Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Re:MSNBC uses cookie exploits ...read on...
this exploit was mentioned http://online.securityfocus.com/news/83 here too -
Re:Make sure the version...
Reference: VNC authentication weakness, Bugtraq 07/24/2002. In summary:
Shocking. VNC uses a DES-encrypted challenge-response system to avoid passing passwords over the wire in plaintext.
However, it seems that a weakness in the way the challenge is generated by some servers would make this useless.
The following program attempts to repeatedly connect to a vnc server and prints the challenge string.
Against tightvnc-1.2.1_unixsrc, you'll see output like
- $ python pvc.py somehost:1
- 4b24fbab355452b55729d630fcf73d43
- b3acdf3fab422b7aa49b8d786f93def3
- b3acdf3fab422b7aa49b8d786f93def3
- b3acdf3fab422b7aa49b8d786f93def3
- b3acdf3fab422b7aa49b8d786f93def3
- 88e37f1677c4e4f56eb2fa00a2804ded
- 88e37f1677c4e4f56eb2fa00a2804ded
- 88e37f1677c4e4f56eb2fa00a2804ded
- 88e37f1677c4e4f56eb2fa00a2804ded
[...] each time the same string is printed twice in a row the server has repeated a challenge.
WinVNC version 3.3.3R9 will display output more like
- $ python pvc.py otherhost:0
- Server declined connection
- Server declined connection
- 91ff701f7dce8c6eebbc6062ffebcc6a
- Server declined connection
- Server declined connection
- [...]
If your server will give the same challenge repeatedly, and you can sniff somebody else's challenge and response, it appears that you could authenticate without knowing the password simply by connecting within the 1-second window to get the same challenge, and then send the same response as the legitimate client.
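The probe described above, as an added example: this is not the commenter's pvc.py (that script was never posted here). It speaks just enough of the RFB 3.3 handshake to read the 16-byte VNC-auth challenge, answers with a dummy response (it is not trying to log in) and flags challenges that repeat on consecutive connections. The in-process `ReusingChallengeServer` is a constructed stand-in for a weak server that hands out the same challenge for a one-second window, included so the probe can be exercised offline; it is not real VNC server code, and the host/display arguments are assumptions about how you would run it.

```python
"""Probe a VNC (RFB 3.3) server for repeated authentication challenges.

Added example, not the pvc.py script from the comment above. The fake
server below is a constructed stand-in, not a real VNC implementation.
"""
import os
import socket
import struct
import sys
import threading
import time

RFB_VERSION = b"RFB 003.003\n"           # RFB 3.3: 12-byte version string
SECTYPE_VNC_AUTH = 2                     # 0 = refused, 1 = no auth, 2 = VNC auth


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def fetch_challenge(host, port, timeout=5.0):
    """Return the 16-byte challenge, or None if the server declined us."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if _recv_exact(s, 12) != RFB_VERSION:
            return None                  # only protocol 3.3 is handled here
        s.sendall(RFB_VERSION)
        (sectype,) = struct.unpack(">I", _recv_exact(s, 4))
        if sectype != SECTYPE_VNC_AUTH:
            return None                  # e.g. a server refusing after failed attempts
        challenge = _recv_exact(s, 16)
        s.sendall(b"\x00" * 16)          # bogus response: we only wanted the challenge
        return challenge


def probe(host, port, attempts=8, delay=0.25):
    """Connect `attempts` times; returns the challenges, None where declined."""
    seen = []
    for _ in range(attempts):
        try:
            seen.append(fetch_challenge(host, port))
        except OSError:
            seen.append(None)
        time.sleep(delay)
    return seen


def find_repeats(challenges):
    """Indices i whose challenge equals challenge i-1: the server reused it."""
    return [i for i in range(1, len(challenges))
            if challenges[i] is not None and challenges[i] == challenges[i - 1]]


class ReusingChallengeServer:
    """Constructed fake: same challenge for `window` seconds (0 = fresh every time)."""

    def __init__(self, window=1.0):
        self.window = window
        self._challenge, self._issued_at = None, 0.0
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _next_challenge(self):
        now = time.monotonic()
        if self._challenge is None or now - self._issued_at >= self.window:
            self._challenge, self._issued_at = os.urandom(16), now
        return self._challenge

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            try:
                with conn:
                    conn.sendall(RFB_VERSION)
                    _recv_exact(conn, 12)
                    conn.sendall(struct.pack(">I", SECTYPE_VNC_AUTH))
                    conn.sendall(self._next_challenge())
                    _recv_exact(conn, 16)
                    conn.sendall(struct.pack(">I", 1))   # 1 = authentication failed
            except OSError:
                pass


if __name__ == "__main__":
    # usage: python vnc_probe.py host:display   (display N listens on TCP 5900+N)
    host, display = sys.argv[1].rsplit(":", 1)
    for c in probe(host, 5900 + int(display)):
        print(c.hex() if c else "Server declined connection")
```

A server that passes this probe (no repeats at all) is still only as good as the randomness behind its challenges; a server that fails it lets anyone who captured one legitimate challenge/response pair replay the response, exactly as the comment describes.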
-
Re:We're not really catching up
More importantly, Open Source problems stay visible until they are fixed. There's no hiding behind STO, no stonewalling.
Yeah, no Open Source project would conceal a major bug for months, and continue to make major releases without fixing it, until finally someone forces their hand by posting the details on BugTraq.
That would never happen.
-
Re:TOC
Chapter 1. PC Magazine
Chapter 2. The Register
Chapter 3. Security Focus
Chapter 4. Webopedia
Chapter 5. ibas -
Re:A few hopes...
Yeah, the admins should have patched this up. Wanna know the funniest? Check this article where a security writer got hit with Slapper. It shows even those who should know better sometimes get hit.
-
Silly slashbot
Time for me to get a list of all their IPs, so when they portscan me I can file a lawsuit against them.
It's time to put these wannabe hax0rz outta business.
That is a great idea, until you realize that your "basis" for a lawsuit has been fundamentally flawed for almost two years. -
Re:The most disturbing thing about this...
Try telling that to Slashteam.
-klerck (logged out because I've posted more than two comments in the last 24 hours) -
Re:Trillian
Never mind all of those security holes in IRC that they ignored for about two months. They *just* released an update for that stuff and it had been floated on Bugtraq (and they were notified) quite a while ago.
SecurityFocus Search
Do a search for "trillian". They seem to have a problem with buffer overflows. -
...so?
Okay, so this vulnerability was published and corrected over a month ago. Of course it's still growing; a lot of people still haven't patched their servers. How is that newsworthy? It's been out for quite a while now, anyway, and nothing is different today from yesterday. Nothing horrible has happened, it's just continuing to do what it was designed to do.
Besides which, the impact is a lot less than, say, Code Red which affected a much larger number of machines -- it hit all unpatched IIS servers versus unpatched SSL-enabled Apache servers.
Again, I ask, how is this news? What has changed that made this story worth reporting again? -
Re:Warning
A 10baseT patch cable with the TX wires clipped will get you a whole lotta nothing because the TX wires are used for heartbeat signals. You need to corrupt the outgoing frames instead, which is a PITA.
The easier method is to use a 10 Mbit AUI adapter with the TX pins cut. You can probably even find a 10baseT -> AUI adapter at a computer junk shop for a buck or three.
For more about creating a receive-only ethernet adapter check out http://www.robertgraham.com/pubs/sniffing-faq.html#receive-only or read up on Antisniff (weird, I can't find anything about it on @stake's site). -
Re:Hmm.. Screwing 97 users, huh?
Up in the air. May. Key words and phrases that denote that no final decision to "screw" users of '97 has been made.
Since it's a 'bug', by default they're already screwed. The decision to patch this will 'unscrew' users if it's made.
But until such time, they are indeed screwed.
SecurityFocus/BugTraq article about the bug says that it's as simple as getting someone to modify and return a document to you. -
section 9. Notes == Multi-part MIME emails???
9. Notes Notes are stored on the Kolab server inside the user's IMAP sub folder "Notes" (German: "Notizen"). Physically, they are represented as multi-part MIME emails with the actual note being a MIME part. See the appendix for the exact file format.
Isn't this exactly what we saw reported by Noam Rathaus, at Security Focus, and at CERT as a security vulnerability in Outlook Express? Multi-part MIME types in email can send virii past firewall email checking systems, unless the AV solution reconstructs the email message before the client sees it. -
More than physical and logical...
It's more than just physical and logical security. There is also psychological security, if you will. All the physical and logical security in the world won't protect you from social engineering.
(Oh, and don't forget to email your username/password/IP to me. Thanks.) -
Re:Our server has been compromised 8 times in a we
Security Focus has some good recommendations for securing IIS.
-
the Stench
This interesting article contains a link to some demo code that allows malicious code to be uploaded, extracted, and executed from IE by clicking a link.
http://online.securityfocus.com/news/606
"Their patching tiny pinprick holes and not the overall problems, their mitigating factors, their ignoring small demonstrated flaws, all add up into a monster problem, which basically stinks," said Http-equiv in an e-mail interview Tuesday.
Thus the name "Stench" given to the vulnerability. And very telling about just how bad the security issues with Windows are when you add them together. Three "insignificant flaws" deemed to be "minor annoyances", put together, form a serious trojan that requires no user input other than clicking on a link in IE.
It just goes to show that security can't just be an afterthought to be patched with little band-aids. You really have to stay on top of it, otherwise someone figures out how to create a huge vulnerability out of your "minor" low severity flaws. (They note 18 known existing flaws in IE in the two day old article I linked.) -
Re:Michael Is A FUD-Packer
You mean fixed the same day it was announced by Microsoft. This bug has been discussed on Bugtraq for a month now.
-
Adrian Lamo makes me laugh.
He strikes me as cool. He broke into Yahoo News last year (Google cache) and wrote some great quotes from Attorney General Ashcroft, about "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope" and "They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law."
If you're not convinced he's not a stereotypical l337ist, check out some pictures of him. He's cool.
-
Re:One word :
Won't help you if you are using IE due to this flaw since you can spoof hotmail or any other SSL based site and no one will be the wiser. It allows for a trivial "Man in the middle" attack. Some nice security guys on BugTraq provided a nice tool for spying on all SSL sessions. Note that Microsoft doesn't seem to even care to fix this flaw that basically makes SSL useless as a privacy tool.
-
FBI Honeypots
The FBI is taking a serious notice on Wardriving. Here's a SecurityFocus article on how they are setting up Honeypots, FBI stings to catch warchalkers, although it claims they are just trying to get a feel for what's really out there.
-
Re:thought SSL wasn't secure anyway
Dsniff was used as part of the practical exploit here.
The BugTraq post describes the nature of a MOTM exploit using this vulnerability.
A BugTraq reader was able to successfully demonstrate this using dsniff and OpenSSL as his tool kit. Screenshots on his site illustrate this, with his own bank account!
-
Why aren't GCC downloads digitally signed
I raised this via the mailing list a few months back - some emails were traded but nothing has come of it.
Many packages are signed these days - it virtually guarantees that the code you are downloading has not been modified by any third parties. You all remember the irssi, BitchX and openssh incidents right?
Trojaned gcc, anyone?
-
Re:Konqueror works fine.
You aren't supposed to go to thoughtcrime.org. You should Read The Goddamn Story.
-
Check the SecurityFocus thread about this here
http://online.securityfocus.com/archive/1/286893/2002-08-05/2002-08-11/1
It seems that it isn't TOTALLY browser related. Verisign and Microsoft both know about this error, according to the people in the thread. It's a good read with a lot of detailed info about the flaw and where the flaw exactly is. -
RSA SecurID Algorithm
I didn't have time earlier, but for those interested, here is the original Bugtraq post by 'I.C. Weiner' (those Russians are so funny.. and modest too!) detailing the RSA SecurID Algorithm.
And for those really interested in the topic, here is Vin McLellan's excellent response detailing why publication of the algorithm does nothing to hurt the security of the system.
One last thing.. some people are saying that ACE will only run on Windows or Solaris. According to my ACE/Server 5.0 Install Guide for UNIX, it is also supported on AIX and HP-UX. The Guide also seems to suggest that it may run on other unices, but would not be supported by RSA.
-
The algorithm HAS been reverse-engineered!
The algorithm has been reverse-engineered and even posted on BUGTRAQ a couple of years ago. See http://online.securityfocus.com/archive/1/152525.
But, as the previous poster said, the patent stuff prevents you from building an open-source clone.
-
Re:High opinion
23 languages on 14 platforms? That's odd. As recently as 6 July 2001 Mr. Paget was posting a position-wanted ad on SecurityFocus, describing his language/platform knowledge as follows:
I am fluent (if a little rusty) in many programming languages (C, C++, Delphi, VB, VBScript, various assemblers), and I am keen to broaden my skills, specificially [sic] to include Unix and x86 assembler...my Unix knowledge is far from brilliant
One can only wonder which 23 languages and 14 platforms he knows, if several of the most important ones are notable by their absence or explicit disclaimer. Of course, he never tires of telling us he's a fast learner. Maybe he has filled in some of those gaping holes in his basic computer knowledge in the last year and a bit.
-
calloc() vuln
I believe this XDR vulnerability stems from a more serious problem in most implementations of calloc()
The problem is created when the size of the ADT * numElements > a machine word
I'm paraphrasing from this advisory on bugtraq -
Read the BugTraq replies first
Before jumping to conclusions, read the reply to the "vulnerabilities" on the BugTraq mailing list here. Doesn't look like it's something unknown to the public and it's really more of a vendor problem, not an MS one.
-
Re:Partially vindicated... but still an ass shat..
The original source code was never posted on Bugtraq. What went up, and was then removed at Snosoft's request, was a post by Phased containing a link to the code. In the same article Dave Ahmad goes on to say that pulling it at the request of the originating team was normal procedure but that it would remain in the archives until a further decision was made.
-
Jesus Christ...The post is there. Now I gotta go find the message I read yesterday where they pulled it so I don't look like a complete assshat. Either that or they put it back up...
Sigh, moderate parent down, although the influence concern is still valid, the claim may not be.
-
Re:full disclosure is all about timing
My apologies for not citing my source, Slashdot apparently slashed my citation. Is that why they call Linux a Unix work-a-like?
The previous letter, post #3996524, was written by Florin Andrei on Bugtraq at Wed Jul 31 2002 - 16:26:30 CDT. For more quality Bugtraq'ing material, search the SecurityFocus Bugtraq Archives. Hope this helps.
-
FUD Alert
We're all glad HP backed down, but what scares me is that the "Responsible Disclosure" FUD continues. On Bugtraq people write that CERT and SecurityFocus are "established parties" and everyone who does not give them their so-called "0days" is irresponsible (at least CERT is known to sell 0days). I personally won't give them my 0days early.
The "Responsible Disclosure" draft continues to get advertised, though it was not approved by the IETF.
Why do people think about giving away the right of free speech just because of some FUD?
Even in the unlikely case that this bad RFC passes, does it mean that people are safer when they disclose problems - I definitely don't think so personally.
So the facts are: some companies can't write secure code, and it is more expensive to write code securely.
Just check "Help -> About" on Windows before using the word "responsibility".
The easiest solution is to shoot the messenger and to outlaw saying the emperor has no clothes. But this won't fix the problem in the real world. Such regulations will only alienate a lot of people and will make things worse.
-
for more information
check out this bugtraq posting for a small analysis of the trojan.
-
Trojaned source distributions
So far we've seen dsniff and other programs from monkey.org trojaned, irssi, BitchX, and now OpenSSH.
At this point I think we need to make the assumption that the problem is a bit more common than viewing these compromises individually would suggest, and perhaps these individual events can even be linked together.
And for the developers out there, I think it's time to check over all of your current distributed source tarballs.
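One way for a maintainer to act on that advice, as an added example that is not code from any of the projects named in this comment or in the "Why aren't GCC downloads digitally signed" comment above: record a manifest of every member's SHA-256 when a release is cut, then diff later copies of the tarball against it to spot changed, added or removed files. The sample tarballs and their contents are constructed in memory for the demo; the file names in them are made up.

```python
"""Detect tampering in a distributed source tarball against a trusted manifest.

Added example; the tarballs built here are constructed for the demo and the
project layout in them is invented.
"""
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map each regular file in a (possibly compressed) tarball to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isreg():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def diff_manifest(trusted, observed):
    """Return (changed, added, removed) member names between two manifests."""
    changed = sorted(n for n in trusted if n in observed and trusted[n] != observed[n])
    added = sorted(set(observed) - set(trusted))
    removed = sorted(set(trusted) - set(observed))
    return changed, added, removed


def check_release(trusted_manifest, tar_bytes):
    """True only if the tarball's regular files match the manifest exactly."""
    changed, added, removed = diff_manifest(trusted_manifest, member_digests(tar_bytes))
    return not (changed or added or removed)


def build_tarball(files):
    """Constructed helper: pack {name: bytes} into a gzipped tarball in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample release (invented file names and contents).
CLEAN = {
    "pkg-1.0/configure": b"#!/bin/sh\necho configuring\n",
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
}
# A tampered copy: configure gained extra lines and a new file appeared.
TROJANED = dict(CLEAN)
TROJANED["pkg-1.0/configure"] = CLEAN["pkg-1.0/configure"] + b"# lines not in the release\n"
TROJANED["pkg-1.0/src/extra.c"] = b"/* not in the original release */\n"

if __name__ == "__main__":
    manifest = member_digests(build_tarball(CLEAN))
    for label, files in (("clean", CLEAN), ("trojaned", TROJANED)):
        print(label, "ok" if check_release(manifest, build_tarball(files)) else
              diff_manifest(manifest, member_digests(build_tarball(files))))
```

The manifest only helps if it is kept somewhere the attacker who replaced the tarball could not also replace, such as a signed file or a copy on a separate host; that is the gap a signature on the download closes and a checksum next to the tarball does not.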
-
Another reason..
to subscribe to Bugtraq or a similar security mailing list. Especially you guys that run any type of server. Securityfocus is your friend; they'll have these advisories far in advance of any other place on the net.
-
linux AIM exploit?
Linux AIM exploit. Don't expect to see this on /. anytime soon, though. -
Re:Security?
Problems ? There are no problems with IE. Besides the fact you must not press the CTRL-key and you must not click the back-button. But hey - who needs navigation anyway ?
-
Re:How about some common courtesy?
If you care about security, you should be reading Bugtraq. As soon as I saw the title I checked my email and read the real advisory - now that I'm done upgrading, I can come back and see what Slashdot says about it.
-
Security Advisory from Bugtraq
-
Re:How about some common courtesy?
Found details on vulnerabilities (don't know if they're the same ones as the ones being patched) in OpenSSL at bugtraq:
"There are several potentially exploitable vulnerabilities in the OpenSSL toolkit. A security review of OpenSSL is being done by A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) under the DARPA program CHATS. Through this review, the following vulnerabilities were discovered:
1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable.
2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.
3. Various buffers for ASCII representations of integers were too small on 64 bit platforms.
4. The ASN1 parser can be confused by supplying it with certain invalid encodings.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0655 to issue 3, and CAN-2002-0659 to issue 4.
Here's a link.
-
Re:*sigh*
But then again, the good folks at Apache didn't think the chunked encoding vulnerability could be used to execute arbitrary code on 32-bit platforms.
Gobbles proved them wrong.
-
Re:I think there was a little more than paperwork.
(Just giving this a visibility boost)
First off, as others have said, relax, Mr. Fox Photographer.
This has to be one of the greatest /. stretches of belief of all time.
No, it's pretty typical for slashdot. You really ought to have known that about slashdot posters. ;^)
Well, do you know of a nation that DOES NOT DO THAT?
He was referring to the Gilmore v. Ashcroft lawsuit. Please click here [slashdot.org]. There are many people who haven't been keeping up with slashdot articles. Too many people post without reading the stories. Please become current before you post.
I am a news photographer for FOX. My best friend at work went to Afghanistan. They could go wherever they pleased IN A WAR ZONE.
The issue isn't US gov't control of media companies. The issue is that the gov't and media companies (MPAA, RIAA, and Microsoft) are trying to control information flow of individual users on the internet through legislation.
Once upon a time, there was the DMCA. This didn't go far enough so congress, the content providers and Microsoft created the CBDTPA and Palladium. These initiatives require changes made to hardware to protect content from broad piracy through the internet.
But those initiatives will affect more than simple piracy, though. Things are happening that are threatening free speech on the net.
As long as the internet exists in its present form and with current computer technology, it undermines any government's attempt to control information to the general public. This is important to US foreign policy in places like, say, China.
Currently, the Chinese government is playing whack-a-mole on the internet cafes. In those cafes, the users are pretty much in control of the information they choose to receive. The police, even in China, only have so many resources, and as some have been shut down, many more have popped up.
If DRM initiatives become the law of the land forcing all electronic devices to implement DRM, and we export those technologies to China, then China would potentially have an absolute lock on the information going to its citizens. If that web browser isn't signed with the Official Chinese Department of Information's digital key, then it's not going to run on the Palladium architecture, now will it?
But here's the real kicker. If we don't export the DRM technologies to China, then Communist Red China's citizens would have greater liberty to access information than US citizens.
So the question of the day is, do we as a nation implement DRM to protect movie studios profits, or do we encourage the internet to be a medium for social and political change?
Oh wait, and it doesn't stop there. Remember COINTELPRO? Ashcroft has removed the rules that were put in place to prevent the FBI from abusing its power. The FBI can open a file on you having a GREENPEACE bumper sticker [securityfocus.com].
And then Congress wants ISPs to hold email for 90 days [theregister.co.uk] -- of course, the terrorists will have long moved away from email, and use FedEx, USPS, Airborne Express, UPS, or one of the many other shipping companies to send their instructions, or packet radio, or newspaper ads, or drop boxes... And even if they do use e-mail there's also things such as one-time use hotmail addresses, one-time pads (which are provably unbreakable), IPSec, VPNs, pgp (or gpg), 802.11b networks, and anonymous remailers. Just remember, this law won't affect the terrorists, only you and me.
So, tell me again how the US is not regulating information flow and communications?
-