So I just have to send money?
FROM:MRS. M SESE-SEKO

DEAR FRIEND,

I AM MRS. SESE-SEKO, WIDOW OF LATE PRESIDENT MOBUTU
SESE-SEKO OF ZAIRE, NOW KNOWN AS DEMOCRATIC REPUBLIC
OF CONGO (DRC). I AM MOVED TO WRITE YOU THIS LETTER,
THIS WAS IN CONFIDENCE CONSIDERING MY PRESENT
CIRCUMSTANCE AND SITUATION.

I ESCAPED ALONG WITH MY HUSBAND AND TWO OF OUR SONS
KONGOLO AND NZANGA OUT OF DEMOCRATIC REPUBLIC OF
CONGO (DRC) TO ABIDJAN, COTE D'IVOIRE WHERE MY FAMILY
AND I SETTLED, WHILE WE LATER MOVED TO SETTLE IN
MOROCCO WHERE MY HUSBAND LATER DIED OF CANCER
DISEASE. HOWEVER DUE TO THIS SITUATION WE DECIDED TO
CHANGE MOST OF MY HUSBAND'S BILLIONS OF DOLLARS
DEPOSITED IN SWISS BANK AND OTHER COUNTRIES INTO OTHER
FORMS OF MONEY CODED FOR SAFE PURPOSE BECAUSE THE NEW
HEAD OF STATE OF (DR) MR LAURENT KABILA HAS MADE
ARRANGEMENT WITH THE SWISS GOVERNMENT AND OTHER
EUROPEAN COUNTRIES TO FREEZE ALL MY LATE HUSBAND'S
TREASURES DEPOSITED IN SOME EUROPEAN COUNTRIES. HENCE
MY CHILDREN AND I DECIDED LAYING LOW IN AFRICA TO
STUDY THE SITUATION TILL WHEN THINGS GET BETTER,
LIKE NOW THAT PRESIDENT KABILA IS DEAD AND THE SON
TAKING OVER (JOSEPH KABILA). ONE OF MY LATE HUSBAND'S
CHATEAUX IN SOUTHERN FRANCE WAS CONFISCATED BY THE
FRENCH GOVERNMENT, AND AS SUCH I HAD TO CHANGE MY
IDENTITY SO THAT MY INVESTMENT WILL NOT BE TRACED AND
CONFISCATED. I HAVE DEPOSITED THE SUM OF EIGHTEEN
MILLION UNITED STATES DOLLARS (US$18,000,000.00) WITH A
SECURITY COMPANY, FOR SAFEKEEPING. THE FUNDS ARE
SECURITY CODED TO PREVENT THEM FROM KNOWING THE
CONTENT. WHAT I WANT YOU TO DO IS TO INDICATE YOUR
INTEREST THAT YOU WILL ASSIST US BY RECEIVING THE
MONEY ON OUR BEHALF. ACKNOWLEDGE THIS MESSAGE, SO THAT
I CAN INTRODUCE YOU TO MY SON (KONGOLO) WHO HAS THE
OUT MODALITIES FOR THE CLAIM OF THE SAID FUNDS. I WANT
YOU TO ASSIST IN INVESTING THIS MONEY, BUT I WILL NOT
WANT MY IDENTITY REVEALED. I WILL ALSO WANT TO BUY
PROPERTIES AND STOCK IN MULTI-NATIONAL COMPANIES AND
TO ENGAGE IN OTHER SAFE AND NON-SPECULATIVE
INVESTMENTS. MAY I AT THIS POINT EMPHASISE THE HIGH
LEVEL OF CONFIDENTIALITY, WHICH THIS BUSINESS
DEMANDS, AND HOPE YOU WILL NOT BETRAY THE TRUST AND
CONFIDENCE, WHICH I REPOSE IN YOU. IN CONCLUSION, IF
YOU WANT TO ASSIST US, MY SON SHALL PUT YOU IN THE
PICTURE OF THE BUSINESS, TELL YOU WHERE THE FUNDS ARE
CURRENTLY BEING MAINTAINED AND ALSO DISCUSS OTHER
MODALITIES INCLUDING REMUNERATION FOR YOUR SERVICES.

FOR THIS REASON KINDLY FURNISH US YOUR CONTACT
INFORMATION, THAT IS YOUR PERSONAL TELEPHONE AND FAX
NUMBER FOR CONFIDENTIAL PURPOSE AND ACKNOWLEDGE
RECEIPT OF THIS MAIL USING THE ABOVE EMAIL ADDRESS.

BEST REGARDS,

MRS M. SESE SEKO

Got a Match?
Very cool but probably not significantly important to make your car fly. There is a new computer as small as a matchbook. The single chip computer runs the iPic web-server, the world's tiniest implementation of a TCP/IP stack and a HTTP web-server. The chip above is a complete micro-computer, and it includes all components of a complete computer on a single tiny micro-chip (this includes the CPU (central processing unit), memory, serial port interface circuitry, and clock oscillator). Check out the story here


Ok, not big news but new video clips.
Check out http://moloch.tv for new video clips. There is one from this past defcon and more plugs from Tech TV. There is even a clip from Patrick Norton backing out of the Cannonball Run after he said he was in it.


Don't hack my eMule. I need my warez.

e-matters GmbH
www.e-matters.de

-= Security Advisory =-



Advisory:       eMule/lmule/xmule multiple remote vulnerabilities
Release Date:   2003/08/17
Last Modified:  2003/08/17
Author:         Stefan Esser [s.esser@e-matters.de]

Application:    eMule <= 0.29c
                xmule <= 1.4.3, <= 1.5.6a
                lmule <= 1.3.1
Severity:       Several vulnerabilities within emule and its unix ports
                allow remote compromise of p2p users.
Risk:           Critical
Vendor Status:  eMule vendor has released a bugfixed version.
                (no solution for lmule, because it is no longer supported;
                no 100% solution for xmule)
Reference:      http://security.e-matters.de/advisories/022003.html


Overview:

eMule and its unix ports are the most famous filesharing clients which
are based on the eDonkey2000 network. The estimated user count ranges
from 1 million to as many as 10 million p2p clients (according to a mldonkey
statistic). With such a large user base eMule is not only a thorn in the
side of the music and movie industry but also an attractive target for
script kids or worm writers. And indeed, auditing the source code revealed
vulnerabilities which can be abused to disturb the eMule network or to
take over other client machines.


Details:

The eMule source code is object oriented, which from my point of view makes
security auditing a lot harder because the flow of execution is not
obvious and it is first necessary to get a general overview of the objects
and their dependencies.

While auditing the source code the following bugs were discovered:

1) OP_SERVERMESSAGE Format String Vulnerability

emule <= 0.29a
xmule <= 1.4.3, <= 1.5.4
lmule <= 1.3.1

When the client receives a message from the server it passes this
message to a function that expects a format string argument. This
could be used by a malicious server to crash or take over the
connected client system.
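For readers who want to see what the fix for a bug of this class looks like, here is an added example in C; it is not eMule's code and not part of the advisory. `show_server_message` is a hypothetical client routine that renders an untrusted server message through a fixed format string, `message_preserved` checks that the message comes out byte-for-byte unchanged, and `count_conversion_specifiers` is a hypothetical client-side check for flagging messages that carry `%` conversions, which a benign message of the day has no reason to contain.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not eMule's code. The vulnerable pattern the advisory
 * describes is a printf-family call whose FORMAT argument is the server's
 * message, e.g.   snprintf(out, outlen, msg);   -- every '%' conversion in
 * msg is then interpreted by the C library. The fix is a fixed format
 * string with the message passed only as data. */

#define PREFIX "Server message: "

/* Hypothetical client routine: renders an untrusted server message into out.
 * Returns what snprintf returns; never writes more than outlen bytes. */
int show_server_message(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, PREFIX "%s", msg);
}

/* Returns 1 if msg survives rendering byte-for-byte (no '%' sequence was
 * interpreted and nothing was truncated), 0 otherwise. */
int message_preserved(const char *msg)
{
    char buf[256];
    int n = show_server_message(buf, sizeof buf, msg);
    if (n < 0 || (size_t)n >= sizeof buf)
        return 0;                      /* truncated: do not trust the result */
    return strcmp(buf + strlen(PREFIX), msg) == 0;
}

/* Hypothetical detection check: count '%' characters that would start a
 * conversion ("%%" is a literal percent sign and is not counted). A non-zero
 * result for a server message is worth logging on the client side. */
int count_conversion_specifiers(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {             /* escaped percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}
```

The count function is a coarse signal, not a filter: the rendering function above is already safe regardless of message content, so the count is only there to make a hostile server visible in the client's log.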


2) OP_SERVERIDENT Heap Overflow

emule <= 0.29a
xmule <= 1.4.3, <= 1.5.4
lmule <= 1.3.1

When receiving a serverident packet from the server it is parsed in
an unsafe manner that could lead to an exploitable heap overflow.
Again this allows a malicious server to crash or take over the
connected client.
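An added example of the missing bounds check, again not eMule's code and not from the advisory: the packet layout assumed here (a 16-bit little-endian length prefix followed by that many bytes of server name) is for illustration only and is not eMule's actual serverident format. `parse_server_ident` validates the declared length against both the bytes actually received and the size of the destination before copying anything, and `parse_result` is a hypothetical helper that builds such a packet with a chosen declared length and payload size to exercise the parser.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not eMule's parser. Assumed layout: uint16 LE length,
 * then that many name bytes. An unsafe parser trusts the declared length
 * and copies it into a fixed-size heap buffer; a length larger than the
 * buffer (or larger than the packet) is exactly the heap overflow class
 * the advisory describes. */

#define NAME_MAX 64

typedef struct {
    char name[NAME_MAX];   /* NUL-terminated copy of the name field */
    size_t name_len;
} server_ident;

/* Returns 0 on success, -1 if the packet is truncated or the field would
 * not fit in the destination. On failure nothing is written to *out. */
int parse_server_ident(const uint8_t *pkt, size_t pkt_len, server_ident *out)
{
    if (pkt_len < 2)
        return -1;                             /* no room for the length prefix */
    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    if (declared > pkt_len - 2)
        return -1;                             /* claims more bytes than received */
    if (declared >= NAME_MAX)
        return -1;                             /* would not fit with the terminator */
    memcpy(out->name, pkt + 2, declared);
    out->name[declared] = '\0';
    out->name_len = declared;
    return 0;
}

/* Hypothetical test helper: build a packet whose prefix says declared_len
 * while only actual_payload name bytes follow, parse it, return the code.
 * The mismatch between the two is the attacker-controlled condition. */
int parse_result(uint16_t declared_len, size_t actual_payload)
{
    uint8_t pkt[2 + 600];
    if (actual_payload > sizeof pkt - 2)
        return -2;                             /* helper limit, not a parser result */
    pkt[0] = (uint8_t)(declared_len & 0xff);
    pkt[1] = (uint8_t)(declared_len >> 8);
    memset(pkt + 2, 'A', actual_payload);      /* constructed sample name bytes */
    server_ident id;
    return parse_server_ident(pkt, 2 + actual_payload, &id);
}
```

The two rejections are deliberately separate: a declared length beyond the received bytes is a truncated or forged packet (an over-read), while a declared length that fits the packet but not the destination is the overflow case; both are refused before `memcpy` runs.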


3) Servername Format String Vulnerabilities

emule <= 0.29c
xmule <= 1.4.2, <= 1.5.5
lmule <= 1.3.1

Several ways of adding a server with a name that contains format
string specifiers could crash the client. Remote code execution
through this bug is unlikely because only very short servernames
are accepted.


4) AttachToAlreadyKnown Object Destruction Vulnerability

emule <= 0.29c
xmule <= 1.4.2, <= 1.5.6a
lmule <= 1.3.1

When the client receives a special sequence of packets an
error situation can be triggered where the currently used
client object is deleted. This is similar to an ordinary
double free vulnerability with the exception that here a whole
object is mistakenly freed and still used. Because this hole
was proven to be exploitable (remote code execution) and the
same packets are completely legal for other clients (no IDS
signature can be created anyway), I am not going into details of
how to trigger the bug. There are just too many vulnerable
systems out there.


Proof of Concept:

e-matters is not going to release an exploit for this vulnerability to
the public. The developed exploit is considered extremely dangerous
because it uses a technique that allows this kind of double free bug
to be exploited on Windows 2K/XP systems without version or binary
dependent offsets.

DCOM has shown again how devastating Windows overflows are. This is
caused on the one hand by users not patching and on the other hand by
an insecure Windows design that allows most vulnerabilities to be
exploited with very few or no system dependent offsets.


Disclosure Timeline:

26. July 2003   - First contact to emule and xmule vendors.
                  (xmule email bounced back after some time)
29. July 2003   - emule vendor has verified and fixed the bugs.
                  New version is in beta tests.
31. July 2003   - contact with xmule vendor established.
02. August 2003 - xmule 1.5.6a (unstable) was released by the
                  xmule vendor. This version fixes only (3).
11. August 2003 - xmule 1.4.3 (stable) was released by the xmule
                  vendor. I mailed the vendor the same day that
                  it only fixes (3) and (4) while the first two
                  are not fixed. No reaction yet.
17. August 2003 - emule vendor released version 0.30a which fixes
                  all security bugs. Their changelog does not
                  underline the importance of the update and
                  incorrectly states problem (4) as only a
                  crash bug.


Recommendation:

It is very important that word about this vulnerability is spread fast
in the eMule community, because P2P users usually do not read
security mailing lists and will therefore be very slow in upgrading to new
versions of their favourite tools. If you connect to the network you can
still see a huge number of very old clients.

And I hope the pressure of the xmule community can force the release
of a 100% fixed version.

I hope I do not need to remind the P2P users that the RIAA repeatedly
asked for the right to hack into their PCs.
