The L0pht spends considerable time researching and documenting security flaws that exist
in the internet infrastructure. These flaws may be in operating systems, networking
protocols, or application software. So that system administrators, users, and
software and hardware vendors may benefit from our knowledge, we share some of
it with you.
The L0pht Advisories are meant as an archive of vulnerabilities that we have researched and made public. As part of the Advisories we will be publishing detailed tutorials and documentation about the techniques and tools used to uncover programming and protocol flaws.
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
4/11/97 | Microsoft NT Passwords | L0phtCrack the Microsoft NT cracker | L0phtcrack will recover passwords from Windows NT registries in a variety of fashions, including exhaustive keyspace attacks. | mudge@l0pht.com weld@l0pht.com |
Recently several NT password crackers have emerged. We offer this one with the belief that it offers some features and functionality that the current ones do not have.

L0phtcrack will recover passwords from Windows NT registries in a variety of fashions. By feeding in the output from PWDump [by Jeremy Allison, jra@cygnus.com] and a dictionary file, L0phtcrack rev 1 will attempt to retrieve:

1) only the LANMAN plaintext password

Alternatively, L0phtcrack gives you the capability to _brute force_ the entire key space and recover ALL USER PASSWORDS up to 14 characters in length. By going through the entire keyspace available, this program WILL RETURN ALL OF THE PLAINTEXT PASSWORDS (both LANMAN and MD4) up to and including 14 characters in length (note that the User Login Dialog box on NT machines limits the number of characters that can be typed to 14 for the MD4 dialect. Future releases of this software will enable brute forcing of up to 16 characters for MD4).

L0phtcrack comes in three flavours:

1) A nice Windows GUI interface so you can point and click.

L0phtCrack in tar gzipped format.
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
3/19/97 UPDATED 3/24/97 | IIS 3.0 | Windows NT Server 4.0 | Users view the contents of .asp files which could contain sensitive information such as passwords. | weld@l0pht.com |
Microsoft's IIS 3.0 supports server side scripting using "Active Server Pages" or .asp files. These files are meant to execute and not be visible to the user. These scripts may contain sensitive information such as SQL Server passwords. These files can be downloaded and viewed instead of executed by replacing '.' in a URL with '%2e'.

There is a hot-fix for this problem available from Microsoft, dated Thu Feb 27 14:22:00 1997. This problem only exists on sites without the hot-fix that attempted a fix using an ISAPI filter that failed to filter out '%2e' correctly.
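The failure mode above is a canonicalization bug: the filter compared the request path as received, so the encoded form of '.' never matched the script extension and the file fell through to the static file handler. The following is an added example, not code from the L0pht page, from IIS, or from Microsoft's hot-fix. It places a model of the weak filter beside one that decodes and normalizes before deciding, and refuses paths that are still ambiguous after one round of decoding. The `SCRIPT_EXTENSIONS` tuple and the sample request paths are constructed for illustration.

```python
"""Added example, not code from the L0pht page or from Microsoft's hot-fix.

Models the flaw described above: a filter that compares the raw request path
against a list of script extensions never sees '%2e' as '.', so an .asp file
requested as '%2easp' is handed to the static file handler and its source is
served. The hardened version decodes and normalizes first, and rejects a path
that is still ambiguous after one round of decoding.
"""
from urllib.parse import unquote
import posixpath

# Extensions the server must hand to the script engine, never serve as bytes.
# Constructed for the example; IIS 3.0's real mapping table is not on the page.
SCRIPT_EXTENSIONS = (".asp",)


def dispatch_naive(raw_path: str) -> str:
    """Weak check on the path exactly as received. Returns 'execute' or 'serve'."""
    if raw_path.lower().endswith(SCRIPT_EXTENSIONS):
        return "execute"
    return "serve"


def canonical_path(raw_path: str) -> str:
    """Percent-decode once, then collapse '.' and '..' segments so every
    spelling of the same file maps to one string."""
    decoded = unquote(raw_path)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def dispatch_hardened(raw_path: str) -> str:
    """Decide on the canonical form. Returns 'execute', 'serve' or 'reject'.

    Anything that still carries a '%' or a NUL after decoding is double
    encoded or malformed; refusing it is safer than guessing what the file
    system layer would make of it."""
    canon = canonical_path(raw_path)
    if "%" in canon or "\x00" in canon:
        return "reject"
    if canon.lower().endswith(SCRIPT_EXTENSIONS):
        return "execute"
    return "serve"


def leaked_paths(paths):
    """Paths the naive filter would serve as static files although they name
    a script: exactly the source-disclosure cases."""
    return [p for p in paths
            if dispatch_naive(p) == "serve" and dispatch_hardened(p) == "execute"]


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    "/default.asp",                  # plain request, both filters execute
    "/Default.ASP",                  # case differs, both filters execute
    "/default%2easp",                # the advisory's case: naive serves source
    "/default%2Easp",                # upper-case hex digit, same effect
    "/scripts/%2e%2e/default.asp",   # encoded '..' in a directory segment
    "/default%252easp",              # double encoded: hardened refuses it
    "/index.html",                   # ordinary static file
]

if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print(f"{p:32} naive={dispatch_naive(p):8} hardened={dispatch_hardened(p)}")
    print("source disclosed by naive filter:", leaked_paths(SAMPLE_REQUESTS))
```

The design point is that the decision to execute or serve must be made on one canonical form of the path, produced by the same decoding the file system layer will see; a filter that inspects the raw bytes can only ever block the spellings its author thought of. Refusing a path that still contains '%' after one decode avoids guessing whether a second decoding happens downstream.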
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
1/14/97 | Dynamically linked SUID programs calling getopt(3) | Solaris OS | Users can exploit a problem in Solaris SUID programs that use getopt(3) to obtain elevated privileges. | mudge@l0pht.com |
Scenario: A buffer overflow condition exists in the getopt routine.
By supplying an invalid option and replacing argv[0] of a SUID
program that uses the getopt(3) function with the appropriate address and
machine code instructions, it is possible to overwrite the saved
stack frame and upon return force the processor to execute user
supplied instructions with elevated permissions.
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
1/14/97 | Filter Fresh Coffee Machines | | Users can gain access using a factory default backdoor. | /dev/null@l0pht.com |
Scenario: Suppose you don't work at Microsoft, Sun, or any of the companies that provide free hot caffeinated beverages to their employees. It's a sad day when you find yourself at work (or scrounging around someone else's place of employment... I dunno, perhaps leaving a portable sniffing laptop up in the acoustic ceiling tiles) around 2am and the only coffee available is from a FILTER FRESH vending machine. It's even sadder when you are being asked to deposit .55 cents for an 8oz. cup of really poor java.

How to scam coffee from FILTER FRESH coffee vending machines.
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
1/10/97 updated 3/20/1997 | Novell Netware 3.11 and lower / Netware 3.x | Novell Netware 3.11 and lower / Netware 3.x | Under Netware 3.11 and lower, users may create trojan horses by creating personal login scripts for users who do not already have one. Under all 3.x versions users may create or modify their own login scripts. | tan@l0pht.com |
Scenario: Users without a personal login script are vulnerable to a trojan horse type attack. Any user logged into the server can create a personal login script for any user that does not already have one. A user may also create their own personal login script, circumventing any access control implemented through EXITing to menu systems or issuing commands from the personal login script. Under these scenarios, one user may use another to launch an elevated privileges attack. Alternatively, a user may EXIT from the login script, circumventing any menu systems typically used to restrict access at the presentation level. The vulnerability has been tested under Netware 3.x and is believed to exist in Netware 2.x (but is untested). Netware 4.x is planned to undergo examination.
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
12/12/96 | Domino 1.5 | Sites running Domino 1.5 | Users can edit or delete documents. Users can create documents under another user's identity. | weld@l0pht.com |
Lotus Domino is a web interface which allows users to access Lotus Notes
databases via HTTP. Many Domino sites on the Internet have incorrect
permissions granted to anonymous or registered users. Some Domino web
sites have relied on the design of their web pages to keep users from
accessing the commands to edit and delete documents. This can be bypassed
by editing the URL for the Domino web site. Once an edit form is
obtained, it is possible to enter data under the identity of another user.
Server side scripting associated with that document will be executed.
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
12/17/96 | crontab | FreeBSD, BSDI | Any local user can gain root privileges. | mudge@l0pht.com |
Due to a problem with the code in crontab, a buffer overflow exists that
allows a user to overwrite the information in a saved stack frame. When
the function returns, the saved frame is popped off of the stack and
user supplied code can be executed.
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
12/9/96 | Modstat | Systems with the *BSD distribution of modstat sgid kmem | Users can gain group kmem permissions and thus read DES keys, passwords, and in certain situations panic the machine (you know, the standard things you can do with group kmem perms). | mudge@l0pht.com |
Modstat is sgid kmem, which is really handy to become if you feel like looking through /dev/mem and /dev/kmem (gee, wonder what you might want to do that for

Advisory Details (source code)

The next day FreeBSD released a patch.
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
11/22/96 | Kerb4 | Sites running Kerb4 | Remote users can dictionary crack Kerberos user accounts without needing to know the username or Kerberos realm name. | mudge@l0pht.com |
It has long been known that Kerberos 4 Ticket Granting Tickets are susceptible to dictionary attacks, as they contain a constant string that can be used for comparison (the string happens to be "krbtgt"). Thus it has always been possible to: query a Kerberos server, hand in a valid principal (user and Kerberos realm), receive a Ticket Granting Ticket, and decrypt the DES ticket using dictionary words as the key; if the phrase "krbtgt" appears in the decrypted packet you have the correct key. This exact attack has been going on for some time in certain circles. In particular it seems to work quite well on dialup servers using Kerberos for password authentication.
Here is the complete toolkit used to expose the vulnerability in non-patched kerberos 4 servers.
A fix for CNS 96q1 from Mark Eichin
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
9/96 | Sendmail 8.7.5 | All | Any local user can gain root privileges. | mudge@l0pht.com |
Due to a problem with the code in sendmail a buffer overflow condition
exists that allows a user to overwrite the information in a saved
stack frame. When the function returns, the saved frame is popped off of
the stack and user code can be executed.
An exploit script will be made public upon the actual release of Sendmail 8.8 which fixes this particular exploitable code segment.
Full L0pht Advisory
Mudge has written a paper entitled, Compromised - Buffer - Overflows, from Intel to SPARC Version 8, that discusses the problems of buffer overflows. There is a postscript version available as well as the Acrobat version.
If you want to learn more about the technical details of buffer overflows, read this buffer overflow tutorial.
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
5/96 | s/key | All | s/key can be cracked. | mudge@l0pht.com |

MONKEY - the s/key cracker

MONKEY - MONitor s/KEYs

MONKEY is a program that works similarly in nature to Alec Muffett's CRACK. In essence it takes the MD4 value, in either hex or English words, and compares it against a dictionary. Once the secret password is known, one-time password schemes based on it are useless, as the appropriate response can be generated from the current challenge.
Release | Application | Platforms | Severity | Author |
---|---|---|---|---|
4/96 | test-cgi | All | Anyone can remotely inventory the files on a machine. | mudge@l0pht.com |

On many web sites there exists a file called test-cgi (usually in the cgi-bin directory or somewhere similar). There is a problem with many of these test-cgi files.