0day in secure-dead-drop

<004257a35b8b363c3f48e2eb7c59192d@def4.com>


https://news.novabbs.org/computers/article-flat.php?id=564&group=rocksolid.shared.hacking#564

Path: rocksolid2!def3!.POSTED.localhost!not-for-mail
From: anon@anon.com (anon)
Newsgroups: rocksolid.shared.hacking
Message-ID: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
Subject: 0day in secure-dead-drop
Date: Sun, 09 Sep 2018 16:29:34+0000
Organization: def4
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
 by: anon - Sun, 9 Sep 2018 16:29 UTC

In the secure-dead-drop program provided here:
https://github.com/JeremyRuhland/secure-dead-drop/blob/master/index.cgi
there is a critical bug, which allows the overwriting of shell variables, enabling the attacker to execute system binaries with the rights of the webserver.

In line 173 of the program there is a call to a function:

cgi_getvars BOTH ALL

The function cgi_getvars will overwrite shell variables if the variables in the POST or GET string have corresponding names (as in: http://example.com/index.cgi&SHELL=%2Fbin%2Frm, which would replace the shell variable SHELL with /bin/rm on the host example.com).

Replacing the call with one that only asks for specific variables would fix this problem, like this:

cgi_getvars BOTH var1 var2 var3 var4 var5

The author of the software has been informed and advised already earlier (for different reasons) against using it anymore (sounds to me like this bug will not be fixed).

Description of the program (from the github page):
"Introduction

We already know that all internet and phone traffic is being monitored. You cannot trust your email providers for private and anonymous access. Javascript is dangerous. Tor is broken in some circumstances. The PGP web-of-trust leaks user information in a dangerous way.

Let's fix some of that with software designed to let users of safe computers communicate over unsafe networks.

This webapp allows anonymous users to send messages to your inbox, which arrive signed and encrypted using PGP to ensure message integrity and privacy. Only SSL connections are permitted, which ensures encrypted communication between client and server."

Cheers

wed

Posted on def4.i2p
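
Added example, not part of the original post and not code from secure-dead-drop: a minimal query-string importer that shows the overwrite described above under an ALL policy, next to the allowlist form the post recommends. The function names, the `message` field and the sample query are assumptions made for illustration; the SHELL parameter is the one quoted in the post.

```bash
# Added example: hypothetical names throughout, not secure-dead-drop's code.
# Decode one form-urlencoded value: '+' -> space, %XX -> that byte.
urldecode() {
    _s=$(printf '%s' "$1" | tr '+' ' '); _out=
    while [ -n "$_s" ]; do
        case $_s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                _h=${_s#?}; _h=${_h%"${_h#??}"}
                _out=$_out$(printf "\\$(printf '%03o' "0x$_h")")
                _s=${_s#???} ;;
            *)  _out=$_out${_s%"${_s#?}"}; _s=${_s#?} ;;
        esac
    done
    printf '%s' "$_out"
}

# import_params QUERY NAME...  assigns request parameters to shell variables.
# NAME... is the allowlist; the single word ALL imports every parameter.
import_params() {
    _rest=$1; shift
    while [ -n "$_rest" ]; do
        _pair=${_rest%%'&'*}
        case $_rest in *'&'*) _rest=${_rest#*'&'} ;; *) _rest= ;; esac
        _k=${_pair%%=*}
        case $_pair in *=*) _v=${_pair#*=} ;; *) _v= ;; esac
        # Only well-formed identifiers may reach eval.
        case $_k in ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;; esac
        _ok=0
        for _name in "$@"; do
            if [ "$_name" = ALL ] || [ "$_name" = "$_k" ]; then _ok=1; fi
        done
        if [ "$_ok" = 1 ]; then eval "$_k=\$(urldecode \"\$_v\")"; fi
    done
    return 0
}

# Constructed request: one expected field plus the parameter from the post.
SAMPLE_QUERY='message=hello+world&SHELL=%2Fbin%2Frm'

# Print variable $1 after importing SAMPLE_QUERY under the given policy (subshell).
value_after() (
    _var=$1; shift
    SHELL=/bin/sh
    import_params "$SAMPLE_QUERY" "$@"
    eval "printf '%s' \"\$$_var\""
)

echo "ALL:       SHELL=$(value_after SHELL ALL)"
echo "allowlist: SHELL=$(value_after SHELL message)"
```

With the allowlist, a parameter whose name is not listed never reaches an assignment, so pre-existing variables keep their values regardless of what the client sends.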

Re: 0day in secure-dead-drop

<5699451bc6ac1ec162c02efebcfb421f@def4.com>


https://news.novabbs.org/computers/article-flat.php?id=565&group=rocksolid.shared.hacking#565

Path: rocksolid2!def3!.POSTED.localhost!not-for-mail
From: anon@anon.com (anon)
Newsgroups: rocksolid.shared.hacking
Message-ID: <5699451bc6ac1ec162c02efebcfb421f@def4.com>
Subject: Re: 0day in secure-dead-drop
Date: Sun, 09 Sep 2018 19:45:22+0000
Organization: def4
In-Reply-To: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
References: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
 by: anon - Sun, 9 Sep 2018 19:45 UTC

that should say :

http://example.com/index.cgi?SHELL=%2Fbin%2Frm

of course

Posted on def4.i2p

Re: 0day in secure-dead-drop

<673a6f98af71c94016168c1975ff275e$1@retrobbs.rocksolidbbs.com>


https://news.novabbs.org/computers/article-flat.php?id=566&group=rocksolid.shared.hacking#566

Path: rocksolid2!.POSTED.retrobbs!not-for-mail
From: anonuser@retrobbs.rocksolidbbs.com.remove-8bh-this (AnonUser)
Newsgroups: rocksolid.shared.hacking
Subject: Re: 0day in secure-dead-drop
Date: Tue, 11 Sep 2018 08:24:06 -0700
Organization: RetroBBS
Message-ID: <673a6f98af71c94016168c1975ff275e$1@retrobbs.rocksolidbbs.com>
References: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: novabbs.com; posting-host="retrobbs:10.128.3.129";
logging-data="31466"; mail-complaints-to="usenet@novabbs.com"
To: anon
X-Comment-To: anon
In-Reply-To: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
X-FTN-PID: Synchronet 3.17a-Linux Feb 20 2018 GCC 6.3.0
X-Gateway: retrobbs.rocksolidbbs.com [Synchronet 3.17a-Linux NewsLink 1.108]
 by: AnonUser - Tue, 11 Sep 2018 15:24 UTC

To: anon
it's great you took the time to let the author know. what he does about it
now is his business, but the word is out.
--- Synchronet 3.17a-Linux NewsLink 1.108
Posted on RetroBBS

Re: 0day in secure-dead-drop

<45d06a6e03c24a1b352e2c9f18518ab7@def4.com>


https://news.novabbs.org/computers/article-flat.php?id=567&group=rocksolid.shared.hacking#567

Path: rocksolid2!def3!.POSTED.localhost!not-for-mail
From: anon@anon.com (anon)
Newsgroups: rocksolid.shared.hacking
Message-ID: <45d06a6e03c24a1b352e2c9f18518ab7@def4.com>
Subject: Re: 0day in secure-dead-drop
Date: Tue, 11 Sep 2018 09:28:24+0000
Organization: def4
In-Reply-To: <673a6f98af71c94016168c1975ff275e$1@retrobbs.rocksolidbbs.com>
References: <673a6f98af71c94016168c1975ff275e$1@retrobbs.rocksolidbbs.com>
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
 by: anon - Tue, 11 Sep 2018 09:28 UTC

He has put a comment on the github page:

"This code is not secure in the slightest and should never be used due to bash shell variable injection bugs.

If you are interested in it for historical purposes please check out the previous commit."

At least he is sincere about it and warns his potential users.

Posted on def4.i2p

Re: 0day in secure-dead-drop

<b3e66b02011a6635e57610a90ebe0985$1@rslight.novabbs.com>


https://news.novabbs.org/computers/article-flat.php?id=568&group=rocksolid.shared.hacking#568

Path: rocksolid2!.POSTED.local_inn!not-for-mail
From: AnonUser@rslight.i2p (AnonUser)
Newsgroups: rocksolid.shared.hacking
Subject: Re: 0day in secure-dead-drop
Date: Fri, 14 Sep 2018 08:55:06 -0000 (UTC)
Organization: Rocksolid Light
Message-ID: <b3e66b02011a6635e57610a90ebe0985$1@rslight.novabbs.com>
References: <673a6f98af71c94016168c1975ff275e$1@retrobbs.rocksolidbbs.com> <45d06a6e03c24a1b352e2c9f18518ab7@def4.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 14 Sep 2018 08:55:06 -0000 (UTC)
Injection-Info: novabbs.com; posting-host="local_inn:10.13.0.7";
logging-data="26315"; mail-complaints-to="usenet@novabbs.com"
 by: AnonUser - Fri, 14 Sep 2018 08:55 UTC

anon wrote:

> He has put a comment on the github page:

> "This code is not secure in the slightest and should never be used due to bash shell variable injection bugs.

> If you are interested in it for historical purposes please check out the previous commit."

> At least he is sincere about it and warns his potential users.

it's good he did that even if abandoning it. shows some integrity on his
part.

Posted on Rocksolid Light.

Re: 0day in secure-dead-drop

<647bba01096ea3ec721006146a5e808b@def4.com>


https://news.novabbs.org/computers/article-flat.php?id=569&group=rocksolid.shared.hacking#569

Path: rocksolid2!def3!.POSTED.localhost!not-for-mail
From: anon@anon.com (anon)
Newsgroups: rocksolid.shared.hacking
Message-ID: <647bba01096ea3ec721006146a5e808b@def4.com>
Subject: Re: 0day in secure-dead-drop
Date: Fri, 14 Sep 2018 14:47:35+0000
Organization: def4
In-Reply-To: <b3e66b02011a6635e57610a90ebe0985$1@rslight.novabbs.com>
References: <b3e66b02011a6635e57610a90ebe0985$1@rslight.novabbs.com>
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
 by: anon - Fri, 14 Sep 2018 14:47 UTC

I would find it a bit annoying if it was only about this bug, since it is maybe a 10 min effort to fix it.
But he said already before that this should not be used anymore, due to shellshock et al.

Posted on def4.i2p

Re: 0day in secure-dead-drop

<704aefdce5dba68870f7500943eaddf4@def4.com>


https://news.novabbs.org/computers/article-flat.php?id=577&group=rocksolid.shared.hacking#577

Path: news.novabbs.com!rocksolid0!rs!def3!.POSTED.localhost!not-for-mail
From: windowshater@anon.com (windowshater)
Newsgroups: rocksolid.shared.hacking
Message-ID: <704aefdce5dba68870f7500943eaddf4@def4.com>
Subject: Re: 0day in secure-dead-drop
Date: Sat, 29 Sep 2018 18:00:57+0000
Organization: def4
In-Reply-To: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
References: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
 by: windowshater - Sat, 29 Sep 2018 18:00 UTC

This tutorial here (http://www.team2053.org/docs/bashcgi/postdata.html) teaches the same wrong usage of the code.

I guess the use of bash for cgi is near extinct nowadays, so this will not have a big impact.

Posted on def4.i2p
