Re: BugTraq: EFS Win 2000 flaw

2001-01-23 Thread Ryan Russell 

On Fri, 19 Jan 2001, Russ wrote:

 To the best of my knowledge, Peter Guttman(sp?) has demonstrated for years
 now that there is no form of over-writing which makes any substantial
 difference to the ability to recover previously written data from a computer
 hard disk.

 My understanding of current "high security" standards wrt the re-use of
 disks which previously contained classified materials is that they only be
 re-used in similarly classified systems, or, are destroyed beyond any form
 of molecular reconstruction (e.g. melted).

I see a big difference in being able to recover some files by simply
booting to a different OS vs. having to break out the electron microscope
and manually piece bits together.  I could boot DOS or Linux to read a
deleted file... I don't think I'd be able to find someone who could read
the bits from 3 writes ago off of a physical disk surface for me... unless
you gave me a huge amount of time and money.

If the problem does exist as described... the possibility that a
government forensics lab might recover some data is no exucse for not
handling temp files properly for EFS.

Ryan

Re: BugTraq: EFS Win 2000 flaw

2001-01-23 Thread Dan Kaminsky 

 To the best of my knowledge, Peter Guttman(sp?) has demonstrated for years
 now that there is no form of over-writing which makes any substantial
 difference to the ability to recover previously written data from a
computer
 hard disk.

Guttman's paper, "Secure Deletion of Data from Magnetic and Solid-State
Memory" (available at
http://www-tac.cisco.com/Support_Library/field_alerts/fn13070.html ) has
become something of a classic, and for good reason:  It's absolutely
fascinating reading, describing in detail what most of us suspected and some
of us never imagined.

The paper, however, is five years old, and quite frankly needs to be
understood in that context.

Now, I'm *not* saying that Guttman's points are flawed, just that it's
likely that the mechanisms used to recover data from 300 Megabyte drives
probably don't scale to 80 Gigabyte disks using GMR(Gigantic
Magnetoresistance) technology.  The extra surface area and analog bit
density used to divine past generations of data has almost certainly been
exploited in the 16x explosion in data density since Guttman's paper was
written.

My *guess*, however, is that as drive densities have increased, the
requirements for more and more advanced error correction(to increase yields
on platters with miniscule deformities) has led to greater redundancy and
increased platter space to entirely redundant--and
reconstructable--information

Furthermore, it's impossible that drive scanning technology hasn't advanced
in sync with drive capacity--the bottom line is, somebody needed to design
the sensors to work out the kinks from each generation of disk.  Companies
like OnTrack(who, incidentally, worked very well for me) have made rather
successful businesses of proven what's gone is not necessarily gone.

So essentially, Guttman was right, and Guttman is probably still right.  But
the technologies used to recover deleted data has probably advanced just as
much as the technology used to store the data in the first place.

 My understanding of current "high security" standards wrt the re-use of
 disks which previously contained classified materials is that they only be
 re-used in similarly classified systems, or, are destroyed beyond any form
 of molecular reconstruction (e.g. melted).

Exactly.  It is the job of the medium to store information.  It is the job
of the incinerator to delete it.  Violation of the barriers between
establishing functionality and enforcing security leads to systems that
allow too much access to an unstable service.

 So to suggest that your perceived EFS flaw can be resolved by over-writing
 is naive. The only solution is to encrypt in memory or use some removable
 partition as the temp space.

Russ, you're absolutely correct about the need for memory encryption, though
removable media has equivalent risks(with the exception of possibly being
more conveniently incinerated).  The correct behavior is for a disk to never
receive anything that gives it plaintext-equivalent access to any of the
actual information contained within the encrypted data.  That means no
decryption keys ever get written, no passwords get saved, and most
importantly, *no plaintext data gets stored, not even "temporarily"*. The
moment an "Encrypted File System" writes a plaintext version of the data to
the disk, all is lost--whether or not an apparently laughable delete(really,
"dab white-out on the page number on the index in the back of the book)
operation is actually carried out.

Lets not forget--an encrypted file system exists for *no other reason* but
to resist attack.  Encryption does not add speed.  It does not add
stability.  It does not add anything *but* resistance against an attacker
who lacks the key material.  If Rickard's analysis is correct--something
that should be independently verified--EFS offers attackers a rich array of
simple attacks that do not require discovery of the key material.  You can
draw your own conclusions from that.

Yours Truly,

Dan Kaminsky
Cisco Systems, Inc.
http://www.doxpara.com

Re: ICMP fragmentation required but DF set problems.

2001-01-23 Thread Niels Provos 

PMTU discovery is used by TCP (primarily if not exclusively). Isn't it
possible to 1. check TCP sequence numbers in ICMP frag. needed messages
generated as a response to a TCP datagram (in the same way they should be
checked on any ICMP dest. unreachable to prevent a trivial DoS),
2. disregard any other ICMP frag. needed message?
That's how we do it in OpenBSD in the IPv4 case.

Since the ICMP has to include the IP packet + 8 bytes from the
following header, you can just look up any tcb that corresponds to the
quoted TCP header in the ICMP need fragment message.  If you dont have
such a tcb, you ignore the ICMP message.  This basically reduces the
attack to an adversary who can sniff your connection, but that would
allow her to do all kinds of other things to your TCP connection.

IPv6 is another case though.  Here you have mandatory PMTU for all
protocols.

Niels.

Reply to EFS note on Bugtraq

2001-01-23 Thread Ryan Russell 

Due to some mail trouble, I'm manually forwarding this note.  The
signature should check out.

Ryan

From:   Microsoft Security Response Center
Sent:   Monday, January 22, 2001 2:17 PM
To: '[EMAIL PROTECTED]'
Cc: Microsoft Security Response Center
Subject:Re: BugTraq: EFS Win 2000 flaw

-BEGIN PGP SIGNED MESSAGE-

Hi All -

While EFS does indeed work as Rickard discusses, this is not new
information.  For instance, "Encrypting File System for Windows 2000"
(http://www.microsoft.com/WINDOWS2000/library/howitworks/security/encr
ypt.asp, p 22) notes the following:
 "EFS also incorporates a crash recovery scheme whereby no data is
lost in the event of a fatal error such as system crash, disk full,
or hardware failure. This is accomplished by creating a plaintext
backup of the original file being encrypted or decrypted. Once the
original is successfully encrypted or decrypted, the backup is
deleted.  NOTE: Creating a plaintext copy has the side-effect that
the plaintext version of the file may exist on the disk, until those
disk blocks are used by NTFS for some other file."

The plaintext backup file is *only* created if an existing plaintext
document is coverted to encrypted form.  If a file is created within
an encrypted folder, it will be encrypted right from the start, and
no plaintext backup file will be created.  Microsoft recommends this
as the preferred procedure for using EFS to protect sensitive
information.   "Encrypting File System for Windows 2000", page 22,
makes this recommendation:
 "... it is recommended that it is always better to start by creating
an empty encrypted folder and creating files directly in that folder.
Doing so, ensures that plaintext bits of that file never get saved
anywhere on the disk. It also has a better performance as EFS does
not need to create a backup and then delete the backup, etc."

Even if the plaintext backup file were not created, it would still be
a bad idea to create a sensitive file in plaintext and then encrypt
it later.  Many common operations, such as adding data to or removing
data from a file, compressing and decompressing a file, defragmenting
a drive, or opening a file using an application that creates
temporary files, can result in plaintext being left on the drive.  It
is simply not feasible for any software package to be able to track
down and erase all the plaintext "shreds" that may have been created
during the file's plaintext existence.  The only way to ensure that
there is no plaintext on the drive is to encrypt the file right from
the start.

Nevertheless, we are investigating this issue to see whether there
are improvements we can make.  No matter what the solution, it will
still be better for customers to create sensitive files encrypted
from the start; however, we believe it may be possible to prevent the
plaintext backup file from being retained on the drive.  Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center



- - -Original Message-
From: Rickard Berglind [EMAIL PROTECTED] 
Sent: Fri, 19 Jan 2001 12:29:50 +0100
To: [EMAIL PROTECTED]
Subject: BugTraq: EFS Win 2000 flaw

I have found a major problem with the encrypted filesystem
( EFS ) in Windows 2000 which shows that encrypted files
are still very available for a thief or attacker.

The problem comes from how EFS works when the encryption
is done. When a user marks a file for encryption a
backup-file, called efs0.tmp, will be created. When
the copy is in place the orginal file will be deleted
and then recreated, now encrypted, from the efs0.tmp-
file.
And finally, when the new encrypted file is succesfully
created, the temporary-file ( which will never be shown
in the user interface ) will be deleted as well.
So far, so good. The only file remaining is the one
which is encrypted.

But the flaw is this: the temporary-file is deleted
in the same way any other file is "deleted" - i.e.
the entry in the $mft is marked as empty and the clusters
where the file was stored will be marked in the $Bitmap
as available, but the psysical file and the information it
contains will NOT be deleted. The information in the
file which the user have encrypted will be left in the backup
file efs0.tmp in total plaintext on the surface of the disk.
When new files are added to the partition will they
gradually overwrite the secret information, but if
the encrypted file was large - the information could
be left for months.
So how can this be exploited ? If someone steals
a laptop or have psysical access to the disk it will
be easy to use any low level disk editor to search
for the information. For example, the Microsoft
Support Tool "dskprobe.exe" works fine for locating
old efs0.tmp-files and read information, in plain-text,
that the user thought was safe.
In my opinion there should be a function in the EFS
which physically overwrites the efs0.tmp at least once
to make it a lot harder for an

[Security Announce] MDKSA-2001:014 - MySQL and php update

2001-01-23 Thread Linux Mandrake Security Team 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



Linux-Mandrake Security Update Advisory


Package name:   MySQL and php
Date:   January 22nd, 2001
Advisory ID:MDKSA-2001:014

Affected versions:  7.2


Problem Description:

 A security problem exists in all versions of MySQL after 3.23.2 and
 prior to 3.23.31.  The problem is that the SHOW GRANTS command could
 be executed by any user making it possible for anyone with a MySQL
 account to get the crypted password from the mysql.user table.  The new
 3.23.31 version fixes this.

 Due to library changes, the previously announced PHP update
 (MDKSA-2001:013) has been updated as well so that the php-mysql module
 supports this new version of MySQL.  It also corrects the upgrade
 scripts in the package, however you will still need to verify that PHP
 support is enabled in your /etc/httpd/conf/httpd.conf Apache
 configuration file and verify that the installed modules are
 uncommented in your /etc/php.ini file.


Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:
  rpm --checksig package.rpm
You can get the GPG public key of the Linux-Mandrake Security Team at
  http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.

Linux-Mandrake 7.2:
06ccef6a0a68e631847b10d1d30a79f9  7.2/RPMS/MySQL-3.23.31-1.1mdk.i586.rpm
c17be32deca79950d9a61a78442dfe8e  7.2/RPMS/MySQL-bench-3.23.31-1.1mdk.i586.rpm
748534a09c309bdc02689497f0f0e178  7.2/RPMS/MySQL-client-3.23.31-1.1mdk.i586.rpm
856f12fe37b031db9e1fa267fe5fc5fa  7.2/RPMS/MySQL-devel-3.23.31-1.1mdk.i586.rpm
3aef6e7d31fc0d2fc6d561b32a46ba94  7.2/RPMS/MySQL-shared-3.23.31-1.1mdk.i586.rpm
3ae3695872918ca460de8a54946b0c08  7.2/SRPMS/MySQL-3.23.31-1.1mdk.src.rpm

fe069a4995c82e7f1548f2a6a2d806f6  7.2/RPMS/mod_php-4.0.4pl1-1.2mdk.i586.rpm
416ad3191b034c53a18ec38ec100d831  7.2/RPMS/php-4.0.4pl1-1.2mdk.i586.rpm
1ec671999473d7b800bc2b24ad95625d  7.2/RPMS/php-dba_gdbm_db2-4.0.4pl1-1.2mdk.i586.rpm
1491a462a960192dbcb41f873aab5e6d  7.2/RPMS/php-devel-4.0.4pl1-1.2mdk.i586.rpm
25e3ba4887b2bf90580df6402d07306b  7.2/RPMS/php-gd-4.0.4pl1-1.2mdk.i586.rpm
f9e2732a884495a4cd8d9f812db0146e  7.2/RPMS/php-imap-4.0.4pl1-1.2mdk.i586.rpm
22fa6e8b8ab089fd2f1ff4f782df7d63  7.2/RPMS/php-ldap-4.0.4pl1-1.2mdk.i586.rpm
27fef2a3d3cbcb6053e6c8f5e1680faa  7.2/RPMS/php-manual-4.0.4pl1-1.2mdk.i586.rpm
854e5f9b837b998dad8f523a0fffa6f0  7.2/RPMS/php-mysql-4.0.4pl1-1.2mdk.i586.rpm
f25f06f33133c126c592929a5b54f796  7.2/RPMS/php-pgsql-4.0.4pl1-1.2mdk.i586.rpm
61dbb4df3f9993cb742aaa59306e9cd1  7.2/RPMS/php-readline-4.0.4pl1-1.2mdk.i586.rpm
70ac8cd0cf8808ce8cbd9546d3a0dac9  7.2/SRPMS/php-4.0.4pl1-1.2mdk.src.rpm


To upgrade automatically, use MandrakeUpdate.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".

You can download the updates directly from one of the mirror sites
listed at:

  http://www.linux-mandrake.com/en/ftp.php3.

Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for
Linux-Mandrake 7.2, look for it in "updates/7.2/RPMS/".  Updated source
RPMs are available as well, but you generally do not need to download
them.

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other security advisories for Linux-Mandrake at:

  http://www.linux-mandrake.com/en/security/

If you want to report vulnerabilities, please contact

  [EMAIL PROTECTED]


Linux-Mandrake has two security-related mailing list services that
anyone can subscribe to:

[EMAIL PROTECTED]

  Linux-Mandrake's security announcements mailing list.  Only
  announcements are sent to this list and it is read-only.

[EMAIL PROTECTED]

  Linux-Mandrake's security discussion mailing list.  This list is open
  to anyone to discuss Linux-Mandrake security specifically and Linux
  security in general.

To subscribe to either list, send a message to
  [EMAIL PROTECTED]
with "subscribe [listname]" in the body of the message.

To remove yourself from either list, send a message to
  [EMAIL PROTECTED]
with "unsubscribe [listname]" in the body of the message.

To get more information on either list, send a message to
  [EMAIL PROTECTED]
with "info [listname]" in the body of the message.

Optionally, you can use the web interface to subscribe to or

Re: BugTraq: EFS Win 2000 flaw

2001-01-23 Thread Jeremy Epstein 

Russ,

 To the best of my knowledge, Peter Guttman(sp?) has demonstrated for years
 now that there is no form of over-writing which makes any substantial
 difference to the ability to recover previously written data from
 a computer
 hard disk.

You're correct that Peter Gutmann (note spelling) has shown that you can
recover anything, given enough time  money, from an erased disk.  It's not
outrageously expensive or difficult, but it's certainly non-trivial.  But I
don't think that's what the point was.  I think the point was that the data
is NEVER overwritten on disk.  That's much easier than Peter's schemes for
retrieving data.  You don't need any special hardware to do it, unlike
Peter's schemes.

[None of which is to take away from Peter's excellent research...]

 My understanding of current "high security" standards wrt the re-use of
 disks which previously contained classified materials is that they only be
 re-used in similarly classified systems, or, are destroyed beyond any form
 of molecular reconstruction (e.g. melted).

That's generally true, although it depends on how classified the data was.
Disks containing Secret data could be reused for unclassified work with
sufficient overwriting, but Top Secret was never reusable.  That was a few
years ago; it may have changed.

 So to suggest that your perceived EFS flaw can be resolved by over-writing
 is naive. The only solution is to encrypt in memory or use some removable
 partition as the temp space.

Disagree.  Security isn't an absolute.  Overwriting makes it significantly
harder to recover deleted data, although certainly not impossible.  It's
enough of an impediment that it may encourage the attacker to go read
someone else's disk.  And that may be enough, depending on the sensitivity
of the data.

--Jeremy

[SAFER] Security Bulletin 010123.EXP.1.10

2001-01-23 Thread Security Research Team 

__

  S.A.F.E.R. Security Bulletin 010123.EXP.1.10
__


TITLE: Buffer overflow in Lotus Domino SMTP Server
DATE : January 23, 2001
NATURE   : Remote execution of code, Denial-of-Service
AFFECTED : Lotus Notes/Domino 5 (up to and including 5.05)

PROBLEM:

Buffer overflow exists in Lotus Domino SMTP server, which can lead to 
Denial-of-Service or remote execution of code in context of user which SMTP server is 
running as.

DETAILS:

Lotus Domino/Notes server has a 'policy' feature, which is used to define relaying 
rules. However, improper bounds checking allow remote user to overflow the buffer and 
execute arbitrary code.

If policy is enabled to check for domain name it is possible to trigger the overflow.

-- cut --
#!/usr/bin/perl
$req="a" . "%A"x200 . "A"x600 . "%allowed.domain.com\@allowed.domain.com";
print "ehlo foo\nmail from: blah\@example.com\nrcpt to:$req\ndata\nfoo\n.\nquit\n";
-- cut --

Modify the 'allowed.domain.com' to the domain name which Notes SMTP server is 
accepting mail for (check policies). Pipe the output through the netcat (for example), 
and you should be able to crash the remote server.

Further examination of the crash demonstrates that we are able to overwrite contents 
of EIP register as well, which is the proof of remote code execution possibility.

To recover from the crash, you might be required to remove 'log.nsf' and/or 'mail.box' 
files afterwards (due to corruption) - be careful while testing for this problem.

This vulnerability has been confirmed on Notes release for Linux and Windows. Others 
platforms have not been tested.

FIXES:

Lotus has been informed about this problem on November 2nd, 2000. Mail has been 
'silently ignored', but the problem has eventually been fixed in 5.0.6 release, and it 
has been confirmed in a response to our attempt to inform them about the
problem again on January 8th. Fix details are available at:

http://www.notes.net/r5fixlist.nsf/6d4eae9850a5c2c28525690400551b57/5eea8322c479de968525697d00737ad5?OpenDocument

Lotus says that it was 'potential denial of service attack'. However, it is more 
serious than DoS - code execution is possible. All users that use policy feature 
should upgrade to Notes/Domino 5.0.6.

CREDITS:

Fyodor Yarochkin [EMAIL PROTECTED]
Vanja Hrustic [EMAIL PROTECTED]
Thomas Dullien [EMAIL PROTECTED]
Emmanuel Gadaix [EMAIL PROTECTED]



This advisory is also available at http://www.safermag.com/advisories/

__

   S.A.F.E.R. - Security Alert For Enterprise Resources
  Copyright (c) 2001 The Relay Group
  http://www.safermag.com    [EMAIL PROTECTED]
__

No Subject

2001-01-23 Thread Ben Li 

*** Aa explotable example of this has been found using white text.  I think
it's time this hits the list, wether MS likes it or not -Ben ***


  DHTML/CSS/web-based email Vulnerability


  Report: Dylan Griffiths ([EMAIL PROTECTED]) and Ben Li ([EMAIL PROTECTED])
  Discovery: Ben Li

  Jan 15, 2001

  Originally sent Jan 6, 2001 (not Jan 6, 2000)



  

Summary:

There is a bug in many 4th generation browsers that allows users of web based
email to be mis-directed to unintended destinations when mail management
buttons are clicked.  This is due to interactions between the browser and CSS
DIV tags, and the DHTML LAYER tag.


Vendor contact:

It would be impossible to contact every web-based email provider out there in
a timely manner so those with the most users will be given priority.

Microsoft, Netscape, Opera, USANet and Yahoo! were sent a preliminary copy of
this report on 6 Jan 2001 since they have the largest web-based email
subscriber bases and thus the most potential vulnerable users.  Microsoft was
the only vendor that responded interactively and has stated that they do not
believe this to be an issue.  The vendors were sent a second preliminary copy
of this report on 14 Jan 2001 with no response from any vendors other than
Microsoft.


Details:

A properly malformed page containing the DIV (or LAYER) tag anchors a
BROKEN* clickable image (an image surrounded by A HREF=.../A) over top of
the page containing other links by using a z-index of zero (effectively on
top of everything else) in the style for the image.  Since it is a broken
image, the page is not obscured by the image, and clicks directed to links on
the page will instead send the user to the page specified in the HREF for the
floating image.

This could be exploitable by sending crafted HTML to users of web-based email
providers (such as Hotmail, ZDNet mail, etc) or possibly by sending the same
email to users with email clients that render HTML.  This is vulnerability
could also exist in other HTML-rendering applications as well (for example,
Napster, CuteMX, etc).

* the SRC address for the image refers to a resource that cannot be found at
that address


Examples:

1. A user gets an stupid-looking (or blank) malicious mail in their web-based
email. They click "delete" (or other navigation tools: forward, back, save
address, etc) to delete the message, and are sent to a nasty place like
goatse.cx, which is linked to by the floating image.  Alternatively, the user
is directed to a counterfeited page on the attacker's server asking the user
to re-login or supply information asking them for verification of adulthood
through a credit card number.

2. A user is logged in to Hotmail and views the message contained in the HTML
code example below.  Since the floating image covers the entire page (the
image is 3000 by 3000 pels in our example below), they would be unable to log
out or navigate from the current message by clicking elements on the page and
would need to navigate out of the message using the back button (or its
keyboard counterpart) or by specifying a new URL to view using the address
bar.

3. A user is logged in to Hotmail and clicks the ad banner, which has a
broken image positioned over it which directs the user to another site,
resulting in monetary losses for Microsoft and the people advertising with
the banner.


Browser specifics:

The presentation of links in DHTML can be very complex because of the
interactions between link rendering, image rendering, page layering, other
elements, and CSS.  Thus different browsers are vulnerable to different
variations of the exploit code below and on different web-based email sites.
Additionally, some page elements (for example, form elements) may be assigned
an effective Z-order of -1 in the browser (which is above the Z-order of 0
for the floating image), resulting in vulnerable image and text links but not
form elements.  Your mileage will vary.

Internet Explorer for Windows and Mozilla are largely vulnerable because
there is no easy way of turning off CSS (doing so seems to correct the issue
in other browsers).  Mozilla is, however, harder to trick into allowing the
layer overlay to obstruct links below it.  If the domain from which the image
is sourced does resolve but does not contain the image file, Mozilla reduces
the image to a link with the ALT text.  If the domain doesn't resolve, it
will use a placeholder image in its place.

Opera is partially vulnerable on Hotmail (some buttons are obscured by the
large image shown in the code above, others are not), and not vulnerable on
ZDNet mail because of how ZDNet mail implements their buttons.  ZDNet mail
and Yahoo! also use frames to separate the message display frame from
navigation/other frames which reduces this vulnerability to only the message
display frame.

Netscape 4.7 is vulnerable to both DIV and LAYER on the PC and appears to
be vulnerable to

Solaris /usr/bin/cu Vulnerability

2001-01-23 Thread hal King 

In Solaris 2.6 patch 106468-02 replaces cu in Sol 7 patch 108372-01 replaces
   it for gets() use. The script does SegFault in 8, but no core file... I am
   running 10/2000 revision and 108372 came out in may, so it's probably cool.

--

hal king Unix System Group[EMAIL PROTECTED]
pgp key http://web.utk.edu/~hck/hal.asc No hot dog, email.

Re: MySQL 3.23.31 Overflow [exploit] (fwd)

2001-01-23 Thread Michael Widenius 
Hi!

I got forwarded this 'exploit' of MySQL:

Lus Hello...
Lus Here's a exploit for this...
Lus [See attached...]

Lus Regardz,
Lus Lus Miguel Silva aka wC

Lus Member of lonoss.org and unsecurity.org
Lus http://www.lonoss.org/
Lus http://www.unsecurity.org/
Lus http://www.ispgaya.pt/ Student

Lus Personal WebPage at:
Lus http://paginas.ispgaya.pt/~lms/
Lus 
Lus http://www.unsecurity.org/wC/

Lus Personal Code at:
Lus www.unsecurity.org/wC/MyCode/

Lus /*

Lus  Linux MySQL Exploit by Luis Miguel Silva [aka wC]
Lus  [EMAIL PROTECTED]
Lus  19/01/y2k+1

Lus  Compile:

Lusgcc MySQLXploit.c -o MySQLX

Lus  Run with:

LusYou can specify the offset for the exploit passing it as the 1st arg...

LusExample: ./MySQLX 0 --- this is the default offset :]

Lus  Advisorie: 
Lus  [from a bugtraq email]

Lus  Hi,

Lus  all versions of MySQL  3.23.31 have a buffer-overflow which crashs the
Lus  server and which seems to be exploitable (ie. 4141414 in eip)

Lus  Problem :
Lus  An attacker could gain mysqld privileges (gaining access to all the
Lus  databases)

Lus  Requirements :
Lus  You need a valid login/password to exploit this

Lus  Solution :
Lus  Upgrade to 3.23.31

Lus  Proof-of-concept code :
Lus  None

Lus  Credits :
Lus  I'm not the discoverer of this bug
Lus  The first public report was made by [EMAIL PROTECTED] via the MySQL
Lus  mailing-list
Lus  See the following mails for details

Lus  Regards,
Lus  Nicob

cut

I have looked at the 'exploit' and tested this against a 3.23.30
server, but it didn't work.  The server gave nicely the error:

-
(/my/tmp) exploit 0

MySQL [all versions  3.23.31] Local Exploit by [EMAIL PROTECTED]

Trying to allocate memory for buffer (130 bytes)...SUCCESS!
Using address : 0x41414141
Offset: 0
Buffer Size   : 130
Oh k...i have the evil'buffer right here :P
So...[if all went well], prepare to be r00t...
Enter password:
ERROR 1064 at line 1: You have an error in your SQL syntax near '^‰1ÀˆF‰F
 °
  ‰óV
   
̀1ۉØ@̀èÜÿÿÿ/bin/shA' at line 1

-

I can't see how this particular exploit could work, as MySQL strips
all not-ASCII characters from the column name and stops as the first
not-ASCII character.  In other words, an exploit like this could
theoretically work if the assembler code only used bytes in this
region, but as this particular program didn't do that...

Anyway, this is just a typical example why one should be careful of
not running mysqld as root, but as it's own user.

Regards,
Monty

[SECURITY] [DSA-012-1] New version of micq released

2001-01-23 Thread debian-security-announce 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-012-1   [EMAIL PROTECTED]
http://www.debian.org/security/   Martin Schulze
January 22, 2001
- 

Package: micq
Vulnerability  : remote buffer overflow
Debian-specific: no

PkC has reported that there is a buffer overflow in sprintf() in micq
versions 0.4.6, that allows to a remote attacker able to sniff packets
to the ICQ server to execute arbitrary code on the victim system.

We recommend you upgrade your micq package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- 

  Potato was released for the alpha, arm, i386, m68k, powerpc and sparc
  architectures.

  Source archives:

http://security.debian.org/dists/stable/updates/main/source/micq_0.4.3-4.dsc
  MD5 checksum: b564dd2d8e937611bd90d73096d4a138
http://security.debian.org/dists/stable/updates/main/source/micq_0.4.3.orig.tar.gz
  MD5 checksum: ddc011d3509d593284bf9336e0a9f829
http://security.debian.org/dists/stable/updates/main/source/micq_0.4.3-4.diff.gz
  MD5 checksum: f86304bdbec4d1cf86fb991fc8355f39

  Intel ia32 architecture:


http://security.debian.org/dists/stable/updates/main/binary-i386/micq_0.4.3-4_i386.deb
  MD5 checksum: b5a2d7327ffc35ab49a1e4f64c6f2567

  Motorola 680x0 architecture:


http://security.debian.org/dists/stable/updates/main/binary-m68k/micq_0.4.3-4_m68k.deb
  MD5 checksum: a07906bae588eaec0b20974a8a871704

  Sun Sparc architecture:


http://security.debian.org/dists/stable/updates/main/binary-sparc/micq_0.4.3-4_sparc.deb
  MD5 checksum: 59d5b78bea7f4cce3ea4ca7b5b28d005

  Alpha architecture:


http://security.debian.org/dists/stable/updates/main/binary-alpha/micq_0.4.3-4_alpha.deb
  MD5 checksum: 06264f9d8a99edfcc43fac35080cc544

  PowerPC architecture:


http://security.debian.org/dists/stable/updates/main/binary-powerpc/micq_0.4.3-4_powerpc.deb
  MD5 checksum: fbd7bb304918dad6f59d75c5a220dd31

  ARM architecture:


http://security.debian.org/dists/stable/updates/main/binary-arm/micq_0.4.3-4_arm.deb
  MD5 checksum: 492b4162cc8f59c5dae6e56860ae6bfe


  These files will be moved into
  ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- 
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6bK4rW5ql+IAeqTIRAiMpAJwJSCw++1gi200ZdlN3s2dY8eiM4QCdEv1q
OCg4/8B3PhZLbcmy+9zVAKg=
=OUwR
-END PGP SIGNATURE-


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

[SECURITY] [DSA-015-1] New version of sash released

2001-01-23 Thread debian-security-announce 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-015-1   [EMAIL PROTECTED]
http://www.debian.org/security/   Martin Schulze
January 23, 2001
- 

Package: sash
Vulnerability  : broken maintainer script
Debian-specific: yes

Versions of sash prior to 3.4-4 did not clone /etc/shadow properly
which lead into readable files for anybody.  This was fixed by the
Debian maintainer.

This package only exists in stable, so if you are running unstable you
won't see a bugfix unless you use the resources from the bottom of
this message to the proper configuration.

We recommend you upgrade your sash package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- 

  Potato was released for the alpha, arm, i386, m68k, powerpc and sparc
  architectures.


  Source archives:

http://security.debian.org/dists/stable/updates/main/source/sash_3.4-6.diff.gz
  MD5 checksum: f65d5dfd23acc395b99651076e8029bd
http://security.debian.org/dists/stable/updates/main/source/sash_3.4-6.dsc
  MD5 checksum: c78f46d34405afcbaae29726dd9f8e89
http://security.debian.org/dists/stable/updates/main/source/sash_3.4.orig.tar.gz
  MD5 checksum: 9c631eb171371b69276ff6692100beb6

  Intel ia32 architecture:


http://security.debian.org/dists/stable/updates/main/binary-i386/sash_3.4-6_i386.deb
  MD5 checksum: 4273648c65527f88855887f97bb6eeab

  Motorola 680x0 architecture:


http://security.debian.org/dists/stable/updates/main/binary-m68k/sash_3.4-6_m68k.deb
  MD5 checksum: 7bc34c6c7b0b1f6793693853711c76ad

  Sun Sparc architecture:


http://security.debian.org/dists/stable/updates/main/binary-sparc/sash_3.4-6_sparc.deb
  MD5 checksum: 1fdadd243c5aabc329edcb880dcd2581

  Alpha architecture:


http://security.debian.org/dists/stable/updates/main/binary-alpha/sash_3.4-6_alpha.deb
  MD5 checksum: 57837ce03d6c55dad077d67cc18ed38a

  PowerPC architecture:


http://security.debian.org/dists/stable/updates/main/binary-powerpc/sash_3.4-6_powerpc.deb
  MD5 checksum: b5bf950effb0517552e0056ce995120e

  ARM architecture:

http://security.debian.org/dists/stable/updates/main/binary-arm/sash_3.4-6_arm.deb
  MD5 checksum: d7e3253ef764c1bb10b04caafd7b9c30


  These files will be moved into
  ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- 
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6bNE0W5ql+IAeqTIRAgLoAJ9CohteWM4aVgKghMRRZ1JjiHcdbACfeYRe
2SKtPRjH2k9IRbcwHZ6+RIw=
=OHfM
-END PGP SIGNATURE-


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Patch for Potential Vulnerability in Oracle XSQL Servlet

2001-01-23 Thread Oracle Security Alerts 

Patch for Potential Vulnerability in Oracle XSQL Servlet

Description:
A potential security vulnerability in Oracle XSQL Servlet has been
discovered when using stylesheets as URL parameters which permits the
execution of arbitrary Java code on the Oracle 8.1.7.0.0 database server
with elevated privileges. This vulnerability was discovered in Oracle8i,
Release 8.1.7.0.0, Enterprise Edition running Oracle Internet
Application Server (iAS) and XSQL Servlet, Release 1.0.0.0, on MS
Windows 2000. It also exists in XSQL releases 1.0.1.0 to 1.0.3.0 on all
platforms.

Solution:
Oracle has corrected this vulnerability in the new release of XSQL
Servlet as well as provided more secure behavior by default. The new
release of XSQL Servlet, Release 1.0.4.0, can be obtained from Oracle
Technology Network, OTN, http://otn.oracle.com/tech/xml/xsql_servlet. A
patch will also be available in the upcoming Oracle8i, Release 8.1.7.1,
patch set and available for use with iAS Release 1.0.2.1.

Credits:
Oracle Corporation wishes to thank Georgi Guninski for discovering this
vulnerability and promptly bringing it to Oracle's attention.

Re: BugTraq: EFS Win 2000 flaw

2001-01-23 Thread Bryce Walter 

One of the advertised features of EFS was protection of data in the event of
say a stolen laptop.  EFS was supposed to protect against someone throwing
the harddrive into another system that they did have admin access on, and
circumventing the NTFS permissions in that manner.

Again this issue shows that physical security is the underlying trump card.

--
Correct me if I'm wrong, but the use of programs that utilize direct disk
access (such as DiskProbe) is restricted to the Local Administrator
account (as per
http://www.microsoft.com/windows2000/guide/professional/solutions/manageme
nt.asp). If an would be attacker has this kind of access, he automatically
has the sufficient power (due to the existence of the recovery agent
certificate, unless the computer is part of a domain (but that's another
story) to decrypt any locally stored file.


_
Get your FREE download of MSN Explorer at http://explorer.msn.com

Re: Buffer Overflow still exists in Netscape = 4.76

2001-01-23 Thread Henryk Plötz 

Hi fish stiqz,

   Well, after reading you first message regarding this, I tried your
tool and loaded a page with 2 A's into my netscape and it crashed
the same moment. Impressive.

   So, I decided to try this again and see, whether I could reproduce
the different behavior with different sizes you wrote about.
I started with 1000 A's and gradually increased it, always hitting
reload after i generated a new file. And ... nothing happened.
   I tried hitting reload multiple times, hitting shift+reload and
viewing the source and apart from the time it took to load big pages,
absolutely nothing changed. When I got a file with 1M A's and still
nothing happened, I loaded this file into a newly opened window and ...
crash.

   So I tried this again and, if you first generate a page with a form
that only has 1000 or so A's, then change that file to have much more
A's and only hit reload (Not open a new window and open the file there,
or hit Back - Forward in the history) it won't crash.

   Another thing to note: it crashes after loading all the A's but not
before reaching End-Of-File.

   I'm not using a rpm but got the binary from netscape (well, I think
so):

$ md5sum netscape-4.76.tgz
577f4545020a6bcbd016db549fa16f61  netscape-4.76.tgz

   And yet two other notes:
In this part of the universe netscape dies of SIGBUS and not SIGSEGV
(see gdb-dump at the end of this posting)
I also tried a file with 20M A's and the only thing that I noticed was a
significant decrease in loading speed after loading some 34% or so.

 Exactly what did you do that it didn't segfault on you?  In all my tests
 Netscape has died either as soon as the page loads or as soon as you try
 to go somewhere else (or reload).

   Maybe Frank did what I did, as my Netscape really won't die of
anything when using a small file first.

$ gdb netscape core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols
found)...
Core was generated by `netscape crash.htm'.
Program terminated with signal 7, Bus error.
Reading symbols from /lib/libBrokenLocale.so.1...done.
Loaded symbols for /lib/libBrokenLocale.so.1
Reading symbols from /usr/X11R6/lib/libXt.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXt.so.6
Reading symbols from /usr/X11R6/lib/libSM.so.6...done.
Loaded symbols for /usr/X11R6/lib/libSM.so.6
Reading symbols from /usr/X11R6/lib/libICE.so.6...done.
Loaded symbols for /usr/X11R6/lib/libICE.so.6
Reading symbols from /usr/X11R6/lib/libXmu.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXmu.so.6
Reading symbols from /usr/X11R6/lib/libXpm.so.4...done.
Loaded symbols for /usr/X11R6/lib/libXpm.so.4
Reading symbols from /usr/X11R6/lib/libXext.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXext.so.6
Reading symbols from /usr/X11R6/lib/libX11.so.6...done.
Loaded symbols for /usr/X11R6/lib/libX11.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libstdc++-libc6.1-1.so.2...done.
Loaded symbols for /usr/lib/libstdc++-libc6.1-1.so.2
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
#0  0x401fca71 in __kill () from /lib/libc.so.6
(gdb) bt
#0  0x401fca71 in __kill () from /lib/libc.so.6
#1  0x8940170 in PR_ClearPendingException ()
#2  signal handler called
#3  0x4022c68e in _IO_sgetn (fp=0x92b9700, data=0x8ebd000, n=4096) at
genops.c:431
#4  0x40227c03 in _IO_fread (buf=0x8ebd000, size=1, count=4096,
fp=0x92b9700) at iofread.c:42
#5  0x83d2ed1 in cache_DBDataToExtCacheDBInfoStruct ()
#6  0x83d3d26 in NET_ProcessFile ()
#7  0x83dd2d7 in NET_ProcessNet ()
#8  0x82ce0ab in fe_GetSecondaryURL ()
#9  0x4003d3a1 in XtAppProcessEvent () from /usr/X11R6/lib/libXt.so.6
#10 0x82bd5cc in fe_EventLoop ()
#11 0x82bffc5 in main ()
#12 0x401f6a5e in __libc_start_main (main=0x82be7a4 main, argc=2,
argv=0xb874, init=0x827f548 _init, fini=0x894914c _fini,
rtld_fini=0x4000aa20 _dl_fini,
stack_end=0xb86c) at ../sysdeps/generic/libc-start.c:92
--
Henryk Pltz
Gre von der Ostsee
 S/MIME Cryptographic Signature

Re: BugTraq: EFS Win 2000 flaw

2001-01-23 Thread Russ 

In case anyone's interested, here's a summary of the responses I received to
my incorrect assertions;

I should say that I was under the honest belief that companies, such as
OnTrack, made available services which could recover overwritten data at a
reasonable price. I called them this morning and asked, they responded that
if the data was overwritten then it was basically not possible to recover.
They wouldn't say whether they did make such a service available, but the
implication is clearly that its not as trivial, or inexpensive, as I
believed it to be. Thanks to Ryan Russell for setting me straight on that.

Frank Knobbe [EMAIL PROTECTED] pointed out that PCGuardian's
Encryption Plus Hard Disk software works well on Windows 2000 and does
complete disk encryption (enter password at boot to decrypted system files),
solving the EFS issues posed by Rickard.

Kris Kennaway [EMAIL PROTECTED] was succinct; "Don't be silly. If the file
was overwritten even once then it can't be recovered in software. Not many
people have access to expensive scanning equipment which can pick up
residual magnetisation of the storage medium."

Camillo Srs [EMAIL PROTECTED] said; "F-Secure FileCrypto does a
secure delete, that is overwrite, of the original when doing an initial
encryption. Nevertheless, any files created after encryption comes into
effect are immediately written to disk in encrypted form, without any
intermediate steps of writing temporary plaintext to disk."

Roman Fischer [EMAIL PROTECTED] said; "PGPDisk creates one large file.
On this file, it reads/writes the data. Thus it overwrites the same parts of
the file all the time, not leaving any temp files behind (other than maybe
in swap space or memory)."


Its probably also interesting to note that Microsoft makes significant
mention of EFS' ability to encrypt temporary files created by applications
(e.g. Word), thereby protecting encrypted data from leakage, in their EFS
White Paper;

http://www.microsoft.com/technet/win2000/win2ksrv/technote/nt5efs.asp

"EFS is integrated with the operating system so that it stops the leaking of
key information to page files and ensures that all temporary copies of an
encrypted file are encrypted."

Note they mention "that all temporary copies of an encrypted file are
encrypted", which doesn't address Rickard's observations of the plaintext
copy of a file being encrypted. They also make no mention of the temporary
file being created in their graphic "Figure 1 File Encryption Process" on
that page.

Bottom line is that my assertion was wrong that it was naive to believe that
over-writing was a resolution to the problems observed by Rickard. While not
assuring files couldn't be obtained, it does offer significant resistance to
attack (Dan Kaminsky's phrase.)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Re: eEye Iris the Network traffic analyser DoS

2001-01-23 Thread Marc Maiffret 

This indeed is a bug in Iris 1.01 beta and it has been fixed within Iris
2.0. Iris 2.0 should be released within the next two days. All users of Iris
1.01 are being contacted and sent a url to 2.0 once it is released.

The one thing to note is that someone has to actually click and view the
"evil" packet in order for Iris to crash.  If you simply open iris and start
sniffing and receive the "evil" packet, without clicking to view it, then
Iris will not crash.

Thanks much to grazer for contacting us prior to posting to Bugtraq so that
we could work on a fix for this problem.

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com


| -Original Message-
| From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of grazer
| Sent: Sunday, January 21, 2001 6:27 PM
| To: [EMAIL PROTECTED]
| Subject: eEye Iris the Network traffic analyser DoS
|
|
| Hi there,
|
| There exists a vulnerability that will cause the iris network
| traffic analyser to hang.
| I have included an exploit, that will demonstrate the bug, the
| exploit will send a packet to the remote host,
| when the remote host opens the packet (to examine it) iris will
| quit, leaving an error message.
|
| Sincerely yours,
|
| Wouter ter Maat aka grazer
| digit-labs information security
| http://www.digit-labs.org
|
|

Re: Buffer overflow in bing

2001-01-23 Thread Kris Kennaway 

On Fri, Jan 19, 2001 at 08:30:01PM +0100, Pierre Beyssac wrote:
 On Fri, Jan 19, 2001 at 06:52:27PM +0100, Paul Starzetz wrote:
  The buffer overflowed is a 80 byte static local buffer:
  static char buf[80];
 
 It is patched by default in FreeBSD's package collection. Here's
 the patch below (author: [EMAIL PROTECTED]).

Actually, the patch was mine :-)


revision 1.1
date: 2000/03/05 05:30:54;  author: kris;  state: Exp;
This is a setuid root binary. sprintf()s of DNS hostnames into undersized
buffers are bad. Fix this. It should also drop privileges for extra
safety, but doesn't.
=

Kris

-- 
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger [EMAIL PROTECTED]

 PGP signature

Re: Buffer overflow in MySQL 3.23.31

2001-01-23 Thread Joao Gouveia 

Hi,

- Original Message -
From: "Nicolas GREGOIRE" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, January 18, 2001 5:44 PM
Subject: Buffer overflow in MySQL  3.23.31


 Hi,

 all versions of MySQL  3.23.31 have a buffer-overflow which crashs the
 server and which seems to be exploitable (ie. 4141414 in eip)

 Problem :
 An attacker could gain mysqld privileges (gaining access to all the
 databases)

 Requirements :
 You need a valid login/password to exploit this

Not allways, in a default instalation one can exploit like this:
mysql -ustring -equery , no need for a valid database, login, nor
password.
Also, afaik, this can't easly be exploited just by using a "select
a.(buffer).a" because buffer must be part of a valid SQL query. I didn't
test it, but i supose it's true.
The real danger of this flaw, i think, is the possibility of beeing
exploited remotely.
If there is a simple php script ( for example ), that has a sql query like
"$SQL=select * from table where index=$index" ( providing that $index isn't
quoted), one can exploit using somethig like: script.php?index=a.(buffer).b


 Solution :
 Upgrade to 3.23.31

 Proof-of-concept code :
 None

 Credits :
 I'm not the discoverer of this bug
 The first public report was made by [EMAIL PROTECTED] via the MySQL
 mailing-list
 See the following mails for details

Best regards,

Joao Gouveia
--
[EMAIL PROTECTED]

def-2001-06: Easycom/Safecom 10/100 Multiple DoS

2001-01-23 Thread Peter Gründl 

==
   Defcom Labs Advisory def-2001-06

 Easycom/Safecom 10/100 Multiple DoS

Author: Peter Grndl [EMAIL PROTECTED]
Release Date: 2001-01-23
==
=[Brief Description]=-
The Easycom/Safecom print server from I-Data International contains
multiple vulnerabilites that allow a malicious user to bring down the
print server. Execution of arbitrary code is also possible.

=[Affected Systems]=--
- Easycom/Safecom, firmware 404.590
- Most likely older firmware revisions as well

--=[Detailed Description]=
The print server has a web service running on port 80 and on port 631.
Both are vulnerable to a long URL request. The long URL results in a
buffer overflow on the server. The effect can either be that the unit
crashes or execution of arbitrary code on the server.

The PrintGuide service on port 5742 will cease to respond, if you send
two bursts (80 connects in each burst) of null characters to the port.

The FTP service on TCP port 21 is vulnerable to data flooding. The
flooding results in the unit being disconnected from the network.

The web services on port 80 and port 631 are both vulnerable to long
HTTP requests. An infinite HTTP request will result in the unit being
disconnected from the network. This is done by eg. issuing a normal
GET request and filling A's into an HTTP header field, like "host:".

The TCP/IP implementation on the Easycom/Safecom unit is vulnerable
to flooding. Sending large burst of "normal" network packets to the
unit at eg. 10 mbit will result in the unit being disconnected from
the network.

---=[Workaround]=-
No vendor supplied workaround known. You could put your unit behind a
filtering router, and make sure the ports aren't accessible from the
network (except from the managing console, of course).

-=[Vendor Response]=--
This issue was brought to the vendor's attention on the 30th of
November, 2000. Vendor promises to look into it, but has not yet come
up with any indication on when a fix would be available.

==
 This release was brought to you by Defcom Labs

   [EMAIL PROTECTED] www.defcom.com
==

Re: def-2001-05: Netscape Fasttrack Server Caching DoS

2001-01-23 Thread Peter W 

On Mon, Jan 22, 2001 at 01:30:33PM +0100, Peter Grndl wrote:

Defcom Labs Advisory def-2001-05

Oooh, how fancy! ;-)

 --=[Detailed Description]=
 The Fasttrack 4.1 server caches requests for non-existing URLs with
 valid extensions (eg. .html). The cached ressources are not freed
 again (at least not after half an hour), so a malicious user could
 cause the web server to perform very sluggishly, simply by requesting
 a lot of non-existing html-documents on the web server.

 ---=[Workaround]=-
 None known.

I can't test these because iPlanet's download system is too broken,
stupid, and annoying for me to grab iWS ft 4.1 to verify, but:

Almost certainly effective workaround #1:
 Disable caching per http://help.netscape.com/kb/corporate/2313-1.html

Probable workaround #2:
 Most  of the NES/iWS built-in functions are cache-safe. That is, using
them does not prevent the server from using its cache accelerator. Some
functions are conditionally cache-safe, e.g. the "flex-log" function is
cache safe with the default configuration, but if certain attributes of
requests are logged, then the cache cannot function.
 3rd-party functions are assumed to be cache-unsafe unless they
explicitly set the rq-directive_is_cacheable flag (see
http://developer.netscape.com:80/docs/manuals/enterprise/nsapi/svrplug.htm)
so you should be able to write a quick NSAPI module like this:
  NSAPI_PUBLIC int PW_null(pblock *pb, Session *sn, Request *rq)
  {
/* note we do not touch rq-directive_is_cacheable */
return REQ_NOACTION;
  }
and then use that in obj.conf, e.g.
 # near the top of obj.conf
 Init fn="load-modules" shlib="/path/to/PW_null.so" funcs="PW-null"
 #
 # inside your Object config
 Error reason="Not Found" fn="PW-null"
 # then your regular 404 handler, e.g.
 Error reason="Not Found" fn="send-error" path="/path/to/errorpage.html"
This should make iWS realize that the file not found URLs are not
cacheable, without affecting other documents.

I also expect that sites using query-handler instead of send-error for
their 404 errors won't have the problem Herr Gruendl describes.

 -=[Vendor Response]=--
 This issue was brought to the vendor's attention on the 7th of
 December, 2000. Vendor replied that the Fasttrack server is not meant
 for production environments and as that, the issue will not be fixed.

Also worth noting is that there do not seem to be *any* service packs
for iWS FastTrack 4.1. Since iWS Enterprise has had at least one huge
hole (remote code execution via SSL/TLS implementation bug), I expect
that iWS FastTrack is an awfully dangerous app to make available to
others. Probably a good idea to limit iWS ft to local access with some
sort of on-host firewall or packet filter.

I assume you have not found iWS Enterprise Edition to be vulnerable?

-Peter
http://www.tux.org/~peterw/

Re: ICMP fragmentation required but DF set problems.

2001-01-23 Thread antirez 

On Sun, Jan 21, 2001 at 04:40:53PM +0100, Pavel Kankovsky wrote:
 On Mon, 15 Jan 2001, antirez wrote:

It's possible to slowdown (a lot) connections between two
arbirary hosts (but at least one with the PMTU discovery enabled)
using some spoofed TCP/IP packet. Maybe you can do more
against some TCP/IP stack.
 ...
There isn't a clear solution.

 PMTU discovery is used by TCP (primarily if not exclusively). Isn't it
 possible to 1. check TCP sequence numbers in ICMP frag. needed messages
 generated as a response to a TCP datagram (in the same way they should be
 checked on any ICMP dest. unreachable to prevent a trivial DoS),
 2. disregard any other ICMP frag. needed message?

You can't if you wan't break the UDP PMTU discovery API
that applications can use, and to look-up UDP non-connections
don't seems possible.

Anyway we may use this semi-fix:

When the DF bit is set the IP-ID field isn't used at all.
Also only packets with the DF bit set will generate the ICMP
frag needed in respose, so the trick is to sign the outgoing
packets with the DF bit set and store the (only 16 bit) HMAC(srcip|dstip)
in the ip-id field. The key is generated at start-up and
updated every X packets and/or Y seconds. When we got back
the ICMP we can check the signature since the IP header is
quoted. Note that you need to check the signature against
the current and the last key, so in the middle case the attack
may be mounted anyway using 2^14 spoofed ICMP packets in the middle case.

This isn't perfect security but it's better than nothing,
if you consider that this don't break anything of standard.
To reach more security you may break the TOS and the
HMAC will be of 24 bits, 2^23 packets required in the middle
case, but actually 2^22 since you check with a bogus key (one of the two
between the last and the current).

Anyway this combined with a reasonable MTU-info short expiration
time will make the attack quite hard, at least compared
with the one packet needed with the current implementations.
Obviuosly this will load your CPU, but the hash function
can be quite weakfast, since the attacker can collect just
an HMAC for every phisical IP address he owns.

I implemented this as a netfilter hook for linux 2.4 and it
works well. I wan't release beta code, expecially when
in kernel space, so I'll double check it and then send it
to bugtraq.
My implementation uses the MD4-based trasformation that
you can find under linux/drivers/char/random.c

This sounds reasonable?

regards,
antirez

--
Salvatore Sanfilippo  |  [EMAIL PROTECTED]
http://www.kyuzz.org/antirez  |  PGP: finger [EMAIL PROTECTED]

[RHSA-2001:003-07] Updated mysql packages available for Red Hat Linux 7

2001-01-23 Thread bugzilla 

-
   Red Hat, Inc. Red Hat Security Advisory

Synopsis:  Updated mysql packages available for Red Hat Linux 7
Advisory ID:   RHSA-2001:003-07
Issue date:2001-01-18
Updated on:2001-01-23
Product:   Red Hat Linux
Keywords:  mysql security buffer overflow
Cross references:  
Obsoletes: RHBA-2000:133  RHBA-2000:067
-

1. Topic:

The MySQL database that shipped with Red Hat Linux 7 and the updates for it
have been reported by the MySQL authors to have security problems.

2. Relevant releases/architectures:

Red Hat Linux 7.0 - alpha, i386

3. Problem description:

The MySQL database that shipped with Red Hat Linux 7 and the updates for
it  have been reported by the MySQL authors to have security problems.

These problems (buffer overflow and information protection issues) have
been fixed in version 3.23.32, which also contains the earlier fixes.

Note that MySQL has updated its client library since the initial version
shipped with Red Hat Linux 7.  A new package, mysqlclient9, must be used
for running applications linked with the libmysqlclient.so.9 library.

4. Solution:

Because of dependencies, the packages must be installed as a group.

After downloading all RPMs needed for your particular architecture, run:

rpm -Uvh mysql*

Note that in rare cases, the shutdown of the old database fails after
upgrade - to ensure a smooth upgrade, shut the database down before
upgrading:

service mysqld stop

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

24381 - Buffer Overflow in MySQL 3.23.31
22649 - encrypt() function not supported
24589 - mysql logrotate script returns an error, log doesn't get rotated

6. RPMs required:

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/SRPMS/mysql-3.23.32-1.7.src.rpm
ftp://updates.redhat.com/7.0/SRPMS/mysqlclient9-3.23.22-3.src.rpm

alpha:
ftp://updates.redhat.com/7.0/alpha/mysql-3.23.32-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/mysql-devel-3.23.32-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/mysql-server-3.23.32-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/mysqlclient9-3.23.22-3.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/i386/mysql-3.23.32-1.7.i386.rpm
ftp://updates.redhat.com/7.0/i386/mysql-devel-3.23.32-1.7.i386.rpm
ftp://updates.redhat.com/7.0/i386/mysql-server-3.23.32-1.7.i386.rpm
ftp://updates.redhat.com/7.0/i386/mysqlclient9-3.23.22-3.i386.rpm



7. Verification:

MD5 sum   Package Name
--
1d13ef56b8898abf8841510db3c0be49  7.0/SRPMS/mysql-3.23.32-1.7.src.rpm
f538d811ec522c86ab890657e859a4f4  7.0/SRPMS/mysqlclient9-3.23.22-3.src.rpm
c838e7245d2ca45357e556317873fcca  7.0/alpha/mysql-3.23.32-1.7.alpha.rpm
5a5049769bd785e800fe629c7875dec8  7.0/alpha/mysql-devel-3.23.32-1.7.alpha.rpm
5cb73bca58042bb7604361c224878f08  7.0/alpha/mysql-server-3.23.32-1.7.alpha.rpm
e5f65a87cb3e019456d842d565693476  7.0/alpha/mysqlclient9-3.23.22-3.alpha.rpm
d8097aa8c188b386803267446286a01a  7.0/i386/mysql-3.23.32-1.7.i386.rpm
528a72c7b017458f6cad65978b93305e  7.0/i386/mysql-devel-3.23.32-1.7.i386.rpm
8ec7d8b903e1608de50f49196837e40c  7.0/i386/mysql-server-3.23.32-1.7.i386.rpm
38a96abb2b68fa9354f715da47767386  7.0/i386/mysqlclient9-3.23.22-3.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
rpm --checksig  filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg filename

8. References:

http://www.mysql.com/documentation/mysql/bychapter/manual_News.html#News-3.23.31


Copyright(c) 2000, 2001 Red Hat, Inc.

Re: BugTraq: EFS Win 2000 flaw

2001-01-23 Thread Attonbitus Deus 

 So to suggest that your perceived EFS flaw can be resolved by over-writing
 is naive. The only solution is to encrypt in memory or use some removable
 partition as the temp space.


I agree with the use of 'percevied' in this case.  Though the behavior is
interesting in regard to the creation of the unencrypted .tmp file, I
believe this more of a procedural issue than an implementation one.
Recommended EFS procedures call for the encryption of a direcory, not
file-by-file as the procedure indicated by Berglind suggests. If you copy an
unencrypted file and paste it into an encrypted directory, the file and the
temporary file are both encrypted.

This is actually covered in the docs regarding EFS.

HTH.
-
Attonbitus Deus
[EMAIL PROTECTED]

FreeBSD Security Advisory: FreeBSD-SA-01:09.crontab

2001-01-23 Thread FreeBSD Security Advisories 

-BEGIN PGP SIGNED MESSAGE-

=
FreeBSD-SA-01:09   Security Advisory
FreeBSD, Inc.

Topic:  crontab allows users to read certain files

Category:   core
Module: crontab
Announced:  2001-01-23
Credits:Kyong-won Cho [EMAIL PROTECTED]
Affects:FreeBSD 3.x (all releases), 4.x (all releases prior to 4.2)
FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
correction date.
Corrected:  2000-11-11 (FreeBSD 4.1.1-STABLE)
2000-11-20 (FreeBSD 3.5.1-STABLE)
FreeBSD only:   No

I.   Background

crontab(8) is a program to edit crontab(5) files for use by the cron
daemon, which schedules jobs to run at specified times.

II.  Problem Description

crontab(8) was discovered to contain a vulnerability that may allow
local users to read any file on the system that conform to a valid
crontab(5) file syntax.  Due to crontab(5) syntax requirements, the
files that may be read is limited and subject to the following
restrictions:

* The file is a valid crontab(5) file, or:
* The file is entirely commented out; every line contains either only
  whitespace, or begins with a '#' character.

The greatest security vulnerability is the disclosure of crontab
entries owned by other users, which may contain sensitive data such as
keying material (although this would often be publically disclosed
anyway at the time when the crontab job executes, via process
arguments and environment, etc).

All released versions of FreeBSD prior to the correction date
including FreeBSD 4.1.1 are vulnerable to this problem.  The problem
was corrected prior to the release of FreeBSD 4.2.

III. Impact

Malicious local users can read arbitrary local files that conform to
a valid crontab file syntax.

IV.  Workaround

One of the following:

1) Utilize crontab allow/deny files (/var/cron/allow and
/var/cron/deny) to limit access to use the crontab(8) utility.

2) Remove the setuid privileges from /usr/sbin/crontab.  However, this
will not allow users other than root to use cron.

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.1.1-STABLE
after the correction date.

To patch your present system: download the relavent patch from the
below location and execute the following commands as root:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/cron/crontab
# patch -p  /path/to/patch
# make depend  make all install
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOm32m1UuHi5z0oilAQGA+QQAhArbkzv/lo8QibLjyEFB3lta0IC5HSrJ
hPuetiP/XViZNXntIAtm26M9QGRAhw0M1s9CU6PGD0zVJHtfh/nRoNxdU9vFLhJ6
xbJf6Wai6VTJpQK7dwXKIi6nplKlOSLhd6ZhvP1fe/6bDsbYywOxJdYGJZcyKtFA
vG1n8lhzhog=
=EJ7/
-END PGP SIGNATURE-

Re: ICMP fragmentation required but DF set problems.

2001-01-23 Thread antirez 

On Mon, Jan 22, 2001 at 06:15:33PM -0500, Niels Provos wrote:
 IPv6 is another case though.  Here you have mandatory PMTU for all
 protocols.

In this case, and even with IPv4 if you want UDP PMTU API and so on,
the only way seems to sign the outgoing packets with an HMAC and
a local key. So you will be able to check if the quoted packet in the
ICMP error was sent by your host.
With IPv4 you can use the ip.id field since it's useless with
the DF bit set, but a 16 bit protection is very weak.
Another way may be to add a bogus IP option, since fully-standard
TCP/IP stacks will ignore the option, that contains the HMAC,
but unfortunatelly all kinds of firewalls will drop this packets.

With IPv6 the clearest way seems a new next-header with the HMAC
that provide the autentication. No key exchange is needed,
you just sign your own packets to recognize it later.

antirez

--
Salvatore Sanfilippo  |  [EMAIL PROTECTED]
http://www.kyuzz.org/antirez  |  PGP: finger [EMAIL PROTECTED]

[CORE SDI ADVISORY] Weakl authentication in ATT's VNC

2001-01-23 Thread Iván Arce 

CORE SDI
   http://www.core-sdi.com

Vulnerability report for weak authentication in ATT VNC


Date Published: 2001-01-23

Advisory ID: CORE-2001011501

Bugtraq ID: 2275

CVE CAN: None currently assigned.

Title: Weak authentication in ATT VNC

Class: Design error

Remotely Exploitable: yes

Locally Exploitable: no

Release Mode: USER RELEASE

Vulnerability Description:

 As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):

 "VNC stands for Virtual Network Computing. It is, in essence, a remote
 display system which allows you to view a computing 'desktop'
 environment not only on the machine where it is running, but from
 anywhere on the Internet and from a wide variety of machine
 architectures".

 VNC uses a challenge/response mechanism for authenticating
 clients in order to avoid the transmition of clear text passwords
 over insecure channels and prevent unauthorized clients to
 get access to the VNC server.

 A design flaw in the client authentication mechanism permits an attacker
 to obtain legit credentials from a valid client in order to gain
 unauthorized access to the server.
 The attack can be perfomed by an attacker eavesdropping the client/server
 communications with the ability to modify the data flow. NO TCP hijacking
 techniques are required.

 There are other security issues related to the fact that
 VNC does not provide a secure transport protocol that ensures
 confidentiality for the data transmited, those are well known and
 considered design decisions from the VNC development team.
 This advisory does not include them, the advisory addresses a
 security flaw in the design of the authentication mechanism that
 makes it unsuitable to fulfill its design goal.

Vulnerable Packages/Systems:

 VNC up to version 3.3.3 on all supported platforms.


Solution/Vendor Information/Workaround:

 It is advisable to tunnel communications between the VNC server and
 client through a cryptographycally strong end-to-end authenticated
 channel.
 References for doing so are provided in the VNC FAQ
 (http://www.uk.research.att.com/vnc/faq.html) and specifics on how to
 tunnel VNC over SSH are provided at:

  http://www.uk.research.att.com/vnc/sshvnc.html

Vendor notified on: 2001-01-15

Credits:

 This vulnerability was found by Emiliano Kargieman, Agustin Azubel
 and Maximiliano Caceres from Core SDI, http://www.core-sdi.com

 This advisory was drafted with the help of the SecurityFocus.com
 Vulnerability Help Team. For more information or assistance drafting
 advisories please mail [EMAIL PROTECTED]

 This and other CORE SDI advisories are available at:
 http://www.core-sdi.com/english/publications.html


Technical Description:

 1. Man in the middle attack against client/server authentication

  VNC authenticates communication between client and server using a
  challenge-response mechanism.
  Due to design flaws in the challenge/response mechanism it is
  possible to perfom a man in the middle attack and obtain
  unauthorized access to the VNC server.

  The client authentication mechanism is described below:

   Asumming that C (the VNC client) is trying to authenticate to
   S (the VNC server), the following protocol is used:

   - A DES key (k) is shared by both endpoints and used for the
 challenge-response.

   - 'C' connects to 'S' and both endpoints exchange software/protocol
 version information

   - 'S' generates a 16 byte challenge and sends it to 'C'

   - 'C' encrypts the received challenge with 'k' and sends the result
 ('rc') to 'S'

   - 'S' encrypt the challenge with 'k' and compares the result ('rs')
  with the response 'rc' received from the client.

   - If rc==rs access is granted to the client. Otherwise access is
 denied.

  A classical man-in-the-middle attack can be perfomed against the
  described protocol.

  Assuming that the attacker ('M') has access to the data flowing between
  client and server and is able to modify such data, an attack scenario
  THAT DOES NOT imply a TCP session hijacking attack is outlined:

  - 'M' connects to 'S' and both endpoints exchange software/protocol
 version information

  - 'S' generates a 16 byte challenge ('r1') and sends it to 'M', now
'M' has a connection established with 'S' with the authentication
 pending a response to the server.

  - 'M' waits for a connection from a legit client 'C' to 'S'

  - Upon connection from the client 'C' to the server 'S', the server
(as per the protocol design) generates a 16 byte challenge
('r2') and sends it to 'C'.

  - 'M' modifies the data traveling from 'S' to 'C' and replaces
 'r2' with 'r1'

  - 'C' receives 'r1' and encrypts it with the shared key 'k', the
 result ('r1c') is sent to the server 'S'

  - 'M' captures the response 'r1c' sent to the server 'S' and uses
it in its own pending connection.

  - 'S' receives 2 equal responses (r1c), one from 'C'

Security Update: CSSA-2001-005.0 password sniffing in kdesu

2001-01-23 Thread Caldera Support Info 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__
   Caldera Systems, Inc.  Security Advisory

Subject:password sniffing in kdesu
Advisory number:CSSA-2001-005.0
Issue date: 2001 January, 23
Cross reference:
__


1. Problem Description

   KDE2 comes with a program called kdesu that is used to run certain
   administration commands under the account of the super user (for
   instance, every time the KDE control center asks you for the root
   password, you actually talk to kdesu).

   There is a bug in kdesu that allows any user on the system to steal
   the passwords you enter at the kdesu prompt.

2. Vulnerable Versions

   System   Package
   ---
   OpenLinux eDesktop 2.4   All packages previous to
kdebase2-2.0-6 and kdelibs2-2.0-6
Note that you are not vulnerable
if you didn't install the KDE2
update.

3. Solution

   Workaround:

 There is no real workaround for this bug, and the following is _not_
 a permanent solution to the problem; this is merely a temporary
 solution until you have installed the update.

 As the super user, create directories in /tmp that have the same
 name as the socket used by kdesu:

mkdir /tmp/kdesud_UID_0

 where UID ranges over all user IDs of users on your system. Note
 that the trailing 0 is the display number, so if you run several
 X servers on your machine, you need to repeat the process for
 display 1, 2, etc.

 In order to protect just yourself, the following will do the trick:

mkdir /tmp/kdesud_`id -u`_0

   The proper solution is to upgrade to the fixed packages.

4. OpenLinux eDesktop 2.4

   5.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   5.2 Verification

   23a677755332e24db259ebce9a754e14  SRPMS/kdebase2-2.0-6.src.rpm
   083b8ddaf4f67d2d0b4146245034229b  RPMS/kdebase2-2.0-6.i386.rpm
   b759a751da20a2d6c6c296da94e1656e  RPMS/kdebase2-opengl-2.0-6.i386.rpm
   7970d51bc04e4e23e03b01f001f56780  SRPMS/kdelibs2-2.0-6.src.rpm
   20aa5f2327d8978700c22c8afce9df34  RPMS/kdelibs2-2.0-6.i386.rpm
   cfd8744b1950a9c5f5cf4ecd7adc0f3b  RPMS/kdelibs2-devel-2.0-6.i386.rpm
   c922e03e8f1024a134d2542e61afca22  RPMS/kdelibs2-devel-static-2.0-6.i386.rpm
   d394c163bda790719881fc0defc3dca9  RPMS/kdelibs2-doc-2.0-6.i386.rpm

   5.3 Installing Fixed Packages

   Upgrade the affected packages with the following commands:

  rpm -Fhv kde*2.0-6.i386.rpm

5. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 8718.

6. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

7. Acknowledgements

   Caldera Systems, Inc. wishes to thank Sebastian Krahmer (SuSE) and
   Waldo Bastian (KDE) for their assistance.

__
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6bWEY18sy83A/qfwRAt0AAKC1eQpXRqVC2d4crHFEXaYuO08EDACfek/L
XOoqPc1KETiu0+vLLy5XelU=
=UqjX
-END PGP SIGNATURE-

FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86

2001-01-23 Thread FreeBSD Security Advisories 

-BEGIN PGP SIGNED MESSAGE-

=
FreeBSD-SA-01:07   Security Advisory
FreeBSD, Inc.

Topic:  Multiple XFree86 3.3.6 vulnerabilities

Category:   ports
Module: XFree86-3.3.6, XFree86-aoutlibs
Announced:  2001-01-23
Credits:Chris Evans [EMAIL PROTECTED]
Michal Zalewski [EMAIL PROTECTED]
Affects:Ports collection prior to the correction date.
Corrected:  2000-10-24 (XFree86-3.3.6)
Vendor status:  Fixed in XFree86 4.0.1, no patches released by vendor.
FreeBSD only:   NO

I.   Background

XFree86 is a popular X server.  It exists in three versions in the
FreeBSD ports collection: 3.3.6 and 4.0.2, as well as a.out libraries
based on XFree86 3.3.3.

II.  Problem Description

The XFree86-3.3.6 port, versions prior to 3.3.6_1, has multiple
vulnerabilities that may allow local or remote users to cause a denial
of service attack against a vulnerable X server.  Additionally, local
users may be able to obtain elevated privileges under certain
circumstances.

X server DoS:
  Remote users can, by sending a malformed packet to port 6000 TCP,
  cause the victim's X server to freeze for several minutes. During
  the freeze, the mouse does not move and the screen does not update
  in any way. In addition, the keyboard is unresponsive, including
  console-switch and kill-server key combinations. Non-X processes,
  such as remote command-line logins and non-X applications, are
  unaffected by the freeze.

Xlib holes:
  Due to various coding flaws in libX11, privileged (setuid/setgid)
  programs linked against libX11 may allow local users to obtain
  elevated privileges.

libICE DoS:
  Due to inadequate bounds checking in libICE, a denial of service
  exists with any application using libICE to listen on a network port
  for network services.

The XFree86-aoutlibs port contains the XFree86 libraries from the
3.3.3 release of XFree86, in a.out format suitable for use with
applications in the legacy a.out binaryformat, most notably being the
FreeBSD native version of Netscape.  It is unknown whether Netscape is
vulnerable to the problems described in this advisory, but it believed
that the only potential vulnerability is the libICE denial-of-service
condition described above.

The XFree86 and XFree86-aoutlibs ports are not installed by default
(although XFree86 is available as an installation option in the
FreeBSD installer), nor are they "part of FreeBSD" as such: they are
part of the FreeBSD ports collection, which contains almost 4500
third-party applications in a ready-to-install format.  The ports
collections shipped with FreeBSD 3.5.1 and 4.1.1 contain these problem
since they were discovered after the releases, but the XFree86 problem
was corrected prior to the release of FreeBSD 4.2.  At the time of
advisory release, the XFree86-aoutlibs port has not been corrected.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Local or remote users may cause a denial of service attack against an
X server or certain X applications.  Local users may obtain elevated
privileges with certain X applications.

If you have not chosen to install the XFree86 3.3.6 port/package or
the XFree86-aoutlibs port/package, or you are running XFree86 4.0.1 or
later, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the XFree86-3.3.6 and XFree86-aoutlibs ports/packages, if
you you have installed them.

Note that any statically linked binaries which make use of the
vulnerable XFree86 routines may still be vulnerable to the problems
after deinstallation of the port/package.  However due to the
difficulty of developing a reliable scanning utility for such binaries
no such utility is provided.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the XFree86-3.3.6
port.

2) Deinstall the old package and install an XFree86-4.0.2 package
obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.2_5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.2_5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.2_5.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: XFree86-3.3.6 packages are no longer made available, only the
newer XFree86-4.0.2 packages.

Note also that the XFree86-aoutlibs port has not yet been fixed: there
is currently no solution to the problem other than removing the
port/package and recompiling any dependent software to use ELF
libraries, or switching to an ELF-based version of the software, if
available (e.g. the

win32/memory locking (Re: Reply to EFS note on Bugtraq)

2001-01-23 Thread Peter W 

On Mon, Jan 22, 2001 at 05:28:50PM -0800, Ryan Russell wrote:

 Due to some mail trouble, I'm manually forwarding this note.

 From:   Microsoft Security Response Center

 Subject:Re: BugTraq: EFS Win 2000 flaw

  "... it is recommended that it is always better to start by creating
 an empty encrypted folder and creating files directly in that folder.
 Doing so, ensures that plaintext bits of that file never get saved
 anywhere on the disk. It also has a better performance as EFS does
 not need to create a backup and then delete the backup, etc."

Bits _never_ get written to the disk? Guaranteed never to use swap space?

The GnuPG FAQ (http://www.gnupg.org/faq.html#q6.1) suggests that it is
not possible to make a Windows program insist on physical RAM the way a
program can in Open Systems. Does EFS really use only physical RAM? If
so, is there some win32 API that can be used by other application designers
who want to guarantee that certain blocks of allocated memory are *never*
swapped out to disk? The most likely candidate I've come across is
VirtualLock() which, unfortunately, "does not mean that the page will not be
paged to disk" (http://msdn.microsoft.com/library/techart/msdn_virtmm.htm).

Thanks,

-Peter

[SECURITY] [DSA 018-1] New version of tinyproxy released

2001-01-23 Thread debian-security-announce 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-018-1   [EMAIL PROTECTED]
http://www.debian.org/security/   Martin Schulze
January 23, 2001
- 

Package: tinyproxy
Vulnerability  : remote nobody exploit
Debian-specific: no

PkC have found a heap overflow in tinyproxy that could be remotely
exploited.  An attacker could gain a shell (user nobody) remotely.

We recommend you upgrade your tinyproxy package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- 

  Potato was released for the alpha, arm, i386, m68k, powerpc and sparc
  architectures.


  Source archives:


http://security.debian.org/dists/stable/updates/main/source/tinyproxy_1.3.1-2.diff.gz
  MD5 checksum: 747119973db206dfa681357262b92e05
http://security.debian.org/dists/stable/updates/main/source/tinyproxy_1.3.1-2.dsc
  MD5 checksum: b7566742b8d8f4ff165463b6ab7d9855

http://security.debian.org/dists/stable/updates/main/source/tinyproxy_1.3.1.orig.tar.gz
  MD5 checksum: b81229f1cb0212cb12e3bfdbaccdb820

  Intel ia32 architecture:


http://security.debian.org/dists/stable/updates/main/binary-i386/tinyproxy_1.3.1-2_i386.deb
  MD5 checksum: e542b2d9f936912d2b5d39eb2adbf39d

  Motorola 680x0 architecture:


http://security.debian.org/dists/stable/updates/main/binary-m68k/tinyproxy_1.3.1-2_m68k.deb
  MD5 checksum: e73a5a6cd23ef8a9d6e35ada4b809515

  Sun Sparc architecture:


http://security.debian.org/dists/stable/updates/main/binary-sparc/tinyproxy_1.3.1-2_sparc.deb
  MD5 checksum: 98352a16b4dae2724f89e689c4d25d0e

  Alpha architecture:


http://security.debian.org/dists/stable/updates/main/binary-alpha/tinyproxy_1.3.1-2_alpha.deb
  MD5 checksum: 1c535ecf48a66d30a19246d45de8c40a

  PowerPC architecture:


http://security.debian.org/dists/stable/updates/main/binary-powerpc/tinyproxy_1.3.1-2_powerpc.deb
  MD5 checksum: 9815f334c4954841a7025be8bde96776

  ARM architecture:


http://security.debian.org/dists/stable/updates/main/binary-arm/tinyproxy_1.3.1-2_arm.deb
  MD5 checksum: 2bb2d2793731b196aaebad9c396b3af0


  These files will be moved into
  ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- 
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6bfo+W5ql+IAeqTIRAgnEAJ445ztA5GrwpGbQCWB7ZkS6H430OACghIvN
S8NLr/T7dxpcgIP6yZAgNJk=
=bIEj
-END PGP SIGNATURE-


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

[SECURITY] [DSA-014-1] New version of splitvt released

2001-01-23 Thread debian-security-announce 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-014-1   [EMAIL PROTECTED]
http://www.debian.org/security/   Martin Schulze
January 23, 2001
- 

Package: splitvt
Vulnerability  : buffer overflow and format string attack
Debian-specific: no

It was reported recently that splitvt is vulnerable to numerous buffer
overflow attack and a format string attack.  An attacker was able to
gain access to the tty group.

We recommend you upgrade your splitvt package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- 

  Potato was released for the alpha, arm, i386, m68k, powerpc and sparc
  architectures.

  Source archives:


http://security.debian.org/dists/stable/updates/main/source/splitvt_1.6.3-7.1.diff.gz
  MD5 checksum: 158e4c37b56d09e4fb7e6d4a1eda6551
http://security.debian.org/dists/stable/updates/main/source/splitvt_1.6.3-7.1.dsc
  MD5 checksum: c7924da369529b09acf6a7234ec07c08

http://security.debian.org/dists/stable/updates/main/source/splitvt_1.6.3.orig.tar.gz
  MD5 checksum: e95e166145ec51d2a9d80aa6472f9f98

http://security.debian.org/dists/stable/updates/main/source/splitvt_1.6.5-0potato1.diff.gz
  MD5 checksum: 475d1066c013102625c79757b3615d9b

http://security.debian.org/dists/stable/updates/main/source/splitvt_1.6.5-0potato1.dsc
  MD5 checksum: dcfd3f56c5f7a3686e35a2de47614944

http://security.debian.org/dists/stable/updates/main/source/splitvt_1.6.5.orig.tar.gz
  MD5 checksum: f93974daa4f39945b3d5b9cc39bb1b0f

  Intel ia32 architecture:


http://security.debian.org/dists/stable/updates/main/binary-i386/splitvt_1.6.3-7.1_i386.deb
  MD5 checksum: d814d49f46f8108590554abc8ed79737

http://security.debian.org/dists/stable/updates/main/binary-i386/splitvt_1.6.5-0potato1_i386.deb
  MD5 checksum: ccb41228b11505bb25dc2f09830b3964

  Motorola 680x0 architecture:


http://security.debian.org/dists/stable/updates/main/binary-m68k/splitvt_1.6.5-0potato1_m68k.deb
  MD5 checksum: fae77f348ae28c89de0e51965cbafd35

  Sun Sparc architecture:


http://security.debian.org/dists/stable/updates/main/binary-sparc/splitvt_1.6.3-7.1_sparc.deb
  MD5 checksum: 4197c4e30fe5e9f48187ba8df3526c7b

http://security.debian.org/dists/stable/updates/main/binary-sparc/splitvt_1.6.5-0potato1_sparc.deb
  MD5 checksum: 7bfd098f4a8f884a63805ae13c1e9cea

  Alpha architecture:


http://security.debian.org/dists/stable/updates/main/binary-alpha/splitvt_1.6.5-0potato1_alpha.deb
  MD5 checksum: e960372181b65e167c41f36707ef48cf

  PowerPC architecture:


http://security.debian.org/dists/stable/updates/main/binary-powerpc/splitvt_1.6.5-0potato1_powerpc.deb
  MD5 checksum: d0d3b36c20b2999c7c7610a48866167e

  ARM architecture:


http://security.debian.org/dists/stable/updates/main/binary-arm/splitvt_1.6.5-0potato1_arm.deb
  MD5 checksum: 1d697bed936476ae88fd478aba112be8


  These files will be moved into
  ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- 
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6bNCrW5ql+IAeqTIRAqfqAJwMgM4s5GXEnSr98z630bk6YNhfDACfYjzj
GyZpBtaYKh+Zmku9aeYrqAs=
=g5Wy
-END PGP SIGNATURE-


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw

2001-01-23 Thread FreeBSD Security Advisories 

-BEGIN PGP SIGNED MESSAGE-

=
FreeBSD-SA-01:08   Security Advisory
FreeBSD, Inc.

Topic:  ipfw/ip6fw allows bypassing of 'established' keyword

Category:   core
Module: kernel
Announced:  2001-01-23
Credits:Aragon Gouveia [EMAIL PROTECTED]
Affects:FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
FreeBSD 3.5-STABLE and 4.2-STABLE prior to the
correction date.
Corrected:  2001-01-09 (FreeBSD 4.2-STABLE)
2001-01-12 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

I.   Background

ipfw is a system facility which allows IP packet filtering,
redirecting, and traffic accounting.  ip6fw is the corresponding
utility for IPv6 networks, included in FreeBSD 4.0 and above.  It is
based on an old version of ipfw and does not contain as many features.

II.  Problem Description

Due to overloading of the TCP reserved flags field, ipfw and ip6fw
incorrectly treat all TCP packets with the ECE flag set as being part
of an established TCP connection, which will therefore match a
corresponding ipfw rule containing the 'established' qualifier, even
if the packet is not part of an established connection.

The ECE flag is not believed to be in common use on the Internet at
present, but is part of an experimental extension to TCP for
congestion notification.  At least one other major operating system
will emit TCP packets with the ECE flag set under certain operating
conditions.

Only systems which have enabled ipfw or ip6fw and use a ruleset
containing TCP rules which make use of the 'established' qualifier,
such as "allow tcp from any to any established", are vulnerable.  The
exact impact of the vulnerability on such systems is undetermined and
depends on the exact ruleset in use.

All released versions of FreeBSD prior to the correction date
including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable, but it was
corrected prior to the (future) release of FreeBSD 4.3.

III. Impact

Remote attackers who construct TCP packets with the ECE flag set may
bypass certain ipfw rules, allowing them to potentially circumvent
the firewall.

IV.  Workaround

Because the vulnerability only affects 'established' rules and ECE-
flagged TCP packets, this vulnerability can be removed by adjusting
the system's rulesets.  In general, it is possible to express most
'established' rules in terms of a general TCP rule (with no TCP flag
qualifications) and a 'setup' rule, but may require some restructuring
and renumbering of the ruleset.

V.   Solution

One of the following:

1) Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE, or
or 4.2-STABLE after the correction date.

2) Patch your present system by downloading the relevant patch from the
below location:

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch.asc

[FreeBSD 3.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-3.x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-3.x.patch.asc

Verify the detached PGP signature using your PGP utility.

Execute the following commands as root:

# cd /usr/src
# patch -p  /path/to/patch
# cp /usr/src/sys/netinet/tcp.h /usr/src/sys/netinet/ip_fw.h /usr/include/netinet/
# cd /usr/src/sbin/ipfw
# make depend  make all install
# cd /usr/src/sys/modules/ipfw
# make depend  make all install

For 4.x systems, perform the following additional steps:

# cp /usr/src/sys/netinet6/ip6_fw.h /usr/include/netinet6/
# cd /usr/src/sbin/ip6fw
# make depend  make all install
# cd /usr/src/sys/modules/ip6fw
# make depend  make all install

NOTE: The ip6fw patches have not yet been tested but are believed to
be correct.  The ip6fw software is not currently maintained and may be
removed in a future release.

If the system is using the ipfw or ip6fw kernel modules (see
kldstat(8)), the module may be unloaded and the corrected module
loaded into the kernel using kldload(8)/kldunload(8).  This will
require that the firewall rules be reloaded, usually be executing the
/etc/rc.firewall script.  Because the loading of the ipfw or ip6fw
module will result in the system denying all packets by default, this
should only be attempted when accessing the system via console or by
careful use of a command such as:

# kldload ipfw  sh /etc/rc.firewall

which performs both operations sequentially.

Otherwise, if the system has ipfw or ip6fw compiled into the kernel,
the kernel will also have to be recompiled and installed, and the
system will have to be rebooted for the changes to take effect.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

Re: BugTraq: EFS Win 2000 flaw

2001-01-23 Thread Timothy J. Miller 

Dan Kaminsky [EMAIL PROTECTED] writes:

  That means no
 decryption keys ever get written, no passwords get saved, and most
 importantly, *no plaintext data gets stored, not even "temporarily"*.

Interestingly, when a system hibernates everything in memory goes to
disk (into the hiber file or partition)-- and this includes the
sensitive data that the LSA holds that is not normally swapped out:
keypairs, kerberos tickets and encrypted files.

Make The Netopia R9100 Router To Crash

2001-01-23 Thread Julien Henry 

This post will be short because it does not need a lot 
of explanation. This is in a really specific case.

If you have the password of the router and if you are 
logged to it you will not be able to delete all the traces.
The router logs the connection and the disconnection 
of telnet sessions. If you want to delete the 
connection from the logs you just have to delete 
them. But if you want to delete the disconnection log 
you can't. 

The only way to do that is to make it crash. Just use 
the telnet program which is inside the router. Try to 
make a connection from the IP of the router to the IP 
of the router. It will crash it, as a consequence, you 
will NOT be logged ! In the log you only see things like 
that : 

01/24/01 01:01:15 --BOOT: Warm start v4.6 
01/24/01 01:01:10 * EXCEPTION: A6: 12F6890, A7: 
12F67DC
01/24/01 01:01:10 * EXCEPTION: A4: 0, A5: 124B474
01/24/01 01:01:10 * EXCEPTION: A2: 125F9AC, A3: 0
01/24/01 01:01:10 * EXCEPTION: A0: 125F9D8, A1: 0
01/24/01 01:01:10 * EXCEPTION: D6: 0, D7: 
C1FB0028
01/24/01 01:01:10 * EXCEPTION: D4: 0, D5: 0
01/24/01 01:01:10 * EXCEPTION: D2: 0, D3: 0
01/24/01 01:01:10 * EXCEPTION: D0: 0, D1: 6
01/24/01 01:01:10 * EXCEPTION: BERR SF 
SP+$10: 10845AE, SP+$14: E0045
01/24/01 01:01:10 * EXCEPTION: BERR SF 
SP+$08: 83A, SP+$0C: F9AC
01/24/01 01:01:10 * EXCEPTION: PC: 10845AE, SR: 
2004, F/V: C008