Rocksolid Light

Welcome to Rocksolid Light

mail  files  register  nodelist  faq  login

Necessity has no law. -- St. Augustine


rocksolid / Hacking / 0day in secure-dead-drop

SubjectAuthor
* 0day in secure-dead-dropanon
+- Re: 0day in secure-dead-dropanon
+* Re: 0day in secure-dead-dropAnonUser
|`* Re: 0day in secure-dead-dropanon
| `* Re: 0day in secure-dead-dropAnonUser
|  `- Re: 0day in secure-dead-dropanon
`- Re: 0day in secure-dead-dropwindowshater

1
Subject: 0day in secure-dead-drop
From: anon
Newsgroups: rocksolid.shared.hacking
Organization: def4
Date: Sun, 9 Sep 2018 16:29 UTC
Path: rocksolid2!def3!.POSTED.localhost!not-for-mail
From: anon@anon.com (anon)
Newsgroups: rocksolid.shared.hacking
Message-ID: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
Subject: 0day in secure-dead-drop
Date: Sun, 09 Sep 2018 16:29:34+0000
Organization: def4
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
View all headers
In the secure-dead-drop program provided here:
https://github.com/JeremyRuhland/secure-dead-drop/blob/master/index.cgi
there is a critical bug, which allows the overwriting of shell variables, enabling the attacker to execute system binaries with the rights of the webserver.

In line 173 of the program there is a call to a function:

cgi_getvars BOTH ALL

The function cgi_getvars will overwrite shell variables if the vars in post or get string will have corresponding names (like in: http://example.com/index.cgi&SHELL=%2Fbin%2Frm which would replace the shell variable SHELL with /bin/rm on the host example.com).

Replacing the call with one that only asks for specific variables would fix this problem, like this:

cgi_getvars BOTH var1 var2 var3 var4 var5

The author of the software has been informed and advised already earlier (for different reasons) against using it anymore (sounds to me like this bug will not be fixed).

Description of the program (from the github page):
"Introduction

We already know that all internet and phone traffic is being monitored. You cannot trust your email providers for private and anonymous access. Javascript is dangerous. Tor is broken in some circumstances. The PGP web-of-trust leaks user information in a dangerous way.

Let's fix some of that with software designed to let users of safe computers communicate over unsafe networks.

This webapp allows anonymous users to send messages to your inbox, which arrive signed and encrypted using PGP to ensure message integrity and privacy. Only SSL connections are permitted, which ensures encrypted communication between client and server."

Cheers

wed

Posted on def4.i2p


Subject: Re: 0day in secure-dead-drop
From: anon
Newsgroups: rocksolid.shared.hacking
Organization: def4
Date: Sun, 9 Sep 2018 19:45 UTC
References: 1
Path: rocksolid2!def3!.POSTED.localhost!not-for-mail
From: anon@anon.com (anon)
Newsgroups: rocksolid.shared.hacking
Message-ID: <5699451bc6ac1ec162c02efebcfb421f@def4.com>
Subject: Re: 0day in secure-dead-drop
Date: Sun, 09 Sep 2018 19:45:22+0000
Organization: def4
In-Reply-To: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
References: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
View all headers
that should say :

http://example.com/index.cgi?SHELL=%2Fbin%2Frm

of course

Posted on def4.i2p


Subject: Re: 0day in secure-dead-drop
From: AnonUser
Newsgroups: rocksolid.shared.hacking
Organization: RetroBBS
Date: Tue, 11 Sep 2018 15:24 UTC
References: 1
Path: rocksolid2!.POSTED.retrobbs!not-for-mail
From: anonuser@retrobbs.rocksolidbbs.com.remove-8bh-this (AnonUser)
Newsgroups: rocksolid.shared.hacking
Subject: Re: 0day in secure-dead-drop
Date: Tue, 11 Sep 2018 08:24:06 -0700
Organization: RetroBBS
Message-ID: <673a6f98af71c94016168c1975ff275e$1@retrobbs.rocksolidbbs.com>
References: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: novabbs.com; posting-host="retrobbs:10.128.3.129";
logging-data="31466"; mail-complaints-to="usenet@novabbs.com"
To: anon
X-Comment-To: anon
In-Reply-To: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
X-FTN-PID: Synchronet 3.17a-Linux Feb 20 2018 GCC 6.3.0
X-Gateway: retrobbs.rocksolidbbs.com [Synchronet 3.17a-Linux NewsLink 1.108]
View all headers
  To: anon
it's great you took the time to let the author know. what he does about it now is his business, but the word is out.
--- Synchronet 3.17a-Linux NewsLink 1.108
Posted on RetroBBS


Subject: Re: 0day in secure-dead-drop
From: anon
Newsgroups: rocksolid.shared.hacking
Organization: def4
Date: Tue, 11 Sep 2018 09:28 UTC
References: 1
Path: rocksolid2!def3!.POSTED.localhost!not-for-mail
From: anon@anon.com (anon)
Newsgroups: rocksolid.shared.hacking
Message-ID: <45d06a6e03c24a1b352e2c9f18518ab7@def4.com>
Subject: Re: 0day in secure-dead-drop
Date: Tue, 11 Sep 2018 09:28:24+0000
Organization: def4
In-Reply-To: <673a6f98af71c94016168c1975ff275e$1@retrobbs.rocksolidbbs.com>
References: <673a6f98af71c94016168c1975ff275e$1@retrobbs.rocksolidbbs.com>
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
View all headers
He has put a comment on the github page:

"This code is not secure in the slightest and should never be used due to bash shell variable injection bugs.

If you are interested in it for historical purposes please check out the previous commit."

At least he is sincere about it and warns his potential users.

Posted on def4.i2p


Subject: Re: 0day in secure-dead-drop
From: AnonUser
Newsgroups: rocksolid.shared.hacking
Organization: Rocksolid Light
Date: Fri, 14 Sep 2018 08:55 UTC
References: 1 2
Path: rocksolid2!.POSTED.local_inn!not-for-mail
From: AnonUser@rslight.i2p (AnonUser)
Newsgroups: rocksolid.shared.hacking
Subject: Re: 0day in secure-dead-drop
Date: Fri, 14 Sep 2018 08:55:06 -0000 (UTC)
Organization: Rocksolid Light
Message-ID: <b3e66b02011a6635e57610a90ebe0985$1@rslight.novabbs.com>
References: <673a6f98af71c94016168c1975ff275e$1@retrobbs.rocksolidbbs.com> <45d06a6e03c24a1b352e2c9f18518ab7@def4.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 14 Sep 2018 08:55:06 -0000 (UTC)
Injection-Info: novabbs.com; posting-host="local_inn:10.13.0.7";
logging-data="26315"; mail-complaints-to="usenet@novabbs.com"
View all headers
anon wrote:

He has put a comment on the github page:

"This code is not secure in the slightest and should never be used due to
bash shell variable injection bugs.

If you are interested in it for historical purposes please check out the
previous commit."

At least he is sincere about it and warns his potential users.

it's good he did that even if abandoning it. shows some integrity on his part.



Posted on Rocksolid Light.




Subject: Re: 0day in secure-dead-drop
From: anon
Newsgroups: rocksolid.shared.hacking
Organization: def4
Date: Fri, 14 Sep 2018 14:47 UTC
References: 1
Path: rocksolid2!def3!.POSTED.localhost!not-for-mail
From: anon@anon.com (anon)
Newsgroups: rocksolid.shared.hacking
Message-ID: <647bba01096ea3ec721006146a5e808b@def4.com>
Subject: Re: 0day in secure-dead-drop
Date: Fri, 14 Sep 2018 14:47:35+0000
Organization: def4
In-Reply-To: <b3e66b02011a6635e57610a90ebe0985$1@rslight.novabbs.com>
References: <b3e66b02011a6635e57610a90ebe0985$1@rslight.novabbs.com>
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
View all headers
I would find it a bit annoying if it was only about this bug, since it is maybe a 10 min effort to fix it.
But he said already before that this should not be used anymore, due to shellshock et al.

Posted on def4.i2p


Subject: Re: 0day in secure-dead-drop
From: windowshater
Newsgroups: rocksolid.shared.hacking
Organization: def4
Date: Sat, 29 Sep 2018 18:00 UTC
References: 1
Path: news.novabbs.com!rocksolid0!rs!def3!.POSTED.localhost!not-for-mail
From: windowshater@anon.com (windowshater)
Newsgroups: rocksolid.shared.hacking
Message-ID: <704aefdce5dba68870f7500943eaddf4@def4.com>
Subject: Re: 0day in secure-dead-drop
Date: Sat, 29 Sep 2018 18:00:57+0000
Organization: def4
In-Reply-To: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
References: <004257a35b8b363c3f48e2eb7c59192d@def4.com>
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
View all headers
This tutorial here http://www.team2053.org/docs/bashcgi/postdata.html teaches the same wrong usage of the code.

I guess the use of bash for cgi is near extinct nowadays, so this will not have a big impact.

Posted on def4.i2p


1
rocksolid light 0.7.2
clearneti2ptor