Domain: milw0rm.com
Stories and comments across the archive that link to milw0rm.com.
Comments · 135
-
Re:It is the most important open source project.
http://www.milw0rm.com/exploits/7309
Here you go, found with a pretty simple Google search.
Also, incidentally, older versions of RDP were susceptible to man-in-the-middle attacks to grab passwords and inject commands. I think newer versions do some certificate checking to verify the server to which they're connected.
-
Re:Summary omits crucial component: MICROSOFT WIND
LOL.. And linux has no vulnerabilities?
http://milw0rm.com/platforms/linux
Just last year there were DOZENS of kernel vulnerabilities on Linux and NT had almost none. Of course since you're part of the online linux cheer-leading squad you ignore facts.
Linux is an average Unix clone. Get used to it. Although, to be fair, I guess the "clone" part is redundant. Everything in the F/OSS world is a copy of existing successful proprietary products.
-
Re:So what?
Okay great, so now look at these links http://www.milw0rm.com/exploits/8266 http://www.milw0rm.com/exploits/8896 pre-compile them and have fun, it took about 2 seconds to find a way to access the root account which can overturn any lock out on the system, once you're in a terminal look around, erase logs and leave, no proof, no suspension.
-
Re:No, WRONG
Oh wow, a privilege escalation bug in an operating system. That completely invalidates all my points. If you know anything about OS security you'd know that there exist and have existed and will exist privilege escalation bugs for all popular operating systems.
Its Not Like Linux Doesn't Have Any
Those are all from 2009 BTW. Anyway the point isn't to bash Linux or Windows for that matter, but I'll be impressed when someone can actually provide a valid critique of NT design. Maybe too much to ask for in a comment, but w/e...
-
Re:Affected software list
Do you have any proof showing that UAC and Protected Mode does not guard against this exploit or others? So far from the security researchers, I've only read very specific conditions under the latest systems that it's a problem.
Oh, so you have already read about conditions where this happens? Guess I don't have to answer this one then, do I?
Besides, I already gave you an example earlier. But just for shits and giggles, here's one that references the chances at 1% on IE8/Vista or IE8/Win7:
Now, while 1% seems a trivial number, it is actually quite large when installed base is taken into account... or only a few million machines.
Then add to that, such an exploit can be attempted multiple times on a machine, which raises the likeliness of the exploit working.
And here's one more recent that states it is even more likely and has been proven to be possible:
Hmmm... does that one sound familiar? Maybe the one this patch is supposed to address?
Or this one: Crappy Ass Microsoft Javascript implementation vector for bypassing DEP
And one that was made available to govts and large security software vendors: DEP being bypassed
And one (just to add it to the list) to bypass XP and hardware DEP: ANI Cursor Exploit
Should I go on? There are TONS of pages I can go through... and I haven't even started on the hotfixes and other patches Microsoft has released to fix earlier issues with DEP and UAC.
Knowing what I've read about the various security contests, the only thing that needs to be done is execute code as the user.
But what limited scope is this? Does the vulnerability get contained within the Low profile of IE? If it drops files in there, who gives a damn? Even if it can execute code at the medium privilege level, it still doesn't have access to core system files and settings.
Hmmm... I dunno... what did the .NET stuff do for both Firefox and IE? Is .NET really truly fixed this time? This is the 6th major attempt to do so, and probably the few dozenth attempt overall.
The severity of the vulnerability to me under Windows is what I care more about, simply saying the application is "vulnerable" isn't enough.
True... but then again, I make most of my "repair" money at the company I work for from fixing virus ridden machines running on default settings (DEP and UAC enabled) from customers who have (or claim to have) done nothing and clicked on nothing - other than visiting malicious sites before the most recent .NET patch.
Not that I'm downplaying the exploit nor any fixes for it, I'm just trying to shed light on the various methods used to prevent such things from gaining much traction on a user's computer.
If the exploit can get by IE Protected Mode and execute under medium integrity I'd be a bit worried, but the attack surface is very limited until it generates a UAC prompt.
When exactly does it do that? And you realize there are mechanisms built into Windows Vista and Windows Seven to bypass UAC, correct? I'm cleaning a machine right now with Vista on it (and UAC & DEP enabled), where winlogon was infected (along with just under 100 other files).
If the user clicks OK to the UAC prompt and lets the thing get elevated privileges, well, at that point I no longer blame the application--I blame the user.
I agree... but that is not needed in vari
-
He forgot one chapter
- everything on your site is pwned
-
Re:Hell called
Linux servers are usually rock solid and secure.
LOL. http://milw0rm.com/platforms/linux
The fake 'security' of linux only exists in your head. The core of Windows is an order of magnitude more secure than the core of Linux. If you cant see that then you're too retarded to speak to. Might want to add another layer to your tin-foil hat too.
-
Re:Yeah, right
http://www.cutekittens.com/ how about that one?
:D
Oh man, that site is AWESOME!!! I can't believe what those women were doing. I can't believe it's a free site. Thanks!
-
Exploit (FX3.5)
Here's the exploit code for firefox.
Apparently, it should crash and open up calc.exe. On my machine (win7 RC1) it crashes bringing up the error report thingy.
No calc.exe for me. :(
Does this mean I'm "safe"?
-
Re:DirectX on WebApps?
You're right. Here's one for the first bulletin I posted.
Here are a bunch more.
I haven't found one yet for the second bulletin I posted. Feel free to conduct your own research.
-
Re:Summary of Vulnerabilities
Summary from http://www.milw0rm.com/exploits/8880 seems pretty serious but quite difficult to fix all of them in 2 weeks.
Timeline:
05/21/2009 - sent initial email to vendor with a link to a private resource for viewing various kloxo hiab575 vulnerability info
05/23/2009 - received the following: "Thanks for the info. I will review this and let you know." (no signature)
05/30/2009 - sent an email asking if there were any updates
06/01/2009 - received the following: "Sorry for the delay. I am currently looking into this, and will reply in a couple of hours time." (no signature)
06/04/2009 - nothing heard from vendor, and the private resource containing the vulnerability info still does not appear to have been accessed
2 weeks have passed since the initial notification. Vendor appears uninterested.
ISSUE 1 - uid/gid reuse
ISSUE 2 - unprivileged port use
ISSUE 3 - default passwords
ISSUE 4 - useradd string in the process list
ISSUE 5 - XSS
ISSUE 6 - remotely create partially user controlled file names and directories. Locally append uncontrolled data to any file
ISSUE 7 - local users can take control of any file or directory
ISSUE 8 - local users can take control of any file or directory
ISSUE 9 - local users can overwrite any file on the box
ISSUE 10 - yet another symlink attack for local users
ISSUE 11 - metachar injection, local command execution as root
ISSUE 12 - web stats world readable password hashes
ISSUE 13 - local users can overwrite any file on the box
ISSUE 14 - metachar injection, local command execution as root
ISSUE 15 - remotely block any - or every - IP addr in hosts.deny
ISSUE 16 - remote CPU and mem usage DoS
ISSUE 17 - local users can truncate and control any file
ISSUE 18 - just 2 more symlinks to own any file on the box
ISSUE 19 - file manager, view and edit any file
ISSUE 20 - file manager PT II
ISSUE 21 - file manager PT III
ISSUE 22 - local user symlink attack
ISSUE 23 - local user symlink attack (last one)
ISSUE 24 - sql injection in the "Forgot Password" form
LMAO! can you say botnet material? That network was like a hacker's playground.
-
Re:Narrow escape
Being somebody who has been affected by the attack on Vaserv (luckily my primary system was unscathed but the other 3 are MIA as of right now) I got curious and found this in regards to the vulnerabilities in HyperVM
link
-
Re:Summary of Vulnerabilities
Summary from http://www.milw0rm.com/exploits/8880 seems pretty serious but quite difficult to fix all of them in 2 weeks.
It wouldn't have killed them to at least look at the details during those two weeks.
-
Re:There's yer problem...
There is only so much due diligence you can do if their claims are not true.
Phillip.
-
Re:Mixed feelings
Reading through the information on Milw0rm's own site, it appears they had an email exchange with someone at LXLabs for two weeks, then decided on their own to release the information. Two weeks is not nearly enough time to even decide if something like this is worth looking at, let alone find a fix, develop it, test it, implement it, and push it to all clients.
Fair enough, I would agree that in most cases two weeks is not nearly enough time. Even if you can, by some superhuman feat of organisation, create+QA+publish a fix/workaround that day it'll take time for the users to test and make the update available on their services (you can't just chuck a patch on a large production system without some oversight).
But I would certainly not go as far as to suggest that two weeks is not enough time to decide if something like this is even worth looking at. To have not even accessed the resource containing further exploit information (I assume this was available on a service that would log access, an unadvertised and unlinked location on a web server for instance) in two weeks seems wrong to me. Would you not at least download it, virus-/other-check it, and attach anything relevant to your internal record for the issue so the team/person who reviews these things has access to the info?
Having read the released information I would agree that Milw0rm's premature release was at least unprofessional if not down right irresponsible, but (assuming Milw0rm's report is true and accurate) I think that the vendor's response was similarly lacking in due diligence.
-
Re:Mixed feelings
But once you've informed the supplier, and allowed enough time for a fix to be created, tested, rolled into a patch, QAed, released to clients and tested+installed by clients, what other alternative is there?
You're assuming the bolded part is true. Reading through the information on Milw0rm's own site, it appears they had an email exchange with someone at LXLabs for two weeks, then decided on their own to release the information. Two weeks is not nearly enough time to even decide if something like this is worth looking at, let alone find a fix, develop it, test it, implement it, and push it to all clients. I hope the guys at Milw0rm get sued into oblivion over this. Their actions were completely irresponsible and directly led to millions of dollars of damage, potentially billions of dollars of damage (over 100,000 accounts were destroyed, assuming those accounts spent $10 per month on hosting that's millions of dollars in damage to the hosting provider alone). VAServ is based in the UK and LXLabs is based in India; I have no idea what the laws are like in those countries, but let's hope Milw0rm faces criminal charges there over this. Security research is an important field and requires a certain level of trust, accountability, and responsibility for it to function properly. By releasing this information publicly without sufficient notice, Milw0rm breached those traits and deserves to suffer the consequences for doing so.
-
Re:Mixed feelings
No, you truly can. You can't blame it for 100% of the problem, but without doubt, people who make viruses are preying on others. What outcome do you expect, when those preyed upon are already struggling just to get through the day and raise their kids or whatever?
You might expect someone selling a product to not lie about security.
You might expect someone selling a product with completely false security marketing to at least read the information regarding any published vulnerabilities - note that the vendor apparently did acknowledge the notification, but did not read the details.
Lxlabs has really been preying upon their customers all along: they've been selling an extremely poor product and lying about their product's security design.
-
Re:Mixed feelings
I have very mixed feelings on security firms releasing exploits to the public just to try and get results. In my (admittedly limited) experience, more bad has come from releasing exploits publicly than good.
These vulnerabilities are so simple - and many lead to root access. I'd be surprised if these vulnerabilities haven't been found in the past by others; it's likely that people who found them have been exploiting the application for some time. See the exploits - the application is clearly flawed and was designed with little regard to security. With a security failure of this magnitude, I think it's best that everyone know about the exploits. If I used this product, I wouldn't trust the vendor's ability to write a secure product at all; I'd switch to a more secure product ASAP.
-
Summary of Vulnerabilities
Summary from http://www.milw0rm.com/exploits/8880 seems pretty serious but quite difficult to fix all of them in 2 weeks.
Timeline:
05/21/2009 - sent initial email to vendor with a link to a private resource for viewing various kloxo hiab575 vulnerability info
05/23/2009 - received the following: "Thanks for the info. I will review this and let you know." (no signature)
05/30/2009 - sent an email asking if there were any updates
06/01/2009 - received the following: "Sorry for the delay. I am currently looking into this, and will reply in a couple of hours time." (no signature)
06/04/2009 - nothing heard from vendor, and the private resource containing the vulnerability info still does not appear to have been accessed
2 weeks have passed since the initial notification. Vendor appears uninterested.
ISSUE 1 - uid/gid reuse
ISSUE 2 - unprivileged port use
ISSUE 3 - default passwords
ISSUE 4 - useradd string in the process list
ISSUE 5 - XSS
ISSUE 6 - remotely create partially user controlled file names and directories. Locally append uncontrolled data to any file
ISSUE 7 - local users can take control of any file or directory
ISSUE 8 - local users can take control of any file or directory
ISSUE 9 - local users can overwrite any file on the box
ISSUE 10 - yet another symlink attack for local users
ISSUE 11 - metachar injection, local command execution as root
ISSUE 12 - web stats world readable password hashes
ISSUE 13 - local users can overwrite any file on the box
ISSUE 14 - metachar injection, local command execution as root
ISSUE 15 - remotely block any - or every - IP addr in hosts.deny
ISSUE 16 - remote CPU and mem usage DoS
ISSUE 17 - local users can truncate and control any file
ISSUE 18 - just 2 more symlinks to own any file on the box
ISSUE 19 - file manager, view and edit any file
ISSUE 20 - file manager PT II
ISSUE 21 - file manager PT III
ISSUE 22 - local user symlink attack
ISSUE 23 - local user symlink attack (last one)
ISSUE 24 - sql injection in the "Forgot Password" form
For more information
-
Re:Scary Targets...
You'd be surprised. It's easy enough for someone with just a bit of knowledge to read an article that raves about custom firmware, download said firmware, and flash the router. Plus, DD-WRT is configured rather poorly by default (doesn't everyone want telnet?) and is vulnerable to a rather elementary XSS exploit.
The XSS exploit can be prevented by logging out of the router when you're done, but here's the catch -- DD-WRT provides no logout button/link/etc. I recall someone suggesting it on the mailing list, and it earned them a good-ol' fanboy flaming. The solution, of course, is to close your browser -- but again, there are plenty of users out there who don't know that.
-
Re:Dumbasses
Hahaha then too,
but my guess is that spazztastic is referring to ms09-002
-
Re:Joomla is evil.
See, here's where you're wrong: Joomla makes it incredibly easy to grant full editing access to anyone visiting your site!
How?
With hundreds of essential 3rd-party modules! These action-packed add-ons feature high-quality and easy-to-use SQL injection exploits, empowering your visitors to take full control and do whatever they want to your site.
Now that's usability!
-
Easy way to secure your Joomla! installation
rm -rf /var/www/myjoomlasite
The core's not the problem, but the 3rd-party add-ons can hurt you badly.
Check out http://milw0rm.com/ and do a quick search for Joomla and see why.
-
Secure, just like
ActiveX probably.
-
Here's the Exploit Code
Here's the exploit code referenced in the article update... The second one apparently works on Vista, too. http://www.milw0rm.com/exploits/7403 http://www.milw0rm.com/exploits/7410
-
Validation?
Not actual validation, but a good starting point for Apple's argument:
http://milw0rm.com/platforms/osX
-
Re:Does anyone use this OS any more?
That's cool.
http://milw0rm.com/platforms/osX
Says the latest remote exploit for OS X is when you're using 1+ yr old Quicktime. Nice to know.
Then there's this:
http://milw0rm.com/platforms/windows
Holy crap. Just keep scrolling....
-
Re:Sauce
you probably shouldn't click that unless you trust the owner/controller of milw0rm.com to not infect whichever system you have.
darkpixel@hoth:~/tmp$ uname -a
Linux hoth 2.6.27-7-generic #1 SMP Fri Oct 24 06:42:44 UTC 2008 i686 GNU/Linux
I feel pretty safe...
*time passes*
*time passes*
...hmm...
darkpixel@hoth:~/tmp$ wget -c http://milw0rm.com/sploits/2008-MS08-067.rar
*snip*
MS08-067.rar' saved [12506/12506]
darkpixel@hoth:~/tmp$ unrar e 2008-MS08-067.rar
*snip*
darkpixel@hoth:~/tmp$ clamscan .
./MS08-067.c: OK
./srvsvc.h: OK
./srvsvc_c.c: OK
./mem.h: OK
./srvsvc.idl: OK
./MS08-067.exe: OK
./srvsvc_s.c: OK
----------- SCAN SUMMARY -----------
Known viruses: 454416
Engine version: 0.94.1rc1
Scanned directories: 1
Scanned files: 7
Infected files: 0
Data scanned: 0.11 MB
Time: 6.840 sec (0 m 6 s)
darkpixel@hoth:~/tmp$ wine MS08-067.exe
fixme:system:SetProcessDPIAware stub!
fixme:iphlpapi:NotifyAddrChange (Handle 0x7d8699f8, overlapped 0x7d8699dc): stub
fixme:shell:DllCanUnloadNow stub
MS08-067 Exploit for CN by EMM@ph4nt0m.org
MS08-067.exe <Server>
darkpixel@hoth:~/tmp$
Damn me and my refusal to run any MS software at home... If only I had a vmware image of XP. I wonder if WINE emulates windows well enough to attack another machine...
-
Link to exploit...
From milw0rm here
-metric
-
Security?
Why is WebKit worth switching to when Chrome had five vulnerabilities in two days?
2008-09-05: http://milw0rm.com/exploits/6367
2008-09-05: http://milw0rm.com/exploits/6386
2008-09-05: http://milw0rm.com/exploits/6372
2008-09-04: http://milw0rm.com/exploits/6365
2008-09-03: http://milw0rm.com/exploits/6355
2008-09-03: http://milw0rm.com/exploits/6353
WebKit isn't touching my machine, thank you very much. Might throw Bunny (the fuzzer) at the codebase, though.
-
Security improvements?
I keep hearing about "security improvements"... There are two exploits in two days of life. It's an immature codebase, but if this is what we've got to look forward to, well, count me out.
http://milw0rm.com/exploits/6353
http://milw0rm.com/exploits/6355
-
Beware - first exploit already out
http://www.milw0rm.com/exploits/6355 Google's new Web browser (Chrome) allows files (e.g., executables) to be automatically downloaded to the user's computer without any user prompt.
-
Re:Not reasonable
Not if your systems are properly secured.
This is precisely my point. It is impossible to completely secure your systems, and it is impossible to know how your systems are going to change in the future.
New classes of exploits come out all the time, and there is absolutely no way that you can account for them. In addition, everybody here knows how quickly a project can go from well-designed theory to poorly implemented pwnage-bait.
Let's say you have your theoretical Linux server locked down completely, following all the industry best practices and performing daily log audits. In the real world, this will never happen, but let's pretend...
Would your server have stood up to the root exploit that came out last February? Maybe, maybe not. Would it have been compromised by the Debian OpenSSL fuckup? How about Kaminsky's DNS exploit? The BGP exploit? Maybe, maybe not. Will it stand up to the thousands of other unpublished exploits that are traded and sold on a daily basis? Highly doubtful.
The only thing you have protecting you is the fact that the people who will do the attacking don't know what valuable data is on that server, nor what configuration it is running. Don't be a dumbass and post that information on public forums.