Forums: Gso Call For Papers

Gso Call For Papers

#16 Blake

  • Former Commander In Chief
  • Group: Retired General
  • Posts: 7,317
  • Joined: 24-September 02

Posted 15 April 2004 - 05:44 PM

We have had a great response from members! A number of articles have been sent so keep up the good work.

I will start posting up article titles and authors that have submitted.

BUT WE STILL NEED MORE! So tell your friends, contributors outside of GSO are all welcome!

#17 Killaloop

  • Master Sergeant
  • Group: Members
  • Posts: 677
  • Joined: 01-January 04

Posted 16 April 2004 - 12:01 AM

Yorn, on Apr 15 2004, 08:45 PM, said:

    The so-called "black hats" do most of the contributing around here.


Awww gee, so I suppose we aren't allowed to contribute to the call for papers, either, eh?

Naw, I'm not a black hat, but one of the issues I was going to talk about was the mshta methods for installing a file and how a dedicated hacker would bypass generic virus scanners to do so.

For example, within 5 minutes of the release of any IE exploit, I can create a POC (proof-of-concept) that will download and execute an exe that opens your CD-ROM tray.

Well, for the most part, anyway. A lot of the time I will delay releasing a POC on these forums because I'm worried that a "script-kiddie" will use it. The reality is, administrators need to know in order to adapt their web scan engines for their AV, IDS, or other software so they can catch hostile web applications.

But there is an even easier way to handle it. It involves deleting mshta or doing ONE registry edit that will prevent a visual basic script from running. For example, just the other day I released information on how to disable the Windows Firewall in XP service pack 2. It was a simple batch file. It's ridiculous that Microsoft makes it *that* easy to disable stuff as important as a firewall.

Anyway, I gotta stop ranting. Just name a subject and I'll write up something on it by April 30th.

Don't talk about that method or I'm jobless :)

The mshta method is nothing for a script kiddie's hands... it's too easy to use and still far too powerful, even if it's already been around for years.
Microsoft failed to do something here, but for administrators it would for sure be good to know...
Comparing the number of script kids to admins on this board, I would say don't provide a step-by-step way of how to use it.

The security aspect would be of more interest: how it works, why it works, how to prevent it... etc.

But what am I talking about... you know exactly how you have to write it so that no one has to be scared of some script kid :)
However, it looks like I talk too much... I should write an article about "How to get a real life"

#18 Charlievarley

  • Private
  • Group: Members
  • Posts: 8
  • Joined: 03-June 03

Posted 16 April 2004 - 02:51 AM

A few I found worth covering

Buffer Overflow in ISO9660 File System Component of Linux Kernel

www.idefense.com/application/poi/display?id=101&type=vulnerabilities
April 14, 2004

I. BACKGROUND

Linux is a free Unix-type operating system originally created by Linus
Torvalds with the assistance of developers around the world. The 'isofs'
component of the Linux kernel mediates file system interactions with
ISO-9660 format CD-ROMs.

II. DESCRIPTION

The Linux kernel performs no length checking on symbolic links stored on
an ISO9660 file system, allowing a malformed CD to perform an arbitrary
length overflow in kernel memory.

Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge'
extension to the standard format. The vulnerability can be triggered by
performing a directory listing on a maliciously constructed ISO file
system, or attempting to access a file via a malformed symlink on such a
file system. Many distributions allow local users to mount CDs, which
makes them potentially vulnerable to local elevation attacks.

The relevant functions are as follows:

fs/isofs/rock.c: rock_ridge_symlink_readpage()
fs/isofs/rock.c: get_symlink_chunk()

There is no checking that the total length of the symlink being read is
less than the memory space that has been allocated for storing it. By
supplying many CE (continuation) records, each with another SL (symlink)
chunk, it is possible for an attacker to build an arbitrary length data
structure in kernel memory space.

A proof of concept exploit has been written that allows a local user to
gain root level access. It is also possible to cause execution of code
with kernel privileges.

III. ANALYSIS

In order to exploit this vulnerability, an attacker must be able to
mount a maliciously constructed file system. This may be accomplished by
the following:

a. Having an account on the machine to be compromised and inserting a
malformed disk. Some distributions allow local users to mount removable
media without needing to be root, and with some configurations this
happens automatically when a disk is inserted. The proof of concept
exploit works from floppy disk as well as CD-ROM.

If the attacker can reboot the machine from his or her own media or
supply command line options to the kernel during the initialization
process after rebooting, exploiting this vulnerability may not be
necessary to gain further access. In this situation, the attacker will
not be able to directly access any encrypted file systems.

b. If encrypted virtual file systems are implemented, and the attacker
gains access to an account able to mount one, then an attacker may be
able to mount his or her own maliciously formed file system via the
encryption interface. This would allow them access to any already
mounted file systems.

c. Being root already. If the attacker has already gained root, but the
kernel has some form of patch preventing root being able to perform
certain functions, he or she may still be able to mount a file system.
As the vulnerability occurs in kernel space, it may be possible for them
to neutralize the restrictions.

IV. DETECTION

The issue affects the 2.4.x, 2.5.x and 2.6.x kernel. Other kernel
implementations may also be vulnerable.

V. WORKAROUNDS

Disable user mounting of removable media devices.

VI. VENDOR RESPONSE

Affected vendors have provided the following comments/patches:

Slackware

"Slackware will be waiting for a new upstream kernel version that will
address this issue. None of our existing releases allow a non-root user
to mount a CD-ROM, and the exploit requires physical access to the
machine"

SUSE

"SUSE Security have published a SUSE Security Announcement at
http://www.suse.de/security/ and update packages that fix the
vulnerability. The update packages are available for download at
ftp://ftp.suse.com/pub/suse/i386/update//rpm/i586/, but we
encourage our users to make use of the YOU (Yast Online Update) utility
for quick and secure installation of security updates."

Debian

http://www.security.debian.org/2004/dsa-479 alpha+ia32+powerpc
http://www.security.debian.org/2004/dsa-480 hppa
http://www.security.debian.org/2004/dsa-481 ia64
http://www.security.debian.org/2004/dsa-482 powerpc/apus
http://www.security.debian.org/2004/dsa-483 mips+mipsel

Mandrake Linux

MDKSA-2004:029
www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:029

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0109 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

January 9, 2004 Exploit acquired by iDEFENSE
February 20, 2004 Initial vendor notification
February 20, 2004 iDEFENSE clients notified
April 14, 2004 Coordinated public disclosure

IX. CREDIT

Greg MacManus (iDEFENSE Labs) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information


Backdoor in X-Micro WLAN 11b Broadband Router

Backdoor in the X-Micro WLAN 11b Broadband Router

FCC ID: RAFXWL-11BRRG
Firmware Version: 1.2.2, 1.2.2.3 (probably others too)
Remote: yes, easily exploitable
Type: administration password, which always works

The following username and password work in every case, even if you
set another password on the web interface:
Username: super
Password: super

By default the built-in web server is listening on all network
interfaces (if connected to the internet, then it is accessible from
the internet too). Using the web interface one can install new
firmware, download the old, view your password, etc., so he can:
- make your board totally unusable, beyond repair
- install viruses, trojans, sniffers, etc. in your router
- get your password for your provider and maybe for your emails.

Possible fixes:
1. Set up port forwarding, and forward port 80; this way an attack from
the WAN interface is impossible. But be aware that anyone in your
local LAN (possibly over a wireless connection) can log in to your
router.

2. Upload a fixed firmware. I've made an unofficial (but fixed)
one. You can download it from
http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/xm-11brrg-0.1.bin
This firmware is unofficial. NO WARRANTY.
This firmware also fixes other bugs; for a list see:
http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/Changes
The tool used to create the image is also released under the
GPL: http://xmicro.risko.hu/US8181-20040410.tar.gz
DOCS: http://xmicro.risko.hu/

I don't know when the folks at X-Micro (who built this nasty backdoor
into this device) will reply; I bcc'ed this mail to them. I chose not
to contact them earlier, because they seriously violated the GPL; the
open source community tried to communicate with them, but without any
positive results. And I'm sure that they know about this remote
backdoor.

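The iDEFENSE advisory quoted above says the SL chunks are copied one after another into a page of kernel memory while nothing compares the running total with the size of that page. The C below is an added illustration of that, written for this page and not taken from the kernel's fs/isofs/rock.c or from the post: it keeps the SUSP entry layout (an SL entry carrying flags(1) len(1) text components, joined with "/", where component flag 0x01 means "continues in the next record"), but shortens the CE record to a one-byte index into a table of system-use areas, handles only literal components, and uses a 32-byte stand-in for the page so the overflow is easy to see. The names rr_area, rr_read_symlink, build_area, build_chain and demo_* are mine, and the sample chain ("usr", then thirty 'A's, then thirty 'B's, reached through two CE records) is constructed for the example. With enforce == 0 the copy is unconditional, which is the vulnerable behaviour; with enforce != 0 the copy refuses any chunk that would push the total past the page, which is the shape of the fix.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of Rock Ridge symlink assembly, not the kernel's fs/isofs/rock.c.
 * SUSP entry: sig(2) len(1) ver(1) payload.  SL payload: flags byte, then
 * component records of flags(1) len(1) text.  CE is shortened to one byte
 * indexing `areas` (a real CE carries a block/offset/length triple). */

#define SL_PAGE 32   /* stand-in for the PAGE_SIZE buffer that receives the link */

typedef struct { const uint8_t *data; size_t len; } rr_area;

/* Copy n bytes to out[*pos]; enforce == 0 never refuses (vulnerable). */
static int rr_append(char *out, size_t *pos, size_t limit, int enforce,
                     const char *src, size_t n)
{
    if (enforce && *pos + n > limit) return -1;     /* the fix: stay in the page */
    memcpy(out + *pos, src, n);                     /* unchecked: runs past it */
    *pos += n;
    return 0;
}

/* Walk SUSP entries from areas[0] following CE chains: bytes written, or -1. */
int rr_read_symlink(const rr_area *areas, size_t n_areas,
                    char *out, size_t limit, int enforce)
{
    size_t pos = 0, ai = 0;
    int need_sep = 0, hops = 0;
    while (ai < n_areas && hops++ < 256) {          /* hop cap stops CE loops */
        const uint8_t *p = areas[ai].data, *end = p + areas[ai].len;
        size_t next = n_areas;                      /* no continuation yet */
        while (end - p >= 4) {
            uint8_t elen = p[2];
            if (elen < 4 || elen > end - p) return -1;
            if (p[0] == 'S' && p[1] == 'L' && elen >= 5) {
                const uint8_t *c = p + 5, *ce = p + elen;
                while (ce - c >= 2) {
                    uint8_t cflags = c[0], clen = c[1];
                    if (clen > ce - c - 2) return -1;
                    if (need_sep && rr_append(out, &pos, limit, enforce, "/", 1)) return -1;
                    if (rr_append(out, &pos, limit, enforce, (const char *)c + 2, clen)) return -1;
                    need_sep = !(cflags & 0x01);    /* 0x01: component continues */
                    c += 2 + clen;
                }
            } else if (p[0] == 'C' && p[1] == 'E' && elen >= 5) {
                next = p[4];                        /* simplified CE: area index */
            }
            p += elen;
        }
        ai = next;
    }
    return (int)pos;
}

/* Build one area: an SL entry with one literal component, plus a CE to `next`. */
static size_t build_area(uint8_t *buf, const char *text, int next)
{
    size_t n = strlen(text), i = 0;
    buf[i++] = 'S'; buf[i++] = 'L'; buf[i++] = (uint8_t)(7 + n); buf[i++] = 1;
    buf[i++] = 0;                                   /* SL flags */
    buf[i++] = 0; buf[i++] = (uint8_t)n;            /* component flags, length */
    memcpy(buf + i, text, n); i += n;
    if (next >= 0) {
        buf[i++] = 'C'; buf[i++] = 'E'; buf[i++] = 5; buf[i++] = 1; buf[i++] = (uint8_t)next;
    }
    return i;
}

/* Constructed sample: "usr" -> 30 x 'A' -> 30 x 'B' through two CE records,
 * 65 bytes of link text against a 32-byte page. */
static void build_chain(uint8_t store[3][64], rr_area areas[3])
{
    char big[31];
    memset(big, 'A', 30); big[30] = '\0';
    areas[0] = (rr_area){ store[0], build_area(store[0], "usr", 1) };
    areas[1] = (rr_area){ store[1], build_area(store[1], big, 2) };
    memset(big, 'B', 30);
    areas[2] = (rr_area){ store[2], build_area(store[2], big, -1) };
}

/* Read the sample chain into a page followed by a canary region and count the
 * canary bytes clobbered: 33 unchecked (the kernel-memory overflow), 0 checked. */
int demo_clobbered(int enforce)
{
    uint8_t store[3][64]; rr_area areas[3];
    char buf[SL_PAGE + 64];
    int clobbered = 0;
    build_chain(store, areas);
    memset(buf, 0xEE, sizeof buf);
    rr_read_symlink(areas, 3, buf, SL_PAGE, enforce);
    for (size_t i = SL_PAGE; i < sizeof buf; i++)
        clobbered += (uint8_t)buf[i] != 0xEE;
    return clobbered;
}

/* Return value on the sample chain: 65 unchecked, -1 checked. */
int demo_len(int enforce)
{
    uint8_t store[3][64]; rr_area areas[3]; char buf[SL_PAGE + 64];
    build_chain(store, areas);
    return rr_read_symlink(areas, 3, buf, SL_PAGE, enforce);
}
```

Compile with cc -std=c99 -Wall. Unchecked, the 65-byte link is written in full and the 33 bytes beyond the page land in the canary region here (and in whatever neighbours the page in kernel memory on a real system). Checked, the same chain is refused with -1 after only the 4 bytes that fit were written, which is why the bound has to be tested before each chunk is copied rather than after the total is known.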
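The X-Micro report quoted above says one username and password are accepted no matter what the owner configures. As an added example, written for this page and not the X-Micro firmware (which is not shown) nor part of the post, the C below is a toy HTTP Basic-auth check of the kind an embedded web server runs, in two versions: auth_backdoored consults a built-in pair before the configured credentials, which is one way such an "always works" login comes about, and auth_fixed consults only the configured pair, comparing without stopping at the first mismatching byte. The super/super pair comes from the report; the admin/s3cret configuration and the Authorization header values are constructed for the example, and b64decode, parse_basic and ct_equal are helpers of my own.

```c
#include <stdio.h>
#include <string.h>

/* Toy HTTP Basic-auth check of the kind an embedded web server runs, written
 * once with a built-in pair accepted ahead of the configured one and once
 * without.  A guess at the shape of the flaw, not the X-Micro firmware. */

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 into a NUL-terminated buffer.  Returns length or -1. */
static int b64decode(const char *in, char *out, size_t out_sz)
{
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= out_sz) return -1;
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Split "Basic <base64(user:pass)>" into user and pass.  0 on success. */
static int parse_basic(const char *value, char *user, size_t usz,
                       char *pass, size_t psz)
{
    char raw[256], *colon;
    if (strncmp(value, "Basic ", 6) != 0 || b64decode(value + 6, raw, sizeof raw) < 0)
        return -1;
    if ((colon = strchr(raw, ':')) == NULL) return -1;
    *colon = '\0';
    if (strlen(raw) >= usz || strlen(colon + 1) >= psz) return -1;
    strcpy(user, raw); strcpy(pass, colon + 1);
    return 0;
}

/* Equality that does not stop at the first mismatching byte. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Backdoored: the fixed pair wins before the configured one is consulted, so
 * changing the password in the web interface never locks it out. */
int auth_backdoored(const char *hdr, const char *cfg_user, const char *cfg_pass)
{
    char u[64], p[64];
    if (parse_basic(hdr, u, sizeof u, p, sizeof p) != 0) return 0;
    if (strcmp(u, "super") == 0 && strcmp(p, "super") == 0) return 1;   /* backdoor */
    return strcmp(u, cfg_user) == 0 && strcmp(p, cfg_pass) == 0;
}

/* Fixed: only the configured credentials count. */
int auth_fixed(const char *hdr, const char *cfg_user, const char *cfg_pass)
{
    char u[64], p[64];
    if (parse_basic(hdr, u, sizeof u, p, sizeof p) != 0) return 0;
    return ct_equal(u, cfg_user) & ct_equal(p, cfg_pass);
}

int main(void)
{
    const char *bd = "Basic c3VwZXI6c3VwZXI=";     /* super:super, as in the report */
    printf("configured admin/s3cret; super:super -> backdoored %d, fixed %d\n",
           auth_backdoored(bd, "admin", "s3cret"), auth_fixed(bd, "admin", "s3cret"));
    return 0;
}
```

In auth_backdoored, changing the configured password has no effect on the super/super login, which is the behaviour the report describes. Forwarding port 80 elsewhere, as the report suggests, keeps the WAN side away from the interface but does nothing for a client on the LAN or wireless side; removing the fallback from the firmware is the only complete fix.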

#19 AdmiralB

  • Sergeant First Class
  • Group: Members
  • Posts: 312
  • Joined: 24-December 03

Posted 17 April 2004 - 12:35 AM

How about brute-forcing techniques against website passwords?

#20 Logan

  • Specialist
  • Group: Specialist
  • Posts: 1,596
  • Joined: 29-February 04

Posted 17 April 2004 - 11:34 AM

Quote:

    Comparing the number of script kids to admins on this board, I would say don't provide a step-by-step way of how to use it.


I disagree... This is a learning board, and people are here to learn, not to get held back because a skid might read it... Besides, you learn from how-to articles, and we all want skids to learn, right? And also, most won't even do it, they'll just get really confused and go play with their Power Ranger dolls.


@AdmiralB
Brute forcing will get you caught in no time...

#21 syiron

  • Private
  • Group: Members
  • Posts: 4
  • Joined: 19-February 04

Posted 19 April 2004 - 12:23 PM

I agree with that. So I think we can change the experience and experiment, right? :D

#22 celox

  • Private
  • Group: Members
  • Posts: 7
  • Joined: 08-March 04

Posted 19 April 2004 - 01:50 PM

I e-mailed an article about exploiting port 4000 on Linux machines; I hope that it will make the e-zine.

#23 Blake

  • Former Commander In Chief
  • Group: Retired General
  • Posts: 7,317
  • Joined: 24-September 02

Posted 20 April 2004 - 07:52 PM

Keep all the papers coming guys!

#24 xlulux

  • Private First Class
  • Group: Members
  • Posts: 139
  • Joined: 25-January 04

Posted 21 April 2004 - 06:06 AM

I will do things in Spanish if you want, that's my first language and I would be happy to give it a shot... Other than that I could maybe do a bit on social engineering.

#25 Guest_rapt0r_*

  • Group: Guests

Posted 21 April 2004 - 12:02 PM

I think another outlet for this newsletter could be security-related BBS sites. There is a security-related FIDONET area that includes a lot of EZINES. For exposure purposes, if you send the EZINES to me at ejandk@hotmail.com I will post them all to FIDONET for you to get more exposure.

I can also do German translations for you if you wish.

Rapt0r

#26 Blake

  • Former Commander In Chief
  • Group: Retired General
  • Posts: 7,317
  • Joined: 24-September 02

Posted 21 April 2004 - 12:47 PM

Thanks bud. Wow, Fidonet, I thought that died with the BBS days. Tell me more, I loved the BBS days.

#27 ssj4conejo

  • Sergeant
  • Group: Members
  • Posts: 239
  • Joined: 11-August 03

Posted 24 April 2004 - 11:28 PM

Can the article also possibly include phone phreaking? heh...

#28 Logan

  • Specialist
  • Group: Specialist
  • Posts: 1,596
  • Joined: 29-February 04

Posted 25 April 2004 - 12:07 PM

Wow, ssj4conejo, after being on this site, I forgot all about that... lol

It's a different type of hack and it is involved in this kind of discussion... Phreaking can be used educationally... So gsecur... what do you say?? ;)

#29 Blake

  • Former Commander In Chief
  • Group: Retired General
  • Posts: 7,317
  • Joined: 24-September 02

Posted 26 April 2004 - 02:55 AM

I'm open to phreaking articles if someone wants to write it ;)

#30 Blake

  • Former Commander In Chief
  • Group: Retired General
  • Posts: 7,317
  • Joined: 24-September 02

Posted 26 April 2004 - 06:48 AM

This is the last week for papers, get them in soon! ;)