Security

  • Putty Proxy login/password disclosure....

    26 answers

    Hi,
    I come to report a little strange disclosure discovered by my co-worker
    Fx0day.
    When you save session information under PuTTY and you need a proxy for a
    session, we can find in plain clear text the proxy auth login and password
    in the Windows registry database.
    Strange to see a good SSH client storing hot information in plain clear
    text!!
    Regards,
    Antoine SANT
    Administration R et S
    MAAF Assurances Europex
    Full-Disclosure - We believe in it.
    Charter:
    Hosted and sponsored by Secunia - http://secunia.com/
  • No.1

    Did you report the finding to the author, so he can fix this issue?

    Heiko

    On Wed, 25 Oct 2006 07:15, Antoine SANT wrote:
    > For information, I use version 0.58, which seems to be the latest
    > release.
    >
    > Regards,
    > Antoine SANT
    > Administration R et S
    > MAAF Assurances Europex
    >
    > -----Original message-----
    > From: full-disclosure-bounces (AT) lists (DOT) grok.org.uk
    > [mailto:full-disclosure-bounces (AT) lists (DOT) grok.org.uk] On behalf of Antoine SANT
    > Sent: Wednesday 25 October 2006 12:45
    > To: full-disclosure (AT) lists (DOT) grok.org.uk
    > Subject: [Full-disclosure] Putty Proxy login/password disclosure
  • No.2

    "Antoine SANT" <Antoine.SANT (AT) maaf (DOT) fr> wrote in message
    news:021001c6f822$94e12f40$595ce60a (AT) maafprod (DOT) ecorail.com

    > When you save session information under PuTTY and you need a proxy
    > for a session, we can find in plain clear text the proxy auth login
    > and password in the Windows registry database.
    >
    > Strange to see a good SSH client storing hot information in plain
    > clear text!!

    The HKCU key is protected by an ACL; it is only accessible to the
    user, or to someone with admin rights. So it's not best practice,
    agreed, but it isn't a major vulnerability.

    cheers,
    DaveK
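The following is an added example and is not code from the thread or from the PuTTY project. DaveK's point is that the values sit behind the HKCU ACL, but anything running as that user, and any backup, roaming profile or `reg export` of the hive, reads them just the same, so the practical check is which saved sessions persist a proxy password at all. The script parses a `.reg` export of the PuTTY session tree (constructed sample below) instead of the live registry, so it runs on any platform. The key path `HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\<name>` and the value names `ProxyUsername`/`ProxyPassword` are assumptions about PuTTY's layout; the thread only says "the Windows registry".

```python
import re
from urllib.parse import unquote
from typing import Dict, List, Tuple

# Constructed sample of what `reg export HKCU\Software\SimonTatham\PuTTY\Sessions`
# might produce. The key path and the ProxyUsername/ProxyPassword value names are
# assumed to be PuTTY's layout (the thread only says "the Windows registry");
# host names and credentials are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\bastion%20via%20proxy]
"HostName"="bastion.example.internal"
"ProxyMethod"=dword:00000003
"ProxyHost"="proxy.example.internal"
"ProxyPort"=dword:00000bb8
"ProxyUsername"="asant"
"ProxyPassword"="Hunter2!"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\direct]
"HostName"="10.0.0.5"
"ProxyMethod"=dword:00000000
"ProxyUsername"=""
"ProxyPassword"=""
'''

SESSION_KEY = re.compile(
    r'^\[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\(.+)\]$')
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {session_name: {value_name: value}}.
    REG_SZ values lose their quotes, dword values become decimal strings,
    anything else is kept raw."""
    sessions: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SESSION_KEY.match(line)
        if m:
            # PuTTY percent-encodes unsafe characters in session names (%20 = space).
            current = unquote(m.group(1))
            sessions[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1]
            elif raw.startswith('dword:'):
                raw = str(int(raw[len('dword:'):], 16))
            sessions[current][name] = raw
    return sessions


def find_plaintext_proxy_creds(sessions: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Sessions that persist a non-empty proxy password, as (session, proxy user)."""
    return [(name, vals.get('ProxyUsername', ''))
            for name, vals in sessions.items() if vals.get('ProxyPassword', '')]


def redacted_reg(text: str) -> str:
    """Blank every ProxyPassword value so the export can be archived or shared."""
    return re.sub(r'^("ProxyPassword"=)".*"$', r'\1""', text, flags=re.M)


if __name__ == '__main__':
    for session, user in find_plaintext_proxy_creds(parse_reg(SAMPLE_REG)):
        print(f'session {session!r} stores a clear-text proxy password for user {user!r}')
```

On a Windows host, `reg export HKCU\Software\SimonTatham\PuTTY\Sessions putty.reg` produces the input (the file is UTF-16, so open it with that encoding before passing it to `parse_reg`); `find_plaintext_proxy_creds` lists the sessions to clean up and `redacted_reg` blanks the password values before the export is kept anywhere. The same ACL argument applies to the export file: once the hive leaves the registry, the HKCU protection DaveK relies on is gone.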
  • No.3

    Windows offers no security against local users. It is trivial to boot to a
    program like ERD Commander and replace admin passwords. On the other hand,
    PuTTY is meant to protect against everyone; that's why it doesn't allow saved
    passwords. Thus, this seems like a vulnerability to me.

    Matt Flaschen

    Quoting "Dave \"No, not that one\" Korn" <davek_throwaway (AT) hotmail (DOT) com>:

    > The HKCU key is protected by an ACL; it is only accessible to the
    > user, or to someone with admin rights. So it's not best practice,
    > agreed, but it isn't a major vulnerability.
    > --
    > cheers,
    > DaveK
  • No.4

    On Wednesday, 25 Oct 2006 10:24:11 -0400 mflaschen3 (AT) mail (DOT) gatech.edu
    wrote:

    > Windows offers no security against local users. It is trivial to boot to
    > a program like ERD Commander and replace admin passwords. On the other
    > hand, PuTTY is meant to protect against everyone; that's why it doesn't
    > allow saved passwords. Thus, this seems like a vulnerability to me.

    Unix offers no security against local users either. If I can sit at the
    console, I can log in in single user mode, mount the drives rw and edit
    /etc/passwd all day.

    Furthermore, I can take any hard drive, with any file system on it, and
    with the right tools I can read everything on the drive, even deleted stuff.

    So what's your point? That when you own the box you own the box?

    If you first have to own the box to get to the information, then it's not a
    vulnerability. It's not best practice, but it's not a vulnerability.

    Paul Schmehl (pauls (AT) utdallas (DOT) edu)
    Senior Information Security Analyst
    The University of Texas at Dallas
  • No.5

    Exactly. A few years ago I used to deal with Linux fanboys, showing them
    the cute trick of "linux single" at boot time. After a few hours begging
    for the admin password, I taught them the trick and they usually stopped
    bragging about how secure Linux was.

    On Wed, 25 Oct 2006 12:34:49 -0500
    Paul Schmehl <pauls (AT) utdallas (DOT) edu> wrote:

    > So what's your point? That when you own the box you own the box?
    >
    > If you first have to own the box to get to the information, then it's not a
    > vulnerability. It's not best practice, but it's not a vulnerability.

    Carlos Cardoso
    http://www.carloscardoso.com <== semi-personal blog
    http://www.contraditorium.com <== ProBlogging and digital culture

    "You lost today, kid. But that doesn't mean you have to like it"
  • No.6

    On Wednesday 25 Oct 2006 23:14, cardoso wrote:
    > Exactly. A few years ago I used to deal with Linux fanboys, showing
    > them the cute trick of "linux single" at boot time. After a few
    > hours begging for the admin password, I taught them the trick and they
    > usually stopped bragging about how secure Linux was.

    Can't do that in most modern distributions today -- they're configured
    to ask for root password before they give a single-user shell.

    Not that there aren't other ways around that restriction

    -- Raju
  • No.7

    Exactly. If you've managed to lose your root password, deal with the
    karma; a "linux single" feature does not make the system insecure by
    design.

    Not that a lot of users don't forget their passwords anyway.

    On Wed, 25 Oct 2006 23:57:15 +0530
    Raj Mathur <raju (AT) linux-delhi (DOT) org> wrote:

    > Can't do that in most modern distributions today -- they're configured
    > to ask for root password before they give a single-user shell.
    >
    > Not that there aren't other ways around that restriction
    >
    > -- Raju
    >
    > --
    > Raj Mathur        raju (AT) kandalaya (DOT) org        http://kandalaya.org/
    >       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
    >                    It is the mind that moves

    Carlos Cardoso
    http://www.carloscardoso.com <== semi-personal blog
    http://www.contraditorium.com <== ProBlogging and digital culture

    "You lost today, kid. But that doesn't mean you have to like it"
  • No.8

    Sorry, I shouldn't have implied that was only true of Windows. However,
    you CAN'T access encrypted data with physical drive access.

    Matt Flaschen

    Paul Schmehl wrote:
    > Furthermore, I can take any hard drive, with any file system on it, and
    > with the right tools I can read everything on the drive, even deleted
    > stuff.
    >
    > So what's your point? That when you own the box you own the box?
    >
    > If you first have to own the box to get to the information, then it's
    > not a vulnerability. It's not best practice, but it's not a vulnerability.
  • No.9

    On Wednesday, 25 Oct 2006 23:57:15 +0530 Raj Mathur
    <raju (AT) linux-delhi (DOT) org> wrote:

    > Can't do that in most modern distributions today -- they're configured
    > to ask for root password before they give a single-user shell.
    >
    > Not that there aren't other ways around that restriction

    Precisely - like booting from a Knoppix CD, mounting the drives rw... you
    get the picture. Physical access == total access. Worst case scenario, I
    simply remove the drives and mount them on a box that I do control.

    Paul Schmehl (pauls (AT) utdallas (DOT) edu)
    Senior Information Security Analyst
    The University of Texas at Dallas
  • No.10

    I have a dual WinXP/Debian boot, and I deal with that problem by locking
    my door.

    Matt Flaschen

    cardoso wrote:
    > Exactly. A few years ago I used to deal with Linux fanboys, showing them
    > the cute trick of "linux single" at boot time. After a few hours begging
    > for the admin password, I taught them the trick and they usually stopped
    > bragging about how secure Linux was.
  • No.11

    On Wednesday, 25 Oct 2006 15:18:10 -0400 Matthew Flaschen
    <matthew.flaschen (AT) gatech (DOT) edu> wrote:

    > Sorry, I shouldn't have implied that was only true of Windows. However,
    > you CAN'T access encrypted data with physical drive access.

    Not even that is true. You can always *access* the data. Depending upon
    the type and complexity of the encryption, it may take a while to decrypt,
    but once I have physical access, I have both the data and the time to do
    just that. *Most* of the "encryption" schemes for things like passwords
    that used to be stored in plain text (until somebody pointed it out) are
    fairly trivial and easily broken.

    Even if they're not, I may be able to use the program itself to decrypt the
    password and then capture it in plain text in memory.

    Again, once you have physical access, it's game over, plain and simple.

    Paul Schmehl (pauls (AT) utdallas (DOT) edu)
    Senior Information Security Analyst
    The University of Texas at Dallas
  • No.12

    With physical access and unlimited computing power there's no
    security. Too bad no one has unlimited computing power (and very few
    have the power to break readily available schemes).

    Matthew Flaschen

    Paul Schmehl wrote:
    > Not even that is true. You can always *access* the data. Depending
    > upon the type and complexity of the encryption, it may take a while to
    > decrypt, but once I have physical access, I have both the data and the
    > time to do just that.
    >
    > Again, once you have physical access, it's game over, plain and simple.
  • No.13

    cardoso wrote:
    > Exactly. A few years ago I used to deal with Linux fanboys, showing them
    > the cute trick of "linux single" at boot time. After a few hours begging
    > for the admin password, I taught them the trick and they usually stopped
    > bragging about how secure Linux was.

    You know we do appreciate your work with crackheads.
    Local attacks against Windows are easier imho though.

    endrazine-
  • No.14

    Paul Schmehl wrote:
    > Not even that is true. You can always *access* the data. Depending
    > upon the type and complexity of the encryption, it may take a while to
    > decrypt, but once I have physical access, I have both the data and the
    > time to do just that. *Most* of the "encryption" schemes for things
    > like passwords that

    Several times the age of the universe is a while, though.

    > used to be stored in plain text (until somebody pointed it out) are
    > fairly trivial and easily broken.
    >
    > Even if they're not, I may be able to use the program itself to
    > decrypt the password and then capture it in plain text in memory.

    You know you can use pretty strong encryption on HD, right?

    > Again, once you have physical access, it's game over, plain and simple.
    >
    > Paul Schmehl (pauls (AT) utdallas (DOT) edu)

    Regards,

    endrazine-
  • No.15

    If you have access to a local account, yes, but if you do not have any
    account, it's harder than "linux single" was.

    On Thu, 26 Oct 2006 00:12:36 +0200
    endrazine <endrazine (AT) gmail (DOT) com> wrote:

    > You know we do appreciate your work with crackheads.
    > Local attacks against Windows are easier imho though.
    >
    > endrazine-

    Carlos Cardoso
    http://www.carloscardoso.com <== semi-personal blog
    http://www.contraditorium.com <== ProBlogging and digital culture

    "You lost today, kid. But that doesn't mean you have to like it"
  • No.16

    Raj Mathur wrote:
    > Can't do that in most modern distributions today -- they're configured
    > to ask for root password before they give a single-user shell.
    >
    > Not that there aren't other ways around that restriction

    Ever heard about "init=/bin/sh"?
    It doesn't ask for a password and it gives a root shell.
    If you don't have a password set in lilo.conf, the box is 0wned.
  • No.17

    On Thu, 26-10-2006 at 12:18 +0200, Robert Jaroszuk wrote:
    > Ever heard about "init=/bin/sh"?
    > It doesn't ask for a password and it gives a root shell.
    > If you don't have a password set in lilo.conf, the box is 0wned.

    You could use the 'restrict' option; it doesn't ask for a password unless
    you modify the arguments (if you press enter you boot, if you add init=*
    it asks for a password).

    Regards, Juan Pablo.
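As an added example (not from the thread and not LILO's own code), the following models the LILO behaviour that Robert and Juan Pablo describe and audits a `lilo.conf`: without `password=` the boot prompt accepts `init=/bin/sh` and hands out a root shell; `password=` alone prompts on every boot, which breaks unattended reboots; `password=` together with `restrict` lets an unmodified entry boot on its own and prompts only when parameters are appended. Both configurations are constructed, the inheritance rule (a per-image section keeps any global option it does not set itself) is this writer's reading of lilo.conf(5), and one caveat the thread does not mention: the password is stored in clear in lilo.conf, so the file has to be mode 0600 or the protection is only as good as the ACL debate above.

```python
from typing import Dict, List, Tuple

# Constructed lilo.conf fragments. Device names, labels and the password are made up.
WEAK_LILO_CONF = """\
# no password anywhere: 'linux init=/bin/sh' at the boot: prompt gives a root shell
boot=/dev/hda
prompt
timeout=50
default=linux

image=/vmlinuz
    label=linux
    root=/dev/hda1
    read-only

image=/vmlinuz.old
    label=rescue
    root=/dev/hda1
    read-only
"""

HARDENED_LILO_CONF = """\
boot=/dev/hda
prompt
timeout=50
default=linux
# global password + restrict: unattended boot still works, extra parameters prompt
password=CorrectHorseBatteryStaple
restrict

image=/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
"""

Options = Dict[str, str]


def parse_lilo_conf(text: str) -> Tuple[Options, List[Options]]:
    """Split lilo.conf into global options and one dict per image/other section.
    Flags such as 'restrict' or 'read-only' map to ''."""
    global_opts: Options = {}
    images: List[Options] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if key in ('image', 'other'):       # a new per-entry section begins
            current = {key: value}
            images.append(current)
            continue
        current[key] = value
    return global_opts, images


def effective_options(global_opts: Options, image: Options) -> Options:
    """Assumed inheritance: an image keeps global options it does not override."""
    merged = dict(global_opts)
    merged.update(image)
    return merged


def classify(opts: Options) -> str:
    if 'password' not in opts:
        return 'unprotected'   # init=/bin/sh boots straight to a root shell
    if 'restrict' in opts:
        return 'restricted'    # prompt only when the command line is modified
    return 'mandatory'         # prompt on every boot; unattended reboots hang


def prompts_for_password(opts: Options, extra_params: bool) -> bool:
    """Would booting this entry (with or without appended kernel parameters
    such as init=/bin/sh) stop at a password prompt?"""
    state = classify(opts)
    if state == 'unprotected':
        return False
    if state == 'mandatory':
        return True
    return extra_params


def audit(text: str) -> Dict[str, str]:
    """Map each boot entry's label to its protection state."""
    global_opts, images = parse_lilo_conf(text)
    return {img.get('label', img.get('image', img.get('other', '?'))):
            classify(effective_options(global_opts, img)) for img in images}


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_LILO_CONF), ('hardened', HARDENED_LILO_CONF)):
        print(name, audit(conf))
```

The `restricted` state is the one Juan Pablo recommends: pressing enter boots the default entry without a prompt, while `linux init=/bin/sh` does not. It closes only the boot-loader path; booting removable media, which the thread turns to next, still bypasses it unless the disk is encrypted.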
  • No.19

    Hi,

    On Thu, 2006-11-02 at 01:15 -0600, nocfed wrote:
    > And if you have physical access then you can simply use a floppy, USB
    > dongle, or any other type of removable media to boot from. Once
    > physical access is obtained then you pretty much have full access,
    > barring full disk encryption. Personally I see Linux's password for
    > single user mode to be like a screen door in front of an old door with
    > a combination lock on it. It takes VERY little effort to punch a
    > hole through it, even if you only have 1 minute alone with the
    > server.

    If you have physical access, just plug in your iPod with UNIX and enjoy
    full memory access to the host machine

    Tonnerre
  • No.20

    On Thu, 02 Nov 2006 01:15:19 CST, nocfed said:

    > And if you have physical access then you can simply use a floppy, USB
    > dongle, or any other type of removable media to boot from. Once
    > physical access is obtained then you pretty much have full access,
    > barring full disk encryption.

    For bonus points, figure out how to reboot the machine without being
    detected. For starters, there's that pesky 'uptime' ;)
  • No.21

    Valdis.Kletnieks (AT) vt (DOT) edu wrote:

    > For bonus points, figure out how to reboot the machine without being
    > detected. For starters, there's that pesky 'uptime' ;)

    1. Pull power plug on target machine.
    2. Open case, disconnect data cable from target hard drive.
    3. Use PATA/SATA-to-USB cable to connect target hard drive to attacker's
    laptop.
    4. Re-energise target machine (it won't boot, this is only to supply
    power to target hard drive.)
    5. Using laptop, mount target hard drive and <insert malfeasance here>.
    6. When done, install rootkit on filesystem of target hard drive.
    7. Power down, unplug USB adapter cable, reattach target hard drive's
    controller, close case, boot target.
    8. Using rootkit installed in 6, get privilege and manipulate log files,
    utmp, kernel state, et al. to cover any traces of a shutdown.
    9. Profit.

    Brian
  • No.22

    On Thu, 02 Nov 2006 06:47:02 PST, Brian Dessent said:

    > 8. Using rootkit installed in 6, get privilege and manipulate log files,
    > utmp, kernel state, et al. to cover any traces of a shutdown.

    "Funny, when I left for lunch I was logged in and a screensaver was running"

    It's really hard to put the state back exactly the way it was - currently
    running processes are particularly obnoxious. At best, you can make it
    not-too-obtrusive. Of course, with *most* users, stealth isn't required,
    as they'll just assume the frikking thing crashed and rebooted again.

    It's also loads of fun if the box in question is a server that's being
    monitored by Big Brother or similar. Kinda hard to erase the 'red' marker
    on the big screen in the NOC. Similar comments apply to machines that
    report to a central syslog server
  • No.23

    > It's also loads of fun if the box in question is a server that's being
    > monitored by Big Brother or similar. Kinda hard to erase the 'red' marker
    > on the big screen in the NOC. Similar comments apply to machines that
    > report to a central syslog server

    7b) unplug target network cable [thus avoiding the remote syslog issue]

    With BigBrother you get 5 minutes (typically) before you create an alarm
    so, depending on what sort of is required to get into the
    server, that may be possible.

    The easiest thing to do though would be just to flip the power on a whole
    rack (and maybe a few next to it); somebody will just figure a janitor
    tripped over something.

    Or just hit the EPO on the way out of the datacenter. We had that
    happen *more than once* at a former site because people mistook it as
    the release for the maglocks (which it sort of still was, since those
    were on datacenter power).

    ~Mike.
  • No.24

    On 11/2/06, Valdis.Kletnieks (AT) vt (DOT) edu <Valdis.Kletnieks (AT) vt (DOT) edu> wrote:
    > On Thu, 02 Nov 2006 01:15:19 CST, nocfed said:
    >
    > > And if you have physical access then you can simply use a floppy, USB
    > > dongle, or any other type of removable media to boot from. Once
    > > physical access is obtained then you pretty much have full access,
    > > barring full disk encryption.
    >
    > For bonus points, figure out how to reboot the machine without being
    > detected. For starters, there's that pesky 'uptime' ;)

    Back up the settings and configuration of the System and
    monitored applications. Then clone the GUID/SID/etc of the machine to
    the attacker's laptop and do a restore of the backed up data also to
    the attacker's laptop, which had the necessary OS put on it in
    preparation for the attack.

    Pull the data cable out of the server and put it in the laptop. You
    are now free to install your rootkit, reboot the server and then cover
    your tracks.

    Replace cable in server and vamoose
    -JP
  • No.25

    On 11/2/06, Tonnerre Lombard <tonnerre.lombard (AT) sygroup (DOT) ch> wrote:
    > If you have physical access, just plug in your iPod with UNIX and enjoy
    > full memory access to the host machine

    I've always enjoyed the idea of throwing a tiny rogue PXE
    server (Soekris) under the raised floor in a datacenter, vampire-tapped
    into the uplink Ethernet, and having it set to PXE once into a hacked
    up pxelinux that boots the server(s) one time into its own OS,
    installs a rootkit, and reboots it again into its own media. Setting
    this up may require a bit more time as you would have to remove the
    sheath, punch the wires making sure to not cut them, and tap in.
    Using a simple environment like busybox you can have this type of
    system mount just about any type of filesystem (regardless of OS),
    figure out which OS it is and install the appropriate rootkit. This
    would require that the servers be set to PXE before their normal boot
    media but could cause all sorts of havoc. Most DCs will utilize a
    PXE environment in order to (re)deploy servers on the fly. I'm sure
    you all get the point.

    Another idea would be another type of vampire tap/WAP combo so you can
    have the network as your own little playground. I think that I read
    about a tiny one a while back, but did not find it with a simple
    search. Maybe someone knows what I am referring to?
  • No.26

    Quoting Valdis.Kletnieks (AT) vt (DOT) edu:

    > For bonus points, figure out how to reboot the machine without being
    > detected. For starters, there's that pesky 'uptime' ;)

    I am taking this out of context, I know.

    'uptime' is not really a reliable metric of uninterrupted system
    execution in a shared environment with physical access to the system.

    For years I had the longest **** in the IRC uptime wars by dropping a
    BSD box to ddb (kernel debugger), and setting the boottime variable to some
    obscene number. And then people were wondering how come I had a kernel built
    2 months ago with an uptime of 2 years.

    has an example of usage.

    Under Solaris, someone reasonably crafty might decide to boot into kadb (kgdb
    now?) and basically do the same. Or probably edit the boottime variable
    directly from userland - if you have physical access, why not root the
    box? Root it through OpenFirmware even - there was a Phrack article on
    how to do it.

    Yes, one can lock the box physically, lock out the BIOS, compile the kernel
    without ddb, or secure OpenFirmware, and yet, someone with enough will
    will get in.

    //Stany, who occasionally looks up from Lie Algebras, and reads Sysphrog's
    comments.

    (please cc: me on follow-ups if you want me to read them, otherwise I
    might miss them)

    Full-Disclosure - We believe in it.
    Charter:
    Hosted and sponsored by Secunia - http://secunia.com/
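Valdis's point is that a reboot is visible to anything watching the host from outside: `uptime`, a Big Brother console, a central syslog. Stany's point is that the host's own `uptime` can be faked by rewriting the kernel's boot-time variable. What cannot be faked from the host is the collector's clock, so this added example (not from the thread; the heartbeat log format is constructed) checks host-reported uptime against the collector's receive timestamps: uptime that goes backwards means a reboot, a silence longer than the heartbeat interval means the host was down or unplugged (Mike's "7b"), and uptime that gains more seconds than elapsed on the collector's clock means the boot time was pushed backwards, since a real counter cannot run faster than wall-clock time.

```python
import re
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed heartbeat log as a central collector might keep it: the collector's
# own receive time (trusted), the host name, and the uptime the host reports
# (untrusted: the host can say whatever it likes).
HEARTBEATS = """\
2006-11-02T06:40:00Z web01 heartbeat uptime=864000
2006-11-02T06:45:00Z web01 heartbeat uptime=864300
2006-11-02T06:50:00Z web01 heartbeat uptime=864600
2006-11-02T07:05:00Z web01 heartbeat uptime=120
2006-11-02T07:10:00Z web01 heartbeat uptime=420
2006-11-02T07:15:00Z web01 heartbeat uptime=63072720
2006-11-02T07:20:00Z web01 heartbeat uptime=63073020
"""

INTERVAL = 300   # expected seconds between heartbeats
SLACK = 60       # tolerated scheduling/clock jitter

LINE = re.compile(r'^(\S+) (\S+) heartbeat uptime=(\d+)$')
Record = Tuple[datetime, str, int]
Finding = Tuple[datetime, str, str]


def parse_heartbeats(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # not a heartbeat line
        ts = datetime.strptime(m.group(1), '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
        records.append((ts, m.group(2), int(m.group(3))))
    return records


def analyse(records: List[Record]) -> List[Finding]:
    """Compare each heartbeat with the previous one from the same host."""
    findings: List[Finding] = []
    last = {}   # host -> (collector time, reported uptime)
    for ts, host, uptime in records:
        if host in last:
            prev_ts, prev_uptime = last[host]
            wall = (ts - prev_ts).total_seconds()   # elapsed on the collector's clock
            if wall > INTERVAL + SLACK:
                findings.append((ts, host, f'missed heartbeats: {int(wall)}s silence'))
            if uptime < prev_uptime:
                findings.append((ts, host, f'reboot: uptime fell {prev_uptime}s -> {uptime}s'))
            elif uptime - prev_uptime > wall + SLACK:
                findings.append((ts, host,
                                 f'forged boot time: uptime gained {uptime - prev_uptime}s in {int(wall)}s'))
        last[host] = (ts, uptime)
    return findings


if __name__ == '__main__':
    for ts, host, what in analyse(parse_heartbeats(HEARTBEATS)):
        print(ts.isoformat(), host, what)
```

In the sample the host goes quiet for fifteen minutes, comes back with an uptime of two minutes (the reboot Brian's procedure tries to hide), and five minutes later reports two years of uptime (Stany's boottime trick), and all three show up. The checks are deliberately conservative: a host rebooted and patched within a single interval appears only as a gap, and a collector whose own clock jumps will trip the forgery check, which is an argument for keeping that clock disciplined.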

EMSDN.COM