TUCoPS :: Malware :: bt404.txt

BAZARR THUG LIFE , DONT READ OR VIRUS INFECT YOU


------=_Part_765_15522818.1055455853375
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

read da attached advisory for remote vulnerability in popular used application. 

-bazarr 
------=_Part_765_15522818.1055455853375
Content-Type: text/plain; name=bazarr-episode-5.txt
Content-Transfer-Encoding: 7bit
Content-Disposition: ATTACHMENT; filename=bazarr-episode-5.txt

/* typespeed server <=v0.4.1 remote root vulnerability!			*/
/* by: bazarr								*/
/* bazarr@ziplip.com							*/
/* bazarr episode #5							*/


----------------------
PREFACE

>caddis< i just be messing wid you man relax 
--- caddis :No such nick/channel

after reading tutorial on html programmering , i have redesigned website it now cover all features of real website.
it have many a cool content now!

http://geocities.com/rrazab 

after a long series of elaborate emails wid lcamtuf it has become apparent dat it is up to me and him to save full disclosure from blackhats. 
we are forming a group called FHAB or fire hot asian boys(it a house hold name). at the moment it is me lcamtuf and a half mexican from alaska-
who just idles in #!FHAB all day long. tuf in da process of auditing many a opensshd functions while i be auditing many a setgid uucp true64 applications. 
together we form ultimate team and we able to find all blackhat bugs around da entire globe and stop dem from hacking anymore openbsd devlopers. 

dis be an advisory for remote typespeed vulnerability on debian x.x and everyone else around da world.

lets take a look at man page output:

DESCRIPTION
       Typespeed gives your fingers' cps (total and correct), typoratio and some points to compare with your friends.
       Typespeed's idea is ripped from ztspeed (a dos game made by Zorlim). Idea of the game should be clear to anyone, just type and type it fast, or be a lewser.

       Notice:  the  speed  of words going across the screen has been changed in version 0.4.0. Scores are not comparable with older versions now. See the README file for more
       detailed information.

now many a security researcher may remember dat martin@debian security team released advisory for typespeed and he got rid of all buffer overflows 
in typespeed. WRONG. typespeed did have many a command line overflows but a glance at da source code and i spot elaborate remote buffer overflow bug.

now we all know dat typespeed was science project for college student who now is off at programming job and dont care about typespeed anymore. 
so he cannot be expected to deliver patch for typespeed. it is up to debian to deliver da patch. i be glad he got B+ for typespeed though. 

lets take a look at terminal session for a second: 

thuglife@debian$ pwd
/home/thuglife/.elm/pornstash
thuglife@debian$ ls -al /usr/games/typespeed 
-rwxr-sr-x    1 root     games       32092 Jan  4  2002 /usr/games/typespeed
thuglife@debian$ 

now some of you thinking dat 'oh wow another gid games bug , go audit qpopper or somthing you jackass' 
and to that i say: 
shut up high on PCP voice in my head, because dis is remote gid games not local! and i'll audit qpopper when i finish UNP (not including xti part) 

...

dis be a remote gid games bug , it 0day too so you be able to hack many a boxes wid it. 

now i am off to da land of source code where der be many a nice bugs to take care of and 
release back into wild where dey can roam free from blackhat abuse.  dis be a copy and paste out of my bug file 
(it encrypted so dont hack my box to steal dis unless you can break rot96 devloped by me) 

#109

file: /usr/games/typespeed , remote bug martin missed

src location: network.c

code snip:

void net_swapscore(int typesock, stats_struct *stat,stats_struct *stat2)
{

        char buf[60];
        int x,i;
        char *temp,*temp2;
        char *number;

        sprintf(buf,"SCORE: %d %f %f %f\n",stat->score,stat->speed,stat->totalspeed,stat->ratio);

        i=send(typesock, buf, strlen(buf), 0);

        strcpy(buf,"                                                           "); //HACKLOG what da hell is dis!
									
        while(1) {

                i = recv(typesock, buf, 59, MSG_PEEK);
                if (i == -1 && errno != EWOULDBLOCK) {
                        endcursestuff();
                        perror("recv()");
                        exit(1);
                }
                if (i > 0) {
                        recv(typesock, buf, strlen(buf) + 1, 0);
                        if(strstr(buf,"SCORE:") > 0) {
                                break;
                        }
                }
        }

        number=malloc(10*sizeof(char)); //HACKLOG dis mallocs ten cuz sizeof(char) garonteed to be 1 byte (it 2 bytes on mips i dink) 
        temp=malloc(80*sizeof(char));	//HACKLOG dis mallocs 80 

        i=0;
        for(x=7;x<=strlen(buf);x++) {
          temp[i]=buf[x]; //HACKLOG temp 80 bytes so it can hold big 59 byte buf
          i++;
        }


        strncpy(number,temp,strcspn(temp," ")); //HACKLOG strncpy so it secure 
        stat2->score=strtol(number, NULL, 10);	//HACKLOG WAIT , STRNCPY BUT IT USE STRCSPN , WHAT DA HELL IS STRCSPN
        free(number);

	THE REST BE USELESS

after period of 9 hours studying strcspn() manpage i am able to report dat der be a buffer overflow in typespeed. 
here copy and paste of strcspn() manpage:

...
       size_t strcspn(const char *s, const char *reject);
       .... 
DISCRIPTION:
       ...
       The strcspn() function calculates the length of the initial segment of s which consists entirely of characters not in reject.

dis mean dat we can overflow buffer 'number' with buffer 'temp' which is buffer 'buf' and buffer 'buf' is 60 bytes while buffer number is 10. 
dis mean dat we have heap overflow on our hands and dis is serious issue. ALPHA TANGO WHISKY NINER WE GOT A CODE ZERO BUFFER OVEFLOW IN CODE. 
see i prove dat just cuz author use strncpy does not mean dat he secure from attack of buf too big attack. 

----------------------
PATCH 

too many a bugs in typespeed to patch dis year , sorry!
but if you really want to den go talk to martin , it his job not mine!
i just report da bugs not patch dem, i am like mean bus driver i wont help you if im on my lunch break!

----------------------
XPLOIT

it possible to code xploit using small read code but i not wasting time on dis sorry. 

----------------------
VENDORS NOTIFYED 

dis aint my job! 

----------------------
VENDORS VULNERABLE

debian 3.0 - default install!#$
FreeBSD - ports?
NetBSD - ports?
OpenBSD - ports?

all user who have typespeed installed. (whole globe)

----------------------
ADVANCE WARNING

irix you in trouble in next episode(lsd not only kid on block wid commerical unix!) 

would you belive dat der has been patches buy deb team wich actually added locally xploitable bugs to gain root on multiple distros wid?
it may be too early in bazarr season to discuss dis issue , sorry! it confidential! 

debian be a great gnu linux distro despite security holes. it wonderful. i use it forever. 

----------------------
GREETS

irc-bazarr - hello der fake bazarr's , i know you must like me very much to imposter me so i give you a greet.
remember dat da real bazarr (me) NEVER uses public irc under name 'bazarr'. i am sorry for abuse caused by fake bazarrs
but dat aint me sorry. fake bazarrs include: some guy from free shell provider and bell somthing. 

yourname - send me email and i pick a random name to be put in here!

realbazarr - it amazing dat young boy wid twinkle in his eye and foot in his ass can gain so much fame so quickly. 

documentry - im sad to report dat ring member documentry has to come to an end because dave censor too much. 
dat mean you missing many a cool ring member captures such as da palmers capture which prove he a wild one. 

*palmers* i cannot get rid of the impression that you are the only one who knows about your ring
>palmers< ok you playing hard ball
>palmers< i can be your best friend or your worst enemy
>palmers< its a long cold road to travel down
*palmers* oh, what do you mean by that?
>palmers< nothing i just kidding!

----------------------
BYE

remember dat i am constantly working on more and more bleeding edge security vulnerablitys for dis communtity. 
it a change from my-hello-world-ftpd fmt string and cross site scripting vulnerabilitys reported by 24 year old fl4ppyw1lly@hotmail.com. 
i be exposing more buffer too big attacks , int too big attacks , the revolutionary int too small attack, and the very private 
size_t -1 attack which will be discussed in detail very very soon in a paper i be writing intitled "Is my buffer too small?" and 
will be placed in /misc on my wonderful website , so plz check dat often!

bye guys i have to go now it has been fun. though it time for me to 
clean my room and feed my ginnie pig named fuzbal , the class let me take him home for a week,
but i never give him back. never. 

-bazarr




------=_Part_765_15522818.1055455853375--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH