Yah, this is one of the reasons I started filtering all of gobbles' emails right to the trash. Dude -- grow up, it's getting old.

On Wed, 2004-05-05 at 11:28, Richard Johnson wrote:
> iDEFENSE: The Power of Intelligence : Current Intelligence Report
>
>
> Local Remote FreeBSD Kernel Exploit Exists in the Wild
> iDEFENSE iIRCLOG iIntelligence iSecurity Brief 05.10.04
>
> I. BACKGROUND
> We at iDEFENSE have come to the conclusion that the best way to offer
> our clients proactive security, as a service, is to have individuals
> on staff who have experience in the intelligence world (including
> former pc technicians, janitors, and massage therapists) who have been
> fired from their minimum wage positions at various government
> facilities, for no other reason than gross incompetence.
>
> iDEFENSE outsources IRC logging services to some of the greatest minds
> in computer security, who have infiltrated some of the most nefarious
> hacking groups in existence - including #dtors, #w00w00, and #nologin,
> and then the logs are read by our team of former janitors and failed
> psychology students, and later turned into profound intelligence-like
> reports to be sold to the private sector, the Department of Homeland
> Security, and the Chinese government.
>
> Information fencing might be a crime, when said information is gained
> illegally, but as long as the Department of Homeland Security remains
> dedicated to the fight against domestic terrorists (especially those
> who frequent the Eris Free, and are known for their aggressive attacks
> on the American lifestyle as they write "BUSH IS SUX0R" on critical
> infrastructure related computers, such as *.co.kr nameservers and the
> ever popular plethora of *.gsfc.nasa.gov hosts running five year old
> copies of IIS - without even the eEye IIS obfuscation PRODUCT in place
> to protect these critical machines), civil rights do not apply. As a
> community, we must accept that the Department of Homeland Security is
> often too afraid to actually enforce the Patriot Act (since they would
> need to be able to justify their actions, and probably can't do that
> in an official capacity trying to track down Osama Joe Defacer at his
> pre-school). The solution is simple - millions of dollars a year to
> our company, iDEFENSE, to gather chat logs and to write intelligence
> reports for them.
>
> Feel safe that we are teamed up with the DHS to provide you a safer
> America.
>
> Beyond this, iDEFENSE strives to compile intelligence reports off of
> other hacker resources, such as hacker conferences (where we supply
> alcohol to minors and get them in morally compromising situations for
> our own profit - in the name of national security, one might say fuck
> the children[2], we're Republicans anyways), we like run-on sentences,
> hacker mailing lists, and our deployment of various advanced honeypots
> (wireless, honeytokens, etc). Honey tokens are cool. You'd be amazed
> at what kind of honey tokens we have given out.
>
> The following advisory is our first public example of INTELLIGENCE IN
> ACTION, demonstrating our ability to obtain zeroday vulnerabilities
> from our janitorial-powered thinktanks.
>
> As a side note, if you own a modern IRC client (that supports logging)
> or are in the position to install tcpdump and parse the packet dumps
> with Max Vision's brilliant tcpdump to irc log conversion utility[1],
> we might have an exciting job in the information security world just
> for you! Send a resume and a description of your IRC assets to our
> human relations department at hr@xxxxxxxxxxxx and we will get back to
> you as soon as possible.
>
> II. Exploit Definitions
>
> For some time, exploits have been classified in one of two categories;
> either an exploit is "remote" or it is "local". This leaves out an
> entire class of exploits, however, which we will soon be releasing a
> series of advisories on. This class of bug is more accurately named
> "local" than the previous class of bugs called "local exploits", so we
> will attempt to clarify the three classes of exploits for you.
>
> a) Remote Exploit
>    An exploit that attacks a network server, without requiring any
>    sort of authentication to that server. For instance, an exploit
>    for a webserver (httpd (hyper text transfer protocol daemon)) is
>    normally in this category, unless it's some gay local signalling
>    dos thingie.
>
> b) Local Exploit
>    An exploit that requires local access to a machine, authenticated
>    or otherwise. Here local access implies physical access to the
>    machine that is about to be hacked, and examples of upcoming
>    local bugs include:
>    - booting into single user mode
>    - hard drive theft
>    - extracting user passwords through torture,
>    and our historical example,
>    - CAN-2004-0109
>
> c) Local remote exploit
>    An exploit that requires authentication to a machine, but does not
>    demand physical access to said machine, and the attack can be
>    performed over the network.
>
> One could easily add a fourth category, being "Local Local Exploits",
> but this approaches some degree of silliness, and when one cannot take
> his job seriously enough to not giggle when reading official titles,
> clients will wonder if they're actually paying for a serious PRODUCT.
>
> III. The FreeBSD Kernel Exploit
>
> Recently a post was made to full-disclosure concerning the compromise
> of an account on a shell server, drunken.fi.st. The entire post can
> be read here[3]; however most of it seems to involve uninteresting
> scene nonsense, so we will focus on the important parts.
>
> "- rave gets his account backdoored on kokanin's box. He finds the
> obviously placed bindshell stashed as ~/bin/zsh. He laughs and says
> the backdoor was lame. Well he obviously missed the getpass()
> LD_PRELOAD, ssh, and passwd all on his local account mailing all his
> new passwords out. Oh, and he left an exploit (servu.c) in his
> directory for the version of servu ftpd he was running on his home
> windows machine. Oops."
>
> Proper behaviour of LD_PRELOAD would not allow a non privileged user as
> rave to hook privileged processes (read my upcoming advisory titled
> "TOO MANY SUIDS A BAD THING IN *IX" for more information) such as the
> *IX tool for changing passwords, /bin/passwd. For hooking of getpass,
> either root access would already be needed, or some sort of design bug
> in the kernel.
>
> We at iDEFENSE Labs have been unable to determine exactly how to
> exploit this vulnerability, or even identify where it is in the source
> code, but we are confident it is there, in some version.
>
> We thought that LD_PRELOAD bugs disappeared with the release of AIX 4,
> but Sun has recently proven us wrong, and now FreeBSD has a different
> problem. We continue to advise our clients to use only OpenBSD,
> Openwall (Owl) Linux, or Microsoft products - as clearly anyone with
> a bit of intelligence can see, everything else sucks.
>
> IV. Closing
>
> The purpose of this security briefing was not to demonstrate detailed
> knowledge of a specific vulnerability, but rather to demonstrate the
> powers of INTELLIGENCE IN ACTION, and that our staff is capable of
> extracting valuable security INTELLIGENCE from even the vaguest of
> references. If you're in awe of the incredible feat demonstrated, you
> and your organization definitely need to subscribe to our world-class
> intelligence services.
>
> If you have any details concerning the methods of exploitation for the
> vulnerability described in this advisory, please contact Mike Sutton
> immediately for a fat lump of the big DHS[4] dollars. He can be
> contacted at msutton@xxxxxxxxxxxxx
>
> We hope that you have been impressed with our demonstration of our
> famed INTELLIGENCE IN ACTION techniques. If you are interested in
> purchasing a subscription to our services, please contact our sales
> department at sales@xxxxxxxxxxxx so that we can broker a deal.
>
> We treat all sales transactions and inquiries with confidentiality.
>  _________________________________________
> / PLEASE HELP ME! My name is Jay Healy,  \
> | and I work for Goldman-Sachs, and we've |
> | been anally raped by iDEFENSE! Call me  |
> \ at (212) 357-1207 if you can save me!   /
>  -----------------------------------------
>         \   _
>          \ (_)
>           \ ^__^       / \
>            \ (oo)\_____/_\ \
>              (__)\       ) /
>                  ||----w ((
>                  ||     ||>>
>
> [1] http://www.honeynet.org/tools/danalysis/privmsg
> [2] Some believe that those who take advantage of children, are simply
>     pedophiles, regardless of the situation. In rebuttal to the claim
>     that iDEFENSE employs pedophiles, we would like to say that we are
>     100% certain that Michael Jackson is guilty, we are fans of his
>     music, and will continue buying his records to help support him.
> [3] http://lists.netsys.com/pipermail/full-disclosure/2004-April/020690.html
> [4] It's probably a good thing that our company receives so much
>     federal funding. The combined millions of dollars pooled from
>     various government entities is definitely being spent wisely;
>     it is better that bureaucrats do what they can to get us as much
>     money as possible - this allows various government agencies to
>     have instant access to the latest cross-site scripting issues in
>     hotmail's service, before they are turned into devastating worms -
>     and keeps funding from going to asinine ventures such as aids and
>     cancer research. Fight terror, not disease.
>
> V. About iDEFENSE
>
> iDEFENSE is a global security intelligence company that proactively
> monitors sources throughout the world from technical vulnerabilities
> and hacker profiling to the spread of viruses and other malicious code.
> iALERT, our security intelligence service, provides decision-makers,
> frontline security professionals and network administrators with timely
> access to actionable intelligence and decision support on cyber-related
> threats. We are currently trying for complete market dominance and hope
> to soon eliminate the Carlyle Group by any means necessary. We already
> have stolen their webdesign - their customer base is next. For more
> information, visit http://www.idefense.com, or our research team's
> official website at http://idefense.bugtraq.org.

-- 
|Keith A. Pachulski | PenTeleData LP1 Information Security and Privacy|
|Phone: (800) 281.3564 x2454 | Pager: 6103497095@xxxxxxxxx|
|PGP: 6B56 C8DC 6201 6D1A BFF5 5799 E193 ABAA 9549 74D0|
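The backdoor the quoted post describes (a getpass() hook loaded through LD_PRELOAD into the victim's own ssh, plus trojaned passwd and ssh copies in ~/bin and a bindshell stashed as ~/bin/zsh) lives entirely inside the victim's home directory and needs no kernel bug. The dynamic loader does not honour a user's LD_PRELOAD for set-user-ID executables such as the system passwd, which is exactly why the attacker plants a look-alike passwd earlier in PATH instead. The script below is an added example for this thread, not code from the original post or from iDEFENSE: it audits a home directory for that pattern. The start-up file list, the shadowed binary names and the fixture paths (.lib/libgp.so, the ~/bin wrappers) are assumptions made for the example.

```shell
#!/bin/sh
# audit_home.sh - look for the user-level backdoor pattern from the quoted
# post: LD_PRELOAD exported from start-up files, and ssh/passwd/zsh
# look-alikes planted in ~/bin.  Added example for this thread, not code
# from the original post.  Output: one finding per line, KIND<TAB>path<TAB>note.

# Start-up files read by common login shells (list is an assumption).
RC_FILES=".profile .bashrc .bash_profile .zshenv .zshrc .cshrc .login .shrc"

# Names an attacker would shadow: anything that takes a password from the
# user, plus shell names a stray bindshell can hide behind (assumption).
SHADOW_NAMES="ssh scp passwd su sudo login sh bash zsh"

audit_home() {
    home=$1

    # 1. Loader variables in start-up files.  LD_PRELOAD set here is picked
    #    up by every non-setuid program the user runs, so a getpass() hook
    #    sees the password typed into ssh.  The loader refuses a user's
    #    LD_PRELOAD for set-user-ID binaries such as the real passwd, which
    #    is why the attacker also needs check 2.
    for rc in $RC_FILES; do
        f="$home/$rc"
        [ -f "$f" ] || continue
        n=$(grep -cE '(^|[^A-Za-z0-9_])LD_(PRELOAD|LIBRARY_PATH)=' "$f" || true)
        if [ "$n" -gt 0 ]; then
            printf 'PRELOAD\t%s\t%s line(s) set LD_PRELOAD or LD_LIBRARY_PATH\n' "$f" "$n"
        fi
    done

    # 2. Binaries in ~/bin that shadow system ones when ~/bin comes first
    #    in PATH: a wrapper named passwd can record the new password and
    #    then exec the real /usr/bin/passwd, and nothing looks wrong.
    for name in $SHADOW_NAMES; do
        b="$home/bin/$name"
        [ -f "$b" ] || continue
        sys=$(command -v "$name" 2>/dev/null || true)
        printf 'SHADOW\t%s\tshadows %s when ~/bin precedes it in PATH\n' \
            "$b" "${sys:-(no system copy found)}"
    done

    # 3. Shared objects anywhere under the home directory: an ordinary
    #    shell user has little reason to keep one, and it is the payload
    #    the LD_PRELOAD line points at.
    find "$home" -type f \( -name '*.so' -o -name '*.so.*' \) \
        -exec printf 'SHAREDOBJ\t%s\tcandidate preload object\n' {} \; 2>/dev/null
    return 0
}

# make_sample_home DIR - constructed fixture reproducing the post's
# description; no real account data.
make_sample_home() {
    d=$1
    mkdir -p "$d/bin" "$d/.lib"
    printf 'export PATH=$HOME/bin:$PATH\nexport LD_PRELOAD=$HOME/.lib/libgp.so\n' \
        > "$d/.profile"
    : > "$d/.lib/libgp.so"          # stand-in for the hook object
    printf '#!/bin/sh\n# trojan: would log the typed password first\nexec /usr/bin/passwd "$@"\n' \
        > "$d/bin/passwd"
    printf '#!/bin/sh\nexec /usr/bin/ssh "$@"\n' > "$d/bin/ssh"
    : > "$d/bin/zsh"                # where the post says the bindshell sat
    chmod +x "$d/bin/passwd" "$d/bin/ssh" "$d/bin/zsh"
}

# Usage: sh audit_home.sh /home/rave
if [ -n "${1:-}" ]; then
    audit_home "$1"
fi
```

Run it against a real account with `sh audit_home.sh /home/USER`, or build the fixture with `make_sample_home` to see what the three finding kinds look like. It is a starting point, not proof of a clean account: it does not check listening sockets owned by the user (the bindshell), and a hook loaded through any mechanism other than the user's own start-up files is outside its scope.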