files I had may of
contained a some multi-platform code to hook a listener I only assumed
it was multi-platform as I am running Linux, however if I was right
which I am unsure of still it makes sense to add multiple payloads to
a single file.

I simply do not trust a lot of sites that appear under certain
searches particularly a lot of the newbie harvesting articles created
to capitalize on the new polularity of Backtrack/Kali I often figured
it would be a great exploit to run a site that attracts first time
Kali users and who have a wealth of tools they do not know how to use
pre installed and no idea they shouldn't be running Firefox with the
default root account, or they are just too excited and lazy to make a
secure user account, which I admit I have done when I ran it on usb
from time to time till I could be bothered making a secure account

This had me becoming over diligent about what files I ran from sites
after becoming  more aware of files which to me are seemingly innocent
with ways to host a payload inside them like non executable pdfs and
other docs so openly shared and easily achieved these days.

So I discovered running a ppt file which I dont normally use so I
opened with system default libre office created a socket listening on
1599 I googled it and linked below is the most relevant post but there
are many others too anyway attached are my tracebacks I hope someone
maybe able to decipher more for me I also ran an strace on a small pdf
from a trusted source and still found it binding to port 1599 I figure
this is either a workaround function and possibly not the work of
anything suspect but potentially insecure or it is in fact well placed
code that could be laying dormant or used for a malicious purpose for
how long and no I don't have much more than assumptions about this I
cant really collect more info and interpret than I already have.

a section I thought that was worth noting is one of the files accessed
/etc/passwd during strace.

open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=2433, ...}) = 0
mmap(NULL, 2433, PROT_READ, MAP_SHARED, 3, 0) = 0x7f631fa3f000
lseek(3, 2433, SEEK_SET)                = 2433
munmap(0x7f631fa3f000, 2433)            = 0
close(3)                                = 0
access("/home/james/.config", F_OK)      = 0
getcwd("/home/james/scripts", 4096)      = 19

P.S  I did quickly scan over the posting guidelines for FD but forgive
me if I made an error on formatting or relevant topic matter.

bug report debian

Original URLs of origin

View attachment "strace.Scripting-with-the-xss.pdf.txt" of type "text/plain" (28622 bytes)

View attachment "xss-tutorial.ppt.strace.txt" of type "text/plain" (66896 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists