                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3f, Phile #0x05 of 0x0f

|=-------------------------=[ We Are Watching ]=------------------------=|
|=----------------------------------------------------------------------=|
|=----------------------------=[ b0il3dp1g ]=---------------------------=|


"Right now, the attackers are not worried because there is only one
honeynet" - Lance Spitzner


1 - Background
2 - Field Examples
  2.1  - pokleyzz
  2.2  - II-Labs
  2.3  - Lorenzo ... aka The Long Named Whitehat
  2.4  - Alan McCaig (b0f) ... again
  2.5  - Obscure
  2.6  - Matthieu Peschaud
  2.7  - Mike Heins
  2.8  - David Ray
  2.9  - David Harlan
  2.10 - David Harlan & The Long Named Whitehat (again)
3 - Conclusion


--[ 1. Background

Whitehats love to pretend they know what's going on in the scene. They set
up boxes which are insecure and call them honeypots. I think Lance got owned
a few too many times and then just made up the excuse that he was trying to
get owned to gain information. Others that are almost as lame as Lance, and
actually know about the grep command, can use shells and make up fake
aliases and try to get all the possible info about the latest in blackhat
action: what exploits we have, what vulnerabilities we know about, what
techniques we have discovered, what has been backdoored or owned. Then they
try to use this information to gain fame within their group of peers by
posting to security mailing lists.

WELL MISTER WHITEY, WE ARE WATCHING YOU AS WELL.

We have been watching a few mailing lists and have noticed that whitehats
have been purposely planting honeypots into scripts for the last couple of
months.


--[ 2. Field Examples

- --- Example 1: pokleyzz --- -

Here is example 1:

  http://www.securityfocus.com/archive/1/323227
  "Webfroot Shoutbox 2.32 directory traversal and code injection."
by pokleyzz is a very good advisory, a very good technique (you will die
for sharing it pokleyzz!), but one messed up workaround:

  $conf = str_replace('./', '', $conf); // to avoid directory traversal

This is supposed to stop the attack. But the provided exploit, which I have
not seen work except on extremely newly installed Apache implementations,
does not even use directory traversal. It uses full paths. So the exploit
will work even when the suggested fix is in place. Also note that this
"avoid directory traversal" code can be evaded by using ...//...//...//
instead of ../../../, since a single pass of str_replace leaves ../ behind.
This fix is in use in the current version of Shoutbox.

- --- Example 2: II-Labs --- -

Next we have a strange whitehat method of trying to trick others into
creating honeypots in their own code by showing false examples of holes and
solutions. In example 2:

  http://www.securityfocus.com/archive/1/320997/2003-05-07/2003-05-13/0
  "II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version)"

by Dalibor Karlovic & DownBload is a very horrible advisory which points
out a nonexistent hole in YaBB. While YaBB does its include/include_once's
securely, this whitehat is trying to convince other programmers that it is
insecure. They instead introduce a different solution, one which is
terribly insecure. So now all those who would have used the YaBB method of
ensuring includes are secure would instead use II-Labs' method:

  if (!isset($sourcedir)) $sourcedir = "";

then..

  include_once ($sourcedir . '/Errors.php');

Which would not prevent anything, since $sourcedir would be defined in the
GPC (GET/POST/cookie) variables by the attacker (honeypot user).

- --- Example 3: Lorenzo ... aka The Long Named Whitehat --- -

Now example three.. This one has me slightly confused. I believe what the
whitehat is trying to do is promote drug use among the whitehat community.
This guy's English translator must have fucked up.. he thinks it's project
smokingpot.
That is the only logical explanation for:

  http://www.securityfocus.com/archive/1/326399/2003-09-09/2003-09-15/0
  http://www.securityfocus.com/archive/1/326398
  "Sambar Server : Crashing service with search.pl"

by Lorenzo Manuel Hernandez Garcia-Hierro, which states:

  "I encountered a buffer overflow vulnerability in the search system by
  perl file ( search.pl ) , with this you can corrupt the stack . The
  failure occurs when you send a specially crafted query."

The code which Lorenzo believes is insecure is:

  $value =~ tr/+/ /;

Not a single whitehat responded to this post. The drugs must be working.

- --- Example 4: Alan McCaig (b0f) ... again --- -

Another instance of the whitehat not knowing what in the hell they are even
typing is example number 4, proudly submitted to us by Alan McCaig (b0f)
in:

  http://www.securityfocus.com/archive/1/319505/2003-04-22/2003-04-28/0

I don't think we need to say anything about this completely moronic post
that hasn't already been said by Nathan Neulinger:

  "This is not a security problem. This is a case of using an automated
  tool to find these vulnerabilities and not attempting to understand the
  code itself. Nowhere in the code is MSG_Error_General() passed anything
  other than a static compiled-into-the-executable string. It's purely a
  utility function to wrap common error text/footer/etc. around a generic
  string."

- --- Example 5: obscure --- -

This one was pointed out a long time ago, although since then obscure has
been told of his flaws and has removed the suggested fix
(http://eyeonsecurity.org/misc/yabbfix.html). We believe obscure was at one
time a Lance recruit, but was molested and told his parents of the Lance
sleepovers. Lance did not take too kindly to this narqing, so he kicked
obscure out of the honeynet project for ever!
Anyways, the problem was in YaBB and UBB:

  http://www.securityfocus.com/archive/1/249031
  "CSS vulnerabilities in YaBB and UBB allow account hijack"

by obscure. The suggested fix for the cross site scripting was:

  if ($message =~ /\[img\]http:\/\/.*\[\/img\]/) {
    $message =~ s~\[img\]\n?javascript\:(.+?)\n?\[/img\]~\[ img\]javascript\:$1\[/img \]~isg;
    if($message =~ m~\[img\]\n?(.+?)\n?\[/img\]~gi && $1 !~ m~javascript\:~gi) {
      $message =~ s~\[img\]\n?(.+?)\n?\[/img\]~~isg;
    }
  }

That only works if one instance of [img][/img] is present (the inner check
only ever looks at the $1 captured from the first match). What about
multiple? It fails to protect the home users.. setting each of their
machines up to be a honeypot. Now Lance and friends have a whole army of
vulnerable XSS clientpots. Boo obscure. Boo this whitehat!

- --- Example 6: Matthieu Peschaud --- -

By alerting the public of security vulnerabilities Matthieu Peschaud looks
like an upstanding citizen of France. Full-disclosure is all the rage. Too
bad it's not completely full. It is only enough to let all those blackhats
know the program is coded poorly. So they'll figure out the easy to spot
vulnerabilities and exploit all those honeypots out there. Btw, the url is:

  http://www.securityfocus.com/archive/1/342559

Not only is this a non-issue when you follow the instructions in the readme
file and put a .htaccess in the /include/ directory, but his "patched"
version still leaves /include/menus.inc.php vulnerable to the same attack.
Misinformation to the max!

- --- Example 7: Mike Heins --- -

  http://www.securityfocus.com/archive/1/287142/2003-10-28/2003-11-03/0

At the time, Interchange was a Red Hat project. It is unknown whether or not
all or some of the Red Hat developers are in cahoots with Lance. Looking at
Red Hat's security history, I would no doubt argue that they have
implemented almost as many backdoors into their OS as Theo's gang, making
them a high priority on the whitehat's most wanted list. Open up the oven,
it's time to start a fire. The bug is for ../../ directory traversal.
The fix in lib/vend/server.pm:

  if($path =~ m{\.\./}) {
    logGlobal("Attempted breakin using path=$path, will show 404");
    $path =~ s{\.\./}{}g;
  }

Notice, as any blackhat can see.. you can evade this ../ filtering by
sending ....// or ..././ or even .../...// instead of ../, because the
substitution only makes one pass over the string. This vuln is in vend,
minivend, Interchange, and a bunch of other projects that use vend's code.
As you can see it logs this information to a global logfile. This is what
Lance uses to notify him when a hacker is in action. He uses his newly
acquired grep skills to look for this in the log.

- --- Example 8: David Ray --- -

  http://bau2.uibk.ac.at/matic/ws20.htm
  "CGI Security: not as scary as it sounds"

perhaps should be called "LANCE! I have brainwashed the programmers, now we
shall have job security". Check the example of "secure" input validation;
the author must have forgotten this simple exploit:

  script.cgi?>script.cgi

which will overwrite script.cgi. Here is the vulnerable section from the
paper:

  "So let's disallow any characters other than a-z, A-Z, 0-9, and the
  characters . - _ and @. (The % symbol is used for e-mail purposes only.)
  If we do this, the script would remain functional and be safe from users
  trying to send command-line arguments because it disallows whitespace
  characters.

  #!/usr/bin/perl
  print "Content-type: text/plain\n\n";
  $address = $ENV{'QUERY_STRING'};
  #btw, this next line should have \-
  #does Lance know how to code?
  if ($address =~ /[^a-zA-Z0-9_-.<\@>]/) {
    print "Username must be in the form \"user@machine\", Please try again,\n";
  } else {
    print "FINGER OF $address:\n\n", \
    `/usr/bin/finger $address`;
  }
  "

Then there was a problem in another tutorial there. This one had no author,
so it must have been written by Lance. This is a honeynet of misinformed
tutorials with the intent of teaching programmers bad habits. A classic
infosec technique.
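Examples 1 and 7 above fail for the same reason: str_replace and s///g scan
the string once, left to right, so input built to leave ../ behind after
the strip is never looked at again. The Python below is an added
illustration, not code from Shoutbox, Interchange or any of the authors
named here; it ports both filters, feeds them the bypass shapes the article
gives, and contrasts them with the check the filters lack: normalise the
whole path and confirm it still sits under the document root. The root
directory and file names are constructed.

```python
import posixpath

# Ports of the two single-pass filters quoted in Examples 1 and 7.
def shoutbox_filter(conf):
    # PHP: $conf = str_replace('./', '', $conf);
    return conf.replace("./", "")

def vend_filter(path):
    # Perl: $path =~ s{\.\./}{}g;
    return path.replace("../", "")

# Constructed inputs in the ...// and ....// shapes the article describes.
# Each "./" or "../" that the filter removes leaves a fresh "../" behind,
# and the single pass never rescans it.
BYPASSES = {
    "shoutbox": "...//...//etc/passwd",
    "vend":     "....//....//etc/passwd",
}

def filtered_bypasses():
    """What each filter actually emits for the bypass inputs."""
    return {
        "shoutbox": shoutbox_filter(BYPASSES["shoutbox"]),
        "vend": vend_filter(BYPASSES["vend"]),
    }

# The missing check: decide on the resolved path, not on substrings.
# base is a constructed example document root.
def safe_path(base, user_path):
    """Return the normalised path under base, or None if it escapes base."""
    if posixpath.isabs(user_path):   # full paths, the trick the Shoutbox exploit used
        return None
    base = posixpath.normpath(base)
    full = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, full]) != base:
        return None
    return full

if __name__ == "__main__":
    root = "/var/www/htdocs"
    for name, out in filtered_bypasses().items():
        print(name, "filter emits", out, "-> allowed path:", safe_path(root, out))
```

Note that safe_path accepts the raw ....// strings because, unfiltered, they
name ordinary directories called "...." under the root; it is the broken
filter's output that escapes, and safe_path rejects that.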
"* Specific Guidelines for File I/O If your script has any file i/o, you want to make sure that any file description has no ~s or ../s in it, since those characters could be used to create or read from unexpected files. Do things like this: ## user-input in associative array %form $form{'filename'}=~tr/~//d; #get rid of ~s $form{'filename'}=~s/\.\.\///g; #get rid of ../s open(HANDLE,"$startpath/$form{'filename'}");" The s/\.\.\///g; can be defeated with .\./ or ..../....// as any blackhat knows. Of course informative security solution is : " $form{'search'}=~s/([{}[]|\;<>()])/\\$1/g; This will put an escaping back-slash in front of any potentially dangerous character." Not only forgot the & character, which can be used to issue additional commands it also forgets the \ which can escape the escape. These papers are quite old and are still used as resources for new and impressional programmers. In accordence with Lance's plan, these hordes of programmers will soon be coding and distributing insecure software to millions of servers worldwide. Now that's a honeynet! - --- Example 9: David Harlan --- - Whoever decided to publish David's book, "Using perl for web programming" must have either been a lance supporter or had never even heard of 'the web' before. This book has as much secured code as openvms. You might laugh when I tell you how he passes data between perl scripts. instead of using require all the time, he uses a system call and passes data as arguments. Most of the time the data passed comes from the user and is not filtered for dangerous characters. Here is an example of how Lance followers are teaching programmers how to code in "Listing 4.1-Script to Print a Summary of User-Survey Data (PRINTDATA1.PL)" open (data, "printdatasup period$i $email |"); No filtering is done to the path or $email. Any shell meta characters (besides /) are allowed. $email is passed directly to the system. There are many times this problem occurs throughout the book. 
He is teaching other, less knowledgeable programmers how to code very
insecurely. This is as far as I read into the book. I could not stand the
programming style any longer. If Lance's book is anything like this one, it
shouldn't sell more than 10 copies. But that's still 10 more honeypots for
Lance's network.

- --- Example 10: David Harlan & The Long Named Whitehat (again) --- -

  http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-05/0125.html

This 'DarkHunter' is a 'BigRetard' when he suggests fixing a cross site
scripting vulnerability with addslashes(). He must be trying to trick
internet users into thinking Movable Type is coded in PHP. Since it is
coded in Perl, many people will add all sorts of insecure PHP code to their
site and the blackhats will have more honeypots to get stuck in. Or at
least that's BigRetard's plan.

His suggested fix is almost as bad as Lorenzo Hernandez Garcia-Hierro's fix
for XSS. It seems he knows exactly what he is doing when he backdoors this
product. The post in which Lorenzo attempts to mind-control admins into
installing his backdoor is:

  http://lists.netsys.com/pipermail/full-disclosure/2003-October/011481.html

Check out this social engineering to try and convince people that his fix
is superior to the official one:

  "Due to the completely incorrect treatment and work of the Geeklog
  development team , that they don't developed fixes for THEIR product
  which is used around the world by lots of users , i have fixes aka
  patches for the last Geeklog vulnerabilities."

Then he pastes his backdoor, which is vulnerable to all sorts of XSS.
Including this extremely advanced technique:

  yousuck

Then Lorenzo gets caught trying to backdoor millions by Jouko Pynnonen:

  http://lists.netsys.com/pipermail/full-disclosure/2003-October/011953.html

Lorenzo retaliates with a new fix:

  http://lists.netsys.com/pipermail/full-disclosure/2003-October/011485.html

then tries to confuse admins by releasing another backdoored fix:

  http://lists.netsys.com/pipermail/full-disclosure/2003-October/011487.html

Then a maintainer of Geeklog posts saying that the SQL injections have not
been reproduced and "the post even claims to have found the problem in a
2.x version of Geeklog that doesn't exist yet". Did I mention that FUD is a
tactic used by the security industry to scare users into doing irrational
things? (Such as installing backdoored fixes.) Yep, this moron truly is a
crusader for the honeypot project.. even his site is a honeynet! Check out

  http://lists.netsys.com/pipermail/full-disclosure/2003-December/014594.html

for a confession.

I am sorry I had to post so many urls. This Lorenzo guy makes up 70% of the
traffic on the FD list. I think he and morning_wood were separated at
birth.


--[ 3. Conclusion

I think it is safe to say that whitehats around the world are working for
Lance, trying to get as many of the internet users/programmers as possible
caught in their honeynet. Don't stand by idle, fight against these
honeypots... or soon Lance will get his wish and the entire internet will
be as vulnerable as default Red Hat installs. One giant honeynet, and the
attackers will not be scared.

We are watching you too Lance. Even in the shower. You have a small pecker.

|=[ EOF ]=---------------------------------------------------------------=|