
Re: [FYI] Is the RIAA "hacking you back"?



From: gobbles@hushmail.com
To: bugtraq@securityfocus.com
Subject: Local/remote mpg123 exploit
Date: Mon, 13 Jan 2003 10:23:18 -0800

-----BEGIN PGP SIGNED MESSAGE-----

___ ___ ___ ___ _ ___ ___ ___ ___ ___ _ _ ___ ___ _______
/ __|/ _ \| _ ) _ ) | | __/ __| / __| __/ __| | | | _ \_ _|_ _\ \ / /
| (_ | (_) | _ \ _ \ |__| _|\__ \ \__ \ _| (__| |_| | /| | | | \ V /
\___|\___/|___/___/____|___|___/ |___/___\___|\___/|_|_\___| |_| |_|
"Putting the honey in honeynet since '98."

Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA
(riaa.org) to invent, create, and finally deploy the future of
antipiracy tools. We focused on creating virii/worm hybrids to infect
and spread over p2p nets. Until we became RIAA contractors, the best
they could do was to passively monitor traffic. Our contributions to the
RIAA have given them the power to actively control the majority of hosts
using these networks.

We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could
spread malicious media through the p2p networks, and gain access to the
host when the media was viewed.

During our research, we audited and developed our hydra for the
following media tools:
mplayer (www.mplayerhq.org)
WinAMP (www.winamp.com)
Windows Media Player (www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (www.mpg123.de)
xmms (www.xmms.org)

After developing robust exploits for each, we presented this first part
of our research to the RIAA. They were pleased, and approved us to
continue to phase two of the project -- development of the mechanism by
which the infection will spread.

It took us about a month to develop the complex hydra, and another month
to bring it up to the standards of excellence that the RIAA demanded of
us. In the end, we submitted them what is perhaps the most sophisticated
tool for compromising millions of computers in moments.

Our system works by first infecting a single host. It then fingerprints
a connecting host on the p2p network via passive traffic analysis, and
determines what the best possible method of infection for that host
would be. Then, the proper search results are sent back to the "victim"
(not the hard-working artists who p2p technology rapes, and the RIAA
protects). The user will then (hopefully) download the infected media
file off the RIAA server, and later play it on their own machine.

When the player is exploited, a few things happen. First, all
p2p-serving software on the machine is infected, which will allow it to
infect other hosts on the p2p network. Next, all media on the machine is
cataloged, and the full list is sent back to the RIAA headquarters
(through specially crafted requests over the p2p networks), where it is
added to their records and stored until a later time, when it can be
used as evidence in criminal proceedings against those criminals who
think it's OK to break the law.

Our software worked better than even we hoped, and current reports
indicate that nearly 95% of all p2p-participating hosts are now infected
with the software that we developed for the RIAA.

Things to keep in mind:
1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet.

Due to our NDA with the RIAA, we are unable to give out any other
details concerning the technology that we developed for them, or the
details on any of the bugs that are exploited in our hydra.

However, as a demonstration of how this system works, we're providing
the academic security community with a single example exploit, for an
mpg123 bug that was found independently of our work for the RIAA, and is
not covered under our agreement with the establishment.


Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de


Problem Type:
Local && Remote


Vendor Notification Status:
The professional staff of GOBBLES Security believe that releasing our
advisories without vendor notification of any sort is cute and humorous,
so this is also the first time the vendor has been made aware of this
problem. We hope that you're as amused with our maturity as we are.
;PpPppPpPpPPPpP


Exploit Available:
Yes, attached below.


Technical Description of Problem:
Read the source.


Credits:
Special thanks to stran9er@openwall.com for the ethnic-cleansing
shellcode.

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlwEARECABwFAj4jBA0VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP4gwA
oKmMyRIxA74KZfAVv3MsEBKCZxRMAJsFFhywKWzMoiT/Qiy4FV+r1inukA==
=OjMp
-----END PGP SIGNATURE-----



[jinglebellz.c  application/octet-stream (10230 bytes)]

[jinglebellz.c.sig  text/plain (502 bytes)]
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wj8DBQA+IwO0HNGnlyGZsA8RAuusAJ49gGSCJzKlRpn+7b9vd+GYydWzUQCgjq3Ofe2n
WBnlQNf4GeyaFTit5N0=
=RBjc
-----END PGP SIGNATURE-----


Ciao
Kai

-- 
WWW: http://kai.iks-jena.de/
GPG-Key: 0x60F3882F / 0x76C65282
ICQ: 146714798


-- 
To unsubscribe, e-mail: debate-unsubscribe@lists.fitug.de
For additional commands, e-mail: debate-help@lists.fitug.de