Good thing is that OSX is still compatible with OS 9 so all the old exploits still work.
Best thing is that with good multithreading the user will never notice that the box is hacked. Even if it is slow, that will be nothing new to the user.
Damn, I converted my girlfriend to computer games and now she has a faster PC than me.
</slightly Off Topic>
You do not need a company full of geeks, just a few. There are lots of people that need to take the sales part. Hey, if I need a monkey test ("just press some buttons and see the app does not crash") I need those sales/middle management people for that!
And if you like the latest HW/SW use it; if not, there are still a lot of COBOL programmers needed. The ppl that do not like all the latest tech stuff but just wait for their pay will be the COBOL programmers of the future.
Buried in email?
I did this.
(Spam it to me at "test2201@hotmail.com"; the default hotmail filters move 66 % to bulk (=spam) mail. > 10 msgs per day.)
But it seems spammers have worked around this by line sniffing. If your account gets older, more and more leaks occur.
I wonder how people on highly visible web sites manage. Is there any GOOD antispam software that can handle multiple POP3 accounts?
If there is a return address I do send them a reply, of course with a fake email address. They take my time --> I take time from them. I try to avoid accessing web sites since they might get paid for every hit. And hey, I already know where to find porn on the internet.
(since the site seems almost slashdotted a copy is made below)
Security flaw in Linux 2.4 IPTables using FTP PORT
Tempest Security Technologies
a business unit of CESAR - Centro de Estudos e Sistemas Avançados do Recife
Author: Cristiano Lincoln Mattos, CISSP, SSCP
Recife, Pernambuco, Brazil
Table of Contents
Overview
Detailed description
Solutions
Demonstration tool
Download
Acknowledgements
Text version
Overview
Systems affected: Firewalls using Linux Kernel 2.4.x with IPTables
Release date: 16 April 2001
Platforms: Linux Kernel 2.4.x
Impact: If an attacker can establish an FTP connection passing through a Linux 2.4.x IPTables firewall with the state options allowing "related" connections (almost 100% do), he can insert entries into the firewall's RELATED ruleset table allowing the FTP server to connect to any host and port protected by the firewall's rules, including the firewall itself.
Linux 2.4.x includes NetFilter, a raw framework for filtering and mangling packets. IPTables, used for firewalling, is set inside the NetFilter framework. One of the new features in this setting is connection tracking, known to some as "stateful inspection". The four possible states it can maintain are: ESTABLISHED, NEW, RELATED and INVALID. We are interested here in the RELATED state -- it includes, among other things, the FTP DATA connections, active (PORT command) and passive (PASV command).
The module ip_conntrack_ftp is responsible for analysing FTP connections that pass through the firewall, looking for PORT and PASV commands, and including entries for those connections in the firewall's connection table. There is a security flaw in the manner in which the PORT command is interpreted and processed. Essentially, you can pass any IP/port in an FTP PORT command, and the module will not validate these parameters, adding an entry to the RELATED ruleset allowing connections from the FTP server, any source port, to the specified destination IP and port. In most cases, people make stringent security rules and have lax firewall rules regarding RELATED connections, allowing the attacker to connect to anywhere.
This can be used, for example, for the FTP server to connect to any TCP port on the firewall, or any other node protected by the firewall. Even though there may be rules normally denying this type of traffic, it would pass through the firewall, because of the rule allowing RELATED.
The attacker does not even need to have a valid login in the FTP server, as the PORT command is interpreted by the module independently of any authentication procedures (USER and PASS).
This is a security flaw which can be exploited when an attacker is in a position behind your firewall, i.e., "protected". For example, if your firewall protects an FTP Server and the attacker has compromised it by other means, he can use this to connect to other protected networks. Or, if your attacker is behind your firewall as a client and connects to an FTP server on the Internet, he can use it to allow this FTP server to connect to other protected networks.
Detailed description
Most firewall setups using IPTables include the following rule, for allowing established and related connections through:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The "related" state includes connections such as the FTP data transfer connections, both active and passive modes. If related connections and FTP are allowed through the firewall, then the system is most likely vulnerable.
The attack consists in connecting to the FTP server (passing through the firewall) and using the PORT commands with arbitrary IP and port parameters - the normal parameters should be the client's IP and a random port.
To explain the process in more detail, we'll outline the following scenario:
Client IP: 200.249.243.12, an IP on the internet
Firewall: 200.249.137.1 (internet interface) 200.249.193.1 (DMZ interface)
FTP server: 200.249.193.2 (inside a DMZ network, protected by the firewall)
In a normal FTP data transfer, the client would emit the following command to initiate an active data transfer:
PORT 200,249,243,12,4,10
Which would insert an entry in the connection table (cat /proc/net/ip_conntrack) of the following form:
EXPECTING: proto=6 src=200.249.193.2 dst=200.249.243.12 sport=0 dport=1034
Allowing a connection from the FTP server to the client on the specified port. Since the module ip_conntrack_ftp doesn't check the passed IP and ports, an attacker can pass the following parameters:
PORT 200,249,193,1,0,22
Which would insert an entry in the connection table (cat /proc/net/ip_conntrack) of the following form:
EXPECTING: proto=6 src=200.249.193.2 dst=200.249.193.1 sport=0 dport=22
Allowing a connection from the FTP server to the firewall, on port 22, i.e., the SSH port. This works by inserting the rule into the RELATED ruleset, which as shown above is normally too open. The rule can be inserted for any destination IP and port.
Of course, the FTP server will probably not accept the command (if it has anti-bounce protection), saying "Illegal PORT command", but the firewall will have interpreted the commands and added an "expecting related" entry as described above to its connection table. The attacker will then have ten seconds to establish the connection, before the entry expires and is removed from the connection table.
It is not even necessary to have logged in to the FTP server, since the module doesn't check for valid USER and PASS commands. All we have to do is trick the code into thinking we have established a connection (IP_CT_ESTABLISHED+IP_CT_IS_REPLY). To do that, it is only necessary to send any string to the FTP server, which should reply with "invalid command", and then we send the PORT command with our parameters... The FTP server will probably complain that a login has not been established yet, but the firewall will have done what we want it to:
220 tsunami FTP server ready.
xxxgarbagexxx
530 Please login with USER and PASS.
PORT 200,249,193,1,0,22
530 Please login with USER and PASS.
QUIT
221 Goodbye.
The implications should be obvious -- we outline two main scenarios of attack:
* The FTP server is protected by the firewall: in this case, the client (attacker) would be on the internet. If the FTP server is compromised by the attacker using other means, the attacker can insert rules allowing the FTP server to:
  - Connect to hosts on the internet, for downloading of trojans, tools, reverse tunnels, etc;
  - Connect to the firewall itself and exploit it from there onwards;
  - Connect to other hosts on networks protected by the firewall, such as an internal network, for example;
  - ... use your imagination :)
* The client (attacker) is protected by the firewall: in this case, the client would connect to an FTP server that he controls on another network such as the internet (as long as the connection passes through the firewall). The attacker would insert rules allowing the FTP server that he controls to:
  - Connect to the firewall itself and attack it from there onwards;
  - Connect to other hosts on networks protected by the firewall, such as a DMZ or other networks, for example;
  - ... again, use your imagination :)
A few observations:
From my tests, the use of NAT (NAT of the FTP server, NAT of the client and NAT of the target) doesn't stop the attack in any way. Of course, the attacker will only have to pay attention to which IP he is connecting to, but the entries are inserted into the connection table anyway.
By default, the ip_conntrack_ftp module only analyses FTP control connections on port 21, so this would only work on connections to FTP servers binding on port 21. Unless, obviously, the module were configured to listen on another port as well.
This should not need to be said :) but this attack bypasses the firewall rules by inserting an entry into the ruleset for RELATED connections -- for the attack to work, there must be a rule allowing the client to connect to an FTP server (through the firewall) in the first place, and the rule allowing the RELATED state for the specified connection. This is a very common setting, as most firewalls allow their clients to perform FTP, and the too-open RELATED rule is also very common -- I've seen it in lots of IPTables FAQs, guides, lists, etc.
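To make the flaw and the fix concrete, here is an added model (not code from the advisory or from the NetFilter project) of what the FTP helper does with a PORT line, with and without the source-address check that the patch comment describes, plus a defender-side scan of captured control-channel lines for PORT commands that name an address other than the client's. The names Expectation, parse_port, ftp_port_expectation and find_bounce_attempts are hypothetical; the addresses are the advisory's scenario, and the session lines are constructed from its transcript.

```python
"""Model of the ip_conntrack_ftp helper's handling of PORT, before and after the
fix, and a scan for FTP bounce attempts. Added example; all names are hypothetical."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Expectation:
    """An 'EXPECTING' entry as printed in /proc/net/ip_conntrack: a connection
    from src (the FTP server) to dst:dport, from any source port (sport=0)."""
    proto: int
    src: str
    dst: str
    sport: int
    dport: int

    def render(self) -> str:
        return (f"EXPECTING: proto={self.proto} src={self.src} dst={self.dst} "
                f"sport={self.sport} dport={self.dport}")


def parse_port(arg: str) -> tuple[str, int]:
    """Decode 'h1,h2,h3,h4,p1,p2' into (dotted IP, p1*256+p2). Rejects anything
    that is not six 0-255 decimal fields, and a port of 0."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated decimal numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each PORT field must be in 0-255")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(n) for n in nums[:4]), port


def ftp_port_expectation(control_src: str, server_ip: str, line: str,
                         validate_source: bool) -> Optional[Expectation]:
    """What the helper adds to the connection table on one client->server
    control line. validate_source=False models the 2.4.3 behaviour (any
    address is accepted); True models the patch, which only creates the entry
    when the PORT address equals the source address of the packet carrying it."""
    cmd, _, arg = line.strip().partition(" ")
    if cmd.upper() != "PORT":
        return None          # USER, PASS, garbage, QUIT: nothing is tracked
    ip, port = parse_port(arg)
    if validate_source and IPv4Address(ip) != IPv4Address(control_src):
        return None          # patched helper: bounce attempt, no RELATED entry
    return Expectation(proto=6, src=server_ip, dst=ip, sport=0, dport=port)


def find_bounce_attempts(client_ip: str, session: list[str]) -> list[tuple[str, str]]:
    """Defender's view over captured client->server control lines: flag every
    PORT whose address is not the client's own, and every malformed PORT."""
    findings = []
    for line in session:
        cmd, _, arg = line.strip().partition(" ")
        if cmd.upper() != "PORT":
            continue
        try:
            ip, port = parse_port(arg)
        except ValueError as exc:
            findings.append((line, f"malformed PORT: {exc}"))
            continue
        if IPv4Address(ip) != IPv4Address(client_ip):
            findings.append((line, f"PORT names {ip}:{port}, not the client"))
    return findings


# Constructed client->server half of the advisory's session (server replies omitted).
SESSION = ["xxxgarbagexxx", "PORT 200,249,193,1,0,22", "QUIT"]

if __name__ == "__main__":
    client, server = "200.249.243.12", "200.249.193.2"
    for fixed in (False, True):
        e = ftp_port_expectation(client, server, "PORT 200,249,193,1,0,22", fixed)
        print("patched" if fixed else "2.4.3  ", e.render() if e else "no entry added")
    for line, why in find_bounce_attempts(client, SESSION):
        print(f"suspicious: {line!r}: {why}")
```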
Solutions
First and foremost, you should tighten your firewall rules to limit the scope of this vulnerability, by only allowing RELATED connections to the hosts that really need them, and not to all connections.
The NetFilter core team was notified and quickly developed a patch. It is available at:
http://netfilter.samba.org/security-fix/
http://netfilter.gnumonks.org/security-fix/
http://netfilter.filewatcher.org/security-fix/
Since it is small, I've included it here:
diff -urN linux-2.4.3.orig/net/ipv4/netfilter/ip_conntrack_ftp.c linux/net/ipv4/netfilter/ip_conntrack_ftp.c
--- linux-2.4.3.orig/net/ipv4/netfilter/ip_conntrack_ftp.c Fri Aug 11 05:35:15 2000
+++ linux/net/ipv4/netfilter/ip_conntrack_ftp.c Mon Apr 16 02:18:30 2001
@@ -187,7 +187,12 @@
(int)matchlen, data + matchoff,
matchlen, ntohl(tcph->seq) + matchoff);
-/* Update the ftp info */
+/*
+ * Update the ftp info only if the source address matches the address specified
+ * in the PORT or PASV command. Closes hole where packets could be dangerously
+ * marked as RELATED to bypass filtering rules. Thanks to Cris
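Review bot: the conditional that the new comment promises ("Update the ftp info only if the source address matches the address specified in the PORT or PASV command") is not visible in this excerpt; the hunk shows only the replaced comment block and is cut off mid-sentence at "Thanks to Cris", although the header @@ -187,7 +187,12 @@ announces five added lines. Before relying on this copy, fetch the complete patch from one of the security-fix URLs above and confirm that the added check compares the PORT/PASV address against the control packet's source address and skips the RELATED expectation when they differ, which is exactly the case the advisory's PORT 200,249,193,1,0,22 example exercises.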
But one of the reasons they gave is that they wanted to test what happened at different latencies. Well, if they want a lot of latency they should include Europe (that's me). And why include some cyber game cafés in Asia?
I still miss the reference to the goat; why is it still coming back every now and then? Natalie Portman I can get (it's even in the FAQ). But why always the reference to a goat??? And the web site...sx
Just see:
http://bbspot.com/toys/slashtitle/index.html
There must be some secret messages in some Slashdot articles, if Slashdot look-alikes can be made that easily. Just take the email address, some subject and some non-relevant remark and you are there.
Maybe Slashdot is one enormous codebook....
Why don't we see a 1/dist^7 relation to distance if there are 7 dimensions? This is what they are saying. If there were more dimensions we would see another power, but we don't see this.
Even without the key it is possible to decrypt the data. It just takes a lot of time. But if you have the means to read the overwritten data from a disk, you surely could afford the equipment to decrypt the data.
:conspiracy mode on The NSA already has tools to decrypt DES-128; that is why it is released for export. Overwriting 7 times is possible to recover. :conspiracy mode off
Well, if you read the article you could have read that they can take data from a tape that is damaged. I think a hammer is not a problem for this kind of data reconstruction. Which leads me to the best solution: HCl (? Is this muriatic acid in English = zoutzuur in Dutch ?). Back to the question: how many overwrites? An important part of the trick is to know the data density of the disk. Since they are using a head of a recent MR hard disk, it is supposed to come close to the data density of the best hard disks that exist now. Overwriting would leave nothing in the resolution that it could scan today. So the number of times you overwrite is according to the number of years you want to hide the data.
- The Watergate audio tape is not safe at all.
- Your 20 MB (80286) hard disk could easily be reconstructed if overwritten once.
- Your 80 GB disk should be safe for 5 to 10 years, or it should contain very valuable data.
This is like encrypting data. It is safe, but only for a limited time. So the suggestion of somebody to encrypt the data is just as (un)safe. It only takes time to recover the data.
It was kid mentality, but he "showed" that he knew more than just running some scripts. Unless you call writing a C program also a script. But a "hey you earned it" was not a good thing to do. DDoS that hacker (a port scan of noel already gave him a lot of lag). But if he was that good he'd better have pursued some other goals than rm -f:
- Some media hype things like "crack yahoo"
- Go for the money. Either by getting it from banks/CCards or earning it by cracking for money ("security audits")
By the way, it became a little bit predictable after story #5. somy already wrote it was statd.
Nice idea, but the Windows version is a software program. If it locks up it ignores your finger, like Bill cared anyway..... By the way, no Linux version? (Is there a pen version of Linux?)
What if the record company decides to use this like the divx (DVD) standard, but then starts to offer this music for free? Singles are already less and less brought out into the consumer store since they do not earn much by this. If they created a PC-Windows (+ Linux?) player with which you could download the latest music in their new format, but for free, this could become popular. This way they could create a (Microsoffie) new standard. It has already been established that mp3 actually sells records. And if mp3 players start including this new algorithm as an extension (hey, you have to have something extra over the competition), it could win. (It could be copied...)
Worst thing is that MacOS (or Linux...) users have no sense of humor when it touches their OS.
"if you are so clever why ain't you rich"
If asked 90% of the people think their IQ is above average.
You can subscribe from 4 April to 11 April BUT only if you live in America or Taiwan. That latest part makes me wonder. How in the world can somebody in Taiwan join, but silly me in Europe has no chance at all.... Why is Blizzard only accepting beta test applications from U.S. & Canadian residents? The FAQ says: "Due to the differences in varying country time zones, we have decided to limit the test to U.S., Canada, and a small number of pre-selected cyber game cafés." And since the CD will be mailed I cannot work around it. Bummer. But maybe the CD will leak.....
I cannot read the site (already /.'ed?) but from the heading it sounds like the lpr Linux router from a flop project.
With the risk of getting off topic: there is a software package called VMware that enables you to boot Windows from a Linux window (or prompt).
Could somebody explain?