Computer underground Digest    Tue  Dec 10, 1996   Volume 8 : Issue 87
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Shadow Master: Stanton McCandlish
       Field Agent Extraordinaire:   David Smith
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #8.87 (Tue, Dec 10, 1996)

File 1--Is Connection to the Net an Inalienable Right?
File 2--The strange case of Eric Jenott & "Mr. Liu" (continued)
File 3--CDA Appeal on Supreme Court Docket
File 4--OPPOSITION: FRC on Supreme Court News (CDA)
File 5--Mike Godwin replies to CIEC bulletin on CDA
File 6--New House Rules Means More Info
File 7--BoS: Serious BIND resolver problem (fwd)
File 8--Cu Digest Header Info (unchanged since 10 Dec, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sun, 8 Dec 1996 21:53:43 -0600
From: Richard Thieme
Subject: File 1--Is Connection to the Net an Inalienable Right?

In his award-winning science fiction novel, "The Stars My Destination," Alfred Bester conceived of a world in which "jaunting," or short-distance teleportation, was the norm. In order to jaunt, you had to know exactly where you were, so criminals were kept in a maze-like cave in darkness, denied access to the sense data that would allow them to visualize their location. This intentionally cruel and unusual punishment had nothing to do with the crimes for which prisoners were sentenced.

Participation in the Internet and other computer networks is our version of jaunting. That's how twenty-first century humankind transcends time and space. Denying a criminal access to computer networks is like breaking his fingers for writing a hold-up note and forbidding him to use a pen.
When the crime has had nothing to do with computers or networks in the first place, it's like putting him into a sensory-deprivation tank simply to punish him. Enter Chris Lamprecht, alias "Minor Threat," a sometime hacker and formerly a programmer, installer, and trouble-shooter for Optical Document Technology in Austin, Texas. Lamprecht is now serving seventy months in a Texas prison for money laundering, although the activities connected to his sentencing included burglary and the theft and sale of hundreds of thousands of dollars worth of electronic switching systems and other telephone company equipment. His crimes had nothing to do with hacking, but if the criminal justice system has its way, he will not be able to use a computer connected to a modem or connect to a network when he gets out. The case illustrates not only the great gulf fixed between those who use the Net and those who don't, but also how the image of hackers as "evil geniuses" can distort the perception and judgement of those who play into the image as well as those who fear and misunderstand it. From the government side, it seems Lamprecht's computer activities were linked to his criminal activities through a bizarre chain of reasoning. Lamprecht once made calls to change the outgoing telephone message on someone's answering machine. He acknowledged that and stopped doing it. The police investigation determined, however, that Lamprecht was "computer literate" and he and his cohorts were "known hackers and had the capability to enter into a computer program and review, extract, and change information." Lamprecht and his pals, particularly Jason Copson, had penetrated several private and government computer systems, although "it is unknown if these illegal entries have resulted in monetary gain." (Lamprecht says he never made a dime from his hacking; like most hackers, he explored computer systems for the pleasure of the quest and to learn). 
One of Lamprecht's errors was speaking openly with Copson during a telephone call Copson made from prison. Both men knew the calls were monitored, but discussed nevertheless their desire to "ruin" an Austin cop, Paul Brick. They discussed obtaining his social security number. To prevent them from entering computer systems in search of that social security number, the following stipulation was made: "Upon release from imprisonment ... for a term of three years, the defendant cannot be employed where he is the installer, programmer, or trouble shooter for computer equipment; may not purchase, possess or receive a personal computer which uses a modem; and may not utilize the Internet or other computer networks." When he heard these conditions, Lamprecht broke down in the courtroom and cried. They had hit him where it hurt. They deprived him of the only way he knew how to make a living and banished him for three additional years to the wasteland of the caves. Did the judge, the Honorable Sam Sparks, really understand what he was doing? Did he really intend that Lamprecht should not attend schools that assign email addresses and in some cases insist email be used to submit papers? Did he really intend that he never use a public library online catalog? Doesn't Sparks know that anyone with a few dollars can buy a social security number in the data marketplace? Besides, good hackers are equally adept at "social engineering." If Lamprecht talks someone out of their social security number, should we cut out his tongue? In short, does the judge have a clue as to how life is lived these days? Lamprecht's former boss, Selwyn Polit of ODT, laughed when asked about the case. "They're dead scared of him because of the computer stuff," he said. "They treat him differently because they think if he just thinks about computers, he can do magical things." Unfortunately, Lamprecht's statements feed these projections. He plays enthusiastically to the "evil hacker genius" image. 
Lamprecht says his sentence is longer than that of any other hacker, for example. But if his crime has nothing to do with that, why identify himself that way? Why feed the distortion?

Lamprecht often sounds as if he claims sole responsibility for creating ToneLoc, a widely used program that scans for carriers and selected dial tones; it's particularly useful for hacking PBX codes. Simple wardialers existed before ToneLoc, but ToneLoc added some significant features -- it did random scanning and displayed the scans graphically, for example. Yet Lamprecht states in his biography in Phrack that he had lost the source code and Mucho Maass brought the program back from the dead and made it "user friendly."

The need to seem to be what his captors thought he was has contributed to the unnecessary harshness of his punishment. Lamprecht is learning painfully that you can be punished for how you're perceived as much as what you've done. Some of his colleagues describe him as an innocent despite his criminal activity, naive about the real world. His employer as well as his friends call him loyal, reliable, capable. His employer felt his need to be more than capable might have led him to exaggerate his computer skills. Polit said "he took pride in his work and wrote clean tight code, but nothing spectacular. He's sharp, but not extraordinary." Would ODT hire him back? Absolutely. But they may not have that opportunity.

Lamprecht feels it's a question of free speech and first amendment rights, but he "will probably have an uphill battle because of the wide discretion given judges in creating conditions of probation," says Tim Muth, partner at Reinhart, Boerner, Van Deuren, Norris, and Rieselbach, a Milwaukee, Wisconsin, law firm. Muth built the firm's celebrated web site and has a passion for the legal issues emerging in the virtual world.
"On the other hand, with the growing importance of computers and network communications for making a living, a court might say that a greater justification should be required for this kind of restriction. Unfortunately for Lamprecht, our courts have not yet recognized such a principle in the constitution or elsewhere." Lamprecht hopes to find lawyers willing to work pro bono to establish that principle. And who can blame him? Isolated from the network, deprived of his livelihood, the prospect of wandering the maze in the cave is a lonely one. You don't have to be the anti-hero of Neuromancer to know how it feels to be kept off the Net. Just as we don't speak a language, but our language speaks us, once we have been connected, we can never forget that the Net is our hive mind. We don't dream up the Net, the Net dreams us. Now more than ever, you just can't be a human being alone. Richard Thieme ------------------------------ Date: Mon, 9 Dec 1996 15:44:21 -0600 (CST) From: Crypt Newsletter Subject: File 2--The strange case of Eric Jenott & "Mr. Liu" (continued) According to the Fayetteville Observer, Eric Jenott's court martial on espionage charges at Fort Bragg, NC, was set to roll today, Monday, Dec. 9, 1996. If convicted, the potential sentence -- life in prison -- is dire. The Army, according to the Observer, will try to show Jenott was trying to "gain favor" with the Chinese government by giving passwords on an Army system to a Chinese agent, known as "Mr. Liu." According to the paper, Jenott's family insist that he gave only an unclassified "Internet code" to Liu. Jenott's defense team wants "Mr. Liu," also identified as Qihang Liu, declared an essential witness. If this is granted by the court and Liu cannot be produced, the prosecution could collapse. Liu was a Chinese national who worked for a short time at Oak Ridge National Laboratory on a computer database and management system. He is no longer in America. 
According to the Observer, Liu was interrogated by the FBI before leaving the country. During this investigation, Liu apparently "told federal agents that Jenott did not give him a classified computer password. Later, he said Jenott might have given him the password, then finally said he probably received [a] password from Jenott." Further, "Liu told investigators that Jenott gave him at least two other computer passwords, including one that let him enter [a] University of Washington computer system." John Jenott, the Ft. Bragg soldier's father, has provided a partial transcript of a conversation conducted in which his son says the passwords weren't secret. The passwords, said Jenott, were published in training books given by GTE to soldiers for home study. The Observer's report on the case contains further confusing mumble about unspecified secret information on an Army system being passed by Jenott to yet another individual. The text of it can be found at http://www.foto.com . George Smith Crypt Newsletter http://www.soci.niu.edu/~crypt ------------------------------ Date: Tue, 10 Dec 1996 22:51:01 CST From: CuD Moderators Subject: File 3--CDA Appeal on Supreme Court Docket Supreme Court to decide on Internet indecency law By Richard Carelli Associated Press Writer WASHINGTON (AP) - Charting its first venture into cyberspace law, the Supreme Court Friday agreed to decide whether Congress violated free-speech rights by restricting indecency on the Internet. The justices said they will study the Communications Decency Act, Congress' first crack at regulating the freewheeling global computer network. A three-judge federal court in Philadelphia blocked the law from taking effect earlier this year, ruling that it wrongly would chill adults' right of access to sexual material that may be inappropriate for children. A decision from the nation's highest court is expected by July. 
------------------------------ Date: Fri, 6 Dec 1996 16:21:07 -0700 From: --Todd Lappin-- Subject: File 4--OPPOSITION: FRC on Supreme Court News (CDA) Source - fight-censorship@vorlon.mit.edu We're not the only ones who are excited about the pending Supreme Court case on the constitutionality of the Communications Decency Act. Turns out, the CDA's proponents are also looking forward to having their day in court. The following press release from the Family Research Council gives their side of the story, complete with Cathy Cleaver's usual rantings about the dangers of online smut. Remember... despite what the FRC says, "indecency" is NOT a synonym for pornography. Work the Network! --Todd Lappin--> Section Editor WIRED Magazine --------------------------------- FOR IMMEDIATE RELEASE: Dec. 6, 1996 CONTACT: Kristi S. Hamrick, (202) 393-2100 For Radio, Kristin Hansen SUPREME COURT TO REVIEW COMPUTER PORN RULING WASHINGTON, D.C. -- The Supreme Court announced Friday that it will review the Reno v. ACLU decision to enjoin the Communications Decency Act made earlier this year by a three-judge panel in Philadelphia. Family Research Council Director of Legal Studies Cathy Cleaver said that the Department of Justice's appeal of the Philadelphia ruling is the right thing to do, and that now the Supreme Court has the opportunity to "reverse the radical ruling which gave Bob Guccione the right to give his Penthouse magazine to our children on the Internet." Cleaver continued, "Laws against selling porn magazines to kids are not unconstitutional. Why should we have to tolerate the same degrading images of women being given to those same kids on-line?" Family Research Council presented a "friend of the court" brief with the Philadelphia judges in ACLU v. Reno defending the cyberporn provisions of the Communications Decency Act. Cleaver said the Philadelphia decision contradicts previous Supreme Court decisions on the distribution of indecent material through the media. 
The Communications Decency Act:

* Prohibits adults from using a computer to send indecent pornography directly to a known child

* Prohibits adults from knowingly displaying indecent pornography to children

* Defines "indecent material" as material, which in context, depicts or describes sexual or excretory activities or organs in a patently offensive manner

* Imposes fines, prison sentences (up to 2 years), or both on violators

* Exempts those who merely provide access to a network or system over which they have no control

* Provides limited defenses for employers and those who make a reasonable and effective effort to restrict children's access to pornography

* Expands telephone harassment prohibitions to include harassment by computer

Arguments will likely be heard in early spring. Family Research Council and other pro-family and anti-pornography groups will be filing briefs in support of the Justice Department's defense of the law.

FOR MORE INFORMATION OR INTERVIEWS, CALL THE FRC MEDIA OFFICE.

###

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
This transmission was brought to you by....
THE CDA DISASTER NETWORK

The CDA Disaster Network is a moderated distribution list providing up-to-the-minute bulletins and background on efforts to overturn the Communications Decency Act. To subscribe, send email to with "subscribe cda-bulletin" in the message body. To unsubscribe, send email to with "unsubscribe cda-bulletin" in the message body.

WARNING: This is not a test!
WARNING: This is not a drill!

------------------------------

Date: Fri, 6 Dec 1996 23:17:18 -0800 (PST)
From: Declan McCullagh
Subject: File 5--Mike Godwin replies to CIEC bulletin on CDA

Source - fight-censorship@vorlon.mit.edu

[Forwarded with permission. --Declan]

---------- Forwarded message ----------
Date--Thu, 5 Dec 1996 19:59:54 -0800
From--Mike Godwin
Subject--Re--CIEC Bulletin No. 16 - SC Agrees to Hear CDA Appeal

Dear Jonah,

It seems to me that this release obscures rather than clarifies what the significance of today's announcement was. Despite some fallacious news reports, the announcement today was not about whether the Supreme Court has chosen to review the lower court's decision in ACLU v. Reno -- the Court has *no choice* as to whether it will review that decision, so long as the government's appeal is not a frivolous one.

According to Article III of the U.S. Constitution, the Supreme Court can be compelled by Congress to hear certain kinds of appeals, even though normally Congress lets the Court set its own docket. Pursuant to Article III, the CDA, like the Voting Rights Act and certain other legislative measures, grants the government an "appeal as of right" whenever a provision of the act is found unconstitutional by a lower court. This is very different from the normal petition-for-certiorari process by which cases normally come before the Court.

Journalists have been reporting the story today as if there had been some doubt before now that the Supremes would review the case -- as to this matter, that question was answered the instant the government filed its appeal.

What is significant about today's news is that the Supreme Court has expressed 1) an interest in hearing oral arguments as well as 2) an interest in speaking *directly* to the issues raised by the case (as distinct from deciding the case summarily).

Yes, I know the CIEC announcement says the Supreme Court has "agreed to hear" the case -- technically a true statement -- but a press release that is technically correct yet does not clarify the legal issues does no one any service. As lawyers and public-interest advocates, we are perpetually obligated to explain the issues to our clients and constituents, and to anticipate and resolve confusions before they happen.
What we've done here instead is hand the radical right an opportunity to say or imply that this news signals the Court's intention to overturn the case, when in fact what it signals is the Court's deep interest in the case's issues. Let's do better than the other side and aim for 100-percent clarity and understanding every time we tell people about our work.

--Mike

--

At 12:48 PM -0800 12/6/96, Jonah Seiger wrote:
>-----------------------------------------------------------------
>
>        Citizens Internet Empowerment Coalition Update No. 16
>                         December 6, 1996
> -----------------------------------------------------------------
>                        http://www.cdt.org/ciec/
>                          ciec-info@cdt.org
> -----------------------------------------------------------------
> CIEC UPDATES are intended for members of the Citizens Internet
> Empowerment Coalition. CIEC Updates are written and edited by the
> Center for Democracy and Technology (http://www.cdt.org). This
> document may be reposted as long as it remains in its entirety.
> ------------------------------------------------------------------
>
>      ** 55,000 Netizens Vs. U.S. Department of Justice. **
>          * The Fight To Save Free Speech Online *
>
> Contents:
>
>   o Supreme Court Agrees to Hear CDA Challenge
>   o What You Can Do - Join the CIEC!
>   o How to Remove Yourself From This List
>   o More Information on CIEC and the Center for Democracy and Technology
>
> ----------------------------------------------------------------------
>
>SUPREME COURT AGREES TO HEAR LANDMARK CASE TO DETERMINE FUTURE OF FREE
>SPEECH IN CYBERSPACE
>
>The United States Supreme Court today agreed to hear the government's
>appeal of a landmark legal challenge to the Communications Decency Act.
>The case, which will determine the future of freedom of speech in
>cyberspace, is expected to be heard in March or April. A special panel
>of federal judges in Philadelphia ruled the CDA unconstitutional in June.
>
>The Citizens Internet Empowerment Coalition (CIEC), which brought a
>successful challenge to the CDA earlier this year, applauded the court's
>decision to hear the case.
>
>"This case will determine the future of free expression in the
>information age, and is the most important first amendment case before
>the court in recent memory," said Jerry Berman, Executive Director of
>the Center for Democracy and Technology (CDT) and one of the organizers
>of the CIEC. "The lower court ruled unequivocally, based on a solid
>factual record, that the CDA was unconstitutional," Berman added, "and
>we believe the Supreme Court will agree with them upon review."
>
>The CIEC is a broad coalition of groups concerned about the future of
>the Internet, including on-line service and Internet service providers,
>libraries, book, magazine, newspaper and music publishers, software
>companies, public interest organizations, and more than 55,000
>individual Internet users. The lead plaintiff in the case is the
>American Library Association.
>
>The Philadelphia court ruled the CDA unconstitutional in June, agreeing
>with the Citizens Internet Empowerment Coalition's arguments that:
>
>* The Internet is a unique communications medium that deserves free
>  speech protection at least as broad as that enjoyed by print medium.
>
>* Individual users and parents -- not the government -- should decide
>  what material is appropriate for their children, and;
>
>* Simple, inexpensive user empowerment technology is a very effective
>  and constitutional way of limiting the access of minors to
>  inappropriate material on the Internet.
>
>The CIEC challenge, also known as ALA v DOJ, was consolidated with a
>separate lawsuit brought by the American Civil Liberties Union and 20
>other plaintiffs, ACLU v. Reno. The cases were argued together before
>the three-judge federal panel in Philadelphia last spring, and the legal
>teams continue to work together as co-plaintiffs in the Supreme Court
>phase.
>
>The Communications Decency Act (CDA), passed by Congress in February
>1996, for the first time imposed far reaching broadcast-style content
>regulations on the Internet.
>
>The full text of the Philadelphia ruling and other information on the
>case can be found on the Citizens Internet Empowerment Coalition Web
>Page (http://www.cdt.org/ciec/). Please also visit the CIEC web page for
>the latest news and information about the case.
>
>The 27 plaintiffs in the case include: American Library Association,
>Inc.; America Online, Inc.; American Booksellers Association, Inc.;
>American Booksellers Foundation for Free Expression; American Society
>of Newspaper Editors; Apple Computer, Inc.; Association of American
>Publishers, Inc.; Association of Publishers, Editors and Writers;
>Citizens Internet Empowerment Coalition; Commercial Internet eXchange;
>CompuServe Incorporated; Families Against Internet Censorship; Freedom
>to Read Foundation, Inc.; Health Sciences Libraries Consortium;
>HotWired Ventures LLC; Interactive Digital Software Association;
>Interactive Services Association; Magazine Publishers of America, Inc.;
>Microsoft Corporation; Microsoft Network; National Press Photographers
>Association; NETCOM On-Line Communication Services, Inc.; Newspaper
>Association of America; Opnet, Inc.; Prodigy Services Company; Wired
>Ventures, Ltd.; and, the Society of Professional Journalists Ltd.

------------------------------

Date: Mon, 2 Dec 1996 18:21:33 -0800 (PST)
From: "Brock N.
Meeks" Subject: File 6--New House Rules Means More Info Source - fight-censorship@vorlon.mit.edu ((MODERATORS' NOTE: Brock Meeks, fearless Net-reporter and founder of CyberWire Dispatch, has moved on and up to MSNBC, where his articles can be found at: http://www.msnbc.com - His fans can find him there, and, of course, on the Well)) House Rules Change Compels More Online Info by Brock N. Meeks Chief Washington Correspondent MSNBC Washington -- A new House rule for the 105th Congress compels committee chairmen to make published documents available via the Internet, MSNBC has learned. The rule requiring published documents to be put online is ambiguous and doesn't provide any details as to how the rule will be carried out. Indeed, the entire text of the rule, which hasn't been made public, is merely a single sentence: "Each committee shall, to the maximum extent feasible, make its publications available in electronic form." The House GOP leadership drafted the new rule as part of a package of rules changes during a closed door session last week. The new rules won't go into effect until voted on by the entire House when the 105th convenes January 7th. Before that action takes place, however, the rules must first be approved by the House Republican Conference Committee. That move will take place "shortly before the full House convenes," said a House Rules Committee staffer. The House Rules staffer confirmed that the intent of the rule is to have information available via the Internet. "We all share the goal of getting as much information out as quick as possible," he said. However, "there are some logistical problems if we tie this [rule] too tightly." One such problem is that of publishing committee meeting and hearing transcripts. Although committees usually get these transcripts back within 48 hours, "they are usually filled with errors," the staffer said. Such errors can be a quote attributed to the wrong member by the transcriber, he said. 
Transcripts are currently circulated to House members for the purposes of editing and error correction. However, that process often delays, sometimes by weeks during heavy legislative calendars, how quickly transcripts are put online.

Other committee documents, such as the full text of bills, are "much easier" to put online, the staffer said, "but things such as transcripts are a much stickier wicket."

There also is some question as to what the word "publication" actually means. It's not clear, for example, that transcripts are publications, nor is it clear that so-called "discussion drafts" -- or working documents -- are publications, the staffer said.

The whole rule "turns on this one word, 'publication,'" says Gary Ruskin, director of the Congressional Accountability Project, a Ralph Nader congressional watchdog organization. "Some folks are saying that the word 'publication' might be restrictive or tautological," Ruskin said. "I'm still trying to figure it out."

In general, Ruskin said the rule "looks like a good step forward." His organization pushed hard during the last Congress trying to get Speaker Newt Gingrich (R-Ga.) to make good on his 1994 promise that all congressional documents, without exception, would be made available via the Internet through the Thomas system. Gingrich bailed on that promise and Thomas, though it now contains many more documents than when it was first launched, is still far from being the comprehensive service Gingrich promised.

Although the phrase "to the maximum extent feasible" appears to give committee chairmen a lot of latitude as to how quickly documents go online, Ruskin said he's encouraged by the wording. He said the "intent" of that statement puts the presumption on a committee that if a document is printed, "there should be no technical reason why it can't go online quickly." With this rule in place, "there will have to be an awfully good reason why [committees] fail to put such documents online," Ruskin said.
Although there are no penalties attached to such a rule, Ruskin said "if worse comes to worse" there can be "an ethics complaint filed against the committee chairman if a reasonable case can be made that they aren't making documents available in a feasible time frame."

Just how this new rule will affect the future of a bill introduced by Rep. Rick White (R-Wash.) late in the 104th, which mandated that a broad range of congressional documents be put online, isn't known. White's bill (H.Res. 478) never made it out of committee. White's office didn't return our calls for comment.

Traditionally, committee chairmen have used their power to distribute important committee documents as a means of controlling the committee's agenda. For example, after a bill has been passed by the full committee, the chairman, behind closed doors and without the approval of the full committee, can amend the bill, sometimes altering it dramatically. This results in a "manager's amendment," a document that, though published, is not widely distributed beyond the chairman's political allies and assorted well-heeled lobbyists.

Nowhere was such micro-managing of a bill more apparent than during the legislative wrangling over the telecommunications reform act last year. The House version of the telecom reform bill was radically amended by Commerce Chairman Thomas Bliley (R-Va.) and few people, least of all the public, were allowed to see those changes before they came to the floor for a vote. Under the new proposed rule, Bliley would not have been able to withhold that document from going online well before the floor vote was taken. To do so with the new rule in place would risk triggering an ethics complaint from a group such as Ruskin's Congressional Accountability Project.

The new rule, however, doesn't mandate that the Speaker's office put any information online.
Despite all the bluster from Gingrich about the benefits of a more informed public, he has yet to make the Speaker's office accessible via the Internet.

--end--

------------------------------

Date: Wed, 20 Nov 1996 08:16:38 -0500 (EST)
From: Noah
Subject: File 7--BoS: Serious BIND resolver problem (fwd)

From -Noah

---------- Forwarded message ----------
Date--Mon, 18 Nov 1996 22:53:16 -0700 (MST)
From--Oliver Friedrichs
To--firewalls@greatcircle.com
Subject--BoS--Serious BIND resolver problem

                        Secure Networks Inc.

                         Security Advisory
                         November 18, 1996

                 Vulnerability in Unchecked DNS Data.

In research for our upcoming network auditing tool, we have uncovered a serious problem present in implementations of BIND which trust invalid data sent to them. This vulnerability specifically applies to hostname to address resolution and can result in local and remote users obtaining root privileges.

It is recommended that security conscious users upgrade to the latest version of the BIND resolver immediately. Information on obtaining the latest official release is provided at the end of this message.

Technical Details
~~~~~~~~~~~~~~~~~

When a standard hostname lookup is performed on internet connected systems, the resulting address should be 4 bytes (forgetting about IPv6 for now). Assuming that the address will always be 4 bytes, many privileged and unprivileged programs (including network daemons) trust the address length field which is returned from gethostbyname() in the hostent structure. By trusting the length field returned by DNS to be 4 bytes, it then copies the address into a 4 byte address variable.

The vulnerability exists due to the fact that we can specify the size of IP address data within the DNS packet ourselves.
By specifying a size larger than 4 bytes, an overflow occurs, as the program attempts to copy the data into the 4 byte structure it has allocated to store the address.

One example of this vulnerability occurs in rcmd.c, the standard BSD library routine which is used by rsh and rlogin to remotely connect to systems. Note that the code itself is not faulty, however the resolver implementation is. Example code follows:

        hp = gethostbyname(*ahost);
        if (hp == NULL) {
                herror(*ahost);
                return (-1);
        }
        *ahost = hp->h_name;
        .
        .
        .
        bzero(&sin, sizeof sin);
        sin.sin_len = sizeof(struct sockaddr_in);
        sin.sin_family = hp->h_addrtype;
        sin.sin_port = rport;
        /* h_length comes straight from the DNS reply */
        bcopy(hp->h_addr_list[0], &sin.sin_addr, hp->h_length);

In this example, we copy hp->h_length amount of data into the address variable of a sockaddr_in structure, which is 4 bytes. The hp->h_length variable is taken directly from the DNS reply packet. If we now look at how rcmd() declares its variables, and after looking through rlogin with a debugger, we can determine that this is a dangerous situation.

        int
        rcmd(ahost, rport, locuser, remuser, cmd, fd2p)
                char **ahost;
                u_short rport;
                const char *locuser, *remuser, *cmd;
                int *fd2p;
        {
                struct hostent *hp;
                struct sockaddr_in sin, from;
                fd_set reads;

On further testing, and implementation of exploitation code, we can verify that this is indeed possible via the rlogin service.

In order to exploit the problem, we first start a program to send fake DNS replies.

        [root@ariel] [Dec 31 1969 11:59:59pm] [~]% ./dnsfake
        oakmont.secnet.com(4732)->idoru.secnet.com(53) : lookup: random-domain.com (1:1)
        sent packet
        fake reply: 270 bytes
        idoru.secnet.com(53)->oakmont.secnet.com(4732) : reply: random-domain.com (1:1)

We then cause rcmd() within rlogin to do a host lookup and respond with our false data.
[oliver@oakmont] [Dec 31 1969 11:58:59pm] [~]% whoami
oliver
[oliver@oakmont] [Jan 01 1970 00:00:01am] [~]% rlogin random-domain.com
random-domain.com: Connection refused
# whoami
root
#

Impact
~~~~~~

By checking common BSD sources, we can see that over 20 local programs are vulnerable to this attack, and possibly 2 remote daemons. The possibility of exploiting local programs may seem insignificant; however, if one considers an attacker somewhere on the internet intercepting DNS lookups and inserting their own replies, it isn't. There is a real threat of passive attacks present here, whereby any user on a network running any of these programs can be a victim. Take, for instance, traceroute or ping, both of which fall prey to this problem.

Aside from stock UN*X programs which ship with most vendor operating systems, there appear to be problems related to h_length in external software packages. Due to the flaw, FWTK (Firewall Toolkit), a freely available firewall kit, appears vulnerable. The generic routine, conn_server(), which is utilized by the proxy servers, appears to trust the data as well.

Vulnerable Systems
~~~~~~~~~~~~~~~~~~

At this point we would assume that most vendor systems who have incorporated BIND directly into their operating system are vulnerable.

Solaris is not vulnerable according to Casper Dik.

Fix Information
~~~~~~~~~~~~~~~

The maintainers of BIND, and CERT, were notified of this problem several months previous to this posting. We recommend upgrading to the latest release of BIND, which solves this problem due to the incorporation of IPv6 address support.

The latest official release of BIND is available at:

ftp.vix.com in the directory /pub/bind/release/4.9.5

We wish to acknowledge and thank Theo de Raadt, the maintainer of the OpenBSD operating system, for his help in finding and analyzing this problem. More information on OpenBSD can be found at http://www.openbsd.org.
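Added example (not code from the advisory, from BIND or from the BSD rcmd.c it quotes): the caller-side check that rcmd() lacks, validating h_addrtype and h_length before the copy into the 4-byte sin_addr, exercised against a hand-built hostent that claims a 270-byte address the way the dnsfake run above does. The hostent contents, the 192.0.2.1 address and the function names are constructed for this example; no DNS traffic is involved.

```c
/* Added example, not code from the advisory or from BSD rcmd.c. The bug
 * the advisory describes: rcmd() copies hp->h_length bytes, a value taken
 * straight from the DNS reply, into the 4-byte sin_addr. The caller-side
 * defence is to validate h_addrtype and h_length before copying. The
 * hostent below is constructed by hand; no DNS traffic is involved. */
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* Copy the first address of hp into sin only if it really is an IPv4
 * address of exactly sizeof(struct in_addr) bytes. Returns 0 on success,
 * -1 when the hostent is inconsistent (the oversized reply case). */
int checked_copy_addr(const struct hostent *hp, struct sockaddr_in *sin)
{
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(struct in_addr))
        return -1;
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    memcpy(&sin->sin_addr, hp->h_addr_list[0], sizeof(struct in_addr));
    return 0;
}

/* Simulate a resolver result whose record data is 192.0.2.1 (a
 * documentation address) padded out to 270 bytes of filler, with
 * h_length set to whatever the (hypothetical) reply claimed. Returns the
 * copied address in host order if accepted, -1 if the check rejected it. */
long long simulate_reply(int addrtype, int reported_len)
{
    unsigned char payload[270];
    char *list[2] = { (char *)payload, NULL };
    struct hostent hp;
    struct sockaddr_in sin;

    memset(payload, 0x41, sizeof payload);   /* filler: a 270-byte "address" */
    payload[0] = 192; payload[1] = 0; payload[2] = 2; payload[3] = 1;
    memset(&hp, 0, sizeof hp);
    hp.h_addrtype = addrtype;
    hp.h_length = reported_len;              /* the untrusted length field */
    hp.h_addr_list = list;
    if (checked_copy_addr(&hp, &sin) != 0)
        return -1;
    return (long long)ntohl(sin.sin_addr.s_addr);
}
```

With the check in place the 270-byte reply is refused before any byte reaches the stack-allocated sockaddr_in, which is the condition the rlogin session above depends on.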
- Oliver Friedrichs

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oliver Friedrichs - (403) 262-9211 - Secure Networks Inc.
Suite 440, 703-6th Avenue S.W. Calgary, AB, Canada, T2P 0T9

------------------------------

Date: Thu, 21 Mar 1996 22:51:01 CST
From: CuD Moderators
Subject: File 8--Cu Digest Header Info (unchanged since 10 Dec, 1996)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST

Send the message to: cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA.
To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (860)-585-9638. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.

EUROPE:
  In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown)
  In ITALY: ZERO! BBS: +39-11-6507540
  In LUXEMBOURG: ComNet BBS: +352-466893

UNITED STATES:
  etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD
  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/

EUROPE:
  nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

------------------------------

End of Computer Underground Digest #8.87
************************************