Domain: securiteam.com
Stories and comments across the archive that link to securiteam.com.
Comments · 134
-
Re:his worst argument...
On a UNIX box, if I'm signing on as me (non-admin type), then I can feel pretty good about general security
People keep saying this, but it totally ignores all of the escalation of privilege bugs that are floating around. See for example here for a recent example on OS X.
If an ordinary UNIX user can be tricked into running a program, that program can then look for one of the hundreds of common bugs that allow escalation of privilege, and then install itself as root. This can be prevented by keeping current on your patches, and being careful about your configurations, but then you can keep a Windows box relatively secure by the same process. The trouble is that it's a lot of work and seems to be beyond the resources of most casual users regardless of which OS they use. -
Re:How does an overflow work?
Buffer exploits tutorial
Have fun!
-
Link
Here's a link to the original article.
-
Re:This could go on for a while...
It's the first rumblings of Curious Yellow, I tell ya.
The end is near. So download Linux! -
Re:Root compromised?
Not only did they do backups, but they had someone locally run a ptrace exploit to elevate themselves to root. See Ptrace defined here.
RTFA!!!!
-
Re:Our system
-
Mcafee's calling it. W32/Lovsan.worm
-
Re:Why...
write your own buffer overflow exploit
-
Re:Bloated
I don't think they've quite finished with breaking it: http://www.securiteam.com/windowsntfocus/5WP0O1P9FA.html With something like 30-40% of m$ customers still running WinNT, is this responsible corporate citizenship? -
More elegant way to break a VM
Anybody remember the User Mode Linux VM escape exploit?
Seems more elegant than nuking your machine.
At DefCon X, Gobbles announced a similar vulnerability in vmware, though no exploit or advisory has been released so far. For anyone that assumes they're just fear mongering, they also announced the zero day apache bug there, which I'm sure you all remember. -
Re:Encryption ... the whole story-Ink.
Encryption isn't a magic bullet.
SafeWeb Vulnerability, Fingerprinting Websites Using Traffic Analysis
Netcamo
-
Re:Port 1433?
It does, but it also uses UDP port 1434 (which you can't turn off). Read this report to see how it works.
Did the service patch for this problem just barely come out a week ago? That's what another poster said. This report says Microsoft was notified on 17 May 2002--several months ago. Not good.
-
Mod parent up!!!!
I was just about to post the same thing! Moderators: mod this one up! People need to read this otherwise they'll think their cracked box is safe!
From securiteam.com:
It can be configured such that clients can use named pipes over a NetBIOS session (TCP port 139/445) or sockets with clients connecting to TCP port 1433 or both. Whichever method is used the SQL Server will always listen on UDP port 1434. This port is designated as the Microsoft SQL Monitor port and clients will send a message to this port to dynamically discover how the client should connect to the Server.
Read further into the report. The exploits use the vulnerability in the code which listens to UDP port 1434. You can't turn this off!
-
My ZyXEL 600 had this problem...
First thing I did with my ZyXEL Prestige 600 is change that damned default password.
To do this, at least on my 600:
1. Telnet in (make sure you have vt100). On my LAN, the Zyxel is set at 192.168.1.1 -- I don't know how Sprint has it.
2. Use the default 1234 password, and then hit return to log in.
3. At the menu, type "23" and return. 23 is the option for the "System Password" page.
4. Now type the old and new password (twice) using the TAB key to skip fields. Don't pick something obvious.
5. Go down to where it says "Enter here to CONFIRM or ESC to CANCEL" and hit ENTER/RETURN to save your new password. (You may be asked to confirm that you want to do this.)
6. When you get back to the main menu, exit your telnet session by typing "99".
7. Try telnetting in again using 1234 and make sure it doesn't work. Now try to use your new password.
8. Profit.
I'm guessing that if these aren't the exact instructions for the later Prestiges, it'll be pretty close.
Even better than changing passwords is to disable remote login from outside the local network. (I hear this is the default on new Prestige modems). Or, depending on how insecure your LAN is, you can assign particular IPs permission to get in and block all others. This is accomplished using a "filter", just like with a firewall.
To block incoming telnet sessions on the WAN, check out this page. This page also offers a "probe" you can use to discover vulnerable modems.
Finally, check this list for common default passwords. This is an important page, so check it for any equipment you might be using.
W -
Re:You see...
-
Re:Source and motivation
What, like Curious Yellow?
-
Linksys WET11 also has DOS problem
In a related, underpublicized story, Linksys's WET11, which has been getting a lot of buzz as a cheap wireless ethernet bridge, has a firmware flaw which allows a DoS. LinkSys has been slow to come out with a fix.
-
section 9. Notes == Multi-part MIME emails???
9. Notes Notes are stored on the Kolab server inside the user's IMAP sub folder "Notes" (German: "Notizen"). Physically, they are represented as multi-part MIME emails with the actual note being a MIME part. See the appendix for the exact file format.
Isn't this exactly what we saw reported by Noam Rathaus, at Security Focus, and at CERT as a security vulnerability in Outlook Express? Multi-part MIME types in email can send virii past firewall email checking systems, unless the AV solution reconstructs the email message before the client sees it. -
OpenBSD isn't perfect
You mean that waste of 1,000,000 of your tax dollars on a piece-of-shit distribution that is less effective than OpenBSD and jail (total cost to the taxpayer: $0)?
You may notice that OpenBSD now claims "One remote hole in the default install, in nearly 6 years!" If OpenBSD utilized an SE Linux type security system, the remote exploit from two and a half weeks ago would have been far more limited in its scope.
Security Enhanced Linux was the motivating factor for the security framework being incorporated into the 2.5 Linux kernel. I would hardly consider that a waste of my tax dollars.
-
Re:Let's hope Apple gets quicker....
Sadly Apple has had a (local) exploit in the default install of Mac OS X (10.0 through 10.1).
It was a 'gain root access' via NetInfo hack (details here: http://www.securiteam.com/securitynews/6T00O0K2UW.html).
Basically all you needed to do to exploit this was:
a) Run an application (e.g. Terminal)
b) Run NetInfo Manager (in /Applications/Utilities/) and leave it running as the foreground Application.
c) Run the 1st application (e.g. Terminal) but this time start it from the "Apple->Recent Items->" menu and it will run as setuid root.
In the case of the Terminal application, this gave you a root prompt.
:-(
-
Re:Buffer overflows
This is true even on Windows where there was no way to read a jpeg file via Win32 until recently.
This is not true at all, Internet Explorer has been able to view jpeg files for as long as it's been around. Outlook Express, an extremely popular e-mail client, uses IE's activex control to display html e-mail's. All it would take is for someone to view an html e-mail with a jpeg image in it.
More information on recent buffer overflows in widely used compression implementations (all of them can be exploited with a specially constructed file):
MP3 Files can Cause Code Execution under Winamp
Double Free Bug in zlib Compression Library
bzip2 contains multiple security vulnerabilities -
you need downtime...
Well, I have a Sleep/Downtime replacement called "Coffee". It's relatively portable, lasts ages in its pre-prepared form (may even be consumed in this form at a pinch), and only 5 minutes preparation time can replace up to 12 hours of Sleep. (Alternatives available)
Besides, as soon as I clocked the title I was worried. No more rebooting doesn't make much odds to *nix users. but while the average Joe Luser may not contribute jack shit to the Open Source community, money is money. Ask an average user (Box from high street chain, OEM windows install, clueless) "What ticks you off about Windows?" and none will say "The built in privacy violations." None will say "The bloated binaries." (hey, this thing is slow, better spunk away another grand on another one!) None will say "The atrocious security blunders". None will say "Contributing to a competitor-strangling monopoly."
It's crashes. Every time I've asked, anyway. Crashes are what tick off the ordinary Joe Luser. Losing work, watching scandisk (To quote Jack Dee, a mainstream comedian: "I didn't shutdown from the start menu because you crashed!), ruining marriage. Well maybe not the last one. But in a world without rebooting, how the hell are we going to sell *nix to the tech-clueless Windoze crowd? Face it, even "Free" software needs capital.
Ali
-
Re:How to Blue-screen a Win2K box via Infrared
-
Re:Overreaction from Michael.
First link's worthlessness conceded in another post.
Second link: hats off to those who don't run wu-ftpd. I would never claim that all linux systems are alike. As for those who do (run wu-ftpd), arguing over whether a given windows or linux combo is worse is almost pointless.. they're both buggy POSs and it takes one crack to ruin the box.
As for the third link..
A design flaw, rather than a true "bug"
I do program, and where I come from, design flaws usually count as bugs. Usually they're the hardest ones to fix
There is absolutely NO evidence that this vulnerability has ever been exploited
You could apply that statement to MS's latest problem, and you'd be equally foolish
HOW LONG was it, after the design flaw became known, that the flaw was fixed and new releases made to fix it. A day or two?
This is just from the searching I have done, and it's so ridiculous I actually don't believe it myself; somebody *please* correct the errors here, but AFAICT: Flaw published 1/4/01, apparently fixed by redhat 4/10/01 (debian nailed this on 4/16). Somebody noticed on the kernel mailing list 7/24/01 that there was still a problem (improved exploit perhaps?), and this was fixed by redhat on 10/09/01. I can't find a second debian fix; maybe they got it right the first time. Anyway to answer your question, not quite.
-
Those who forget history...
-
Re:This should come as no surprise
-
Reasons *not* to use NTFS
NTFS isn't the cure-all that MSFT makes it out to be. It has some problems.
- It allocates disk sectors in extents - therefore, it absolutely requires defragmentation. See Executive Software's Diskeeper benchmarks, and their white paper. You don't have to believe Executive Software, and there may be good reasons for disbelieving them. Think about it: every other filesystem that has had extent-based allocation ended up with defragmenters: DEC's ODS-2 (VMS), SGI's EFS (Irix) are two examples of radically different filesystems by radically different vendors, yet each required defragmentation. Fortunately, SGI provided such a good one, that 3rd party vendors didn't even bother.
- Each file has multiple "streams". These could very obviously promote security problems. Alternatively, see this for another example. Microsoft itself has had a bunch of problems with NTFS streams, including bizarre interactions with IIS.
- It's broken by design. Any fool can extend the MFT and use up all of a partition's disk space.
-
Re:Is this really a problem?
Two questions - 1) if this "problem" has been around since the mid-80's why has it never been exploited?
Because it's been fixed for quite a while in most OSes. There are still some exceptionally stupid OSes that are vulnerable to it, but nobody who knows beans about security uses them.
-
Re:Outlook corporate mailbox
Ummm Buffer overrun on date field to execute arbitrary code from HERE or just the fact that "Enterprise level" software has a vulnerability like a scripting host in the default install. Perhaps the fact that the same company that brought you this HTA Exploit might make some one wary. To partially use your example just because all of this company's other lines of cars explode doesn't mean this one will. No really!!
-
NOT a DNS issue but a whois lookup exploit?
An article which appeared yesterday on Securityteam's website shows there is a "bug" in whois entry retrieval system wherein a registered sub domain will have its entry retrieved before the real parent domain's. The example they show is identical to the whois information being shown here today.
If this is the true cause, and it is not corrected soon, whois (sic) to say how far it might go?
Going on means going far
Going far means returning -
Re:Something I don't get..
They did make it work, but AOL foiled them.
Then they tried again, and again, and again. Each time, AOL blocked them. They've proven that they can tell the difference between clones and their official client. I don't know why AOL doesn't do the same thing to the linux clones. But don't say Microsoft hasn't tried, because they have. -
Some interesting links
The following links are some that I've come across. They are rather interesting at times:
A how-to for stealing someone's domain name, which was addressed in the article. Furthermore, the specs for these protocols and implementations can be found here and here. There was also a critical interview calling for the implementation of these more secure systems in order to prevent the holes in the current system.
-
Yes, it is funny. I bet most users don't know.
Most MS Windows users don't know anything about this patch, so it's very new news to most of them.
I bet I could walk into the majority of corporations and find that most, if not all, of their Windows machines are not patched.
Patch Availability:
The following is from a March 4, 2000 news release from Securiteam.com
Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 95/98/98 Second Edition.
The vulnerability could cause a user's system to crash, if they attempted to access a file or folder whose path contained certain reserved words.
Vulnerable systems:
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
DOS device names are reserved words, and cannot be used as folder or file names.
When parsing a reference to a file or folder, Windows correctly checks for the case in which a single DOS device name is used in the path, and treats it as invalid.
However, it does not check for the case in which the path includes multiple DOS device names.
When Windows attempts to interpret the device name as a file resource, it performs an illegal resource access that usually results in a crash.
Because it is not possible to create files or folders that contain DOS device names, it would be unusual for a user to try to access one under normal circumstances.
The chief threat posed by this vulnerability is that a malicious user could attempt to entice a user to attempt such an access.
For instance, if a web site operator hosted a hyperlink that referenced such a path, clicking the link would result in the user's machine crashing. Likewise, a web page or HTML mail that specified a local file as the source of rendering information could cause the user's machine to crash when it was displayed. If this happened, the machine could be put back into normal service by restarting it.
What causes the vulnerability?
The vulnerability results because of a flaw in the way Windows 95 and 98 (including Windows 98 Second Edition) parse file path names. Device names such as COM1, CON or LPT1 are reserved words, and they can't be used as folder or file names. When parsing a reference to a path, Windows checks for the presence of a single DOS device name in the path. If one is found, the path is correctly treated as invalid and an error is returned. However, neither Windows 95 nor 98 check for multiple DOS device names. This is the source of the vulnerability. If a read or write operation is attempted to a path whose name contains multiple DOS device names, it will cause Windows to attempt to access invalid resources. In some cases, the effect of this invalid access would be to cause the application that supplied the path to hang, but the more likely effect is that the machine would present a blue debug screen and crash.
What names could cause this problem?
It's not possible to compile an exhaustive list of all DOS device names, because third-party application developers can create their own device drivers and add their names to the reserved list. However, Microsoft Knowledge Base article Q256015 provides a list of all standard DOS device names.
What would need to happen for me to be affected by this vulnerability?
You would need to try to reference a path that contains more than one DOS device name. The operations by which this could happen are familiar file and folder access operations - reading a file, listing a folder's contents, etc.
Under normal conditions, this problem is unlikely to occur. Users cannot create files and folders whose names are reserved words like DOS device names. Because of this, it would be very unusual for a user to try to access such a file or folder. For example, it would be very unlikely that a user would try to list the contents of C:\COM1\COM1, since it is impossible for him to have created such a folder. However, a malicious user might use this vulnerability to try to cause other users' systems to crash.
How could a malicious user do this?
She would need to entice the user into doing something that resulted in an attempt to access a file whose path contained reserved words. For example, if she hosted a web site, she could include a link on a web page that displayed a file located in C:\COM1\COM1. Normally, it's safe to allow a web site to do this - the site can't read or change the file, only display it in the owner's browser. However, when Windows tried to locate the file, it would cause the system to crash. It wouldn't matter that the file doesn't even exist on the user's machine, because the very act of trying to find it is what would cause the crash. There also are scenarios in which it would not be necessary for the user to click on a link to be affected by the vulnerability. For example, web pages can specify that an image file on the user's computer should be used as the page background. If this were done, simply displaying the page would cause the user's computer to crash. HTML mails could be used in a similar manner.
Are customers who have Preview Mode enabled on their mail viewers at any greater risk from this vulnerability?
Yes. HTML mail renders in Preview Mode, so if a malicious user sent an HTML mail to someone who had Preview Mode enabled, the vulnerability could be exploited as soon as the mail was previewed.
I have preview mode enabled in Outlook. If I received such a mail, what should I do?
Start Outlook from a command prompt, and use the /safe and /nopreview options to turn off preview mode. Microsoft Knowledge Base articles Q197180 and Q182112 provide information on how to do this. Once you're able to get into Outlook, you can simply delete the offending mail. Obviously, you should do this without opening the mail.
What would I need to do to put my machine back in service after a crash?
You would just need to restart the machine. There's no lasting harm from the crash, although any work that was in progress would be lost during the crash.
Does this vulnerability affect Windows NT 4.0 or Windows 2000?
No.
Who should install the patch?
Customers using Windows 95, Windows 98 or Windows 98 Second Edition should install the patch.
What does the patch do?
The patch causes paths containing more than one DOS device name to be treated as invalid paths. This is correct behavior. -
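The advisory quoted in the post above describes the check the patch adds (any path containing a reserved DOS device name is invalid, not only one containing a single name) and the two delivery channels it worries about (hyperlinks and page backgrounds in HTML pages or HTML mail). The following is an added example, not code from the post, from Microsoft or from SecuriTeam: it implements the post-patch path rule and a hypothetical mail-gateway scanner that flags HTML attributes pointing at local paths with reserved names. The reserved-name list is an assumption drawn from Microsoft's general file-naming rules (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9); the page refers to KB Q256015 for the authoritative list but does not reproduce it, and the sample HTML is constructed.

```python
import re

# Standard DOS device names. Assumed list from Microsoft's general
# file-naming rules; the advisory points to KB Q256015 for the
# authoritative one, which is not reproduced on the page.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

_SEPARATOR_RE = re.compile(r"[\\/]+")
_DRIVE_RE = re.compile(r"^[A-Za-z]:")
# Hypothetical mail-gateway scanner: attributes that make a client fetch a
# file for rendering (hyperlink, image source, page background).
_ATTR_RE = re.compile(r'(?i)\b(href|src|background)\s*=\s*["\']([^"\']+)["\']')


def _is_device_component(component: str) -> bool:
    """True when one path component names a DOS device.

    Windows matches the name before the first dot, so 'COM1.txt' and
    'con.tar.gz' both resolve to a device; trailing spaces are ignored.
    """
    stem = component.split(".", 1)[0].rstrip().upper()
    return stem in RESERVED_DEVICE_NAMES


def count_device_names(path: str) -> int:
    """Count the components of a DOS/Windows path that are reserved device names."""
    body = _DRIVE_RE.sub("", path, count=1)
    components = [c for c in _SEPARATOR_RE.split(body) if c]
    return sum(1 for c in components if _is_device_component(c))


def classify_path(path: str) -> str:
    """Return 'ok' or 'invalid' using the post-patch rule.

    Per the advisory, the unpatched Win9x parser rejected a path with a
    single device name but let one with two or more through; the patch
    makes any count above zero invalid, which is what this implements.
    """
    return "invalid" if count_device_names(path) > 0 else "ok"


def _looks_like_local_path(value: str) -> bool:
    """Only local references matter here: file: URLs, drive paths, UNC paths."""
    v = value.strip()
    return (v.lower().startswith("file:")
            or re.match(r"^[A-Za-z]:[\\/]", v) is not None
            or v.startswith("\\\\"))


def find_reserved_path_references(html: str) -> list:
    """Return (attribute, value) pairs that point at local paths containing
    a DOS device name, so a gateway can flag or strip the message."""
    hits = []
    for attr, value in _ATTR_RE.findall(html):
        if not _looks_like_local_path(value):
            continue
        candidate = value
        if candidate.lower().startswith("file:"):
            # file:///C:/COM1/COM1 -> C:/COM1/COM1
            candidate = candidate[5:].lstrip("/")
        if count_device_names(candidate) > 0:
            hits.append((attr.lower(), value))
    return hits


# Constructed sample message: two references of the kind the advisory
# describes, one ordinary web link and one harmless local image.
SAMPLE_HTML = """
<html><body background="file:///C:/COM1/COM1">
<a href="http://example.com/con/index.html">ordinary link</a>
<a href="C:\\COM1\\COM1">click me</a>
<img src="file:///C:/Windows/logo.gif">
</body></html>
"""

if __name__ == "__main__":
    for p in (r"C:\Windows\notepad.exe", r"C:\COM1", r"C:\COM1\COM1"):
        print(f"{p}: {classify_path(p)} ({count_device_names(p)} device names)")
    for attr, value in find_reserved_path_references(SAMPLE_HTML):
        print(f"flagged {attr}={value!r}")
```

The scanner deliberately ignores http/https links: a remote URL whose path happens to contain "con" never reaches the local path parser, so flagging it would only produce noise. The web link in the sample is there to show that case being skipped.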
Re:B1??
since they have it only if NT is not networked.
Just to be fair, they recently obtained a C2 on NT4+special service pack+certain hardware, in a networking environment. See here for more info.