Hi,
This issue has been discussed in vuln-dev (2001-01-26), see:
http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82
Posted also on the SuSE security list, and apparently overlooked.
Yes, it was overread on [EMAIL
Hiding a version number does not stop someone who knows what they are doing, but it
does stop script kiddies out there. If a 14 year old kid can not figure out what
they are dealing with, they will move on to easier targets.
"William D. Colburn (aka Schlake)" wrote:
The FAQ file that comes with
From Anonymous [EMAIL PROTECTED] Wed Jan 31 18:06:24 2001
Date: Thu, 31 Jan 2001 18:06:19 -0400
From: Anonymous [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Bind8 exploit
Message-ID: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Internet Mail
Hi,
Please beware of running code such as this. It will do its best to attack
NAI's nameserver. It's a typical, though well disguised, shellcode trick.
Look in the Linux shellcode:
\xa1\x45\x03\x96 == 161.69.3.150 == dns1.nai.com
More details after I have a better look...
Max
At 04:12 PM
UNYUN [EMAIL PROTECTED] writes:
SPS Advisory #41
Apple Quick Time Plug-in Buffer Overflow
UNYUN [EMAIL PROTECTED]
Shadow Penguin Security (http://shadowpenguin.backsection.net)
--
[Date]
July 31, 2001
[Vulnerable]
QuickTime
What does the community think of this change in direction?
(Myself, I think it is a terrible idea to charge money for security
information access, and that closing BIND up like this is also going
to be harmful)
---
To: [EMAIL PROTECTED]
Subject: PRE-ANNOUNCEMENT: BIND-Members Forum
Date: Wed,
On Wed, Jan 31, 2001 at 02:13:07PM -0500, Lucas Holt wrote:
Hiding a version number does not stop someone who knows what they are doing, but it
does stop script kiddies out there. If a 14 year old kid can not figure out what
they are dealing with, they will move on to easier targets.
agreed, but
On Wed, 31 Jan 2001 08:15:01 -0700 "William D. Colburn (aka Schlake)"
[EMAIL PROTECTED] wrote:
The FAQ file that comes with the distribution already covers all this.
While it used to seem like a good idea to obfuscate version numbers,
things like nmap can be written for just about any
Here is more detailed information about the "trojan" bind8 exploit posted
to Bugtraq.
When you run the alleged tsig exploit it actually manages to run the Linux
shellcode on the local system (in my environment I used a Redhat 6.2
install in VMware (local network only)).
The exploit forks, sends
Source: ++ CmdAsp.asp ++
Nice coding job!
During normal webserver operations IIS, by default, impersonates the
account IUSR_COMPUTER. This account has minimal access rights.
They're not so minimal. It does have access to cmd.exe, which really means
it has too much, IMHO.
In IIS 5.0
Hi,
The attached netfilter module tries to make fake
MTU discovery harder. The comments are inside the code, especially
in the head. I posted it to the Linux kernel mailing list and
got no response about the code sanity and so on.
It seems to work without problems, but feedback is welcome.
Hi,
It's ok for those of us with local tools but I suggest someone implement a
cgi script on a site to take a pasted block of hex code like the one below
and convert any values in the printable range to their equivalent ASCII
character. The people at securityfocus could use it before approving.
Analysis of the bind8 trojaned exploit
--
here's the code:
0x8049540 <shellcode>:      jmp    0x8049576 <shellcode+54>
0x8049542 <shellcode+2>:    pop    %esi
0x8049543 <shellcode+3>:    mov    $0x1,%ebx
0x8049548 <shellcode+8>:    mov    %esi,%ecx
0x804954a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Linux-Mandrake Security Update Advisory
Package name: xemacs
Date:
Hi,
Same bug as the previous one in man on Debian (SuSE also?).
Just look:
mezon@beata$ m4 -G %x%x%x%x
m4: 40012a48380491e00: No such file or directory
mezon@beata$
or
mezon@beata$ m4 -G %p
m4: 0x40012a48: No such file or directory
--
Tomasz Kuzniar [EMAIL PROTECTED]
* Polska Platforma Internetowa *
On Wed, 31 Jan 2001, Matt Lewis wrote:
How did this get approved, did anyone test it or review it?
i don't think that the moderator's job is to test all the exploits that
get mailed to the list.
the moderator's job is to reject messages which don't adhere to the policy
of the list.
that
"Theo" == Theo de Raadt [EMAIL PROTECTED] writes:
Theo What does the community think of this change in direction?
What "change in direction"?
Theo (Myself, I think it is a terrible idea to charge money for
Theo security information access, and that closing BIND up like
Theo
I have been asked to forward this to the list by an anonymous
contributor:
Original Message-
I find this rather disturbing that some systems will still be vulnerable
till April, 2001. Luckily for any that are interested, you can integrate
Open Source bind
The recent vulnerabilities in BIND must have overlooked one
flaw amongst that extensive list that makes every version deployed on
the planet vulnerable, the flaw that makes the ISC bind oversight committee
crash, coredump and lose its mind with this new, for-pay, "leet" bind
vulnerability list.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Caldera Systems, Inc. Security Advisory
Subject:BIND buffer overflow
Advisory number:CSSA-2001-008.1
Issue date:
This won't help anything other than giving the organizations with more
money/resources an advantage over others. IMHO, if you want to stomp out the
problem, you need to disseminate it far and wide (along with the solution),
which will render the hole useless to those that would exploit it.
On Wed, 31 Jan 2001, Matt Lewis wrote:
It attacks dns1.nai.com, and I haven't researched it extensively yet,
wanted to get this out. There's quite possibly other things going on as
well, locally.
Well, there is something going on locally; read it below.
I straced it and got odd results,
Yup. It's kinda cute. It overflows its own buffer in the set_ptr
function and changes the return address to point into the shellcode.
As always the philosophy of BUGTRAQ is 'caveat emptor'. BUGTRAQ's
moderation is meant to keep discussion. It's not meant to verify
the legitimacy of the
As I expected, there has been a flood of responses to the news about ISC's
plan for a bind-members program. Rather than approve each, I have
summarized many of them here. I realize that this is an emotional issue
for many, but please remember that posts consisting of the entire original
message
Although that is a great idea in general, it would not have helped in this
case. The ruse was very well hidden and an ASCII inspection would not
have revealed the nai.com address.
I think forums like Bugtraq *should* post exploit code that is submitted,
so that other experts in the community
Below I have excerpted the obvious pieces of the trojan. The functions
which do the deed are set_ptr, and the call to dnsprintflabel.
I just thought some people may have wanted to know how the person who
wrote the trojan hid the shellcode among the seemingly correct exploit.
--Perry
On Wed, 31 Jan 2001, Jesper M. Johansson wrote:
I can't repro this. I get the code to execute, but I cannot repro the
privilege escalation. No matter what application protection level I set this
at I can't get it to execute as anything other than IUSR. I tried on Windows
Run whoami.exe from
Yesterday, Matt Lewis wrote:
How did this get approved, did anyone test it or review it?
and Today, Brett Eldridge pointed out:
i don't think that the moderator's job is to test all the exploits that
get mailed to the list.
[...]
that said, anybody who blindly uses exploit code deserves
_=_ Warped Force Advisory _=_
Author: darkyoda [EMAIL PROTECTED]
Subject:Multiple vulnerabilities in Prospero 1.3.5 CGI
Discovered: 12.15.00
Announced: 2.1.01
Vendor Status: Maintainer notified 12.27.00. New version