GSecur
Apr 14 2004, 05:37 PM
GSO would like to start a newsletter/zine (all depends on how much material we get). So if you want to submit a paper to be included in issue #1, please send me a plain text file with the subject "Zine" to admin@governmentsecurity.org. Topics we would like covered:
- System Hardening
- Exploit Tutorials
- Exploit Development
- Your own tool or code releases
- Security Tool Review
- Political Articles on Legislature affecting the security community
What I also need is someone that can do an ASCII art logo for GSO. PM GSecur if you can do it. The deadline is April 30th.
liquidSilver
Apr 14 2004, 05:48 PM
Sounds like a great idea! Awesome - About the ASCII thingie - I might know some cool guys who can make something, I'll write them an email!
liquidSilver
Apr 14 2004, 07:08 PM
The ASCII art has been made, just needs a little tweak, and it works perfectly - also a thanks to t0bban for helping me!
easternerd
Apr 14 2004, 08:41 PM
that would be a really cool feature.. everyone can make a combined effort to make this a success. looking forward to the first article. hope to chip in with something soon.
GSecur
Apr 14 2004, 09:00 PM
definitely chip in, we need stuff or the project will die
GSecur
Apr 14 2004, 09:01 PM
Contributors so far: mSMittens - CISSP Notes: Security Models: Access Control Models
Tyrano
Apr 14 2004, 09:34 PM
have you thought about making it in pdf format? so there can be pictures and such
GSecur
Apr 14 2004, 09:56 PM
That could be an idea, but it might make editing a pain.
tweakz20
Apr 14 2004, 10:03 PM
great idea!
it would be cool if you would offer something in return (if not very many things come back)... like 2600 gives you a shirt i think if they accept your article (don't expect you to do that, but it's just a thought)
if i think of something for it, i'll send it to you (don't expect anything soon though.. school ruins my 'social' life)
btw, you spelled professionals wrong^
packet
Apr 14 2004, 10:19 PM
I'll try to get "A Review of the Foundstone Enterprise Vulnerability Manager" written up...
Actually a very cool product.
--P>G>>
Gotisch
Apr 14 2004, 11:58 PM
are articles about the basics desired too ?
dissolutions
Apr 15 2004, 12:48 AM
Articles about the basics are desired as well, but refrain from "hacking for stros" etc. It'd be much more appreciated if you could write something up about the basics of VoIP or TCP/IP.
qod
Apr 15 2004, 01:52 AM
that would be a great addition to the site, i will see if i have time to write something up.
nuorder
Apr 15 2004, 05:37 AM
lookin good so far
Yorn
Apr 15 2004, 08:45 PM
QUOTE: The so called "black hats" do most of the contributing around here.
Awww gee, so I suppose we aren't allowed to contribute to the call for papers, either, eh?
Naw, I'm not a black hat, but one of the issues I was going to talk about was the mshta methods for installing a file and how a dedicated hacker would bypass generic virus scanners to do so.
For example, within 5 minutes of the release of any IE exploit, I can create a POC (proof-of-concept) that will download and execute an exe that opens your CD-ROM tray.
Well, for the most part, anyway. A lot of the time I will delay releasing a POC on these forums because I'm worried that a "script-kiddie" will use it. The reality is, administrators need to know in order to adapt their web scan engines for their AV, IDS, or other software so they can catch hostile web applications.
But there is an even easier way to handle it. It involves deleting mshta or doing ONE registry edit that will prevent a visual basic script from running. For example, just the other day I released information on how to disable the Windows Firewall in XP service pack 2. It was a simple batch file. It's ridiculous that Microsoft makes it *that* easy to disable stuff as important as a firewall.
Anyway, I gotta stop ranting. Just name a subject and I'll write up something on it by April 30th.
GSecur
Apr 16 2004, 01:44 AM
We have had a great response from members! A number of articles have been sent so keep up the good work.
I will start posting up article titles and authors that have submitted.
BUT WE STILL NEED MORE! So tell your friends, contributors outside of GSO are all welcome!
Killaloop
Apr 16 2004, 08:01 AM
QUOTE (Yorn @ Apr 15 2004, 08:45 PM): [Yorn's post above, quoted in full]
don't talk about that method or I'm jobless. the mshta method is nothing for a scriptkiddie's hands.. it's too easy to use and still far too powerful even if it's already been around for years. microsoft failed to do something here, but for administrators it for sure would be good to know... comparing the amount of scriptkids to admins on this board I would say don't provide a step by step way of how to use it. the security aspect would be of more interest: how it works, why it works, how to prevent it.. etc. but what am I talking about... you know exactly how you have to write it so no one has to be scared of some scriptkid. however, I talk too much it looks like... should write an article about "How to get a real life"
Charlievarley
Apr 16 2004, 10:51 AM
A few I found worth covering
Buffer Overflow in ISO9660 File System Component of Linux Kernel
CODE: www.idefense.com/application/poi/display?id=101&type=vulnerabilities
April 14, 2004
I. BACKGROUND
Linux is a free Unix-type operating system originally created by Linus Torvalds with the assistance of developers around the world. The 'isofs' component of the Linux kernel mediates file system interactions with ISO-9660 format CD-ROMs.
II. DESCRIPTION
The Linux kernel performs no length checking on symbolic links stored on an ISO9660 file system, allowing a malformed CD to perform an arbitrary length overflow in kernel memory.
Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge' extension to the standard format. The vulnerability can be triggered by performing a directory listing on a maliciously constructed ISO file system, or attempting to access a file via a malformed symlink on such a file system. Many distributions allow local users to mount CDs, which makes them potentially vulnerable to local elevation attacks.
The relevant functions are as follows:
fs/isofs/rock.c: rock_ridge_symlink_readpage()
fs/isofs/rock.c: get_symlink_chunk()
There is no checking that the total length of the symlink being read is less than the memory space that has been allocated for storing it. By supplying many CE (continuation) records, each with another SL (symlink) chunk, it is possible for an attacker to build an arbitrary length data structure in kernel memory space.
A proof of concept exploit has been written that allows a local user to gain root level access. It is also possible to cause execution of code with kernel privileges.
III. ANALYSIS
In order to exploit this vulnerability, an attacker must be able to mount a maliciously constructed file system. This may be accomplished by the following:
a. Having an account on the machine to be compromised and inserting a malformed disk. Some distributions allow local users to mount removable media without needing to be root and with some configurations. This happens automatically when a disk is inserted. The proof of concept exploit works from floppy disk as well as CD-ROM.
If the attacker can reboot the machine from his or her own media or supply command line options to the kernel during the initialization process after rebooting, exploiting this vulnerability may not be necessary to gain further access. In this situation, the attacker will not be able to directly access any encrypted file systems.
b. If encrypted virtual file systems are implemented, and the attacker gains access to an account able to mount one, then an attacker may be able to mount his or her own maliciously formed file system via the encryption interface. This would allow them access to any already mounted file systems.
c. Being root already. If the attacker has already gained root, but the kernel has some form of patch preventing root being able to perform certain functions, he or she may still be able to mount a file system. As the vulnerability occurs in kernel space, it may be possible for them to neutralize the restrictions.
IV. DETECTION
The issue affects the 2.4.x, 2.5.x and 2.6.x kernel. Other kernel implementations may also be vulnerable.
V. WORKAROUNDS
Disable user mounting of removable media devices.
VI. VENDOR RESPONSE
Affected vendors have provided the following comments/patches:
Slackware
"Slackware will be waiting for a new upstream kernel version that will address this issue. None of our existing releases allow a non-root user to mount a CD-ROM, and the exploit requires physical access to the machine."
SUSE
"SUSE Security have published a SUSE Security Announcement at http://www.suse.de/security/ and update packages that fix the vulnerability. The update packages are available for download at ftp://ftp.suse.com/pub/suse/i386/update//rpm/i586/, but we encourage our users to make use of the YOU (Yast Online Update) utility for quick and secure installation of security updates."
Debian
http://www.security.debian.org/2004/dsa-479 alpha+ia32+powerpc
http://www.security.debian.org/2004/dsa-480 hppa
http://www.security.debian.org/2004/dsa-481 ia64
http://www.security.debian.org/2004/dsa-482 powerpc/apus
http://www.security.debian.org/2004/dsa-483 mips+mipsel
Mandrake Linux
MDKSA-2004:029 www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:029
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0109 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
January 9, 2004 Exploit acquired by iDEFENSE
February 20, 2004 Initial vendor notification
February 20, 2004 iDEFENSE clients notified
April 14, 2004 Coordinated public disclosure
IX. CREDIT
Greg MacManus (iDEFENSE Labs) is credited with this discovery.
Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Backdoor in X-Micro WLAN 11b Broadband Router
CODE: Backdoor in the X-Micro WLAN 11b Broadband Router
FCC ID: RAFXWL-11BRRG
Firmware Version: 1.2.2, 1.2.2.3 (probably others too)
Remote: yes, easily exploitable
Type: administration password, which always works
The following username and password works in every case, even if you set another password on the web interface:
Username: super
Password: super
By default the builtin webserver is listening on all network interfaces (if connected to the internet, then it is accessible from the internet too). Using the webinterface one can install new firmware, download the old, view your password, etc., so he can:
- make your board totally unusable, beyond repair
- install viruses, trojans, sniffers, etc. in your router
- get your password for your provider and maybe for your emails.
Possible fixes:
1. Set up portforwarding, and forward port 80; this way an attack from the WAN interface is impossible. But be aware that anyone in your local LAN (possibly over a wireless connection) can login to your router.
2. Upload a fixed firmware. I've made an unofficial (but fixed) one. You can download it from http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/xm-11brrg-0.1.bin This firmware is unofficial. NO WARRANTY. This firmware also fixes other bugs, for a list see: http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/Changes The tool which was used to create the image is also released under the GPL: http://xmicro.risko.hu/US8181-20040410.tar.gz DOCS: http://xmicro.risko.hu/
I don't know when the folks at X-Micro (who built this so nasty backdoor into this device) will reply; I bcc'ed this mail to them. I've chosen not to contact them earlier, because they violated the GPL seriously; the open source community tried to communicate with them, but without any positive results. And I'm sure that they know about this remote backdoor.
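The isofs advisory quoted above boils down to one missing check: the symlink assembled from chained SL chunks was never compared against the buffer allocated for it. The following C is an added illustration of that bound, not iDEFENSE's or the kernel's code; the record layout (1-byte length plus component bytes) and the function name are constructed stand-ins, not the real Rock Ridge format or get_symlink_chunk().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified chunk stream: each record is a 1-byte length
 * followed by that many bytes of one path component.  Continuation (CE)
 * records in the real format let an attacker chain arbitrarily many such
 * chunks, which is why the total must be bounded, not each chunk. */

#define SYMLINK_BUF 16 /* small on purpose so the bound is easy to hit */

/* Joins path components with '/' into out (NUL-terminated).
 * Returns the link length, or -1 if a record is truncated or the link
 * would not fit in out_len bytes (the check the advisory says was absent). */
int assemble_symlink_bounded(const uint8_t *recs, size_t recs_len,
                             char *out, size_t out_len)
{
    size_t used = 0, pos = 0;

    if (out_len == 0)
        return -1;
    while (pos < recs_len) {
        size_t clen = recs[pos++];
        if (clen > recs_len - pos)            /* record runs past input */
            return -1;
        /* separator (if not first) + component must still leave room for NUL */
        size_t need = (used ? 1 : 0) + clen;
        if (need > out_len - 1 - used)        /* would overflow: reject */
            return -1;
        if (used)
            out[used++] = '/';
        memcpy(out + used, recs + pos, clen);
        used += clen;
        pos += clen;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* constructed inputs: a benign two-component link, and a chain of
     * chunks whose combined length exceeds the allocation */
    static const uint8_t ok[]  = { 3,'e','t','c', 6,'p','a','s','s','w','d' };
    static const uint8_t big[] = { 5,'a','a','a','a','a', 5,'a','a','a','a','a',
                                   5,'a','a','a','a','a', 5,'a','a','a','a','a' };
    char buf[SYMLINK_BUF];

    printf("benign: %d (%s)\n",
           assemble_symlink_bounded(ok, sizeof ok, buf, sizeof buf), buf);
    printf("oversized chain: %d\n",
           assemble_symlink_bounded(big, sizeof big, buf, sizeof buf));
    return 0;
}
```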
AdmiralB
Apr 17 2004, 08:35 AM
how about the BRUTE-FORCING techniques against website passwords
tweakz20
Apr 17 2004, 07:34 PM
QUOTE: comparing the amount of scriptkids to admins on this board I would say don't provide a step by step way of how to use it.
i disagree... this is a learning board, and people are here to learn, not get held back because a skid might read it... besides, you learn from how-to articles, and we all want skids to learn, right? and also, most won't even do it, just get really confused and go play with their power ranger dolls
@ AdmiralB brute forcing will get you caught in no time...
syiron
Apr 19 2004, 08:23 PM
i agree with that. so i think we can change the experience and experiment, right.
celox
Apr 19 2004, 09:50 PM
I e-mailed an article about exploiting port 4000 on linux machines, i hope that it will make the e-zine.
GSecur
Apr 21 2004, 03:52 AM
Keep all the papers coming guys!
xlulux
Apr 21 2004, 02:06 PM
i will do things in spanish if you want, that's my first language and i would be happy to give it a shot... other than that i could maybe do a bit on social engineering
rapt0r
Apr 21 2004, 08:02 PM
I think another outlet for this newsletter could be security related BBS sites. There is a security related FIDONET area that includes a lot of EZINES. For exposure purposes, if you send the EZINES to me at ejandk@hotmail.com I will post them all to FIDONET for you to get more exposure.
I can also do German translations for you if you wish.
Rapt0r
GSecur
Apr 21 2004, 08:47 PM
Thanks bud. Wow, Fidonet, I thought that died with the BBS days. Tell me more, I loved the bbs days.
ssj4conejo
Apr 25 2004, 07:28 AM
can the article also possibly include phone phreaking? heh...
tweakz20
Apr 25 2004, 08:07 PM
wow, ssj4conejo, after being on this site, i forgot all about that... lol it's a different type of hack and it is involved in this kind of discussion... phreaking can be used educationally.. so gsecur... what'd you say??
GSecur
Apr 26 2004, 10:55 AM
I'm open to phreaking articles if someone wants to write it
GSecur
Apr 26 2004, 02:48 PM
This is the last week for papers, get them in soon!
ToukoN
Apr 26 2004, 09:27 PM
I'd love to write an article, I really would. Too bad my teachers want me to do exams in Biology, English, Physics and Maths this week. If I manage to get some free time, will it be ok if I try to write an article about something like basic security guidelines, networking layers and their security problems or maybe just something about tcp/ip? Anyway, great idea!
CloudyOne
May 5 2004, 08:26 AM
I would like to know how we go about subscribing to this magazine. I think i missed the post about how much it costs and where to sign up.
Yorn
May 5 2004, 06:14 PM
I don't know where GSO is at with this topic. I didn't get a chance to write up anything because I'm working on some end of the school year kinds of items relating directly to my job. My guess is that those still in school were doing the same.
supermax
May 5 2004, 09:48 PM
I personally have time to write a paper, but not the best I could have done because, like most people in here, school... but I am pretty sure that if everyone in here reads it and it gets good comments they will make a second one etc., so you will get a second chance
tweakz20
May 5 2004, 10:30 PM
yeah, i would write something too, but i'm studying for A+ and Network+ exams (for a good job this summer before i become of legal age) along with school.. oh boy, this summer is gonna be awesome
w00dy
May 6 2004, 02:09 AM
sure are a lot of excuses as to why ppl can't write papers
Tyrano
May 27 2004, 04:45 AM
WHERE IS DA ZINE!?!?!
chris105
Jul 9 2004, 09:50 PM
I could write a very noob guide to socket programming in VB, it's not much, but I'm not that advanced at it yet.
t0bban
Jul 18 2004, 03:13 PM
QUOTE (chris105 @ Jul 9 2004, 09:50 PM): I could write a very noob guide to socket programming in VB, its not much but I Im not that advanced at it yet.
Please do. When you're done, please let me know and I will take a look at it. I coded a lot of winsock applications in VB in the old days. Now I code .NET :-)
As for the articles; I've had less time than most people do, and now it's getting better so I've started to write an article on Netcat. The specialist group has already seen parts of it, it'll be released in public when I get it done. Cheers