Domain: seclists.org
Stories and comments across the archive that link to seclists.org.
Comments · 292
-
Where it all started
Where it all started: http://seclists.org/oss-sec/20... and http://seclists.org/oss-sec/20... and http://seclists.org/fulldisclo...
And rooted from the patch, too
"Linux can be rooted by a command that makes your computer beep? That's fucking idiotic, man..."
And the patch that supposedly fixes the bug contains this gem:
--- /dev/null 2018-13-37 13:37:37.000000000 +0100
+++ b/beep.c 2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol;beep # 13-21 12:53:21.000000000 +0100
.
Which is supposed to be an exploit of patch: according to that source, patch supports diffs written in ed scripts (you know, the one editor that is supposed to be the punch line of every "vi vs Emacs" flamewar), and ed in turn has a "! command" to execute commands. So yes, even the patch fixing the "beep" exploit can be exploited in turn and root the system too (... of any admin careless enough to run the build of the patched package on the bare system instead of inside some container and as a non-root user).
---
Back to beep itself:
- https://sigint.sh/#/holeybeep - a good source which analyzes how beep is exploitable (basically a signal handler called at the exact wrong time, while performing a switcharoo on the symlink target, between the console that gets opened on each beep and the target file that gets opened when the signal kills the audio)
- https://github.com/johnath/bee... upstream audio.
-
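The post above makes a practical point: if a build pipeline feeds third-party patches to patch(1), an ed-script "diff" can carry shell escapes. The following is an added example, not code from the beep project or from the linked thread, of a pre-check that refuses anything in ed-script format before patch ever sees it. The policy is an assumption (only unified or context diffs are accepted), and both sample patches are constructed. Any line beginning with "!" in a non-unified file is reported regardless of whether patch would have considered it text or command, because whether ed treats a line as text or as a command depends on ed's state at that moment, not on what patch believed when it read the file.

```python
"""Refuse patch files in ed-script format before they reach patch(1).

Added example, not code from the beep project or the linked thread.  Policy
assumed here: only unified or context diffs are acceptable; anything GNU
patch could hand to ed(1) is rejected, and any line beginning with "!" in
such a file is reported as a shell escape.
"""
import re

# An ed command line: one address or a range, then a, c, d, i or s.
# Examples (constructed): "1337a", "1,112d", "3,4s/x/y/".
ED_CMD = re.compile(r"^\d+(,\d+)?[acdis]\b")
# Unified hunk header ("@@ ") or context-diff hunk separator (15 stars).
HUNK_HDR = re.compile(r"^(@@ |\*{15})")


def classify_patch(text: str) -> dict:
    """Summarise a patch: format guess, ed command lines, shell escapes.

    Line numbers are 1-based.  'safe' is True only for a unified/context
    diff; in those formats a leading "! " is the context-diff change marker,
    not a shell escape, so it is not counted.
    """
    lines = text.splitlines()
    has_hunk = any(HUNK_HDR.match(line) for line in lines)
    ed_cmds = [n for n, line in enumerate(lines, 1) if ED_CMD.match(line)]

    if has_hunk and not ed_cmds:
        fmt = "unified/context"
        escapes = []
    else:
        fmt = "ed" if ed_cmds else "unknown"
        escapes = [n for n, line in enumerate(lines, 1) if line.startswith("!")]

    return {
        "format": fmt,
        "ed_commands": ed_cmds,
        "shell_escapes": escapes,
        "safe": fmt == "unified/context",
    }


# Constructed sample: an ed-style "patch" whose last line is a shell escape.
SAMPLE_ED_PATCH = """\
--- /dev/null\t2018-01-01 00:00:00.000000000 +0000
+++ b/hello.c\t2018-01-01 00:00:01.000000000 +0000
3a
int unused;
.
1,2d
!touch /tmp/pwned
"""

# Constructed sample: an ordinary unified diff that should pass.
SAMPLE_UNIFIED = """\
--- a/hello.c
+++ b/hello.c
@@ -1,2 +1,3 @@
 int main(void) {
+    return 0;
 }
"""

if __name__ == "__main__":
    for name, sample in (("ed", SAMPLE_ED_PATCH), ("unified", SAMPLE_UNIFIED)):
        r = classify_patch(sample)
        verdict = "OK" if r["safe"] else "REFUSE"
        print(f"{name:8s} format={r['format']:16s} escapes={r['shell_escapes']} {verdict}")
```

Run it over every patch file before the build script calls patch; the check does not depend on which patch version is installed, which is the point when the build host is the thing being protected.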
Re:Yet another Accellion file appliance hack
Holy shit, you weren't kidding. Quoting selected bugs:
- The appliance ships with UDP port 8812 allowed through the firewall. The port correlates to an internal service that routes messages between backend processes. To authenticate access to this service, all messages must be encrypted with a secret key [...] These two default keys are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF.
- One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent
- The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. The "soggycat" user account [...] also has two SSH keys configured for passwordless login. These keys were generated over eight years ago.
- All internal services communicate through UDP services bound to the 0.0.0.0 address. This exposes the internal workings of the appliance to an attacker with network access to the system. For example, a local user account without administrative rights would still be able to escalate privileges by communicating with these internal services.
- The rsync daemon allows read/write access to the "soggycat" home directory. Since this user account is root-equivalent, any attacker that can talk to the rsync daemon can take full control of the appliance.
This is amateur hour, though still better than what runs our power grid and water treatment plants.
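The second bug quoted above, a system command built from unsanitized caller-supplied arguments, is a generic class, and the fix is always the same: validate against an allowlist and execute without a shell. The following is an added example of the bug class and its hardened form; it is not Accellion code and assumes nothing about their message format. The "report name" parameter, the allowlist and the stand-in program are constructed.

```python
"""Vulnerable vs. hardened handling of a caller-supplied argument that ends
up in a system command.

Generic illustration of the bug class quoted above; added example, not
Accellion code.  The report-name parameter and the allowlist are assumed.
"""
import re
import shlex
import subprocess
import sys

# Allowlist: what a report name is permitted to look like (assumed policy).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
SEPARATORS = {";", "&", "&&", "|", "||"}


def vulnerable_command_line(report: str) -> str:
    """The anti-pattern: untrusted input interpolated into a shell string.
    Returned rather than executed, so the demonstration stays harmless."""
    return f"cat /var/reports/{report}"


def quoted_command_line(report: str) -> str:
    """If a shell is unavoidable, quote the argument as one word."""
    return f"cat /var/reports/{shlex.quote(report)}"


def shell_tokens(cmdline: str) -> list:
    """Tokenise the way a POSIX shell would, keeping ; | & as their own
    tokens, to show where an injected command would begin."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def injected_commands(report: str) -> list:
    """Names of the extra commands a shell would run for this input."""
    toks = shell_tokens(vulnerable_command_line(report))
    return [toks[i + 1] for i, t in enumerate(toks[:-1]) if t in SEPARATORS]


def is_accepted(report: str) -> bool:
    """Allowlist check: reject anything that is not a plain file name."""
    return SAFE_NAME.match(report) is not None


def hardened_run(report: str) -> str:
    """Validate, then exec without a shell: argv elements reach the program
    verbatim, so metacharacters are just bytes inside one argument."""
    if not is_accepted(report):
        raise ValueError(f"rejected report name: {report!r}")
    # Stand-in for the real program: echoes its single argument back.
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", report],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    bad = "q1; id"
    print("shell would run:", shell_tokens(vulnerable_command_line(bad)))
    print("injected       :", injected_commands(bad))
    print("quoted         :", shell_tokens(quoted_command_line(bad)))
    print("hardened       :", hardened_run("q1.txt"))
```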
-
MITRE CVE is not everything
They probably shut down because MITRE's CVE database is pretty much regarded as the canonical database for all vulnerabilities, open and proprietary. I've not seen a security advisory that didn't have a CVE number for a long time. I don't remember ever seeing one with a reference to OSVDB.
MITRE itself has a list of things it thinks deserve CVE IDs; see https://cve.mitre.org/cve/data_sources_product_coverage.html for details. Things outside of this list may not ever receive a CVE ID, even if they are valid vulnerabilities.
The takeaway is that lots of products have vulnerabilities but never receive CVEs or are included in the CVE dictionary. This is why alternates like OSVDB popped up, and why alternate vulnerability ID systems popped up recently (see DWF as a primary example).
It's a shame to lose something like OSVDB, as there really isn't a good canonical source of ALL vulnerabilities. MITRE's CVE works for vulnerabilities in big name products, but it is nowhere near inclusive of all vulnerabilities reported. Of course, OSVDB hasn't been updated recently either, so there's a big gap in even knowing what's out there. Maybe projects like DWF will help us move in that direction.
-
Re:Oh well
I'm not sure that Asus is a great choice anymore either. I copied this from a Full Disclosure release:
# Exploit Title: ASUS RT-N56U Persistent XSS
# Date: 2/2/2016
# Exploit Author: @GraphX
# Vendor Homepage: http://asus.com/
# Version: 3.0.0.4.374_2391
Description:
It is possible for an authenticated attacker to bypass input sanitation in the username input field of the Server Center page. An interception proxy is not required with the use of the developer console and changing the field value of the username after the third verification task is complete, and before the password sanitation begins in the modify_account.asp file.
Alternatively, an attacker can bypass client side sanitation altogether by submitting a valid option and then changing the parameters in an interception proxy.
There is a small amount of server-side sanitation, but this is easily circumvented by making sure (in this example) the field value ends up looking like this. user"> Keeping the src parameter as far to the right as possible appears to circumvent any server-side sanitation attempts.
Proof of Concept
1) Login to router
2) Navigate to:
http://aidisk/modify_account.asp?account=user&new_account=user&new_password=123&confirm_password=1233
Solution:
Don't buy ASUS Routers.
**********NOTE******************
Other router models are likely affected by this vulnerability as they appear to share the same or similar firmware (example: RT-N66U).
I have been unable to confirm this theory as the vendor is unresponsive.
http://seclists.org/fulldisclo...
-
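The advisory above turns on two things: client-side sanitation is irrelevant because the server receives whatever devtools or a proxy sent, and a little server-side stripping is bypassed by a value that closes the attribute with `">`. The following is an added example, not ASUS firmware code, of the server side done properly: an allowlist on input and encoding on output. The template, the username policy, the payload and the modify_account.asp stand-in are constructed.

```python
"""Server-side handling of the account-name parameter from the advisory above.

Added example, not ASUS firmware code.  Shows why client-side sanitation
does not matter (the server sees whatever was actually sent) and what the
fix is: allowlist the input, encode on output.  Template, policy and
payload are constructed.
"""
import html
import re
from urllib.parse import parse_qs, quote

# How the page might reflect the name back into an attribute (constructed).
FIELD_TEMPLATE = '<input type="text" name="account" value="{value}">'

# Assumed policy for what a username may contain.
USERNAME_OK = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def render_unsafe(username: str) -> str:
    """Reflects the raw value: a quote in the input closes the attribute."""
    return FIELD_TEMPLATE.format(value=username)


def render_safe(username: str) -> str:
    """Encodes for an HTML attribute context: " < > & become entities."""
    return FIELD_TEMPLATE.format(value=html.escape(username, quote=True))


def breaks_attribute(username: str) -> bool:
    """True if the raw value would terminate the value="..." attribute."""
    return any(c in username for c in '"<>')


def handle_modify_account(query_string: str) -> tuple:
    """Minimal stand-in for modify_account.asp: returns (status, body).

    Rejects anything outside the allowlist instead of stripping 'dangerous'
    substrings, which is the approach the advisory says gets bypassed.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    new_account = params.get("new_account", [""])[0]
    if not USERNAME_OK.match(new_account):
        return 400, "invalid account name"
    if params.get("new_password") != params.get("confirm_password"):
        return 400, "passwords do not match"
    return 200, render_safe(new_account)


# Constructed payload in the spirit of the advisory's `user">` prefix.
PAYLOAD = 'user"><svg onload=alert(1)>'
PAYLOAD_QS = ("account=user&new_account=" + quote(PAYLOAD)
              + "&new_password=123&confirm_password=123")

if __name__ == "__main__":
    print("unsafe :", render_unsafe(PAYLOAD))
    print("safe   :", render_safe(PAYLOAD))
    print("server :", handle_modify_account(PAYLOAD_QS))
```

Note that the allowlist alone is not the defence: `render_safe` still encodes, so a later change that widens the policy (say, to allow an apostrophe) does not reopen the hole.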
Routers alone = shit (here's proof #5/15)
http://phys.org/news/2014-03-w...
http://seclists.org/cert/2012/...
http://securityevaluators.com/...
http://securityevaluators.com/...
http://slashdot.org/submission...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://tech.slashdot.org/story...
http://soylentnews.org/article...
http://secunia.com/advisories/...
http://secunia.com/advisories/...
http://secunia.com/advisories/...
APK
P.S.=> So much for your faith in routers alone stupid (225 in total, 15 posts with 15 items each)... apk
-
Re:What good is overcomplicated law?
Since you are the one making the claim that all these oppressive laws are out there, why don't you provide an example of a law that an ordinary citizen risks getting arrested for without knowing such a law existed?
I'm not the parent poster, nor am I making the same claim he/she did in that laws are just to oppress people (I agree some laws have been used for this, but they do seem the exception and not the rule)
I only wanted to address one part of your reply separately, specifically "provide an example of a law that an ordinary citizen risks getting arrested for without knowing such a law existed?"
Now I must first point out that the chances of being actually arrested or even prosecuted in the following examples is pretty low, rare even (again, the exception more than the rule) but in each example it has happened at least once (once too many IMHO, for what little that's worth)
But there are plenty of laws people break all the time without even knowing it, and if the right person/people pressed the issue legally, you would be successfully prosecuted for breaking them (facts are facts after all.)
Some allow for arrest and jail time, if a judge so wished to do so.
One good technical example fit for slashdot - do you own a smartphone? Do you ever enable wifi?
If so chances are very good you have broken the law repetitively every day. When the phone passes near an open unsecured AP, the phone by default will try to connect to it.
Perhaps just to read the MAC for location services, perhaps to use for data over the slower and more expensive cellular connection.
Either way if you haven't obtained the explicit permission from the AP's owner to do this, you have violated the Computer Fraud and Abuse Act for "gaining unauthorized access to a computer, network, or a website"
This is a 3rd degree felony, up to 2 years in prison, and up to $10000 in fines.
http://www.msnbc.msn.com/id/84...
http://arstechnica.com/tech-po...
http://seclists.org/isn/2006/M...
I notice your slashdot handle is "bws111". Does that happen to be the initials of your real name? Well even so the extra numbers bring you back against the Computer Fraud and Abuse Act for "using a false name during an online registration process"
http://www.wired.com/2009/07/d...
Ever use sarcasm a lot like I do? Most of my slashdot posts use a ton of it, and in many US states that is a crime.
Disorderly Conduct laws frequently make it a crime to write anything that disturbs another person, and worse some states don't even require publishing that writing to the public, nor exclude fiction, for it to be a crime. Illinois has such a law with a max $1500 fine and 30 days in jail.
Oklahoma has such laws where if your fictional writing describes a person being injured or killed, you can be arrested for "planning to cause serious bodily harm" with up to 10 years in prison.
Chicago has such laws and has actually acted on them. Note all for "disorderly conduct":
http://www.wired.com/2007/04/t...
http://www.wired.com/politics/...
In California (and I believe other states) anti-graffiti laws state it is a criminal offence to have a permanent marker in public.
It is illegal simply to possess "broad-tipped indelible markers" or "aerosol cans" in a public place (such as when leaving the store you just purchased your new marker from) because they can be used to commit acts of vandalism.
-
Re:Security as a trade-off
OTOH, OpenBSD's kernel is about 10X the size of Xen (where the BSD mantra of 'correctness' has a much tighter focus). As isolation mechanisms go, I trust Xen before any monolithic kernel. The upshot is that Xen also gives me the rich features (incl. drivers) of Linux and Windows.
Awwwww, you are so cute. You trust Xen more than kernel xyz? Really?
First of all, please read this.
Then take a look at this.
There are, let's see... right now, 35 CVEs assigned to the Xen project, in 2015 alone? 40 CVEs in 2014?
Compare and contrast with the number of CVEs published for OpenBSD. And the number of patches available for the latest version (5.8) of OpenBSD. Here is a hint: 99% of these patches do not imply your machine is going to be ''owned'' by someone exploiting the bugs found. Yes, even the OpenSMTPD patches are pretty mild.
You can keep your Qubes OS, thank you very much, I'll stick to OpenBSD, despite all its defaults and warts.
Words of wisdom to meditate:
You've been smoking something really mind altering, and I think you should share it.
x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.
You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.
(Source.)
Say what you will of this guy, he has got a point. Virtualization is great, but not for security. Period.
-
Glad I use 5.20 then... apk
See subject: This is 1 time I'm GLAD I didn't upgrade! I.E.-> From the vulnerability report here http://seclists.org/fulldisclo... it appears that earlier models are NOT AFFECTED by this...
See, I personally consider WinRAR to be the BEST archiver overall for years now - I haven't HAD a GOOD SOLID REASON to try others as I have a license to it.
E.G.-> I used to consider WinZip that since it has a "perfect fit" for "Form fits function" in its GUI design (both do really for what they do).
However - WinRAR almost consistently does better in memory usage from tests I've seen & done myself, compressing the SAME datasets into it of many kinds, + WinRAR does more formats "natively" (minus having to "shell out" to an external program to do compression for a particular format).
WinRAR "took me away" from WinZip about, oh... 11 yrs. ago or more.
Any of you guys?
FEEL FREE to "Turn me on" to OTHER archivers & their value vs. what I just said, OR point me to tests that would "turn me away" from what I consider one of the BEST programs there is in the shareware/freeware realm.
APK
P.S.=> For once, an update would've turned into a "downdate" for me from this ware
-
Changes from the original submission
The edits made by Slashdot editors on my original submission (that can be read here) are very telling. Fyodor isn't warning that he doesn't control the Sourceforge nmap mirror, he is accusing them of hijacking his Sourceforge nmap account, removing the content and creating a mirror that he doesn't control.
The original title was "Sourceforge Hijacks the Nmap Sourceforge Account" and it was the same title Fyodor used on his post to the mailing list. Losing the original Sourceforge nmap account (created by nmap developers themselves) is not the same news as him not controlling the "nmap SourceForge Mirror". The same expression was also changed in the submission body.
Two other important parts from the original submission removed by the editor:
1. The statement by SourceForge themselves that (emphasis mine):
At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers.
2. The reference by Fyodor that even if Sourceforge still isn't bundling anything on nmap, the page is designed to mislead the users with fake download buttons:
"So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) (...)"
Below I repost the original submission so you can compare:
Sourceforge Hijacks the Nmap Sourceforge Account
Gordon Lyon (better known as Fyodor, author of nmap and maintainer of the internet security resource sites insecure.org, nmap.org, seclists.org, and sectools.org) warns on the nmap development mailing list that the Sourceforge Nmap account was hijacked from him.
According to him the old Nmap project page (located at http://sourceforge.net/project..., screenshot) was changed to a blank page and its contents were moved to a new page (http://sourceforge.net/projects/nmap.mirror/, screenshot) which is controlled by sf-editor1 and sf-editor3, in a pattern mirroring the much-discussed takeover of the GIMP-Win page discussed last week on Ars Technica, IT World and eventually this week Slashdot.
That happens after Sourceforge promised to stop "presenting third party offers for unmaintained SourceForge projects. At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers."
To their credit, Fyodor states that "So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) and we haven't caught them trojaning Nmap the way they did with GIMP" but reiterates "that you should only download Nmap from our official SSL Nmap site: https://nmap.org/download.html"
-
Sourceforge Hijacks the Nmap Sourceforge Account
Because /. editors seem to have inconvenient holidays I'll just spam this topic with the behaviour of their mother company. From http://seclists.org/nmap-dev/2...:
From: Fyodor
Date: Wed, 3 Jun 2015 00:56:23 -0700
Hi Folks! You may have already read the recent news about Sourceforge.net hijacking the GIMP project account to distribute adware/malware. Previously GIMP used this Sourceforge account to distribute their Windows installer, but they quit after Sourceforge started tricking users with fake download buttons which lead to malware rather than GIMP. Then Sourceforge took over GIMP's account and began distributing a trojan installer which tries to trick users into installing various malware and adware before actually installing GIMP. Of course this goes directly against Sourceforge CEO Michael Schumacher's promise less than two years ago:
"we want to reassure you that we will NEVER bundle offers with any project without the developers consent"
--http://sourceforge.net/blog/advertising-bundling-community-and-criticism/
So much for that promise! Anyway, the bad news is that Sourceforge has also hijacked the Nmap account from me. The old Nmap project page is now blank:
http://sourceforge.net/project...
Meanwhile they have moved all the Nmap content to their new page which only they control:
http://sourceforge.net/project...
You can see at the top that the owners of the Nmap page are now 'sf-editor1', and 'sf-editor3'. You can click on those to see other projects they have hijacked.
So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) and we haven't caught them trojaning Nmap the way they did with GIMP. But we certainly don't trust them one bit! Sourceforge is pulling the same scheme that CNet Download.com tried back when they started circling the drain:
http://insecure.org/news/downl...
We will ask Sourceforge to remove the hijacked Nmap page, but more importantly we want to reiterate that you should only download Nmap from our official SSL Nmap site:
https://nmap.org/download.html
If you don't trust SSL by itself (and we don't blame you), you can also check the GPG signatures: https://nmap.org/book/install....
Cheers,
Fyodor
PS: Ars Technica has a good article about the Sourceforge/GIMP fiasco:
http://arstechnica.com/?p=6734...
PPS: Sourceforge now claims they will stop trojaning software without the developer's permission, but they've broken that exact promise before.
-
Serious IE 11 Vulnerability is left out
Apparently the update left out a serious universal XSS vulnerability in IE11 unpatched. Source
Vulnerability Full Disclosure - 31 Jan 2015
-
Re:It is a valid strategy
If you look at one of the shouty places you will see that there are a few 'information wants to be free!' fanatics who advise publicizing everything, a few 'me first' types who advise selling vulnerabilities to the highest bidder, and many 'responsible disclosure' types who advise an anonymous and detailed bug report with a (also anonymous) callback method and a request to know how the patch is coming. Even the responsible types will mention that if bug-finders are ignored or threatened (it happens) or if the patching process is taking so long as to be indistinguishable from being ignored, then it is time to publish the details of the vulnerability through whatever channel seems wisest at the time.
-
Forget Apple engineers, use NetBSD's patch
The smartest thing to do right now is to not expose a buggy 25-year-old parser to any random person on the internet. Just disable function importing from the environment by default and put it behind a flag.
Here is a BSD-licensed patch for it: http://seclists.org/oss-sec/20...
You're welcome.
-
And a follow-up related unfixed bug in bash
I'm sorry, I've meant to link to http://seclists.org/oss-sec/20... (you may want to walk the thread up a bit) and https://bugzilla.redhat.com/sh...
-
Android IMSI-Catcher Detector (AIMSICD)
Looks like Apple has built in detection from iOS 5 (though being Apple it might well have an off switch for legal intercept type applications):
http://9to5mac.com/2011/06/07/...
And it looks like some developers have gotten together to do something for Android with a project called Android IMSI-Catcher Detector (AIMSICD)
https://secupwn.github.io/Andr...
http://seclists.org/fulldisclo...
Has anyone tried this?
-
"Unexploitable" sudo bug pre-1.6.3p6
Reminds me of this overflow bug which was fixed in sudo 1.6.3p6. It writes a single NUL byte past the end of a buffer, calls syslog(), and then restores the original overwritten byte. Seems unexploitable, right?
Wrong. Here's the detailed writeup of the exploit. It requires some jiggering with the parameters to get the exploit to work on a particular system, but you don't need a local root exploit to work every time, you just need it to work once and you own the system.
-
Re:Is SELinux vulnerable?
I know that Linux should be the only alternative to Windows/OSX at this point
What's wrong with BSD?
Of course, there's always this issue which I haven't seen mentioned recently. The fact that nothing similar has come forward on Linux is concerning to me....
-
Where random number gen "flaws" come from.
There are a surprisingly large number of public key generators with weak random number generators:
- "Debian OpenSSL Package Random Number Generator Weakness"
- "Flaw Found in an Online Encryption Method"
- "NetBSD Intel Hardware Random Number Generator (RNG) Failure Encryption Weakness "
- "PasswordSafe 3.0 weak random number generator allows key recovery attack"
And those are the ones we know about.
For open source systems, the person or persons who inserted the weak code should be identified and kicked off the project. It may just be incompetence, but that's a good reason to keep them out of security-critical areas.
Weak keys don't just let the NSA in. They let the People's Liberation Army of China in, too.
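The common symptom of the weak-RNG key generators listed above is that two independently generated RSA moduli end up sharing a prime, which a GCD over the key corpus exposes at once. The following is an added example, not code from any of those advisories, of the product-tree batch GCD used for that check, with a pairwise reference version beside it; the "keys" are tiny constructed products of small primes so the arithmetic is visible.

```python
"""Find RSA moduli that share a prime factor, the symptom of a weak RNG in
key generation.

Added example; not code from any advisory listed above.  The moduli are
tiny constructed values; the algorithm is the usual product-tree batch GCD,
which is what makes the check feasible over millions of real keys.
"""
from math import gcd


def pairwise_shared_factors(moduli):
    """O(n^2) reference: every (i, j, g) with g = gcd(N_i, N_j) > 1."""
    hits = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if g > 1:
                hits.append((i, j, g))
    return hits


def product_tree(leaves):
    """Levels of pairwise products, leaves first, single root last."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        prev = tree[-1]
        tree.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                     for i in range(0, len(prev), 2)])
    return tree


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, prod_{j != i} N_j) in quasi-linear time.

    Descend the product tree with remainders: at each leaf we hold
    P mod N_i^2, and (P mod N_i^2) / N_i  ==  P / N_i  (mod N_i).
    """
    if not moduli:
        return []
    tree = product_tree(moduli)
    rems = [tree[-1][0]]                      # P itself at the root
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def recover_factors(moduli):
    """Map index -> (p, q) for every modulus batch_gcd exposes.

    If g == N the modulus shares both primes with other keys; batch GCD
    cannot split it on its own, so fall back to pairwise gcd for that one.
    """
    out = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if 1 < g < n:
            out[i] = (min(g, n // g), max(g, n // g))
        elif g == n:
            for j, m in enumerate(moduli):
                h = gcd(n, m) if j != i else 1
                if 1 < h < n:
                    out[i] = (min(h, n // h), max(h, n // h))
                    break
    return out


# Constructed "keys": small primes, with 1013 reused by two generators.
P, Q, R, S, T, U, V = 1009, 1013, 1019, 1021, 1031, 1033, 1039
MODULI = [P * Q, Q * R, S * T, U * V]

if __name__ == "__main__":
    print("batch gcd :", batch_gcd(MODULI))
    print("pairwise  :", pairwise_shared_factors(MODULI))
    print("factored  :", recover_factors(MODULI))
```

The pairwise loop is there only to cross-check the tree version on small input; for a real corpus only `batch_gcd` is practical, and a result equal to the modulus itself (every factor shared) is the edge case `recover_factors` handles separately.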
-
Re:Encryption:
The weakest links are not the cypher's strength or the key length. They are (a) the key management (b) the incredibly complex and demonstrably vulnerable hardware and software entrusted with reading, writing, modifying, and sharing the plaintext (c) the difficulty even highly trained professionals face when ensuring a given system is secure, and (d) the vulnerability of the human element to social engineering attacks. There has never existed a system connected to the Internet that has not suffered significant compromise. In other words, the only defensive measure with a proven track record against online attacks is the air gap. This is illustrated colourfully e.g. in the Bugtraq and Full Disclosure mailing list archives. While making the crypto better would increase the strength of one of the stronger links; it won't do anything for the strength of the whole chain.
-
NMAP didn't get EPIC FAIL!
"Hacking9 Magazine" got Epic Fail award, for an article called: "Nmap: The Internet Considered Harmful - DARPA Inference Cheking Kludge Scanning"
It was a spoof paper, written to expose the CRAP editorial policy at Hacking9.
They were PWN3D by a whitepaper...
http://seclists.org/nmap-dev/2012/q3/1050
"They clearly chose that title so just so they could refer to it as DICKS throughout the paper. There is even an ASCII penis in the "sample output" section, but apparently none of this raised any flags from Hakin9's "review board"."
-
Re:You morons
pertinent link http://seclists.org/nmap-dev/2012/q3/1050
-
Nmap didn't fail, Hakin9 did
Hakin9 is a magazine that's not exactly too reputable.
It looks like someone took a paper "written" using SciGen and submitted it to them. Because they didn't read the paper at all, they didn't notice it was absolute bullshit courtesy of finest context-free grammars people could code.
Brilliant work - not only is SciGen great for busting less than reputable scientific publications that don't exactly value this "peer review" thing, but now it has busted security magazines too.
-
Re:Whats the purpose of this
don't mods or plugins already get to pretty much do whatever they want? that is, I wasn't under the impression that they're in some security sandbox.
At least in Morrowind and Oblivion, mods are "sandboxed" in the sense that they do not contain any native code, and use a scripting language that only gives them access to game state, not permission to open files, etc.
So though I doubt we'll see a deluge of trojan Morrowind mods, it's a "real" exploit in the sense that mods can do more than was intended.
I'm sure you could find any number of buffer overflows if you looked, too. The security awareness in the industry is abysmal, all the way from the drivers to even simple game launchers.
-
Some more details
Some details that people have been able to find so far.
1) The guy claimed to have hacked ColdFusion using some 0-day exploit. He could have just been going off this recent Adobe bulletin. But this bulletin was before the Linode announcement, so who knows. http://www.adobe.com/support/security/bulletins/apsb13-10.html
This hotfix resolves a vulnerability that could be exploited to impersonate an authenticated user (CVE-2013-1387).
This hotfix resolves a vulnerability that could be exploited by an unauthorized user to gain access to the ColdFusion administrator console (CVE-2013-1388).
2) One of the files in the directory list that has a unique name is actually accessible on linode.com: http://www.linode.com/y_key_57284cb2de704e02.html
3) Looks like seclists (nmap people) were targeted by this hack: http://seclists.org/nmap-dev/2013/q2/3
4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.
-
This guy at seclists.org nailed it
Michael Sinatra over at seclists.org had the following to say:
This should be a lesson to all of us, since EDUCAUSE is definitely not alone here: We all do regular, legitimate business in ways that is sometimes indistinguishable from phishing, at least to regular users. That needs to stop. Email marketers and analytics junkies will not like to hear this, but we need to put an end to embedded email links that are redirected through other systems. IMO, we should put an end to *all* legitimate links in emails; instead have a business portal with all of the links to surveys, training sites, etc., and have notification emails for when new things appear on the portal. In addition, we could modify our SSO sites so that they alert users when they need to take care of something that we would normally use email for which to notify the user. Once that's done, we can assure users that we will NEVER ask them to click on a link in an email, just like we currently remind them that we never ask them for passwords.
If that is "too hard" and/or the analytics stuff is "too valuable" then we need to simply accept the risk that our users will get caught in phishing attacks. The bad guys have figured out that it is very easy to mimic our business practices, and they have gotten very good at doing it. Unless we change those practices, they will find us to be easy pickings.
-
Re:August 2012 to January 2013
A vuln that apparently was first reported in August 2012 is finally fixed (maybe) in January 2013.
Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?
Because they need this guy in charge.
-
August 2012 to January 2013
A vuln that apparently was first reported in August 2012 is finally fixed (maybe) in January 2013.
Why can't the larger companies, e.g. Microsoft and Oracle, respond to and fix the security issues more quickly than on a timeline expressed in months?
-
NVIDIA privilege escalation exploit
The article says it enables an attacker to install a user on the target system, completely bypassing Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections
I'm wondering if such a pipe system is used (or such a service is enabled) on the NVIDIA binary driver blob for the Linux kernel. Could that be another possible attack vector, or is that not possible with this?
It basically abuses the fact that the
NVIDIA for unix/Linux had another vulnerability earlier this year pointed out in the article and also at Nvidia's own customer web site http://nvidia.custhelp.com/app/answers/detail/a_id/3140, which showed that using VGA access to RAM allows indiscriminate access to RAM and possible escalation of user privileges with this memory access. Here's the comment from Dave Airlie at the email archive on seclists.org: the /dev/nvidia0 device accepts changes to the VGA window and moves the window around until it can read/write to somewhere useful in physical RAM, then it just does a priv escalation by writing directly to kernel memory.
Notice how with binary blobs end-users are screwed and dependent upon the provider of the blob to fix things. Nvidia didn't do anything until after public disclosure of the bug, even though they were notified of the exploit more than three months earlier.
-
Re:hacked?
No. But here's a more direct explanation posted by Donenfeld: http://seclists.org/fulldisclosure/2012/Dec/242
-
Re:Researchers use responsible disclosure
If Oracle doesn't have someone reading FullDisclosure every day, including the weekends, you deserve to be embarrassed and shamed by your customers. Hint: someone from the MariaDB team was adding to the discussion already by Sunday.
-
Why should I trust you?
It seems you have a habit of making underlying security changes to apt-key net-update that make it easy for adversaries to own Ubuntu machines through redirection attacks and forged keys:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013681
This talk goes back to last year.
http://seclists.org/fulldisclosure/2011/Sep/221
I cannot remember the corresponding bug report, but it disappeared (as well as an article on Slashdot last year about it, if anyone remembers).
Yet, when Microsoft has forged certificates or gaping holes, it's a huge deal. I got out of Ubuntu on my systems and servers after this stuff started appearing, and apparently, the core security of Ubuntu is flawed.
Why should I trust your distro on my systems when Debian, on which Ubuntu is based, doesn't suffer from these vulnerabilities?
-
Re:Infection method?
Looks like an infected kernel module so one of the below:
1) server was cracked, and module compiled
2) compromised kernel mod in distro
More likely #1, but probably too early to tell. Grepping kernel sources for some of the text in the module_init binary may be fun:
http://seclists.org/fulldisclosure/2012/Nov/94
-
Re:Security through obscurity FAIL
Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.
According to TFA, it appears to target one specific kernel (Debian-based), and tries to do some hokey-pokey with RAM to get itself executed. If you want a better description go to the original report
TFA gives some details, however:
The kernel module in question has been compiled for a kernel with the version string 2.6.32-5. The -5 suffix is indicative of a distribution-specific kernel release. Indeed, a quick Google search reveals that the latest Debian squeeze kernel has the version number 2.6.32-5.
The module furthermore exports symbol names for all functions and global variables found in the module, apparently not declaring any private symbol as static in the sources. In consequence, some dead code is left within the module: the linker can't determine whether any other kernel module might want to access any of those dead-but-public functions, and subsequently it can't remove them.
...doesn't say exactly how, but there is one thing that is entirely left out of the equation... if it's a drive-by download, does it definitely require user involvement, or not? According to the original report, the complaints were that the customers were being redirected to a malicious site, but nothing about a trojan being involved.
-
Whonix? A New Tor Distro
Devs cook up 'leakproof' all-Tor untrackable platform Whonix? You'll never find out, The Man
By John Leyden | 11.13.2012
http://www.theregister.co.uk/2012/11/13/whonix/
http://sourceforge.net/p/whonix/wiki/Home
"Developers are brewing an anonymous general purpose computing platform, dubbed Whonix.
Whonix is designed to ensure that applications (such as Flash and Java etc) can only connect through Tor. The design goal, at least, is that direct connections (leaks) ought to be impossible. "This is the only way we know of that can reliably protect your anonymity from client application vulnerabilities and IP/DNS and protocol leaks," the developers explain.
The main goal is to prevent the determination of users' IP address and location. Not even malware that has buried deep into machines can access IP address information. In this way, Whonix aims to be safer than Tor anonymity software alone.
Whonix can be used in conjunction with VPN technology - routing networks through isolated remote computer networks - for even greater security.
The technology is better described as design approach or platform than as an operating system. In one example, the implementation of anonymity is provided around Tor on two virtual machines using VirtualBox and Debian GNU/Linux. Whonix can be installed on every computer capable of running Virtual Box (virtualisation software), so it supports Windows, OS X, Linux, BSD and Solaris. Running the technology on physically separate machines (a Whonix gateway and a Whonix workstation) would also work, and might provide greater security, say the devs.
The technology is currently only at an Alpha stage of early development, making it suitable for use only for the computing equivalent of test pilots.
In a post to a full disclosure mailing list last week, the main developer behind the project explains its goal and requests help from other members of the development community.
More details on the emerging computing platform can be found in a development Wiki here. The developers are pretty open about the tradeoff in using their technology (more complex set-up, potentially slower) as well as the anonymity advantages of their approach.
Paul Ducklin, head of technology in Asia Pacific for Sophos, said the approach followed by Whonix is different from the Live CDs associated with more traditional anonymity systems. This brings advantages as well as some drawbacks.
"Whonix is different from most existing 'all-in-one anonymity' systems inasmuch as the lead developer decided not to stick to the idea of a Live CD but to go with a set of virtual machines that don't need to fit on a CD or to boot from one," Ducklin explained.
"This allows much greater functionality and easier security updating."
The main disadvantage is that Whonix is more complex than comparable systems.
"The safety and security of your Whonix environment is dependent on the safety and security of your host OS, of the virtualisation software and of its configuration," Ducklin told El Reg. "The anonymity system then becomes, at worst, no more secure than the host itself. So you just took one problem (guest anonymity) and made it two problems (guest anonymity and host security).
"Whonix's size also makes its internal surface area larger than is strictly necessary. That in turn brings its own risks."
Ducklin added that there are many "tricks and traps of anonymity online", many covered by the Whonix developer. He added that users would be well advised to review these before placing their faith in Whonix (or any other approach) to shield their identity online."
-
Re:Brilliant references!
Also be sure to check out the brilliant paper recently published by Hakin9 in their issue on Nmap.
The authors detail the working of their DARPA Inference Cheking Kludge Scanner (DICKS), and cite such prominent references as
Z. Sun, "Towards the synthesis of vacuum tubes," Journal of Concurrent, Extensible Technology, vol. 84, pp. 1-19, Feb. 2005.
C. Hoare, J. Wilkinson, and D. Ritchie, "Contrasting Scheme and Internet QoS using SluicyMash," Journal of Flexible, Omniscient Epistemologies, vol. 20, pp. 154-194, Feb. 2000
Some excerpts:
"Obviously, event-driven modalities and web browsers are based entirely on the assumption that extreme programming and digital-to-analog converters are not in conflict with the deployment of massive multiplayer online role-playing games."
"We show our method's real-time evaluation in Figure 1. We consider a framework consisting of n flip-flop gates. Such a claim might seem counter intuitive but is derived from known results. Next, NMAP does not require such a theoretical emulation to run correctly, but it doesn't hurt. This seems to hold in most cases. We use our previously enabled results as a basis for all of these assumptions. This seems to hold in most cases."
"Figure 1.3: The 10th-percentile latency of NMAP, as a function of popularity of IPv7"
-
Re:The evil JS:
So that was the untested code from http://seclists.org/fulldisclosure/2012/Jul/375 which apparently should launch Calculator.
-
The post:
Because it's missing from the summary and also the linked article, here's the initial report: http://seclists.org/fulldisclosure/2012/Jul/375
-
Re:Bugtraq and Full Disclosure
Agreed. Bugtraq is an excellent list, probably a must-have. Security Basics might also be a good one for you to be on.
You can join both at http://seclists.org/
Mike
-
home infosec
I get my security information from a few different places.
First off, I like to monitor two RSS feeds in particular. They are both seclists.org lists: Full Disclosure and Bugtraq.
I have used Trillian for my IM'ing needs for a while now and found a nifty addon called Good News to monitor all of those feeds. So I get a nice toast every 15 minutes or so with all the most recent entries to those lists.
Another place I like to monitor is some of the exploit sites out there, to see what's being publicly posted for the skids to download. One such site is exploit-db. A single Google search can yield a few more.
On top of that, I like to check up on the Twitter accounts of many of the high profile professionals from time to time.
If I find something in any of these places that pertains to my setup, I immediately take action. Sometimes that means taking services offline until a patch can be applied. What I have learned is that once you put a service out onto the public network from your own home IP, there is a new found respect for the security of your network. Keeping that in the back of my mind helps me stay proactive in my approach to the matter.
-
"...official MySQL binaries aren't vulnerable" http://seclists.org/oss-sec/2012/q2/493
Look out for that molehill! Yes, some versions are vulnerable, and everyone is having a hissy fit about this. I've tested every single copy of various versions of MySQL that I have running, and they are not vulnerable. And I'm running MySQL on Windows, Arch, RHEL, Ubuntu and CentOS.
-
Re:Could have told us what it is
Yes, it's exactly that. They assumed memcmp returned a value in the range -128..127 - so they've assumed a char was sufficient. And many implementations do indeed return that, but unfortunately not all.
http://seclists.org/oss-sec/2012/q2/493:
Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.
-
Re:holy motherfucking cheetah
They say you can get in by making 300 connection attempts, which can be done within a fraction of a second. Which is true.
They don't say that you have to do it within a fraction of a second.
The memcmp function has a 1/256 chance of returning the required value that makes it treat any password as the correct password - there's no link between the connection attempts, each time you try to connect you have the same 1/256 chance. You could space the attempts out over several minutes, hours or days if you wanted to - it'd just slow down the time it'd take you to get in (and make it more likely they've patched their systems before you get in).
Practically, this is slightly less newsworthy than it sounds. Yes the bug exists and yes it's serious, but whether you're actually affected also depends on which memcmp version you're using. The gcc builtin ones aren't affected, nor are the libc ones; the glibc one is. That means whether it's exploitable depends on how your server was compiled. And it appears that the official versions from mysql.com aren't affected, and testing my debian systems today neither are they (but they're nicely firewalled anyway, just in case). Source: http://seclists.org/oss-sec/2012/q2/493
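The two comments above describe the same mechanism: check_scramble() returned the int from memcmp() through a one-byte my_bool, so any nonzero result that is a multiple of 256 narrowed to 0 and the wrong password was accepted. Below is an added example in C that is not MySQL's source and not code from the oss-sec post; check_scramble_vuln, check_scramble_fixed, the two hash constants and the two memcmp stand-ins are constructed for illustration. clamped_memcmp models the "safe" -1/0/1 implementations, and wide_memcmp is a deliberately deterministic stand-in for an implementation that can return arbitrary integers (it is not glibc's SSE memcmp, which only lands on a multiple of 256 about 1 time in 256). The last two functions show where the 1/256 figure and the "300 attempts" figure come from.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20

/* MySQL's my_bool was a plain char; an int stored into it is narrowed
 * (modulo 256 on gcc/clang), so exactly the multiples of 256 become 0. */
typedef char my_bool;

/* Constructed 20-byte scramble values (stand-ins for hash_stage2 and its
 * recomputed counterpart) that differ only in the last byte. */
const unsigned char HASH_EXPECTED[SHA1_HASH_SIZE] = {
    0x5e,0xd3,0x1a,0x08,0x77,0xc2,0x90,0x1b,0x4f,0x6a,
    0x2d,0xee,0x31,0x9c,0x05,0xa8,0xb7,0x44,0x0f,0x63 };
const unsigned char HASH_WRONG[SHA1_HASH_SIZE] = {
    0x5e,0xd3,0x1a,0x08,0x77,0xc2,0x90,0x1b,0x4f,0x6a,
    0x2d,0xee,0x31,0x9c,0x05,0xa8,0xb7,0x44,0x0f,0x64 };

typedef int (*memcmp_fn)(const void *, const void *, size_t);

/* "Safe" memcmp: result clamped to -1/0/1, always inside -128..127. */
int clamped_memcmp(const void *a, const void *b, size_t n)
{
    int r = memcmp(a, b, n);
    return (r > 0) - (r < 0);
}

/* Stand-in for a memcmp whose nonzero result may be any int.  The first
 * byte difference is scaled by 256 so that every mismatch hits the bad
 * case deterministically (constructed; not glibc's code). */
int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i])
            return ((int)x[i] - (int)y[i]) * 256;
    return 0;
}

/* Vulnerable shape: the int flows straight into my_bool.
 * 0 means "password accepted". */
my_bool check_scramble_vuln(const unsigned char *expected,
                            const unsigned char *got, memcmp_fn cmp)
{
    return cmp(expected, got, SHA1_HASH_SIZE);
}

/* Fixed shape: collapse to 0/1 before the narrowing conversion. */
my_bool check_scramble_fixed(const unsigned char *expected,
                             const unsigned char *got, memcmp_fn cmp)
{
    return cmp(expected, got, SHA1_HASH_SIZE) != 0;
}

/* Count the nonzero ints in [lo, hi] that narrow to my_bool 0, i.e. the
 * mismatch results a vulnerable build would accept as a correct password. */
int false_accepts_in(int lo, int hi)
{
    int n = 0;
    for (int r = lo; r <= hi; r++)
        if (r != 0 && (my_bool)r == 0)
            n++;
    return n;
}

/* P(at least one of `attempts` independent 1/256 tries is accepted)
 * = 1 - (255/256)^attempts, computed without libm. */
double attack_success_probability(int attempts)
{
    double miss = 1.0;
    for (int i = 0; i < attempts; i++)
        miss *= 255.0 / 256.0;
    return 1.0 - miss;
}

int main(void)
{
    printf("clamped memcmp, wrong password: vuln=%d fixed=%d\n",
           check_scramble_vuln(HASH_EXPECTED, HASH_WRONG, clamped_memcmp),
           check_scramble_fixed(HASH_EXPECTED, HASH_WRONG, clamped_memcmp));
    printf("wide memcmp,    wrong password: vuln=%d fixed=%d\n",
           check_scramble_vuln(HASH_EXPECTED, HASH_WRONG, wide_memcmp),
           check_scramble_fixed(HASH_EXPECTED, HASH_WRONG, wide_memcmp));
    printf("nonzero results in 1..65536 accepted as a match: %d\n",
           false_accepts_in(1, 65536));
    printf("P(success) after 300 attempts: %.3f\n",
           attack_success_probability(300));
    return 0;
}
```

With wide_memcmp the vulnerable check returns 0 for the wrong password (accepted) while the fixed check returns 1; with clamped_memcmp both reject it. Over 1..65536 exactly 256 of the 65536 nonzero results narrow to 0, which is the 1/256 per-attempt rate, and 300 independent attempts give roughly a 69% chance of at least one acceptance, which is why that figure is quoted; spacing the attempts out changes nothing but the wall-clock time.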
-
Re:Define "enable?"
Today I switched my Netgear WNDR3800's Advanced/IPv6 setting to "Auto Config" (as opposed to "Auto Detect", which uses 6to4...ugh) and it (somewhat oddly) doesn't show a WAN IP but does show a LAN IP of 2601:9:yadda:yadda:yadda/64. Seems to actually work
It looks like picking "DHCP" also works...sort of. There's the important caveat that OS X apparently doesn't support DHCPv6. If I set my "Internet Connection type" to "DHCP", the laptop I'm typing on doesn't get an IPv6 address with the "LAN Setup" set to either choice, "Use DHCP Server" (unsurprising) or "Auto Config" (which maybe requires the upstream to be using "Auto Config" as well? that smells like a bug in my router's firmware rather than anything more fundamental). So WAN Auto Config / LAN Auto Config is the way to go for me, for now.
-
It's far easier than that. No guessing required.
4) brute force the password, knowing that only 3 bytes are unique to the device.
You don't have to guess. The password is computable from the MAC address using this short Perl program.
The factory password is, literally, "factory". It cannot be disabled and its password cannot be changed.
Someone should go to jail for this. It may fall under criminal negligence, sabotage, or even providing material aid to terrorists.