

Grex Cyberpunk Item 90: Finger exploit:note the 31173 already knew
Entered by madjest on Wed Sep 30 11:51:24 UTC 1998:

New exploit
impact:rock the world
consequences:run arbitrary code on a server with normal user privz
you can run arbitrary code on any machine with an open finger port with
normal user privz regardless of who you are
this could also be used as the second denial of service attack that the
finger port will be vulnerable to.
do it by fingering |/bin/cat /etc/passwd ||\@victim.com to print the passwd
file
to your screen this method will also list directories
have fun (hehehe)
the madjester

12 responses total.



#1 of 12 by raven on Wed Sep 30 17:26:41 1998:

As the fairwitness of this conference I have to point out Grex is
*not* a hacker board.  If you are going to discuss specific hacking
techniques please do so on a mailing list.  The Cyberpunk conf
is intended for discussions of the *social* aspects of our future
in cyberspace.  I hate to sound anal but I don't want Grex going
down in legal flames because you people aren't smart enough to
start a mailing list.


#2 of 12 by hc on Thu Oct 1 14:32:34 1998:

Actually raven, this brings up an excellent question. Given that the last post
doesn't specifically promote illegal activities, but really only serves as
a security alert, is it really illegal? L0pht, for example, post
vulnerabilities like this on their high-traffic website without major
problems. Hell, Cult of the Dead Cow posted a utility designed only to
exploit a Windows security hole, and no one tried to shut them down... 

I can understand your concern in a way, but I think that concern is more of
a sign of the times - the media have made people so paranoid about computer
security that security information itself is seen as risky stuff. God forbid
if you happen to be searched by a cop who saw some crap news report on
"Hackers" and he discovers you have copies of 2600 or Phrack on your person.
Having said all of this, I think you'd find a lot more people interested in
things like this on a mailing list - I don't think that hackers are likely
to be coming here searching for things like this. (usenet might be an idea
too, or #2600 on irc.)


#3 of 12 by raven on Fri Oct 2 01:22:19 1998:

Well it wasn't posted like a security alert it was posted in the manner
of d00d l00k 8t kewl tis kewl hack.  Now I don't even really care if
people want to hack/crack, whatever, as long as you don't attack Grex,
or *implicate Grex as the source of the information in your cracks.*
Go start a mailing list and use PGP while you're at it, not hard people.
Or if you're rich little trust fund kids go start a kewl XXX warez &
crackz board on a Linux machine.  We run on almost zero funds here and
don't need the grief of even a potential lawsuit unless it's for something
important like free speech over political or literary issues.  This is
just the wrong forum for the samizdat of cracking.


#4 of 12 by hc on Fri Oct 2 15:06:48 1998:

Fair enough, I guess it was just the "too stupid" bit that got my back up.
This makes me curious though - while I can see what you mean for Grex, would
this mean that IRC servers might be held liable as well? I mean, while I
never got into IRC, I understand that once in a while, someone actually does
post a security hole onto a channel (like #2600, I suppose) along with the
IP address of the machine that it was found on. Who's liable in a case like
that, I wonder?
And as a complete sidetrack, who out there reading this bbs sees a link
between hacking/cracking/security and the cyberpunk movement? Are we all a
bunch of computer freaks, or is it just me?


#5 of 12 by raven on Fri Oct 2 23:28:25 1998:

Well I think there is a tie in if computer cracking crosses over and becomes
social cracking as well.  Cyberpunk is about an articulate critique of
where our corporate mediated society is going.  Cracking could be a part
of this if it's combined with intelligent social critique to make society
more just & sustainable etc.  The problem is that I don't think "kracker
kidz" have any interest in broader issues at all they just want to run
some canned dialer scripts and then brag about how many systems they have
broken into for no other reason than to brag about their kracking "skills."

For me what's important isn't even so much the legal risk but why the legal
risk is being undertaken.  The above post presented no compelling reason
(to me) as to why a system should be cracked and it just seemed like an
inane legal risk for Grex.  BTW I like your hellcow website, some good
lit on there.


#6 of 12 by hc on Mon Oct 5 17:44:17 1998:

Alas, if only I could take credit for a good website... I've been calling
myself hellcow for about five years now, and when I started, I could have
sworn that I was the only one...  Since then, many other hellcows seem to have
appeared. Great minds think alike, perhaps? 
What was the address? I'm curious. 
Handles are funny things really. I was really annoyed when I discovered that
there was at least one other person out there calling themselves hellcow.
Especially when I discovered a hellcow on AOL. But still, it's good to hear
that someone is using the name well.. ;-)
(I tried to move over to "Wire Rat" but there were loads of those, and I
haven't come up with anything good since then.)


#7 of 12 by vhd on Fri Oct 23 23:27:36 1998:

As a message to "elite hacker" that claims he found the finger vulnerability,
This exploit has been around for a LONG time...IT does not take an "elite
hacker" to know this.  I don't understand the computer underground anymore.
It used to be a place where people could talk about security with one another,
now manifested by "lamers" and "script kiddies" alike.  These two types of
vermin are found on bbs's like grex.  I urge you to stop and read.  All that
want to learn how to crack/hack.  The best source for this is your local
bookshop/library.  You can find great info.  And don't you even try to
implicate grex as a source for your cracks.  Grex is a public bbs, with no
intent to corrupt anyone's computer system.  As a message to Raven, a fellow
mac user, I urge you to keep this conference underway like you have been doing
for years now.  As a message to the sysadmins.  Don't be surprised when the
latter of script kiddies on this system have an AOL ip address, that would be
152.xxx.xxx.xxx.

-vhd-


#8 of 12 by jezebel on Mon Nov 9 18:56:08 1998:

This response has been erased.



#9 of 12 by jezebel on Mon Nov 9 19:06:47 1998:

'scuse me for being stoopid..but is it the system that makes the typing,
response etc all slow and variable..?!
I tend to lose patience and start hitting all the keys!
err I was saying some stuff..
1) Real hackers / security sysadmin types don't brag about *kewl* stuff like
the kiddie hackers do. Maybe Grex could have a conf on Security features.
I'm sure the techy talk would keep the kids out (they have short attention
spans, bless!)
2) Although cyberpunk has connotation with hacking (being a rebel/renegade?)
I think it has more depth...


#10 of 12 by morpheus on Wed Nov 11 07:24:04 1998:

well, for deep technical UNIX/c stuff (which would include security 
vulnerabilities of the code), there is jellyware.

hmm, curious, jezebel, you don't live in Chicago perchance do you?
someone I know with the login jezebel lives in chitown or thereabouts.


#11 of 12 by inf3ct on Sun Nov 28 09:26:59 1999:

HOW DO I CRACK A PASSWD FILE DON'T TELL ME TO GET CRACKER JACK!!! I HATE IT
ANY WIN PROGS OUT THERE THE PASSWD IS
root:7D/7NWCiEebSA:0:1:Operator:/:/bin/csh if anyone cracks this send it to
kryptonite@bboy.com
th4nks -d1sk 1nf3ct


#12 of 12 by raven on Sun Nov 28 23:45:29 1999:

Ah yes another daring script kiddie exploit.  Fortunately these Win
binaries don't patch very fast so this stupid exploit should go down in
flames.  
