==Phrack Inc.==
Volume 0x0b, Issue 0x3f, Phile #0x05 of 0x0f
|=-------------------------=[ We Are Watching ]=------------------------=|
|=----------------------------------------------------------------------=|
|=----------------------------=[ b0il3dp1g ]=---------------------------=|
"Right now, the attackers are not worried because there is only one
honeynet"
- Lance Spitzner
1 - Background
2 - Field Examples
2.1 - pokleyzz
2.2 - II-Labs
2.3 - Lorenzo ... aka The Long Named Whitehat
2.4 - Alan McCaig (b0f) ... again
2.5 - Obscure
2.6 - Matthieu Peschaud
2.7 - Mike Heins
2.8 - David Ray
2.9 - David Harlan
2.10 - David Harlan & The Long Named Whitehat (again)
3 - Conclusion
--[ 1. Background
Whitehats love to pretend they know what's going on in the scene. They
set up boxes which are insecure and call them honeypots. I think lance
got owned a few too many times and then just made up the excuse that he
was trying to get owned to gain information. Others that are almost as
lame as lance, and actually know about the grep command, can use shells
and make up fake aliases to try and get all the possible info about the
latest in blackhat action: what exploits we have, what vulnerabilities
we know about, what techniques we have discovered, what has been
backdoored or owned. Then they try to use this information to gain fame
within their group of peers by posting to security mailing lists.
WELL MISTER WHITEY, WE ARE WATCHING YOU AS WELL.
We have been watching a few mailing lists and have noticed that
whitehats have been purposely planting honeypots into scripts for
the last couple of months.
--[ 2. Field Examples
- --- Example 1: pokleyzz --- -
Here is example 1:
http://www.securityfocus.com/archive/1/323227
"Webfroot Shoutbox 2.32 directory traversal and code injection." by
pokleyzz is a very good advisory with a very good technique (you will die
for sharing it pokleyzz!), but one messed up workaround:
    $conf = str_replace('./', '', $conf); // to avoid directory traversal
This is supposed to stop the attack. But the provided exploit, which I
have not seen work except on freshly installed apache setups, does not
even use directory traversal. It uses full paths. So the exploit will
work even when the suggested fix is in place. Also note that this "avoid
directory traversal" code can be bypassed by using ...//...//...//
instead of ../../../. This fix is in use in the current version of
shoutbox.
- --- Example 2: II-Labs --- -
Next we have a strange whitehat method of trying to trick others into
creating honeypots in their own code by showing false examples of holes
and solutions.
In example 2:
http://www.securityfocus.com/archive/1/320997/2003-05-07/2003-05-13/0
"II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version)"
by Dalibor Karlovic & DownBload is a very horrible advisory which points
out a nonexistent hole in YaBB. While YaBB does its include/include_once's
securely, this whitehat is trying to convince other programmers that it
is insecure. They instead introduce a different solution, one which is
terribly insecure. So now all those who would have used the YaBB method
of ensuring includes are secure would instead use II-Labs' method:
    if (!isset($sourcedir)) $sourcedir = "";
then..
    include_once ($sourcedir . '/Errors.php');
Which would not prevent anything, since $sourcedir would be defined in
GPC variables by the attacker (honeypot user).
- --- Example 3: Lorenzo ... aka The Long Named Whitehat --- -
Now example three.. This one I am slightly confused by. I believe what
the whitehat is trying to do is promote drug use among the whitehat
community. This guy's English translator must have fucked up.. he thinks
it's project smokingpot. That is the only logical explanation for:
http://www.securityfocus.com/archive/1/326399/2003-09-09/2003-09-15/0
http://www.securityfocus.com/archive/1/326398
"Sambar Server : Crashing service with search.pl" by Lorenzo Manuel
Hernandez Garcia-Hierro, which states "I encountered a buffer overflow
vulnerability in the search system by perl file ( search.pl ) , with
this you can corrupt the stack . The failure occurs when you send a
specially crafted query."
The code which Lorenzo believes is insecure is: $value =~ tr/+/ /;
Not a single whitehat responded to this post. The drugs must be working.
- --- Example 4: Alan McCaig (b0f) ... again --- -
Another instance of the whitehat not knowing what in the hell they are
even typing is example number 4, proudly submitted to us by Alan McCaig
(b0f) in:
http://www.securityfocus.com/archive/1/319505/2003-04-22/2003-04-28/0
I don't think we need to say anything about this completely moronic post
that hasn't already been said by Nathan Neulinger:
"This is not a security problem. This is a case of using an automated
tool to find these vulnerabilities and not attempting to understand the
code itself.
Nowhere in the code is MSG_Error_General() passed anything other than a
static compiled-into-the-executable string. It's purely a utility
function to wrap common error text/footer/etc. around a generic string."
- --- Example 5: obscure --- -
This one was pointed out a long time ago, although since then obscure has
been told of his flaws and has removed the suggested fix
(http://eyeonsecurity.org/misc/yabbfix.html). We believe obscure was
at one time a lance recruit, but was molested and told his parents of
the lance sleepovers. Lance did not take too kindly to this narqing,
so he kicked obscure out of the honeynet project for ever! Anyways,
The problem was in YaBB and UBB:
http://www.securityfocus.com/archive/1/249031
"CSS vulnerabilities in YaBB and UBB allow account hijack" by obscure
The suggested fix for the cross site scripting was:
    if ($message =~ /\[img\]http:\/\/.*\[\/img\]/) {
        $message =~ s~\[img\]\n?javascript\:(.+?)\n?\[/img\]~\[ img\]javascript\:$1\[/img \]~isg;
        if ($message =~ m~\[img\]\n?(.+?)\n?\[/img\]~gi && $1 !~ m~javascript\:~gi) {
            $message =~ s~\[img\]\n?(.+?)\n?\[/img\]~ ~isg;
        }
    }
That only works if one instance of [img][/img] is present. What
about multiple? It fails to protect the home users.. setting each
of their machines up to be a honeypot. Now Lance and friends have
a whole army of vulnerable xss clientpots. Boo obscure. Boo this
whitehat!
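For contrast with the one-shot fix above, here is the filter a board should have shipped: every [img] tag in a post is visited, not just the first, and the URL has to pass an allowlist (absolute http or https, no whitespace or markup characters) or the tag is dropped. This is an added Python re-creation of the defensive logic, not obscure's Perl and not YaBB/UBB code; the "[image removed]" marker is my own choice.

```python
import re
from urllib.parse import urlsplit

# Matches every [img]...[/img] pair, case-insensitively, newlines included.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.I | re.S)

def safe_img_url(raw):
    """Allowlist check: return the URL only if it is an absolute http(s) URL
    with no whitespace, control or HTML-significant characters."""
    url = raw.strip()
    if not url or re.search(r"[\s\x00-\x1f\"'<>]", url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url

def sanitize_img_tags(message):
    """Rewrite every [img] tag in the post. A tag whose URL fails the
    allowlist is replaced by a fixed marker instead of being patched up,
    so a second or third tag gets exactly the same treatment as the first."""
    def repl(match):
        url = safe_img_url(match.group(1))
        return "[img]%s[/img]" % url if url else "[image removed]"
    return IMG_TAG.sub(repl, message)

if __name__ == "__main__":
    # Constructed sample post: two real images and two javascript: payloads,
    # one of them split across lines and one in mixed case.
    post = ("[img]http://pics.example/a.png[/img] [IMG]\njavascript:alert(1)\n[/IMG] "
            "[img]JaVaScRiPt:alert(2)[/img] [img]http://pics.example/b.gif[/img]")
    print(sanitize_img_tags(post))
```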
- --- Example 6: Matthieu Peschaud --- -
By alerting the public of security vulnerabilities Matthieu Peschaud
looks like an upstanding citizen of France. Full-disclosure is all the
rage. Too bad it's not completely full. It is only enough to let all
those blackhats know the program is coded poorly. So they'll figure out
the easy to spot vulnerabilities and exploit all those honeypots out
there.
Btw, the URL is http://www.securityfocus.com/archive/1/342559
Not only is this a non-issue when you follow the instructions in the
readme file and put a .htaccess in the /include/ directory, but his
"patched" version still leaves /include/menus.inc.php vulnerable to
the same attack. Misinformation to the max!
- --- Example 7: Mike Heins --- -
http://www.securityfocus.com/archive/1/287142/2003-10-28/2003-11-03/0
At the time, interchange was a redhat project. It is unknown whether
or not all or some of the redhat developers are in cahoots with lance.
Looking at redhat's security history, I would no doubt argue that
they have implemented almost as many backdoors into their OS as theo's
gang, making them a high priority on the whitehat's most wanted list.
Open up the oven, it's time to start a fire.
The bug is ../../ directory traversal. The fix in lib/vend/server.pm:
    if($path =~ m{\.\./}) {
        logGlobal("Attempted breakin using path=$path, will show 404");
        $path =~ s{\.\./}{}g;
    }
Notice, as any blackhat can see.. you can evade this ../ filtering by
sending ....// or ..././ or even .../...// instead of ../
This vuln is in vend, minivend, interchange, and a bunch of other
projects that use vend's code. As you can see it logs this
information to a global logfile. This is what lance uses to notify
him when a hacker is in action. He uses his newly acquired grep
skills to look for this in the log.
- --- Example 8: David Ray --- -
http://bau2.uibk.ac.at/matic/ws20.htm
"CGI Security: not as scary as it sounds", perhaps should be called
"LANCE! I have brainwashed the programmers, now we shall have job security".
Check the example of "secure" input validation; the author must have
forgotten this simple exploit:
    script.cgi?>script.cgi
Which will overwrite script.cgi. Here is the vulnerable section from
the paper:
"So let's disallow any characters other than a-z, A-Z, 0-9, and the
characters . - _ and @. (The % symbol is used for e-mail purposes only.)
If we do this, the script would remain functional and be safe from users
trying to send command-line arguments because it disallows whitespace
characters.
    #!/usr/bin/perl
    print "Content-type: text/plain\n\n";
    $address = $ENV{'QUERY_STRING'};
    #btw, this next line should have \-
    #does Lance know how to code?
    if ($address =~ /[^a-zA-Z0-9_-.<\@>]/) {
        print "Username must be in the form \"user@machine\", Please try again,\n";
    }
    else {
        print "FINGER OF $address:\n\n", `/usr/bin/finger $address`;
    }
"
Then there was a problem in another tutorial there. This one had no author,
so it must be written by Lance. This is a honeynet of misinformed tutorials
with the intent of teaching programmers bad habits. A classic infosec
technique.
"* Specific Guidelines for File I/O If your script has any file i/o, you
want to make sure that any file description has no ~s or ../s in it, since
those characters could be used to create or read from unexpected files.
Do things like this:
## user-input in associative array %form
$form{'filename'}=~tr/~//d; #get rid of ~s
$form{'filename'}=~s/\.\.\///g; #get rid of ../s
open(HANDLE,"$startpath/$form{'filename'}");"
The s/\.\.\///g can be defeated with .\./ or ..../....//, as any blackhat
knows. Of course, the informative security solution is:
"
$form{'search'}=~s/([{}[]|\;<>()])/\\$1/g;
This will put an escaping back-slash in front of any potentially dangerous
character."
Not only does it forget the & character, which can be used to issue
additional commands, it also forgets the \ which can escape the escape.
These papers are quite old and are still used as resources for new and
impressionable programmers. In accordance with Lance's plan, these hordes
of programmers will soon be coding and distributing insecure software to
millions of servers worldwide. Now that's a honeynet!
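The three traversal "fixes" quoted in Examples 1, 7 and 8 share one defect: they strip a pattern once and trust what is left. The Python below is an added re-creation of those one-pass filters (the PHP str_replace and the Perl s{\.\./}{}g), run against the payloads the article lists, next to the check the code should have used instead: normalise the final path and refuse anything that lands outside the base directory. It is not code from any of the quoted projects; the base directory /var/www/data is a constructed value.

```python
import posixpath
import re

ROOT = "/var/www/data"   # constructed base directory for the demonstration

def strip_dot_slash(path):
    # Example 1: the PHP str_replace('./', '', $conf) workaround, one pass.
    return path.replace("./", "")

def strip_dot_dot_slash(path):
    # Examples 7 and 8: the Perl s{\.\./}{}g fix, also one pass.
    return re.sub(r"\.\./", "", path)

def escapes_root(path, root=ROOT):
    """True if root/path normalises to something outside root. An absolute
    path (Example 1's 'full paths') replaces root in join() and so escapes."""
    full = posixpath.normpath(posixpath.join(root, path))
    return full != root and not full.startswith(root + "/")

def safe_join(path, root=ROOT):
    """Reject-don't-repair: refuse any path that would leave the base
    directory. Nothing is rewritten, so there is no second spelling of
    '../' for the filter to overlook."""
    if escapes_root(path, root):
        raise ValueError("path escapes %s: %r" % (root, path))
    return posixpath.normpath(posixpath.join(root, path))

if __name__ == "__main__":
    # The raw payloads are harmless on their own ("...." is just a directory
    # name); it is the stripping pass that manufactures the "../".
    for payload in ("...//...//etc/passwd", "....//....//etc/passwd", "..././..././etc/passwd"):
        print("%-26s raw escapes: %-5s  after str_replace: %-22s after s{\\.\\./}{}g: %s"
              % (payload, escapes_root(payload),
                 strip_dot_slash(payload), strip_dot_dot_slash(payload)))
```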
- --- Example 9: David Harlan --- -
Whoever decided to publish David's book, "Using perl for web programming"
must have either been a lance supporter or had never even heard of
'the web' before. This book has as much secured code as openvms.
You might laugh when I tell you how he passes data between perl scripts.
Instead of using require all the time, he uses a system call and passes
data as arguments. Most of the time the data passed comes from the
user and is not filtered for dangerous characters. Here is an example of
how Lance followers are teaching programmers how to code in
"Listing 4.1-Script to Print a Summary of User-Survey Data (PRINTDATA1.PL)"
    open (data, "printdatasup period$i $email |");
No filtering is done to the path or $email. Any shell meta characters
(besides /) are allowed. $email is passed directly to the system.
There are many times this problem occurs throughout the book. He is
teaching other, less knowledgeable programmers, how to code very
insecurely. This is as far as I read into the book. I could not
stand the programming style for any longer. If Lance's book is anything
like this one, it shouldn't sell more than 10 copies.
But that's still 10 more honeypots for Lance's network.
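Examples 8 and 9 are the same bug twice: user input spliced into a shell command, once behind a blacklist escape that misses characters, once behind nothing at all. The Python below is an added re-creation (not the tutorial's or the book's code) of the intended blacklist from Example 8, showing what it leaves through, beside the two things that actually work: an allowlist that matches the tutorial's stated character set, and running the command as an argument vector with no shell at all, which is the counterpart of the book's open(..., "cmd $email |"). The finger path is the page's; the option-injection check on a leading "-" is my addition.

```python
import re
import subprocess

def blacklist_escape(value):
    # Re-creation of the tutorial's intended s/([{}[]|\;<>()])/\\$1/g:
    # backslash-escape a fixed list of shell metacharacters.  '&', '$',
    # backticks and '\' itself are not in the list, so they pass untouched.
    return re.sub(r"([{}\[\]|;<>()])", r"\\\1", value)

ADDRESS_RE = re.compile(r"^[a-zA-Z0-9_.@-]+$")   # '-' last, so it is literal

def is_valid_address(value):
    """Allowlist check for a finger target: the tutorial's intended set
    (a-z, A-Z, 0-9, . - _ @), and no leading '-' so the value cannot be
    parsed by finger as an option (added check, not from the page)."""
    return bool(ADDRESS_RE.match(value)) and not value.startswith("-")

def finger_argv(address):
    """Build the argument vector. The address is one argv element, never part
    of a shell string, so no metacharacter in it is ever interpreted."""
    if not is_valid_address(address):
        raise ValueError("rejected finger target: %r" % address)
    return ["/usr/bin/finger", address]

def finger(address):
    """Run finger without a shell; counterpart of the tutorial's backticks
    and of the book's two-argument open() with a trailing pipe."""
    return subprocess.run(finger_argv(address), capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Constructed inputs: the article's ">script.cgi" payload plus two
    # strings the blacklist leaves exploitable ('&' untouched, '\' doubled
    # so the ';' behind it is live again).
    for s in ("user@machine", ">script.cgi", "a@b.example & id", "a\\;b"):
        print("%-18r blacklist -> %-22r allowlist ok: %s"
              % (s, blacklist_escape(s), is_valid_address(s)))
```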
- --- Example 10: David Harlan & The Long Named Whitehat (again) --- -
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-05/0125.html
This 'DarkHunter' is a 'BigRetard' when he suggests fixing a cross site
scripting vulnerability with addslashes(). He must be trying to
trick internet users into thinking movable type is coded in php. Since
it is coded in perl many people will add all sorts of insecure php code
to their site and the blackhats will have more honeypots to get stuck in.
Or at least that's BigRetard's plan.
His suggested fix is almost as bad as Lorenzo Hernandez Garcia-Hierro's fix
for XSS. It seems he knows exactly what he is doing when he backdoors this
product. The post in which Lorenzo attempts to mindcontrol admins into
installing his backdoor is
http://lists.netsys.com/pipermail/full-disclosure/2003-October/011481.html
Check out this social engineering to try and convince people that his fix is
superior to the official one.
"Due to the completely incorrect treatment and work of the Geeklog
development team , that they haven't developed fixes for THEIR product which
is used around the world by lots of users , I have fixes aka patches for the
last Geeklog vulnerabilities."
Then he pastes his backdoor, which is vulnerable to all sorts of XSS.
Including this extremely advanced technique:
yousuck
Then lorenzo gets caught trying to backdoor millions by Jouko Pynnonen:
http://lists.netsys.com/pipermail/full-disclosure/2003-October/011953.html
lorenzo retaliates with a new fix
http://lists.netsys.com/pipermail/full-disclosure/2003-October/011485.html
then tries to confuse admins by releasing another backdoored fix
http://lists.netsys.com/pipermail/full-disclosure/2003-October/011487.html
Then a maintainer of geeklog posts saying that the sql injections have
not been reproduced and "the post even claims to have found the problem in
a 2.x version of Geeklog that doesn't exist yet". Did I mention that FUD is
a tactic used by the sec.industry to scare users into doing irrational
things? (Such as installing backdoored fixes.) Yep, this moron truly is a
crusader for the honeypot project.. even his site is a honeynet! Check out
http://lists.netsys.com/pipermail/full-disclosure/2003-December/014594.html
for a confession.
I am sorry I had to post so many urls. This lorenzo guy makes up for 70% of
the traffic on the fd list. I think he and morning_wood were separated at
birth.
--[ 3. Conclusion
I think it is safe to say that whitehats around the world are working
for Lance, trying to get as many of the internet users/programmers as
possible caught in their honeynet. Don't stand idly by, fight against
these honeypots... or soon Lance will get his wish and the entire internet
will be as vulnerable as default redhat installs. One giant honeynet, and
the attackers will not be scared. We are watching you too Lance. Even in
the shower. You have a small pecker.
|=[ EOF ]=---------------------------------------------------------------=|