Post by StRiDeR on Apr 15, 2004 16:40:55 GMT 8
Oh no... I forgot again.. never mind.. it's o.k...
Post by atokENSEM on Apr 15, 2004 17:03:54 GMT 8
Do we need to use antivirus?
Many parties recommend using the latest antivirus software to keep your computer safe. The question is, do we need to use this kind of software or not? There is no easy answer, but as users we would rather not spend money without justification, while at the same time we want to minimise the risk. But how?
Here are some simple tips and suggestions we can practise:
1. Never use MS Outlook or Outlook Express. Use Pegasus Mail, TheBat or Eudora instead; they have Outlook's best features for sending and receiving pictures, text and so on.
2. Do not open or read mail from unknown sources. Delete straight away, without reading, any mail whose authenticity and source you doubt, especially mail from "spammers".
3. Install firewall software such as Zone Alarm or Tiny Firewall to stop hackers from getting into the computer, planting malicious software such as trojans or backdoors, and stealing your passwords.
4. Word or Excel attachments? Just tell anyone who wants to send you an attachment that you only accept files in RTF (rich text format) instead of Word, or CSV (comma separated values) instead of Excel. To open them, right-click the attachment and choose MS Word or Excel. Easy, isn't it...
5. Disable the JavaScript or VBScript option in your web browser. Fewer popup windows appear, and it is easier to get to the sites you are heading for. Web pages also load faster.
6. Delete the programs wscript.exe and cscript.exe in the Windows directory. This stops malicious scripts, such as the AnnaKournikova.vbs virus for example, from running without our knowledge.
7. Use web-based mail such as hotmail.com, yahoo mail and so on. These have the latest features such as junk mail filters, virus scanners, and viewing mail details without opening it first.
8. Avoid browsing warez sites, nonsensical sites, or hardcore pornography sites.
9. Disable file and printer sharing on the network. This prevents unauthorised access to shared drives and stops malicious software from spreading.
No 100% guarantee, but so far the number of infections in more than ten years of using computers has been just one or two. Impressive, isn't it... without spending a single cent on antivirus software. What about you?
Post by StRiDeR on Apr 15, 2004 17:10:43 GMT 8
This article is okay too... but for me you still have to use antivirus... even if you don't get attacked over the internet, a network like a LAN can also get hit by viruses/trojans/worms... sometimes there are files on a floppy disk that are infected with a virus too... and sometimes the Windows we use still has "holes"... so people can exploit it there... for me, antivirus is a must on every computer... and it needs to be updated regularly...
Post by atokENSEM on Apr 15, 2004 17:34:54 GMT 8
True.. it must always be updated..
Post by StRiDeR on Apr 15, 2004 17:36:53 GMT 8
True.. it must always be updated.. because if it's not updated... there's no point in using antivirus... because it can't detect new viruses/trojans/worms...
Post by atokENSEM on Apr 16, 2004 2:51:18 GMT 8
Microsoft offers special price to students, teachers
MICROSOFT Malaysia Sdn Bhd is offering the Microsoft Office Teacher and Student Edition 2003 at a special price of RM199 at the PC Fair, which runs for three days starting today at the Putra World Trade Centre (PWTC), Kuala Lumpur.
Each pack sold allows students and teachers to install the same licence on three personal computers or laptops, meaning users get the product for RM66 per PC.
Microsoft Malaysia's Director of Business Marketing Organisation, Christopher Yong, said:
"Education continues to be a key focus for Microsoft. This is our contribution to bridging the digital divide between teachers and students."
The Teacher and Student edition, like Microsoft Office 2003, places a strong emphasis on learning. It contains many information resources, including a dictionary and thesaurus, translation services, MSN® Search, MSN Money Stock Quotes, and the Microsoft Encarta® Encyclopedia.
"It uses the same interface as Office 2003, so it gives you easy access to the applications and spares you from having to learn a new program.
"With the emphasis on an IT-literate society, we hope students and teachers will take advantage of this good opportunity," said Yong.
Post by StRiDeR on Apr 16, 2004 19:17:17 GMT 8
Windows Expand-Down Data Segment Local Privilege Escalation

Release Date: April 13, 2004
Date Reported: November 21, 2003
Severity: Medium (Local Privilege Escalation to Kernel)
Vendor: Microsoft
Systems Affected: Windows NT 4.0, Windows 2000

Description:

eEye Digital Security has discovered a privilege escalation vulnerability in the Windows kernel that would allow any locally logged-in user to execute code with the highest possible privileges (kernel). A malicious user with legitimate but unprivileged access to a Windows system, or an attacker or worm payload able to acquire unprivileged access through an unrelated exploit, could take advantage of this vulnerability in order to completely compromise a Windows NT 4.0 or Windows 2000 machine.

There are two separate but related flaws in the Windows kernel that cause the vulnerability described in this advisory to exist. The first problem is insufficient validation in the NtSetLdtEntries API function, which allows a security check to be bypassed and a potentially dangerous data segment to be created. The second issue is a lack of sanitization in certain portions of kernel code, leading to the modification of arbitrary memory locations if user code passes a reference to a malicious segment (created using NtSetLdtEntries) into the kernel.

Technical Description:

The NtSetLdtEntries API call allows a process to create a Local Descriptor Table (LDT) for itself, and to modify the descriptors contained therein. Although the function performs base and limit checking to ensure that a data segment encompassing kernel memory is not created, the function does not account for the effects of the Expand-Down flag (Type bit 2 for data segments), and as a result, we can create an expand-down data segment descriptor from which any part of memory is addressable.

As long as the conditions "base < 7FFF0000h", "base <= base + limit" (to protect against integer overflows), and "base + limit < 7FFF0000h" are all satisfied, the descriptor will be successfully created. Although the details of expand-down data segments are beyond the scope of this advisory (but see References for a link to an excellent overview), it's sufficient to say that the limit on an expand-down segment indicates how much memory is excluded from, rather than included in, the segment. On a normal segment, the memory from 'base' to 'base' + 'limit' is addressable from the segment; in the case of an expand-down data segment, addressable memory ranges from 'base' + 'limit' + 1 to 'base' - 1. With a limit of 0 and the Granularity bit set to 1, an expand-down segment encompasses all but 4KB of the 4GB virtual address space, but NtSetLdtEntries -- unaware of the effects of the expand-down flag on data segments -- interprets this as a segment that only covers 4KB of memory, and allows it to be created.

This behavior is of course a flaw, but what makes it a vulnerability is that some kernel code uses the selectors it receives from user-mode code in the DS and ES registers, without any prior validation or sanitization. If NtSetLdtEntries performed proper input checking, then this would not be a problem either -- the idea is that, regardless of what hand-crafted segments they reference, DS and ES would only address user memory -- but because that protection mechanism can be bypassed, it is a problem. Most kernel code will throw an access violation if a pointer it receives references kernel memory (technically, if the address is 7FFF0000h or higher), but since the base of the effective segment is never taken into account, this check can be bypassed, and other fundamental assumptions about pointers being relative to virtual address 0 can be broken.

For the sake of example, there is a REP MOVS instruction in the NTOSKRNL INT 2Eh interrupt handler that can be influenced to write to arbitrary locations in kernel memory. INT 2Eh is invoked by user code to call system routines in kernel code, and the MOVS instruction is performed to copy the function arguments supplied by the caller onto the kernel stack. Although most people know the operation of MOVS as copying data from ESI to EDI, meticulously technical readers and real-mode veterans will note that it actually copies from DS:ESI to ES:EDI. If ES references a non-zero-based data segment that addresses kernel memory, then the destination is "shifted" by the base of the segment. If the address of the kernel stack pointer can be determined (for instance, by causing this REP MOVS to first write detectable data into a large block of memory in user land, or by getting the kernel to "leak" the address), then the segment base can be configured such that the destination is any arbitrary address above the kernel stack pointer, such as the LDT. The epilog to this story is that, once arbitrary kernel memory can be modified to contain arbitrary values, a machine is wholly compromised.

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at: www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

Credit:
Derek Soeder

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert-at-eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to: eEye Digital Security
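As an added illustration of the expand-down check described in the advisory above (example code written for this thread, not code from eEye or from the Windows kernel), the following C program models a 32-bit data segment descriptor and contrasts the range the NtSetLdtEntries check believes it covers with the range the CPU actually allows through it. The three conditions and the 7FFF0000h boundary are the advisory's; the struct layout, the function names and the "honest"/"evil" sample descriptors are assumptions made for illustration. The check is shown as the advisory describes it, treating every segment as expand-up, so the same descriptor that it rates as "4KB of user memory" is reported by the CPU-side model as reaching nearly the whole 4GB address space, including addresses at and above 80000000h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel/user boundary the advisory quotes for the NtSetLdtEntries check. */
#define MM_USER_PROBE_ADDRESS 0x7FFF0000u

/* Illustrative model of a 32-bit data segment descriptor (assumed layout,
   only the fields relevant to the expand-down issue are represented). */
typedef struct {
    uint32_t base;        /* 32-bit segment base */
    uint32_t limit;       /* raw 20-bit limit field */
    bool     granularity; /* G bit: 1 = limit counted in 4KB pages */
    bool     expand_down; /* Type bit 2 (E) of a data segment */
} seg_desc_t;

/* Effective limit as the CPU scales it: with G=1 the 20-bit field is
   shifted by 12 and the low 12 bits become ones. Returned as 64-bit so
   0xFFFFFFFF never wraps in the arithmetic below. */
static uint64_t effective_limit(const seg_desc_t *d)
{
    uint64_t lim = d->limit & 0xFFFFFu;
    return d->granularity ? ((lim << 12) | 0xFFFu) : lim;
}

/* The validation the advisory describes NtSetLdtEntries performing. It
   assumes the segment covers base .. base+limit and never looks at E. */
bool ldt_check_passes(const seg_desc_t *d)
{
    uint64_t base = d->base;
    uint64_t end  = base + effective_limit(d);   /* 64-bit: cannot overflow */
    return base < MM_USER_PROBE_ADDRESS
        && base <= end                           /* "base <= base + limit" */
        && end  <  MM_USER_PROBE_ADDRESS;        /* "base + limit < 7FFF0000h" */
}

/* What the CPU actually permits: is a 32-bit linear address reachable
   through this segment? Offsets are 32-bit and wrap relative to base.
   Expand-up:   offsets 0 .. limit          (base .. base+limit)
   Expand-down: offsets limit+1 .. 0xFFFFFFFF (base+limit+1 .. base-1) */
bool segment_addressable(const seg_desc_t *d, uint32_t linear)
{
    uint32_t offset = linear - d->base;           /* mod 2^32 */
    uint64_t lim = effective_limit(d);
    return d->expand_down ? (offset > lim) : (offset <= lim);
}

/* Number of bytes reachable through the segment. */
uint64_t addressable_bytes(const seg_desc_t *d)
{
    uint64_t lim = effective_limit(d);
    return d->expand_down ? (0x100000000ull - (lim + 1)) : (lim + 1);
}

int main(void)
{
    /* The descriptor from the advisory: limit 0, G=1, expand-down. */
    seg_desc_t evil   = { .base = 0, .limit = 0,       .granularity = true, .expand_down = true  };
    /* A flat expand-up segment over all 4GB, which the check rejects. */
    seg_desc_t honest = { .base = 0, .limit = 0xFFFFF, .granularity = true, .expand_down = false };

    printf("expand-down, limit 0, G=1: check %s, CPU allows %llu bytes, reaches 80000000h: %s\n",
           ldt_check_passes(&evil) ? "PASSES" : "fails",
           (unsigned long long)addressable_bytes(&evil),
           segment_addressable(&evil, 0x80000000u) ? "yes" : "no");
    printf("expand-up, limit max, G=1: check %s\n",
           ldt_check_passes(&honest) ? "PASSES" : "fails");
    return 0;
}
```

The same model covers the "shifted destination" case the advisory uses for REP MOVS: give the expand-down descriptor a non-zero base and the reachable range moves with it, while the check still sees only a 4KB window just above the base.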
Post by atokENSEM on Apr 17, 2004 2:17:17 GMT 8
Microsoft platform the lifeblood of future vehicles
THE world's leading software maker, Microsoft Corp (Microsoft), which has put its operating system (OS) on every home computer, is now aiming to have that OS used in every vehicle.
Microsoft Vice President (Automotive Business Unit) Dick Brass said the company now aims to have every vehicle in the world carry one of Microsoft's operating systems.
He said a car fitted with a Microsoft OS could 'talk' when it is time for an oil change, as well as warn the driver about bad road conditions ahead and identify alternative routes.
"Using a Microsoft OS also lets the vehicle pay tolls automatically, while the software that runs the braking system can have its capabilities upgraded wirelessly," he said.
Microsoft's platform is already in 23 different car models, including the BMW 7 series, Citroen, Daimler, Fiat, Volvo, Hyundai, Mitsubishi, Subaru and Toyota.
Brass said there are now 50 million vehicles worldwide and 50 million new vehicles are produced each year, outpacing the growth of the desktop computer market.
He said microprocessors now control most vehicle functions, and Microsoft has been involved for years in automotive telematics, the concept of combining computing and telecommunications.
"Drivers now waste a lot of their time on the road and are often confused by the many devices, including handheld units that provide traffic reports from the Department of Transportation.
"Microsoft's TBox, which will be available in 12 to 36 months, will connect users to a range of devices providing the latest traffic data, and the unit has a processor, memory and a hard drive," he said.
Brass stressed that drivers can use this system to build a vehicle system for the 21st century, as well as help reduce traffic congestion.
Sysbug-A: new virus disguised as a nude picture
WINDOWS users are advised to be careful when receiving electronic mail (e-mail) carrying the attachment wendynaked.jpg.exe, as it is a virus known as the Sysbug-A Trojan that disguises itself as a picture to get into the victim's computer system and then take control of that computer.
The Sysbug-A Trojan is believed to be distributed worldwide using spamming software, with the main strategy of infecting as many internet users as possible.
Sophos Senior Technology Consultant Graham Cluley said the spam-based distribution method is used because virus writers now find it an effective technique for spreading viruses, after other techniques such as e-mail.
"Virus writers take advantage of this technique in an effort to trick Internet users into letting the virus code into their computer system and then take control of it, especially computers running the Windows operating system," he said.
He said that although Sysbug-A is spreading fairly quickly on the Internet, it still cannot match the Swen-A and Mimail viruses, which have spread and infected Internet users worldwide.
atok..
Post by StRiDeR on Apr 17, 2004 16:55:45 GMT 8
Microsoft DCOM RPC Memory Leak

Release Date: April 13, 2004
Date Reported: September 10, 2003
Severity: High (Remote Code Execution)
Vendor: Microsoft
Systems Affected:
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

Description:

eEye Digital Security has discovered a critical remote vulnerability in the way Microsoft Windows handles DCOM RPC requests. This vulnerability is a separate issue from the vulnerabilities described in Microsoft Security Bulletins MS03-026 and MS03-039.

The RPC (Remote Procedure Call) protocol provides an inter-process communication mechanism allowing a program running on one computer to execute code on a remote system. Distributed COM (DCOM) extends the usability of COM to support COM communication across a network with other computers. The DCOM RPC interface in charge of processing incoming RPC based DCOM activation requests has been prone to failure in the past. An issue in the DCOM interface dealing with direct memory allocation from a user supplied size can be exploited remotely to exhaust all available memory on a targeted machine, rendering it inoperable.

Technical Description:

After the DCOM activation request is unmarshalled it is passed off to the Activation class of functions within rpcss.dll. A routine dealing with the class allocates a size specified in a length field within the request packet. This DWORD length field is not validated before allocation, so any size can be chosen by the client issuing the activation request. Normally this buffer is released after the activation request has completed. If we choose an abnormally large size, one that is larger than the memory pool of the source buffer, we can cause an exception when the page boundary is hit. Like most exception handlers, no cleanup is performed due to the unpredictable nature of the exception.

An attacker can exhaust all available memory on the remote machine within seconds, rendering it extremely unstable, if not totally inoperable.

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at: www.microsoft.com/technet/security/bulletin/MS04-012.mspx.

Credit:
Discovery: Riley Hassell
Additional Research: Riley Hassell and Barnaby Jack

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert-at-eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to: eEye Digital Security
Post by atokENSEM on Apr 18, 2004 2:35:58 GMT 8
Red Hat Enterprise Linux v.3 for IBM eServer
Red Hat Enterprise Linux v.3, the latest release from Red Hat, is now available across IBM's entire eServer product line.
Red Hat Enterprise Linux is offered as a bundle with IBM's xSeries and BladeCenter servers. The bundle will package Red Hat Enterprise Linux AS, ES and WS and, later, the new Red Hat Enterprise Linux v.3.
Red Hat Enterprise Linux v.3 will cover the entire IBM eServer platform with a single Linux architecture -- iSeries, pSeries, xSeries, zSeries, BladeCenter (including the POWER-based BladeCenter JS20), Clusters 1350 and 1650, e325, IntelliStation and TotalStorage.
IBM Global Services provides support for Red Hat Enterprise Linux v.3, including through the Red Hat Network managed support service. Red Hat and IBM Global Services offer customers a relatively complete end-to-end service in the form of Linux technical expertise and engineering resources. The two companies also jointly package IBM and Red Hat service and consulting offerings, so that one-stop support is available to meet customers' Linux needs.
On the software side, IBM supports Red Hat Enterprise Linux 3 across its main software portfolio: WebSphere, DB2, Lotus, Tivoli and Rational. IBM currently supports software running on Red Hat Enterprise Linux, with more than 200 software products supporting the distribution.
With Red Hat support extended to all IBM servers, IBM also becomes a supplier of a wide range of software for xSeries, iSeries, pSeries and zSeries running on Red Hat Enterprise Linux.
Post by StRiDeR on Apr 18, 2004 17:31:38 GMT 8
Windows Local Security Authority Service Remote Buffer Overflow

Release Date: April 13, 2004
Date Reported: October 8, 2003
Severity: High (Remote Code Execution)
Vendor: Microsoft
Systems Affected: Windows 2000, Windows XP

Description:

eEye Digital Security has discovered a remote buffer overflow in the Windows LSA (Local Security Authority) Service (LSASRV.DLL). An unauthenticated attacker could exploit this vulnerability to execute arbitrary code with system-level privileges on Windows 2000 and Windows XP machines. The susceptible LSA functionality is accessible via the LSARPC named pipe over TCP ports 139 and 445.

This buffer overflow bug is within the Microsoft Active Directory service functions exposed by the LSASS DCE/RPC endpoint. These functions provide the ability to use Active Directory services both locally and remotely, and on default installations of Windows 2000 and Windows XP, no special privileges are required.

Some Active Directory service functions generate a debug log file in the "debug" subdirectory located in the Windows directory. A logging function implemented in LSASRV.DLL is called to write entries to the log file. In this function, the vsprintf() routine is used to create a log entry. The string arguments for this logging function are supplied as parameters to vsprintf() without any bounds checking, so if we can pass a long string argument to the logging function, then a buffer overflow will occur. We found some RPC functions which will accept a long string as a parameter, and will attempt to write it to the debug log file. If we specify a long string as a parameter to these RPC functions, a stack-based buffer overflow will happen in the Active Directory service functions on the remote system. Attackers who successfully leverage this vulnerability will be executing code under the SYSTEM context of the remote host.

Technical Description:

The buffer overflow bug is in a logging function which generates a string for the log file using vsprintf(). The name of the log file is "DCPROMO.LOG", and it is located in the Windows "debug" directory. The Active Directory service functions implemented in LSASRV.DLL are as follows:

Function number   Function Name
---------------   -------------
0                 DsRolerGetPrimaryDomainInformation
1                 DsRolerDnsNameToFlatName
2                 DsRolerDcAsDc
3                 DsRolerDcAsReplica
4                 DsRolerDemoteDc
5                 DsRolerGetDcOperationProgress
6                 DsRolerGetDcOperationResults
7                 DsRolerCancel
8                 DsRolerServerSaveStateForUpgrade
9                 DsRolerUpgradeDownlevelServer
10                DsRolerAbortDownlevelServerUpgrade

In these functions, the DsRolepInitializeLog() API is called to create the log file "DCPROMO.LOG" in the Windows "debug" subdirectory. After calling this API, entries are written to the log file by invoking the DsRolepLogPrintRoutine() function. The following is an example of a log file that can be generated on the remote host using the DsRolerDcAsDc() API:

09/25 21:49:22 [INFO] DsRolerDcAsDc: DnsDomainName aaaaa
09/25 21:49:22 [INFO] SiteName bbbbb
09/25 21:49:22 [INFO] SystemVolumeRootPath ccccc
09/25 21:49:22 [INFO] DsDatabasePath ddddd, DsLogPath eeeee
09/25 21:49:22 [INFO] ParentDnsDomainName fffff
09/25 21:49:22 [INFO] ParentServer ggggg
09/25 21:49:22 [INFO] Account hhhhh
09/25 21:49:22 [INFO] Options 1

The remote host can be specified as the first argument of the DsRolerDcAsDc() API. The parameters shown in this debug log file such as DnsDomainName "aaaaa", SiteName "bbbbb", and SystemVolumeRootPath "ccccc" are string arguments for the DsRolerDcAsDc() API. These string parameters are logged using DsRolepLogPrintRoutine(), so we can cause a buffer overflow condition by supplying a long DnsDomainName, SiteName, SystemVolumeRootPath, etc.

However, most of the Active Directory service functions call the RpcImpersonateClient() API, which changes the server thread's security context to that of the client. Generally, the "debug" subdirectory located in the Windows directory is not writeable by everyone if the drive is formatted as NTFS, meaning that we cannot append to the log using a null session. The RpcImpersonateClient() API is called before opening the log file, and if the connected client does not have the privilege to write to the log file, then CreateFile() will fail, and the vulnerable call to vsprintf() is not performed. However, the DsRolerUpgradeDownlevelServer() function, which is supported by Windows 2000 and XP, does not use the RpcImpersonateClient() API -- it calls the DsRolepInitializeLog() API immediately. So, if we specify a long string parameter to this function, we can pass these parameters into vsprintf() in the DsRolepLogPrintRoutine() API, and a buffer overflow will occur.

The DsRoleUpgradeDownlevelServer() client API which issues the DCE/RPC request is implemented in NETAPI32.DLL. This is an undocumented API. If we specify a long szDomainName, LSASS.EXE -- which provides the Active Directory service functions running on the local computer -- will crash. This type of attack can be performed against the local machine for the purpose of privilege escalation. There is no parameter to specify the remote host for the DsRoleUpgradeDownlevelServer() client API. The API specifies the host as NULL internally, so the DCE/RPC request will be sent to LSASS.EXE running on the local computer. However, the function called from LSASS.EXE does not check whether the request is sent from the local machine or a remote one, so it will also handle requests sent from remote hosts. So, if we craft this DCE/RPC packet by hand, or if we modify the client API to be able to specify a remote host, then we can cause a buffer overflow on an arbitrary remote host running Windows 2000 or Windows XP.

Because the Active Directory services interface is registered on the LSASS named pipe RPC endpoint (ncacn_np:host[\PIPE\LSARPC]), it is sufficient to use CreateFile() and ReadFile(), WriteFile(), and/or TransactNamedPipe() in order to communicate with LSASS.EXE on the vulnerable host. No SMB knowledge is necessary, just an RPC bind and a DsRoleUpgradeDownlevelServer() packet.

We also can craft this DCE/RPC packet if we modify the instructions of the DsRoleUpgradeDownlevelServer() client API. The first argument for the DsRolepEncryptPasswordStart() API, which is used internally in the DsRoleUpgradeDownlevelServer() API, is the remote host. In this case, NULL is specified for the first argument. So, if we can change this to a pointer to where the remote host is stored, we can send a DCE/RPC request for the DsRoleUpgradeDownlevelServer() function. In order to modify the DsRoleUpgradeDownlevelServer() API, the protections on a region of this API implemented in NETAPI32.DLL must be changed to PAGE_EXECUTE_READWRITE using the VirtualProtect() API. The following code changes will allow the remote host to be specified as the 9th parameter (szUnknown2) of the DsRoleUpgradeDownlevelServer() API. In the case of Windows 2000, we should specify the DomainName as Unicode; on Windows XP, we should use ASCII. We can execute about 2KB of code on the remote host using this buffer overflow.

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at: www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

Credit:
Discovery: Yuji Ukai
Additional Research: Derek Soeder

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert-at-eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to: eEye Digital Security
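The bug class in the advisory above, a fixed stack buffer filled by vsprintf() from caller-controlled strings, next to its bounded form, as an added C example for this thread. This is not code from LSASRV.DLL or from eEye: the buffer size LOG_BUF_SIZE, the DCASDC_FMT format string (modelled on the DCPROMO.LOG lines quoted in the advisory), the 1023-byte DnsDomainName and the function names are all assumptions made for illustration. The vulnerable variant is included to show the shape of the defect and is never invoked with the long input; the length it would have tried to write is computed separately with snprintf(NULL, 0, ...).

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 256u   /* assumed stack buffer size; the advisory quotes none */

/* Assumed log-line format, modelled on the DCPROMO.LOG entries in the advisory. */
#define DCASDC_FMT "[INFO] DsRolerDcAsDc: DnsDomainName %s"

/* The shape of the bug: vsprintf() has no idea how large buf is, so a long
   DnsDomainName runs past the end of the stack frame. Shown for contrast
   only; must never be called with attacker-controlled strings. */
int log_print_vulnerable(const char *fmt, ...)
{
    char buf[LOG_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    int written = vsprintf(buf, fmt, ap);   /* unbounded write into buf */
    va_end(ap);
    return written;
}

/* Hardened form: vsnprintf() writes at most bufsz bytes and always
   NUL-terminates, and its return value is the length the full entry
   needed, so truncation is detected instead of silently smashing the
   stack. Returns true when the whole entry fit. */
bool log_print_safe(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    return needed >= 0 && (size_t)needed < bufsz;
}

/* Bytes (excluding the NUL) the vulnerable routine would try to write for
   a given DnsDomainName, computed without touching any buffer. */
size_t dcasdc_entry_length(const char *dns_domain_name)
{
    int n = snprintf(NULL, 0, DCASDC_FMT, dns_domain_name);
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    /* Constructed attacker input: a 1023-byte DnsDomainName of 'A's. */
    char domain[1024];
    memset(domain, 'A', sizeof domain - 1);
    domain[sizeof domain - 1] = '\0';

    char buf[LOG_BUF_SIZE];
    printf("entry for the long DnsDomainName needs %zu bytes, buffer holds %u\n",
           dcasdc_entry_length(domain), LOG_BUF_SIZE);
    printf("bounded log with long name: %s\n",
           log_print_safe(buf, sizeof buf, DCASDC_FMT, domain) ? "fit" : "truncated");
    printf("bounded log with \"aaaaa\": %s -> %s\n",
           log_print_safe(buf, sizeof buf, DCASDC_FMT, "aaaaa") ? "fit" : "truncated", buf);
    return 0;
}
```

The advisory's other point, that RpcImpersonateClient() happens to gate the write for most of the functions but not for DsRolerUpgradeDownlevelServer(), is a reminder that an access check in front of a sink is not a substitute for bounding the sink itself: the bounded form is safe no matter which caller reaches it.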
Post by StRiDeR on Apr 20, 2004 0:54:26 GMT 8
Windows VDM TIB Local Privilege Escalation

Release Date: April 13, 2004
Date Reported: February 9, 2004
Severity: Medium (Local Privilege Escalation to Kernel)
Vendor: Microsoft
Systems Affected:
Windows NT 4.0
Windows 2000

Description:

eEye Digital Security has discovered a second local privilege escalation vulnerability in the Windows kernel that would allow any user capable of executing code to elevate that code to the highest possible local privilege level (kernel). For instance, a malicious user with legitimate access to a machine, or a remote attacker or worm payload able to obtain unprivileged access through an unrelated exploit, could use this vulnerability to wholly compromise a Windows NT 4.0 or Windows 2000 system.

The problem lies in a certain area of the Windows kernel that supports 16-bit code executing in a Virtual DOS Machine (VDM). By causing the processor to execute code in Virtual86 (essentially "16-bit emulation") mode without first initializing a VDM for the process, specific routines in the Windows 2000 kernel code may be caused to dereference a null pointer, which actually functions as a pointer to attacker-controlled data if memory is allocated at virtual address 0. (On Windows NT 4.0, the pointer can be controlled directly by the user.) Other pointers and fields at offsets from the VDM data address may then be supplied with specially-crafted data, in order to write to arbitrary locations in kernel memory.

Technical Description:

A Virtual DOS Machine is simply a collection of data structures that, among other things, instructs the kernel how to behave when an exception occurs within Virtual 8086-mode code. Typically, the state of the VDM and V86-mode code execution is handled using the NtVdmControl() API exported by NTDLL.DLL, but it is sufficient to call NtContinue() with a CONTEXT structure that properly supplies CS:EIP, SS:ESP, and EFLAGS with the Virtual-8086 Mode flag (bit 17) set, in order to switch the calling thread into Virtual 8086 mode and bypass VDM initialization entirely.

When a thread is executing in V86 mode and something bad happens, the first thing most kernel fault handlers do is to check for the V86 flag in the EFLAGS stored on the stack, dealing with the exception differently based on whether or not it's set. For instance, KiTrap0D (the General Protection Fault handler) emulates the behavior of certain IOPL-restricted privileged instructions if they occur in V86 mode (e.g., POPF is considered a privileged instruction during V86-mode execution). In some cases, it attempts to consult VDM information for the current process -- on Windows 2000, by first dereferencing the "VdmObjects" field of the current thread's associated EPROCESS structure ([[[FFDFF124h]+44h]+1DCh]) and then using other pointers and data relative to that address.

As mentioned above, however, the "VdmObjects" pointer on Windows 2000 will be 0 if NtVdmControl() has not yet been used to initialize it. Of course, because V86-mode code needs the low end of memory to be addressable, 0 is in fact a perfectly valid base for a chunk of virtual memory, provided that ZwAllocateVirtualMemory() is called with a base address of 1..(4KB-1) to allocate it. So, if a region of memory is allocated at 0 prior to causing a V86-mode fault, then the kernel will attempt to access user-controlled memory, which it treats with as much trust and lack of validation as a kernel-controlled data structure. Yes, sometimes even null pointers are exploitable.

Among other things, the "VdmObjects" data structure features a pointer to a "VDM TIB" data area ([[[[FFDFF124h]+44h]+1DCh]+98h] on Windows 2000) that contains CONTEXT structures which the kernel routine VdmSwapContexts() references in certain circumstances. (On Windows NT 4.0, this pointer is in the user-land TIB at offset F18h and is therefore naturally under user control.) The "VDM TIB" pointer is not validated during the interesting portion of KiTrap0D, so it can point to an arbitrary address in user or kernel memory. This can allow all sorts of bad things to happen.

Continuing the GPF example from above, a POPFD instruction (for instance) encountered during V86-mode execution will cause the effective context at the time of the fault to be stored at offset +CD0h within the data area (+AD0h for Windows NT 4.0), then the context at offset +A04h is retrieved for the purpose of restoring when KiTrap0D exits. The selector values in this latter context are sanitized in order to have CPL/DPL=3, but it doesn't really matter because the context stored at offset +CD0h can be written to any location in user or kernel memory, including the IDT or a process's LDT. Of course, writing arbitrary data to an arbitrary location in kernel memory is the last thing that happens to one's machine before it officially becomes the attacker's machine, so the only thing left to talk about is what an attacker can do with unfettered kernel-level access on a system. For more information on that subject, please visit www.rootkit.com.

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Credit:
Derek Soeder

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye.
It seems like MS fixed over 20 vulns this time. Check the overview here: www.microsoft.com/technet/security/bulletin/winapr04.mspx
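The pointer chain the advisory walks through, modelled as an added example: this is not eEye's code and not an exploit for the real bug, just a simulation on a flat byte array that stands in for the 32-bit address space. The offsets 1DCh (EPROCESS.VdmObjects), 98h (VDM TIB pointer) and CD0h (where the faulting V86 context is stored), the VM flag at EFLAGS bit 17, and the fact that a base address of 1..0xFFF maps page 0 all come from the advisory. The EPROCESS address 0x8000, the 128 KiB address space, the user/kernel split at 0x10000, the 16-byte toy CONTEXT and the "checked" variant are assumptions made for the simulation.

```c
/* Added example: simulation of the VdmObjects -> VDM TIB chain from the eEye
 * advisory.  Not eEye's code, not an exploit; a flat byte array stands in for
 * the address space.  Offsets 1DCh/98h/CD0h and EFLAGS bit 17 are from the
 * advisory; everything else (addresses, sizes, the checked variant) is an
 * assumption made for the simulation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE        0x20000u    /* simulated 128 KiB address space (assumption) */
#define PAGE_SIZE       0x1000u
#define KERNEL_BASE     0x10000u    /* simulated user/kernel split (assumption) */
#define EFLAGS_VM       (1u << 17)  /* Virtual-8086 Mode flag, EFLAGS bit 17 */
#define EPROC_VDMOBJS   0x1DCu      /* EPROCESS.VdmObjects on Windows 2000 (per advisory) */
#define VDMOBJS_TIB     0x98u       /* VdmObjects -> "VDM TIB" pointer (per advisory) */
#define VDMTIB_SAVED    0xCD0u      /* where KiTrap0D stores the faulting context (per advisory) */
#define CTX_SIZE        16u         /* toy CONTEXT; the real x86 CONTEXT is much larger */

static uint8_t mem[MEM_SIZE];       /* the simulated address space */

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &mem[a], 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(&mem[a], &v, 4); }

/* ZwAllocateVirtualMemory: a nonzero BaseAddress is rounded down to a page
 * boundary, while 0 means "let the system choose".  Hence 1..0xFFF maps page 0. */
uint32_t alloc_base_for(uint32_t requested)
{
    if (requested == 0) return UINT32_MAX;  /* system-chosen; page 0 is never picked */
    return requested & ~(PAGE_SIZE - 1);
}

/* The unvalidated path as the advisory describes KiTrap0D on Windows 2000:
 * follow VdmObjects -> VDM TIB and store the V86 context at +CD0h.
 * Returns 0 when the V86 path ran, -1 when the fault was not from V86 code. */
int kitrap0d_store_v86_context(uint32_t eflags, uint32_t eprocess, const uint8_t *ctx)
{
    if (!(eflags & EFLAGS_VM)) return -1;
    uint32_t vdm_objects = rd32(eprocess + EPROC_VDMOBJS);  /* 0: NtVdmControl never called */
    uint32_t vdm_tib     = rd32(vdm_objects + VDMOBJS_TIB); /* reads the attacker's page 0 */
    memcpy(&mem[vdm_tib + VDMTIB_SAVED], ctx, CTX_SIZE);    /* attacker-chosen destination */
    return 0;
}

/* Checked variant (our assumption of the minimum a fix must do, not the code
 * of MS04-011): no VDM means no V86 bookkeeping, and the destination must lie
 * entirely in user memory, as a ProbeForWrite would require. */
int kitrap0d_store_v86_context_checked(uint32_t eflags, uint32_t eprocess, const uint8_t *ctx)
{
    if (!(eflags & EFLAGS_VM)) return -1;
    uint32_t vdm_objects = rd32(eprocess + EPROC_VDMOBJS);
    if (vdm_objects == 0) return -2;                        /* process has no VDM */
    uint32_t vdm_tib = rd32(vdm_objects + VDMOBJS_TIB);
    uint32_t dst = vdm_tib + VDMTIB_SAVED;
    if (dst < vdm_tib || dst > KERNEL_BASE - CTX_SIZE) return -3; /* not user memory */
    memcpy(&mem[dst], ctx, CTX_SIZE);
    return 0;
}

/* Attacker preparation: the process never called NtVdmControl (VdmObjects == 0),
 * page 0 is mapped via a base address of 1, and a fake VDM TIB pointer is
 * planted at offset 98h so that +CD0h lands exactly on `target`. */
void attacker_prepare(uint32_t eprocess, uint32_t target)
{
    memset(mem, 0, sizeof mem);
    wr32(eprocess + EPROC_VDMOBJS, 0);
    uint32_t page0 = alloc_base_for(1);                     /* rounds down to 0 */
    wr32(page0 + VDMOBJS_TIB, target - VDMTIB_SAVED);
}

/* Runs one variant against the same setup.  Returns 1 if the unchecked path
 * overwrote the kernel target, 2 if the checked path did (it must not), 0 otherwise. */
int run_simulation(int checked)
{
    const uint32_t eprocess = 0x8000;                       /* constructed EPROCESS address */
    const uint32_t target   = KERNEL_BASE + 0x800;          /* stands in for an IDT or LDT slot */
    uint8_t ctx[CTX_SIZE];
    memset(ctx, 0x41, sizeof ctx);                          /* attacker-controlled context bytes */
    attacker_prepare(eprocess, target);
    int rc = checked ? kitrap0d_store_v86_context_checked(EFLAGS_VM | 0x202, eprocess, ctx)
                     : kitrap0d_store_v86_context(EFLAGS_VM | 0x202, eprocess, ctx);
    int hit = memcmp(&mem[target], ctx, CTX_SIZE) == 0;
    if (!checked && rc == 0 && hit) return 1;
    if (checked && hit) return 2;
    return 0;
}

int main(void)
{
    printf("unchecked path overwrote kernel target: %s\n", run_simulation(0) == 1 ? "yes" : "no");
    printf("checked path overwrote kernel target:   %s\n", run_simulation(1) == 2 ? "yes" : "no");
    return 0;
}
```

The simulation makes the advisory's point concrete: once user mode can map page 0, a kernel null-pointer dereference is not a crash but a read of attacker data, and every pointer taken from that data (here the VDM TIB) becomes a write-what-where unless the kernel probes it. The checked variant shows the two conditions a fix has to enforce: refuse V86 bookkeeping for a process that never initialized a VDM, and validate that the destination of the saved context lies in user memory.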
|
|
|
Post by StRiDeR on Apr 21, 2004 13:47:31 GMT 8
what a scam...

Elaborate eBay FRAUD happening right now... be warned

Complex eBay scam will probably net a few victims
04-10-2003 08:43:26 AM CST -- from the SNP mailbox

Our friends over at www.root-core.org passed along this eBay scam that is making the rounds today. Although eBay scams are happening every day, this one is particularly well laid out and will probably s***er quite a few eBay users because of the work that has gone into creating this 'sting'. They not only registered a domain name, www.ebayv.com, but they also cut and pasted major sections of the real www.ebay.com web site to this 'fake domain'. They then cut and pasted the wording of the user agreement to con folks into going to the fake eBayv.com domain and updating their information. A quick visit to the domain showed that it is alive and well - and has not been shut down yet by the authorities.

One of the major problems with the folks at the REAL eBay is that it is next to impossible to send email to them to alert their security department of these frauds in a timely manner. In fact, the attempts by the real eBay to hide or shield their security folks from contact by users or people who might want to report a felony in progress work greatly to the scammers' and fraudsters' advantage. I took the time to try to look up the registrar and where the fake ebayv.com was hosted, but even that left me more confused than certain about where the domain was truly hosted. I have attached a copy of the SCAM email that is being forwarded to eBay users.

See what you think and take a guess how many folks will fall for this well laid out scam:

the fake site: www.ebayv.com/

this is the message sent to customers
-----------------------------------
from: suspension-at-ebay.com
subject: FPA NOTICE: eBay Registration Suspension - Section 9 - [your email address]
-----------------------------------
Return-Path: <suspension-at-ebay.com>
**Received: from capitol.rdsct.ro (81.196.163.5)**
-----------------------------------
Dear [your ebay name] ([your email]),

We regret to inform you that your eBay account has been suspended due to concerns we have for the safety and integrity of the eBay community. Per the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.

Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.

To update your member profile, copy and paste the following link in your web browser; after you pass the account verification process, your account will be enabled for further use.

www.ebayv.com/aw-cgi/eBayISAPI/info.php?userid=[your_bay_id]&password=suspended&verification=1

Regards,
Safeharbor Department, eBay Inc
|
|
|
Post by StRiDeR on Apr 22, 2004 16:40:18 GMT 8
America once used a Trojan virus against Russia

THE AUTHOR and former Secretary of the United States Air Force, Thomas C Reed, in his book At the Abyss: An Insider's History of the Cold War, reveals the United States' tactic of using a Trojan virus to wage a war aimed at crippling Russia's economy at the height of the Cold War.

In his book, Reed recounts in detail how the United States government used a Trojan virus, secretly placed among the lines of program code in software, which, when the time came, released a virus capable of damaging whatever computer programs were present.

Reed, who was also a former special assistant to President Ronald Reagan, said the virus was inserted into the software solely for the purpose of sabotaging Russia's economy, because at the time that country's spies were actively and secretly stealing high technology belonging to the United States, including computer software.

He said the Reagan administration was aware of Russia's covert activity of stealing classified information in order to develop capabilities equal to those possessed by the United States in the fierce rivalry of the Cold War.

He said Reagan, on the advice of the Director of the Central Intelligence Agency, William Casey, and National Security Council staff member Gus Weiss, proposed a special plan to counter the theft of secret information, namely by using 'crackers'.

"The government knew that the theft of microchips was being carried out by Russian agents but allowed the activity to continue because the microchips had already been programmed to produce false signals after 10 million cycles," he said.

Reed said the clearest example was the explosion of the natural gas pipeline linking Siberia and Western Europe in 1982, the result of a Trojan virus in software disrupting the operation of the computer system that managed the gas delivery.

Russian spies stole the software to use on the pipeline without knowing it already contained a Trojan virus. Russia examined the software but failed to detect anything suspicious, and it ran smoothly for several months.

However, after five months, the pre-programmed Trojan virus released a virus that disrupted the natural gas delivery, causing the pressure in the pipeline to rise sharply and finally explode.
|
|
|
Post by StRiDeR on Apr 26, 2004 3:10:47 GMT 8
Linux not yet able to overtake Windows

THE Windows operating system (OS) from Microsoft Corp (Microsoft) remains the dominant OS, ahead of the free and open OS, Linux.

Based on a Yankee Group study, the Linux OS is not expected to overtake Windows' dominance in the near future, because switching to the open OS is said to be expensive for large companies.

About 90 percent of the 300 large companies with 10,000 or more users said that switching from Windows to Linux would involve high costs, in addition to facing various difficulties and consuming a great deal of time.

The study, involving 1,000 technology administrators and executives worldwide, also found that the Linux OS, which can be copied and modified easily, would not provide any business advantage to large companies.

Yankee Senior Analyst (Application Infrastructure and Software Platforms) Laura DiDio said that in large companies, adopting Linux or switching entirely from Windows to Linux would increase spending three- to fourfold.

"Besides that, it was also found to take a long time, three times as long as upgrading from one version of Windows to the latest version of Windows," she said.

The study also found that although the growth of Linux has indeed been impressive, over the next two years it is not expected to overtake Windows as the OS on computers that store information and handle critical functions, known as servers.

Between this year and 2006, desktop Linux was also found to be unable to make a significant showing against Windows' 94 percent market share.
|
|