Copy Link
Add to Bookmark
Report
Phrack Inc. Volume 07 Issue 50 File 03
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
3 of 16
// // /\ // ====
// // //\\ // ====
==== // // \\/ ====
/\ // // \\ // /=== ====
//\\ // // // // \=\ ====
// \\/ \\ // // ===/ ====
------------------------------------------------------------------------------
----<>----
=--=--=--=--=--=--=--=
Portable BBS Hacking
by: Khelbin
=--=--=--=--=--=--=--=
This hack basically has little to do with the BBS software itself but
with the archiver which is being used. I've used this technique on a
mock Renegade setup and with pkzip/pkunzip as the archiver. I'm sure
that this same type of technique will be successful on many other BBS
platforms and with other archivers as well. While explaining this, I will
use Renegade and pkzip/pkunzip as my example.
A Renegade setup is most likely vulnerable if it will pkunzip any user
supplied zipfile. This is because Renegade's default command to unzip files
is "pkunzip -do <filename>". The -d flag unzips the file retaining any
directories which were included into the zip file and the -o flag will
automatically overwrite any file.
Suppose the remote system is also setup in a normal Renegade fashion.
Let's use this file tree as an example:
C:\RENEGADE\
C:\RENEGADE\TEMP\
C:\RENEGADE\DATA\
The other subdirectories are unimportant for our discussion. Suppose
that C:\TEMP is where our uploaded file will go for it to be unzipped and
then scanned for viruses. C:\RENEGADE\DATA\ is where the USERS.DAT file
is stored, containing all the users login information.
Wouldn't it be nice if we could put our own USERS.DAT in there instead?
To do this, you must first generate a USERS.DAT file. This is easy enough.
Just download a copy of Renegade which is the same version as the target
machine and then use the user editor to make a "SYSOP" account with the
password "SYSOP" (this should be the default anyway on the USERS.DAT file).
Here's how we prepare the zipfile on our own machine:
C:\>md tmp
C:\>md c:\tmp\ddsdata
C:\>copy c:\renegade\data\users.dat c:\tmp\ddsdata
C:\>cd tmp
C:\TMP>pkzip -pr evil.zip
Now we get out our trusty hex editor and edit evil.zip. Change every
occurrence of "ddsdata" in evil.zip to read "../data" and make sure that the
slash is a forward-slash and not a back-slash. Now when you upload
evil.zip to this particular BBS, it will expand to "../data/users.dat"
and your USERS.DAT file will overwrite their USERS.DAT file since the -od
flag is default on Renegade.
Now you can login as SYSOP with a password SYSOP and do as you please.
You could also overwrite virtually any file on a BBS like this and believe
me, many do have this vulnerability or something very close to it. You are
only limited in how much you can traverse up and down directories by DOS's
maximum file length of 12 (8 plus "." plus 3 = 12). I quickly tried
inserting a few blocks into the zipfile in order to produce a limitless
amount of traversing which but it seemed to corrupt the file for some
reason.
Removing the -o flag is not a fix for this bug. Without the -o flag,
you can "hang" the system in a denial of service attack. By again hex
editing the names of the files within your evil.zip, you can make it have
two files with the same name. When it tries to unzip the second file, it
will prompt locally whether to overwrite the file or not and "hang" the
board. Instead, the -d flag is what should be removed.
This is just an example as I'm sure many other BBS systems do this same
type of uncompressing. I'd also bet that arj, lha, and several others, can
also be hex edited and yield similar results. Either way, it's either take
out the "restore/create directories within archive" option or pay the price.
----<>----
German Hacker "Luzifer" convicted by SevenUp / sec@sec.de
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SYNOPSIS
========
On February 5th, 1997, Wilfried Hafner aka "Luzifer" was sentenced to
three years incarceration - no parole, no probation. I've got the story
for you right from the courtroom in Munich, Germany. This is one of the
first ever cases in which a hacker in Germany actually gets convicted, so
it's particularly interesting. (Although the court and I use the term
"hacking", this is actually a case of unethical electronic fraud.)
LUZIFER
=======
Wilfried Hafner (Luzifer) was born on April 6, 1972, in Breschau Italy.
According to his own circulum vitae, which he quoted in court himself,
he's been a pretty smart guy: He started programming at 8 years,and cracked
about 600 Commodore programs, at 14, got a modem and then started a BBS.
In 1990 he was blueboxing to some overseas partylines to communicate with
others. But he didn't seem to use any other "elite" chat systems like x.25
or IRC, so most people (including myself) didn't know him that well. In
1992 he moved to South Germany to goto school.
WHAT HE DID
===========
Luzifer set up some overseas partylines in the Dominican Republic,
Indonesia, The Philippines, and Israel. Some lines included live chat,
but most were just sex recordings. Then he used a local company PBX (a
Siemens Hicom 200 model), from his homeline, which was only "protected"
by a one digit code, to dialout to his partylines and his girlfriend in
Chile. He also was blueboxing (which the prosecution calls "C5-hacking")
from five lines simultaneously, mostly via China. To trick the partyline
provider and overseas telcos (who are aware of computer-generated calls)
he wrote a little program that would randomize aspects of the calls
(different calling intervals and different durations for the calls).
He got arrested the first time on 03/29/95, but was released again after
13 days. Unfortunately he restarted the phreaking right away. If he'd
had stopped then, he would just have gotten 1 year probation. However, he
was arrested again in January 1996, and has been in prison since.
Here are some numbers (shouts to Harper(tm)'s Index):
- Number of logged single phone connections: 18393
- Profit he makes for 1 min. partyline calls: US$ 0.35 - 0.50
- Total Damage (= lost profit of telco): US$ 1.15 Million
- Money that Luzifer got from the partylines: US$ 254,000
- Paragraph in German Law that covers this fraud: 263a StG
- Duration of all calls, if made sequentially: 140 days
THE TRIAL
=========
This trial was far less spectacular than OJ's. While 7 days had been
scheduled, the trial was over after the second day. The first day went
quite quick: The court didn't have enough judges available (two were present,
but three required), so it had to be postponed after some minutes.
At the second day, both, the prosecution and Luzifers two lawyers, made
a deal and plead guilty for three years prison (but no financial punitive).
In Germany, all sentences over two years cannot be carried out on probation.
But he has been allowed the use of a notebook computer. Rumor has it that
he might be get an "open" execution, meaning that he has to sleep in the
prison at night, but can work or study during the day.
The deal looked like the prosecution dropped all counts (including
the one abusing the PBX in the first place) but two: one for the blueboxing
before getting arrested, and one count for blueboxing afterwards. They don't
treat all 18393 connections as a separate count, but just each start of the
"auto-call-program".
QUOTES
======
Here are some interesting and funny quotes from the trial:
"Just for fun and technical curiosity" - Defendant
"Wouldn't one line be enough for technical experience"? - Judge
"I ordered 21 lines, but just got 5" - Defendant
"Lots of criminal energy" - Prosecutor
"He's obsessed and primarily competing with other hackers" - Lawyer
"A generation of run down computer kids" - Prosecutor
"He may keep the touchtone dialer, but we cannot return his laser fax,
because the company's PBX number is stored in its speedial" - Prosecutor
"Myself and the Telekom have learned a lot" - Prosecutor
"New cables must be installed, new satelites have to be shot into the air"
- Prosecutor about the consequences of used up trunks and intl. lines
"The German Telekom is distributing pornography with big profits" - Lawyer
----<>----
Yet another Lin(s)ux bug!
By: Xarthon
IP_MASQ is a commonly used new method of traffic forwarding which
may be enabled in newer Linux kernel versions. I have been doing some
research into this new feature.
IP_MASQ fails to check to make sure that a packet is in the non
routable range. If you are able to get any packet to its destination, the
header of that packet is rewritten.
Because of the lack of non-routable ip checking, the same tactics
that would be used a gateway machine, may also be used on a machine that
uses ip_masq.
So in conclusion, you are able to spoof as if you are on the
inside network, from the outside. But hey, what can you expect from
Linux?
----<>----
11.22.96
daemon9 and w0zz's adventure into warez-pup land...
*W|ZaRD* u there?
-> *W|ZaRD* yes?
<w0zz> d9
<d9> hi w0zz
*W|ZaRD* r u the prez of BREED?
*** |COBRA| invites you to channel #supreme
<d9> I am hungry
-> *W|ZaRD* yup
*_e|f_* hi there - you got a minute?
*W|ZaRD* alright.. i got a question for u...
*** d9 (plugHead@onyx.infonexus.com) has joined channel #supreme
*** Topic for #supreme: [SpR] Still in discussion phase! [SpR]
*** #supreme _e|f_ 848703589
*** Users on #supreme: d9 @{Imagine} @BL|ZZaRD @W|ZaRD @|COBRA| @_e|f_
<_e|f_> re d9
*** Mode change "+o d9" on channel #supreme by _e|f_
<|COBRA|> today is going to be a bad day :(
*W|ZaRD* would you be interested in merging with like 4-6 other groups to become 1 group.??
*W|ZaRD* i mean. all the other groups have like 11 sitez and 8-10 suppliers like NGP
*W|ZaRD* and if we merge we could be up there with Prestige, and Razor
<_e|f_:#supreme> hello d9
<d9> *W|ZaRD* i mean. all the other groups have like 11 sitez and 8-10 suppliers like NGP
-> *W|ZaRD* hmm
*** Inviting w0zz to channel #supreme
<_e|f_> we got a discussion going on here for big plans for a lot of us "smaller" groups (smaller as
compared to razor, prestige etc) :)
<d9> ah
*** Mystic12 (NONE@wheat-53.nb.net) has joined channel #supreme
<_e|f_> this is all still in discussion stages
<w0zz:#!r00t> hahahaha
*** Mode change "+o Mystic12" on channel #supreme by W|ZaRD
<_e|f_:#supreme> but would you be interested in a joint venture between a few of us smaller release groups
to combine into one large release group - to challenge razor and prestige?
<d9> w0zz
<w0zz> you've been sucked into warez kiddie conspiracies
<d9> join me
<w0zz:#!r00t> where are you?
*** Inviting w0zz to channel #supreme
*** w0zz (wozz@big.wookie.net) has joined channel #supreme
<d9> well...
*** Mode change "+o w0zz" on channel #supreme by d9
<w0zz> werd
<_e|f_> re wozz
<d9> hi w0zz
<w0zz> hi there
<_e|f_> i can send u a log to flesh out a few more details if you like
<w0zz> i've got mackin' warez
<d9> hmm
<d9> sure
*w0zz* you recording this for line noise ?
*w0zz* ;)
-> *w0zz* indeed...;)
*w0zz* heh
<d9> the thing is, I have all this porn I want to unload...
<w0zz> yah, i got da mackin porn too
<d9> but, no good place to distro it...
*** ^DRiFTeR^ (~Drifter@203.30.237.48) has joined channel #supreme
*** Mode change "+o ^DRiFTeR^" on channel #supreme by _e|f_
<_e|f_> hey drifter
<d9> I was using this panix account, but all that SYN flooding stopped that cold...
<_e|f_> drifter is muh vp :)
<RAgent:#!r00t> do you even know what BREED is, route?
<d9> warez pups?
<_e|f_:#supreme> drifter: d9 and wozz are from breed
<_e|f_:#supreme> blizzard and wizard are from NGP
<^DRiFTeR^:#supreme> k
<d9:#!r00t> HAHAHAhahahaha
<Mystic12:#supreme> I am also from NGP
*** Signoff: Mystic12 (Leaving)
<W|ZaRD:#supreme> so is Mystic12
<RAgent:#!r00t> well, looks like it. just wondered if you knew them at all
<d9> w0zz... you get the new shit I send you?
*** Mystic12 (NONE@wheat-53.nb.net) has joined channel #supreme
<w0zz:#supreme> yah
<_e|f_:#supreme> sorry mystic - didnt see yew there
<d9:#!r00t> nope!
*** Mode change "+o Mystic12" on channel #supreme by W|ZaRD
<w0zz> indexed and everything
<RAgent:#!r00t> hahaha
<w0zz> i spanked my monkey for hours
<RAgent:#!r00t> whee
<d9> werd.
<d9:#!r00t> AAAAAHAHAHahahhahaha WOZZ!
<_e|f_> brb
<d9> hmm
#supreme Mystic12 H@ NONE@wheat-53.nb.net (CCINC)
#supreme ^DRiFTeR^ H@ ~Drifter@203.30.237.48 (ReaLMS oF Da NiTe - HrD)
#supreme w0zz H@ wozz@big.wookie.net (w0zz)
#supreme d9 H@ plugHead@onyx.infonexus.com (Built Demon Tough)
#supreme {Imagine} H@ BOB@199.190.110.99 (.:tORn f#E?h:. v1.45 by SLaG)
#supreme BL|ZZaRD H@ blizzard@ip222.tol.primenet.com (hehe)
#supreme W|ZaRD H@ m3ntal@ip201.tol.primenet.com (M3NTaL)
#supreme |COBRA| H@ cobra@slbri3p24.ozemail.com.au (100% ReVpOwEr)
#supreme _e|f_ H@ _e|f_@203.26.197.12 (blah)
<w0zz:#!r00t> werd
*** Mode change "-ooo _e|f_ |COBRA| W|ZaRD" on channel #supreme by d9
*** Mode change "-ooo BL|ZZaRD w0zz ^DRiFTeR^" on channel #supreme by d9
*** Mode change "-o Mystic12" on channel #supreme by d9
<W|ZaRD> hehe
*** Mode change "+o w0zz" on channel #supreme by d9
<_e|f_> sigh
<W|ZaRD> what would the new group name be.. if this happened?
<d9> the new name?
<W|ZaRD> hmm. nice takeover
<W|ZaRD> hehe
<w0zz> werd
<d9> w0zz, what do you think?
<W|ZaRD> new group name
<_e|f_> d9: ops plz
<d9> r00t? guild?
<d9> wait
<_e|f_> this is only a temp channel neway d9
<W|ZaRD> guild wuz already used
<d9> those are taken...
<_e|f_> so its a waste to do a takeover
<w0zz> i like r00t
<w0zz> oh
<w0zz> yeah
<w0zz> those guys are eleet
<d9> yah
<d9> I hear r00t has this 10 year old that can break into .mil sites...
*** d9 is now known as daemon9
<w0zz> duod, he's like D.A.R.Y.L.
<W|ZaRD> hehe
<daemon9> yah..
<_e|f_> d9: i take it by this yew aint interested?
<_e|f_> :\
<daemon9> anyway, bak to pr0n.
<W|ZaRD> anywayz.. op me d00d
<w0zz> me too
<w0zz> must have m0re pr0n
*** Mode change "+m" on channel #supreme by daemon9
<daemon9> yes
*** w0zz has left channel #supreme
<daemon9> more pr0n
<w0zz:#!r00t> werd
<w0zz:#!r00t> that rooled
<daemon9> mega-pr0n
<W|ZaRD> porn
<W|ZaRD> hehe
<daemon9> kiddie-pr0n
<W|ZaRD> op me plz
<daemon9> wizard, you are fine the way you are.
*** w0zz is now known as [w0zzz]
*** daemon9 has left channel #supreme
*** daemon9 is now known as r0ute
<r0ute> hahaha
<[w0zzz]> heh
<r0ute> that was fun.
<r0ute> good way to wake up from a nap
----<>----
Large Packet Attacks
(AKA Ping of Death)
---------------------------------
[ Introduction ]
Recently, the Internet has seen a large surge in denial of service
attacks. A denial of service attack in this case is simply an action of some
kind that prevents the normal functionality of the network. It denies service.
This trend began a few months back with TCP SYN flooding and continues with the
"large packet attack". In comparison with SYN flooding, the large packet attack
is a much more simple attack in both concept (explained below) and execution
(the attack can be carried out by anyone with access to a Windows 95 machine).
TCP SYN flooding is more complex in nature and does not exploit a flaw so much
as it exploits an implementation weakness.
The large packet attack is also much more devastating then TCP SYN
flooding. It can quite simply cause a machine to crash, whereas SYN flooding
may just deny access to mail or web services of a machine for the duration of
the attack. For more information on TCP SYN flooding see Phrack 49, article 13.
(NOTE: The large packet attack is somewhat misleadingly referred to as 'Ping of
Death` because it is often delivered as a ping packet. Ping is a program that
is used to test a machine for reachablity to see if it alive and accepting
network requests. Ping also happens to be a convenient way of sending the
large packet over to the target.)
The large packet attack has caused no end of problems to countless
machines across the Internet. Since its discovery, *dozens* of operating
system kernels have been found vulnerable, along with many routers, terminal
servers, X-terminals, printers, etc. Anything with a TCP/IP stack is in fact,
potentially vulnerable. The effects of the attack range from mild to
devastating. Some vulnerable machines will hang for a relatively short period
time then recover, some hang indefinitely, others dump core (writing a huge
file of current memory contents, often followed by a crash), some lose
all network connectivity, many rebooted or simply gave up the ghost.
[ Relevant IP Basics ]
Contrary to popular belief, the problem has nothing to do with the
`ping` program. The problem lies in the IP module. More specifically,
the problem lies the in the fragmentation/reassembly portion of the IP module.
This is portion of the IP protocol where the packets are broken into smaller
pieces for transit, and also where they are reassembled for processing. An IP
packet has a maximum size constrained by a 16-bit header field (a header is a
portion of a packet that contains information about the packet, including
where it came from and where it is going). The maximum size of an IP packet
is 65,535 (2^16-1) bytes. The IP header itself is usually 20 bytes so this
leaves us with 65,515 bytes to stuff our data into. The underlying link layer
(the link layer is the network logically under IP, often ethernet) can seldom
handle packets this large (ethernet for example, can only handle packets up to
1500 bytes in size). So, in order for the link layer to be able to digest a
large packet, the IP module must fragment (break down into smaller pieces)
each packet it sends to down to the link layer for transmission on the network.
Each individual fragment is a portion of the original packet, with its own
header containing information on exactly how the receiving end should put it
back together. This putting the individual packets back together is called
reassembly. When the receiving end has all of the fragments, it reassembles
them into the original IP packet, and then processes it.
[ The attack ]
The large packet attack is quite simple in concept. A malicious user
constructs a large packet and sends it off. If the destination host is
vulnerable, something bad happens (see above). The problem lies in the
reassembly of these large packets. Recall that we have 65,515 bytes of space
in which to stuff data into. As it happens, a few misbehaved applications
(and some specially crafted evil ones) will allow one to place slightly more
data into the payload (say 65,520 bytes). This, along with a 20 byte IP
header, violates the maximum packet size of 65,535 bytes. The IP module will
then simply break this oversized packet into fragments and eschew them to
their intended destination (target). The receiving host will queue all of the
fragments until the last one arrives, then begin the process of reassembly.
The problem will surface when the IP module finds that the packet is in
fact larger than the maximum allowable size as an internal buffer is
overflowed. This is where something bad happens (see above).
[ Vulnerability Testing and Patching ]
Testing to see if a network device is vulnerable is quite easy.
Windows NT and Windows 95 will allow construction of these oversized
packets without complaining. Simply type: `ping -l 65508 targethost`. In
this case, we are delivering an oversized IP packet inside of a ping packet,
which has a header size of 8 bytes. If you add up the totals, 20 bytes of IP
header + 8 bytes of ping header + 65,508 bytes of data, you get a 65,536 byte
IP packet. This is enough to cause affected systems to have problems.
Defense is preventative. The only way to really be safe from this
attack is to either ensure your system is patched, or unplug its network tap.
There are patches available for just about every vulnerable system. For
a copious list of vulnerable systems and patches, check out a 'Ping of Death'
webpage near you.
daemon9
Editor, Phrack Magazine
(daemon9@netcom.com)
---------------------------------------------------------------------------
To: route@onyx.infonexus.com
From: xxxx xxxxxxxxxxx <xxxx@xxxxxxxxxx.com>
Subject: Re: ?
Status: RO
Actually, hang on. I've looked your story up and down looking for ways to
make it more interesting and I can't. I think it's actually just too
technical for us and lacks a newsworthiness that was evident in the SYN
article. I mean, you never tell us why we should care about this, and
frankly, I don't know why we should. So, you're welcome to take another
pass at it, otherwise, I'll give you the kill fee of $100.
xxxx
[ Too techinical? Any less techincal and I would have to make everything
rhyme so people wouldn't fall asleep. ]
---------------------------------------------------------------------------
----<>----
Netware Insecurities
Tonto
[the rant]
I realize that to most security professionals and
system administrators who will see this magazine,
the term "NetWare security" is a punchline. That
unfortunately does not change the fact that many
people in the field, myself included, must deal
with it daily. Really, honestly, I do agree with
you. Please don't write me to tell me about how
futile it is. I already know.
Since its release, not much security news has really
surfaced surrounding Novell NetWare 4. A lot of the
security flaws that were present in 3.1x were 'fixed'
in 4.x since Novell pretty much redesigned the way
the user/resource database worked, was referenced,
and stored. Some flaws remained, although fixes for
them are well-known, and easily applied. However,
NetWare 4 came with its own batch of new security
flaws, and Novell has done a poor job of addressing
them, hoping that consumer-end ignorance and the
client/server software's proprietary design will hide
these holes. You'd figure they would know better by
now.
The ability to use a packet sniffer to snag RCONSOLE
passwords still exists; NetWare 4 institutes client-end
authentication to implement its auto-reconnect feature;
the list goes on. Below are just a couple of examples
of such bugs and how to deal with them. As new Novell
products bring many existing LANs out onto the Internet,
I think you will see more of this sort of thing coming
to the surface. I hope that when it does, Novell decides
to take a more responsible role in security support for
its products. I'd hate for such a widely used product
to become the next HP/UX.
[the exploits]
[BUG #1]
This bug is known to affect NetWare 4.10. It's probably present in 4.01
and other versions that support Directory Services, but I haven't
verified this. I'm only a CNA, so I tried to verify this bug by talking
to a group of CNEs and nobody had heard of this, although there are
apparently other bugs in previous versions of LOGIN.EXE.
The bug is a combination of some weak code in LOGIN-4.12
(SYS:\LOGIN\LOGIN.EXE) and a default User object in NDS - the user template
USER_TEMPLATE. LOGIN allows input fields to be passed directly, instead
of filtered, if they are passed to LOGIN correctly -- by specifying an
object's context explicitly (as opposed to implicitly by using CX) and
putting the User object's name in quotes.
F:\PUBLIC>LOGIN SVR1/"USER_TEMPLATE"
For Server object SVR1 in an appropriate context, this would probably work
and give a generic level of user access, perhaps to other volumes,
programs, etc. That will vary depending on the setup of the server.
The fix is simple. Load SYS:\PUBLIC\NWADMIN.EXE and disable the user
template's login. But from now on, you will have to manually enable
login for any new User objects created in your tree.
[BUG #2]
This isn't a bug as much as a failed attempt to add security to a DOS file
system. But since Novell touts (and teaches) it as a file system security
tool, it is worth addressing.
NetWare comes with a tool called FLAG, which is supposed to be the NetWare
equivalent of UNIX's chmod(), in that it controls file attributes for files
on local and NetWare file systems. The problem lies in that Novell
thought it would be neat to incorporate its tool into the world of DOS file
attributes as well. So they made FLAG alter DOS file attributes
automatically to correspond with the new attributes installed by FLAG.
This would've been cool, except that DOS's ATTRIB.EXE can also be used to
change the DOS-supported file attributes set by FLAG. (Archive, Read-only,
Hidden, and System, respectively) And since ATTRIB doesn't reference NDS
in any way, the problem is obvious; A file that was marked Read-only by
its owner, using FLAG, could be compromised by a user other than its owner,
with ATTRIB, and then altered or deleted.
There isn't an easy fix for something that is this broken, so it is
simply recommended that you use IRFs (carefully) to designate file rights
on your server.
[ 01-07-97 - Tont0 ]
----<>----
EOF